I have been researching about how TACACS+ works on GAiA for the past 4 to 5 hours and I have come to a conclusion that either I am confused or my understanding was wrong all these years.

I have a setup with few CP firewalls trying to authenticate using TACACS+ running on ACS 5.X. The configuration is fine on both devices, in fact I am able to authenticate to the boxes as well. If I need to escalate my privilege, i am supposed to be using tacacs_enable TACP-N (15 in my case). Then I have RBA roles configuration related to TACP-15 on the Checkpoint firewalls which allows me to perform certain actions.

Here comes my million dollar doubt, In a typical environment we might have read-only and read-write user on ACS/external authentication server. R77.X documentation about TACACS+ highlights the following statement "Gaia supports TACACS+ for authentication only. Challenge-response authentication, such as S/Key, is not supported."

So in a scenario where a read-only User according to my ACS authenticates to Checkpoint and uses TACP-15 with his enable password he/she gets complete privilege. Logically speaking just beats the purpose of access control, unless my understanding here is wrong.

In addition to this, R77.X guide also says the following - "When a non-local user logs in to Gaia, the TACACS server authenticates the user and assigns the permissions to the user. You must configure the TACACS server to correctly authenticate and authorize non-local Gaia users."

These statements are contradicting in its own way unless there are attributes which can used on ACS which can control the Authorization as well.