End-of-Life (EoL)

Test a TACACS+ Authentication Profile

The following example shows how to test a TACACS+ profile named TACACS-Profile for a user named User3-TACACS and how to troubleshoot error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.
  1. On the PAN-OS firewall, Configure a TACACS+ Server Profile and, in the authentication profile, select the new TACACS+ server profile in the Server Profile drop-down.
  2. Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
  3. (Firewalls with virtual systems configured) Define the target virtual system that the test command will access.
    This is required on firewalls with multiple virtual systems (vsys) configured, so that the test authentication command can locate the user (a GlobalProtect or Captive Portal user, for example) in the correct vsys.
    To define the target vsys:
    admin@PA-3060> set system setting target-vsys <vsys-name>
    For example, if the user is defined in vsys2, run the following command:
    admin@PA-3060> set system setting target-vsys vsys2
    The target-vsys setting is per-login session, so the system clears the option when you log off.
  4. Run the following CLI command:
    admin@PA-3060> test authentication authentication-profile TACACS-Profile username User3-TACACS password
  5. When prompted, enter the password for the User3-TACACS account. The following output shows that the test failed:
    Do allow list check before sending out authentication request...
    name "User2-TACACS" is in group "all"
    Authentication to TACACS+ server at '10.5.196.62' for user 'User2-TACACS'
    Server port: 49, timeout: 30, flag: 0
    Egress: 10.5.104.98
    Attempting CHAP authentication ...
    CHAP authentication request is created
    Sending credential: xxxxxx
    Failed to send CHAP authentication request: Network read timed out
    Attempting PAP authentication ...
    PAP authentication request is created
    Failed to send PAP authentication request: Network read timed out
    Returned status: -1
    Authentication failed against TACACS+ server at 10.5.196.62:49 for user User2-TACACS
    Authentication failed for user "User2-TACACS"
    The output shows the error Network read timed out, which indicates that the TACACS+ server could not decrypt the authentication request. In this case, there may be an issue with the secret defined in the TACACS+ server profile.
  6. To resolve this issue, modify the TACACS+ server profile and ensure that the secret defined on the TACACS+ server matches the secret in the server profile.
    1. On the firewall, select Device > Server Profiles > TACACS+ and modify the profile named TACACS-Profile.
    2. In the Servers section, locate the TACACS+ server and modify the Secret field.
    3. Type in the correct secret and then retype it to confirm.
    4. Click OK to save the change.
  7. Run the test command again. The following output shows that the test is successful:
    Do allow list check before sending out authentication request...
    name "User2-TACACS" is in group "all"
    Authentication to TACACS+ server at '10.5.196.62' for user 'User2-TACACS'
    Server port: 49, timeout: 30, flag: 0
    Egress: 10.5.104.98
    Attempting CHAP authentication ...
    CHAP authentication request is created
    Sending credential: xxxxxx
    CHAP authentication request is sent
    Authentication succeeded!
    Authentication succeeded for user "User2-TACACS"
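Why a wrong shared secret in step 5 shows up as Network read timed out rather than an explicit rejection, as an added illustration written for this page (not Palo Alto Networks code): TACACS+ obfuscates every packet body with MD5-derived pads keyed on the shared secret (RFC 8907), so a server holding a different secret recovers noise and, as assumed here, discards the packet without replying. The session ID, the two secrets, the user fields and the simplified plausibility check are constructed assumptions.

```python
"""Why a TACACS+ shared-secret mismatch surfaces as a read timeout.

RFC 8907 section 4.5 XORs the packet body with chained MD5 digests over
session_id, the shared secret, version and seq_no. A peer holding a
different secret derives a different pad, so the body it recovers is noise
whose length fields no longer add up, and a server drops it without reply.
"""
import hashlib
import struct
from typing import Tuple

def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Pad per RFC 8907: MD5(session_id | key | version | seq_no | previous digest), chained."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, version: int = 0xC1, seq_no: int = 1) -> bytes:
    """XOR with the pad (version 0xC1 = major 12, minor 1, used for CHAP/PAP); XOR is symmetric, so the same call de-obfuscates."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes) -> bytes:
    """Authentication START body: action=LOGIN(1), priv_lvl=1, authen_type=CHAP(3), service=LOGIN(1)."""
    lengths = struct.pack("!BBBB", len(user), len(port), len(rem_addr), len(data))
    return bytes([1, 1, 3, 1]) + lengths + user + port + rem_addr + data

def start_body_is_sane(body: bytes) -> bool:
    """Simplified server-side plausibility check applied before any field is trusted (an assumption)."""
    if len(body) < 8:
        return False
    action, _priv_lvl, authen_type, service = body[0:4]
    return action in (1, 2, 3) and 1 <= authen_type <= 6 and service <= 9 and 8 + sum(body[4:8]) == len(body)

# Constructed sample values; none of them come from a real deployment.
SESSION_ID = 0x1A2B3C4D
FIREWALL_SECRET = b"secret-in-server-profile"
SERVER_SECRET = b"secret-on-tacacs-server"

def demo() -> Tuple[bool, bool]:
    """Returns (server accepts with matching secret, server accepts with mismatched secret)."""
    body = authen_start_body(b"User3-TACACS", b"ssh", b"203.0.113.7", b"")
    wire = obfuscate(body, SESSION_ID, FIREWALL_SECRET)
    matching = start_body_is_sane(obfuscate(wire, SESSION_ID, FIREWALL_SECRET))
    mismatched = start_body_is_sane(obfuscate(wire, SESSION_ID, SERVER_SECRET))
    return matching, mismatched  # (True, False): the dropped packet is what the firewall reports as a timeout
```

The same timeout wording also appears when the server is unreachable or silently filtered, so confirming that 10.5.196.62:49 answers at all rules that out before the secret is changed.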
