Best Practices - Configuring Cisco ACS 5 server for TACACS+ authentication with Gaia OS
Note: This document does not replace the Cisco ACS formal documentation. Please refer to Cisco ACS documentation for information about other topics. This document was created based on Check Point lab and specific Cisco ACS version.
In Gaia OS, it is possible to authenticate with non-local users that are configured on TACACS+ or RADIUS servers. The most popular TACACS+ server is the Cisco ACS server. This article shows how to configure the Cisco ACS server to work with Gaia OS (this information was documented based on the Check Point lab).
Note: The default shell /bin/bash for TACACS+ users is not supported, and TACP-0 and TACP-15 roles are used for Privilege Escalation.
Configure network device and AAA client
On the Cisco ACS server, go to 'Network Resources' > 'Network Devices and AAA Clients', and 'Create' new network device.
Configure Identity group
Go to 'Users and Identity Stores' > 'Identity Groups', and create a new Identity group with a desired name (e.g., "CheckPointRW").
Adding new User
Go to 'Users and Identity Stores' > 'Internal Identity Stores' > 'Users'.
The user should be part of the Identity group added in the previous step.
Configure two passwords for this user:
- login password (for authenticating the login user)
- enable password (for the enabling privileged level).
Add Shell Profile
Go to 'Policy Elements' > 'Authorization and Permissions' > 'Device Administration' > 'Shell Profiles'.
Add a shell profile to assign to the authenticated TACACS+ users.
In 'Commands and Tasks', set the maximum privileged level as "15".
Go to 'Access Policies' > 'Access Service' > 'Default Device Admin' > 'Authorization' > create new rule.
The rule will be: if the authenticated user is in the Identity group (e.g., "CheckPointRW"), then the result will be the shell profile created in the previous step.
Configure Gaia OS
To be able to login to Gaia OS with TACACS+ user, configure the role TACP-0, and for every privileged level "X" that will be used with tacacs_enable, define the rule TACP-"X".
Refer to the Gaia Administration Guide (R77.X, R80.10).
HostName> add rba role TACP-0 domain-type System readwrite-features tacacs_enable
- Use the enable password configured on the ACS server.
- The enable password is valid for all privileged levels.
HostName> add rba role TACP-15 domain-type System all-features
HostName> save config
HostName> show configuration rba
HostName> add aaa tacacs-servers priority 1 server <IP_ADDRESS_of_ACS_SERVER> key <KEY> timeout 3
HostName> set aaa tacacs-servers state on
HostName> set aaa tacacs-servers user-uid 0
HostName> save config
HostName> show configuration aaa
Note for VSX:
HostName > add rba role TACP-0 virtual-system-access <0, ALL_Relevant VS>
HostName > add rba role TACP-15 virtual-system-access <0, ALL_Relevant VS>
HostName > add rba role TACP-0 virtual-system-access 0,1,5,6