This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
darren97
Participant
a month ago
Jump to solution

CheckPoint GAIA - Cisco ISE - TACACS+

Hello,

I'm trying to setup TACACS+ authentication for accessing GAIA. I have Cisco ISE.

CheckPoint GAIA config:

add aaa tacacs-servers priority 1 server 1.1.1.1 key ***** timeout 5
set aaa tacacs-servers state on
set aaa tacacs-servers user-uid 0

add rba role TACP-0 domain-type System readwrite-features tacacs_enable
add rba role TACP-15 domain-type System all-features

On Cisco ISE, TACACS Profile>

Common Task Type: Shell

Default Privilege: 1

Maximum Privilege: 15:

Raw View:

priv-lvl=1
max_priv_lvl=15

I'm getting Access denied/Permission denied on both CLI and GUI.

I also tried Custom Attributes like:

CP-Gaia-SuperUser-Access = 1
CP-Gaia-User-Role =TACP-15

or
CheckPoint-SuperUser-Access=1
Checkpoint-User-Role=adminRole

None of them worked.

Based on https://support.checkpoint.com/results/sk/sk101573 "priv-lvl = 15" should enough, but it's not!!

Next example https://support.checkpoint.com/results/sk/sk98733 only mentioned this:

Go to 'Policy Elements' > 'Authorization and Permissions' > 'Device Administration' > 'Shell Profiles'.
Add a shell profile to assign to the authenticated TACACS+ users.
In 'Commands and Tasks', set the maximum privileged level as "15".

I did the same in ISE, not working.

On ISE, TACACS Live Logs, I'm getting " Passed-Authentication: Authentication succeeded ".

Is ISE sending wrong attributes?

Could someone please advise?

0 Kudos
1 Solution

Accepted Solutions
darren97
Participant
a month ago
In response to simonemantovani
Jump to solution

I figured out the problem:

CISCO ISE > Network Device List > FW02A:

Enable Single Connect Mode: I had the checkbox checked.

When I unchecked, login works.

View solution in original post

7 Replies
simonemantovani
MVP
MVP
a month ago
Jump to solution

Hello

could you check the /var/log/secure content on the gateway, to check if there are any related errors?

0 Kudos
darren97
Participant
a month ago
In response to simonemantovani
Jump to solution

Hello,

/var/log/secure:

Mar 11 11:17:11 2026 FW02A sshd[27627]: _tac_crypt: using no TACACS+ encryption
Mar 11 11:17:11 2026 FW02A sshd[27627]: tac_authen_read: invalid reply content, incorrect key?
Mar 11 11:17:11 2026 FW02A sshd[27627]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.27.92.200 user=darren
Mar 11 11:17:13 2026 FW02A sshd[27627]: Failed password for darren from 10.27.92.200 port 64308 ssh2

Shared secret key between CheckPoint and Cisco ISE is correct for sure. ISE is replying with success.

 

/var/log/messages:

Mar 11 11:17:11 2026 FW02A PAM-tacplus[27627]: auth failed: 2

 

0 Kudos
simonemantovani
MVP
MVP
a month ago
In response to darren97
Jump to solution

Dumb question: what is the output of this CLISH command?

show users

(I repeat it's a dumb question, but I'm trying to understand)

0 Kudos
darren97
Participant
a month ago
In response to simonemantovani
Jump to solution

FW02A > show users
User Uid Gid Home Dir. Shell Real Name Privileges
admin 0 0 /home/admin /bin/bash Admin Admin-like shell
monitor 102 100 /home/monitor /etc/cli.sh Monitor None
FW02A >

When I login with local admin user successfully, I see " Failed-Attempt: Authentication failed " "Subject not found in the applicable identity store(s)" on CISCO ISE.

That's ok, as admin user is defined only localy.

simonemantovani
MVP
MVP
a month ago
In response to simonemantovani
Jump to solution

At the moment, the only suggestion could be to capture tacacs+ traffic between firewall and ISE, and analyze it with Wireshark (wireshrk can decrypt tacacs protocol), and try to see if there are any useful information.

this is what I would do.

0 Kudos
darren97
Participant
a month ago
In response to simonemantovani
Jump to solution

I figured out the problem:

CISCO ISE > Network Device List > FW02A:

Enable Single Connect Mode: I had the checkbox checked.

When I unchecked, login works.

Vincent_Bacher
MVP Silver
MVP Silver
a month ago
Jump to solution

As i see that authentication succeeds, it seems to be an issue with authorization. I played around with that some weeks ago as well and found a discussion on Cisco end. Maybe that helps.

https://community.cisco.com/t5/network-access-control/cisco-ise-tacacs-authorization-and-checkpoint-...

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events