If we decide to setup RADIUS or TACACS authentication, does it fail to the local database if the servers are unavailable? Are local accounts still usable when auth servers are configured?
To clarify, are you talking about in Gaia or when authenticating with SmartConsole/SmartDashboard?
For Gaia, it depends on how you've configured AAA.
For SmartConsole, a user can only authenticate with the method configured for that user.
Like I said, a given SmartConsole user can only be configured to use one authentication mechanism.
If that method is unavailable for some reason, that user can't log in.
Local users (with a local password) will always be available in that case.
When RADIUS or TACACS+ is configured, these have priority over local users.
If these servers aren't available, local authentication should be available.
What I'm not 100% sure about is whether or not local users are available even when RADIUS/TACACS+ servers are configured and working.
I am not 100% sure my assumptions are correct, but this is what I have experienced :-) So please correct me if wrong!
@SmartConsole R80.10 with multiple login options (clients supported see sk111583):
user base can be configured in the login option (automatic might be same as for older versions, but have not tested yet)
@SmartConsole R77 or legacy clients with R80.10:
1. local users are always taken first -> they get authenticated according to the setting in the user properties for authentication
2. LDAP is searched as second stage -> authentication happens based on setting in account unit
3. external user profiles -> authentication and userbase are taken from the authentication configured in the external user profile
Order is as follows:
- users with pw are authenticated locally
- users without pw (* as password-hash) are authenticated according to aaa but settings like shell are taken from local config
- non-existing users are also authenticated according to aaa
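The lookup order given in the post above, written out as a small model so the fallback behaviour can be checked case by case. This is an added example, not Gaia code or anything from Check Point: the account table, the AAA user list, the hash scheme and the default shell for users that exist only on the AAA server are all constructed assumptions (the post does not say which shell such users get). The `*` password-hash marker is the routing flag the post describes; the helper at the end lists which local accounts would still log in with the AAA servers down, which is the audit question the thread opened with.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class Outcome:
    allowed: bool
    backend: str            # "local", "aaa" or "none" (no server answered)
    shell: Optional[str]    # shell assigned on success


def _h(password: str) -> str:
    # Constructed stand-in for the real password hash; sha256 keeps the model self-contained.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed local account table: name -> (password hash, shell).
# A literal "*" in the hash field means "no local password, hand this user to AAA".
LOCAL_USERS = {
    "admin": (_h("LocalSecret"), "/etc/cli.sh"),
    "jdoe": ("*", "/bin/bash"),
}

# Constructed stand-in for the RADIUS/TACACS+ server's user database.
AAA_USERS = {"jdoe": "Tacacs-Pa55", "newhire": "Welcome1"}

# Assumption: shell handed to users that exist only on the AAA server (not stated in the post).
AAA_DEFAULT_SHELL = "/etc/cli.sh"


def aaa_authenticate(user: str, password: str, servers_reachable: bool) -> Optional[bool]:
    """Stand-in for a RADIUS/TACACS+ round trip: True/False verdict, None if no server answers."""
    if not servers_reachable:
        return None
    return AAA_USERS.get(user) == password


def login(user: str, password: str, servers_reachable: bool = True) -> Outcome:
    entry = LOCAL_USERS.get(user)
    if entry is not None and entry[0] != "*":
        # Rule 1: a local user with a password is verified locally; AAA is never consulted,
        # so this account keeps working when every AAA server is down.
        ok = _h(password) == entry[0]
        return Outcome(ok, "local", entry[1] if ok else None)
    verdict = aaa_authenticate(user, password, servers_reachable)
    if verdict is None:
        # AAA-routed accounts have nothing to fall back to when no server answers.
        return Outcome(False, "none", None)
    if not verdict:
        return Outcome(False, "aaa", None)
    if entry is not None:
        # Rule 2: "*" account exists locally, so the shell comes from the local config.
        return Outcome(True, "aaa", entry[1])
    # Rule 3: user unknown locally, authenticated by AAA, shell from the assumed default.
    return Outcome(True, "aaa", AAA_DEFAULT_SHELL)


def accounts_bypassing_aaa() -> list:
    """Local accounts that still authenticate when RADIUS/TACACS+ is unreachable."""
    return sorted(name for name, (pw_hash, _) in LOCAL_USERS.items() if pw_hash != "*")


if __name__ == "__main__":
    for case in [("admin", "LocalSecret", True), ("admin", "LocalSecret", False),
                 ("jdoe", "Tacacs-Pa55", True), ("jdoe", "Tacacs-Pa55", False),
                 ("newhire", "Welcome1", True), ("ghost", "x", True)]:
        print(case, login(*case))
    print("local fallback accounts:", accounts_bypassing_aaa())
```

The model makes the trade-off in the thread explicit: every account with a real local password is a login path that central RADIUS/TACACS+ policy never sees, so the list returned by `accounts_bypassing_aaa()` is what to review (and keep short) when AAA is rolled out.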
So I got TACACS+ auth working on Gaia (successful log entry on my auth server), but it still is not logging me in. Is there a particular dictionary, av pair, or role that I need to send back to successfully login after successful server auth?
Are you following the steps in How to configure Gaia OS to work with a TACACS+ server ?
The roles you need to have defined are:
Yes I followed the guide.
I'm just curious what the shell attribute is called for me to send back the role. For example, when I login to a Cisco Nexus device, I send back the cisco-av-pair shell:roles="network-admin" with privilege level 15.
I'm not familiar with the "shell attribute."
That said, perhaps this SK may help as it shows how to configure Cisco ACS 5 with screenshots: Best Practices - Configuring Cisco ACS 5 server for TACACS+ authentication with Gaia OS
Also this one has an example configuration with the TACACS+ server you can get on Ubuntu in the SK I linked earlier.
I have it working with Cisco ISE (similar to ACS), we (me and the team) are able to get logged in to CLI, Web GUI and SmartDashboards on all of our Checkpoint servers, we are still R77.30 (latest GA HFAs)...not R80.x for a while yet.
In Windows Active Directory, we created a group called Firewalls-admins, Cisco ISE checks against that AD group upon successful authentication then authorizes if you belong to that AD group...permit access.
As per link supplied by Dameon above, you still need to define the users in GAIA webGUI and Firewall Smartdashboard.
Note: since I have not found anything similar to the Shell=15 privilege in GAIA,
after SSH into the CP server... you still need to type expert and enter the Expert password...if you need the expert commands. If Radius servers are down, we are still able to access via LOCAL admin as fallback.
We are trying to implement authentication and authorization using ClearPass for no local users. The problem we are having is that we can't control the privileges.
Could you please share the config of ClearPass to use the privileges?