03-04-2014 08:37 AM - edited 03-10-2019 09:29 PM
Hello All,
We are trying to move all Check Point firewalls away from using RADIUS for authentication. We have a mandate to migrate all Check Point firewalls to use Cisco ACS (TACACS+) for authentication instead. I've managed to configure the Cisco ACS from reading some Google searches; however, the Check Point FW admin is still UNABLE to authenticate using TACACS+. If anyone has successfully done this in the past, please let me know what I am missing for this to work. I would greatly appreciate any input from any successful implementations of this.
Below are the configs I have on the CISCO ACS:
Policy Elements::
Access Policies::
After this was configured on the Cisco ACS, the Check Point firewall ADMIN tried to gain access using TACACS+ and received the following ERROR MESSAGES in the Check Point firewall LOGS:
Mar 4 07:32:53 nkcpfw1ny <auth.[LOG_CRIT]> sshd-x[89982]: tac_send_authen: Network read timed out
Mar 4 07:32:53 nkcpfw1ny <auth.[LOG_CRIT]> sshd-x[89982]: tac_send_authen: Network read timed out
Mar 4 07:33:00 nkcpfw1ny <cron.[LOG_INFO]> /usr/sbin/cron[89985]: (operator) CMD (/usr/libexec/save-entropy)
Mar 4 07:33:01 nkcpfw1ny <auth.[LOG_CRIT]> sshd-x[89983]: tac_send_authen: Network read timed out
Mar 4 07:33:01 nkcpfw1ny <auth.[LOG_CRIT]> sshd-x[89983]: tac_send_authen: Network read timed out
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89989]: User is authorized
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89989]: User is authorized
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89989]: Ignoring attribute-value pair from TACACS+ server: priv-lvl=15
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89989]: Ignoring attribute-value pair from TACACS+ server: priv-lvl=15
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89989]: No role(s) received for user charlie from authentication server
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89989]: No role(s) received for user charlie from authentication server
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89980]: Accepted keyboard-interactive/pam for charlie from 172.17.x.y port 62665 ssh2
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89980]: Accepted keyboard-interactive/pam for charlie from 172.17.x.y port 62665 ssh2
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_NOTICE]> sshd-x[89990]: in pam_sm_open_session(): (sshd) session opened for user charlie by root(uid=0)
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_NOTICE]> sshd-x[89990]: in pam_sm_open_session(): (sshd) session opened for user charlie by root(uid=0)
Mar 4 07:33:10 nkcpfw1ny <local0.[LOG_NOTICE]> clish[89992]: User charlie logged out due to an error from CLI shell
Mar 4 07:33:10 nkcpfw1ny <auth.[LOG_NOTICE]> sshd-x[89990]: in pam_sm_close_session(): (sshd) session closed for user charlie
Mar 4 07:33:10 nkcpfw1ny <auth.[LOG_NOTICE]> sshd-x[89990]: in pam_sm_close_session(): (sshd) session closed for user charlie
Please help! Thanks.
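The Gaia log excerpt above can be read mechanically. The following is an added example, not code from the original post or from Check Point or Cisco: it parses the quoted syslog format, collapses the doubled lines, and reports the three conditions visible in the post (TACACS+ network read timeouts, attribute-value pairs that Gaia logged as ignored, and a user accepted by sshd without any role). The sample log is constructed from the post's own lines; the field names and finding codes are my own, and the hint about TCP/49 reachability is a general TACACS+ observation rather than something the post establishes.

```python
import re

# Constructed sample: the Gaia syslog lines quoted in the post above (Gaia wrote
# each line twice, and the cron line is unrelated noise); embedded so the
# script runs offline.
SAMPLE_LOG = """\
Mar 4 07:32:53 nkcpfw1ny <auth.[LOG_CRIT]> sshd-x[89982]: tac_send_authen: Network read timed out
Mar 4 07:32:53 nkcpfw1ny <auth.[LOG_CRIT]> sshd-x[89982]: tac_send_authen: Network read timed out
Mar 4 07:33:00 nkcpfw1ny <cron.[LOG_INFO]> /usr/sbin/cron[89985]: (operator) CMD (/usr/libexec/save-entropy)
Mar 4 07:33:01 nkcpfw1ny <auth.[LOG_CRIT]> sshd-x[89983]: tac_send_authen: Network read timed out
Mar 4 07:33:01 nkcpfw1ny <auth.[LOG_CRIT]> sshd-x[89983]: tac_send_authen: Network read timed out
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89989]: User is authorized
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89989]: Ignoring attribute-value pair from TACACS+ server: priv-lvl=15
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89989]: No role(s) received for user charlie from authentication server
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89980]: Accepted keyboard-interactive/pam for charlie from 172.17.x.y port 62665 ssh2
Mar 4 07:33:10 nkcpfw1ny <local0.[LOG_NOTICE]> clish[89992]: User charlie logged out due to an error from CLI shell
"""

# "Mon DD HH:MM:SS host <facility.[LEVEL]> process[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"<(?P<facility>\w+)\.\[(?P<level>\w+)\]> (?P<proc>[\w./-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
TIMEOUT_RE = re.compile(r"^tac_send_authen: Network read timed out")
AVPAIR_RE = re.compile(r"^Ignoring attribute-value pair from TACACS\+ server: (\S+)")
NO_ROLE_RE = re.compile(r"^No role\(s\) received for user (\S+) from authentication server")
ACCEPT_RE = re.compile(r"^Accepted \S+ for (\S+) from (\S+) port \d+")
SHELL_ERR_RE = re.compile(r"^User (\S+) logged out due to an error from CLI shell")


def parse_line(line):
    """Split one Gaia syslog line into its fields; None for lines that don't fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text):
    """Walk the log once and collect the TACACS+-relevant events."""
    report = {
        "timeouts": [],          # pids of sshd-x instances whose TACACS+ request got no reply
        "ignored_avpairs": [],   # attribute-value pairs the server sent but Gaia discarded
        "no_role_users": set(),  # users that authenticated but received no Gaia role
        "accepted": {},          # user -> source address of the accepted SSH login
        "shell_errors": set(),   # users whose clish session ended with an error
    }
    previous = None
    for raw in log_text.splitlines():
        if raw == previous:      # Gaia logged each line twice; count it once
            continue
        previous = raw
        ev = parse_line(raw)
        if ev is None:
            continue
        msg = ev["msg"]
        if TIMEOUT_RE.match(msg):
            report["timeouts"].append(ev["pid"])
            continue
        m = AVPAIR_RE.match(msg)
        if m:
            report["ignored_avpairs"].append(m.group(1))
            continue
        m = NO_ROLE_RE.match(msg)
        if m:
            report["no_role_users"].add(m.group(1))
            continue
        m = ACCEPT_RE.match(msg)
        if m:
            report["accepted"][m.group(1)] = m.group(2)
            continue
        m = SHELL_ERR_RE.match(msg)
        if m:
            report["shell_errors"].add(m.group(1))
    return report


def findings(report):
    """Turn the collected events into short statements an operator can act on."""
    out = []
    if report["timeouts"]:
        out.append("TACACS_TIMEOUT: %d authentication request(s) got no reply from the "
                   "TACACS+ server (check reachability and TCP/49 first)"
                   % len(report["timeouts"]))
    for avp in report["ignored_avpairs"]:
        out.append("IGNORED_AVPAIR: server sent %s, which Gaia logged as ignored" % avp)
    for user in sorted(report["no_role_users"]):
        state = "accepted by sshd" if user in report["accepted"] else "not accepted"
        out.append("NO_ROLE: user %s was %s but received no Gaia role" % (user, state))
    for user in sorted(report["shell_errors"]):
        out.append("SHELL_ERROR: clish closed the session for %s" % user)
    return out


if __name__ == "__main__":
    for line in findings(analyze(SAMPLE_LOG)):
        print(line)
```

The ordering of the findings mirrors the order of events in the post: the server first fails to answer, then answers with a privilege level the firewall discards, and the user lands in clish with no role and is logged straight out. Feeding the script a longer `/var/log/messages` extract gives the same per-user summary without reading through the duplicated lines by hand.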
03-07-2014 03:45 AM
Hello Ohmar,
this works for me:
Policy Elements::
Regards