darren97
Participant
CheckPoint GAIA - Cisco ISE - TACACS+

Hello,

I'm trying to set up TACACS+ authentication for accessing GAIA. I have Cisco ISE.

CheckPoint GAIA config:

add aaa tacacs-servers priority 1 server 1.1.1.1 key ***** timeout 5
set aaa tacacs-servers state on
set aaa tacacs-servers user-uid 0

add rba role TACP-0 domain-type System readwrite-features tacacs_enable
add rba role TACP-15 domain-type System all-features

On Cisco ISE, TACACS Profile>

Common Task Type: Shell

Default Privilege: 1

Maximum Privilege: 15:

Raw View:

priv-lvl=1
max_priv_lvl=15

I'm getting Access denied/Permission denied on both CLI and GUI.

I also tried Custom Attributes like:

CP-Gaia-SuperUser-Access = 1
CP-Gaia-User-Role =TACP-15

or
CheckPoint-SuperUser-Access=1
Checkpoint-User-Role=adminRole

None of them worked.

Based on https://support.checkpoint.com/results/sk/sk101573 "priv-lvl = 15" should be enough, but it's not!!

The next example, https://support.checkpoint.com/results/sk/sk98733, only mentions this:

Go to 'Policy Elements' > 'Authorization and Permissions' > 'Device Administration' > 'Shell Profiles'.
Add a shell profile to assign to the authenticated TACACS+ users.
In 'Commands and Tasks', set the maximum privileged level as "15".

I did the same in ISE, not working.

On ISE, TACACS Live Logs, I'm getting " Passed-Authentication: Authentication succeeded ".

Is ISE sending wrong attributes?

Could someone please advise?


7 Replies
simonemantovani
Collaborator

Hello

could you check the /var/log/secure content on the gateway, to check if there are any related errors?

darren97
Participant

Hello,

/var/log/secure:

Mar 11 11:17:11 2026 FW02A sshd[27627]: _tac_crypt: using no TACACS+ encryption
Mar 11 11:17:11 2026 FW02A sshd[27627]: tac_authen_read: invalid reply content, incorrect key?
Mar 11 11:17:11 2026 FW02A sshd[27627]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.27.92.200 user=darren
Mar 11 11:17:13 2026 FW02A sshd[27627]: Failed password for darren from 10.27.92.200 port 64308 ssh2

Shared secret key between CheckPoint and Cisco ISE is correct for sure. ISE is replying with success.


/var/log/messages:

Mar 11 11:17:11 2026 FW02A PAM-tacplus[27627]: auth failed: 2
simonemantovani
Collaborator

Dumb question: what is the output of this CLISH command?

show users

(I repeat it's a dumb question, but I'm trying to understand)

darren97
Participant

FW02A > show users
User Uid Gid Home Dir. Shell Real Name Privileges
admin 0 0 /home/admin /bin/bash Admin Admin-like shell
monitor 102 100 /home/monitor /etc/cli.sh Monitor None
FW02A >

When I login with local admin user successfully, I see " Failed-Attempt: Authentication failed " "Subject not found in the applicable identity store(s)" on CISCO ISE.

That's ok, as the admin user is defined only locally.

simonemantovani
Collaborator

At the moment, the only suggestion could be to capture TACACS+ traffic between the firewall and ISE and analyze it with Wireshark (Wireshark can decrypt the TACACS+ protocol), and try to see if there is any useful information.

This is what I would do.

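To make the capture-and-analyze suggestion above concrete, here is an added Python example (not code from this thread, from Check Point or from Cisco) that decodes the TACACS+ header flags, including the single-connect flag that the accepted solution turns off on the ISE side, and de-obfuscates the packet body with the shared key as RFC 8907 specifies. The packet, session id and key are constructed for the example; a body that no longer parses after de-obfuscation is exactly the symptom behind pam_tacplus's "invalid reply content, incorrect key?" message.

```python
import hashlib
import struct

# Real RFC 8907 header values; the packet built further down is constructed for this example.
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04
TAC_PLUS_AUTHEN = 0x01
AUTHEN_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER", 5: "GETPASS", 6: "RESTART", 7: "ERROR"}

def parse_header(pkt):
    """Decode the fixed 12-byte TACACS+ header: version, type, seq_no, flags, session_id, length."""
    ver, ptype, seq, flags, session_id, length = struct.unpack("!BBBBII", pkt[:12])
    return {"version": ver, "type": ptype, "seq_no": seq, "flags": flags,
            "unencrypted": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG),
            "single_connect": bool(flags & TAC_PLUS_SINGLE_CONNECT_FLAG),
            "session_id": session_id, "length": length}

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 pad: chained MD5 over session_id, key, version and seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def crypt_body(hdr, body, key):
    """XOR the body with the pad. Symmetric: the same call obfuscates and de-obfuscates."""
    if hdr["unencrypted"]:
        return body
    pad = pseudo_pad(hdr["session_id"], key, hdr["version"], hdr["seq_no"], len(body))
    return bytes(a ^ b for a, b in zip(body, pad))

def decode_authen_reply(pkt, key):
    """Return the authentication REPLY status name, or 'INVALID' when the body does not parse (e.g. wrong key)."""
    hdr = parse_header(pkt)
    body = crypt_body(hdr, pkt[12:12 + hdr["length"]], key)
    if hdr["type"] != TAC_PLUS_AUTHEN or len(body) < 6:
        return "INVALID"
    status, _flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if status not in AUTHEN_STATUS or 6 + msg_len + data_len != len(body):
        return "INVALID"
    return AUTHEN_STATUS[status]

def build_authen_reply(session_id, seq_no, key, status, flags=0):
    """Constructed sample: a server REPLY with empty server_msg/data, body obfuscated under `key`."""
    body = struct.pack("!BBHH", status, 0, 0, 0)
    header = struct.pack("!BBBBII", 0xC0, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + crypt_body(parse_header(header), body, key)
```

Feed it the bytes of a captured reply and the gateway's configured key: a header with single_connect set, or a body that only decodes as INVALID, points at the ISE device settings or the shared secret respectively.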
darren97
Participant

I figured out the problem:

CISCO ISE > Network Device List > FW02A:

Enable Single Connect Mode: I had the checkbox checked.

When I unchecked it, login works.

Vincent_Bacher
MVP Silver

As I see that authentication succeeds, it seems to be an issue with authorization. I played around with that some weeks ago as well and found a discussion on the Cisco end. Maybe that helps.

https://community.cisco.com/t5/network-access-control/cisco-ise-tacacs-authorization-and-checkpoint-...

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite