End-of-Life (EoL)

Configure a TACACS+ Server Profile

Terminal Access Controller Access-Control System Plus (TACACS+) provides better authentication security than RADIUS because it encrypts usernames and passwords (instead of just passwords), and it is also more reliable because it uses TCP instead of UDP.
When you predefine dynamic administrator roles on the server, use lower case to specify the role (for example, enter superuser, not SuperUser).
When authenticating to the TACACS+ server, the firewall first tries Challenge-Handshake Authentication Protocol (CHAP) and falls back to Password Authentication Protocol (PAP) if the server rejects the CHAP request. This happens if, for example, the server doesn't support CHAP or isn't configured for CHAP. CHAP is the preferred protocol because it is more secure than PAP. After falling back to PAP for a particular TACACS+ server, the firewall uses only PAP in subsequent attempts to authenticate to that server. The firewall records a fallback to PAP as a medium severity event in the System logs. If you modify any fields in the TACACS+ server profile and then commit the changes, the firewall reverts to first trying CHAP for that server.
  1. Add a TACACS+ server profile.
    1. Select Device > Server Profiles > TACACS+ and click Add.
    2. Enter a Profile Name to identify the server profile.
    3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
    4. For the Timeout, enter an interval in seconds after which an authentication request times out (range is 1-20, default is 3).
    5. Select the Use single connection for all authentication check box to use the same TCP session for all authentications that use this profile. This option improves performance by avoiding the need to start and end a separate TCP session for each authentication. The check box is cleared by default.
    6. For each TACACS+ server, click Add and enter a Name (to identify the server), the server IP address or FQDN (TACACS+ Server field), the Secret and Confirm Secret (a key to encrypt usernames and passwords), and the server Port for authentication requests (default is 49).
       If you use an FQDN address object to identify the server and you subsequently change the address, you must commit the change for the new server address to take effect.
    7. Click OK.
  2. Implement the TACACS+ server profile.
    1. Assign the TACACS+ server profile to an authentication profile or sequence.
    2. Test a TACACS+ Authentication Profile to verify that the firewall or Panorama can connect to the TACACS+ server.
    3. Commit your changes.
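To show what the Secret from step 6 actually protects on the wire, the following added example (written for this page, not Palo Alto Networks code) builds a TACACS+ authentication START packet carrying a PAP username and password, obfuscates the body with the chained-MD5 pad that RFC 8907 derives from the shared secret (the RFC calls this obfuscation rather than encryption), and decodes it again. It also sets the single-connect header flag that corresponds to the "Use single connection" option; the session id, secret and credentials are constructed values.

```python
import hashlib
import struct

# Header constants from RFC 8907 (TACACS+).
TAC_PLUS_VERSION = 0xC0              # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01               # packet type: authentication
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04  # client asks to reuse one TCP session
AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x02, 0x01

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: a chained-MD5 keystream seeded with the shared secret."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(prefix + block).digest()   # pad_n = MD5(prefix + pad_n-1)
        pad += block
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; XOR is its own inverse, so this also deobfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def authen_start_pap(user: str, password: str, port: str = "console", rem_addr: str = "") -> bytes:
    """Authentication START body; for PAP the password travels in the data field."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    return struct.pack("!8B", AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN,
                       len(u), len(p), len(r), len(d)) + u + p + r + d

def build_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1,
                 single_connect: bool = False) -> bytes:
    """12-byte header (sent in the clear) followed by the obfuscated body."""
    flags = TAC_PLUS_SINGLE_CONNECT_FLAG if single_connect else 0
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)

def decode_packet(packet: bytes, key: bytes) -> dict:
    """Deobfuscate with the given key and split the START body back into its fields."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = obfuscate(packet[12:12 + length], session_id, key, version, seq_no)
    ul, pl, rl, dl = body[4:8]      # field lengths; garbage unless the secret matches
    off, fields = 8, {}
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[off:off + n]
        off += n
    fields["single_connect"] = bool(flags & TAC_PLUS_SINGLE_CONNECT_FLAG)
    return fields
```

Decoding with a secret other than the one used to build the packet yields unrelated bytes, which is why a mismatched Secret on the firewall and the server shows up as authentication failures rather than as a clear-text leak.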
