to configure the settings
that define how the firewall or Panorama connects
to Terminal Access Controller Access-Control System Plus (TACACS+)
servers (see Device
> Authentication Profile). You can use TACACS+ to authenticate
end users who access your network resources (through GlobalProtect
or Captive Portal), to authenticate administrators defined locally
on the firewall or Panorama, and to authenticate and authorize administrators
defined externally on the TACACS+ server.
TACACS+ Server Settings
Enter a name to identify the server profile
(up to 31 characters). The name is case-sensitive and must be unique.
Use only letters, numbers, spaces, hyphens, and underscores.
Select the scope in which the profile is
available. In the context of a firewall that has more than one virtual
system (vsys), select a vsys or select
virtual systems). In any other context, you can’t select the
its value is predefined as Shared (
) or as Panorama.
After you save the profile, you can’t change its
Administrator Use Only
Select this option to specify that only
administrator accounts can use the profile for authentication. For
multi-vsys firewalls, this option appears only if the
Enter an interval in seconds after which
an authentication request times out (range is 1–20; default is 3).
the firewall uses to secure a connection to the TACACS+ server:
Protocol (CHAP) is the default and preferred protocol because it
is more secure than PAP.
—Select Password Authentication
Protocol (PAP) if the TACACS+ server does not support CHAP or is
not configured for it.
—The firewall first tries to authenticate
using CHAP. If the TACACS+ server doesn’t respond, the firewall
falls back to PAP.
Use single connection for all authentication
Select this option to use the same TCP session
for all authentications. This option improves performance by avoiding
the processing required to initiate and tear down a separate TCP
session for each authentication event.
the following settings for each TACACS+ server:
a name to identify the server.
—Enter the IP address
or FQDN of the TACACS+ server.
—Enter and confirm
a key to verify and encrypt the connection between the firewall
and the TACACS+ server.
—Enter the server port (default
is 49) for authentication requests.