topic Re: TACACS+ with Check Point Gaia & Cisco ISE — AuthZ Profile Created but Still Getting Denied in Firewall and Security Management

TACACS+ with Check Point Gaia & Cisco ISE — AuthZ Profile Created but Still Getting Denied

Fatalis — Thu, 21 Aug 2025 16:37:44 GMT

Hello everyone,

I’ve been working on integrating our Check Point firewalls (Gaia R81.x) with Cisco ISE for TACACS+ device administration and hit a roadblock that I can’t seem to get past. Hoping someone in the community has run into this and can point me in the right direction.

Full disclosure a different team handles Cisco ISE and I do not have access to look in there myself and can only go off screenshots shared to me. [I have configured this in two separate environments with the same Gaia Clish configurations. The only thing that is different is the TACACS+ servers, Cisco ISE, and user credentials.]

Commands used

add aaa tacacs-servers priority 1 server <TACACS_SERVER_1> key ******** timeout 10
add aaa tacacs-servers priority 2 server <TACACS_SERVER_2> key ******** timeout 10
set aaa tacacs-servers state on
set aaa tacacs-servers user-uid 0
add rba role TACP-0 domain-type System readwrite-features tacacs_enable
add rba role TACP-15 domain-type System all-features
add user <AD_Username> uid 0 homedir /home/<AD_Username>
add rba user <AD_Username> roles TACP-15
set user <AD_Username> gid 100 shell /bin/bash
set user <AD_Username> realname "<AD_Username>"

What works so far

Connectivity is good:

ping, nc -vz <ISE> 49, and tcpdump all confirm the firewall can reach ISE on TCP/49.
IP routes are correct, and ISE is receiving the authentication requests.
Authentication is successful:
ISE Live Logs show Passed-Authentication: Authentication succeeded.
Username is correctly resolved in Active Directory.
Authorization Profile was created:
In ISE, a created a Shell Profile (Checkpoint_Admin) with no custom attributes (mirrors separate working environment)
The TACACS+ policy matches the correct AD group and returns the profile

The Problem

On Gaia, I still get “Permission denied” when attempting SSH login with TACACS credentials.
Gaia logs show:
PAM-tacplus[…] auth failed: 2 tac_connect: all possible TACACS+ servers failed
In ISE Live Logs, AuthZ shows as 0 (no usable profile) even though the rule hits and the profile is applied.

What's been verified

Verified the shared secret matches on both sides.
Created a new test key just in case — same result.
Verified that show aaa tacacs-servers shows the ISE nodes as up.
Confirmed that the RBA role TACP-15 exists and has “All system features.”

Even with the Shell Profile in place, ISE shows AuthZ profile applied but Gaia still refuses login with “permission denied.”

Is there anything specific in CheckPoint RBA mappings that I might be missing?

Do ISE Shell Profiles need any attribute other than shell:priv-lvl=15 for Check Point (unlike IOS/NX-OS which only need that one)?

Could this be related to how Gaia interprets the AD group membership via TACACS?

Any advice or pointers would be hugely appreciated.

Thanks in advance!

Re: TACACS+ with Check Point Gaia & Cisco ISE — AuthZ Profile Created but Still Getting Denied

Chris_Atkinson — Sat, 23 Aug 2025 01:40:21 GMT

Is access via the GAiA UI and Console access also effected and which version/JHF is the gateway?

Re: TACACS+ with Check Point Gaia & Cisco ISE — AuthZ Profile Created but Still Getting Denied

Fatalis — Sat, 23 Aug 2025 02:11:57 GMT

Hi Chris thank you for replying,

Both Gaia web UI and Console access are effected. Our devices in this particular environment are mostly R81.10 Take 156. I did recently remove old Radius configurations that have not worked thinking that there may have been a conflict between the two. Unfortunately that too did not resolve the underlying issue.

Re: TACACS+ with Check Point Gaia & Cisco ISE — AuthZ Profile Created but Still Getting Denied

the_rock — Sat, 23 Aug 2025 02:38:14 GMT

Hey @Fatalis

I would confirm with tcpdump and fw monitor that you see the communication from the fw itself, not sure what port this is related to, but lets assume, for argument sake its 777, you can try below:

tcpdump -enni any port 777

fw monitor -e "accept port(777);"

See what you get...based on output of those, it should give us better idea.

Best.

Andy

Re: TACACS+ with Check Point Gaia & Cisco ISE — AuthZ Profile Created but Still Getting Denied

Fatalis — Sun, 24 Aug 2025 03:44:53 GMT

Hi Rock,

The tcpdump over TACACS port 49 shows a three way handshake between the security gateway and the TACACS server. However, at the very start with tail -f /var/log/messages | grep i tac the following error pops up.
PAM-tacplus[…] auth failed: 2 tac_connect: [Still finishes the three way handshake with the fail]

with fw monitor we can see it going in and out the designated ports to reach the TACACS server and to come back ie i,I,o,O.

There is a firewall that sits in front of the TACACS server which picks up on the cluster VIP when running the fw monitor command. Which should be as expected.

Attempting login to that firewall I just mentioned which sits directly Infront of that TACACS server also results in the same errors.

I would think it could be related to AD permissions but to my knowledge TACACS ISE will pull the AD group associated with the AD user and then give it the Shell Profile privilege that is configured within ISE for privilege levels

Re: TACACS+ with Check Point Gaia & Cisco ISE — AuthZ Profile Created but Still Getting Denied

the_rock — Sun, 24 Aug 2025 03:49:47 GMT

Based on all you said, sounds to me that CP side appears to be fine.

Re: TACACS+ with Check Point Gaia & Cisco ISE — AuthZ Profile Created but Still Getting Denied

Fatalis — Sun, 24 Aug 2025 03:54:15 GMT

Yeah i’m also coming to that same conclusion just needed some sanity checks.

Have a scheduled TAC call with Cisco Monday with hopefully more information and a hopefully a resolution.

I’ll post here for any findings or resolutions after the troubleshooting with Cisco

Re: TACACS+ with Check Point Gaia & Cisco ISE — AuthZ Profile Created but Still Getting Denied

the_rock — Sun, 24 Aug 2025 03:57:35 GMT

Sounds good, please keep us posted.

Andy

Re: TACACS+ with Check Point Gaia & Cisco ISE — AuthZ Profile Created but Still Getting Denied

Peter_Lyndley — Sun, 24 Aug 2025 06:16:53 GMT

From what I remember, you should not be defining the usernames on the gateway itself. Try deleting one of the users on the gateway and then try that user again via tacacs.

remove these lines below

add user <AD_Username> uid 0 homedir /home/<AD_Username>
add rba user <AD_Username> roles TACP-15
set user <AD_Username> gid 100 shell /bin/bash
set user <AD_Username> realname "<AD_Username>"

Re: TACACS+ with Check Point Gaia & Cisco ISE — AuthZ Profile Created but Still Getting Denied

genisis__ — Sun, 24 Aug 2025 11:57:28 GMT

Is there a SK for this? It would be really good to know how to integrate ISE so there is R/W and RO accounts. With the ISE 3.x/4.x configuration steps as well.

Re: TACACS+ with Check Point Gaia & Cisco ISE — AuthZ Profile Created but Still Getting Denied

Peter_Lyndley — Sun, 24 Aug 2025 13:43:36 GMT

There are SKs relating to this, for example sk98733 and sk101573

Note - All TACACS+ users must log in to Gaia OS with the password assigned to the default role TACP-0.

Note 2.To get their applicable TACP role in Gaia OS, after this initial login, TACACS+ users must log in for the second time with the password assigned to their applicable TACP role.

Also check - Configuring Gaia as a TACACS+ Client

Re: TACACS+ with Check Point Gaia & Cisco ISE — AuthZ Profile Created but Still Getting Denied

the_rock — Sun, 24 Aug 2025 15:24:21 GMT

Thats very good to know @Peter_Lyndley

Andy

Re: TACACS+ with Check Point Gaia & Cisco ISE — AuthZ Profile Created but Still Getting Denied

Fatalis — Sun, 24 Aug 2025 16:57:43 GMT

In the current working environment I tried this as well without a matching local user assigned TACP-15 and it wouldn't work. Only until I manually created each user with the assigned role TACP-15 in the firewall were we able to finally able to gain access.

Also tried both ways in the broken environment by removing the users and re-adding the user accounts which resulted in the same errors.

Re: TACACS+ with Check Point Gaia & Cisco ISE — AuthZ Profile Created but Still Getting Denied

genisis__ — Mon, 25 Aug 2025 14:02:20 GMT

good to know, thanks.

Re: TACACS+ with Check Point Gaia & Cisco ISE — AuthZ Profile Created but Still Getting Denied

genisis__ — Mon, 25 Aug 2025 14:04:32 GMT

That pretty much want we all want i.e. don't create any accounts on the gateway.

Re: TACACS+ with Check Point Gaia & Cisco ISE — AuthZ Profile Created but Still Getting Denied

Fatalis — Mon, 25 Aug 2025 22:50:39 GMT

Latest troubleshooting with TAC I discovered the the Firewall VIP is making it's way to the firewall which sits in front of the TACACS server (i) but never (I, o, O) leaving that firewall to TACACS

I do see return traffic from the source firewall mgmt IP. Just need to figure out why the traffic hits the port on that TACACS border firewall but never leaves to make it's way to that TACACS server. The mgmt IP takes the same exact route and can see that communication back and forth.

Re: TACACS+ with Check Point Gaia & Cisco ISE — AuthZ Profile Created but Still Getting Denied

Fatalis — Mon, 25 Aug 2025 22:57:35 GMT

Funny enough I removed the accounts in the working environment and it did in fact work as it was supposed to be intended. I may keep the actual local accounts which auth to TACACS since it'll default our admins into bin/bash. I'll leave the decision up to them once both environments are working

Re: TACACS+ with Check Point Gaia & Cisco ISE — AuthZ Profile Created but Still Getting Denied

Fatalis — Mon, 25 Aug 2025 23:19:46 GMT

Edit- It was taking the accelerated path. Updated fw monitor command and verified that communication is returning back to the VIP

Re: TACACS+ with Check Point Gaia & Cisco ISE — AuthZ Profile Created but Still Getting Denied

the_rock — Tue, 26 Aug 2025 00:01:24 GMT

What did Cisco TAC say?

Andy

Re: TACACS+ with Check Point Gaia & Cisco ISE — AuthZ Profile Created but Still Getting Denied

genisis__ — Sun, 21 Sep 2025 18:55:34 GMT

I've had another go with this but this time with R82 VSX. What I would like to see is a clearly defined instruction guide for Cisco ISE intergration to allow ReadOnly and Admin access. This does not seem to exist (Yes there are some really old Sks).

Anyway I got to the point where I had to have a user created on GAIA (Not what I want), assigned it TACP-15 role. The when I logged in got hit by virtual system access not allowed, I can't assign virtual systems to the role, some features are not allowed. So stuck.

How on earth do I get an admin user authenticated against ISE without creating the user locally and also ensure it can access virtual system with admin rights.

This seems to be the link to look at for a standard gateway (Nothing really in there for VSX that I could see) Configuring TACACS+ Servers for Non-Local Gaia Users
This takes you to a SK then related to Cisco ACS which went EoL years ago.