I have been looking for the proper configuration between Check Point and ClearPass for the last couple of days, and sadly have come up empty. I reached out to Check Point TAC and went through 5 (yes, 5) more or less clueless engineers who basically told me to check the documentation, which I had already done; even they couldn't explain or guide me in any way. Here is what is happening.
I can log in to the Check Point appliance, but in an improper way. Basically, ClearPass gives me the proper enforcement profile but reports "Authorization" 0. The last time I saw something similar, I was configuring Riverbed TACACS, and the issue was that they used a specific VSA called "local-user-name". Until I had done that (and replaced shell privilege), I was able to log in, but again, it didn't care which group I was in or which enforcement profile I was getting; I was just pushed through. Obviously, that's bad.
I asked Check Point if they had their own VSA and they told me no, they don't. So I am currently using Shell priv-lvl 0 and 15, but obviously this isn't working as intended. Just to prove it isn't working, I asked a colleague who isn't part of the user group that should have access, and he was still able to log in. He gets a Deny enforcement profile, but the appliance doesn't care and lets him through. Same with the local admin account, which shouldn't work: it still gets in.
Has anyone had the pleasure of working with Check Point (feel the sarcasm) and ClearPass who could tell me whether they found the proper VSA configuration to make this work? Any help would be greatly appreciated; even an idea could point me in the right direction.
If you have any questions or want more configuration information, please don't hesitate to let me know.
You may use the enforcement profile below for your issue.
Where the value
<!-- ClearPass TACACS+ enforcement profile export: Shell service, authorization PASS_REPL, privilege level 15 -->
<TacacsEnfProfile description="SampleCheckpoint TACACS Enf Prof" name="Checkpoint TACACS Enf Prof" autzStatus="PASS_REPL" maxPrivLevel="15">
  <ServiceNameList>
    <string>Shell</string>
  </ServiceNameList>
  <ServiceAttrList>
    <RulesCondition valueDispName="TACP-15" value="TACP-15" oper="EQUALS" name="Role" type="Shell"/>
  </ServiceAttrList>
  <CmdAutzSet permitUnmatchedCmds="true" type="shell"/>
</TacacsEnfProfile>
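As an added example (not code from this thread, from Aruba or from Check Point): a small Python script that parses a ClearPass TACACS+ enforcement-profile export of the shape shown above and reports what ClearPass would answer to a shell authorization request. It assumes that ClearPass encodes the shell privilege level as Role="TACP-<n>" and that autzStatus uses the RFC 8907 authorization status names (PASS_ADD, PASS_REPL, FAIL, ERROR, FOLLOW); the "deny" profile in it is constructed for illustration, not exported from a real server. The script can confirm that a profile really returns FAIL and priv-lvl 0, but, as the original poster found, whether the appliance honours that answer is up to the NAS, not ClearPass.

```python
"""Inspect exported ClearPass TACACS+ enforcement profiles (added example).

Assumptions (not confirmed by the thread):
  - the XML shape matches the export posted in the answer above;
  - ClearPass encodes a shell privilege level as Role="TACP-<n>";
  - autzStatus carries the RFC 8907 status names (PASS_ADD, PASS_REPL, FAIL, ...).
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the profile from the answer, reformatted.
SAMPLE_PROFILE = """<TacacsEnfProfile description="SampleCheckpoint TACACS Enf Prof"
    name="Checkpoint TACACS Enf Prof" autzStatus="PASS_REPL" maxPrivLevel="15">
  <ServiceNameList><string>Shell</string></ServiceNameList>
  <ServiceAttrList>
    <RulesCondition valueDispName="TACP-15" value="TACP-15" oper="EQUALS" name="Role" type="Shell"/>
  </ServiceAttrList>
  <CmdAutzSet permitUnmatchedCmds="true" type="shell"/>
</TacacsEnfProfile>"""

# Constructed "deny" variant (assumed shape): authorization FAIL, priv-lvl 0, no commands.
DENY_PROFILE = """<TacacsEnfProfile description="constructed deny profile"
    name="Checkpoint TACACS Deny" autzStatus="FAIL" maxPrivLevel="0">
  <ServiceNameList><string>Shell</string></ServiceNameList>
  <ServiceAttrList>
    <RulesCondition valueDispName="TACP-0" value="TACP-0" oper="EQUALS" name="Role" type="Shell"/>
  </ServiceAttrList>
  <CmdAutzSet permitUnmatchedCmds="false" type="shell"/>
</TacacsEnfProfile>"""

PASS_STATUSES = ("PASS_ADD", "PASS_REPL")


def parse_profile(xml_text):
    """Reduce a TacacsEnfProfile export to the fields that decide a shell login."""
    root = ET.fromstring(xml_text)
    if root.tag != "TacacsEnfProfile":
        raise ValueError("not a TacacsEnfProfile export: <%s>" % root.tag)
    services = [s.text for s in root.findall("./ServiceNameList/string")]
    priv = None
    for cond in root.findall("./ServiceAttrList/RulesCondition"):
        # Assumed ClearPass convention: Role=TACP-<n> is the shell privilege level.
        m = re.fullmatch(r"TACP-(\d{1,2})", cond.get("value") or "")
        if cond.get("name") == "Role" and m:
            priv = int(m.group(1))
    cmd = root.find("CmdAutzSet")
    permit_unmatched = (cmd is not None
                        and cmd.get("permitUnmatchedCmds", "false").lower() == "true")
    return {
        "name": root.get("name"),
        "autz_status": root.get("autzStatus"),
        "max_priv_level": int(root.get("maxPrivLevel", "0")),
        "services": services,
        "shell_priv_level": priv,
        "permit_unmatched_cmds": permit_unmatched,
    }


def authorizes_shell(profile):
    """True if ClearPass would answer a shell authorization request with PASS."""
    return profile["autz_status"] in PASS_STATUSES and "Shell" in profile["services"]


def findings(profile):
    """Things an operator should know before attaching this profile to a NAD."""
    out = []
    priv = profile["shell_priv_level"]
    if priv is not None and priv > profile["max_priv_level"]:
        out.append("shell priv-lvl %d exceeds maxPrivLevel %d"
                   % (priv, profile["max_priv_level"]))
    if authorizes_shell(profile) and priv == 15 and profile["permit_unmatched_cmds"]:
        out.append("full shell: priv-lvl 15 with unmatched commands permitted")
    return out


if __name__ == "__main__":
    for text in (SAMPLE_PROFILE, DENY_PROFILE):
        p = parse_profile(text)
        print("%-28s autz=%-9s priv=%s pass=%s %s"
              % (p["name"], p["autz_status"], p["shell_priv_level"],
                 authorizes_shell(p), "; ".join(findings(p)) or "no findings"))
```

Run it against your own exports (Administration > Dictionaries / the XML export from the Enforcement Profiles page): if the profile the denied colleague hits still shows autz=PASS_* or priv-lvl 15, the problem is the ClearPass policy; if it shows FAIL and he still gets in, the appliance is authenticating only and ignoring the authorization reply.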
I went through the same frustration months ago, so we reached a compromise between me, the NAC (TACACS) team, and the Security Team:
I created a TACACS service just for Check Point that only checks that the user is authenticated, then passes them through with Shell priv-lvl 15 to Check Point. In Check Point > Manage & Settings > Permissions & Administrators > Administrators, Check Point SmartConsole can configure who gets access and at what level.
© Copyright 2021 Hewlett Packard Enterprise Development LP. All Rights Reserved.