This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
John_Ejaife
Participant
‎2018-08-08 02:40 PM

TACACS+ and Multiple Roles

We're trying to get TACACS+ working with R80.10 SMS server, per the video - Configure Gaia with TACACS+ Authentication - YouTube .

We're using one TACACS+ server running on Ubuntu. In trying to integrate with the R80.10 SMS. On the SMS server, we've created two roles, TACP-0 (with Read/Write access to to the Authentication Servers and Firewall Management) and TACP-15 (with Read/Write access to everything). Our users can authenticate, but every authenticated user seems to default to the TACP-0 role, even with priv-lvl set to 15, instead of to the TACP-15 role. Is there anything we're missing out?

9 Replies
Danny
MVP Platinum
MVP Platinum
‎2018-08-08 11:49 PM

Check Point just refreshed sk101573 - How to configure Gaia OS to work with a TACACS+ server

0 Kudos
Petr_Hantak
Advisor
Advisor
‎2018-08-09 11:40 PM

Yes that is default behavior. You'll always login as TACP-0 first and then you must call for advanced role rights by tacacs_enable TACP-15. It is written in SK mentioned by Danny Jung above. Quite unpleasant is that you'll need to reauthenticate second time.

John_Ejaife
Participant
‎2018-08-10 05:16 PM
In response to Petr_Hantak

Okay, that makes sense from the command line, but what if you're logging into the GUI?

Petr_Hantak
Advisor
Advisor
‎2018-08-13 12:10 AM
In response to John_Ejaife

Yeah in WebUI you must switch it as well on the top of the page and logic is completely the same. 

0 Kudos
Iain_Keir1
Contributor
‎2019-03-04 05:43 PM
In response to Petr_Hantak

Given that the default role for all TACCS users is TACP-0 it seems that R/W access to the "tacacs_enable" command must exist on the TACP-0 role for the R/W users to be able to use it to escalate to TACP-15 but then this allows RO users to also use it. 

How do you limit RO users so they do not have the ability to escalate their privileges using tacacs_enable TACP-15 whilst allowing R/W users to do so?

Iain
CISSP
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-03-04 11:47 PM
In response to Iain_Keir1

Users that are assigned the TACP-0 role in the TACACS server will not be allowed to escalate their role.

Regards, Maarten
Udupi_krishna
Contributor
‎2019-04-02 01:19 AM
In response to Maarten_Sjouw

As far as I know there are no VSAs supported by Checkpoint when using TACACS. How would you map a user to TACP-0 or TACP-15 on TACACS?

0 Kudos
Jean-Christoph1
Explorer
‎2019-05-28 01:57 AM
In response to Udupi_krishna

Hi Gurus,

 

Answers, comes a little bit late, but any way.

The "priv-lvl" configuration done on your tacacs server is there for that.

If your user is configured with "priv-lvl = 15", then he will be able to change to level 15,  otherwise, he won't.

 

Cheers,

Jean-Christophe

0 Kudos
bob111
Collaborator
‎2024-09-22 02:14 AM

Hey I know it has been a really long time but I have a question, what is  the password you are supposed to enter to escalate to the TACP-15? where do you configure it?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events