pankaj
Beginner

Cisco ISE Tacacs+ Authorization and Checkpoint Firewall

Configuration Done ON ISE


Policy Elements:

  • Device Administration
    • TACACS+ Profiles
      • CheckPoint
        • 1. General tab
          • Name: CheckPoint
          • Description: CheckPoint Firewall
        • 2. Custom Attributes tab
          • Attribute / Requirement / Value: CheckPoint-SuperUser-Access=1 / Mandatory / 1
          • Attribute / Requirement / Value: Checkpoint-User-Role=adminRole / Mandatory / adminRole


Configuration on CheckPoint


Configure Gaia OS

To be able to log in to Gaia OS with a TACACS+ user, configure the role TACP-0, and for every privilege level "X" that will be used with tacacs_enable, define the role TACP-"X".

  1. HostName> add rba role TACP-0 domain-type System readwrite-features tacacs_enable

     Notes:
     • Use the enable password configured on the ACS server.
     • The enable password is valid for all privilege levels.

     HostName> add rba role TACP-15 domain-type System all-features
     HostName> save config
     HostName> show configuration rba

  2. HostName> add aaa tacacs-servers priority 1 server <IP_ADDRESS_of_ACS_SERVER> key <KEY> timeout 3
     HostName> set aaa tacacs-servers state on
     HostName> set aaa tacacs-servers user-uid 0
     HostName> save config
     HostName> show configuration aaa

I have done the above configuration. I am able to authenticate, but the user is not able to get Level 15 privilege.

I tried to find documents related to this but didn't find anything on either side, i.e. Cisco and CheckPoint. Please help me with this. If anyone has any case study related to this, kindly share it with me.

Accepted Solution
Adam Peters
Beginner

I couldn't get the TACACS client to log in directly to TACP-15, but I was able to get the account to access TACP-15 after logging in with TACP-0.

The fix was to go into Cisco ISE:

Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles

Create a TACACS Profile for GAIA_OS.

Under Common Tasks:

Check "Maximum Privilege" and set it to 15.

Under Custom Attributes:

Click Add.

Type = MANDATORY, Name = CheckPoint-SuperUser-Access, Value = 1

The issue was identified in ISE Operations > TACACS > Live Logs, which showed an error stating the shell was misconfigured for the associated user: though the user was authenticated, the user was not authorized due to the shell TACACS policy being misconfigured. I hope it helps.

7 Replies
Louis Gonzales
Beginner

Has anyone been able to get TACACS to work with CheckPoint 80.11 and CISE 2.2?

Perhaps using this guide: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk101573

It states: "After login, you can use the Gaia Clish command 'tacacs_enable TACP-15' to gain full privileges."

Haven't tried it yet; feedback appreciated.

I was in the GUI. I tried to elevate the privilege by clicking the TACACS+ Enable command and selected TACP-15, but it shows authentication failed. On ISE, I am not able to see the authentication request coming in.

Hi there,

We have similar problem. We use ISE as a TACACS server and R80 GAIA as client.
We were able to get basic authentication working but no matter what is configured on ISE it always goes to TACP-0 mode.
So if you want expert mode you need to escalate to TACP-15 and from there to expert. For this purpose there is a "set aaa radius-servers default-shell /bin/bash" command, which is not present for TACACS; that is OK, but even direct login to TACP-15 doesn't work.

On GAIA we have config similar to the above one.
On ISE we tried many combinations of these attributes:

priv-lvl=15
CP-Gaia-SuperUser-Access = 1
CP-Gaia-User-Role =TACP-15


priv-lvl=15
CheckPoint-SuperUser-Access=1
Checkpoint-User-Role=adminRole


However we always get only TACP-0, and actually there is no authorization request, only authentication ones and none of the mentioned attributes is ever being sent to the GAIA. The only thing that is being sent is below in the authentication reply:
{Authen-Reply-Status=Pass; }

If anyone has made it work to log in directly to TACP-15 or expert mode, sharing the setup on the CheckPoint and ISE side would be really appreciated.
Thanks!
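To check what a TACACS+ server actually returned, rather than guessing from the ISE profile, the authorization REPLY body (RFC 8907, section 6.2) can be decoded and its attribute-value pairs listed. The following is an added example, not code from this thread or from Cisco or Check Point; the reply bodies are constructed, and the parser assumes the body has already been de-obfuscated with the shared key (RFC 8907, section 4.5), as it would be in a lab capture decrypted with the key.

```python
# Decode a TACACS+ authorization REPLY body and list the AV pairs it carries.
# Assumes the body is already de-obfuscated (RFC 8907, section 4.5).
import struct

AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}


def parse_author_reply(body):
    """Return status name, server_msg, data and the raw AV-pair strings."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = list(body[off:off + arg_cnt]); off += arg_cnt
    server_msg = body[off:off + msg_len].decode("ascii", "replace"); off += msg_len
    data = body[off:off + data_len]; off += data_len
    args = []
    for n in arg_lens:                       # one length byte per argument
        args.append(body[off:off + n].decode("ascii", "replace")); off += n
    if off != len(body):
        raise ValueError("trailing bytes in authorization reply body")
    return {"status": AUTHOR_STATUS.get(status, hex(status)),
            "server_msg": server_msg, "data": data, "args": args}


def split_avpair(arg):
    """'name=value' is mandatory, 'name*value' is optional (RFC 8907, section 8.1)."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], arg[i + 1:], ch == "="
    raise ValueError("malformed AV pair: %r" % arg)


def build_author_reply(status, args, server_msg=b"", data=b""):
    """Build a reply body; used here only to construct sample input."""
    encoded = [a.encode("ascii") for a in args]
    body = struct.pack("!BBHH", status, len(encoded), len(server_msg), len(data))
    return body + bytes(len(a) for a in encoded) + server_msg + data + b"".join(encoded)


def priv_level(body):
    """priv-lvl from a PASS reply, or None when the reply failed or omits it."""
    reply = parse_author_reply(body)
    if not reply["status"].startswith("PASS"):
        return None
    pairs = {name: value for name, value, _ in map(split_avpair, reply["args"])}
    return int(pairs["priv-lvl"]) if "priv-lvl" in pairs else None


# Constructed sample: the attributes discussed in this thread, as a PASS_ADD reply.
SAMPLE = build_author_reply(0x01, ["priv-lvl=15", "CheckPoint-SuperUser-Access=1",
                                   "Checkpoint-User-Role*adminRole"])
```

A reply that decodes to FAIL or carries no priv-lvl matches the symptom above, where the device only ever sees an authentication pass and the session stays at TACP-0 under the TACP-"X" role convention from the question.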

Hello

Were you able to get this working? We are running into the same issue.

Hi,

Unfortunately not, which is quite disappointing. Not much to add here.
