Hello everyone,
I’ve been working on integrating our Check Point firewalls (Gaia R81.x) with Cisco ISE for TACACS+ device administration and hit a roadblock that I can’t seem to get past. Hoping someone in the community has run into this and can point me in the right direction.
Full disclosure a different team handles Cisco ISE and I do not have access to look in there myself and can only go off screenshots shared to me. [I have configured this in two separate environments with the same Gaia Clish configurations. The only thing that is different is the TACACS+ servers, Cisco ISE, and user credentials.]
Commands used:

```
add aaa tacacs-servers priority 1 server <TACACS_SERVER_1> key ******** timeout 10
add aaa tacacs-servers priority 2 server <TACACS_SERVER_2> key ******** timeout 10
set aaa tacacs-servers state on
set aaa tacacs-servers user-uid 0
add rba role TACP-0 domain-type System readwrite-features tacacs_enable
add rba role TACP-15 domain-type System all-features
add user <AD_Username> uid 0 homedir /home/<AD_Username>
add rba user <AD_Username> roles TACP-15
set user <AD_Username> gid 100 shell /bin/bash
set user <AD_Username> realname "<AD_Username>"
```
What works so far

- Connectivity is good:
  - ping, nc -vz <ISE> 49, and tcpdump all confirm the firewall can reach ISE on TCP/49.
  - IP routes are correct, and ISE is receiving the authentication requests.
- Authentication is successful:
  - ISE Live Logs show Passed-Authentication: Authentication succeeded.
  - Username is correctly resolved in Active Directory.
- Authorization Profile was created:
  - In ISE, I created a Shell Profile (Checkpoint_Admin) with no custom attributes (mirrors the separate working environment).
  - The TACACS+ policy matches the correct AD group and returns the profile.
The Problem
On Gaia, I still get “Permission denied” when attempting SSH login with TACACS credentials.
Gaia logs show:

```
PAM-tacplus[…] auth failed: 2 tac_connect: all possible TACACS+ servers failed
```
In ISE Live Logs, AuthZ shows as 0 (no usable profile) even though the rule hits and the profile is applied.
What's been verified

- Verified the shared secret matches on both sides.
- Created a new test key just in case — same result.
- Verified that show aaa tacacs-servers shows the ISE nodes as up.
- Confirmed that the RBA role TACP-15 exists and has “All system features.”
- Even with the Shell Profile in place, ISE shows AuthZ profile applied but Gaia still refuses login with “permission denied.”
Is there anything specific in CheckPoint RBA mappings that I might be missing?
Do ISE Shell Profiles need any attribute other than shell:priv-lvl=15 for Check Point (unlike IOS/NX-OS which only need that one)?
Could this be related to how Gaia interprets the AD group membership via TACACS?
Any advice or pointers would be hugely appreciated.
Thanks in advance!
Right, but then it begs the question: WHY does it not allow it?
Andy
Exactly - now I have also just tried this:

```
add rba role TACP-15 domain-type System readwrite-features tacacs_enable
add rba role TACP-15 virtual-system-access all
```

with the same result.
Did you end up opening TAC case?
Yes - I will be doing more troubleshooting with TAC over a Zoom this week.
Hope it goes well and is useful.
Andy
Unfortunately, due to the way legacy VSX is implemented, VS-level separation at the OS level isn't really possible.
VSnext in R82 should support this.
Are you referring to something different than this:

```
add rba role <Existing Role Name>
    virtual-system-access 0
    virtual-system-access all
    virtual-system-access VSID1,VSID2,...,VSIDn
```

See also: https://community.checkpoint.com/t5/Management/Read-Only-Access-to-Virtual-System/td-p/22842
Almost the same Chris - I also had a TAC session where we tried different things. I believe an internal ticket has been raised as well.
Also the SK related to getting this working with Cisco ACS really needs updating to do this with Cisco ISE. The TAC engineer to be fair could not assist on this side so it was a bit of a grey area, that said I don't think the issue is here.
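The thread turns on whether the role Gaia looks for after a TACACS+ authorization reply actually exists and grants features. The following is an added example, written for this thread and not Check Point or Cisco tooling: it parses the Clish `aaa tacacs-servers`, `rba role`, `rba user` and `user` command shapes quoted in the original post and in the `virtual-system-access` replies into a small model, then reports the gaps a reviewer would chase. Its assumptions: Gaia resolves a `shell:priv-lvl=N` reply to the RBA role named `TACP-N` (the TACP-0/TACP-15 convention the post already uses), the parser is my own and only understands the command shapes shown, and the sample lines are constructed with placeholder addresses and user name.

```python
"""Model a Gaia Clish TACACS+/RBA snippet and check it for the gaps this thread chases.

Added example for this thread, not Check Point or Cisco code. The parser below is my own
and handles only the 'add/set aaa|rba|user' command shapes quoted in the thread; the
mapping of shell:priv-lvl=N onto the RBA role TACP-N is assumed from Gaia's TACP-0..TACP-15
role naming; SAMPLE_CLISH is constructed (addresses and user name are placeholders)."""
import shlex
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: mirrors the original post plus the virtual-system-access form.
SAMPLE_CLISH = """\
add aaa tacacs-servers priority 1 server 192.0.2.11 key REDACTED timeout 10
add aaa tacacs-servers priority 2 server 192.0.2.12 key REDACTED timeout 10
set aaa tacacs-servers state on
set aaa tacacs-servers user-uid 0
add rba role TACP-0 domain-type System readwrite-features tacacs_enable
add rba role TACP-15 domain-type System all-features
add rba role TACP-15 virtual-system-access all
add user jdoe uid 0 homedir /home/jdoe
add rba user jdoe roles TACP-15
"""

FLAGS = {"all-features"}  # attribute tokens that carry no value


@dataclass
class GaiaAaa:
    servers: dict = field(default_factory=dict)      # priority -> server address
    tacacs_on: bool = False
    user_uid: Optional[int] = None
    roles: dict = field(default_factory=dict)        # role name -> attribute dict
    user_roles: dict = field(default_factory=dict)   # user -> list of role names
    local_users: dict = field(default_factory=dict)  # user -> attribute dict


def _pairs(tokens):
    """Turn 'k v k v flag k v' into a dict; flag tokens map to True."""
    out, i = {}, 0
    while i < len(tokens):
        if tokens[i] in FLAGS:
            out[tokens[i]], i = True, i + 1
        elif i + 1 < len(tokens):
            out[tokens[i]], i = tokens[i + 1], i + 2
        else:
            raise ValueError(f"dangling attribute {tokens[i]!r}")
    return out


def parse_clish(text):
    """Build a GaiaAaa model from Clish lines; later lines merge into earlier objects."""
    cfg = GaiaAaa()
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok or tok[0].startswith("#"):
            continue
        verb, obj = tok[0], tok[1:3]
        if obj == ["aaa", "tacacs-servers"]:
            attrs = _pairs(tok[3:])
            if verb == "add":
                cfg.servers[int(attrs["priority"])] = attrs["server"]
            if "state" in attrs:
                cfg.tacacs_on = attrs["state"] == "on"
            if "user-uid" in attrs:
                cfg.user_uid = int(attrs["user-uid"])
        elif obj == ["rba", "role"]:
            cfg.roles.setdefault(tok[3], {}).update(_pairs(tok[4:]))
        elif obj == ["rba", "user"]:
            cfg.user_roles[tok[3]] = _pairs(tok[4:]).get("roles", "").split(",")
        elif tok[1] == "user":
            cfg.local_users.setdefault(tok[2], {}).update(_pairs(tok[3:]))
    return cfg


def role_for_priv_lvl(cfg, priv_lvl):
    """Role Gaia is assumed to look up for shell:priv-lvl=N, and whether it is defined."""
    name = f"TACP-{priv_lvl}"
    return name, name in cfg.roles


def check(cfg, priv_lvl):
    """Return (level, message) findings; 'error' items block a TACACS+ admin login."""
    findings = []
    if not cfg.servers:
        findings.append(("error", "no TACACS+ servers configured"))
    if not cfg.tacacs_on:
        findings.append(("error", "TACACS+ state is not 'on'"))
    role, defined = role_for_priv_lvl(cfg, priv_lvl)
    if not defined:
        findings.append(("error", f"server returns priv-lvl={priv_lvl} but role {role} is not defined"))
    elif not any(cfg.roles[role].get(k) for k in
                 ("all-features", "readwrite-features", "readonly-features")):
        findings.append(("error", f"role {role} grants no features"))
    for user, roles in cfg.user_roles.items():
        for r in roles:
            if r not in cfg.roles:
                findings.append(("error", f"user {user} references undefined role {r}"))
    if cfg.user_uid == 0:  # least-privilege review item, not a login blocker
        findings.append(("info", "user-uid 0: TACACS+ logins are mapped to UID 0 at the OS level"))
    return findings


if __name__ == "__main__":
    model = parse_clish(SAMPLE_CLISH)
    for lvl in (15, 7):
        print(lvl, check(model, lvl))
```

Run it against a pasted `show configuration` excerpt to see which `TACP-N` role a given priv-lvl resolves to and whether the role exists and grants features; with the sample above, priv-lvl 15 produces only the UID-0 review note, while priv-lvl 7 reports that `TACP-7` is undefined, which is the shape of failure this thread suspects.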