TACACS+ and Multiple Roles

We're trying to get TACACS+ working with an R80.10 SMS server, per the video "Configure Gaia with TACACS+ Authentication" on YouTube.

We're using one TACACS+ server running on Ubuntu, trying to integrate it with the R80.10 SMS. On the SMS server, we've created two roles, TACP-0 (with Read/Write access to the Authentication Servers and Firewall Management) and TACP-15 (with Read/Write access to everything). Our users can authenticate, but every authenticated user seems to default to the TACP-0 role, even with priv-lvl set to 15, instead of to the TACP-15 role. Is there anything we're missing?

8 Replies
Danny
Pearl

Re: TACACS+ and Multiple Roles

Petr_Hantak
Silver

Re: TACACS+ and Multiple Roles

Yes, that is the default behavior. You'll always log in as TACP-0 first, and then you must request the advanced role rights with tacacs_enable TACP-15. It is written in the SK mentioned by Danny Jung above. Quite unpleasant is that you'll need to reauthenticate a second time.


Re: TACACS+ and Multiple Roles

Okay, that makes sense from the command line, but what if you're logging into the GUI?

Petr_Hantak
Silver

Re: TACACS+ and Multiple Roles

Yeah, in the WebUI you must switch it as well, at the top of the page, and the logic is completely the same.

Iain_Keir1
Nickel

Re: TACACS+ and Multiple Roles

Given that the default role for all TACACS users is TACP-0, it seems that R/W access to the "tacacs_enable" command must exist on the TACP-0 role for the R/W users to be able to use it to escalate to TACP-15, but then this allows RO users to also use it.

How do you limit RO users so they do not have the ability to escalate their privileges using tacacs_enable TACP-15 whilst allowing R/W users to do so?

Iain
CISSP

Re: TACACS+ and Multiple Roles

Users that are assigned the TACP-0 role in the TACACS server will not be allowed to escalate their role.

Regards, Maarten

Re: TACACS+ and Multiple Roles

As far as I know, there are no VSAs supported by Check Point when using TACACS. How would you map a user to TACP-0 or TACP-15 on TACACS?


Re: TACACS+ and Multiple Roles

Hi Gurus,
The answer comes a little bit late, but anyway.

The "priv-lvl" configuration done on your TACACS server is there for that.

If your user is configured with "priv-lvl = 15", then he will be able to change to level 15; otherwise, he won't.
Cheers,

Jean-Christophe

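As an added example (not taken from the thread or from Check Point documentation), here is the priv-lvl mapping Jean-Christophe describes, written in what I assume is Shrubbery tac_plus configuration syntax on the Ubuntu server; the group names, user names, shared key and passwords are constructed placeholders:

```conf
# tac_plus.conf fragment (assumed Shrubbery tac_plus syntax)
# Shared secret between Gaia and the TACACS+ daemon: constructed placeholder.
key = "CHANGE-ME-shared-secret"

# Read-only operators: priv-lvl 0, so Gaia leaves them in TACP-0 and
# "tacacs_enable TACP-15" is refused for them.
group = gaia_readonly {
    service = exec {
        priv-lvl = 0
    }
}

# Administrators: priv-lvl 15, so after the initial TACP-0 login they may
# escalate to TACP-15 (CLI tacacs_enable or the WebUI role switch).
group = gaia_admins {
    service = exec {
        priv-lvl = 15
    }
}

# Constructed accounts; replace the cleartext passwords before use.
user = ops-viewer {
    member = gaia_readonly
    login = cleartext "viewer-placeholder"
}

user = fw-admin {
    member = gaia_admins
    login = cleartext "admin-placeholder"
}
```

Both accounts still land in TACP-0 at first login, as Petr describes; the priv-lvl value only decides whether the second, escalating authentication to TACP-15 is permitted.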