09-27-2017 04:33 AM - edited 02-21-2020 10:35 AM
Configuration Done ON ISE
Policy Elements:
Configuration on CheckPoint
To be able to login to Gaia OS with TACACS+ user, configure the role TACP-0, and for every privileged level "X" that will be used with tacacs_enable, define the role TACP-"X".
HostName> add rba role TACP-0 domain-type System readwrite-features tacacs_enable
HostName> add rba role TACP-15 domain-type System all-features
HostName> save config
HostName> show configuration rba
HostName> add aaa tacacs-servers priority 1 server <IP_ADDRESS_of_ACS_SERVER> key <KEY> timeout 3
HostName> set aaa tacacs-servers state on
HostName> set aaa tacacs-servers user-uid 0
HostName> save config
HostName> show configuration aaa
I have done the above configuration. I am able to authenticate, but the user is not able to get level 15 privilege.
I tried to find documents related to this but didn't find anything on either side, i.e. Cisco and Check Point. Please help me with this. If anyone has any case study related to this, kindly share it with me.
02-15-2018 03:27 PM
Has anyone been able to get TACACS to work with CheckPoint 80.11 and CISE 2.2?
02-21-2018 04:35 AM
Perhaps using this guide: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk101573
It states: "After login, you can use the Gaia Clish command 'tacacs_enable TACP-15' to gain full privileges."
Haven't tried it yet, feedback appreciated.
06-14-2019 12:56 PM
I was in the GUI. I tried to raise the privilege by clicking the TACACS+ Enable command and selected TACP-15, but it shows authentication failed. On ISE, I am not able to see the authentication request coming in.
04-03-2020 05:33 AM
Hi there,
We have similar problem. We use ISE as a TACACS server and R80 GAIA as client.
We were able to get basic authentication working, but no matter what is configured on ISE it always goes to TACP-0 mode.
So if you want expert, you need to escalate to TACP-15 and from there to expert. For this purpose there is a "set aaa radius-servers default-shell /bin/bash" command, which is not present for TACACS. That is OK, but even direct login to TACP-15 doesn't work.
On GAIA we have a config similar to the above one.
On ISE we tried many combinations of these attributes:
priv-lvl=15
CP-Gaia-SuperUser-Access=1
CP-Gaia-User-Role=TACP-15
priv-lvl=15
CheckPoint-SuperUser-Access=1
Checkpoint-User-Role=adminRole
However, we always get only TACP-0. Actually there is no authorization request, only authentication ones, and none of the mentioned attributes is ever sent to the GAIA. The only thing that is sent is the following in the authentication reply:
{Authen-Reply-Status=Pass; }
If anyone has made it work to login directly to TACP-15 or expert mode and can share the setup on the Check Point and ISE side, it would be really appreciated.
Thanks!
08-23-2020 06:45 PM
Hello
Were you able to get this working? We are running into the same issue
09-07-2020 04:01 AM
Hi,
unfortunately not, which is quite disappointing. Not much to add here.
12-02-2020 08:20 AM
I couldn't get the TACACS client to login directly to TACP-15, but was able to get the account to access TACP-15 after login with TACP-0.
The fix was to go into Cisco ISE:
Work Centers> Device Administration> Policy Elements>Results>TACACS Profiles>
Create a TACACS Profile for GAIA_OS
Under Common Tasks:
Check "Maximum Privilege" and set to 15
Under custom Attributes:
Click add
Type = MANDATORY, Name = CheckPoint-SuperUser-Access, Value = 1
The issue was identified in ISE under Operations > TACACS > Live Logs, which showed an error stating the shell was misconfigured for the associated user. Though the user was authenticated, the user was not authorized because the TACACS shell policy was misconfigured. I hope it helps.
04-22-2022 03:44 AM
Hello,
I tried to do it the same way you did; however, I'm always connected to TACP-0 first. Afterwards I have to enter my password to get to TACP-15.
If this has worked for you without the step through TACP-0, can you share your shell policy?
Best regards
Christian
04-22-2022 07:42 AM
Hi Christian,
Can't share the shell with you, company policy, but potentially you haven't created the RBA role yet and pointed it to the ISE TACACS server.
I would run through these steps:
Step 1: Login into Check Point Gaia Portal at <IP>
Step 2: Navigate to User Management > Authentication Servers
Step 3: Scroll down to "TACACS+ Servers" and click "add"
Step 4: Fill in information
Note* The pre-shared key needs to be the same on both the Check Point firewall and the ISE server
Step 5: Add Role Based Access (RBA) role objects by navigating to User Management > Roles
Step 6: Add RBA role TACP-0
Select features "Authentication Servers" and "TACACS_Enable"; in the drop-down select Read/Write
Step 7: Add RBA role TACP-15 and configure as below:
Note* TACP-15 is the highest privilege level, which will be mapped in the ISE authorization policy for the GaiaOS.
Note* Select all 105 possible elements; all must be given read/write privilege.
Step 8: In the TACP-15 RBA role select "Extended Commands" and click all options for all 45 commands
Give this a shot and see if it fixes it.
Regards,
Adam
04-27-2022 07:26 AM
Hi Adam,
Thank you for the commands. Unfortunately it is still not working as expected. I am able to login to TACP-0 and after that, with privilege escalation, to TACP-15. But the first step with TACP-0 is always needed; I have not made it directly to TACP-15.
Which ISE and CheckPoint version are you using?
Best regards
Christian
12-11-2023 01:05 PM - edited 12-11-2023 08:26 PM
We were running into the same issue, where ISE logs showed that the user entered a wrong password. This was fixed after the users were added on the Check Point firewalls. We stopped sending parameters from ISE and defined user access on the Check Points locally. Only authentication is handled by ISE.
Below is what we used under the shell profile on ISE:
Maximum privilege level = 15
02-11-2025 07:01 AM
On Gaia you need to specify RBA roles for the different types of privileges. For example, if you want the user to land automatically in full admin access, then configure the following:
add rba role TACP-0 domain-type System readwrite-features tacacs_enable,cdt,certificate_authority,chassis,clock-date,cluster_ha,command,configuration,consent-flags,core-dump,cpnano-status,cron,dhcp,distribution,dns,domainname,dynamic-balancing,environment,expert,expert-authentication-method,expert-password,expert-password-hash,expert_api_Cluster,expert_api_Interfaces,expert_api_Messages,expert_api_Misc,expert_api_NTP,expert_api_aaa,expert_api_allowed-clients,expert_api_arp,expert_api_asset,expert_api_backup
add rba role TACP-0 domain-type System readonly-features expert_api_bgp,expert_api_bootp,expert_api_cluster,expert_api_cphaprob,expert_api_cpview,expert_api_cron,expert_api_dhcp6-config,expert_api_dhcp-server,expert_api_dhcpv6-server,expert_api_diagnostics,expert_api_dns,expert_api_dynamic_content,expert_api_expertPassword,expert_api_expertpassword,expert_api_extended-commands,expert_api_features,expert_api_files,expert_api_ftw,expert_api_global-params,expert_api_groups,expert_api_grubPassword
add rba role TACP-0 domain-type System readonly-features expert_api_grubpassword,expert_api_hostname,expert_api_igmp,expert_api_inbound-route-filter,expert_api_interface,expert_api_interfaces,expert_api_ioc-feeder,expert_api_ip_conflicts,expert_api_ipv6,expert_api_isis,expert_api_keyboard-layout,expert_api_license,expert_api_lightshots,expert_api_lightshots-partition,expert_api_lldp,expert_api_maestro,expert_api_messages,expert_api_misc,expert_api_mld,expert_api_nat-pool,expert_api_nfs,expert_api_ntp
add rba role TACP-0 domain-type System readonly-features expert_api_open-telemetry,expert_api_ospf,expert_api_passwordcontrols,expert_api_pim,expert_api_pim6,expert_api_provisioning,expert_api_proxy,expert_api_rba-roles,expert_api_route,expert_api_route-redistribution,expert_api_routemap,expert_api_router-id,expert_api_routes,expert_api_runScript,expert_api_runscript,expert_api_serial-number,expert_api_server-status,expert_api_show-connections,expert_api_show-connections-presets,expert_api_simulate_packet
add rba role TACP-0 domain-type System readonly-features expert_api_snapshot,expert_api_snmp,expert_api_ssh-server,expert_api_static-mroute,expert_api_syslog,expert_api_system,expert_api_users,expert_api_versions,expert_api_vsx,export,fcd,file,firewall_management,format,ftw,group,grub2-password,grub2-password-hash,host,host-access,hostname,hw-monitor,igmp,import,inactto,installer,installer_conf,interface,interface-name,ip-conflicts-monitor,iphelper,ipreachdetect,ipsec-routing,ipv6-state,isis,lcd,license
add rba role TACP-0 domain-type System readonly-features license_activation,lldp,location-led,lom,maestro,management_interface,mdps,message,mfc-static,mgmt-gui-clients,nat-pool,neighbor,netaccess,netflow,ntp,ospf,password-controls,pbr-combine-static,perf,pim,prefix,prod-maintain,proxy,raid-monitor,rba,rdisc,reboot_halt,rip,route,route-injection,route-options,routed-cluster,routemap,routing-event-trigger,sam,scheduled_backup,scratchpad,sdwan-status,securexl,security-gateway,selfpasswd,show-route-all
add rba role TACP-0 domain-type System readonly-features smart-console,smo,snapshot,snapshot_scheduled,snmp,spike-detective,ssh-client,ssl,ssm,ssmtp,static-mroute,static-route,sysconfig,sysenv,syslog,system,upgrade,user,users-access-log,version,virtual-system,vpnt,vrrp,vsx,web
add rba role scpRole domain-type System readonly-features expert
On the other hand, if you want to give access to all the features but with read-only access, then you must do the following:
add rba role TACP-0 domain-type System readwrite-features tacacs_enable
add rba role TACP-0 domain-type System readonly-features cdt,certificate_authority,chassis,clock-date,cluster_ha,command,configuration,consent-flags,core-dump,cpnano-status,cron,dhcp,distribution,dns,domainname,dynamic-balancing,environment,expert,expert-authentication-method,expert-password,expert-password-hash,expert_api_Cluster,expert_api_Interfaces,expert_api_Messages,expert_api_Misc,expert_api_NTP,expert_api_aaa,expert_api_allowed-clients,expert_api_arp,expert_api_asset,expert_api_backup
add rba role TACP-0 domain-type System readonly-features expert_api_bgp,expert_api_bootp,expert_api_cluster,expert_api_cphaprob,expert_api_cpview,expert_api_cron,expert_api_dhcp6-config,expert_api_dhcp-server,expert_api_dhcpv6-server,expert_api_diagnostics,expert_api_dns,expert_api_dynamic_content,expert_api_expertPassword,expert_api_expertpassword,expert_api_extended-commands,expert_api_features,expert_api_files,expert_api_ftw,expert_api_global-params,expert_api_groups,expert_api_grubPassword
add rba role TACP-0 domain-type System readonly-features expert_api_grubpassword,expert_api_hostname,expert_api_igmp,expert_api_inbound-route-filter,expert_api_interface,expert_api_interfaces,expert_api_ioc-feeder,expert_api_ip_conflicts,expert_api_ipv6,expert_api_isis,expert_api_keyboard-layout,expert_api_license,expert_api_lightshots,expert_api_lightshots-partition,expert_api_lldp,expert_api_maestro,expert_api_messages,expert_api_misc,expert_api_mld,expert_api_nat-pool,expert_api_nfs,expert_api_ntp
add rba role TACP-0 domain-type System readonly-features expert_api_open-telemetry,expert_api_ospf,expert_api_passwordcontrols,expert_api_pim,expert_api_pim6,expert_api_provisioning,expert_api_proxy,expert_api_rba-roles,expert_api_route,expert_api_route-redistribution,expert_api_routemap,expert_api_router-id,expert_api_routes,expert_api_runScript,expert_api_runscript,expert_api_serial-number,expert_api_server-status,expert_api_show-connections,expert_api_show-connections-presets,expert_api_simulate_packet
add rba role TACP-0 domain-type System readonly-features expert_api_snapshot,expert_api_snmp,expert_api_ssh-server,expert_api_static-mroute,expert_api_syslog,expert_api_system,expert_api_users,expert_api_versions,expert_api_vsx,export,fcd,file,firewall_management,format,ftw,group,grub2-password,grub2-password-hash,host,host-access,hostname,hw-monitor,igmp,import,inactto,installer,installer_conf,interface,interface-name,ip-conflicts-monitor,iphelper,ipreachdetect,ipsec-routing,ipv6-state,isis,lcd,license
add rba role TACP-0 domain-type System readonly-features license_activation,lldp,location-led,lom,maestro,management_interface,mdps,message,mfc-static,mgmt-gui-clients,nat-pool,neighbor,netaccess,netflow,ntp,ospf,password-controls,pbr-combine-static,perf,pim,prefix,prod-maintain,proxy,raid-monitor,rba,rdisc,reboot_halt,rip,route,route-injection,route-options,routed-cluster,routemap,routing-event-trigger,sam,scheduled_backup,scratchpad,sdwan-status,securexl,security-gateway,selfpasswd,show-route-all
add rba role TACP-0 domain-type System readonly-features smart-console,smo,snapshot,snapshot_scheduled,snmp,spike-detective,ssh-client,ssl,ssm,ssmtp,static-mroute,static-route,sysconfig,sysenv,syslog,system,upgrade,user,users-access-log,version,virtual-system,vpnt,vrrp,vsx,web
You can optionally add access to expert commands as well. The most intuitive way to configure all of the above, including access to expert commands, is from the Gaia web GUI.
Regards,
Igor
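As an added example (not code from any poster, nor from Check Point or Cisco), here is a small Python check that parses `show configuration rba` output in the `add rba role ...` form quoted in the original post and in Igor's reply, and verifies the role layout the sk101573 excerpt describes: TACP-0 must carry read/write `tacacs_enable`, and a TACP-X role must exist for every privilege level used. The sample configuration, the `levels` parameter and the least-privilege warning are my assumptions, not anything from the thread.

```python
import re
from collections import defaultdict

# Constructed sample of `show configuration rba` output, modelled on the
# `add rba role ...` lines quoted in this thread (not captured from a real box).
SAMPLE_RBA_CONFIG = """\
add rba role TACP-0 domain-type System readwrite-features tacacs_enable
add rba role TACP-0 domain-type System readonly-features cdt,clock-date,dns,ntp
add rba role TACP-15 domain-type System all-features
add rba role scpRole domain-type System readonly-features expert
"""

LINE_RE = re.compile(
    r"^add rba role (?P<role>\S+) domain-type \S+ "
    r"(?P<kind>readwrite-features|readonly-features|all-features)"
    r"(?: (?P<features>\S+))?$"
)

def parse_rba(text):
    """Return {role: {'readwrite': set, 'readonly': set, 'all': bool}}."""
    roles = defaultdict(lambda: {"readwrite": set(), "readonly": set(), "all": False})
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rba line: {line!r}")
        entry = roles[m.group("role")]
        if m.group("kind") == "all-features":
            entry["all"] = True
        else:
            feats = set(filter(None, (m.group("features") or "").split(",")))
            entry[m.group("kind").split("-")[0]].update(feats)
    return dict(roles)

def check_tacacs_roles(roles, levels=(15,)):
    """Findings against the TACP-0 / TACP-X layout from sk101573 (assumed levels)."""
    findings = []
    tacp0 = roles.get("TACP-0")
    if tacp0 is None:
        findings.append("missing role TACP-0: TACACS+ users cannot log in at all")
    elif not (tacp0["all"] or "tacacs_enable" in tacp0["readwrite"]):
        findings.append("TACP-0 lacks readwrite tacacs_enable: users land in TACP-0 and cannot escalate")
    for lvl in levels:
        if f"TACP-{lvl}" not in roles:
            findings.append(f"missing role TACP-{lvl}: 'tacacs_enable TACP-{lvl}' will fail")
    # Least-privilege warning (my addition): the landing role should not already be full admin.
    if tacp0 and (tacp0["all"] or len(tacp0["readwrite"]) > 1):
        findings.append("TACP-0 grants more than tacacs_enable read/write: escalation step is moot")
    return findings
```

Run `check_tacacs_roles(parse_rba(text))` on the real `show configuration rba` output; an empty list means the sk101573 layout is in place, so a remaining TACP-0-only login points at the ISE shell profile rather than the Gaia side.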