This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Maik
Advisor
‎2019-03-11 09:34 AM

TACACS+ Configuration on MDM/SMS

Hello guys,

I have a few questions regarding TACACS+ authentication on MDM and SMS appliances. As far as I know you can configure TACACS servers via the web UI and clish for GAiA itself and also via the related SmartConsole objects (Objects => New => More => Server => More => TACACS) when it comes to SmartConsole access. As far as I understand these are three different configuration approaches for 2 different config goals. This means, that the GAiA (clish + web UI) config is absolutely not related to the SmartConsole TACACS+ authentication.

In detail; you need to specify the same server twice if you want to use it for GAiA access and SmartConsole access.

Is my assumption correct? Or can the GAiA TACACS config get replicated to the actual "management product configuration" of the SMS/MDM?

And one final question; is there any way to test a TACACS configuration on a gateway or MDM/SMS? I mean sure, you can just try to log in. But especially if you have configured more than one server and want to test the secondary one a command to test the related config and connection would be great. (The only way to test TACACS auth. for a secondary server I currently know is to disable the connection to the primary one, which is not really a decent solution.)

Regards,

Maik

6 Replies
Maik
Advisor
‎2019-03-13 01:10 AM

*push*

Maik
Advisor
‎2019-03-18 01:01 AM
In response to Maik

*push*

 

One last attempt - if that does not help I can accept that this thread is dead 😛

Jerry
Mentor
Mentor
‎2019-03-18 02:13 AM

sk101573
sk69703

need more details mate ?
Jerry
0 Kudos
Jerry
Mentor
Mentor
‎2019-03-18 02:14 AM

https://community.checkpoint.com/t5/General-Management-Topics/TACACS-and-Multiple-Roles/td-p/17216

this should help I guess? or rather ... I believe? 🙂
Jerry
Maik
Advisor
‎2019-03-18 03:27 AM
In response to Jerry

Hey Jerry,

 

Thanks for your reply.

I have already read both SKs and I am familiar with the general tacacs config within GAiA. 🙂

My questions were;

- is it possible to configure tacacs on the GAiA level on a SMS/MDM and adapt this config for the SmartConsole access later?

- are there any commands to verify a tacacs config - especially related to scenarios where you have a secondary tacacs server that won't be used unless the first one fails. [The only way I know to verify if everything works is by logging in with a tacacs user - to verify the secondary tacacs you need to disable any connection to the primary one.]

Jerry
Mentor
Mentor
‎2019-03-20 01:13 AM
In response to Maik

alright, so here is the thing based on my experience:

1. tacacs for shell/gaia/clish is one thing, tacacs for Management (SC) is another, bear that in mind please
2. failover with ACS is another story and I believe it has nothing to do with Gaia (you need 2 acs servers configured for redundancy of AAA do you?)
3. gaia and other systems like that will always see AAA server as one but pool both so you should be comfortable having them both configured and both "pool' able" however, as far as I know the resource used for AAA will remain one-at-the-time for users.

try experimenting and first see if both "allowed" ACS servers talk to the GAIA itself and SMS at the same time (fw monitor?) and see if the tokens are issued correctly (logs?). then try to differenciate users between shell (gaia) and SmartConsole (Management/OPSEC) setup.

let me know how it goes, I do have similar setup with RADIUS with one of my clients but it shouldn't be that different really ...
Jerry
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events