gaia-logoI have been completing a lot of upgrades for customers, and have been recommending R77.30 across the board (with the appropriate Jumbo Fixes). From an authentication standpoint, the GAiA operating system has caught up and surpassed SPlat with R77.30. How? The TACACS+ functionality in R77.30 has finally been updated to allow the authentication and authorization of non-local users.

This means you no longer have to define accounts locally. You simply define the users on your TACACS+ server (usually tied to AD) and everything is centralized. You were not able to do this previous to R77.30, and for the most part I do not recommend TACACS+ integration unless you are on R77.30.

The challenge then is searching though the different SK articles to find the right combination of commands to get this working (without local accounts). If you want to setup a GAiA appliance/VM to use TACACS+for centralized authentication and authorization, you will need to use the following commands:

 

lock database override
add aaa tacacs-servers priority 1 server “your TACACS+ Server’s IP” key “TACACS+ password” timeout 5
add rba role TACP-0 domain-type System all-features
set aaa tacacs-servers user-uid 0
set aaa tacacs-servers state on
save config

 

So if the IP of my TACACS+ server (ACS for example) is 192.168.10.50 and the shared secret is ‘vpn123’ the commands would look like the following:

 

lock database override
add aaa tacacs-servers priority 1 server 192.168.10.50 key vpn123 timeout 5
add rba role TACP-0 domain-type System all-features
set aaa tacacs-servers user-uid 0
set aaa tacacs-servers state on
save config

Run these commands from Clish on your R77.30 appliances/VMs to point them at your AAA infrastructure. Now you will pass your next audit with flying colors.

Check Point’s sk98733 is a great article on how to setup ACS for GAiA integration

GAiA TACACS+ Secret Recipe

Leave a Reply

Your email address will not be published. Required fields are marked *