Hello,
I need to find a way to automate Administrator creation with RADIUS authentication on several Security Management Servers. I don't want the RADIUS administrator to connect to each Security Management Server to create the Administrators (he is not allowed to do that). I have tried to use the API, but unfortunately I got the following message telling me it's not supported:
[sms]# mgmt_cli --port <PORT> -u <USER> -p <PASSWORD> add administrator name "<NAME>" authentication-method "radius" radius-server "<RADIUS_SERVER>"
code: "err_inappropriate_domain_type"
message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."
Executed command failed. Changes are discarded.
[sms]#
Any idea/trick that I could use to achieve what I want to do?
Thanks
As the command says, this syntax should be used for a multi-domain env. If you have a SmartCenter, you probably need to fix the syntax of this command; it seems that a permission profile is missing too.
Those are examples from the API reference:
Command
add administrator name "admin" password "secret" must-change-password false email "admin@gmail.com" phone-number "1800-800-800" authentication-method "INTERNAL_PASSWORD" permissions-profile "read write all" --format json
• "--format json" is optional. By default the output is presented in plain text.
• This command is available using the SmartConsole CLI only on a Multi Domain environment and when logged into the MDS domain.
Command
add administrator name "super_admin" password "aaaa" must-change-password false email "admin@gmail.com" phone-number "1800-800-800" authentication-method "INTERNAL_PASSWORD" multi-domain-profile "domain super user" --format json
• "--format json" is optional. By default the output is presented in plain text.
• This command is available using the SmartConsole CLI only on a Multi Domain environment and when logged into the MDS domain.
Hello Marco,
Thanks for your quick reply.
I'm not sure I understand what you mean. Even if specifying a permission profile, the examples from the API reference guide say that this "is available using the SmartConsole CLI only on a Multi Domain environment". So it won't work on an SMS.
Did I miss something?
Indeed, I missed that part (too early in the morning here), so it seems that it is not supported on an SMS. Sorry for that.
No problem
You just need to add:
domain "System Data"
To your command.
Hi Dameon,
It's working, thanks for your help
a true jedi master advice
--domain 'System Data'
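The `--domain "System Data"` fix from the replies above, applied across several management servers and reporting the thread's `err_inappropriate_domain_type` error per server; this is an added example, not part of the original thread or Check Point's own code. The function names and host-list file are hypothetical, and it assumes `mgmt_cli` reads the API password from the `MGMT_CLI_PASSWORD` environment variable instead of `-p`, which keeps it out of the process list.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. add_radius_admin and rollout are
# hypothetical names. Assumption: mgmt_cli takes the API user's password from
# the MGMT_CLI_PASSWORD environment variable, so it never appears in argv.

# add_radius_admin HOST PORT API_USER NAME RADIUS_SERVER PROFILE
# Prints "HOST ok", "HOST wrong-domain" or "HOST failed"; returns 0 only on ok.
add_radius_admin() {
  local host="$1" port="$2" api_user="$3" name="$4" radius="$5" profile="$6"
  local out rc=0
  out=$(mgmt_cli -m "$host" --port "$port" -u "$api_user" \
          --domain "System Data" \
          add administrator name "$name" \
          authentication-method "radius" radius-server "$radius" \
          permissions-profile "$profile" 2>&1) || rc=$?
  case "$out" in
    *err_inappropriate_domain_type*)
      # Same error code as in the thread: flag the server for a manual check.
      echo "$host wrong-domain"; return 1 ;;
  esac
  if [ "$rc" -ne 0 ]; then
    echo "$host failed"; return 1
  fi
  echo "$host ok"
}

# rollout HOSTS_FILE PORT API_USER NAME RADIUS_SERVER PROFILE
# HOSTS_FILE lists one management server per line; blank lines and lines
# starting with '#' are skipped. Returns the number of servers that did not
# get the administrator, so 0 means every server accepted the change.
rollout() {
  local hosts="$1" host bad=0
  shift
  while read -r host _ || [ -n "$host" ]; do
    case "$host" in ''|'#'*) continue ;; esac
    # </dev/null stops mgmt_cli from consuming the rest of the host list.
    add_radius_admin "$host" "$@" </dev/null || bad=$((bad + 1))
  done <"$hosts"
  return "$bad"
}
```

Run it from a host that can reach each management API, using a dedicated API account limited to administrator management.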
For me, domain "System Data" does not help. I have tested it in R80.10 and R80.20. The API also does not show me any domains:
> show administrators domain "System Data"
code: "err_inappropriate_domain_type"
message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."
> show administrators --domain "System Data"
code: "err_inappropriate_domain_type"
message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."
> show domains
objects: []
total: 0
I am guessing the SmartConsole CLI is logged in to a specific domain - and does not let you specify the domain. This is a real pain if you're using a Check Point cloud SmartCenter (e.g. Endpoint Security cloud) as I don't think you can get OS CLI access (they wouldn't want you to...).