
gaia api access for tacacs users

Hi,
is there a way to give access to the gaia api to tacacs users?

 https://sc1.checkpoint.com/documents/latest/GaiaAPIs/#api_access~v1.6%20\

0 Kudos
5 Replies
PhoneBoy
Admin

I assume the users are not locally defined in Gaia, correct?
That may be a requirement for this option, not entirely sure.

0 Kudos

It was defined locally but I had to add "add rba user USER roles adminRole" and now it works.
I guess there is no equivalent api command to the cli "tacacs_enable TACP-15" command, right?

0 Kudos

Yes. Define the user in clish, but don't assign a password. This allows you to add an RBA role. The role needs to include permissions for API calls, most (maybe all?) of which start with 'expert_api_'. Once the user is created and the RBA role is assigned, you need to use 

gaia_api access --user <user> --enable true

as described in the link.

Linux uses a subsystem called PAM for authenticating users. With how PAM is set up on Check Point systems, local passwords are tried first, then TACACS and RADIUS. By not defining a password for the user in clish, that check fails and falls through to the central authentication options.

0 Kudos

Yeah thanks, all works. The only thing is that I would like to be able to use a non-admin user for read_only type of api queries.

0 Kudos

add rba role ansibleRO domain-type System readonly-features expert_api_Messages,expert_api_Misc,expert_api_NTP,expert_api_aaa,expert_api_allowed-clients,expert_api_asset,expert_api_backup,expert_api_cphaprob,expert_api_cpstat,expert_api_dhcp-server,expert_api_diagnostics,expert_api_dns,expert_api_files,expert_api_ftw,expert_api_groups,expert_api_hostname,expert_api_interface,expert_api_ioc-feeder,expert_api_ipv6,expert_api_license,expert_api_lldp,expert_api_passwordcontrols,expert_api_proxy
add rba role ansibleRO domain-type System readonly-features expert_api_route,expert_api_routes,expert_api_runScript,expert_api_server-status,expert_api_snapshot,expert_api_snmp,expert_api_syslog,expert_api_system,expert_api_versions
...
0 Kudos
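As an added example (not code from this thread, from Check Point or from the posters), here is a small Python helper that turns a feature list into the command sequence PhoneBoy describes (password-less local user, read-only RBA role built from expert_api_* features split across several lines like the last post, role binding, gaia_api access) and then builds the REST calls the resulting TACACS user would make. The `add user` uid/homedir syntax, the `/gaia_api/` URL layout, the `show-hostname` command and the `X-chkp-sid` header are assumptions.

```python
"""Added example: provision a read-only Gaia API role for a TACACS user and
call the API as that user. The 'add user' uid/homedir syntax, the /gaia_api/
URL layout and the X-chkp-sid header are assumptions, not from the thread."""
import json
import urllib.request

# Constructed subset of the expert_api_* feature names quoted in the thread.
READONLY_FEATURES = [
    "expert_api_hostname", "expert_api_interface", "expert_api_route",
    "expert_api_versions", "expert_api_cpstat",
]


def provisioning_commands(user, role, features, chunk=20):
    """Return the command lines that create a password-less local user, a
    read-only RBA role, bind the two and enable Gaia API access for the user.
    Features are spread over several 'add rba role' lines, as the thread's
    last post does, so a long list never exceeds one command line."""
    bad = [f for f in features if not f.startswith("expert_api_")]
    if bad:  # anything outside the API feature set is out of scope for this role
        raise ValueError(f"not Gaia API features: {bad}")
    lines = [f"add user {user} uid 1001 homedir /home/{user}"]  # no password set
    for i in range(0, len(features), chunk):
        lines.append(f"add rba role {role} domain-type System "
                     f"readonly-features {','.join(features[i:i + chunk])}")
    lines.append(f"add rba user {user} roles {role}")
    lines.append("save config")
    # Run after the clish changes, exactly as quoted in the thread.
    lines.append(f"gaia_api access --user {user} --enable true")
    return lines


def api_request(base_url, command, payload, sid=None):
    """Build one Gaia API POST; the session id from 'login' goes in X-chkp-sid."""
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid
    return urllib.request.Request(f"{base_url}/gaia_api/{command}", method="POST",
                                  data=json.dumps(payload).encode(), headers=headers)


def show_hostname(base_url, user, password, opener=urllib.request.urlopen):
    """Log in as the TACACS user (PAM falls through to TACACS because the local
    account has no password) and run a read-only call under that role."""
    with opener(api_request(base_url, "login", {"user": user, "password": password})) as r:
        sid = json.loads(r.read())["sid"]
    with opener(api_request(base_url, "show-hostname", {}, sid)) as r:
        return json.loads(r.read())
```

The generated lines are meant to be reviewed and pasted into clish (and the final gaia_api line run as in the thread), not executed blindly; a write-type call made with this role should be rejected by RBA, which is the point of keeping the role to readonly-features.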