- Products
- Learn
- Local User Groups
- Partners
- More
On-Premise SD-WAN Management
Register HereWhat's New in R82.10?
Watch Here AI Security Masters E8:
Claude Mythos: New Era in Cyber Security
CheckMates Go:
The Moment Before
Hello,
I'm trying to setup TACACS+ authentication for accessing GAIA. I have Cisco ISE.
CheckPoint GAIA config:
add aaa tacacs-servers priority 1 server 1.1.1.1 key ***** timeout 5
set aaa tacacs-servers state on
set aaa tacacs-servers user-uid 0
add rba role TACP-0 domain-type System readwrite-features tacacs_enable
add rba role TACP-15 domain-type System all-features
On Cisco ISE, TACACS Profile>
Common Task Type: Shell
Default Privilege: 1
Maximum Privilege: 15:
Raw View:
priv-lvl=1
max_priv_lvl=15
I'm getting Access denied/Permission denied on both CLI and GUI.
I also tried Custom Attributes like:
CP-Gaia-SuperUser-Access = 1
CP-Gaia-User-Role =TACP-15
or
CheckPoint-SuperUser-Access=1
Checkpoint-User-Role=adminRole
None of them worked.
Based on https://support.checkpoint.com/results/sk/sk101573 "priv-lvl = 15" should enough, but it's not!!
Next example https://support.checkpoint.com/results/sk/sk98733 only mentioned this:
Go to 'Policy Elements' > 'Authorization and Permissions' > 'Device Administration' > 'Shell Profiles'.
Add a shell profile to assign to the authenticated TACACS+ users.
In 'Commands and Tasks', set the maximum privileged level as "15".
I did the same in ISE, not working.
On ISE, TACACS Live Logs, I'm getting " Passed-Authentication: Authentication succeeded ".
Is ISE sending wrong attributes?
Could someone please advise?
I figured out the problem:
CISCO ISE > Network Device List > FW02A:
Enable Single Connect Mode: I had the checkbox checked.
When I unchecked, login works.
Hello
could you check the /var/log/secure content on the gateway, to check if there are any related errors?
Hello,
/var/log/secure:
Mar 11 11:17:11 2026 FW02A sshd[27627]: _tac_crypt: using no TACACS+ encryption
Mar 11 11:17:11 2026 FW02A sshd[27627]: tac_authen_read: invalid reply content, incorrect key?
Mar 11 11:17:11 2026 FW02A sshd[27627]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.27.92.200 user=darren
Mar 11 11:17:13 2026 FW02A sshd[27627]: Failed password for darren from 10.27.92.200 port 64308 ssh2
Shared secret key between CheckPoint and Cisco ISE is correct for sure. ISE is replying with success.
/var/log/messages:
Mar 11 11:17:11 2026 FW02A PAM-tacplus[27627]: auth failed: 2
Dumb question: what is the output of this CLISH command?
show users
(I repeat it's a dumb question, but I'm trying to understand)
FW02A > show users
User Uid Gid Home Dir. Shell Real Name Privileges
admin 0 0 /home/admin /bin/bash Admin Admin-like shell
monitor 102 100 /home/monitor /etc/cli.sh Monitor None
FW02A >
When I login with local admin user successfully, I see " Failed-Attempt: Authentication failed " "Subject not found in the applicable identity store(s)" on CISCO ISE.
That's ok, as admin user is defined only localy.
At the moment, the only suggestion could be to capture tacacs+ traffic between firewall and ISE, and analyze it with Wireshark (wireshrk can decrypt tacacs protocol), and try to see if there are any useful information.
this is what I would do.
I figured out the problem:
CISCO ISE > Network Device List > FW02A:
Enable Single Connect Mode: I had the checkbox checked.
When I unchecked, login works.
As i see that authentication succeeds, it seems to be an issue with authorization. I played around with that some weeks ago as well and found a discussion on Cisco end. Maybe that helps.
https://community.cisco.com/t5/network-access-control/cisco-ise-tacacs-authorization-and-checkpoint-...
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count |
|---|---|
| 69 | |
| 23 | |
| 7 | |
| 6 | |
| 4 | |
| 4 | |
| 4 | |
| 3 | |
| 3 | |
| 3 |
Thu 09 Jul 2026 @ 10:00 AM (CEST)
Schutz souveräner Workloads: Check Point & die AWS European Sovereign CloudThu 09 Jul 2026 @ 11:00 AM (CEST)
The Cloud Architects Series: Check Point Edge Protection SD-WAN & SASEThu 09 Jul 2026 @ 11:00 AM (EDT)
Tips and Tricks 2026 #9 - What's New with Check Point Email SecurityFri 10 Jul 2026 @ 11:00 AM (IDT)
CheckMates Live Netherlands - Sessie 48: Nieuwe Check Point Workspace SecurityTue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 09 Jul 2026 @ 11:00 AM (EDT)
Tips and Tricks 2026 #9 - What's New with Check Point Email SecurityFri 10 Jul 2026 @ 11:00 AM (IDT)
CheckMates Live Netherlands - Sessie 48: Nieuwe Check Point Workspace SecurityTue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 20 Aug 2026 @ 10:00 AM (PDT)
AI Security Masters E13: READY OR NOT: Securing the AI Ent 5/5 - AI Research & Threat LandscapeAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY