Hi,
I have been looking for the proper configuration between Checkpoint and Clearpass for the last couple of days... and sadly have come up empty. I reached out to Checkpoint TAC and went through 5 (yes, 5) more or less clueless engineers that basically told me to check the documentation... which I already did, and even they couldn't explain or guide me in any way. Here is what is happening.
I can log in to the Checkpoint appliance, but in an improper way... Basically, Clearpass gives me the proper enforcement profile but states "Authorization" 0... The last time I saw something similar, I was configuring Riverbed TACACS and the issue was that they used a specific VSA called "local-user-name". Until I had done that (and replaced shell privilege), I was able to log in, but again, it didn't care which group I was in or the enforcement profile I was getting... I was just pushed through. Obviously, that's bad...
I asked Checkpoint if they had their own VSA and they told me no, we don't... So I am currently using Shell priv-lvl 0 and 15, but obviously, this isn't working as intended. Just to prove it isn't working, I asked a colleague who isn't part of the user group that should have access, and he was still able to log in... He gets a Deny enforcement profile, but the appliance doesn't care and lets him through. Same with the local admin account, which shouldn't work... it still gets in.
Has anyone had the pleasure of working with Checkpoints (feel the sarcasm) and Clearpass who could indicate whether they found the proper VSA configuration to make this work? Any help would be greatly appreciated... even an idea could point me in the right direction.
If you have any questions or want more configuration information, please don't hesitate to let me know.