Best Practices - Configuring Cisco ACS 5 server for TACACS+ authentication with Gaia OS
Note: This document does not replace the Cisco ACS formal documentation. Please refer to Cisco ACS documentation for information about other topics.
Gaia OS can authenticate non-local users that are defined on TACACS+ or RADIUS servers. The most widely used TACACS+ server is Cisco ACS, and the steps below show how to configure a Cisco ACS server to work with Gaia OS.
Note: Setting /bin/bash as the default shell for TACACS+ users is not supported. The TACP-0 and TACP-15 roles are used for privilege escalation.
Configure network device and AAA client
On the Cisco ACS server, go to 'Network Resources' > 'Network Devices and AAA Clients', and click 'Create' to add a new network device.
Configure Identity group
Go to 'Users and Identity Stores' > 'Identity Groups', and create a new Identity group named "CheckPointRW" (or any other name).
Adding new User
Go to 'Users and Identity Stores' > 'Internal Identity Stores' > 'Users'. The user must be a member of the Identity group created in the previous step. Configure two passwords for the user: the login password (used to authenticate the login) and the enable password (used to enable a privilege level).
Add Shell Profile
Go to 'Policy Elements' > 'Authorization and Permissions' > 'Device Administration' > 'Shell Profiles'. Add a shell profile to assign to authenticated TACACS+ users. In 'Commands and Tasks', set the maximum privilege level to "15".
Add Authorization rule
Go to 'Access Policies' > 'Access Service' > 'Default Device Admin' > 'Authorization' and create a new rule. The rule is: if the authenticated user belongs to the Identity group "CheckPointRW", then the result is the shell profile created in the previous step.
To be able to log in to Gaia OS with a TACACS+ user, configure the role TACP-0, and for every privilege level X that will be used with tacacs_enable, define the role TACP-X.
Refer to the Gaia Administration Guide for your R77 version.
HostName> add rba role TACP-0 domain-type System readwrite-features tacacs_enable
Note: Use the enable password configured on the ACS server. The enable password is valid for all privileged levels.
HostName> add rba role TACP-15 domain-type System all-features
HostName> save config
HostName> show configuration rba
HostName> add aaa tacacs-servers priority 1 server <IP_ADDRESS_of_ACS_SERVER> key <KEY> timeout 3
HostName> set aaa tacacs-servers state on
HostName> set aaa tacacs-servers user-uid 0
HostName> save config
HostName> show configuration aaa
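The following is an added example and is not part of this article or of Check Point's own tooling. It is a small audit script for the role and server settings configured above: it parses the output of 'show configuration rba' and 'show configuration aaa' (assumed here to be printed as the same clish 'add'/'set' commands used to configure them) and reports whether TACP-0 exists and grants only tacacs_enable, whether a TACP-X role exists for every privilege level you expect users to escalate to, and whether the TACACS+ server entry is present and enabled. The sample output, server address and key are constructed for the example.

```python
"""Audit Gaia RBA/AAA settings for the TACP-X TACACS+ pattern.

Added example, not from the original article. Assumes that
'show configuration rba' and 'show configuration aaa' print the
configuration as clish 'add'/'set' commands.
"""
import re
from typing import Dict, List

# Constructed sample output, mirroring the commands in the article.
SAMPLE_RBA = """\
add rba role TACP-0 domain-type System readwrite-features tacacs_enable
add rba role TACP-15 domain-type System all-features
"""

SAMPLE_AAA = """\
add aaa tacacs-servers priority 1 server 192.0.2.10 key EXAMPLE_SHARED_SECRET timeout 3
set aaa tacacs-servers state on
set aaa tacacs-servers user-uid 0
"""

ROLE_RE = re.compile(
    r"^add rba role (?P<name>\S+) domain-type (?P<domain>\S+) "
    r"(?P<kind>all-features|readwrite-features|readonly-features)"
    r"(?: (?P<features>\S+))?$"
)
SERVER_RE = re.compile(
    r"^add aaa tacacs-servers priority (?P<prio>\d+) server (?P<host>\S+) "
    r"key (?P<key>\S+)(?: timeout (?P<timeout>\d+))?$"
)
STATE_RE = re.compile(r"^set aaa tacacs-servers state (?P<state>on|off)$")


def parse_roles(rba_text: str) -> Dict[str, dict]:
    """Map role name -> {domain, kind, features} from 'show configuration rba'."""
    roles: Dict[str, dict] = {}
    for line in rba_text.splitlines():
        m = ROLE_RE.match(line.strip())
        if m:
            feats = m.group("features")
            roles[m.group("name")] = {
                "domain": m.group("domain"),
                "kind": m.group("kind"),
                # readwrite-features takes a comma-separated feature list
                "features": feats.split(",") if feats else [],
            }
    return roles


def parse_tacacs(aaa_text: str) -> dict:
    """Extract TACACS+ server entries and the global state from 'show configuration aaa'."""
    cfg: dict = {"servers": [], "state": None}
    for line in aaa_text.splitlines():
        line = line.strip()
        m = SERVER_RE.match(line)
        if m:
            cfg["servers"].append(m.groupdict())
            continue
        m = STATE_RE.match(line)
        if m:
            cfg["state"] = m.group("state")
    return cfg


def audit(rba_text: str, aaa_text: str, enable_levels: List[int]) -> List[str]:
    """Return a list of findings; an empty list means the pattern is complete."""
    findings: List[str] = []
    roles = parse_roles(rba_text)
    tac = parse_tacacs(aaa_text)

    # TACP-0 is the landing role for every TACACS+ login: it should exist and
    # grant nothing beyond tacacs_enable, so privilege lives in TACP-<level>.
    base = roles.get("TACP-0")
    if base is None:
        findings.append("TACP-0 role missing: TACACS+ users cannot log in")
    elif base["kind"] != "readwrite-features" or base["features"] != ["tacacs_enable"]:
        findings.append("TACP-0 should grant only tacacs_enable")

    # Every privilege level that tacacs_enable may request needs a TACP-X role.
    for lvl in enable_levels:
        if lvl != 0 and f"TACP-{lvl}" not in roles:
            findings.append(f"no TACP-{lvl} role: tacacs_enable to level {lvl} will fail")

    if not tac["servers"]:
        findings.append("no TACACS+ server configured")
    if tac["state"] != "on":
        findings.append("tacacs-servers state is not on")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RBA, SAMPLE_AAA, [0, 15]) or ["OK: configuration matches the TACP-X pattern"]:
        print(f)
```

Run it against the real output of the two 'show configuration' commands after saving the configuration; a non-empty list of findings points at the missing role or server setting before a user discovers it at login time.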