This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
cem82
Contributor
‎2022-11-15 03:30 PM

mgmt_cli Only "admin" user works for authentication

Hi

We're wanting to use mgmt_cli but have logs for the particular user that is making the changes for auditing.  Initially tried a user that is defined in Smartconsole that has super domain admin privileges (remote auth) but get auth failed, have also tried creating a local user with the "Gaia API" ticked in Gaia Portal with adminRole selected but same thing.  Only the "admin" username works - what am I missing here?  Running MDM R81.10 JHF 66

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2022-11-15 04:35 PM

Try updating the Gaia API itself from here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
If you're still having issues, I recommend engaging with the TAC.

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2022-11-16 07:09 AM

Are you talking about the Gaia API (for managing OS-level things like routes and SNMP traps), or the management API (for managing application-level things like objects and rules)? mgmt_cli is used for the latter, but the "Gaia API" checkbox is only for the OS-level API.

If you're trying to use the management API with an MDS, you have to specify which management domain you want to login to.

0 Kudos
cem82
Contributor
‎2022-11-16 12:55 PM
In response to Bob_Zimmerman

This is for the mgmt API for object and rules management etc and am specifying the --domain option as we are running MDM.

I've done some further testing now, works for a test user created in Smartconsole using "Check Point password" works.  For all other users we have TACACS auth and that isn't working for mgmt_cli but does for smartconsole/ssh/etc

 

Didn't realise the "Gaia API" was for OS level so thanks for pointing that out

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2022-11-16 02:05 PM
In response to cem82

That's odd. I use central authentication for my account, and I'm definitely able to get into my MDS via the API:

[Expert@MyMDS]# mgmt_cli -d "Global" login
Username: zimmie
Password: 
uid: "8fb1319e-b00b-4062-84b9-ee705cf053fa"
sid: "8XNsNFG78VUvub477DRkzOiBY7_dB5J9fVCxmBQwetg"
url: "https://127.0.0.1:443/web_api"
session-timeout: 600
api-server-version: "1.8"
user-name: "zimmie"
user-uid: "407b754f-40c6-41c6-bee6-2a113e8c9b94"

[Expert@MyMDS]# vi session.txt    # Just to paste the information from above.
[Expert@MyMDS]# mgmt_cli -f json -s session.txt logout
{
  "message" : "OK"
}

I'm using RADIUS rather than TACACS (because you can have admins authenticate against a RADIUS group instead of just one TACACS server), but neither RADIUS nor TACACS has any control over permissions.

Does the TACACS server show the user successfully authenticating?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events