Creating a User Account with TACACS Server Authentication
Terminal Access Controller Access Control System (TACACS) provides access control for routers, network access servers and other networked devices through one or more centralized servers.
TACACS is an external authentication method that provides verification services. With TACACS, the Security Gateway forwards authentication requests from remote users to the TACACS server. The TACACS server, which stores the user account information, authenticates the users. The system supports physical card key devices or token cards, and Kerberos secret key authentication. TACACS encrypts the user name, password, authentication services and accounting information of all authentication requests to make sure communication is secure.
To configure a Security Gateway to use TACACS authentication, you must set up the server and enable its use on the Security Gateway.
Users can perform TACACS authentication through a TACACS server or a TACACS server group. A TACACS server group is a high availability group of identical TACACS servers which includes any or all the TACACS servers in the system. When you create the group, you define a priority for each server in the group. If the server with the highest priority fails, the one with the next highest priority in the group takes over, and so on.
After you configure authentication with a TACACS server, you can, in addition, configure authentication with a certificate file. The user can then authenticate to the Security Gateway with the TACACS server or the certificate file.
To configure TACACS server authentication for a user:

1. In SmartConsole, configure a new TACACS+ server object:
   a. In SmartConsole, create a TACACS server: go to Object Explorer > New > More > Server > TACACS.
   b. Give the server a Name. It can be any name.
   c. In the Host field, click the drop-down arrow, click New and create a New Host. Give it the IP address of the TACACS server.
   d. Click OK.
   e. Make sure that this host shows in the Host field of the New TACACS window.
   f. Select the Servers Type.
      Best Practice - The default is TACACS, but we recommend TACACS+.
   g. Enter a Secret key (required only if you selected the TACACS+ server type).
   h. Click OK.
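The Secret key entered on the TACACS+ server object is the shared secret that both the Security Gateway and the TACACS+ server use to obfuscate every packet body, which is why the two sides must be configured with the same value and why TACACS+ is recommended over plain TACACS. The following is an added example, not Check Point code or any product's implementation: a minimal builder and parser for a TACACS+ (RFC 8907) authentication START packet, using the RFC's MD5 pseudo-pad. The session ID, key, user name, port and remote address are constructed sample values. It shows that a captured packet yields the user name only to a holder of the correct key, while a body sent with the unencrypted flag is readable by anyone on the path.

```python
# Added example (not Check Point code): minimal TACACS+ (RFC 8907) authentication
# START packet builder/parser, to show what the shared Secret key does on the wire.
import hashlib
import struct

# Header constants from RFC 8907
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # body sent in the clear (no key configured)
HEADER_FMT = "!BBBBII"              # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)

# Authentication START body constants (RFC 8907 section 5.1)
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
VALID_START_ACTIONS = {0x01, 0x02, 0x04}   # LOGIN, CHPASS, SENDAUTH
START_FIXED_FMT = "!8B"             # action, priv_lvl, authen_type, service, 4 field lengths


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pad: chained MD5(session_id, key, version, seq_no[, previous digest])."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad. XOR is its own inverse, so this also de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, port: str, rem_addr: str, priv_lvl: int = 1) -> bytes:
    """Build an ASCII-login START body. The password is not in START; the server asks for it later."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    fixed = struct.pack(START_FIXED_FMT, TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                        TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                        len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Wrap a body in a TACACS+ header. An empty key means the body goes out unobfuscated."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    if key:
        flags, payload = 0, obfuscate(body, session_id, key, version, seq_no)
    else:
        flags, payload = TAC_PLUS_UNENCRYPTED_FLAG, body
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(payload))
    return header + payload


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Split header and body, de-obfuscating the body with `key` unless the clear-text flag is set."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short header")
    version, pkt_type, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    payload = packet[HEADER_LEN:HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("truncated body")
    body = payload if flags & TAC_PLUS_UNENCRYPTED_FLAG else obfuscate(payload, session_id, key, version, seq_no)
    return {"version": version, "type": pkt_type, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


def parse_authen_start(body: bytes) -> dict:
    """Parse a START body; the four length fields must account for the body exactly."""
    fixed_len = struct.calcsize(START_FIXED_FMT)
    if len(body) < fixed_len:
        raise ValueError("short START body")
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack(START_FIXED_FMT, body[:fixed_len])
    if fixed_len + ul + pl + rl + dl != len(body) or action not in VALID_START_ACTIONS:
        raise ValueError("START fields are inconsistent (wrong key or corrupt packet)")
    off, fields = fixed_len, []
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service,
            "user": user.decode("ascii", "replace"), "port": port.decode("ascii", "replace"),
            "rem_addr": rem_addr.decode("ascii", "replace"), "data": data}


def start_user(packet: bytes, key: bytes):
    """Return the user name in a captured START packet, or None if it cannot be recovered with this key."""
    try:
        return parse_authen_start(parse_packet(packet, key)["body"])["user"]
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    SESSION_ID = 0x1A2B3C4D
    KEY = b"constructed-shared-secret"
    pkt = build_packet(build_authen_start("jsmith", "tty0", "10.0.0.5"), SESSION_ID, KEY)
    print("right key :", start_user(pkt, KEY))              # jsmith
    print("wrong key :", start_user(pkt, b"other-secret"))  # None
    clear = build_packet(build_authen_start("jsmith", "tty0", "10.0.0.5"), SESSION_ID, b"")
    print("no key    :", start_user(clear, b""))            # jsmith, readable by anyone on the path
```

The pad is an MD5 keystream rather than authenticated encryption, so a mismatched Secret key shows up as a body that does not parse (the length fields no longer add up), not as a clean authentication failure; that is the symptom to look for when a new TACACS+ server object does not work.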
2. Create a new user and define TACACS as the authentication method:
   a. In the Object Explorer (F11), click New > More > User/Identity > User.
      The New User window opens.
   b. Select a template and click OK.
   c. Enter a User Name - A unique, case sensitive character string.
      If you generate a user certificate with a non-Check Point Certificate Authority, enter the Common Name (CN) component of the Distinguished Name (DN). For example, if the DN is [CN = James, O = My Organization, C = My Country], then enter James as the user name. If you use Common Names as user names, they must contain exactly one string with no spaces.
   d. Configure the user's General Properties:
      - Select an Expiration Date - The date after which the user is no longer authorized to access network resources and applications. By default, the date defined in the main menu > Global Properties > User Accounts > Expiration Date shows as the expiration date.
      - Optional settings: Comment, Email Address, Mobile Phone Number.
   e. In Groups - Use this window to add users to user groups.
   f. Configure the user's Authentication: From the drop-down menu, select TACACS.
      Important - If you do not select an authentication method, the user cannot log in or use network resources.
   g. In Location, select the objects from which this user can access or send data and traffic. In the Allowed locations section:
      - Sources - Click Add to add selected objects to this user's permitted resources. The user can get data and traffic from these objects.
      - Destination - Click Add to add selected objects to this user's permitted destinations. The user can send data and traffic to these objects.
   h. In Time - If the user has specific working days or hours, you can configure when the user can be authenticated for access.
      - From and To - Enter the start time and end time of an expected workday. This user is not authenticated if a login attempt is made at a time outside the given range.
      - Days in week or Daily - Select the days on which the user can authenticate and access resources. This user is not authenticated if a login attempt is made on an unselected day.
   i. In Certificates: Generate and register SIC certificates for user accounts. This authenticates the user in the Check Point system. Use certificates with required authentication for added access control.
      i. Click New.
      ii. Select key or p12 file:
          - Registration key for certificate enrollment - Select to send a registration key that activates the certificate. When prompted, select the number of days the user has to activate the certificate before the registration key expires.
          - Certificate file (p12) - Select to create a .p12 certificate file with a private password for the user. When prompted, enter and confirm the certificate password.
      iii. Click OK.
      If a user is not in the system for some time (for example, when going on an extended leave), you can revoke the certificate. This leaves the user account in the system, but the user cannot access it until you renew the certificate. To revoke a certificate, select the certificate and click Revoke.
   j. In Encryption: If the user accesses resources from a remote location, traffic between the remote user and internal resources is encrypted. Configure encryption settings for remote access users.
      i. Select an encryption method for the user.
      ii. Click Edit.
          The encryption Properties window opens. The next steps are for IKE Phase 2. The options can be different for different methods.
      iii. Open the Authentication tab.
      iv. Select the authentication schemes:
          - Password - The user authenticates with a pre-shared secret password. Enter and confirm the password.
          - Public Key - The user authenticates with a public key contained in a certificate file.
      v. Click OK.
3. Optional: Configure a TACACS server group for SmartConsole user authentication:
   a. In SmartConsole, configure all the servers that you want to include in the server group.
      For each server, enter its priority in the group. The lower the number, the higher the priority. For example, if you create a group with 3 servers, with priorities 1, 2 and 3, the server with number 1 is approached first, the server with number 2 second, and the server with number 3 third.
   b. Create the server group: In SmartConsole, go to Object Explorer and click New > Server > More > TACACS Group.
   c. Configure the group properties and add servers to the group:
      - Give the group a Name. It can be any name.
      - Click the plus (+) for each server you want to add, and select each server from the drop-down list.
      - Click OK.
   d. Publish the SmartConsole session.
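The failover order of a server group as described above (lowest priority number first, next server only when the current one fails), as an added example that is not part of the original page or of any Check Point code. The server names, the RFC 5737 documentation addresses, the account table and the simulated network call are all constructed for the example; the one design point it adds is that failover should happen only when a server is unreachable, since an explicit reject from a reachable server is a final answer and must not be retried against the next server.

```python
# Added example (not Check Point code): priority-ordered failover across a TACACS
# server group, with a constructed in-memory stand-in for the servers.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class TacacsServer:
    name: str
    host: str
    priority: int  # as in the SmartConsole group object: lower number = higher priority


class NoServerAvailable(Exception):
    """Raised when every server in the group was unreachable."""


def by_priority(group: List[TacacsServer]) -> List[TacacsServer]:
    """Order the group so the lowest priority number is tried first (ties keep configured order)."""
    return sorted(group, key=lambda s: s.priority)


def authenticate_with_group(group: List[TacacsServer], user: str, password: str,
                            ask_server: Callable[[TacacsServer, str, str], bool]) -> Tuple[str, bool]:
    """Ask the servers in priority order and return (server name, accepted).
    Failover happens only on ConnectionError; an accept or reject from a reachable
    server is final, so a rejected login is never retried against the next server."""
    failures = []
    for server in by_priority(group):
        try:
            return server.name, ask_server(server, user, password)
        except ConnectionError as exc:
            failures.append(f"{server.name} ({server.host}): {exc}")
    raise NoServerAvailable("; ".join(failures))


# Constructed sample group (RFC 5737 documentation addresses, not real servers).
GROUP = [
    TacacsServer("tacacs-3", "192.0.2.30", priority=3),
    TacacsServer("tacacs-1", "192.0.2.10", priority=1),
    TacacsServer("tacacs-2", "192.0.2.20", priority=2),
]


def make_simulated_servers(down: set, users: Dict[str, str]) -> Callable:
    """Stand-in for the network call: servers named in `down` raise ConnectionError;
    the others check user/password against the same (constructed) account table."""
    def ask(server: TacacsServer, user: str, password: str) -> bool:
        if server.name in down:
            raise ConnectionError("no response on TCP/49")
        return users.get(user) == password
    return ask


def demo() -> dict:
    """Run the group through the cases a practitioner would want to see."""
    accounts = {"jsmith": "correct horse"}  # constructed, for the simulation only
    primary_down = make_simulated_servers({"tacacs-1"}, accounts)
    all_up = make_simulated_servers(set(), accounts)
    results = {
        "primary_down": authenticate_with_group(GROUP, "jsmith", "correct horse", primary_down),
        "all_up": authenticate_with_group(GROUP, "jsmith", "correct horse", all_up),
        "bad_password": authenticate_with_group(GROUP, "jsmith", "wrong", all_up),
    }
    try:
        authenticate_with_group(GROUP, "jsmith", "correct horse",
                                make_simulated_servers({"tacacs-1", "tacacs-2", "tacacs-3"}, accounts))
    except NoServerAvailable as exc:
        results["all_down"] = str(exc)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

When all servers are down, the exception carries every server's failure, which is the detail to keep in the gateway's log: a group that silently exhausts its members looks like a bad password to the user.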
4. Add a new user.
5. Publish the SmartConsole session.