Need assistance configuring Cisco ACS 5.4, so a CheckPoint Firewall can authenticate via TACACS

omercer123
Level 1

Hello All,

We are trying to move all CheckPoint Firewalls away from using RADIUS for authentication. We have a mandate to migrate all CheckPoint Firewalls to use CISCO ACS (TACACS+) for authentication instead. I've managed to configure the CISCO ACS from reading some Google searches, however, the CheckPoint FW admin is still UNABLE to authenticate using TACACS. If anyone has successfully done this in the past, please let me know what am I missing for this to work. I would greatly appreciate any input from any successful implementations of this.

Below are the configs I have on the CISCO ACS:

Policy Elements::

  • Device Administration
    • Shell Profiles
      • Nokia-IPSO
        • 1. General tab
          • Name: Nokia-IPSO
          • Description: Nokia-IPSO
        • 2. Common Tasks
          • Default Privilege, value = 15
          • Max Privilege, value = 15
        • 3. Custom Attributes tab
          • Attribute/Requirement/Value:
            • Nokia-IPSO-SuperUser-Access=1
            • Mandatory
            • 1
          • Attribute/Requirement/Value:
            • Nokia-IPSO-User-Role=adminRole
            • Mandatory
            • adminRole

Access Policies::

  • Access Services
    • Default Device Admin
      • Authorization
        • Name: Nokia-IPSO
        • LDAP:ExternalGroups, contains any: xx.aaa.bbb-CCC.xx
        • NDG:Device Type: AllDeviceTypes: CheckPointFW
        • Shell Profile: Nokia-IPSO
        • Commands: Full access

After this was configured on the CISCO ACS, the CheckPoint Firewall ADMIN tried to gain access using tacacs+ and received the following ERROR MESSAGES in the CheckPoint Firewall LOGS:

Mar 4 07:32:53 nkcpfw1ny <auth.[LOG_CRIT]> sshd-x[89982]: tac_send_authen: Network read timed out
Mar 4 07:32:53 nkcpfw1ny <auth.[LOG_CRIT]> sshd-x[89982]: tac_send_authen: Network read timed out
Mar 4 07:33:00 nkcpfw1ny <cron.[LOG_INFO]> /usr/sbin/cron[89985]: (operator) CMD (/usr/libexec/save-entropy)
Mar 4 07:33:01 nkcpfw1ny <auth.[LOG_CRIT]> sshd-x[89983]: tac_send_authen: Network read timed out
Mar 4 07:33:01 nkcpfw1ny <auth.[LOG_CRIT]> sshd-x[89983]: tac_send_authen: Network read timed out
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89989]: User is authorized
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89989]: User is authorized
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89989]: Ignoring attribute-value pair from TACACS+ server: priv-lvl=15
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89989]: Ignoring attribute-value pair from TACACS+ server: priv-lvl=15
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89989]: No role(s) received for user charlie from authentication server
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89989]: No role(s) received for user charlie from authentication server
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89980]: Accepted keyboard-interactive/pam for charlie from 172.17.x.y port 62665 ssh2
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89980]: Accepted keyboard-interactive/pam for charlie from 172.17.x.y port 62665 ssh2
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_NOTICE]> sshd-x[89990]: in pam_sm_open_session(): (sshd) session opened for user charlie by root(uid=0)
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_NOTICE]> sshd-x[89990]: in pam_sm_open_session(): (sshd) session opened for user charlie by root(uid=0)
Mar 4 07:33:10 nkcpfw1ny <local0.[LOG_NOTICE]> clish[89992]: User charlie logged out due to an error from CLI shell
Mar 4 07:33:10 nkcpfw1ny <auth.[LOG_NOTICE]> sshd-x[89990]: in pam_sm_close_session(): (sshd) session closed for user charlie
Mar 4 07:33:10 nkcpfw1ny <auth.[LOG_NOTICE]> sshd-x[89990]: in pam_sm_close_session(): (sshd) session closed for user charlie

Please help! Thanks.

1 Reply

Miroslav Horak
Level 1

Hello Ohmar,

this works for me:

Policy Elements::

  • Device Administration
    • Shell Profiles
      • Nokia-IPSO
        • 1. General tab
          • Name: Nokia-IPSO
          • Description: Nokia-IPSO
        • 2. Common Tasks
          • Default Privilege, value = 15
          • Max Privilege, value = 15
        • 3. Custom Attributes tab
          • Attribute/Requirement/Value:
            • Nokia-IPSO-SuperUser-Access
            • Mandatory
            • 1
          • Attribute/Requirement/Value:
            • Nokia-IPSO-User-Role
            • Mandatory
            • adminRole

Regards
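The following is an added illustration, not code from either post or from Cisco or Check Point: it models how a TACACS+ client splits the authorization attribute-value pairs a shell profile sends (RFC 8907 rule: the attribute name ends at the first "=" or "*") and replays the two Custom Attribute layouts from the thread against it. It assumes ACS serialises each custom attribute as "<name>=<value>", that the firewall only understands the two Nokia-IPSO attributes and ignores others (as the priv-lvl=15 log lines suggest), and uses a constructed role table; the log strings are modelled on the ones in the question.

```python
import re

# Attributes the IPSO-style client recognises; anything else is ignored (assumption).
KNOWN_ATTRS = {"Nokia-IPSO-SuperUser-Access", "Nokia-IPSO-User-Role"}
ROLES = {"adminRole", "monitorRole"}  # constructed sample role table

# Profiles as entered in ACS: (attribute name, requirement, value).
OP_PROFILE = [("Nokia-IPSO-SuperUser-Access=1", "Mandatory", "1"),
              ("Nokia-IPSO-User-Role=adminRole", "Mandatory", "adminRole")]
FIXED_PROFILE = [("Nokia-IPSO-SuperUser-Access", "Mandatory", "1"),
                 ("Nokia-IPSO-User-Role", "Mandatory", "adminRole")]
PRIV_LVL = ["priv-lvl=15"]  # what the Common Tasks privilege settings add


def serialize(profile):
    """Render ACS custom attributes as wire AV pairs ('=' mandatory, '*' optional)."""
    return [f"{name}{'=' if req == 'Mandatory' else '*'}{value}"
            for name, req, value in profile]


def parse_av_pair(pair):
    """Split one AV pair at the FIRST '=' or '*'; returns (attr, value, mandatory)."""
    m = re.match(r"([^=*]+)([=*])(.*)$", pair, re.S)
    if not m:
        raise ValueError(f"malformed AV pair: {pair!r}")
    return m.group(1), m.group(3), m.group(2) == "="


def apply_authorization(av_pairs):
    """Return (roles granted, log messages) for a list of received AV pairs."""
    roles, log = [], []
    for pair in av_pairs:
        attr, value, _mandatory = parse_av_pair(pair)
        if attr not in KNOWN_ATTRS:
            log.append(f"Ignoring attribute-value pair from TACACS+ server: {pair}")
        elif attr == "Nokia-IPSO-User-Role" and value in ROLES:
            roles.append(value)
        elif attr == "Nokia-IPSO-User-Role":
            # The OP's layout arrives as "...User-Role=adminRole=adminRole", so the
            # parsed value is "adminRole=adminRole", which matches no role.
            log.append(f"Unknown role {value!r} in {pair}")
    if not roles:
        log.append("No role(s) received for user from authentication server")
    return roles, log


if __name__ == "__main__":
    for label, profile in (("OP", OP_PROFILE), ("fixed", FIXED_PROFILE)):
        print(label, apply_authorization(PRIV_LVL + serialize(profile)))
```

Running it shows the original layout yields no role (the firewall then drops the CLI session, as in the clish log line), while the layout from the reply grants adminRole; priv-lvl=15 is ignored in both cases.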