Best Practices - Configuring Cisco ACS 5 server for TACACS+ authentication with Gaia OS
Solution

Note: This document does not replace the Cisco ACS formal documentation. Please refer to Cisco ACS documentation for information about other topics.


Introduction

Gaia OS can authenticate non-local users that are defined on TACACS+ or RADIUS servers. The most popular TACACS+ server is the Cisco ACS server, and below we show how to configure the Cisco ACS server to work with Gaia OS.

Note: Setting the default shell to /bin/bash for TACACS+ users is not supported. The TACP-0 and TACP-15 roles are used for privilege escalation.

Configure network device and AAA client

On the Cisco ACS server, go to 'Network Resources' > 'Network Devices and AAA Clients', and click 'Create' to add a new network device.


Configure Identity group

Go to 'Users and Identity Stores' > 'Identity Groups', and create a new Identity group named "CheckPointRW" (or any other name).


Adding new User

Go to 'Users and Identity Stores' > 'Internal Identity Stores' > 'Users'. The user should be a member of the Identity group added in the previous step. Configure two passwords for the user: a login password (used to authenticate the login) and an enable password (used to enter a privileged level).


Add Shell Profile

Go to 'Policy Elements' > 'Authorization and Permissions' > 'Device Administration' > 'Shell Profiles'. Add a shell profile that will be assigned to authenticated TACACS+ users. In 'Commands and Tasks', set the maximum privilege level to "15".


Create rule

Go to 'Access Policies' > 'Access Service' > 'Default Device Admin' > 'Authorization' and create a new rule. The rule is: if the authenticated user is in the Identity group "CheckPointRW", then the result is the shell profile created in the previous step.


Configure Gaia

To be able to log in to Gaia OS with a TACACS+ user, configure the role TACP-0, and for every privilege level X that will be used with tacacs_enable, define the role TACP-X.

Refer to the Gaia Administration Guide for your R77 version.

  1. HostName> add rba role TACP-0 domain-type System readwrite-features tacacs_enable
     HostName> add rba role TACP-15 domain-type System all-features
     HostName> save config
     HostName> show configuration rba

     Note: Use the enable password configured on the ACS server. The enable password is valid for all privilege levels.

  2. HostName> add aaa tacacs-servers priority 1 server <IP_ADDRESS_of_ACS_SERVER> key <KEY> timeout 3
     HostName> set aaa tacacs-servers state on
     HostName> set aaa tacacs-servers user-uid 0
     HostName> save config
     HostName> show configuration aaa

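As an added example (not part of this SecureKnowledge article or the Gaia product), the following script checks the Gaia side of the procedure above: it parses the `add`/`set` lines that `show configuration rba` and `show configuration aaa` print and reports which TACP-X roles or TACACS+ server settings are missing for the enable levels the ACS shell profile allows. The sample configuration text, the 192.0.2.10 server address and the key value are constructed for the example.

```python
import re

# Constructed sample of the clish lines printed by `show configuration rba`
# and `show configuration aaa` on a box configured as in steps 1 and 2.
# The server address and key are placeholders, not values from a real system.
SAMPLE_CONFIG = """\
add rba role TACP-0 domain-type System readwrite-features tacacs_enable
add rba role TACP-15 domain-type System all-features
add aaa tacacs-servers priority 1 server 192.0.2.10 key EXAMPLE_KEY timeout 3
set aaa tacacs-servers state on
set aaa tacacs-servers user-uid 0
"""

# Matches a TACP-X role definition and captures the level and its feature spec.
ROLE_RE = re.compile(r"^add rba role TACP-(\d+) domain-type System (.*)$")


def parse_tacp_roles(config_text):
    """Map each defined TACP-X privilege level to its feature specification."""
    roles = {}
    for line in config_text.splitlines():
        m = ROLE_RE.match(line.strip())
        if m:
            roles[int(m.group(1))] = m.group(2)
    return roles


def check_gaia_tacacs(config_text, enable_levels=(15,)):
    """Return a list of findings; an empty list means the Gaia side is complete.

    enable_levels lists every privilege level that users will request with
    tacacs_enable; the article requires a TACP-X role for each of them.
    """
    findings = []
    roles = parse_tacp_roles(config_text)
    if 0 not in roles:
        findings.append("missing TACP-0 role: TACACS+ users cannot log in")
    elif "tacacs_enable" not in roles[0]:
        findings.append("TACP-0 lacks tacacs_enable: users cannot escalate privilege")
    for level in enable_levels:
        if level not in roles:
            findings.append(f"missing TACP-{level} role for enable level {level}")
    if not re.search(r"^add aaa tacacs-servers priority \d+ server \S+ key \S+",
                     config_text, re.M):
        findings.append("no TACACS+ server defined")
    if not re.search(r"^set aaa tacacs-servers state on$", config_text, re.M):
        findings.append("tacacs-servers state is not on")
    return findings
```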
