
Checkpoint Firewalls and Clearpass TACACS

  • 1.  Checkpoint Firewalls and Clearpass TACACS

    Posted Aug 02, 2018 02:13 PM



    I have been looking for the proper configuration between Checkpoint and Clearpass for the last couple of days... and sadly have come up empty. I reached out to Checkpoint TAC and went through 5 (yes, 5) more or less clueless engineers that basically told me to check the documentation... which I already did, and even they couldn't explain or guide me in any way. Here is what is happening.


    I can log in to the Checkpoint appliance, but in an improper way... Basically, Clearpass gives me the proper enforcement profile but states "Authorization" 0... The last time I saw something similar, I was configuring Riverbed TACACS and the issue was that they used a specific VSA called "local-user-name". Until I had done that (and replaced the shell privilege), I was able to log in, but again, it didn't care which group I was in or the enforcement profile I was getting... I was just pushed through. Obviously, that's bad...


    I asked Checkpoint if they had their own VSA and they told me no, we don't... So I am currently using Shell priv-lvl 0 and 15, but obviously, this isn't working as intended. Just to prove it isn't working, I asked a colleague who isn't part of the user group that should have access, and he still was able to log in... He gets a Deny enforcement profile, but the appliance doesn't care and lets him through. Same with the local admin account, which shouldn't work... still gets in.


    Has anyone had the pleasure of working with Checkpoints (feel the sarcasm) and Clearpass that could indicate if they found the proper VSA configuration to make this work? Any help would be greatly appreciated... even an idea could point me in the right direction.


    If you have any questions or want more configuration information, please don't hesitate to let me know.

  • 2.  RE: Checkpoint Firewalls and Clearpass TACACS

    Posted Aug 29, 2018 03:26 AM

    You may use the below enforcement profile for your issue,

    where the values are:

    • TACP-0 is for Read-only Users
    • TACP-15 is for Read-write Users


    <TacacsEnfProfile description="SampleCheckpoint TACACS Enf Prof" name="Checkpoint TACACS Enf Prof" autzStatus="PASS_REPL" maxPrivLevel="15">
        <RulesCondition valueDispName="TACP-15" value="TACP-15" oper="EQUALS" name="Role" type="Shell"/>
        <CmdAutzSet permitUnmatchedCmds="true" type="shell"/>
    </TacacsEnfProfile>

  • 3.  RE: Checkpoint Firewalls and Clearpass TACACS

    Posted Aug 29, 2018 04:31 PM

    I have gone through the same frustration months ago, so we have a compromise between me (NAC/TACACS) and the Security Team:

    I created a TACACS service just for CheckPoint that only checks for an authenticated user and then passes through Shell priv-lvl 15 to CheckPoint. In CheckPoint > Manage & Settings > Permissions & Administrators > Administrators, CheckPoint SmartConsole can configure who gets access and at what level.