Fatalis
Explorer

TACACS+ with Check Point Gaia & Cisco ISE — AuthZ Profile Created but Still Getting Denied

Hello everyone,

I’ve been working on integrating our Check Point firewalls (Gaia R81.x) with Cisco ISE for TACACS+ device administration and hit a roadblock that I can’t seem to get past. Hoping someone in the community has run into this and can point me in the right direction. 

Full disclosure: a different team handles Cisco ISE, and I do not have access to look in there myself; I can only go off screenshots shared with me. [I have configured this in two separate environments with the same Gaia Clish configurations. The only things that differ are the TACACS+ servers, Cisco ISE, and user credentials.]

Commands used

add aaa tacacs-servers priority 1 server <TACACS_SERVER_1> key ******** timeout 10
add aaa tacacs-servers priority 2 server <TACACS_SERVER_2> key ******** timeout 10
set aaa tacacs-servers state on
set aaa tacacs-servers user-uid 0
add rba role TACP-0 domain-type System readwrite-features tacacs_enable
add rba role TACP-15 domain-type System all-features
add user <AD_Username> uid 0 homedir /home/<AD_Username>
add rba user <AD_Username> roles TACP-15
set user <AD_Username> gid 100 shell /bin/bash
set user <AD_Username> realname "<AD_Username>"


What works so far

Connectivity is good:

ping, nc -vz <ISE> 49, and tcpdump all confirm the firewall can reach ISE on TCP/49.
IP routes are correct, and ISE is receiving the authentication requests.
Authentication is successful:
ISE Live Logs show Passed-Authentication: Authentication succeeded.
Username is correctly resolved in Active Directory.
Authorization Profile was created:
In ISE, I created a Shell Profile (Checkpoint_Admin) with no custom attributes (mirrors the separate working environment)
The TACACS+ policy matches the correct AD group and returns the profile


The Problem

On Gaia, I still get “Permission denied” when attempting SSH login with TACACS credentials.
Gaia logs show:
PAM-tacplus[…] auth failed: 2 tac_connect: all possible TACACS+ servers failed
In ISE Live Logs, AuthZ shows as 0 (no usable profile) even though the rule hits and the profile is applied.


What's been verified

Verified the shared secret matches on both sides.
Created a new test key just in case — same result.
Verified that show aaa tacacs-servers shows the ISE nodes as up.
Confirmed that the RBA role TACP-15 exists and has “All system features.”


Even with the Shell Profile in place, ISE shows AuthZ profile applied but Gaia still refuses login with “permission denied.”

Is there anything specific in Check Point RBA mappings that I might be missing?

Do ISE Shell Profiles need any attribute other than shell:priv-lvl=15 for Check Point (unlike IOS/NX-OS which only need that one)?

Could this be related to how Gaia interprets the AD group membership via TACACS?

Any advice or pointers would be hugely appreciated.

Thanks in advance!

0 Kudos
18 Replies
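An added example, not code from the post, the SK articles, or Check Point/Cisco: a minimal TACACS+ authentication START builder and REPLY decoder in Python following RFC 8907. It lets you test the server and a candidate shared secret from any host without going through Gaia's PAM stack, which is the isolation step the "auth failed: tac_connect" symptom calls for once the TCP handshake is known to complete. The body obfuscation is the RFC 8907 MD5 pseudo-pad, so a REPLY decoded with the wrong secret turns into noise that fails the status and length sanity checks. The host, user and secret passed to probe() are assumptions; the REPLY fabricated in demo() is constructed, not captured from ISE.

```python
"""TACACS+ (RFC 8907) authentication START builder and REPLY decoder, offline-testable."""
import hashlib
import os
import socket
import struct
from typing import Optional

HDR_FMT = "!BBBBII"   # version, type, seq_no, flags, session_id, body length
HDR_LEN = 12
VERSION_ASCII = 0xC0  # major 0xC, minor 0 (ASCII login)
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01
REPLY_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER", 5: "GETPASS",
                6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5(session_id|key|version|seq_no[|previous digest]), chained."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo-pad; symmetric, so the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(ptype: int, seq_no: int, session_id: int, key: bytes, body: bytes) -> bytes:
    hdr = struct.pack(HDR_FMT, VERSION_ASCII, ptype, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, VERSION_ASCII, seq_no)

def build_authen_start(user: str, key: bytes, session_id: int,
                       port: str = "tty0", rem_addr: str = "0.0.0.0") -> bytes:
    """ASCII LOGIN START (seq_no 1). A server that accepts the session answers GETPASS."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    # action=LOGIN, priv_lvl=0, authen_type=ASCII, service=LOGIN, then the four length bytes
    body = bytes([0x01, 0x00, 0x01, 0x01, len(u), len(p), len(r), 0]) + u + p + r
    return build_packet(TYPE_AUTHEN, 1, session_id, key, body)

def build_authen_reply(status: int, server_msg: bytes, key: bytes, session_id: int) -> bytes:
    """Server-side REPLY (seq_no 2); used here only to fabricate a reply for the offline demo."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg
    return build_packet(TYPE_AUTHEN, 2, session_id, key, body)

def parse_authen_reply(packet: bytes, key: bytes) -> Optional[dict]:
    """Decode a REPLY with a candidate key. The header is cleartext; a wrong key turns the body
    into noise that fails the status/length checks, so None means secret mismatch (or not a REPLY)."""
    if len(packet) < HDR_LEN:
        return None
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HDR_FMT, packet[:HDR_LEN])
    if ptype != TYPE_AUTHEN or length < 6 or len(packet) != HDR_LEN + length:
        return None
    body = packet[HDR_LEN:]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, _rflags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if status not in REPLY_STATUS or 6 + msg_len + data_len != length:
        return None
    return {"seq_no": seq_no, "status": REPLY_STATUS[status],
            "server_msg": body[6:6 + msg_len].decode(errors="replace"),
            "data": body[6 + msg_len:6 + msg_len + data_len]}

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection before a full REPLY")
        buf += chunk
    return buf

def probe(host: str, key: bytes, user: str, port: int = 49, timeout: float = 5.0) -> Optional[dict]:
    """Live check against a hypothetical target: connect, send START, decode the first REPLY."""
    session_id = struct.unpack("!I", os.urandom(4))[0]
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_authen_start(user, key, session_id))
        hdr = _recv_exact(s, HDR_LEN)
        body = _recv_exact(s, struct.unpack(HDR_FMT, hdr)[5])
    return parse_authen_reply(hdr + body, key)

def demo():
    """Offline: a fabricated GETPASS REPLY decoded with the right key and with a wrong one."""
    session_id, key = 0x1A2B3C4D, b"correct-secret"   # constructed values
    reply = build_authen_reply(5, b"Password: ", key, session_id)
    return parse_authen_reply(reply, key), parse_authen_reply(reply, b"wrong-secret")

if __name__ == "__main__":
    good, bad = demo()
    print("right secret ->", good)
    print("wrong secret ->", bad)
    # live: probe("tacacs.example.internal", b"<shared-secret>", "alice")
```

If probe() raises ConnectionError, the server completed the TCP handshake and then closed without a REPLY, which is what a rejected client address or an unknown NAD looks like from the wire; if it returns None, the header arrived but the body did not decode, pointing at the secret; GETPASS means the secret and the NAD entry are fine and the problem lies in the later authentication or authorization exchange.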
Chris_Atkinson
Employee

Is access via the GAiA UI and console access also affected, and which version/JHF is the gateway?

CCSM R77/R80/ELITE
0 Kudos
Fatalis
Explorer

Hi Chris thank you for replying,

Both the Gaia web UI and console access are affected. Our devices in this particular environment are mostly R81.10 Take 156. I did recently remove old RADIUS configurations that had not worked, thinking there may have been a conflict between the two. Unfortunately, that did not resolve the underlying issue either.

0 Kudos
the_rock
Legend

Hey @Fatalis 

I would confirm with tcpdump and fw monitor that you see the communication from the fw itself. Not sure what port this is related to, but let's assume, for argument's sake, it's 777; you can try the below:

tcpdump -enni any port 777

fw monitor -e "accept port(777);"

See what you get...based on output of those, it should give us better idea.

Best.

Andy

0 Kudos
Fatalis
Explorer

Hi Rock,

The tcpdump over TACACS port 49 shows a three-way handshake between the security gateway and the TACACS server. However, at the very start, with tail -f /var/log/messages | grep -i tac the following error pops up:
PAM-tacplus[…] auth failed: 2 tac_connect: [still finishes the three-way handshake despite the failure]

With fw monitor we can see it going in and out the designated ports to reach the TACACS server and come back, i.e. i, I, o, O.

There is a firewall that sits in front of the TACACS server which picks up on the cluster VIP when running the fw monitor command, which should be as expected.


Attempting login to that firewall I just mentioned, which sits directly in front of that TACACS server, also results in the same errors.

 

I would think it could be related to AD permissions, but to my knowledge ISE (TACACS+) will pull the AD group associated with the AD user and then give it the Shell Profile privilege that is configured within ISE for privilege levels.

0 Kudos
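An added example, not from the thread: a small Python parser that groups the TCP/49 lines of a `tcpdump -nn` capture by client source address and connection, and separates connections that never got a SYN-ACK from those that completed the handshake but never received a TACACS+ payload from the server, and from those with a real exchange. That is the distinction that matters when PAM-tacplus reports tac_connect failures while the three-way handshake looks fine. The sample capture text is constructed; 10.10.0.5 (management IP), 10.10.0.100 (cluster VIP) and 10.20.0.49 (TACACS+ server) are placeholders.

```python
"""Classify TCP/49 conversations in `tcpdump -nn` output by client source IP."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Matches the TCP summary part of a tcpdump line; anything before the 4-tuple (timestamp,
# "IP", -e link-layer info) is ignored. `length N` on a TCP line is the payload length.
LINE_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)"
)

# Constructed capture, not from the thread. 10.10.0.5 = management IP, 10.10.0.100 = cluster
# VIP, 10.20.0.49 = TACACS+ server. Three connections: a full exchange, a handshake the server
# closes without ever sending a REPLY, and a SYN from the VIP that is never answered.
SAMPLE = """\
10:01:00.000100 IP 10.10.0.5.51000 > 10.20.0.49.49: Flags [S], seq 1000, win 29200, length 0
10:01:00.000900 IP 10.20.0.49.49 > 10.10.0.5.51000: Flags [S.], seq 5000, ack 1001, win 65535, length 0
10:01:00.001000 IP 10.10.0.5.51000 > 10.20.0.49.49: Flags [.], ack 1, win 229, length 0
10:01:00.001500 IP 10.10.0.5.51000 > 10.20.0.49.49: Flags [P.], seq 1:37, ack 1, win 229, length 36
10:01:00.010000 IP 10.20.0.49.49 > 10.10.0.5.51000: Flags [P.], seq 1:29, ack 37, win 65535, length 28
10:01:00.010500 IP 10.10.0.5.51000 > 10.20.0.49.49: Flags [F.], seq 37, ack 29, win 229, length 0
10:01:05.000100 IP 10.10.0.5.51001 > 10.20.0.49.49: Flags [S], seq 2000, win 29200, length 0
10:01:05.000900 IP 10.20.0.49.49 > 10.10.0.5.51001: Flags [S.], seq 6000, ack 2001, win 65535, length 0
10:01:05.001000 IP 10.10.0.5.51001 > 10.20.0.49.49: Flags [.], ack 1, win 229, length 0
10:01:05.001500 IP 10.10.0.5.51001 > 10.20.0.49.49: Flags [P.], seq 1:37, ack 1, win 229, length 36
10:01:05.002000 IP 10.20.0.49.49 > 10.10.0.5.51001: Flags [F.], seq 1, ack 37, win 65535, length 0
10:01:10.000100 IP 10.10.0.100.51002 > 10.20.0.49.49: Flags [S], seq 3000, win 29200, length 0
10:01:11.000100 IP 10.10.0.100.51002 > 10.20.0.49.49: Flags [S], seq 3000, win 29200, length 0
"""

def new_flow() -> dict:
    return {"syn": False, "synack": False, "client_data": 0, "server_data": 0,
            "client_close": False, "server_close": False}

def parse_flows(lines: Iterable[str], server_port: int = 49) -> Dict[tuple, dict]:
    """Group packets by (client_ip, client_port, server_ip); both directions land in one record."""
    flows: Dict[tuple, dict] = defaultdict(new_flow)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m["src"], int(m["sport"]), m["dst"], int(m["dport"])
        flags, length = m["flags"], int(m["length"])
        if dport == server_port:                       # client -> server
            f = flows[(src, sport, dst)]
            f["syn"] |= "S" in flags and "." not in flags
            f["client_data"] += length
            f["client_close"] |= "F" in flags or "R" in flags
        elif sport == server_port:                     # server -> client
            f = flows[(dst, dport, src)]
            f["synack"] |= "S" in flags and "." in flags
            f["server_data"] += length
            f["server_close"] |= "F" in flags or "R" in flags
    return dict(flows)

def classify(flow: dict) -> str:
    if not flow["synack"]:
        return "no_reply"          # SYN unanswered: routing, ACL, NAT or asymmetric return path
    if flow["server_data"] == 0:
        return "handshake_only"    # TCP is fine, but the server never sent a TACACS+ REPLY
    return "data_exchanged"        # application-level exchange happened; read PAM/ISE logs next

def report(lines: Iterable[str], server_port: int = 49) -> Dict[str, List[str]]:
    """client source IP -> one classification per connection, in capture order."""
    out: Dict[str, List[str]] = defaultdict(list)
    for (client_ip, _port, _server), flow in parse_flows(lines, server_port).items():
        out[client_ip].append(classify(flow))
    return dict(out)

if __name__ == "__main__":
    for ip, verdicts in report(SAMPLE.splitlines()).items():
        print(ip, verdicts)
```

Feed it a real capture with `tcpdump -nn -i any port 49 | python3 tacflows.py` style piping (reading stdin instead of SAMPLE), and compare the verdicts per source IP: on a cluster member, the management IP and the VIP should both show data_exchanged; a VIP that only ever shows no_reply points at the path between the gateway and the server, not at the TACACS+ configuration.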
the_rock
Legend

Based on all you said, sounds to me that CP side appears to be fine.

Fatalis
Explorer

Yeah, I'm also coming to that same conclusion; just needed some sanity checks.

 

Have a scheduled TAC call with Cisco on Monday, hopefully with more information and a resolution.

I’ll post here for any findings or resolutions after the troubleshooting with Cisco 

the_rock
Legend

Sounds good, please keep us posted.

Andy

0 Kudos
Peter_Lyndley
Advisor

Hi

From what I remember, you should not be defining the usernames on the gateway itself. Try deleting one of the users on the gateway and then try that user again via tacacs.

remove these lines below

add user <AD_Username> uid 0 homedir /home/<AD_Username>
add rba user <AD_Username> roles TACP-15
set user <AD_Username> gid 100 shell /bin/bash
set user <AD_Username> realname "<AD_Username>"

 

0 Kudos
genisis__
Mentor

Is there an SK for this? It would be really good to know how to integrate ISE so there are R/W and RO accounts, with the ISE 3.x/4.x configuration steps as well.

0 Kudos
Peter_Lyndley
Advisor

There are SKs relating to this, for example sk98733 and sk101573

Note - All TACACS+ users must log in to Gaia OS with the password assigned to the default role TACP-0.

Note 2: To get their applicable TACP role in Gaia OS, after this initial login, TACACS+ users must log in a second time with the password assigned to their applicable TACP role.

Also check - Configuring Gaia as a TACACS+ Client

(1)
the_rock
Legend

Thats very good to know @Peter_Lyndley 

Andy

0 Kudos
genisis__
Mentor

good to know, thanks.

0 Kudos
Fatalis
Explorer

Latest troubleshooting with TAC: I discovered that the firewall VIP is making its way to the firewall which sits in front of the TACACS server (i) but never (I, o, O) leaving that firewall toward the TACACS server.

I do see return traffic from the source firewall mgmt IP. Just need to figure out why the traffic hits the port on that TACACS border firewall but never leaves to make its way to that TACACS server. The mgmt IP takes the exact same route and I can see that communication back and forth.

0 Kudos
Fatalis
Explorer

Edit: It was taking the accelerated path. Updated the fw monitor command and verified that communication is returning to the VIP.

0 Kudos
the_rock
Legend

What did Cisco TAC say?

Andy

0 Kudos
Fatalis
Explorer

In the current working environment I tried this as well without a matching local user assigned TACP-15 and it wouldn't work. Only once I manually created each user with the assigned role TACP-15 on the firewall were we finally able to gain access.

Also tried both ways in the broken environment by removing the users and re-adding the user accounts which resulted in the same errors.

0 Kudos
genisis__
Mentor

That's pretty much what we all want, i.e. don't create any accounts on the gateway.

Fatalis
Explorer

Funny enough, I removed the accounts in the working environment and it did in fact work as intended. I may keep the actual local accounts which auth to TACACS since it'll default our admins into /bin/bash. I'll leave the decision up to them once both environments are working.

0 Kudos
