https://community.checkpoint.com/t5/Firewall-and-Security-Management/Clish-Expert-Access-with-TACACS/m-p/67344#M9562 AD Authentication is not supported at all on GAIA. A TACACS+ user does not have to be created on GAIA though. All you need to do is setup the TACACS connection:<BR />add aaa tacacs-servers priority 1 server 1.2.1.3 key ***** timeout 5 <BR />set aaa tacacs-servers state on <BR />set aaa tacacs-servers user-uid 0 <BR />set aaa radius-servers super-user-uid 96 <BR />add rba role TACP-0 domain-type System all-features <BR /><BR />That should suffice, how the TACACS server itself will handle the request for the user that is not there in the user list, I don't know, we are also struggling with that part of the implementation. Wed, 13 Nov 2019 22:48:37 GMT Maarten_Sjouw 2019-11-13T22:48:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Clish-Expert-Access-with-TACACS/m-p/67337#M9560 <DIV class="lia-quilt-row lia-quilt-row-message-subject"><DIV class="lia-quilt-column lia-quilt-column-24 lia-quilt-column-single lia-quilt-column-message-subject-content"><DIV class="lia-quilt-column-alley lia-quilt-column-alley-single"><DIV class="topic-subject-wrapper"><DIV class="lia-message-subject lia-component-message-view-widget-subject"><DIV class="MessageSubject">&nbsp;</DIV></DIV></DIV></DIV></DIV></DIV><DIV class="lia-quilt-row lia-quilt-row-message-body"><DIV class="lia-quilt-column lia-quilt-column-24 lia-quilt-column-single lia-quilt-column-message-body-content"><DIV class="lia-quilt-column-alley lia-quilt-column-alley-single"><DIV class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"><DIV class="lia-message-body-content"><P>Hi,</P><P>I've got TACACS+ set up (VSX Cluster). I can use my AD credentials to log in to Smart Dashboard but i cant do the same for CLI or Expert on my gateways.</P><P>I believe i need to do some configuration on the CLI but i cant get the appropriate SK to get this done.</P><P>Would appreciate some direction/help. I tried creating a User/rba but it requires setting up a password on the gateway which defeats the purpose of syncing with AD and TACACS server</P><P>Thank You</P></DIV></DIV></DIV></DIV></DIV> Wed, 13 Nov 2019 21:35:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Clish-Expert-Access-with-TACACS/m-p/67337#M9560 Enyi_Ajoku 2019-11-13T21:35:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Clish-Expert-Access-with-TACACS/m-p/67340#M9561 What is it that you specifically need to do?<BR />Might be easier to use dynamic CLI: <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk144112" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk144112</A><BR />And possibly add some extended commands: <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk86583" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk86583</A> Wed, 13 Nov 2019 21:51:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Clish-Expert-Access-with-TACACS/m-p/67340#M9561 PhoneBoy 2019-11-13T21:51:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Clish-Expert-Access-with-TACACS/m-p/67344#M9562 AD Authentication is not supported at all on GAIA. A TACACS+ user does not have to be created on GAIA though. All you need to do is setup the TACACS connection:<BR />add aaa tacacs-servers priority 1 server 1.2.1.3 key ***** timeout 5 <BR />set aaa tacacs-servers state on <BR />set aaa tacacs-servers user-uid 0 <BR />set aaa radius-servers super-user-uid 96 <BR />add rba role TACP-0 domain-type System all-features <BR /><BR />That should suffice, how the TACACS server itself will handle the request for the user that is not there in the user list, I don't know, we are also struggling with that part of the implementation. Wed, 13 Nov 2019 22:48:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Clish-Expert-Access-with-TACACS/m-p/67344#M9562 Maarten_Sjouw 2019-11-13T22:48:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Clish-Expert-Access-with-TACACS/m-p/67594#M9563 <P>Thanks Maarten,</P><P>The config you provided actually worked. On the other hand i could not login to expert mode with the my AD password</P> Fri, 15 Nov 2019 19:22:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Clish-Expert-Access-with-TACACS/m-p/67594#M9563 Enyi_Ajoku 2019-11-15T19:22:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Clish-Expert-Access-with-TACACS/m-p/67596#M9564 Yes, you have to enter the actual "expert" password to enter expert mode.<BR />That password cannot be controlled via TACACS.<BR />Thus my earlier suggestion about moving the necessary commands into clish so expert mode does not have to be entered.<BR /> Fri, 15 Nov 2019 19:28:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Clish-Expert-Access-with-TACACS/m-p/67596#M9564 PhoneBoy 2019-11-15T19:28:25Z