Hello everyone,
I’ve been working on integrating our Check Point firewalls (Gaia R81.x) with Cisco ISE for TACACS+ device administration and hit a roadblock that I can’t seem to get past. Hoping someone in the community has run into this and can point me in the right direction.
Full disclosure: a different team handles Cisco ISE, and I do not have access to look in there myself and can only go off screenshots shared with me. [I have configured this in two separate environments with the same Gaia Clish configurations. The only things that are different are the TACACS+ servers, Cisco ISE, and user credentials.]
Commands used:
add aaa tacacs-servers priority 1 server <TACACS_SERVER_1> key ******** timeout 10
add aaa tacacs-servers priority 2 server <TACACS_SERVER_2> key ******** timeout 10
set aaa tacacs-servers state on
set aaa tacacs-servers user-uid 0
add rba role TACP-0 domain-type System readwrite-features tacacs_enable
add rba role TACP-15 domain-type System all-features
add user <AD_Username> uid 0 homedir /home/<AD_Username>
add rba user <AD_Username> roles TACP-15
set user <AD_Username> gid 100 shell /bin/bash
set user <AD_Username> realname "<AD_Username>"
What works so far
Connectivity is good:
ping, nc -vz <ISE> 49, and tcpdump all confirm the firewall can reach ISE on TCP/49.
IP routes are correct, and ISE is receiving the authentication requests.
Authentication is successful:
ISE Live Logs show Passed-Authentication: Authentication succeeded.
Username is correctly resolved in Active Directory.
Authorization Profile was created:
In ISE, I created a Shell Profile (Checkpoint_Admin) with no custom attributes (mirrors the separate working environment).
The TACACS+ policy matches the correct AD group and returns the profile.
The Problem
On Gaia, I still get “Permission denied” when attempting SSH login with TACACS credentials.
Gaia logs show:
PAM-tacplus[…] auth failed: 2 tac_connect: all possible TACACS+ servers failed
In ISE Live Logs, AuthZ shows as 0 (no usable profile) even though the rule hits and the profile is applied.
What's been verified
Verified the shared secret matches on both sides.
Created a new test key just in case — same result.
Verified that show aaa tacacs-servers shows the ISE nodes as up.
Confirmed that the RBA role TACP-15 exists and has “All system features.”
Even with the Shell Profile in place, ISE shows AuthZ profile applied but Gaia still refuses login with “permission denied.”
Is there anything specific in Check Point RBA mappings that I might be missing?
Do ISE Shell Profiles need any attribute other than shell:priv-lvl=15 for Check Point (unlike IOS/NX-OS which only need that one)?
Could this be related to how Gaia interprets the AD group membership via TACACS?
Any advice or pointers would be hugely appreciated.
Thanks in advance!
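Added example (not from the original post or from Check Point): a small log-triage helper for the PAM-tacplus lines quoted above, which separates "tac_connect: all possible TACACS+ servers failed" (no usable exchange with any configured server, so the fault is between the gateway and the server) from other auth failures. The syslog layout and the sample lines are constructed assumptions based on the single line quoted in the thread.

```python
import re
from collections import Counter

# Syslog-style line as assumed for Gaia's /var/log/messages; the layout is
# inferred from the 'PAM-tacplus[...] auth failed: ...' line in the thread.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'PAM-tacplus\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)

# 'tac_connect ... failed' means pam_tacplus completed no exchange with any
# configured server. In this thread the TCP handshake on port 49 completed,
# but the request never left an in-path firewall, so the category points at
# the path to the server rather than at the RBA role mapping.
CATEGORIES = [
    (re.compile(r'tac_connect: all possible TACACS\+ servers failed'),
     'no-server-response'),
    (re.compile(r'auth failed'), 'auth-failed-other'),
]

def classify(msg):
    """Map a PAM-tacplus message body to a triage category."""
    for pattern, label in CATEGORIES:
        if pattern.search(msg):
            return label
    return 'other'

def triage(lines):
    """Return (per-category counts, PAM-tacplus lines that did not parse)."""
    counts = Counter()
    unparsed = []
    for line in lines:
        if 'PAM-tacplus' not in line:
            continue          # sshd and other daemons are out of scope
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        counts[classify(m.group('msg'))] += 1
    return counts, unparsed

# Constructed sample lines, not real gateway output.
SAMPLE = [
    "Sep  1 09:14:02 gw-a PAM-tacplus[4211]: auth failed: 2 tac_connect: all possible TACACS+ servers failed",
    "Sep  1 09:14:09 gw-a PAM-tacplus[4211]: auth failed: 2 tac_connect: all possible TACACS+ servers failed",
    "Sep  1 09:15:30 gw-a sshd[4300]: Failed password for admin from 10.0.0.5 port 51022 ssh2",
    "Sep  1 09:16:01 gw-a PAM-tacplus[4222]: auth failed: 1",
    "garbage PAM-tacplus line",
]

if __name__ == '__main__':
    counts, bad = triage(SAMPLE)
    print(dict(counts), bad)
```

Feed it `tail -f /var/log/messages` output line by line to see whether the failures are all of the no-server-response kind before touching the RBA roles.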
Is access via the Gaia UI and console access also affected, and which version/JHF is the gateway?
Hi Chris thank you for replying,
Both Gaia web UI and console access are affected. Our devices in this particular environment are mostly R81.10 Take 156. I did recently remove old RADIUS configurations that had not worked, thinking that there may have been a conflict between the two. Unfortunately that too did not resolve the underlying issue.
Hey @Fatalis
I would confirm with tcpdump and fw monitor that you see the communication from the fw itself. Not sure what port this is related to, but let's assume, for argument's sake, it's 777; you can try the below:
tcpdump -enni any port 777
fw monitor -e "accept port(777);"
See what you get. Based on the output of those, it should give us a better idea.
Best.
Andy
Hi Rock,
The tcpdump over TACACS port 49 shows a three-way handshake between the security gateway and the TACACS server. However, at the very start, with tail -f /var/log/messages | grep -i tac, the following error pops up.
PAM-tacplus[…] auth failed: 2 tac_connect: [Still finishes the three way handshake with the fail]
With fw monitor we can see it going in and out the designated ports to reach the TACACS server and come back, i.e. i, I, o, O.
There is a firewall that sits in front of the TACACS server, which picks up on the cluster VIP when running the fw monitor command, which should be as expected.
Attempting login to that firewall I just mentioned, which sits directly in front of that TACACS server, also results in the same errors.
I would think it could be related to AD permissions, but to my knowledge TACACS ISE will pull the AD group associated with the AD user and then give it the Shell Profile privilege that is configured within ISE for privilege levels.
Based on all you said, it sounds to me that the CP side appears to be fine.
Yeah, I'm also coming to that same conclusion, just needed some sanity checks.
Have a scheduled TAC call with Cisco Monday with hopefully more information and hopefully a resolution.
I'll post here any findings or resolutions after the troubleshooting with Cisco.
Sounds good, please keep us posted.
Andy
Hi
From what I remember, you should not be defining the usernames on the gateway itself. Try deleting one of the users on the gateway and then try that user again via TACACS+.
Remove these lines below:
add user <AD_Username> uid 0 homedir /home/<AD_Username>
add rba user <AD_Username> roles TACP-15
set user <AD_Username> gid 100 shell /bin/bash
set user <AD_Username> realname "<AD_Username>"
Is there an SK for this? It would be really good to know how to integrate ISE so there are R/W and RO accounts, with the ISE 3.x/4.x configuration steps as well.
There are SKs relating to this, for example sk98733 and sk101573.
Note 1: All TACACS+ users must log in to Gaia OS with the password assigned to the default role TACP-0.
Note 2: To get their applicable TACP role in Gaia OS, after this initial login, TACACS+ users must log in a second time with the password assigned to their applicable TACP role.
Also check: Configuring Gaia as a TACACS+ Client.
That's very good to know @Peter_Lyndley
Andy
Good to know, thanks.
In the latest troubleshooting with TAC I discovered that the firewall VIP is making its way to the firewall which sits in front of the TACACS server (i) but never (I, o, O) leaving that firewall to TACACS.
I do see return traffic from the source firewall mgmt IP. Just need to figure out why the traffic hits the port on that TACACS border firewall but never leaves to make its way to that TACACS server. The mgmt IP takes the exact same route and I can see that communication back and forth.
Edit: It was taking the accelerated path. Updated the fw monitor command and verified that communication is returning back to the VIP.
What did Cisco TAC say?
Andy
In the current working environment I tried this as well without a matching local user assigned TACP-15 and it wouldn't work. Only once I manually created each user with the assigned role TACP-15 in the firewall were we finally able to gain access.
Also tried both ways in the broken environment, removing the users and re-adding the user accounts, which resulted in the same errors.
That's pretty much what we all want, i.e. don't create any accounts on the gateway.
Funny enough, I removed the accounts in the working environment and it did in fact work as intended. I may keep the actual local accounts which auth to TACACS since it'll default our admins into /bin/bash. I'll leave the decision up to them once both environments are working.