topic Re: Cisco ISE Tacacs+ Authorization and Checkpoint Firewall in Network Access Control

Cisco ISE Tacacs+ Authorization and Checkpoint Firewall

pankaj — Fri, 21 Feb 2020 18:35:00 GMT

Configuration Done ON ISE

Policy Elements::

Device Administration
- Tacacs+ Profiles
  - CheckPoint
    - 1. General tab
    - Name: CheckPoint
      Description: CheckPoint Firewall
    - 2. Custom Attibutes tab
    - Attribute/Requirement/Value:
      CheckPoint-SuperUser-Access=1
      Mandatory
      1
      Attribute/Requirement/Value:
      Checkpoint-User-Role=adminRole
      Mandatory
      adminRole

Configuration on CheckPoint

Configure Gaia OS

To be able to login to Gaia OS with TACACS+ user, configure the role TACP-0, and for every privileged level "X" that will be used with tacacs_enable, define the rule TACP-"X".

HostName> add rba role TACP-0 domain-type System readwrite-features tacacs_enable

Notes:

Use the enable password configured on the ACS server.
The enable password is valid for all privileged levels.

HostName> add rba role TACP-15 domain-type System all-features
HostName> save config
HostName> show configuration rba

HostName> add aaa tacacs-servers priority 1 server <IP_ADDRESS_of_ACS_SERVER> key <KEY> timeout 3
HostName> set aaa tacacs-servers state on
HostName> set aaa tacacs-servers user-uid 0
HostName> save config
HostName> show configuration aaa

I had done the above configuration I am able to authenticate but the user is not able to get Level 15 privilege.

I tried to find out documents related to this didn't find out anything on both side ie Cisco and CheckPoint. Please help me in regard to this. If anyone having any case study related to this kindly share with me.

Re: Cisco ISE Tacacs+ Authorization and Checkpoint Firewall

Louis Gonzales — Thu, 15 Feb 2018 23:27:43 GMT

Has anyone been able to get TACACS to work with CheckPoint 80.11 and CISE 2.2?

Re: Cisco ISE Tacacs+ Authorization and Checkpoint Firewall

Guillaume BARBEROT — Wed, 21 Feb 2018 12:35:47 GMT

perhaps using this guide : https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk101573

it states : "After login, you can use the Gaia Clish command 'tacacs_enable TACP-15' to gain full privileges."

Didn't tried for now, feedback appreciated

Re: Cisco ISE Tacacs+ Authorization and Checkpoint Firewall

Hua Pan — Fri, 14 Jun 2019 19:56:31 GMT

I was in GUI. Tried leverage the privilege by clicking the TACACS+ Enable command. I selected the TACP-15. But it shows authentication failed. On ISE, I am not able to see the authentication request coming in.

Re: Cisco ISE Tacacs+ Authorization and Checkpoint Firewall

MiroslavStefanov9752 — Fri, 03 Apr 2020 12:33:21 GMT

Hi there,

We have similar problem. We use ISE as a TACACS server and R80 GAIA as client.
We were able to get basic authentication working but no matter what is configured on ISE it always goes to TACP-0 mode.
So if you want expert you need to escalate to TACP-15 and from there to expert. For this purpose there is an "set aaa radius-servers default-shell /bin/bash" command not present for tacacs, which is ok, but event direct login to TACP-15 doesn't work.

On GAIA we have config similar to the above one.
On ISE we tried many combination with these attributes

priv-lvl=15
CP-Gaia-SuperUser-Access = 1
CP-Gaia-User-Role =TACP-15

priv-lvl=15
CheckPoint-SuperUser-Access=1
Checkpoint-User-Role=adminRole

However we always get only TACP-0, and actually there is no authorization request, only authentication ones and none of the mentioned attributes is ever being sent to the GAIA. The only thing that is being sent is below in the authentication reply:
{Authen-Reply-Status=Pass; }

If anyone has made it work to login directly to TACP-15 or expert mode and share the setup on the CheckPoint and ISE side would be really appreciated.
Thanks!

Re: Cisco ISE Tacacs+ Authorization and Checkpoint Firewall

adias1287 — Mon, 24 Aug 2020 01:45:55 GMT

Hello

Were you able to get this working? We are running into the same issue

Re: Cisco ISE Tacacs+ Authorization and Checkpoint Firewall

MiroslavStefanov9752 — Mon, 07 Sep 2020 11:01:51 GMT

Hi,

unfortunately not, which is quite disappointing. Not much to add here.

Re: Cisco ISE Tacacs+ Authorization and Checkpoint Firewall

Adam Peters — Wed, 02 Dec 2020 16:20:13 GMT

I couldn't get the TACACs client to login directly to TACP-15 but was able to get the account to access TACP-15 after login with TACP-0

The fix was to go into Cisco ISE

Work Centers> Device Administration> Policy Elements>Results>TACACS Profiles>

Create a TACACS Profile for GAIA_OS

Under Common Tasks:

Check "Maximum Privilege" and set to 15

Under custom Attributes:

Click add

Type= MANDATORY Name = CheckPoint-SuperUser-Access Value=1

The issue was identified on ISE Operations> TACACS>Live logs and received error stating shell misconfigured for associated user thou the user was authenticated the user was not authorized due to shell TACAS policy being misconfigured. I hope it helps.

Re: Cisco ISE Tacacs+ Authorization and Checkpoint Firewall

cedelmann — Fri, 22 Apr 2022 10:44:43 GMT

Hello,

I tried to do it the same way you did, however, I'm always connected to TACP-0 first. Afterwards I have to enter my password to get to TACP-15.

If this has worked for you without the step through TACP-0, can you share your shell policy?

Best regards

Christian

Re: Cisco ISE Tacacs+ Authorization and Checkpoint Firewall

Adam Peters — Fri, 22 Apr 2022 14:42:45 GMT

Hi Christian,

Can’t share the shell with you, company policy, but potentially you haven't created the RBA role yet and pointed to the ISE TACACS Server:
I would run through these steps:
Step 1: Login into Check Point Gaia Portal at <IP>
Step 2: Navigate to User Management > Authentication Servers
Step 3: Scroll down to “TACACS+ Servers and click “add”
Step 4: Fill in information
Note* Pre-share key needs to be the same on both the Checkpoint Firewall and ISE server
Step 5: Add Rule Based Access
(RBA) roles object by navigating to User Management > Roles
Step 6: Add RBA role TACP-0
Select features "Authentication Servers" and "TACACS_Enable" in drop down select Read/Write
Step 7: Add RBA role TACP-15 and configure as below:
Note* TACP-15 is highest level privilege, which will be mapped out in the ISE authorization policy for the GaiaOS.
Note* Select all 105 possible elements, all must be given Read write priv.
Step 8: In the TACP-15 RBA role select “Extended Commands” and click all options for all 45 commands

Give this a shot and see if it fixes it.

Regards,

Adam

Re: Cisco ISE Tacacs+ Authorization and Checkpoint Firewall

cedelmann — Wed, 27 Apr 2022 14:26:38 GMT

Hi Adam,

thank you for the commands. Unfortunately it is still not working as expcted. I am able to login to TACP-0 and after that with privilege escallation to TACP-15. But the first step with TACP-0 is always needed, I have not made it directly to TACP-15.

Which ISE and CheckPoint version are you using?

Best regards

Christian

Re: Cisco ISE Tacacs+ Authorization and Checkpoint Firewall

Sri Harsha Dasari — Tue, 12 Dec 2023 04:26:48 GMT

We were running into same issue where ISE logs show user entered wrong password. This was fixed after users are added on Checkpoint Firewalls. We stopped sending parameters from ISE and defined user access on Checkpoints locally. Only authentication is being handled by ISE.
below is what we used under shell profile on ISE

Maximum privilage level = 15

Attribute/Requirement/Value:
- CheckPoint-SuperUser-Access=1
- Mandatory
- 1

Re: Cisco ISE Tacacs+ Authorization and Checkpoint Firewall

igor.mamuzic — Tue, 11 Feb 2025 15:01:12 GMT

On Gaia you need to specify RBA roles for different types of privileges. For example, if you want that the user automatically lands into full admin access then configure the following:

add rba role TACP-0 domain-type System readwrite-features tacacs_enable, cdt,certificate_authority,chassis,clock-date,cluster_ha,command,configuration,consent-flags,core-dump,cpnano-status,cron,dhcp,distribution,dns,domainname,dynamic-balancing,environment,expert,expert-authentication-method,expert-password,expert-password-hash,expert_api_Cluster,expert_api_Interfaces,expert_api_Messages,expert_api_Misc,expert_api_NTP,expert_api_aaa,expert_api_allowed-clients,expert_api_arp,expert_api_asset,expert_api_backup
add rba role TACP-0 domain-type System readonly-features expert_api_bgp,expert_api_bootp,expert_api_cluster,expert_api_cphaprob,expert_api_cpview,expert_api_cron,expert_api_dhcp6-config,expert_api_dhcp-server,expert_api_dhcpv6-server,expert_api_diagnostics,expert_api_dns,expert_api_dynamic_content,expert_api_expertPassword,expert_api_expertpassword,expert_api_extended-commands,expert_api_features,expert_api_files,expert_api_ftw,expert_api_global-params,expert_api_groups,expert_api_grubPassword
add rba role TACP-0 domain-type System readonly-features expert_api_grubpassword,expert_api_hostname,expert_api_igmp,expert_api_inbound-route-filter,expert_api_interface,expert_api_interfaces,expert_api_ioc-feeder,expert_api_ip_conflicts,expert_api_ipv6,expert_api_isis,expert_api_keyboard-layout,expert_api_license,expert_api_lightshots,expert_api_lightshots-partition,expert_api_lldp,expert_api_maestro,expert_api_messages,expert_api_misc,expert_api_mld,expert_api_nat-pool,expert_api_nfs,expert_api_ntp
add rba role TACP-0 domain-type System readonly-features expert_api_open-telemetry,expert_api_ospf,expert_api_passwordcontrols,expert_api_pim,expert_api_pim6,expert_api_provisioning,expert_api_proxy,expert_api_rba-roles,expert_api_route,expert_api_route-redistribution,expert_api_routemap,expert_api_router-id,expert_api_routes,expert_api_runScript,expert_api_runscript,expert_api_serial-number,expert_api_server-status,expert_api_show-connections,expert_api_show-connections-presets,expert_api_simulate_packet
add rba role TACP-0 domain-type System readonly-features expert_api_snapshot,expert_api_snmp,expert_api_ssh-server,expert_api_static-mroute,expert_api_syslog,expert_api_system,expert_api_users,expert_api_versions,expert_api_vsx,export,fcd,file,firewall_management,format,ftw,group,grub2-password,grub2-password-hash,host,host-access,hostname,hw-monitor,igmp,import,inactto,installer,installer_conf,interface,interface-name,ip-conflicts-monitor,iphelper,ipreachdetect,ipsec-routing,ipv6-state,isis,lcd,license
add rba role TACP-0 domain-type System readonly-features license_activation,lldp,location-led,lom,maestro,management_interface,mdps,message,mfc-static,mgmt-gui-clients,nat-pool,neighbor,netaccess,netflow,ntp,ospf,password-controls,pbr-combine-static,perf,pim,prefix,prod-maintain,proxy,raid-monitor,rba,rdisc,reboot_halt,rip,route,route-injection,route-options,routed-cluster,routemap,routing-event-trigger,sam,scheduled_backup,scratchpad,sdwan-status,securexl,security-gateway,selfpasswd,show-route-all
add rba role TACP-0 domain-type System readonly-features smart-console,smo,snapshot,snapshot_scheduled,snmp,spike-detective,ssh-client,ssl,ssm,ssmtp,static-mroute,static-route,sysconfig,sysenv,syslog,system,upgrade,user,users-access-log,version,virtual-system,vpnt,vrrp,vsx,web
add rba role scpRole domain-type System readonly-features expert

On the other hand, if you want to give access to all the features but with read-only access then you must do the following:

add rba role TACP-0 domain-type System readwrite-features tacacs_enable
add rba role TACP-0 domain-type System readonly-features cdt,certificate_authority,chassis,clock-date,cluster_ha,command,configuration,consent-flags,core-dump,cpnano-status,cron,dhcp,distribution,dns,domainname,dynamic-balancing,environment,expert,expert-authentication-method,expert-password,expert-password-hash,expert_api_Cluster,expert_api_Interfaces,expert_api_Messages,expert_api_Misc,expert_api_NTP,expert_api_aaa,expert_api_allowed-clients,expert_api_arp,expert_api_asset,expert_api_backup
add rba role TACP-0 domain-type System readonly-features expert_api_bgp,expert_api_bootp,expert_api_cluster,expert_api_cphaprob,expert_api_cpview,expert_api_cron,expert_api_dhcp6-config,expert_api_dhcp-server,expert_api_dhcpv6-server,expert_api_diagnostics,expert_api_dns,expert_api_dynamic_content,expert_api_expertPassword,expert_api_expertpassword,expert_api_extended-commands,expert_api_features,expert_api_files,expert_api_ftw,expert_api_global-params,expert_api_groups,expert_api_grubPassword
add rba role TACP-0 domain-type System readonly-features expert_api_grubpassword,expert_api_hostname,expert_api_igmp,expert_api_inbound-route-filter,expert_api_interface,expert_api_interfaces,expert_api_ioc-feeder,expert_api_ip_conflicts,expert_api_ipv6,expert_api_isis,expert_api_keyboard-layout,expert_api_license,expert_api_lightshots,expert_api_lightshots-partition,expert_api_lldp,expert_api_maestro,expert_api_messages,expert_api_misc,expert_api_mld,expert_api_nat-pool,expert_api_nfs,expert_api_ntp
add rba role TACP-0 domain-type System readonly-features expert_api_open-telemetry,expert_api_ospf,expert_api_passwordcontrols,expert_api_pim,expert_api_pim6,expert_api_provisioning,expert_api_proxy,expert_api_rba-roles,expert_api_route,expert_api_route-redistribution,expert_api_routemap,expert_api_router-id,expert_api_routes,expert_api_runScript,expert_api_runscript,expert_api_serial-number,expert_api_server-status,expert_api_show-connections,expert_api_show-connections-presets,expert_api_simulate_packet
add rba role TACP-0 domain-type System readonly-features expert_api_snapshot,expert_api_snmp,expert_api_ssh-server,expert_api_static-mroute,expert_api_syslog,expert_api_system,expert_api_users,expert_api_versions,expert_api_vsx,export,fcd,file,firewall_management,format,ftw,group,grub2-password,grub2-password-hash,host,host-access,hostname,hw-monitor,igmp,import,inactto,installer,installer_conf,interface,interface-name,ip-conflicts-monitor,iphelper,ipreachdetect,ipsec-routing,ipv6-state,isis,lcd,license
add rba role TACP-0 domain-type System readonly-features license_activation,lldp,location-led,lom,maestro,management_interface,mdps,message,mfc-static,mgmt-gui-clients,nat-pool,neighbor,netaccess,netflow,ntp,ospf,password-controls,pbr-combine-static,perf,pim,prefix,prod-maintain,proxy,raid-monitor,rba,rdisc,reboot_halt,rip,route,route-injection,route-options,routed-cluster,routemap,routing-event-trigger,sam,scheduled_backup,scratchpad,sdwan-status,securexl,security-gateway,selfpasswd,show-route-all
add rba role TACP-0 domain-type System readonly-features smart-console,smo,snapshot,snapshot_scheduled,snmp,spike-detective,ssh-client,ssl,ssm,ssmtp,static-mroute,static-route,sysconfig,sysenv,syslog,system,upgrade,user,users-access-log,version,virtual-system,vpnt,vrrp,vsx,web

You can optionally add access to expert commands as well. The most intuitive way to configure all of this above including access to expert commands is from Gaia web GUI.

Regards,
Igor