Checkpoint, Gaia, TACACS – two lines of config

If you have a checkpoint firewall, you probably know about Gaia… and if you have more than one firewall admin, you probably want to individually authenticate them to the operating system (as apposed to a encrypted file of usernames & passwords which get’s passed around the office)

 add rba role TACP-0 domain-type System all-features
 set aaa tacacs-servers authentication server 10.10.10.10 key mysecretkey

What you need to know about the above…

  • If a user can successfully authenticate by TACACS they become a super user, if you need different roles read up on “role based administration”, TACP-15 and the enable_tacacs command.
  • The config has been tested on Cisco ACS 5.4, the default TACACS “default device administration” profile works with no changes.
  • This is tacacs authentication only, authorization is handled by the local RBA.

 

rgds,

Nick