gaia-logoI received a few emails from some of you letting me know that TACACS+ in GAiA is nothing new, and that it has been there from the beginning. Well that is true to a degree, but my point in writing this is more about the fact that TACACS+ in GAiA finally has some “enterprise” features in R77.30 mainly the fact that locally defined accounts are not needed on the host anymore.

R77.20 (and back to R75.40) did not have true “centralization.” What do I mean? Let’s say we have a co-worker named ‘Joe’ and I want to authenticate and authorize him on R77.20 appliances/gateways/servers. I would create an account for him on a TACACS+ server (ACS, not-ISE, Tac_plus, etc.). However I also have to define ‘Joe’ locally on every single Check Point R77.20 appliance/firewall/server. The reason for this is that previous to R77.30 there is no authorization tie-in with GAiA, which is why we need to define the users locally as well.

TACACS1

This may not be a big deal if you have a pair of firewalls and three firewall admins (for example). But it is entirely different if you have a dozen admins managing 180 firewalls: visit 180 devices and create a dozen accounts on each device. With R77.30, the TACACS+ functionality is finally truly centralized.

TACACS2

 

The R77.30 CLIsh command that makes all of this possible is the inclusion of:

set aaa tacacs-servers user-uid 0

With the above command you no longer need locally defined accounts. One clue will be in the GAiA web interface in the top left:

TACACS3

In the example above, the administrator logged-in with the account  ‘Joe’ that was defined only on TACACS+. Notice the ‘joe[TACP-0]’ in the top left. Also notice that there is no account ‘Joe’ defined locally on the firewall.

GAiA TACACS+ Secret Recipe pt. 2

Leave a Reply

Your email address will not be published. Required fields are marked *