CPUG: The Check Point User Group

Thread: TACACS configuration and SIC Reset

  #1 (Join Date: 2013-05-06, Posts: 6)

    TACACS configuration and SIC Reset

    Hello all,

    I was working on an environment with an IPSO R75 cluster. We were resetting SIC due to a management IP/hostname change. When we reset SIC on the first firewall, we lost SSH access. The device is still pingable. When we ran unloadlocal from the console cable, we could SSH normally. We encountered a "load on module failed" error and rebooted during troubleshooting of that issue. After the reboot, users (all of whom are TACACS based) cannot authenticate. Is this expected behavior? I've never had issues with losing TACACS in SPLAT or GAIA.

    We even tried going into single user mode and editing the user's password hash to a known hash we created, and still weren't able to get in.

  #2 (Join Date: 2005-08-14, Location: Gig Harbor, WA, USA, Posts: 2,369)

    Re: TACACS configuration and SIC Reset

    Editing /etc/shadow won't work since it will be regenerated on reboot by xpand anyway.
    You have to set the immutable flag on the file so xpand can't overwrite it (chattr +i, if I recall correctly).

    It sounds like the TACACS configuration somehow got clobbered or the policy is blocking access to the TACACS server (which would cause the same issue).
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  #3 (Join Date: 2011-08-02, Location: http://spikefishsolutions.com, Posts: 1,409)

    Re: TACACS configuration and SIC Reset

    Quote Originally Posted by jcstefansson (post #1 above):
    This sounds like multiple issues here.

    I'm going to guess address spoofing is the reason for the SSH drop. Just guessing, since it sounds like there are new networks and possibly you're SSHing from a new network. If Tracker access is down, fw ctl zdebug drop on the firewall will show you why stuff is getting denied.

    Load on module failure requires debugging the policy install. I just got this right for the debug of atomic load:

    fw -d fetchlocal -d $FWDIR/state/__tmp/FW1 >& ~/debug-policy.txt

    You might be running initial policy now as well come to think of it. What does fw stat show?

    As for TACACS, you haven't stated if you're getting a connection to the TACACS server or not. My guess is not. Verify connectivity with tcpdump / fw monitor / netstat -an. Granted, if you're still having policy issues, that will need to be addressed before fixing TACACS.

    The FreeBSD version of chattr is:

    chflags schg

    Also, I don't remember all the password files on IPSO. I think changes to the hash in whatever the shadow file is called have to be done with vipw, which would update the master password database. I don't remember what the file is called, but just sort /etc by date after using vipw and see which files changed, then chflags everything you want to keep.

    This is assuming it's not flash-based IPSO, BTW.
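As an added illustration of the suggestion above to read fw ctl zdebug drop output when SSH is being dropped (this is not code from the thread, from Check Point, or from the poster): a small Python parser that groups drop lines by reason and by flow, so repeated anti-spoofing drops on the SSH port stand out from ordinary rulebase drops. The sample lines are constructed for this example and only approximate the real output format; the regular expression is an assumption and will need adjusting to the exact output of your version.

```python
import re
from collections import Counter

# Constructed sample lines approximating `fw ctl zdebug drop` output.
# The format is an assumption; adjust DROP_RE to your version's output.
SAMPLE = """\
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.20.5.17:51244 -> 10.20.1.1:22 dropped by fw_antispoof_log_drop Reason: Address spoofing;
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.20.5.17:51246 -> 10.20.1.1:22 dropped by fw_antispoof_log_drop Reason: Address spoofing;
;[cpu_1];[fw4_1];fw_log_drop_ex: Packet proto=1 192.0.2.9:0 -> 10.20.1.1:0 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 12;
;[cpu_1];[fw4_1];fw_log_drop_ex: Packet proto=6 10.20.5.17:51250 -> 10.20.1.1:22 dropped by fw_antispoof_log_drop Reason: Address spoofing;
"""

# Pulls protocol, source, destination and the drop reason out of one line.
DROP_RE = re.compile(
    r"proto=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"dropped by (?P<func>\S+)\s+Reason:\s*(?P<reason>[^;]+)"
)


def parse_drops(text):
    """Return one dict per recognised drop line; unmatched lines are skipped."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            d = m.groupdict()
            d["reason"] = d["reason"].strip()
            drops.append(d)
    return drops


def summarize(drops):
    """Count drops per (reason, src, dst, dport) so repeated flows stand out."""
    return Counter((d["reason"], d["src"], d["dst"], d["dport"]) for d in drops)


def ssh_spoof_drops(drops, dport="22"):
    """Flows to the SSH port dropped for an address-spoofing reason: the case
    suspected above when SSH dies right after a management re-addressing."""
    return [d for d in drops
            if d["dport"] == dport and "spoof" in d["reason"].lower()]


if __name__ == "__main__":
    drops = parse_drops(SAMPLE)
    for key, n in summarize(drops).most_common():
        print(n, *key)
    print("SSH anti-spoofing drops:", len(ssh_spoof_drops(drops)))
```

Capture the real output to a file first (for example with a redirect, as done for the fetchlocal debug above) and feed that file to parse_drops instead of SAMPLE.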

  #4 (Join Date: 2013-05-06, Posts: 6)

    Re: TACACS configuration and SIC Reset

    Updating the thread with what we wound up doing:
    https://supportcenter.checkpoint.com...oduct=Security
    We used this SK procedure to reset the admin, which let us run fw unloadlocal; then we could establish SIC and push the correct policy, after which TACACS and SSH resumed working normally.
