I want to set up TACACS authentication in a VPN. If someone from network X tries to connect to the Check Point firewall (Gaia or clish) in site A, the firewall connects to an ACS server in site B to authenticate them. How can I do that?
You might need to follow these steps:
- Configure Gaia OS to authenticate against your TACACS server using the CLI or WebUI
- Configure the site-to-site VPN between the gateways and make sure that the TACACS server is part of the encryption domain
- The tricky part: any traffic that matches implied rules will not be encrypted. You might do the following:
- In Global Properties, set "Accept outgoing packets originating from gateway" to "Before Last"
- If the above option doesn't work, you might need to disable TACACS in the implied_rules.def file on the management server, create a rule to allow the firewall to access the TACACS server, and push policy
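The Gaia-side part of the steps above, written out as an added example (this is not from the original post; the server address 192.0.2.10, the shared key and the timeout are placeholders, and the command syntax is from my recollection of the Gaia clish `aaa tacacs-servers` commands, so check it against the admin guide for your Gaia version):

```clish
set aaa tacacs-servers state on
add aaa tacacs-servers priority 1 server 192.0.2.10 key MySharedSecret timeout 5
set aaa tacacs-servers user-uid 96
show aaa tacacs-servers list
save config
```

After pushing the policy, the check that matters is whether TCP/49 to the ACS actually goes through the tunnel: while logging in, run `tcpdump -nni <external-interface> port 49` in expert mode on the site A gateway. Cleartext TACACS+ on the external interface means the implied rule is still accepting the gateway-originated traffic before the VPN community gets to it; once the explicit rule (or the "Before Last" placement) takes effect, you should only see ESP towards the site B peer and the cleartext hits disappear.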
Thank you for answering. Yes, this is the issue: the traffic toward my ACS is not encrypted.
I switched to RADIUS and I can see that the traffic is now encrypted. Authentication doesn't work, but it's progress. Thank you.