Note: This document does not replace the Cisco ACS formal documentation. Please refer to Cisco ACS documentation for information about other topics. This document was created based on Check Point lab and specific Cisco ACS version.

 

Introduction

In Gaia OS, it is possible to authenticate with non-local users that are configured on TACACS+ or RADIUS servers. The most popular TACACS+ server is the Cisco ACS server. This article shows how to configure the Cisco ACS server to work with Gaia OS (this information was documented based on the Check Point lab).

Note: The default shell /bin/bash for TACACS+ users is not supported, and TACP-0 and TACP-15 roles are used for Privilege Escalation.

 

Procedure:

1. Configure network device and AAA client

   On the Cisco ACS server, go to 'Network Resources' > 'Network Devices and AAA Clients', and 'Create' new network device.

   

2. Configure Identity group

   Go to 'Users and Identity Stores' > 'Identity Groups', and create a new Identity group with a desired name (e.g., "CheckPointRW").

   

3. Adding new User

   Go to 'Users and Identity Stores' > 'Internal Identity Stores' > 'Users'.
   The user should be part of the Identity group added in the previous step.
   Configure two passwords for this user:

   • login password (for authenticating the login user)
   • enable password (for the enabling privileged level).

   

4. Add Shell Profile

   Go to 'Policy Elements' > 'Authorization and Permissions' > 'Device Administration' > 'Shell Profiles'.
   Add a shell profile to assign to the authenticated TACACS+ users.
   In 'Commands and Tasks', set the maximum privileged level as "15".

   

5. Create rule

   Go to 'Access Policies' > 'Access Service' > 'Default Device Admin' > 'Authorization' > create new rule.
   The rule will be: if the authenticated user is in the Identity group (e.g., "CheckPointRW"), then the result will be the shell profile created in the previous step.

   

6. Configure Gaia OS

   To be able to login to Gaia OS with TACACS+ user, configure the role TACP-0, and for every privileged level "X" that will be used with tacacs_enable, define the rule TACP-"X".

   Refer to the Gaia Administration Guide (R77.X, R80.10).

   1. HostName> add rba role TACP-0 domain-type System readwrite-features tacacs_enable
      

      Notes:
      
      • Use the enable password configured on the ACS server.
      • The enable password is valid for all privileged levels.

      HostName> add rba role TACP-15 domain-type System all-features
      HostName> save config
      HostName> show configuration rba
      

   2. HostName> add aaa tacacs-servers priority 1 server <IP_ADDRESS_of_ACS_SERVER> key <KEY> timeout 3
      HostName> set aaa tacacs-servers state on
      HostName> set aaa tacacs-servers user-uid 0
      HostName> save config
      HostName> show configuration aaa
      

Note for VSX:

HostName > add rba role TACP-0 virtual-system-access <0, ALL_Relevant VS>
HostName > add rba role TACP-15 virtual-system-access <0, ALL_Relevant VS>

For example:

HostName > add rba role TACP-0 virtual-system-access 0,1,5,6

Related documentation:

• Gaia Administration Guide (R77.X, R80.10)
• Cisco Secure Access Control System formal documentation

 

Related solutions:

• sk101573 - How to configure Gaia OS to work with a TACACS+ server
• sk69703 - TACACS+ support in Gaia OS
• sk108851 - TACACS+ users with role TACP-15 fail to access Expert mode on R77.30 Gaia OS
• sk105542 - How to configure a RADIUS server on Cisco ACS for authentication with Gaia OS
• sk93309 - Troubleshooting RADIUS authentication related issues in Gaia