bob111
Contributor

Tacacs authentication to firewall

Hello guys, I set up tacacs to my firewalls and I wanted to know if there is a way to log in straight to expert mode?
Thanks! 

10 Replies
Lesley
Leader

This can be done via the clish mode with:

set user admin shell /bin/bash

-------
If you like this post please give a thumbs up(kudo)! 🙂
AkosBakos
Leader

@Lesley 

Not 100% sure, but TACACS user always "starts" in clish mode, or not?

Of course, you always set the default privilege (not the maximum), which is CLISH.

[attachment: tacacs.png]

https://support.checkpoint.com/results/sk/sk98733

Akos

----------------
\m/_(>_<)_\m/
Lesley
Leader

Ah yes, this is true.

After login, you can use the Gaia Clish command 'tacacs_enable TACP-15' to gain full privileges.
The security goal is to require a different password after logging in to deter malicious activities.
An Expert password that differs from all TACACS passwords provides even more security.

HostName> add rba role TACP-15 domain-type System readwrite-features backup,clock-date,cluster_ha,configuration,expert,export,hw-monitor,message,perf,reboot_halt,revert,show-route-all,snapshot,static-route,syslog,tacacs_enable


-------
If you like this post please give a thumbs up(kudo)! 🙂
bob111
Contributor

Thank you very much for the help! So just to be clear there is no way for a tacacs user to log in to expert mode directly?

PhoneBoy
Admin

All "non local" users are impacted by this entry in /etc/passwd: 

_nonlocl:x:96:100:Non-local user:/home/_nonlocl:/etc/cli.sh

You can change this by editing /etc/passwd manually, but it impacts all TACACS+ and RADIUS servers.

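Two things in this thread decide where a TACACS+ user ends up after login: the login shell of the shared `_nonlocl` account in /etc/passwd (PhoneBoy's post) and the `readwrite-features` list of the RBA role the TACACS+ server assigns, which grants `expert` and `tacacs_enable` (Lesley's TACP-15 example). The audit script below is an added example, not from the thread or from Check Point; the passwd contents and the role line are constructed copies of what is quoted above, and the `ok`/`modified`/`missing` labels are this script's own. Run it on a Gaia box as `sh audit.sh /etc/passwd` to confirm the entry still carries the default `/etc/cli.sh` shell (a hand-edited `/bin/bash` is the unsupported change the thread warns about) and to check which features a role grants before handing it out.

```shell
#!/bin/sh
# Added audit helpers (not from the thread or Check Point): inspect the two
# settings discussed above that decide where a TACACS+ user lands on Gaia.

# Constructed sample /etc/passwd, modelled on the _nonlocl line quoted in the thread.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
admin:x:0:0:Admin:/home/admin:/etc/cli.sh
_nonlocl:x:96:100:Non-local user:/home/_nonlocl:/etc/cli.sh'

# Same file after the manual shell edit the thread describes (constructed).
MODIFIED_PASSWD='root:x:0:0:root:/root:/bin/bash
_nonlocl:x:96:100:Non-local user:/home/_nonlocl:/bin/bash'

# Constructed copy of the clish role definition quoted above.
SAMPLE_ROLE='add rba role TACP-15 domain-type System readwrite-features backup,clock-date,cluster_ha,configuration,expert,export,hw-monitor,message,perf,reboot_halt,revert,show-route-all,snapshot,static-route,syslog,tacacs_enable'

# nonlocal_shell PASSWD_TEXT: print the login shell of the _nonlocl account
# (empty when the entry is absent).
nonlocal_shell() {
    printf '%s\n' "$1" | awk -F: '$1 == "_nonlocl" { print $7; exit }'
}

# check_nonlocal PASSWD_TEXT: "ok" when _nonlocl still uses /etc/cli.sh (the
# Gaia default, so every TACACS+/RADIUS login starts in clish), "modified" when
# the shell was changed by hand, "missing" when the entry is gone.
check_nonlocal() {
    shell=$(nonlocal_shell "$1")
    if [ -z "$shell" ]; then
        echo missing
    elif [ "$shell" = "/etc/cli.sh" ]; then
        echo ok
    else
        echo modified
    fi
}

# role_has_feature CLISH_LINE FEATURE: succeed (exit 0) when FEATURE appears in
# the role's readwrite-features list, e.g. "expert" or "tacacs_enable".
role_has_feature() {
    printf '%s\n' "$1" | awk -v want="$2" '
        {
            for (i = 1; i < NF; i++)
                if ($i == "readwrite-features") {
                    n = split($(i + 1), f, ",")
                    for (j = 1; j <= n; j++)
                        if (f[j] == want) found = 1
                }
        }
        END { exit found ? 0 : 1 }'
}

# When given a passwd file as the first argument, audit that file.
if [ -n "${1:-}" ]; then
    echo "_nonlocl shell state: $(check_nonlocal "$(cat "$1")")"
    if role_has_feature "$SAMPLE_ROLE" expert; then
        echo "sample role TACP-15 grants expert (shell access)"
    fi
fi
```

The `_nonlocl` check is a cheap drift detector: the shell field is the only thing separating "lands in clish, needs `tacacs_enable`/expert password" from "lands straight in a root shell", so it is worth pinning in whatever configuration baseline the firewalls are compared against.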
bob111
Contributor

Thank you.
Is there something else I need to do afterwards? I changed it but it still connects to clish first.

PhoneBoy
Admin

May not be supported to change that.
In any case, a TAC case may be in order here.

bob111
Contributor

Understood, thank you! 
Another thing I was wondering is if it is possible to make the expert password TACACS based?

PhoneBoy
Admin

Not as far as I know.
TAC should also be able to confirm this.

Bob_Zimmerman
Authority

To be clear, what Check Point calls "expert mode" is really two separate things: a full shell like BASH and root-level permissions. You can set both of these things for RADIUS ("set aaa radius-servers default-shell VALUE" for all users, and "set aaa radius-servers super-user-uid VALUE" for users defined as superusers), but not for TACACS.
