This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Han_Lung_Kuo
Explorer
‎2024-07-04 07:47 PM

How to Config a TACACS Server for non-local Quantum Spark Appliance users

 

Hi All,

  I use 1600 appliance at R81.10.07, and use cisco ISE as TACACS server,

when I choice "Use default role for TACACS+ users" at Spark WebUI,

and assign it to be Super Admin, It is work well.


But I would like to known how can I assign role by TACACS server?

I see WebUI have options "Use roles defined on TACACS+ server",

but I can't found info about config for TACACS+.

 

 

0 Kudos
6 Replies
JonnyRabinowitz
Employee
Employee
‎2024-07-04 11:41 PM

Hi there

I don't think I can fully answer the question but hope that I can point in the right direction 

What you are describing is that authentication against Cisco ISE is working OK. However, issue relates to the Authorization policy on ISE and specifically the attributes. 

You need to use livelogs on ISE to the TACACS+ profile assigned and then look at "Custom Attributes tab" to see specific attributes being returned. There should be a specific reserved attribute name that indicates the role to be assigned to the administrator

I cannot talk specifically to the attribute name to use. Googling, it seems to be something similar to

  • Checkpoint-User-Role=adminRole   // where adminRole is the name of the Role defined on appliance

 

0 Kudos
Han_Lung_Kuo
Explorer
‎2024-07-16 11:03 PM
In response to JonnyRabinowitz

Hi Jonny,

Thanks for you reply. but I try:

- Checkpoint-User-Role=adminRole
- CheckPoint-SuperUser-Access=1
- CP-Gaia-User-Role=adminRole

and all get Read-Only Admin, I am not sure need some else or not?

 

0 Kudos
JonnyRabinowitz
Employee
Employee
‎2024-07-17 02:50 AM
In response to Han_Lung_Kuo

Did you confirm on  livelogs on ISE to see the TACACS+ profile assigned and confirm that is the profile where you defined the attributes above to be returned?

0 Kudos
Han_Lung_Kuo
Explorer
‎2024-07-29 08:13 AM
In response to JonnyRabinowitz

Hi Jonny,

Yes, I can see livelogs on ISE have response attributes.

005.jpg

 

0 Kudos
PhoneBoy
Admin
Admin
‎2024-07-17 10:47 AM

Does your TACACS+ server assigned the same roles listed in the documentation (with the same capitalization)?
https://sc1.checkpoint.com/documents/SMB_R81.10.X/CLI/EN/Content/Topics/set-administrators-tacacs-au... 

0 Kudos
Han_Lung_Kuo
Explorer
‎2024-09-29 08:21 PM


finally, I ask TAC and our partner.

TACACS Server values: priv-lvl=<n>
  ( For Cisco ISE, is the "Default Privilege" )

0 Monitor (Read-Only)
1 Mobile
2 Networking
3 Admin (full Read/Write)

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top