Configuring TACACS+ Servers

Configuring TACACS+ Servers in Gaia Portal

Step

Instructions

1

In the navigation tree, click User Management > Authentication Servers.

2

In the TACACS+ Configuration section, select Enable TACACS+ authentication.

This setting applies to all configured TACACS+ servers.

3

Click Apply.

4

In the TACACS+ Servers section, click Add.

5

Configure the TACACS+ parameters:

  • Priority

    The priority of the TACACS+ server - from 1 to 20.

    Must be unique for this operating system.

    GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. uses the priority:

    • To determine the order, in which Gaia connects to the TACACS+ servers.

      First, Gaia connects to the TACACS+ server with the lowest priority number.

      For example: Three TACACS+ servers have a priority of 1, 5, and 10 respectively.

      Gaia connects to these TACACS+ servers in that order, and uses the first TACACS+ server that responds.

    • To identify the TACACS+ server in commands. A command with priority 1 applies to the TACACS+ server with priority 1.

  • Server

    IPv4 address of the TACACS+ server.

  • Shared Key

    The Shared Secret used for authentication between the TACACS+ server and Gaia.

    Enter the shared secret text string up to 256 characters, without any whitespace characters and without a backslash.

    Make sure that the shared string defined on the Gaia matches the shared string defined on the TACACS+ server.

  • Timeout in Seconds

    Enter the timeout in seconds (from 1 to 60), during which Gaia waits for the TACACS+ server to respond.

    The default value is 5.

    If there is no response after the configured timeout, Gaia tries to connect to a different configured TACACS+ server.

6

Click OK.

7

Optional: In the TACACS+ Servers Advanced Configuration section, select the User UID - 0, or 96 and click Apply.

This setting applies to all configured TACACS+ servers.

Note - On a Maestro Orchestrator, you must configure the value "0".

Step

Instructions

1

In the navigation tree, click User Management > Authentication Servers.

2

In the TACACS+ configuration section, clear Enable TACACS+ authentication.

This setting applies to all configured TACACS+ servers.

3

Click Apply.

Step

Instructions

1

In the navigation tree, click User Management > Authentication Servers.

2

In the TACACS+ Servers section, select a TACACS+ server.

3

Click Delete.

4

Click OK to confirm.

Configuring TACACS+ Servers in Gaia Clish

Syntax

add aaa tacacs-servers priority <Priority> server <IPv4 Address of TACACS+ Server> key <Shared Secret> timeout <1-60> 

set aaa tacacs-servers priority <Priority>
      server <IPv4 Address of TACACS+ Server>
      new-priority <New Priority>
      key <Shared Secret>
      timeout <1-60>
 
set aaa tacacs-servers
      state {on | off}
      user-uid <0 | 96>

show aaa tacacs-servers list 

show aaa tacacs-servers priority <Priority>
      server
      timeout
 
show aaa tacacs-servers
      state
      user-uid
 
delete aaa tacacs-servers
      priority <Priority>
 
delete aaa tacacs-servers
      NAS-IP

Important - After you add, configure, or delete features, run the "save config" command to save the settings permanently.

Parameters

Parameter

Description

priority <Priority>

The priority of the TACACS+ server - from 1 to 20.

Must be unique for this operating system.

The priority is used:

  • To determine the order, in which Gaia connects to the TACACS+ servers.

    First, Gaia connects to the TACACS+ server with the lowest priority number.

    For example: Three TACACS+ servers have a priority of 1, 5, and 10 respectively.

    Gaia connects to these TACACS+ servers in that order, and uses the first TACACS+ server that responds.

  • To identify the TACACS+ server in commands. A command with priority 1 applies to the TACACS+ server with priority 1.

Values:

  • Range: 1 - 20

  • Default: No default

server <IPv4 Address of TACACS+ Server>

IPv4 address of the TACACS+ server.

key <Shared Secret>

The Shared Secret used for authentication between the TACACS+ server and Gaia.

Enter the shared secret text string up to 256 characters, without any whitespace characters and without a backslash.

Make sure that the shared string defined on the Gaia matches the shared string defined on the TACACS+ server.

timeout <1-60>

Enter the timeout in seconds, during which Gaia waits for the TACACS+ server to respond.

If there is no response after the configured timeout, Gaia tries to connect to a different configured TACACS+ server.

  • Range: 1 - 60

  • Default: 5

new-priority <New Priority>

Configures the new priority for the TACACS+ server.

state {on | off}

Configures the state of TACACS+ authentication.

  • Range: on, or off

  • Default: off

user-uid

Specifies the User ID assigned to a TACACS+ user: "0" or "96".

Note - On a Maestro Orchestrator, you must configure the value "0".

gaia> set aaa tacacs-servers priority 2 server 10.10.10.99 key MySharedSecretKey timeout 10

Checking if the Logged In User is Enabled for TACACS+

Step

Instructions

1

Connect to the command line on Gaia.

2

Log in to Gaia ClishClosed The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)..

3

Run:

show tacacs_enable