cem82
Contributor

mgmt_cli Only "admin" user works for authentication

Hi

We want to use mgmt_cli but also have logs of the particular user making the changes, for auditing. Initially I tried a user that is defined in SmartConsole with super domain admin privileges (remote auth) but get "auth failed"; I have also tried creating a local user with "Gaia API" ticked in the Gaia Portal with adminRole selected, but same thing. Only the "admin" username works. What am I missing here? Running MDM R81.10 JHF 66.

0 Kudos
4 Replies
PhoneBoy
Admin

Try updating the Gaia API itself from here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
If you're still having issues, I recommend engaging with the TAC.

0 Kudos
Bob_Zimmerman
Authority

Are you talking about the Gaia API (for managing OS-level things like routes and SNMP traps), or the management API (for managing application-level things like objects and rules)? mgmt_cli is used for the latter, but the "Gaia API" checkbox is only for the OS-level API.

If you're trying to use the management API with an MDS, you have to specify which management domain you want to login to.

0 Kudos
cem82
Contributor

This is for the mgmt API, for object and rule management etc., and I am specifying the --domain option as we are running MDM.

I've done some further testing now: it works for a test user created in SmartConsole using "Check Point password". For all other users we have TACACS auth, and that isn't working for mgmt_cli but does for SmartConsole/SSH/etc.

Didn't realise the "Gaia API" was for the OS level, so thanks for pointing that out.

0 Kudos
Bob_Zimmerman
Authority

That's odd. I use central authentication for my account, and I'm definitely able to get into my MDS via the API:

[Expert@MyMDS]# mgmt_cli -d "Global" login
Username: zimmie
Password: 
uid: "8fb1319e-b00b-4062-84b9-ee705cf053fa"
sid: "8XNsNFG78VUvub477DRkzOiBY7_dB5J9fVCxmBQwetg"
url: "https://127.0.0.1:443/web_api"
session-timeout: 600
api-server-version: "1.8"
user-name: "zimmie"
user-uid: "407b754f-40c6-41c6-bee6-2a113e8c9b94"

[Expert@MyMDS]# vi session.txt    # Just to paste the information from above.
[Expert@MyMDS]# mgmt_cli -f json -s session.txt logout
{
  "message" : "OK"
}

I'm using RADIUS rather than TACACS (because you can have admins authenticate against a RADIUS group instead of just one TACACS server), but neither RADIUS nor TACACS has any control over permissions.

Does the TACACS server show the user successfully authenticating?

0 Kudos
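The exchange shown in the reply above (login against a named domain on an MDS, saving the session, then logging out with -s) is what mgmt_cli performs over the Management Web API. The following is an added example, not code from the thread or from Check Point: it parses the key/value block mgmt_cli prints after login into a session dict, builds the equivalent POST /web_api/login and /web_api/logout requests (the endpoint paths, the user/password/domain fields and the X-chkp-sid session header are the documented Management API conventions), and produces an audit line that records which user the session belongs to without writing the session id itself. The host name, user name and all ids are constructed placeholders.

```python
"""Build and parse Check Point Management API (web_api) login/logout exchanges.

Added example, not code from the thread. The paths /web_api/login and
/web_api/logout, the login fields user/password/domain and the X-chkp-sid
header follow the documented Management API; host, user and ids below are
constructed placeholders.
"""
import json
from typing import Any, Dict, Optional, Tuple

Request = Tuple[str, Dict[str, str], str]  # (url, headers, JSON body)

# Constructed sample (placeholder ids, not a real session): the block that
# mgmt_cli prints after a successful login, in the same shape as in the thread.
SAMPLE_LOGIN_OUTPUT = """\
uid: "00000000-0000-4000-8000-000000000001"
sid: "EXAMPLE_SESSION_ID_NOT_REAL"
url: "https://127.0.0.1:443/web_api"
session-timeout: 600
api-server-version: "1.8"
user-name: "auditor1"
user-uid: "00000000-0000-4000-8000-000000000002"
"""


def parse_login_output(text: str) -> Dict[str, Any]:
    """Turn the 'key: value' lines mgmt_cli prints into a dict.

    This is the same information mgmt_cli reads back from the file given to
    -s. Quoted values are unquoted; plain integers (session-timeout) become int.
    """
    session: Dict[str, Any] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)  # split on the first colon only (URLs contain more)
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            session[key] = value[1:-1]
        elif value.isdigit():
            session[key] = int(value)
        else:
            session[key] = value
    return session


def login_request(host: str, user: str, password: str,
                  domain: Optional[str] = None) -> Request:
    """Build the POST /web_api/login call that 'mgmt_cli -d <domain> login' performs.

    On an MDS the 'domain' field is what -d supplies; without it the server has
    no domain to log the user into. The body carries the credentials, so it
    must only ever be sent over TLS.
    """
    body: Dict[str, Any] = {"user": user, "password": password}
    if domain is not None:
        body["domain"] = domain
    return (f"https://{host}/web_api/login",
            {"Content-Type": "application/json"},
            json.dumps(body))


def authenticated_request(host: str, sid: str, command: str,
                          payload: Optional[Dict[str, Any]] = None) -> Request:
    """Build a follow-up call (show-hosts, add-host, logout, ...) carrying the sid.

    Every change made under this sid is attributed in the management audit log
    to the user-name/user-uid returned at login, which is what per-user
    auditing of API changes relies on.
    """
    return (f"https://{host}/web_api/{command}",
            {"Content-Type": "application/json", "X-chkp-sid": sid},
            json.dumps(payload or {}))


def logout_request(host: str, session: Dict[str, Any]) -> Request:
    """Equivalent of 'mgmt_cli -s session.txt logout': POST /web_api/logout."""
    return authenticated_request(host, str(session["sid"]), "logout")


def audit_summary(session: Dict[str, Any]) -> str:
    """One line for your own records; deliberately omits the sid (a bearer token)."""
    return (f"api-login user-name={session.get('user-name')} "
            f"user-uid={session.get('user-uid')} "
            f"timeout={session.get('session-timeout')}s "
            f"api-version={session.get('api-server-version')}")


if __name__ == "__main__":
    sess = parse_login_output(SAMPLE_LOGIN_OUTPUT)
    url, headers, body = login_request("mds.example.invalid", "auditor1",
                                       "<password>", domain="Global")
    print("login  ->", url, body.replace("<password>", "****"))
    print(audit_summary(sess))
    url, headers, body = logout_request("mds.example.invalid", sess)
    print("logout ->", url, "X-chkp-sid:", headers["X-chkp-sid"][:4] + "...", body)
```

Running the script prints the login request with the password masked, the audit line for the parsed session, and the logout request. Because parse_login_output keys off the same field names mgmt_cli writes, the dict it returns can be dumped straight back into the file handed to -s, and the user-name/user-uid pair in it is the identity the management server will stamp on the audit log entries for that session.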
