This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
John_Ejaife
Participant
‎2018-08-08 02:40 PM

TACACS+ and Multiple Roles

We're trying to get TACACS+ working with R80.10 SMS server, per the video - Configure Gaia with TACACS+ Authentication - YouTube .

We're using one TACACS+ server running on Ubuntu. In trying to integrate with the R80.10 SMS. On the SMS server, we've created two roles, TACP-0 (with Read/Write access to to the Authentication Servers and Firewall Management) and TACP-15 (with Read/Write access to everything). Our users can authenticate, but every authenticated user seems to default to the TACP-0 role, even with priv-lvl set to 15, instead of to the TACP-15 role. Is there anything we're missing out?

8 Replies
Danny
Champion
Champion
‎2018-08-08 11:49 PM

Check Point just refreshed sk101573 - How to configure Gaia OS to work with a TACACS+ server

0 Kudos
Petr_Hantak
Advisor
‎2018-08-09 11:40 PM

Yes that is default behavior. You'll always login as TACP-0 first and then you must call for advanced role rights by tacacs_enable TACP-15. It is written in SK mentioned by Danny Jung above. Quite unpleasant is that you'll need to reauthenticate second time.

John_Ejaife
Participant
‎2018-08-10 05:16 PM
In response to Petr_Hantak

Okay, that makes sense from the command line, but what if you're logging into the GUI?

Petr_Hantak
Advisor
‎2018-08-13 12:10 AM
In response to John_Ejaife

Yeah in WebUI you must switch it as well on the top of the page and logic is completely the same. 

0 Kudos
Iain_Keir1
Contributor
‎2019-03-04 05:43 PM
In response to Petr_Hantak

Given that the default role for all TACCS users is TACP-0 it seems that R/W access to the "tacacs_enable" command must exist on the TACP-0 role for the R/W users to be able to use it to escalate to TACP-15 but then this allows RO users to also use it. 

How do you limit RO users so they do not have the ability to escalate their privileges using tacacs_enable TACP-15 whilst allowing R/W users to do so?

Iain
CISSP
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-03-04 11:47 PM
In response to Iain_Keir1

Users that are assigned the TACP-0 role in the TACACS server will not be allowed to escalate their role.

Regards, Maarten
Udupi_krishna
Contributor
‎2019-04-02 01:19 AM
In response to Maarten_Sjouw

As far as I know there are no VSAs supported by Checkpoint when using TACACS. How would you map a user to TACP-0 or TACP-15 on TACACS?

0 Kudos
Jean-Christoph1
Explorer
‎2019-05-28 01:57 AM
In response to Udupi_krishna

Hi Gurus,

 

Answers, comes a little bit late, but any way.

The "priv-lvl" configuration done on your tacacs server is there for that.

If your user is configured with "priv-lvl = 15", then he will be able to change to level 15,  otherwise, he won't.

 

Cheers,

Jean-Christophe

0 Kudos