This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vaibhav_Parmar
Participant
‎2020-08-13 07:00 PM

TACACS+ Config is not working as expected

Hi Mates,

 

I am facing some weird issue here , I had changed  Tacacs+ config for admin users , Earlier authenticating from Cisco ACS only and now some users authenticating from Cisco ISE and some from Cisco ACS.

In Dashboard I have setup some admin users to authenticate from Cisco ISE and some from Cisco ACS.   but somehow some users who are setup to authenticate from Cisco ISE are getting authenticate Cisco ACS,  How this is happening ?

 

When I created users I did install Database and Install Policy .

 

 

 

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2020-08-13 09:31 PM

I'm not clear what these users are authenticating to: Gaia OS, SmartConsole, or?

0 Kudos
Vaibhav_Parmar
Participant
‎2020-08-14 02:37 AM
In response to PhoneBoy

There Authenticating to SmartConsole locally 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-08-15 07:22 PM
In response to Vaibhav_Parmar

How precisely did you change the config on the Check Point side to support your goal?

0 Kudos
Vaibhav_Parmar
Participant
‎2020-08-19 04:33 AM
In response to PhoneBoy

 

We are facing some weird issues here. We have changed  Tacacs+ config for admin users , Earlier authenticating from Cisco ACS only and now some users authenticating from Cisco ISE and some from Cisco ACS.

 In Checkpoint SmartDashboard we have set up some admin users to authenticate from Cisco ISE and some from Cisco ACS.   But somehow some users who are setup to authenticate from Cisco ISE are getting authenticated Cisco ACS. I have taken different traffic captures from the command line and found users traffic who set up to authenticate from Cisco ISE are not initiating to authenticate for Cisco ISE , But Same traffic is initiating for Cisco ACS. 

 

######################

:

 

 

When I capture logs for one user accounts1 :

01:29:53.794056 IP END-CP-MGMT-01.47747 > end-ise-01.next-uk.next.loc.tacacs: Flags [S], seq 934938609, win 29200, options [mss 1460,sackOK,TS val 3002153689 ecr 0,nop,wscale 10], length 0

01:29:53.794364 IP end-ise-01.next-uk.next.loc.tacacs > END-CP-MGMT-01.47747: Flags [S.], seq 1346839268, ack 934938610, win 28960, options [mss 1460,sackOK,TS val 38800155 ecr 3002153689,nop,wscale 7], length 0

01:29:53.794382 IP END-CP-MGMT-01.47747 > end-ise-01.next-uk.next.loc.tacacs: Flags [.], ack 1, win 29, options [nop,nop,TS val 3002153689 ecr 38800155], length 0

 

Similar setup is with is with another  account :

  

03:32:48.827151 IP END-CP-MGMT-01.46293 > end-iprs14.next-uk.next.loc.tacacs: Flags [S], seq 1368525070, win 29200, options [mss 1460,sackOK,TS val 3009528722 ecr 0,nop,wscale 10], length 0
03:32:48.827456 IP end-iprs14.next-uk.next.loc.tacacs > END-CP-MGMT-01.46293: Flags [S.], seq 4286673841, ack 1368525071, win 14480, options [mss 1460,sackOK,TS val 2678212123 ecr 3009528722,nop,wscale 7], length 0

But  authenticated from Cisco ACS server although the account is set up to authenticate from Cisco ISE only. 

 

Please config is same for both the users which also verified from CP TAC

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events