Device TACACS+
Learn how Prisma SD-WAN uses the TACACS+ protocol to control device and controller-node access.
Managing access to network devices and controller nodes can be complex and difficult to
audit. To provide centralized control, strengthen security, and simplify compliance, Prisma
SD-WAN supports the TACACS+ (Terminal Access Controller Access Control System Plus)
authentication protocol for controlling network device access and SSH login to controller
nodes. Through TACACS+ server profiles, the system also records user activity as accounting
events: when a user starts or stops using a service and how long the session lasted. These
start and stop records, together with the record of any services still in progress during
the user's session, provide an audit trail for compliance.
A device TACACS+ profile consists of the configured TACACS+ servers, up to a maximum of
four. The system tries the servers sequentially in the configured order, based on their
reachability: an unreachable server is skipped and the next one is tried. If the user exists
on the TACACS+ server that answers and enters the correct credentials, the login succeeds.
Even if the device is not online, the user can still log in over an SSH or other remote
connection, provided the AAA server is reachable and the user is in the TACACS+ database.
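The following Python example is added here to illustrate the two behaviours described above: the profile's four-server limit with sequential, reachability-driven failover, and the start/stop accounting records from which session duration and in-progress services are derived. It is not Prisma SD-WAN code. The `lab_probe` transport hook, the server addresses, the user database and the accounting records are all constructed for the demonstration. One assumption is labelled in the code and here: a reachable server that rejects the credentials ends the attempt rather than falling through to the next server, which is the usual AAA-client behaviour but is not stated on this page.

```python
"""Sequential TACACS+ server failover and accounting summary (illustrative only)."""
from dataclasses import dataclass, field

MAX_SERVERS = 4  # a device TACACS+ profile holds at most four servers

# Per-server outcomes of one authentication attempt.
UNREACHABLE = "unreachable"
ACCEPT = "accept"
REJECT = "reject"


@dataclass(frozen=True)
class TacacsServer:
    host: str
    port: int = 49  # TACACS+ default TCP port (RFC 8907)


@dataclass
class TacacsProfile:
    name: str
    servers: list = field(default_factory=list)

    def add_server(self, server: TacacsServer) -> None:
        """Enforce the four-server limit at configuration time."""
        if len(self.servers) >= MAX_SERVERS:
            raise ValueError(f"profile {self.name!r} already has {MAX_SERVERS} servers")
        self.servers.append(server)


def authenticate(profile: TacacsProfile, user: str, password: str, probe):
    """Try servers in configured order; skip unreachable ones.

    `probe(server, user, password)` is a hypothetical transport hook returning
    UNREACHABLE, ACCEPT or REJECT. ASSUMPTION: the first reachable server is
    authoritative, so a REJECT denies the login without trying later servers.
    Returns (logged_in, trail) where trail lists (host, outcome) per attempt.
    """
    trail = []
    for server in profile.servers:
        outcome = probe(server, user, password)
        trail.append((server.host, outcome))
        if outcome == UNREACHABLE:
            continue          # reachability failure: move to the next server
        return outcome == ACCEPT, trail
    return False, trail       # no server was reachable at all


# Constructed lab state: None means the server is down; otherwise its user database.
LAB_STATE = {
    "10.0.0.1": None,
    "10.0.0.2": {"alice": "s3cret"},
    "10.0.0.3": {"bob": "hunter2"},
}


def lab_probe(server: TacacsServer, user: str, password: str) -> str:
    """Hypothetical stand-in for a real TACACS+ authentication exchange."""
    db = LAB_STATE.get(server.host)
    if db is None:
        return UNREACHABLE
    return ACCEPT if db.get(user) == password else REJECT


def demo_logins():
    profile = TacacsProfile("corp-tacacs")
    for host in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        profile.add_server(TacacsServer(host))
    return {
        "alice": authenticate(profile, "alice", "s3cret", lab_probe),
        "bob": authenticate(profile, "bob", "hunter2", lab_probe),
        "eve": authenticate(profile, "eve", "guess", lab_probe),
    }


@dataclass(frozen=True)
class AccountingRecord:
    user: str
    session_id: str
    flag: str        # "start" or "stop"
    timestamp: int   # epoch seconds


# Constructed accounting records: alice's session closed, bob's still in progress.
SAMPLE_RECORDS = [
    AccountingRecord("alice", "s-1", "start", 1000),
    AccountingRecord("bob", "s-2", "start", 1010),
    AccountingRecord("alice", "s-1", "stop", 1300),
]


def summarize_accounting(records):
    """Pair start/stop records by session id.

    Returns (closed, in_progress): durations in seconds for sessions that
    have stopped, and the ids of sessions that have started but not stopped.
    """
    starts, closed = {}, {}
    for r in records:
        if r.flag == "start":
            starts[r.session_id] = r
        elif r.flag == "stop" and r.session_id in starts:
            closed[r.session_id] = r.timestamp - starts.pop(r.session_id).timestamp
    return closed, sorted(starts)


if __name__ == "__main__":
    for user, (ok, trail) in demo_logins().items():
        print(f"{user}: {'login ok' if ok else 'denied'} via {trail}")
    print(summarize_accounting(SAMPLE_RECORDS))
```

Note what the `bob` case shows: the first server is down and the second is reachable but does not know bob, so the attempt ends with a reject even though the third server would have accepted him. Sequential failover only covers reachability; if the four servers do not share one user database, their order in the profile decides who can log in.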
After you create a TACACS+ profile, you must associate it with a device to enable
authentication.