Terminal Access Controller Access-Control
System Plus (TACACS+) protocol provides better authentication security
than RADIUS because it encrypts usernames and passwords (instead
of just passwords), and is also more reliable (it uses TCP instead
When you predefine dynamic administrator roles
on the server, use lower-case to specify the role (for example,
authenticating to the TACACS+ server, the firewall first tries Challenge-Handshake
Authentication Protocol (CHAP) and falls back to Password Authentication
Protocol (PAP) if the server rejects the CHAP request. This will
happen if, for example, the server doesn’t support CHAP or isn’t
configured for CHAP. CHAP is the preferred protocol because it is
more secure than PAP. After falling back to PAP for a particular
TACACS+ server, the firewall uses only PAP in subsequent attempts
to authenticate to that server. The firewall records a fallback
to PAP as a medium-severity event in the System logs. If you modify
any fields in the TACACS+ server profile and then commit the changes,
the firewall reverts to first trying CHAP for that server.
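The per-server fallback behaviour described above, written out as a small state tracker. This is an added example and not Palo Alto Networks code; the TacacsServerState class, the AuthOutcome values, the log line text and the simplification that the server either accepts CHAP as a method or rejects it outright are all assumptions for illustration.

```python
"""Model of the per-server CHAP-to-PAP fallback described in the text.

Added example, not vendor code. Class names, the log format and the
accept/reject simplification are assumptions for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Protocol(Enum):
    CHAP = "CHAP"
    PAP = "PAP"


@dataclass
class AuthOutcome:
    protocol_used: Protocol   # which protocol the attempt actually used
    success: bool             # whether the credentials were accepted


@dataclass
class TacacsServerState:
    """Tracks which protocol the firewall will try next for one TACACS+ server."""
    name: str
    next_protocol: Protocol = Protocol.CHAP          # CHAP is tried first
    system_log: list = field(default_factory=list)   # stand-in for the System log

    def authenticate(self, server_supports_chap: bool, credentials_valid: bool) -> AuthOutcome:
        """One authentication attempt against this server.

        server_supports_chap: whether the server accepts CHAP requests at all
        (assumption: a server that does not support or is not configured for
        CHAP rejects the CHAP request).
        credentials_valid: whether the supplied username/password are correct.
        """
        if self.next_protocol is Protocol.CHAP:
            if server_supports_chap:
                return AuthOutcome(Protocol.CHAP, credentials_valid)
            # Server rejected CHAP: record the fallback as a medium-severity
            # event and retry with PAP. From now on only PAP is used for this
            # server until the profile is changed and committed.
            self.system_log.append(
                f"severity=medium subtype=auth server={self.name} "
                f"msg='CHAP rejected, falling back to PAP'"
            )
            self.next_protocol = Protocol.PAP
        return AuthOutcome(Protocol.PAP, credentials_valid)

    def commit_profile_change(self) -> None:
        """Committing a change to the TACACS+ server profile resets the server
        to trying CHAP first again."""
        self.next_protocol = Protocol.CHAP


def fallback_events(state: TacacsServerState) -> list:
    """Return only the fallback log lines, the ones a SOC would want to alert on,
    since a persistent PAP fallback means passwords are no longer protected by CHAP."""
    return [line for line in state.system_log if "falling back to PAP" in line]


if __name__ == "__main__":
    srv = TacacsServerState("tacacs-primary")
    print(srv.authenticate(server_supports_chap=False, credentials_valid=True))
    print(srv.authenticate(server_supports_chap=True, credentials_valid=True))  # still PAP
    for line in fallback_events(srv):
        print(line)
```

The point worth watching operationally is the stickiness: once a server has caused a fallback, every later attempt uses PAP even if the server later gains CHAP support, so the medium-severity log entry is the only signal until someone commits the profile.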
Add a TACACS+ server profile.
the server profile.
For a firewall with more than one virtual system (vsys),
where the profile is available.
, enter an interval
in seconds after which an authentication request times out (range
is 1-20, default is 3).
Use single connection for all
check box to use the same TCP session
for all authentications that use this profile. This option improves
performance by avoiding the need to start and end a separate TCP
session for each authentication. The check box is cleared by default.
For each TACACS+ server, click
(to identify the server), server
IP address or FQDN (
(a key to encrypt usernames and passwords), and
for authentication requests (default
If you use an FQDN address object to identify the
server and you subsequently change the address, you must commit
the change for the new server address to take effect.
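To show what the shared secret in the server profile actually protects, here is the TACACS+ packet-body obfuscation from RFC 8907 section 4.5, where the body is XORed with an MD5-derived pseudo-pad keyed by the session ID, the secret, the version byte and the sequence number. This is an added example and not Palo Alto Networks code; the packet values (session ID, sequence number, sample body) are constructed, and `obfuscate_body` is a function name chosen here, not a vendor API.

```python
"""TACACS+ body obfuscation (RFC 8907 section 4.5), as an added illustration.

pad_1 = MD5(session_id || key || version || seq_no)
pad_n = MD5(session_id || key || version || seq_no || pad_{n-1})
body  = body XOR (pad_1 || pad_2 || ...)[:len(body)]

The same function both obfuscates and de-obfuscates. Sample values below
are constructed for the example; the function name is an assumption.
"""
import hashlib
import struct

TACACS_VERSION = 0xC0   # major version 0xC, minor version 0
FLAG_UNENCRYPTED = 0x01 # header flag: body sent in the clear (avoid in production)


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Generate `length` bytes of MD5 keystream exactly as the RFC specifies."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate_body(body: bytes, key: bytes, session_id: int, seq_no: int,
                   version: int = TACACS_VERSION) -> bytes:
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_header(seq_no: int, session_id: int, body_len: int, flags: int = 0,
                 packet_type: int = 0x01) -> bytes:
    """12-byte TACACS+ header: version, type, seq_no, flags, session_id, length.
    packet_type 0x01 is TAC_PLUS_AUTHEN."""
    return struct.pack("!BBBBII", TACACS_VERSION, packet_type, seq_no, flags,
                       session_id, body_len)


if __name__ == "__main__":
    # Constructed sample: a stand-in for an authentication START body.
    key = b"example-shared-secret"          # the profile's Secret, constructed value
    session_id = 0x1A2B3C4D                 # constructed
    body = b"user=alice;pass=correct horse"  # constructed placeholder body
    wire = obfuscate_body(body, key, session_id, seq_no=1)
    print(build_header(1, session_id, len(wire)).hex(), wire.hex())
    print(obfuscate_body(wire, key, session_id, seq_no=1))  # round-trips to body
```

Two practical consequences follow directly from the construction: the confidentiality of every username and password in the session rests entirely on the strength and secrecy of the profile's Secret (MD5 keystream offers no protection against a known or guessable secret), and a packet whose header carries the unencrypted flag carries the body in plaintext, so the Secret should be long and random and the flag should never be set on production servers. RFC 8907 itself recommends carrying TACACS+ over a protected transport for this reason.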