Han_Lung_Kuo
Explorer

How to Configure a TACACS Server for non-local Quantum Spark Appliance users


Hi All,

I use a 1600 appliance at R81.10.07 and use Cisco ISE as the TACACS server.

When I choose "Use default role for TACACS+ users" in the Spark WebUI

and assign it to Super Admin, it works well.


But I would like to know how I can assign the role from the TACACS server.

I see the WebUI has the option "Use roles defined on TACACS+ server",

but I can't find info about the config for TACACS+.

0 Kudos
6 Replies
JonnyRabinowitz
Employee

Hi there

I don't think I can fully answer the question, but I hope that I can point you in the right direction.

What you are describing is that authentication against Cisco ISE is working OK. However, the issue relates to the Authorization policy on ISE and specifically the attributes.

You need to use the live logs on ISE to see the TACACS+ profile assigned and then look at the "Custom Attributes" tab to see the specific attributes being returned. There should be a specific reserved attribute name that indicates the role to be assigned to the administrator.

I cannot speak specifically to the attribute name to use. Googling, it seems to be something similar to:

- Checkpoint-User-Role=adminRole   // where adminRole is the name of the role defined on the appliance

0 Kudos
Han_Lung_Kuo
Explorer

Hi Jonny,

Thanks for your reply, but I tried:

- Checkpoint-User-Role=adminRole
- CheckPoint-SuperUser-Access=1
- CP-Gaia-User-Role=adminRole

and all get Read-Only Admin. I am not sure whether something else is needed or not?

0 Kudos
JonnyRabinowitz
Employee

Did you confirm in the live logs on ISE which TACACS+ profile was assigned, and that it is the profile where you defined the attributes above to be returned?

0 Kudos
Han_Lung_Kuo
Explorer

Hi Jonny,

Yes, I can see that the live logs on ISE have the response attributes.

[Attached screenshot: 005.jpg]

0 Kudos
PhoneBoy
Admin

Does your TACACS+ server assign the same roles listed in the documentation (with the same capitalization)?
https://sc1.checkpoint.com/documents/SMB_R81.10.X/CLI/EN/Content/Topics/set-administrators-tacacs-au...

0 Kudos
Han_Lung_Kuo
Explorer

Finally, I asked TAC and our partner.

TACACS server value: priv-lvl=<n>
(For Cisco ISE, this is the "Default Privilege".)

- 0: Monitor (Read-Only)
- 1: Mobile
- 2: Networking
- 3: Admin (full Read/Write)

0 Kudos
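To make the resolution concrete, here is an added example (not code from the thread, Check Point or Cisco) that parses the attribute-value pairs an ISE TACACS+ authorization profile returns and maps priv-lvl to the Quantum Spark role using the table above. The vendor-style attributes tried earlier in the thread are parsed but ignored; treating a missing, non-numeric or out-of-range priv-lvl as the read-only role is an assumption of this example, modelled on what the original poster observed, not documented appliance behaviour.

```python
import re

# Mapping quoted from the TAC answer above: TACACS+ priv-lvl -> Quantum Spark role.
PRIV_LVL_ROLES = {
    0: "Monitor (Read-Only)",
    1: "Mobile",
    2: "Networking",
    3: "Admin (full Read/Write)",
}
# Assumption (this example only): anything the appliance cannot map lands on read-only.
FALLBACK_ROLE = PRIV_LVL_ROLES[0]

# RFC 8907 AV-pair syntax: "attr=value" is mandatory, "attr*value" is optional.
_AV_RE = re.compile(r"^([^=*]+)([=*])(.*)$")


def parse_av_pairs(pairs):
    """Parse TACACS+ authorization reply AV pairs into {attr: (value, mandatory)}."""
    parsed = {}
    for item in pairs:
        m = _AV_RE.match(item.strip())
        if not m:
            raise ValueError(f"malformed AV pair: {item!r}")
        attr, sep, value = m.groups()
        parsed[attr.strip()] = (value, sep == "=")
    return parsed


def spark_role_for(pairs):
    """Return (role, reason) for the AV pairs returned by the ISE shell profile."""
    avs = parse_av_pairs(pairs)
    if "priv-lvl" not in avs:
        ignored = sorted(avs)  # e.g. Checkpoint-User-Role: not consulted for the role
        return FALLBACK_ROLE, f"no priv-lvl returned; ignored attributes: {ignored}"
    value, _mandatory = avs["priv-lvl"]
    try:
        level = int(value)
    except ValueError:
        return FALLBACK_ROLE, f"priv-lvl is not an integer: {value!r}"
    if level not in PRIV_LVL_ROLES:
        return FALLBACK_ROLE, f"priv-lvl {level} is outside 0-3"
    return PRIV_LVL_ROLES[level], f"priv-lvl={level}"


# Constructed sample replies (not captured from ISE): the attributes tried in the
# thread, and the priv-lvl that ISE sends when "Default Privilege" is set to 3.
REPLY_WRONG_ATTRS = ["Checkpoint-User-Role=adminRole", "CheckPoint-SuperUser-Access=1"]
REPLY_PRIV_LVL = ["priv-lvl=3"]

if __name__ == "__main__":
    for reply in (REPLY_WRONG_ATTRS, REPLY_PRIV_LVL):
        role, why = spark_role_for(reply)
        print(f"{reply} -> {role} ({why})")
```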
