Creating an Administrator Account with TACACS Server Authentication
Terminal Access Controller Access Control System (TACACS) provides access control for routers, network access servers and other networked devices through one or more centralized servers.
TACACS is an external authentication method that provides verification services. With TACACS, the Security Management Server forwards authentication requests from remote administrators to the TACACS server. The TACACS server, which stores the administrator account information, authenticates the administrators. The system supports physical card key devices or token cards and Kerberos secret key authentication. TACACS encrypts the administrator name, password, authentication services and accounting information of all authentication requests to secure the communication.
You can perform TACACS authentication for SmartConsole administrators through a TACACS server or a TACACS server group. A TACACS server group is a High Availability group of identical TACACS servers in the system. When you create the group, you define a priority for each server. If the server with the highest priority fails, the one with the next highest priority in the group takes over, and so on. All TACACS servers in the group must use the same protocol.
To learn how to configure a TACACS server, refer to the vendor documentation.
After you configure TACACS server authentication, you can, in addition, configure authentication with a certificate file. The administrator can then authenticate to SmartConsole with the TACACS server or the certificate file.
You create the certificate file in SmartConsole. The administrator can use the certificate to log in to SmartConsole in two ways:
- Log in to SmartConsole with the Certificate File option. The administrator must provide the password to use the certificate file.
- Import the certificate file to the Windows Certificate Store on the Microsoft Windows SmartConsole computer. The administrator can then use this stored certificate to log in to SmartConsole with the CAPI Certificate option, and does not need to provide a password to log in.
The administrator can also give the certificate to other administrators to log in to SmartConsole with no administrator account of their own.
To configure TACACS server authentication for an administrator
- In SmartConsole, add a new TACACS server object:
  - Go to Object Explorer and click New > More > Server > TACACS.
  - Enter the server Name.
  - In the Host field, click the drop-down arrow, click New, and create a New Host with the IP address of the TACACS server.
  - Click OK.
    This host now appears in the Host field of the New TACACS window.
  - Select a Server type.
  - If your server type is TACACS+, type the Secret key that you defined previously on the TACACS+ server.
  - Click OK.
  - Publish the SmartConsole session.
- Add a new administrator and define TACACS as the authentication method:
  - Go to Manage & Settings > Permissions & Administrators > Administrators and click New.
    The New Administrator window opens.
  - Enter the administrator name that is defined on the TACACS server.
  - In Authentication Method, select TACACS.
  - Select the TACACS Server defined earlier from the drop-down list.
  - Optional: In the Authentication section > Certificate Information, click Create:
    - Enter a password.
    - Click OK.
    - Save the certificate file to a secure location on the SmartConsole computer.
      Notes:
      - Make sure that the login name is included in the File name field.
      - Make sure that Certificate Files (*.p12) is selected in the Save as type drop-down list. The certificate file is in the PKCS #12 format and has a .p12 extension.
      - A password is required to protect the sensitive data in the certificate file, because the file contains the private key. After the certificate is issued, save it to a file and give the administrator this file and the password. The administrator can then authenticate with the certificate when they log in with SmartConsole to the Security Management Server.
  - Assign a Permission Profile.
  - In the Expiration section, select the expiration date and make sure that it is set to a valid future date.
  - Click OK.
  - Publish the SmartConsole session.
- Optional: Configure a TACACS Server group for SmartConsole administrator authentication:
  - In SmartConsole, configure all the servers that you want to include in the server group, as explained in "To configure TACACS server authentication for an administrator" above.
    For each server, enter its priority in the group. The lower the number, the higher the priority.
    For example, if you create a group with 3 servers with priorities 1, 2 and 3, the server with priority 1 is approached first, the server with priority 2 second, and the server with priority 3 third.
  - Create the server group: In SmartConsole, go to Object Explorer and click New > Server > More > TACACS Group.
  - Configure the group properties and add servers to the group:
    - Enter the group Name.
    - Click the + icon for each server you want to add, and select the server from the drop-down list.
    - Click OK.
  - Publish the SmartConsole session.
- Optional: Import the certificate file into the Windows Certificate Store
  Note - This procedure applies if you create a certificate authentication in the administrator object, and you log in to SmartConsole with the CAPI Certificate option.
  - Right-click the *.p12 file you saved when you created the required administrator, and click Install PFX.
    The Certificate Import Wizard opens.
  - In the Store Location section, select the applicable option:
    - Current User (this is the default)
    - Local Machine
  - Click Next.
  - Enter the same certificate password you used when you created the required administrator certificate.
  - Clear Enable strong private key protection.
  - Select Mark this key as exportable.
  - Click Next.
  - Select Place all certificates in the following store, click Browse > Personal > OK.
  - Click Next.
  - Click Finish.
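The same import can be scripted from PowerShell on the SmartConsole computer, as an added example that is not part of the Check Point guide. It assumes the built-in Windows PKI module (Import-PfxCertificate, available on Windows 8 / Server 2012 and later) and uses a constructed placeholder path for the .p12 file; it targets the Current User > Personal store and marks the key exportable, matching the wizard choices above.

```powershell
# Added example (not from the Check Point guide): import the administrator's
# PKCS #12 (.p12) file into the Windows Certificate Store from PowerShell.
# Mirrors the wizard steps: Current User store location, Personal store,
# "Mark this key as exportable". Requires the built-in PKI module.
# The path below is a constructed placeholder; use the file you saved in SmartConsole.
$PfxPath = 'C:\Secure\admin_login_name.p12'

# Prompt for the password set when the certificate was created in SmartConsole,
# so it is never hard-coded in the script or left in the shell history.
$PfxPassword = Read-Host -Prompt 'Certificate file password' -AsSecureString

# Cert:\CurrentUser\My is the Current User > Personal store the wizard writes to.
$imported = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Password $PfxPassword `
    -Exportable

# Confirm the certificate is in the store together with its private key;
# the CAPI Certificate login option cannot use a certificate without one.
$check = Get-ChildItem -Path 'Cert:\CurrentUser\My' |
    Where-Object { $_.Thumbprint -eq $imported.Thumbprint }

if (-not $check -or -not $check.HasPrivateKey) {
    throw "Certificate was not imported with a usable private key: $($imported.Subject)"
}

# Show the subject and expiry so the administrator's expiration date can be
# cross-checked against the Expiration section set in the administrator object.
'Imported {0} (valid until {1})' -f $check.Subject, $check.NotAfter
```

Run it as the Windows user who will start SmartConsole, because Cert:\CurrentUser\My is per-user; for the Local Machine option in the wizard, use Cert:\LocalMachine\My from an elevated prompt instead.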