Creating a User Account with TACACS Server Authentication
Terminal Access Controller Access Control System (TACACS) provides access control for routers, network access servers and other networked devices through one or more centralized servers.
TACACS is an external authentication method that provides verification services. With TACACS, the Security Gateway forwards authentication requests from remote users to the TACACS server. The TACACS server, which stores the user account information, authenticates the users. The system supports physical card key devices or token cards and Kerberos secret key authentication. TACACS+ protects the user name, password, authorization and accounting data of every request with the shared secret key that is configured on both the server and the Security Gateway, so that this data does not cross the network in the clear; the original TACACS protocol has no such protection, which is the reason for the best practice below to select TACACS+.
To configure a Security Gateway to use TACACS authentication, you must set up the server and enable its use on the Security Gateway.
Users can perform TACACS authentication through a TACACS server or a TACACS server group. A TACACS server group is a high availability group of identical TACACS servers, which can include any or all of the TACACS servers in the system. When you create the group, you define a priority for each server in the group. If the server with the highest priority fails, the one with the next highest priority in the group takes over, and so on.
After you configure authentication with a TACACS server, you can, in addition, configure authentication with a certificate file. The user can then authenticate to the Security Gateway with the TACACS server or the certificate file.
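The body protection described above is MD5-keystream XOR obfuscation (RFC 8907 calls it obfuscation rather than encryption): the gateway and the server derive a pad from the session ID, the shared secret, the version byte and the sequence number, and XOR the packet body with it. The following is an added example, not code from the original page or from Check Point, that builds an authentication START packet the way a TACACS+ client does and parses it the way the server does; port and address values, the key, the session ID and the function names are the example's own constructed inputs. It also shows the TAC_PLUS_UNENCRYPTED_FLAG case, where the password travels in plaintext, and what a wrong shared secret looks like on the server side.

```python
import hashlib
import struct

# RFC 8907 constants (TAC_PLUS_* names follow the RFC)
TAC_PLUS_VERSION = 0xC0           # header version byte: major 0xC, minor 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent in the clear
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_LEN = 12
HEADER_FMT = "!4BII"              # version, type, seq_no, flags, session_id, body length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream from RFC 8907 section 4.5:
    MD5_1 = MD5(session_id || key || version || seq_no)
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1})
    Everything except the shared secret is visible in the packet header."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad. Symmetric: the same call de-obfuscates.
    There is no integrity check, so a bit flipped on the wire is not detected here."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, password: str, key: bytes, session_id: int,
                       port: str = "vpn", rem_addr: str = "192.0.2.10",
                       send_clear: bool = False) -> bytes:
    """Authentication START (PAP) as a client sends it: 12-byte header + body.
    send_clear=True sets TAC_PLUS_UNENCRYPTED_FLAG, which puts the password on the
    wire in plaintext; a TACACS+ server should be configured to reject such packets."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_PAP,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d))
    body += u + p + r + d
    seq_no = 1                      # the client's first packet in a session is seq 1
    flags = TAC_PLUS_UNENCRYPTED_FLAG if send_clear else 0
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    if not send_clear:
        body = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    return header + body


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Server-side view of the packet. Raises ValueError when the de-obfuscated field
    lengths do not add up, which is what a wrong shared secret normally looks like."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:]
    if ptype != TAC_PLUS_AUTHEN or len(body) != length:
        raise ValueError("not a well-formed TACACS+ authentication packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    if len(body) < 8:
        raise ValueError("short body")
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if 8 + ul + pl + rl + dl != length:
        raise ValueError("field lengths do not match body length: wrong key or corrupted packet")
    fields, off = [], 8
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {
        "session_id": session_id,
        "in_clear": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG),
        "action": action, "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service,
        "user": user.decode(errors="replace"), "port": port.decode(errors="replace"),
        "rem_addr": rem_addr.decode(errors="replace"), "password": data.decode(errors="replace"),
    }


if __name__ == "__main__":
    key, sid = b"correct-secret", 0x1A2B3C4D          # constructed sample values
    pkt = build_authen_start("James", "s3cret!", key, sid)
    print(parse_authen_start(pkt, key))
```

Two practical points follow from the code: the secret entered in the Secret key field is the only thing standing between an on-path observer and the password, so it must be long, random and unique per gateway/server pair; and because the scheme has no integrity protection and the pad is MD5-derived, RFC 8907 recommends carrying TACACS+ over a separately protected path (for example a management VPN or an isolated management network) rather than relying on the obfuscation alone.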
To configure TACACS server authentication for a user
-
In SmartConsole, configure a new TACACS / TACACS+ server object
-
In the top right corner, click the Objects panel.
-
Click New > More > Server > TACACS.
-
In the top field, enter the applicable object name.
-
Optional: Enter the comment.
-
In the Host field, click the drop-down arrow, click New.
-
Create a New Host with the IP address of the TACACS server. Click OK.
-
Make sure that this host shows in the Host field of the New TACACS window.
-
In the Servers type section, select the applicable value.
Best Practice - The default value is TACACS, but we recommend TACACS+.
-
If you selected TACACS+, then in the Secret key field, enter the secret key that you defined previously on the TACACS+ server.
-
In the Priority field, leave the default value 1.
-
Click OK.
-
Publish the SmartConsole session.
-
-
Create a new user and select TACACS as the authentication method
-
In the top right corner, click the Objects panel.
-
Click New > More > User/Identity > User.
The New User window opens.
-
Choose the applicable user template and click OK.
-
In the top field, enter the applicable object name.
This must be a unique, case sensitive character string.
If you generate a user certificate with a non-Check Point Certificate Authority, enter the Common Name (CN) component of the Distinguished Name (DN).
For example:
If the DN is:
CN = James, O = My Organization, C = My Country
then enter
James
as the user name. If you use Common Names as user names, each must be a single string with no spaces.
-
Optional: Enter the comment.
-
On the General page, configure the applicable settings:
-
Email address (optional)
-
Mobile phone number (optional)
-
Expire at
This is the date, after which the user is no longer authorized to access network resources and applications.
The default expiration date is configured in SmartConsole > Global Properties > User Accounts > Expiration Date.
-
-
On the Groups page, you can select the applicable user group objects (in addition to, or instead of, those configured in the user template).
-
On the Authentication page:
-
In the Authentication method field, select TACACS.
-
In the TACACS server field, leave the default value Any or select the applicable TACACS server object.
Important - If you do not select an authentication method, the user cannot log in or use network resources.
-
-
On the Location page:
-
Configure the allowed sources from which this user can access or send data and traffic.
These objects must already exist before you can select them.
-
Configure the allowed destinations to which this user can access or send data and traffic.
These objects must already exist before you can select them.
-
-
On the Time page:
If the user has specific working days or hours, you can configure when the user can be authenticated for access.
-
From and To - Enter the start time and end time of an expected workday. This user will not be authenticated if a login attempt is made at a time outside the given range.
-
Days in week or Daily - Select the days on which the user can authenticate and access resources. This user will not be authenticated if a login attempt is made on an unselected day.
-
-
On the Certificates page:
You can configure the applicable certificates for this user for stronger access control.
-
Click New.
-
Select the applicable option:
-
Registration Key for certificate enrollment
Sends a registration key that activates the certificate.
-
Enter the number of days the user has to activate the certificate, before the registration key expires.
-
Optional: Enter a comment.
-
Optional: Click Template to preview the email template.
-
Click Send.
-
Click OK to save this key.
-
-
Certificate file (p12)
Creates a *.p12 certificate file with a private password for the user.
-
Enter and confirm the certificate password.
A password is required to protect the sensitive data in the certificate file.
-
Optional: Enter a comment.
-
Click OK.
-
Wait for the Save As window to open.
-
In the File name field, make sure to include the username.
-
In the Save as type field, select Certificate Files (*.p12).
The certificate file is in the PKCS #12 format and has a .p12 extension.
-
Browse to a secure location on the SmartConsole computer.
-
Click Save.
-
Give the user this file and password.
-
-
-
Click OK.
Notes:
-
If a user will not be in the system for some time (for example, going on an extended leave), you can revoke the certificate. This leaves the user account in the system, but it cannot be accessed until you renew the certificate.
-
To revoke a key / certificate, select the key / certificate and click Revoke.
-
-
On the Encryption page:
You can configure the IKEv2 authentication and encryption settings for Remote Access VPN.
-
Select IKE.
-
Click Edit.
The encryption IKE Phase 2 Properties window opens.
-
On the Authentication page, select the authentication schemes:
-
Password - The user authenticates with a pre-shared secret password.
-
Public Key - The user authenticates with a public key contained in a certificate file.
-
-
On the Encryption page, there are no settings to configure.
You configure these algorithms in SmartConsole > Global Properties > Remote Access > VPN - Authentication > section Encryption algorithms.
-
Click OK.
-
-
Click OK.
-
-
Optional: Configure a TACACS server group for SmartConsole user authentication
-
In SmartConsole, configure all the servers that you want to include in the server group.
For each server, enter its priority in the group. The lower the number is, the higher the priority.
For example, if you create a group with 3 servers, with priorities 1,2 and 3, the server with number 1 is approached first, the server with number 2 second, and the server with number 3, third.
-
Create the server group:
In SmartConsole, go to Object Explorer and click New > More > Server > TACACS Group.
-
Configure the group properties and add servers to the group:
-
Give the group a Name. It can be any name.
-
Click the plus (+) for each server you want to add, and select each server from the drop-down list.
-
Click OK.
-
Publish the SmartConsole session.
-
-
Add a new user.
-
Publish the SmartConsole session.
-
Install the Access Control Policy.
-
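The Common Name rule in the user-name step above (the CN component of the certificate's Distinguished Name becomes the user object name, and it must be a single string with no spaces) is the kind of check worth automating when user objects are created from certificates issued by a non-Check Point CA. The following is an added example, not code from the original page or from Check Point: a small RFC 4514 DN parser that derives the user name from a subject DN and rejects names the rule excludes. It accepts both the strict RFC 4514 form (`CN=James,O=My Organization`) and the spaced display form shown on this page, handles backslash escapes (including hex escapes for non-ASCII characters), and maps the OID 2.5.4.3 to CN. The function names and sample DNs are the example's own.

```python
import string

# Attribute-type aliases a CA or tool may emit instead of the short name (assumption: only CN needed here).
ATTR_ALIASES = {"2.5.4.3": "CN", "COMMONNAME": "CN"}


def _split_unescaped(value: str, sep: str) -> list[str]:
    """Split on sep, keeping backslash-escaped pairs intact so '\\,' does not split."""
    parts, cur, i = [], [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            cur.append(value[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(value: str) -> str:
    """Resolve RFC 4514 escapes: '\\,' -> ',', '\\C3\\B6' -> the UTF-8 bytes C3 B6 -> 'ö'."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out += bytes.fromhex(pair)
                i += 3
                continue
            out += value[i + 1].encode("utf-8")
            i += 2
            continue
        out += value[i].encode("utf-8")
        i += 1
    return out.decode("utf-8")


def parse_dn(dn: str) -> list[list[tuple[str, str]]]:
    """DN string -> list of RDNs, each a list of (TYPE, value) pairs.
    Multi-valued RDNs (joined with '+') are kept together; whitespace around '=' is tolerated."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise ValueError(f"malformed RDN: {ava!r}")
            attr_type, attr_value = ava.split("=", 1)
            attr_type = attr_type.strip().upper()
            attr_type = ATTR_ALIASES.get(attr_type, attr_type)
            avas.append((attr_type, _unescape(attr_value.strip())))
        rdns.append(avas)
    return rdns


def user_name_from_dn(dn: str) -> str:
    """Return the CN to use as the user object name, enforcing the page's rule:
    exactly one CN, non-empty, and no whitespace anywhere in it."""
    cns = [value for rdn in parse_dn(dn) for attr_type, value in rdn if attr_type == "CN"]
    if len(cns) != 1:
        raise ValueError(f"expected exactly one CN in {dn!r}, found {len(cns)}")
    cn = cns[0]
    if not cn or any(c.isspace() for c in cn):
        raise ValueError(f"CN {cn!r} is not a single string without spaces")
    return cn


if __name__ == "__main__":
    # Constructed sample subjects; the first is the one used on this page.
    for sample in ("CN = James, O = My Organization, C = My Country",
                   "CN=jsmith,OU=Sales\\, EMEA,O=Example",
                   "CN=James Smith,O=Example"):
        try:
            print(sample, "->", user_name_from_dn(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

Run the user name this returns against the user object name exactly as typed, since the page states the name is case sensitive; a certificate with CN "james" will not match a user object named "James".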