This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
bob111
Contributor
Monday

Tacacs authentication to firewall

Hello guys, I set up tacacs to my firewalls and I wanted to know if there is a way to log in straight to expert mode?
Thanks! 

0 Kudos
5 Replies
Lesley
Leader Leader
Leader
Monday

This can be done via the clish mode with:

set user admin shell /bin/bash

-------
If you like this post please give a thumbs up(kudo)! 🙂
AkosBakos
Advisor
Advisor
Monday
In response to Lesley

@Lesley 

Not 100% sure, but, TACACS user always "starts" in clish mode, or not?

Of course, you always set the default privilage (not the maximum), which is CLISH

 tacacs.png

https://support.checkpoint.com/results/sk/sk98733

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
Lesley
Leader Leader
Leader
Monday
In response to AkosBakos

Ah yes this is true 

After login, you can use the Gaia Clish command 'tacacs_enable TACP-15' to gain full privileges.
The security goal is to require a different password after logging in to deter malicious activities.
An Expert password that differs from all TACACS passwords, provides even more security.

HostName> add rba role TACP-15 domain-type System readwrite-features backup,clock-date,cluster_ha,configuration,expert,export,hw-monitor,message,perf,reboot_halt,revert,show-route-all,snapshot,static-route,syslog,tacacs_enable

 

-------
If you like this post please give a thumbs up(kudo)! 🙂
bob111
Contributor
Tuesday
In response to Lesley

Thank you very much for the help! So just to be clear there is no way for a tacacs user to log in to expert mode directly?

0 Kudos
PhoneBoy
Admin
Admin
Tuesday
In response to bob111

All "non local" users are impacted by this entry in /etc/passwd: 

_nonlocl:x:96:100:Non-local user:/home/_nonlocl:/etc/cli.sh

You can change this by editing /etc/passwd manually, but it impacts all TACACS+ and RADIUS servers.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events