https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSNext-and-TACACS-authentication-defining-TACP-15-for-non-local/m-p/269760#M60247 <P>Hello wizards,</P><UL><LI>environment: 2x 19200 with R82&nbsp; ElasticXL and VSNext, 10+ Virtual Systems</LI><LI>mission: authenticate non-local Gaia users with TACACS+</LI><LI>state to resolve: how to configure TACP-15 role with intended assigned privileges equal to adminRole.&nbsp;</LI></UL><P>&nbsp;</P><P>Following the information in R82 Gaia Administration Guide and recommendations from&nbsp;<A href="https://support.checkpoint.com/results/sk/sk98733" target="_blank">https://support.checkpoint.com/results/sk/sk98733</A>, we configured TACACS+ Server, we prepared the TACP-0 role on VSNext gateway. We created role TACP-15 with all-features. Trying to allow TACP-15 to all virtual systems we've received following error:&nbsp;</P><PRE><SPAN>[Global]:0&gt;</SPAN> add rba tole TACP-15 domain-type System all-features<BR /><SPAN>[Global]:0&gt;</SPAN> add rba role TACP-15 virtual-system-access all<BR />NMSRBA0429 The following features: CloningGroup, aaa-servers, backup, command, configuration, cron, expert, expert-authentication-method, expert-password, expert-password-hash, ftw, group, grub2-password, grub2-password-hash, rba, scheduled_backup, snapshot, user, are restricted to global users only, and therefore cannot be added to roles with specific VS access.</PRE><P>Is there any document, guide with examples related to configuration TACACS+ authentication in VSNext environment? All documents I've found till now looks like related to Legacy VSX. Is there any known difference between VSNext and Legacy VSX related to TACACS+ authentication? Any hints what features should be assigned to admin role ?</P><P>&nbsp;</P><P>I know a lot of questions, not ultimate solutions are expected, but any tips, hints and opinions to topic are welcome.&nbsp;</P><P>&nbsp;</P><P>milo</P> Thu, 05 Feb 2026 06:55:13 GMT m1l0514v 2026-02-05T06:55:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSNext-and-TACACS-authentication-defining-TACP-15-for-non-local/m-p/269760#M60247 <P>Hello wizards,</P><UL><LI>environment: 2x 19200 with R82&nbsp; ElasticXL and VSNext, 10+ Virtual Systems</LI><LI>mission: authenticate non-local Gaia users with TACACS+</LI><LI>state to resolve: how to configure TACP-15 role with intended assigned privileges equal to adminRole.&nbsp;</LI></UL><P>&nbsp;</P><P>Following the information in R82 Gaia Administration Guide and recommendations from&nbsp;<A href="https://support.checkpoint.com/results/sk/sk98733" target="_blank">https://support.checkpoint.com/results/sk/sk98733</A>, we configured TACACS+ Server, we prepared the TACP-0 role on VSNext gateway. We created role TACP-15 with all-features. Trying to allow TACP-15 to all virtual systems we've received following error:&nbsp;</P><PRE><SPAN>[Global]:0&gt;</SPAN> add rba tole TACP-15 domain-type System all-features<BR /><SPAN>[Global]:0&gt;</SPAN> add rba role TACP-15 virtual-system-access all<BR />NMSRBA0429 The following features: CloningGroup, aaa-servers, backup, command, configuration, cron, expert, expert-authentication-method, expert-password, expert-password-hash, ftw, group, grub2-password, grub2-password-hash, rba, scheduled_backup, snapshot, user, are restricted to global users only, and therefore cannot be added to roles with specific VS access.</PRE><P>Is there any document, guide with examples related to configuration TACACS+ authentication in VSNext environment? All documents I've found till now looks like related to Legacy VSX. Is there any known difference between VSNext and Legacy VSX related to TACACS+ authentication? Any hints what features should be assigned to admin role ?</P><P>&nbsp;</P><P>I know a lot of questions, not ultimate solutions are expected, but any tips, hints and opinions to topic are welcome.&nbsp;</P><P>&nbsp;</P><P>milo</P> Thu, 05 Feb 2026 06:55:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSNext-and-TACACS-authentication-defining-TACP-15-for-non-local/m-p/269760#M60247 m1l0514v 2026-02-05T06:55:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSNext-and-TACACS-authentication-defining-TACP-15-for-non-local/m-p/269825#M60248 <P>In Legacy VSX, much of the OS-level VS configuration comes from Security Management and cannot be done through Gaia OS directly.<BR />This concept is reinforced by the fact there are VSX Gateway specific objects with Legacy VSX installations.<BR />That also means that common settings (like interfaces/routes) apply to all VSes.&nbsp;</P> <P>In VSNext, the OS-level VS is defined on the gateway itself and VSes are defined as regular gateway objects.<BR />Unlike Legacy VSX, you can have VSes managed by completely different Security Managements in unrelated SIC domains (either standalone or multi-domain management).<BR />Also, you can use standard mechanisms (WebUI/clish) to affect OS-level VS changes (e.g. add interfaces/routes).</P> <P>All of which suggests that the relevant configurations for VS access need to be applied at the VS level.<BR />This means you need to apply the relevant configuration in the context of each VS (e.g. by using&nbsp;<BR />set virtual-system X in clish or via the WebUI).&nbsp;<BR />The steps should otherwise be identical.</P> Thu, 05 Feb 2026 17:52:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSNext-and-TACACS-authentication-defining-TACP-15-for-non-local/m-p/269825#M60248 PhoneBoy 2026-02-05T17:52:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSNext-and-TACACS-authentication-defining-TACP-15-for-non-local/m-p/269834#M60249 <P>I did have a TAC case related to this, and legacy VSX running R82.&nbsp; However the issue we had related to being in expert mode and switching into VS's, which could not be done (been a while since I looked at this though).<BR /><BR /></P> Thu, 05 Feb 2026 20:18:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSNext-and-TACACS-authentication-defining-TACP-15-for-non-local/m-p/269834#M60249 genisis__ 2026-02-05T20:18:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSNext-and-TACACS-authentication-defining-TACP-15-for-non-local/m-p/269847#M60250 <P>Expert mode is a different beast for sure.</P> <P>Legacy VSX was created before Linux had <A href="https://en.wikipedia.org/wiki/Linux_namespaces" target="_self">Namespaces</A> support.<BR />Not entirely clear to what extent it is being used, however.</P> <P>Meanwhile, VSNext was designed with Linux Namespaces in mind.<BR />Perhaps this applies in the Expert shell, but haven't seen myself.</P> Fri, 06 Feb 2026 00:48:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSNext-and-TACACS-authentication-defining-TACP-15-for-non-local/m-p/269847#M60250 PhoneBoy 2026-02-06T00:48:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSNext-and-TACACS-authentication-defining-TACP-15-for-non-local/m-p/275851#M105066 <P>Dear friends,&nbsp;</P><P>just very short update.&nbsp;</P><P>The need for authenticated access to Gaia management we resolved by using RADIUS authentication.</P> Tue, 21 Apr 2026 07:00:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSNext-and-TACACS-authentication-defining-TACP-15-for-non-local/m-p/275851#M105066 m1l0514v 2026-04-21T07:00:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSNext-and-TACACS-authentication-defining-TACP-15-for-non-local/m-p/275869#M105069 <P>Are you able to share the solution as I suspect configuration on GAIA and ISE are needed.</P> Tue, 21 Apr 2026 10:16:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSNext-and-TACACS-authentication-defining-TACP-15-for-non-local/m-p/275869#M105069 genisis__ 2026-04-21T10:16:28Z