Cisco Support Community
Community Member

Need assistance configuring Cisco ACS 5.4, so a CheckPoint Firewall can authenticate via TACACS

Hello All,

We are trying to move all CheckPoint Firewalls away from using RADIUS for authentication. We have a mandate to migrate all CheckPoint Firewalls to use CISCO ACS (TACACS+) for authentication instead. I've managed to configure the CISCO ACS from reading some Google searches; however, the CheckPoint FW admin is still UNABLE to authenticate using TACACS. If anyone has successfully done this in the past, please let me know what I am missing for this to work. I would greatly appreciate any input from any successful implementations of this.

Below are the configs I have on the CISCO ACS:

Policy Elements::

  • Device Administration
    • Shell Profiles
      • Nokia-IPSO
        • 1. General tab
          • Name: Nokia-IPSO
          • Description: Nokia-IPSO
        • 2. Common Tasks
          • Default Privilege, value = 15
          • Max Privilege, value = 15
        • 3. Custom Attributes tab
          • Attribute/Requirement/Value:
            • Nokia-IPSO-SuperUser-Access=1
            • Mandatory
            • 1
          • Attribute/Requirement/Value:
            • Nokia-IPSO-User-Role=adminRole
            • Mandatory
            • adminRole

Access Policies::

  • Access Services
    • Default Device Admin
      • Authorization
        • Name: Nokia-IPSO
        • LDAP:ExternalGroups, contains any: xx.aaa.bbb-CCC.xx
        • NDG:Device Type: AllDeviceTypes: CheckPointFW
        • Shell Profile: Nokia-IPSO
        • Commands: Full access

After this was configured on the CISCO ACS, the CheckPoint Firewall ADMIN tried to gain access using tacacs+ and received the following ERROR MESSAGES in the CheckPoint Firewall LOGS:

Mar 4 07:32:53 nkcpfw1ny <auth.[LOG_CRIT]> sshd-x[89982]: tac_send_authen: Network read timed out
Mar 4 07:32:53 nkcpfw1ny <auth.[LOG_CRIT]> sshd-x[89982]: tac_send_authen: Network read timed out
Mar 4 07:33:00 nkcpfw1ny <cron.[LOG_INFO]> /usr/sbin/cron[89985]: (operator) CMD (/usr/libexec/save-entropy)
Mar 4 07:33:01 nkcpfw1ny <auth.[LOG_CRIT]> sshd-x[89983]: tac_send_authen: Network read timed out
Mar 4 07:33:01 nkcpfw1ny <auth.[LOG_CRIT]> sshd-x[89983]: tac_send_authen: Network read timed out
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89989]: User is authorized
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89989]: User is authorized
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89989]: Ignoring attribute-value pair from TACACS+ server: priv-lvl=15
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89989]: Ignoring attribute-value pair from TACACS+ server: priv-lvl=15
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89989]: No role(s) received for user charlie from authentication server
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89989]: No role(s) received for user charlie from authentication server
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89980]: Accepted keyboard-interactive/pam for charlie from 172.17.x.y port 62665 ssh2
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_INFO]> sshd-x[89980]: Accepted keyboard-interactive/pam for charlie from 172.17.x.y port 62665 ssh2
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_NOTICE]> sshd-x[89990]: in pam_sm_open_session(): (sshd) session opened for user charlie by root(uid=0)
Mar 4 07:33:09 nkcpfw1ny <auth.[LOG_NOTICE]> sshd-x[89990]: in pam_sm_open_session(): (sshd) session opened for user charlie by root(uid=0)
Mar 4 07:33:10 nkcpfw1ny <local0.[LOG_NOTICE]> clish[89992]: User charlie logged out due to an error from CLI shell
Mar 4 07:33:10 nkcpfw1ny <auth.[LOG_NOTICE]> sshd-x[89990]: in pam_sm_close_session(): (sshd) session closed for user charlie
Mar 4 07:33:10 nkcpfw1ny <auth.[LOG_NOTICE]> sshd-x[89990]: in pam_sm_close_session(): (sshd) session closed for user charlie

Please help! Thanks.

1 REPLY
Community Member

Hello Ohmar,

This works for me:

Policy Elements::

  • Device Administration
    • Shell Profiles
      • Nokia-IPSO
          • 1. General tab
            • Name: Nokia-IPSO
            • Description: Nokia-IPSO
          • 2. Common Tasks
            • Default Privilege, value = 15
            • Max Privilege, value = 15
          • 3. Custom Attributes tab
            • Attribute/Requirement/Value:
              • Nokia-IPSO-SuperUser-Access
              • Mandatory
              • 1
            • Attribute/Requirement/Value:
              • Nokia-IPSO-User-Role
              • Mandatory
              • adminRole

Regards
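As an added illustration (not code from this thread, from Check Point, or from Cisco ACS), the Python below models how the two shell-profile configurations above serialise into TACACS+ authorization AV pairs and what a client that splits each pair at its first separator makes of them. The rule that the server emits name, separator and value verbatim, and the wire pairs built for the first profile, are my assumptions, labelled as such in the code.

```python
from typing import List, Tuple

# An RFC 8907 AV pair is "attr=value" (mandatory) or "attr*value" (optional);
# the attribute name ends at the first separator, so it cannot contain one.
SEPARATORS = "=*"

def build_av_pair(attribute: str, value: str, mandatory: bool = True) -> str:
    """Serialise one shell-profile custom attribute as a wire AV pair.
    Assumption: the server emits name, separator and value verbatim, so a
    name field that already carries "=value" is rejected instead of doubled."""
    if any(ch in attribute for ch in SEPARATORS):
        raise ValueError(f"attribute name must not contain '=' or '*': {attribute!r}")
    return f"{attribute}{'=' if mandatory else '*'}{value}"

def parse_av_pair(pair: str) -> Tuple[str, str, bool]:
    """Split at the first separator, as a TACACS+ client does."""
    for i, ch in enumerate(pair):
        if ch in SEPARATORS:
            return pair[:i], pair[i + 1:], ch == "="
    raise ValueError(f"not an AV pair: {pair!r}")

# Constructed role table for the check; "adminRole" is the role used in the thread.
KNOWN_ROLES = {"adminRole"}

def roles_from_pairs(pairs: List[str]) -> List[str]:
    """Roles a role-based client accepts; priv-lvl and unknown values are ignored."""
    roles = []
    for pair in pairs:
        attr, value, _mandatory = parse_av_pair(pair)
        if attr == "Nokia-IPSO-User-Role" and value in KNOWN_ROLES:
            roles.append(value)
    return roles

# Constructed wire pairs for the original poster's profile, assuming the name
# field that already contained "=1" / "=adminRole" had the value appended again.
BROKEN_PAIRS = [
    "Nokia-IPSO-SuperUser-Access=1=1",
    "Nokia-IPSO-User-Role=adminRole=adminRole",
    "priv-lvl=15",
]
# Wire pairs for the profile in the reply (name and value kept separate).
FIXED_PAIRS = [
    build_av_pair("Nokia-IPSO-SuperUser-Access", "1"),
    build_av_pair("Nokia-IPSO-User-Role", "adminRole"),
    build_av_pair("priv-lvl", "15"),
]
```

With the first profile the client parses the role value as "adminRole=adminRole", which matches no role and leaves the session with none, while the second profile yields "adminRole".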
