https://community.checkpoint.com/t5/General-Topics/TACACS-Authentication/m-p/269511#M45259 <P>What Vince said makes sense. See if below is configured:</P> <DIV> <H1><span class="lia-unicode-emoji" title=":white_heavy_check_mark:">✅</span> <STRONG>Most Likely Root Cause</STRONG></H1> <H3><STRONG>Your TACACS server is not returning the required Check Point–specific TACACS attributes.</STRONG></H3> <P>Check Point uses two role names that must be <EM>exact matches</EM>:</P> <UL> <LI><STRONG>TACP-0</STRONG> → Read‑only</LI> <LI><STRONG>TACP-15</STRONG> → Superuser</LI> </UL> <P>If TACACS returns <STRONG>no role</STRONG>, or a <STRONG>role name mismatch</STRONG>, Check Point:</P> <P>✔ Accepts authentication<BR />✘ Fails authorization → session closed (CLI) / no web access (GUI)</P> </DIV> Tue, 03 Feb 2026 02:35:13 GMT the_rock 2026-02-03T02:35:13Z https://community.checkpoint.com/t5/General-Topics/TACACS-Authentication/m-p/269400#M45226 <P>Hi Experts ,&nbsp;</P><P>&nbsp;</P><P class=""><SPAN>We are currently integrating Check Point devices (firewalls, management servers, MHOs) with TACACS for administrator authentication.</SPAN></P><P class=""><SPAN>Authentication via TACACS is </SPAN><STRONG><SPAN>successful</SPAN></STRONG><SPAN>, and we can see the success logs on the TACACS server. However, after login:</SPAN></P><UL><LI><P class=""><STRONG><SPAN>CLI access</SPAN></STRONG><SPAN>: User is authenticated but immediately logged out</SPAN></P></LI><LI><P class=""><STRONG><SPAN>GUI / SmartConsole</SPAN></STRONG><SPAN>: Error displayed – </SPAN><EM><SPAN>“You are not configured for Web access”</SPAN></EM></P></LI></UL><P class=""><SPAN>We have already followed the Check Point Admin Guide and:</SPAN></P><UL><LI><P class=""><SPAN>Enabled TACACS authentication</SPAN></P></LI><LI><P><SPAN>Created the required roles on Check Point (TACP-0 and TACP-15) with appropriate permissions</SPAN></P></LI></UL><P>What could be the issue ?</P><P>&nbsp;</P><P>Regards&nbsp;</P><P>Sijeel&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><DIV class="">&nbsp;</DIV><P>&nbsp;</P><P>&nbsp;</P> Mon, 02 Feb 2026 10:44:13 GMT https://community.checkpoint.com/t5/General-Topics/TACACS-Authentication/m-p/269400#M45226 Malik1 2026-02-02T10:44:13Z https://community.checkpoint.com/t5/General-Topics/TACACS-Authentication/m-p/269402#M45227 <P>For me it looks like you are facing a successful authentication followed by a failed authorization.<BR />Maybe it is a misconfiguration on your end but maybe not.<BR />My idea:<BR />The Check Point Gaia OS receives a "Password Correct" message from your TACACS server, but because the server doesn't send instructions on what the user is allowed to do, Gaia defaults to the most restrictive state (immediate logout for CLI and "not configured" for Web).<BR /><BR />I guess Custom Attributes to be defined on TACACs server.<BR />On the sk I know about TACACs i don't see anything about that but in our environment we do authorization via TACACs server, in our Case Cisco ISE and it's done like this:<BR /><BR /></P> <P><SPAN><STRONG>Policy Elements::</STRONG></SPAN></P> <UL> <LI><SPAN>Device Administration</SPAN><BR /> <UL> <LI><SPAN>Tacacs+ Profiles</SPAN><BR /> <UL> <LI>CheckPoint<BR /> <UL> <LI><SPAN>1.&nbsp;<STRONG>General tab</STRONG></SPAN></LI> <LI> <DIV> <UL> <LI><SPAN>Name:&nbsp;CheckPoint</SPAN></LI> <LI><SPAN>Description:&nbsp;CheckPoint Firewall</SPAN></LI> </UL> </DIV> </LI> <LI> <DIV>&nbsp;</DIV> </LI> <LI><SPAN>2.&nbsp;<STRONG>Custom Attibutes tab</STRONG></SPAN></LI> <LI> <DIV> <UL> <LI><SPAN><EM>Attribute/Requirement/Valu</EM>e:</SPAN><BR /> <UL> <LI><SPAN>CheckPoint-SuperUser-Access=1</SPAN></LI> <LI><SPAN>Mandatory</SPAN></LI> <LI><SPAN>1</SPAN></LI> </UL> </LI> <LI><SPAN><EM>Attribute/Requirement/Value:</EM></SPAN><BR /> <UL> <LI><SPAN>Checkpoint-User-Role=adminRole</SPAN></LI> <LI><SPAN>Mandatory</SPAN></LI> <LI><SPAN>adminRole</SPAN></LI> </UL> </LI> </UL> </DIV> </LI> </UL> </LI> </UL> </LI> </UL> </LI> </UL> <P>&nbsp;</P> Mon, 02 Feb 2026 11:22:59 GMT https://community.checkpoint.com/t5/General-Topics/TACACS-Authentication/m-p/269402#M45227 Vincent_Bacher 2026-02-02T11:22:59Z https://community.checkpoint.com/t5/General-Topics/TACACS-Authentication/m-p/269511#M45259 <P>What Vince said makes sense. See if below is configured:</P> <DIV> <H1><span class="lia-unicode-emoji" title=":white_heavy_check_mark:">✅</span> <STRONG>Most Likely Root Cause</STRONG></H1> <H3><STRONG>Your TACACS server is not returning the required Check Point–specific TACACS attributes.</STRONG></H3> <P>Check Point uses two role names that must be <EM>exact matches</EM>:</P> <UL> <LI><STRONG>TACP-0</STRONG> → Read‑only</LI> <LI><STRONG>TACP-15</STRONG> → Superuser</LI> </UL> <P>If TACACS returns <STRONG>no role</STRONG>, or a <STRONG>role name mismatch</STRONG>, Check Point:</P> <P>✔ Accepts authentication<BR />✘ Fails authorization → session closed (CLI) / no web access (GUI)</P> </DIV> Tue, 03 Feb 2026 02:35:13 GMT https://community.checkpoint.com/t5/General-Topics/TACACS-Authentication/m-p/269511#M45259 the_rock 2026-02-03T02:35:13Z https://community.checkpoint.com/t5/General-Topics/TACACS-Authentication/m-p/270008#M45343 <P>Hey Malik,</P> <P>Were you able to figure this out?</P> Sun, 08 Feb 2026 23:52:32 GMT https://community.checkpoint.com/t5/General-Topics/TACACS-Authentication/m-p/270008#M45343 the_rock 2026-02-08T23:52:32Z