TACACS+ and Multiple Roles

We're trying to get TACACS+ working with an R80.10 SMS server, per the video "Configure Gaia with TACACS+ Authentication" on YouTube.

We're using one TACACS+ server running on Ubuntu and are trying to integrate it with the R80.10 SMS. On the SMS server, we've created two roles: TACP-0 (with Read/Write access to the Authentication Servers and Firewall Management) and TACP-15 (with Read/Write access to everything). Our users can authenticate, but every authenticated user seems to default to the TACP-0 role, even with priv-lvl set to 15, instead of to the TACP-15 role. Is there anything we're missing?

8 Replies

Yes, that is the default behavior. You'll always log in as TACP-0 first, and then you must request the advanced role rights with tacacs_enable TACP-15. It is written in the SK mentioned by Danny Jung above. What's unpleasant is that you'll need to reauthenticate a second time.


Okay, that makes sense from the command line, but what if you're logging into the GUI?


Yeah, in the WebUI you must switch it as well, at the top of the page, and the logic is completely the same.


Given that the default role for all TACACS+ users is TACP-0, it seems that R/W access to the "tacacs_enable" command must exist on the TACP-0 role for the R/W users to be able to use it to escalate to TACP-15, but then this allows RO users to use it as well.

How do you limit RO users so they do not have the ability to escalate their privileges using tacacs_enable TACP-15 whilst allowing R/W users to do so?

Iain
CISSP

Users that are assigned the TACP-0 role in the TACACS server will not be allowed to escalate their role.

Regards, Maarten

As far as I know there are no VSAs supported by Checkpoint when using TACACS. How would you map a user to TACP-0 or TACP-15 on TACACS?


Hi Gurus,

The answer comes a little bit late, but anyway.

The "priv-lvl" configuration done on your tacacs server is there for that.

If your user is configured with "priv-lvl = 15", then he will be able to change to level 15; otherwise, he won't.

Cheers,

Jean-Christophe

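As an added illustration (not part of any reply above, and not Check Point's or the original poster's configuration), here is what the server-side mapping Jean-Christophe describes looks like in a tac_plus.conf for the Shrubbery tac_plus daemon. That the Ubuntu host runs Shrubbery tac_plus is an assumption; the shared key, group names, usernames and password hashes are placeholders. The read/write group carries priv-lvl = 15, so its members can run tacacs_enable TACP-15 after the initial TACP-0 login; the read-only group carries priv-lvl = 1 (an assumed value, anything other than 15 will do), so its members stay at TACP-0 and cannot escalate, which is the separation Iain asked about.

```conf
# tac_plus.conf (Shrubbery tac_plus assumed; all values are placeholders)

# Shared secret; must match the TACACS+ server entry on the Gaia/SMS side.
key = "change-me-shared-secret"

accounting file = /var/log/tac_plus.acct

# Read/Write administrators.
# priv-lvl 15 is what Gaia checks when the user runs "tacacs_enable TACP-15"
# after the initial TACP-0 login.
group = gaia-rw {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# Read-only users.
# No priv-lvl 15 here (1 is an assumed placeholder), so "tacacs_enable TACP-15"
# is refused and they remain in the TACP-0 role.
group = gaia-ro {
    default service = permit
    service = exec {
        priv-lvl = 1
    }
}

# Placeholder accounts; "des" takes a crypt(3) hash, "cleartext" is also accepted.
user = alice {
    member = gaia-rw
    login = des "XXXXXXXXXXXXX"
}

user = bob {
    member = gaia-ro
    login = des "XXXXXXXXXXXXX"
}
```

Note that, as the thread states, every user still lands in TACP-0 at first login regardless of priv-lvl; the attribute only gates the second authentication performed by tacacs_enable TACP-15 (or the equivalent role switch at the top of the WebUI page). To check the mapping, log in as each placeholder user and run tacacs_enable TACP-15: the gaia-rw member should be re-prompted and granted the role, the gaia-ro member should be refused.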