Malik1
Contributor

TACACS Authentication

Hi Experts,

We are currently integrating Check Point devices (firewalls, management servers, MHOs) with TACACS for administrator authentication.

Authentication via TACACS is successful, and we can see the success logs on the TACACS server. However, after login:

  • CLI access: User is authenticated but immediately logged out

  • GUI / SmartConsole: Error displayed – “You are not configured for Web access”

We have already followed the Check Point Admin Guide and:

  • Enabled TACACS authentication

  • Created the required roles on Check Point (TACP-0 and TACP-15) with appropriate permissions

What could be the issue?

Regards,
Sijeel
0 Kudos
2 Replies
Vincent_Bacher
MVP Silver

For me it looks like you are facing a successful authentication followed by a failed authorization.
Maybe it is a misconfiguration on your end but maybe not.
My idea:
The Check Point Gaia OS receives a "Password Correct" message from your TACACS server, but because the server doesn't send instructions on what the user is allowed to do, Gaia defaults to the most restrictive state (immediate logout for CLI and "not configured" for Web).

I guess Custom Attributes need to be defined on the TACACS server.
In the SK I know about TACACS I don't see anything about that, but in our environment we do authorization via the TACACS server, in our case Cisco ISE, and it's done like this:

Policy Elements:

  • Device Administration
    • Tacacs+ Profiles
      • CheckPoint
        • 1. General tab
          • Name: CheckPoint
          • Description: CheckPoint Firewall
        • 2. Custom Attributes tab (Attribute / Requirement / Value)
          • CheckPoint-SuperUser-Access=1 / Mandatory / 1
          • Checkpoint-User-Role=adminRole / Mandatory / adminRole

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
the_rock
MVP Diamond

What Vince said makes sense. See if the below is configured:

Most Likely Root Cause

Your TACACS server is not returning the required Check Point–specific TACACS attributes.

Check Point uses two role names that must be exact matches:

  • TACP-0 → Read‑only
  • TACP-15 → Superuser

If TACACS returns no role, or a role name mismatch, Check Point:

✔ Accepts authentication
✘ Fails authorization → session closed (CLI) / no web access (GUI)

Best,
Andy
0 Kudos
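Both replies above describe the same failure mode: the TACACS+ server answers the authorization request with a PASS but without any attribute Gaia can turn into a role, so the user is authenticated and then dropped. The script below is an added example, not code from this thread or from Check Point. It parses the body of a TACACS+ authorization REPLY (the RFC 8907 layout; the body is assumed to be already de-obfuscated), splits each AV pair into attribute, value and mandatory/optional flag, and then applies the role selection the two replies describe. The mapping inside `gaia_role_decision` is an assumption for illustration only: `Checkpoint-User-Role=<name>` selects that role by exact, case-sensitive match, and the standard `priv-lvl=N` attribute selects `TACP-N` (TACP-0 read-only, TACP-15 superuser); the real Gaia logic may differ. The function names and the sample replies in `SAMPLES` are constructed here, not captured from a real server.

```python
"""Parse a TACACS+ authorization REPLY body and decide what role Gaia would get.

Added example (not from the thread or Check Point). Body layout follows RFC 8907
section 6.2 and is assumed to be already de-obfuscated (the MD5 keystream step is
outside this script). The role mapping in gaia_role_decision() is an assumption.
"""
import struct
from dataclasses import dataclass

# Authorization status codes, RFC 8907 section 6.2
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}


@dataclass
class AuthorReply:
    status: str
    server_msg: str
    data: bytes
    # list of (attribute, value, mandatory): "a=v" is mandatory, "a*v" is optional
    args: list


def split_avpair(raw: str):
    """Split an AV pair at the first '=' (mandatory) or '*' (optional)."""
    idx = next((i for i, ch in enumerate(raw) if ch in "=*"), None)
    if idx is None:
        raise ValueError(f"malformed AV pair: {raw!r}")
    return raw[:idx], raw[idx + 1:], raw[idx] == "="


def build_author_reply(status: int, args, server_msg: str = "", data: bytes = b"") -> bytes:
    """Encode a REPLY body; used here only to construct sample packets."""
    enc = [a.encode() for a in args]
    msg = server_msg.encode()
    if len(enc) > 255 or any(len(a) > 255 for a in enc):
        raise ValueError("arg_cnt and each arg_len are single bytes")
    header = struct.pack("!BBHH", status, len(enc), len(msg), len(data))
    return header + bytes(len(a) for a in enc) + msg + data + b"".join(enc)


def parse_author_reply(body: bytes) -> AuthorReply:
    """Decode status, server_msg, data and the AV pair list from a REPLY body."""
    if len(body) < 6:
        raise ValueError("body shorter than fixed header")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = list(body[off:off + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated arg_len table")
    off += arg_cnt
    need = msg_len + data_len + sum(arg_lens)
    if len(body) - off != need:
        raise ValueError(f"body length mismatch: have {len(body) - off}, need {need}")
    server_msg = body[off:off + msg_len].decode("utf-8", "replace")
    off += msg_len
    data = body[off:off + data_len]
    off += data_len
    args = []
    for n in arg_lens:
        args.append(split_avpair(body[off:off + n].decode("utf-8", "replace")))
        off += n
    return AuthorReply(AUTHOR_STATUS.get(status, f"UNKNOWN_0x{status:02x}"),
                       server_msg, data, args)


def gaia_role_decision(reply: AuthorReply):
    """Return the role the reply would select, or None for 'authenticated but
    not authorized' (the CLI logout / 'not configured for Web access' case).

    Assumed mapping, for illustration only:
      Checkpoint-User-Role=<name>  -> that role (exact, case-sensitive match)
      priv-lvl=N (0..15)           -> TACP-N, i.e. TACP-0 read-only, TACP-15 superuser
    """
    if reply.status not in ("PASS_ADD", "PASS_REPL"):
        return None
    attrs = {attr: value for attr, value, _ in reply.args}
    role = attrs.get("Checkpoint-User-Role")
    if role:
        return role
    lvl = attrs.get("priv-lvl", "")
    if lvl.isdigit() and 0 <= int(lvl) <= 15:
        return f"TACP-{int(lvl)}"
    return None


# Constructed sample replies, not captures from a real server
SAMPLES = {
    "pass, no attributes (the thread's symptom)": build_author_reply(0x01, []),
    "pass with ISE custom attributes": build_author_reply(
        0x01, ["CheckPoint-SuperUser-Access=1", "Checkpoint-User-Role=adminRole"]),
    "pass with priv-lvl 15": build_author_reply(0x01, ["priv-lvl=15"]),
    "explicit FAIL": build_author_reply(0x10, ["priv-lvl=15"], server_msg="denied"),
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        reply = parse_author_reply(body)
        print(f"{label:45} status={reply.status:9} role={gaia_role_decision(reply)}")
```

The first sample is the situation in the original post: status PASS but an empty argument list, which the decision function turns into `None` exactly as the replies describe (authentication succeeds, authorization yields nothing). When troubleshooting, compare the attribute names the server actually sends, byte for byte, against what the device expects, since a case or spelling mismatch in the role name produces the same empty result as sending no attribute at all.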