21354 Views, 0 Helpful, 11 Replies

Cisco ISE Tacacs+ Authorization and Checkpoint Firewall

pankaj
Level 1

Configuration Done ON ISE

Policy Elements:

  • Device Administration
    • Tacacs+ Profiles
      • CheckPoint
        • 1. General tab
          • Name: CheckPoint
          • Description: CheckPoint Firewall
        • 2. Custom Attributes tab
          • Attribute: CheckPoint-SuperUser-Access, Requirement: Mandatory, Value: 1
          • Attribute: Checkpoint-User-Role, Requirement: Mandatory, Value: adminRole

Configuration on CheckPoint

Configure Gaia OS

To be able to log in to Gaia OS with a TACACS+ user, configure the role TACP-0, and for every privilege level "X" that will be used with tacacs_enable, define the role TACP-"X".

  1. HostName> add rba role TACP-0 domain-type System readwrite-features tacacs_enable

     Notes:
     • Use the enable password configured on the ACS server.
     • The enable password is valid for all privileged levels.

     HostName> add rba role TACP-15 domain-type System all-features
     HostName> save config
     HostName> show configuration rba

  2. HostName> add aaa tacacs-servers priority 1 server <IP_ADDRESS_of_ACS_SERVER> key <KEY> timeout 3
     HostName> set aaa tacacs-servers state on
     HostName> set aaa tacacs-servers user-uid 0
     HostName> save config
     HostName> show configuration aaa

I have done the above configuration. I am able to authenticate, but the user is not able to get Level 15 privilege.

I tried to find documents related to this but didn't find anything on either side, i.e. Cisco and CheckPoint. Please help me with this. If anyone has any case study related to this, kindly share it with me.

Accepted Solution

Adam Peters
Level 1

I couldn't get the TACACS client to log in directly to TACP-15, but I was able to get the account to access TACP-15 after logging in with TACP-0.


The fix was to go into Cisco ISE:

Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles

Create a TACACS Profile for GAIA_OS.

Under Common Tasks:

Check "Maximum Privilege" and set it to 15.

Under Custom Attributes:

Click Add.

Type = MANDATORY, Name = CheckPoint-SuperUser-Access, Value = 1

The issue was identified in ISE Operations > TACACS > Live Logs, which showed an error stating that the shell was misconfigured for the associated user: though the user was authenticated, the user was not authorized because the TACACS shell policy was misconfigured. I hope it helps.

11 Replies

Louis Gonzales
Level 1

Has anyone been able to get TACACS to work with CheckPoint 80.11 and CISE 2.2?

perhaps using this guide : https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk101573

it states: "After login, you can use the Gaia Clish command 'tacacs_enable TACP-15' to gain full privileges."

Haven't tried it for now, feedback appreciated.

I was in the GUI. I tried to elevate the privilege by clicking the TACACS+ Enable command. I selected TACP-15, but it shows authentication failed. On ISE, I am not able to see the authentication request coming in.

Hi there,

We have a similar problem. We use ISE as a TACACS server and R80 GAIA as the client.
We were able to get basic authentication working, but no matter what is configured on ISE it always goes to TACP-0 mode.
So if you want expert mode you need to escalate to TACP-15 and from there to expert. For this purpose there is a "set aaa radius-servers default-shell /bin/bash" command, which is not present for TACACS, which is OK, but even direct login to TACP-15 doesn't work.

On GAIA we have a config similar to the one above.
On ISE we tried many combinations of these attributes:

priv-lvl=15
CP-Gaia-SuperUser-Access = 1
CP-Gaia-User-Role =TACP-15

priv-lvl=15
CheckPoint-SuperUser-Access=1
Checkpoint-User-Role=adminRole

However we always get only TACP-0, and actually there is no authorization request, only authentication ones, and none of the mentioned attributes is ever sent to the GAIA. The only thing that is sent is the authentication reply below:
{Authen-Reply-Status=Pass; }

If anyone has made it work to log in directly to TACP-15 or expert mode, sharing the setup on the CheckPoint and ISE side would be really appreciated.
Thanks!
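The reply above reports that only authentication exchanges are observed and none of the configured attributes ever reach Gaia. One way to check what the server actually returns is to decode the TACACS+ authorization REPLY from a packet capture and list the AV pairs in it. The script below is an added example written for this thread; it is not code from Cisco ISE, Check Point or any poster. It implements the RFC 8907 authorization REPLY layout and the chained-MD5 body obfuscation, builds a sample reply carrying the attributes discussed above so it can run offline, and parses it back. The shared secret, session id and attribute values are constructed sample values; grants_level_15 is a hypothetical helper that encodes the expectation from this thread (a passing reply with mandatory priv-lvl=15).

```python
"""Decode a TACACS+ (RFC 8907) authorization REPLY and list its AV pairs.

Added example for this thread, not code from Cisco, Check Point or any poster.
Secret, session id and attribute values below are constructed sample data.
"""
import hashlib
import struct

TAC_PLUS_AUTHOR = 0x02              # header type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # header flag: body is not obfuscated
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}
# version, type, seq_no, flags, session_id (4 bytes), body length
HEADER = struct.Struct("!BBBB4sI")


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: pad = MD5(sid|key|ver|seq) | MD5(sid|key|ver|seq|prev) ..."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; the same call obfuscates and de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_reply(args, session_id, key, status=0x01, seq_no=2, server_msg=b""):
    """Build the packet a TACACS+ server would send (used here to exercise the parser)."""
    version = 0xC0  # major version 0xC, minor version 0
    enc = [a.encode("ascii") for a in args]
    body = struct.pack("!BBHH", status, len(enc), len(server_msg), 0)
    body += bytes(len(a) for a in enc) + server_msg + b"".join(enc)
    body = obfuscate(body, session_id, key, version, seq_no)
    return HEADER.pack(version, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body)) + body


def parse_author_reply(packet, key):
    """Return {'status': str, 'server_msg': str, 'args': {name: (value, mandatory)}}."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError("not an authorization packet (type 0x%02x)" % ptype)
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if status not in AUTHOR_STATUS:
        raise ValueError("unknown status 0x%02x; wrong shared secret?" % status)
    arg_lens = body[6:6 + arg_cnt]
    off = 6 + arg_cnt
    server_msg = body[off:off + msg_len]
    off += msg_len + data_len  # the 'data' field is unused in authorization replies
    args = {}
    for n in arg_lens:
        raw = body[off:off + n].decode("ascii", errors="replace")
        off += n
        # '=' marks a mandatory attribute, '*' an optional one; first separator wins
        sep = min((i for i in (raw.find("="), raw.find("*")) if i >= 0), default=-1)
        if sep < 0:
            raise ValueError("malformed AV pair: %r" % raw)
        args[raw[:sep]] = (raw[sep + 1:], raw[sep] == "=")
    if off != len(body):
        raise ValueError("length mismatch; wrong shared secret?")
    return {"status": AUTHOR_STATUS[status],
            "server_msg": server_msg.decode("ascii", errors="replace"),
            "args": args}


def grants_level_15(reply):
    """Hypothetical check: a passing reply that carries mandatory priv-lvl=15."""
    return reply["status"].startswith("PASS") and reply["args"].get("priv-lvl") == ("15", True)


if __name__ == "__main__":
    SECRET, SID = b"constructed-secret", b"\x00\x00\x00\x2a"  # constructed sample values
    pkt = build_author_reply(["priv-lvl=15", "CheckPoint-SuperUser-Access=1",
                              "Checkpoint-User-Role*adminRole"], SID, SECRET)
    print(parse_author_reply(pkt, SECRET))
```

To use it on a real capture, pass the 12-byte header plus body of the type-0x02 reply from the server together with the device's shared key; ISE obfuscates bodies by default, so without the key the parser reports a status or length mismatch. If the capture contains only type-0x01 (authentication) packets, as described in the reply above, there is no authorization reply to decode, and the attributes configured in the ISE profile are never on the wire.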

Hello

Were you able to get this working? We are running into the same issue.

Hi,

unfortunately not, which is quite disappointing. Not much to add here.


Hello,

I tried to do it the same way you did; however, I'm always connected to TACP-0 first. Afterwards I have to enter my password to get to TACP-15.

If this has worked for you without the step through TACP-0, can you share your shell policy?

Best regards

Christian

Hi Christian,

Can’t share the shell with you, company policy, but potentially you haven't created the RBA role yet and pointed to the ISE TACACS Server:
I would run through these steps:
Step 1: Login into Check Point Gaia Portal at <IP>
Step 2: Navigate to User Management > Authentication Servers
Step 3: Scroll down to "TACACS+ Servers" and click "add"
Step 4: Fill in information
Note* Pre-share key needs to be the same on both the Checkpoint Firewall and ISE server
Step 5: Add Rule Based Access
(RBA) roles object by navigating to User Management > Roles
Step 6: Add RBA role TACP-0
Select features "Authentication Servers" and "TACACS_Enable" in drop down select Read/Write
Step 7: Add RBA role TACP-15 and configure as below:
Note* TACP-15 is highest level privilege, which will be mapped out in the ISE authorization policy for the GaiaOS.
Note* Select all 105 possible elements, all must be given Read write priv.
Step 8: In the TACP-15 RBA role select “Extended Commands” and click all options for all 45 commands

Give this a shot and see if it fixes it.

Regards,

Adam

Hi Adam,

thank you for the commands. Unfortunately it is still not working as expected. I am able to log in to TACP-0 and after that, with privilege escalation, to TACP-15. But the first step with TACP-0 is always needed; I have not made it directly to TACP-15.

Which ISE and CheckPoint version are you using?

Best regards

Christian

We were running into the same issue where ISE logs show the user entered a wrong password. This was fixed after users were added on the Checkpoint firewalls. We stopped sending parameters from ISE and defined user access on the Checkpoints locally. Only authentication is being handled by ISE.
Below is what we used under the shell profile on ISE:

Maximum privilege level = 15

  • Attribute: CheckPoint-SuperUser-Access, Requirement: Mandatory, Value: 1

Thanks, Sri.