Configuring TACACS+ Servers

To configure a TACACS+ server

Step

Instructions

1

In the navigation tree, click User Management > Authentication Servers.

2

In the TACACS+ Configuration section, select Enable TACACS+ authentication.

This setting applies to all configured TACACS+ servers.

3

Click Apply.

4

In the TACACS+ Servers section, click Add.

5

Configure the TACACS+ parameters:

Priority

The priority of the TACACS+ server - from 1 to 20.

Must be unique for this operating system.

Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. uses the priority:
- To determine the order, in which Gaia connects to the TACACS+ servers.
  
  First, Gaia connects to the TACACS+ server with the lowest priority number.
  
  For example: Three TACACS+ servers have a priority of 1, 5, and 10 respectively.
  
  Gaia connects to these TACACS+ servers in that order, and uses the first TACACS+ server that responds.
- To identify the TACACS+ server in commands. A command with priority 1 applies to the TACACS+ server with priority 1.
Server

IPv4 address of the TACACS+ server.
Shared Key

The Shared Secret used for authentication between the TACACS+ server and Gaia.

Enter the shared secret text string up to 256 characters, without any whitespace characters and without a backslash.

Make sure that the shared string defined on the Gaia matches the shared string defined on the TACACS+ server.
Timeout in Seconds

Enter the timeout in seconds (from 1 to 60), during which Gaia waits for the TACACS+ server to respond.

The default value is 5.

If there is no response after the configured timeout, Gaia tries to connect to a different configured TACACS+ server.

6

Click OK.

7

Optional: In the TACACS+ Servers Advanced Configuration section, select the User UID - 0, or 96 and click Apply.

This setting applies to all configured TACACS+ servers.

Note - On a Maestro Orchestrator, you must configure the value "0".

To disable TACACS+ authentication

Step

Instructions

1

In the navigation tree, click User Management > Authentication Servers.

2

In the TACACS+ configuration section, clear Enable TACACS+ authentication.

This setting applies to all configured TACACS+ servers.

3

Click Apply.

To delete a TACACS+ server

Step	Instructions
1	In the navigation tree, click User Management > Authentication Servers.
2	In the TACACS+ Servers section, select a TACACS+ server.
3	Click Delete.
4	Click OK to confirm.

To configure TACACS+ server for use in a single authentication profile

add aaa tacacs-servers priority <Priority> server <IPv4 Address of TACACS+ Server> key <Shared Secret> timeout <1-60>

To change the configuration of a specific TACACS+ server

set aaa tacacs-servers priority <Priority>

      server <IPv4 Address of TACACS+ Server>

      new-priority <New Priority>

      key <Shared Secret>

      timeout <1-60>

To change the configuration that applies to all configured TACACS+ servers

set aaa tacacs-servers

      state {on | off}

      user-uid <0 | 96>

To show a list of all configured TACACS+ servers associated with an authentication profile

show aaa tacacs-servers list

To show the configuration of a specific TACACS+ server

show aaa tacacs-servers priority <Priority>

      server

      timeout

To show the configuration that applies to all configured TACACS+ servers

show aaa tacacs-servers

      state

      user-uid

To delete a specific TACACS+ server

delete aaa tacacs-servers

      priority <Priority>

CLI Parameters

Parameter

Description

priority <Priority>

The priority of the TACACS+ server - from 1 to 20.

Must be unique for this operating system.

The priority is used:

To determine the order, in which Gaia connects to the TACACS+ servers.

First, Gaia connects to the TACACS+ server with the lowest priority number.

For example: Three TACACS+ servers have a priority of 1, 5, and 10 respectively.

Gaia connects to these TACACS+ servers in that order, and uses the first TACACS+ server that responds.
To identify the TACACS+ server in commands. A command with priority 1 applies to the TACACS+ server with priority 1.

Values:

Range: 1 - 20
Default: No default

server <IPv4 Address of TACACS+ Server>

IPv4 address of the TACACS+ server.

key <Shared Secret>

The Shared Secret used for authentication between the TACACS+ server and Gaia.

Enter the shared secret text string up to 256 characters, without any whitespace characters and without a backslash.

Make sure that the shared string defined on the Gaia matches the shared string defined on the TACACS+ server.

timeout <1-60>

Enter the timeout in seconds, during which Gaia waits for the TACACS+ server to respond.

If there is no response after the configured timeout, Gaia tries to connect to a different configured TACACS+ server.

Range: 1 - 60
Default: 5

new-priority <New Priority>

Configures the new priority for the TACACS+ server.

state {on | off}

Configures the state of TACACS+ authentication.

Range: on, or off
Default: off

user-uid

Specifies the User ID assigned to a TACACS+ user: "0" or "96".

Note - On a Maestro Orchestrator, you must configure the value "0".

Example

gaia> set aaa tacacs-servers priority 2 server 10.10.10.99 key MySharedSecretKey timeout 10

Configuring TACACS+ Servers

Configuring TACACS+ Servers in Gaia Portal

Configuring TACACS+ Servers in Gaia Clish

Checking if the Logged In User is Enabled for TACACS+