This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
bob111
Collaborator
‎2024-11-25 02:00 AM

Tacacs authentication to firewall

Hello guys, I set up tacacs to my firewalls and I wanted to know if there is a way to log in straight to expert mode?
Thanks! 

0 Kudos
10 Replies
Lesley
Mentor Mentor
Mentor
‎2024-11-25 08:22 AM

This can be done via the clish mode with:

set user admin shell /bin/bash

-------
If you like this post please give a thumbs up(kudo)! 🙂
AkosBakos
Mentor Mentor
Mentor
‎2024-11-25 10:02 AM
In response to Lesley

@Lesley 

Not 100% sure, but, TACACS user always "starts" in clish mode, or not?

Of course, you always set the default privilage (not the maximum), which is CLISH

 tacacs.png

https://support.checkpoint.com/results/sk/sk98733

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
Lesley
Mentor Mentor
Mentor
‎2024-11-25 06:48 PM
In response to AkosBakos

Ah yes this is true 

After login, you can use the Gaia Clish command 'tacacs_enable TACP-15' to gain full privileges.
The security goal is to require a different password after logging in to deter malicious activities.
An Expert password that differs from all TACACS passwords, provides even more security.

HostName> add rba role TACP-15 domain-type System readwrite-features backup,clock-date,cluster_ha,configuration,expert,export,hw-monitor,message,perf,reboot_halt,revert,show-route-all,snapshot,static-route,syslog,tacacs_enable

 

-------
If you like this post please give a thumbs up(kudo)! 🙂
bob111
Collaborator
‎2024-11-26 01:12 AM
In response to Lesley

Thank you very much for the help! So just to be clear there is no way for a tacacs user to log in to expert mode directly?

0 Kudos
PhoneBoy
Admin
Admin
‎2024-11-26 11:38 AM
In response to bob111

All "non local" users are impacted by this entry in /etc/passwd: 

_nonlocl:x:96:100:Non-local user:/home/_nonlocl:/etc/cli.sh

You can change this by editing /etc/passwd manually, but it impacts all TACACS+ and RADIUS servers.

0 Kudos
bob111
Collaborator
‎2024-11-29 11:55 PM
In response to PhoneBoy

Thank you.
Is there something else I need to do afterwards? I changed it but it still connects to clish first.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-12-02 02:34 PM
In response to bob111

May not be supported to change that.
In any case, a TAC case may be in order here.

0 Kudos
bob111
Collaborator
‎2024-12-03 01:47 AM
In response to PhoneBoy

Understood, thank you! 
Another thing I was wondering is if it is possible to make the expert password tacacs based?  

0 Kudos
PhoneBoy
Admin
Admin
‎2024-12-03 02:44 PM
In response to bob111

Not as far as I know.
TAC should also be able to confirm this.

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2024-12-03 05:48 AM
In response to bob111

To be clear, what Check Point calls "expert mode" is really two separate things: a full shell like BASH and root-level permissions. You can set both of these things for RADIUS ("set aaa radius-servers default-shell VALUE" for all users, and "set aaa radius-servers super-user-uid VALUE" for users defined as superusers), but not for TACACS.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top