Occasional Contributor II

Checkpoint Firewalls and Clearpass TACACS



I have been looking for the proper configuration between Checkpoint and Clearpass for the last couple of days.. and sadly have come up empty. I reached out to Checkpoint TAC and went through 5(yes 5) more or less clueless engineers that basically told me to check the documentation... which I already did and even they couldn't explain or guide me in any way. Here is what is happening.


I can login to the checkpoint appliance but in an inproper way... Basically, Clearpass gives me the proper enforcement profile but states "Authorization" 0... The last time I saw something similar, I was configuring Riverbed TACACS and the issue was that they used a specific VSA called " local-user-name". Until I had done that(and replaced shell privilege), I was able to login but again, it didn't care which group I was in or the enforcement profile I was getting.. I was just pushed through. Obviously, that's bad...


I asked Checkpoint if they had their own VSA and they told me no we don't.. So I am currently using Shell Privl-lvl 0 and 15, but obviously, this isn't working as intended. Just to prove it isn't working, I asked a colleague who isn't part of the user group that should have access and he still was able to login... He gets a Deny Enforcement profile, but the appliance doesn't care and let's him through. Same with the local admin account which shouldn't work.. still gets in.


Has anyone had the pleasure of working with Checkpoints(feel the sarcasm) and Clearpass that could indicate if they found the proper VSA configuration to make this work? Any help would be greatly appreciated.. even an idea could point me in the right direction. 


If you have any questions or want more configuration information, please don't hesitate to let me know.

New Contributor

Re: Checkpoint Firewalls and Clearpass TACACS

You may use the below enforcement profile for your issue.

Where the value

  • TACP-0 is for Read-only Users
  • TACP-15 is for Read-write Users


<TacacsEnfProfile description="SampleCheckpoint TACACS Enf Prof" name="Checkpoint TACACS Enf Prof" autzStatus="PASS_REPL" maxPrivLevel="15">
<RulesCondition valueDispName="TACP-15" value="TACP-15" oper="EQUALS" name="Role" type="Shell"/>
<CmdAutzSet permitUnmatchedCmds="true" type="shell"/>

Super Contributor II

Re: Checkpoint Firewalls and Clearpass TACACS

I have gone through the same frustration months ago, so we have a compromise between me the NAC (TACACS) and Security Team:

I create a TACACS service just for CheckPoint that only checks for authenticated user then pass thru with Shell privl-lvl 15 to CheckPoint. In CheckPoint > Manage & Settings > Permisions & Administrators > Administrators, CheckPoint Smart Console can configure who get access and at what level.   


~Trinh Nguyen~
Boys Town
Search Airheads
Showing results for 
Search instead for 
Did you mean: