This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Luis_Miguel_Mig
Advisor
‎2022-07-28 08:30 AM
Jump to solution

gaia api access for tacacs users

Hi,
is there a way to give access to the gaia api to tacacs users?

 https://sc1.checkpoint.com/documents/latest/GaiaAPIs/#api_access~v1.6%20\

 

 

0 Kudos
2 Solutions

Accepted Solutions
Bob_Zimmerman
MVP Gold
MVP Gold
‎2022-07-29 11:25 AM
Jump to solution

Yes. Define the user in clish, but don't assign a password. This allows you to add an RBA role. The role needs to include permissions for API calls, most (maybe all?) of which start with 'expert_api_'. Once the user is created and the RBA role is assigned, you need to use 

gaia_api access --user <user> --enable true

as described in the link.

Linux uses a subsystem called PAM for authenticating users. With how PAM is set up on Check Point systems, local passwords are tried first, then TACACS and RADIUS. By not defining a password for the user in clish, that check fails and falls through to the central authentication options.

View solution in original post

(1)
Bob_Zimmerman
MVP Gold
MVP Gold
‎2022-07-29 12:07 PM
In response to Luis_Miguel_Mig
Jump to solution 

add rba role ansibleRO domain-type System readonly-features expert_api_Messages,expert_api_Misc,expert_api_NTP,expert_api_aaa,expert_api_allowed-clients,expert_api_asset,expert_api_backup,expert_api_cphaprob,expert_api_cpstat,expert_api_dhcp-server,expert_api_diagnostics,expert_api_dns,expert_api_files,expert_api_ftw,expert_api_groups,expert_api_hostname,expert_api_interface,expert_api_ioc-feeder,expert_api_ipv6,expert_api_license,expert_api_lldp,expert_api_passwordcontrols,expert_api_proxy
add rba role ansibleRO domain-type System readonly-features expert_api_route,expert_api_routes,expert_api_runScript,expert_api_server-status,expert_api_snapshot,expert_api_snmp,expert_api_syslog,expert_api_system,expert_api_versions
...

View solution in original post

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2022-07-28 10:19 AM
Jump to solution

I assume the users are not locally defined in Gaia, correct?
That may be a requirement for this option, not entirely sure.

0 Kudos
Luis_Miguel_Mig
Advisor
‎2022-07-29 02:00 AM
In response to PhoneBoy
Jump to solution

It was defined locally but I had to  add "add rba user USER roles adminRole" and now it works.
I guess there is no equivalent  api command to  the cli "tacacs_enable TACP-15"  command, right?

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2022-07-29 11:25 AM
Jump to solution

Yes. Define the user in clish, but don't assign a password. This allows you to add an RBA role. The role needs to include permissions for API calls, most (maybe all?) of which start with 'expert_api_'. Once the user is created and the RBA role is assigned, you need to use 

gaia_api access --user <user> --enable true

as described in the link.

Linux uses a subsystem called PAM for authenticating users. With how PAM is set up on Check Point systems, local passwords are tried first, then TACACS and RADIUS. By not defining a password for the user in clish, that check fails and falls through to the central authentication options.

(1)
Luis_Miguel_Mig
Advisor
‎2022-07-29 11:29 AM
In response to Bob_Zimmerman
Jump to solution

Yeah thanks, all works. The only think is that I would like to be able to use a non admin user for read_only type of api queries

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2022-07-29 12:07 PM
In response to Luis_Miguel_Mig
Jump to solution 

add rba role ansibleRO domain-type System readonly-features expert_api_Messages,expert_api_Misc,expert_api_NTP,expert_api_aaa,expert_api_allowed-clients,expert_api_asset,expert_api_backup,expert_api_cphaprob,expert_api_cpstat,expert_api_dhcp-server,expert_api_diagnostics,expert_api_dns,expert_api_files,expert_api_ftw,expert_api_groups,expert_api_hostname,expert_api_interface,expert_api_ioc-feeder,expert_api_ipv6,expert_api_license,expert_api_lldp,expert_api_passwordcontrols,expert_api_proxy
add rba role ansibleRO domain-type System readonly-features expert_api_route,expert_api_routes,expert_api_runScript,expert_api_server-status,expert_api_snapshot,expert_api_snmp,expert_api_syslog,expert_api_system,expert_api_versions
...
0 Kudos
D_W
Advisor
‎2023-08-16 06:50 AM
In response to Bob_Zimmerman
Jump to solution

@Bob_Zimmerman 
Works like a charm!

But why is then there the option "gaia_api access -u unlocal_users -e true"?
When I try it without @Bob_Zimmerman local created user - the tacacs user logs into the API successfully with TACP-0 but cannot execute any commands. Although i added the REST API Calls to the TACP-0 Role.

The official documentation for this is not helpful 🙄 Unfortunately that's not the first time where the documentation is not answering all questions... luckily we have check mates!

0 Kudos
Hugo_vd_Kooij
MVP Gold
MVP Gold
‎2023-08-17 11:40 PM
In response to Bob_Zimmerman
Jump to solution

Itried to see if it works for _nonlocl user  .....

]# gaia_api access --user _nonlocl --enable true
Grant Access: User '_nonlocl' doesn't exist

Too bad it didn't. That would solve it all at once.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events