This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Help

Who rated this post

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Bob_Zimmerman
MVP Gold
MVP Gold
‎2022-07-29 11:25 AM

Yes. Define the user in clish, but don't assign a password. This allows you to add an RBA role. The role needs to include permissions for API calls, most (maybe all?) of which start with 'expert_api_'. Once the user is created and the RBA role is assigned, you need to use 

gaia_api access --user <user> --enable true

as described in the link.

Linux uses a subsystem called PAM for authenticating users. With how PAM is set up on Check Point systems, local passwords are tried first, then TACACS and RADIUS. By not defining a password for the user in clish, that check fails and falls through to the central authentication options.

View solution in original post

(1)
Who rated this post