Support Center > Search Results > SecureKnowledge Details
Best Practices - Configuring Cisco ACS 5 server for TACACS+ authentication with Gaia OS Technical Level

Note: This document does not replace the Cisco ACS formal documentation. Please refer to Cisco ACS documentation for information about other topics. This document was created based on Check Point lab and specific Cisco ACS version.



In Gaia OS, it is possible to authenticate with non-local users that are configured on TACACS+ or RADIUS servers. The most popular TACACS+ server is the Cisco ACS server. This article shows how to configure the Cisco ACS server to work with Gaia OS (this information was documented based on the Check Point lab).

Note: The default shell /bin/bash for TACACS+ users is not supported, and TACP-0 and TACP-15 roles are used for Privilege Escalation.



  1. Configure network device and AAA client

    On the Cisco ACS server, go to 'Network Resources' > 'Network Devices and AAA Clients', and 'Create' new network device.

  2. Configure Identity group

    Go to 'Users and Identity Stores' > 'Identity Groups', and create a new Identity group with a desired name (e.g., "CheckPointRW").

  3. Adding new User

    Go to 'Users and Identity Stores' > 'Internal Identity Stores' > 'Users'.
    The user should be part of the Identity group added in the previous step.
    Configure two passwords for this user:

    • login password (for authenticating the login user)
    • enable password (for the enabling privileged level).

  4. Add Shell Profile

    Go to 'Policy Elements' > 'Authorization and Permissions' > 'Device Administration' > 'Shell Profiles'.
    Add a shell profile to assign to the authenticated TACACS+ users.
    In 'Commands and Tasks', set the maximum privileged level as "15".

  5. Create rule

    Go to 'Access Policies' > 'Access Service' > 'Default Device Admin' > 'Authorization' > create new rule.
    The rule will be: if the authenticated user is in the Identity group (e.g., "CheckPointRW"), then the result will be the shell profile created in the previous step.

  6. Configure Gaia OS

    To be able to login to Gaia OS with TACACS+ user, configure the role TACP-0, and for every privileged level "X" that will be used with tacacs_enable, define the rule TACP-"X".

    Refer to the Gaia Administration Guide (R77.X, R80.10).

    1. HostName> add rba role TACP-0 domain-type System readwrite-features tacacs_enable
      • Use the enable password configured on the ACS server.
      • The enable password is valid for all privileged levels.
      HostName> add rba role TACP-15 domain-type System all-features
      HostName> save config
      HostName> show configuration rba
    2. HostName> add aaa tacacs-servers priority 1 server <IP_ADDRESS_of_ACS_SERVER> key <KEY> timeout 3
      HostName> set aaa tacacs-servers state on
      HostName> set aaa tacacs-servers user-uid 0
      HostName> save config
      HostName> show configuration aaa

Note for VSX:

HostName > add rba role TACP-0 virtual-system-access <0, ALL_Relevant VS>
HostName > add rba role TACP-15 virtual-system-access <0, ALL_Relevant VS>

For example:

HostName > add rba role TACP-0 virtual-system-access 0,1,5,6

Related documentation:


Related solutions:

Give us Feedback
Please rate this document