Cisco ISE Tacacs+ Authorization and Checkpoint Firewall

Configuration done on ISE

Policy Elements:

  • Device Administration
    • Tacacs+ Profiles
      • CheckPoint
        • 1. General tab
          • Name: CheckPoint
          • Description: CheckPoint Firewall
        • 2. Custom Attributes tab
          • Attribute / Requirement / Value: CheckPoint-SuperUser-Access=1 / Mandatory / 1
          • Attribute / Requirement / Value: Checkpoint-User-Role=adminRole / Mandatory / adminRole

Configuration on CheckPoint


Configure Gaia OS

To be able to log in to Gaia OS with a TACACS+ user, configure the role TACP-0, and for every privilege level "X" that will be used with tacacs_enable, define the role TACP-"X".

  1. HostName> add rba role TACP-0 domain-type System readwrite-features tacacs_enable
     HostName> add rba role TACP-15 domain-type System all-features
     HostName> save config
     HostName> show configuration rba

     Notes:
     • Use the enable password configured on the ACS server.
     • The enable password is valid for all privileged levels.

  2. HostName> add aaa tacacs-servers priority 1 server <IP_ADDRESS_of_ACS_SERVER> key <KEY> timeout 3
     HostName> set aaa tacacs-servers state on
     HostName> set aaa tacacs-servers user-uid 0
     HostName> save config
     HostName> show configuration aaa


I have done the above configuration. I am able to authenticate, but the user is not able to get level 15 privilege.

I tried to find documents related to this but did not find anything on either side, i.e. Cisco and CheckPoint. Please help me in regard to this. If anyone has any case study related to this, kindly share it with me.
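
To see exactly what the firewall receives from the profile above, here is an added example (not from the post, Cisco or Check Point) that encodes and decodes the attribute-value pairs of a TACACS+ authorization REPLY body as laid out in RFC 8907, using the two custom attributes from the ISE profile as a constructed sample. The mandatory/optional separator ('=' versus '*') and the per-argument length bytes are the fields worth comparing against a packet capture or the Gaia debug output when authentication succeeds but the role is not applied.

```python
"""Encode/decode the body of a TACACS+ authorization REPLY (RFC 8907, section 6.2)."""
from __future__ import annotations
import struct
from dataclasses import dataclass

# Authorization status codes from RFC 8907
AUTHOR_STATUS_PASS_ADD = 0x01   # client keeps its args and adds the server's
AUTHOR_STATUS_PASS_REPL = 0x02  # server's args replace the client's entirely
AUTHOR_STATUS_FAIL = 0x10

@dataclass(frozen=True)
class Avp:
    """One attribute-value pair; '=' marks it mandatory, '*' optional."""
    name: str
    value: str
    mandatory: bool = True

    def wire(self) -> bytes:
        return f"{self.name}{'=' if self.mandatory else '*'}{self.value}".encode("ascii")

def encode_author_reply(status: int, avps: list[Avp], server_msg: str = "") -> bytes:
    """Build the REPLY body: fixed header, one length byte per arg, msg, then args."""
    args = [a.wire() for a in avps]
    msg = server_msg.encode("ascii")
    header = struct.pack("!BBHH", status, len(args), len(msg), 0)  # data_len = 0
    return header + bytes(len(a) for a in args) + msg + b"".join(args)

def decode_author_reply(body: bytes) -> tuple[int, str, list[Avp]]:
    """Parse a REPLY body into (status, server_msg, avps); rejects malformed args."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    pos = 6 + arg_cnt
    server_msg = body[pos:pos + msg_len].decode("ascii")
    pos += msg_len + data_len  # the data field is unused in authorization, skip it
    avps = []
    for n in arg_lens:
        raw = body[pos:pos + n].decode("ascii")
        pos += n
        # The first '=' or '*' splits name from value and fixes the mandatory flag.
        seps = [i for i in (raw.find("="), raw.find("*")) if i >= 0]
        if not seps:
            raise ValueError(f"attribute without separator: {raw!r}")
        idx = min(seps)
        avps.append(Avp(raw[:idx], raw[idx + 1:], raw[idx] == "="))
    return status, server_msg, avps

# Constructed sample: the two custom attributes from the ISE profile in the post above
ISE_PROFILE_AVPS = [Avp("CheckPoint-SuperUser-Access", "1"),
                    Avp("Checkpoint-User-Role", "adminRole")]
```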

Re: Cisco ISE Tacacs+ Authorization and Checkpoint Firewall

Has anyone been able to get TACACS to work with CheckPoint 80.11 and CISE 2.2?

Re: Cisco ISE Tacacs+ Authorization and Checkpoint Firewall

Perhaps using this guide: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk101573

It states: "After login, you can use the Gaia Clish command 'tacacs_enable TACP-15' to gain full privileges."

Haven't tried it for now, feedback appreciated.

Re: Cisco ISE Tacacs+ Authorization and Checkpoint Firewall

I was in the GUI. I tried to raise the privilege by clicking the TACACS+ Enable command and selected TACP-15, but it shows authentication failed. On ISE, I am not able to see the authentication request coming in.