Hello,
I need to find a way to automate Administrators creation with RADIUS authentication on several Security Management Servers. I don't want the RADIUS administrator to connect on each Security Management Server to create the Administrators (he is not allowed to do that). I have tried to use the API but unfortunately I got the following message telling me it's not supported:
[sms]# mgmt_cli --port <PORT> -u <USER> -p <PASSWORD> add administrator name "<NAME>" authentication-method "radius" radius-server "<RADIUS_SERVER>"
code: "err_inappropriate_domain_type"
message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."
Executed command failed. Changes are discarded.
[sms]#
Any idea/trick that I could use to achieve what I want to do?
Thanks
As the command says, this syntax should be used for a multi-domain env. If you have a SmartCenter, you probably need to fix the syntax of this command; it seems that a permission profile is missing too.
Those are examples from the API reference:
Command
add administrator name "admin" password "secret" must-change-password false email "admin@gmail.com" phone-number "1800-800-800" authentication-method "INTERNAL_PASSWORD" permissions-profile "read write all" --format json
• "--format json" is optional. By default the output is presented in plain text.
• This command is available using the SmartConsole CLI only on a Multi Domain environment and when logged into the MDS domain.
Command
add administrator name "super_admin" password "aaaa" must-change-password false email "admin@gmail.com" phone-number "1800-800-800" authentication-method "INTERNAL_PASSWORD" multi-domain-profile "domain super user" --format json
• "--format json" is optional. By default the output is presented in plain text.
• This command is available using the SmartConsole CLI only on a Multi Domain environment and when logged into the MDS domain.
Hello Marco,
Thanks for your quick reply.
I'm not sure I understand what you mean. Even if specifying a permission profile, the examples from the API reference guide say that this "is available using the SmartConsole CLI only on a Multi Domain environment". So it won't work on an SMS.
Did I miss something?
Indeed, I have missed that part, too early in the morning here, so it seems that it is not supported on an SMS. Sorry for that.
No problem
You just need to add:
domain "System Data"
To your command.
Hi Dameon,
It's working, thanks for your help
A true Jedi master's advice:
--domain 'System Data'
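The `domain "System Data"` fix from the replies above, applied to the several-server case in the original question, as an added example that is not part of the original thread. It prints the command per server by default and, when run for real, reports any server that still answers with `err_inappropriate_domain_type`. The host names, account names and the `DRY_RUN`/`API_PASS` variables are constructed placeholders, and the script assumes mgmt_cli's `-m` option for addressing a remote management server and a non-zero exit status on failure.

```shell
#!/bin/sh
# Added example, not from the thread. All default values are constructed.
SMS_LIST="${SMS_LIST:-sms1.example.com sms2.example.com}"
API_PORT="${API_PORT:-443}"
API_USER="${API_USER:-api_admin}"
NEW_ADMIN="${NEW_ADMIN:-jdoe}"
RADIUS_SERVER="${RADIUS_SERVER:-radius-srv-1}"
PROFILE="${PROFILE:-read write all}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the command, 0 = run mgmt_cli

# $1 = mgmt_cli exit status, $2 = its output. The error code is the one quoted
# in the thread; a non-zero status on failure is an assumption.
classify_result() {
    case $2 in *err_inappropriate_domain_type*) echo wrong-domain; return ;; esac
    if [ "$1" -eq 0 ]; then echo ok; else echo failed; fi
}

# Create the administrator on one server, logging in to "System Data".
add_radius_admin() {
    sms=$1
    pass='********'   # masked in dry-run output
    [ "$DRY_RUN" = 1 ] || pass=${API_PASS:?export API_PASS first}
    set -- mgmt_cli -m "$sms" --port "$API_PORT" -u "$API_USER" -p "$pass" \
        --domain "System Data" \
        add administrator name "$NEW_ADMIN" \
        authentication-method "radius" radius-server "$RADIUS_SERVER" \
        permissions-profile "$PROFILE"
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
        return 0
    fi
    rc=0
    out=$("$@" 2>&1) || rc=$?
    status=$(classify_result "$rc" "$out")
    [ "$status" = ok ] || { echo "$sms: $status" >&2; return 1; }
}

# Try every server and list the ones that refused instead of stopping early.
create_on_all() {
    failed=""
    for host in $SMS_LIST; do
        add_radius_admin "$host" || failed="$failed $host"
    done
    [ -z "$failed" ] || { echo "failed on:$failed" >&2; return 1; }
}

create_on_all
```

Set `DRY_RUN=0` and export `API_PASS` to run the commands instead of printing them.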
For me domain "System Data" does not help. I have tested it in R80.10 and R80.20. The API also does not show me any domains:
> show administrators domain "System Data"
code: "err_inappropriate_domain_type"
message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."
> show administrators --domain "System Data"
code: "err_inappropriate_domain_type"
message: "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."
> show domains
objects: []
total: 0
I am guessing the SmartConsole CLI is logged in to a specific domain - and does not let you specify the domain. This is a real pain if you're using a Check Point cloud SmartCenter (e.g. Endpoint Security cloud) as I don't think you can get OS CLI access (they wouldn't want you to...).