Device > Server Profiles > TACACS+

Select Device > Server Profiles > TACACS+ or Panorama > Server Profiles > TACACS+ to configure the settings that define how the firewall or Panorama connects to Terminal Access Controller Access-Control System Plus (TACACS+) servers (see Device > Authentication Profile). You can use TACACS+ to authenticate end users who access your network resources (through GlobalProtect or Captive Portal), to authenticate administrators defined locally on the firewall or Panorama, and to authenticate and authorize administrators defined externally on the TACACS+ server.
TACACS+ Server Settings
Description
Profile Name
Enter a name to identify the server profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Location
Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can’t select the Location; its value is predefined as Shared (firewalls) or as Panorama. After you save the profile, you can’t change its Location.
Administrator Use Only
Select this option to specify that only administrator accounts can use the profile for authentication. For multi-vsys firewalls, this option appears only if the Location is Shared.
Timeout
Enter an interval in seconds after which an authentication request times out (range is 1–20; default is 3).
Authentication Protocol
Select the Authentication Protocol that the firewall uses to secure a connection to the TACACS+ server:
  • CHAP—Challenge-Handshake Authentication Protocol (CHAP) is the default and preferred protocol because it is more secure than PAP.
  • PAP—Select Password Authentication Protocol (PAP) if the TACACS+ server does not support CHAP or is not configured for it.
  • Auto—The firewall first tries to authenticate using CHAP. If the TACACS+ server doesn’t respond, the firewall falls back to PAP.
Use single connection for all authentication
Select this option to use the same TCP session for all authentications. This option improves performance by avoiding the processing required to initiate and tear down a separate TCP session for each authentication event.
Servers
Click Add and specify the following settings for each TACACS+ server:
  • Name—Enter a name to identify the server.
  • TACACS+ Server—Enter the IP address or FQDN of the TACACS+ server.
  • Secret/Confirm Secret—Enter and confirm a key to verify and encrypt the connection between the firewall and the TACACS+ server.
  • Port—Enter the server port (default is 49) for authentication requests.
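
The Authentication Protocol and Secret settings above correspond to two mechanisms in the TACACS+ specification (RFC 8907). The following is an added example, not Palo Alto Networks code and not part of the original page: it shows how the shared secret obfuscates packet data and why a CHAP data field, unlike a PAP one, does not carry the password. All sample values are constructed, and for brevity only the data field is obfuscated rather than a full packet body.

```python
import hashlib
import hmac
import struct

VERSION = 0xC1  # major version 0xC, minor version 1 (used for PAP and CHAP logins)

def pseudo_pad(session_id: int, key: bytes, seq_no: int, length: int) -> bytes:
    """RFC 8907 obfuscation pad: chained MD5 blocks keyed with the shared secret."""
    seed = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """XOR the bytes with the pad; applying it again restores the cleartext."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def pap_data(password: str) -> bytes:
    """PAP: the data field of the authentication START body is the password."""
    return password.encode()

def chap_data(password: str, ppp_id: int, challenge: bytes) -> bytes:
    """CHAP: data is id || challenge || MD5(id || password || challenge)."""
    response = hashlib.md5(bytes([ppp_id]) + password.encode() + challenge).digest()
    return bytes([ppp_id]) + challenge + response

def chap_verify(data: bytes, stored_password: str) -> bool:
    """Server side: recompute the response from the server's copy of the password."""
    ppp_id, challenge, response = data[0], data[1:-16], data[-16:]
    expected = hashlib.md5(bytes([ppp_id]) + stored_password.encode() + challenge).digest()
    return hmac.compare_digest(response, expected)

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret, password = b"constructed-shared-secret", "constructed-password"
    session_id, challenge = 0x1A2B3C4D, bytes(range(16))
    for name, data in (("PAP", pap_data(password)),
                       ("CHAP", chap_data(password, 7, challenge))):
        wire = obfuscate(data, session_id, secret, seq_no=1)
        clear = obfuscate(wire, session_id, secret, seq_no=1)
        print(name, "password present once de-obfuscated:", password.encode() in clear)
```

When Auto falls back to PAP, the password's protection in transit rests entirely on the strength of the shared secret.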
