

I have been researching how TACACS+ works on GAiA for the past 4 to 5 hours, and I have come to the conclusion that either I am confused or my understanding has been wrong all these years.

I have a setup with a few CP firewalls trying to authenticate using TACACS+ running on ACS 5.X. The configuration is fine on both devices; in fact, I am able to authenticate to the boxes as well. If I need to escalate my privilege, I am supposed to use tacacs_enable TACP-N (15 in my case). Then I have RBA role configuration related to TACP-15 on the Checkpoint firewalls which allows me to perform certain actions.

Here comes my million-dollar doubt. In a typical environment we might have read-only and read-write users on the ACS/external authentication server. The R77.X documentation about TACACS+ highlights the following statement: "Gaia supports TACACS+ for authentication only. Challenge-response authentication, such as S/Key, is not supported."

So in a scenario where a read-only user according to my ACS authenticates to Checkpoint and uses TACP-15 with his enable password, he/she gets complete privilege. Logically speaking, this just defeats the purpose of access control, unless my understanding here is wrong.

In addition to this, the R77.X guide also says the following: "When a non-local user logs in to Gaia, the TACACS server authenticates the user and assigns the permissions to the user. You must configure the TACACS server to correctly authenticate and authorize non-local Gaia users."

These statements contradict each other in their own way, unless there are attributes that can be used on ACS to control the authorization as well.

4 Replies


For the authorization you use the TACP-N key; you create an RBA role:

add rba role TACP-15 domain-type System all-features

Now, with the following command, you can remove specific commands from the list of available commands; using the tab key you will see the full list of options:

delete rba role TACP-0 readwrite-features <features to be removed>

You can create multiple TACP-N RBA roles with different functionality, but I don't think you will be able to elevate yourself from one RBA role to another; there is no enable option.

Regards, Maarten


The R77.X documentation confirms that all TACACS users are by default in TACP-0. So if I am executing tacacs_enable TACP-15 the user is indeed jumping from 0 to 15.

Now my question is from the perspective of how read-write and read-only authorization can be controlled from the TACACS server, if that is even possible. For example, I have a few Palo Alto firewalls where I use attribute values of auth profiles set up on the firewalls in TACACS to ensure read-only users in TACACS cannot have any additional privilege.

But in the case of a Checkpoint firewall, if a read-only user accesses the firewall, he/she can just go into TACP-15 because there aren't any such attribute values which are set up on the TACACS server.



You will have to create an RBA role for TACP-15 as well and remove the features you don't want a user to have in that role.

Regards, Maarten


Sorry about the late reply, I have been away for a while.

After going through a couple of other posts and the documentation, I understand that I cannot use TACACS+ to run central authorization for non-local users, which is what I was trying to achieve. It supports only authentication, since there are no such VSAs supported by Checkpoint to map an RBA role.

In a way, the above limitation defeats the purpose of using TACACS.

On the other hand, RADIUS does support central authorization for non-local users.
