Issue
PAN-OS 7.0+ supports TACACS+ authentication, and some customers use an open-source implementation of a TACACS+ server on a Linux distribution such as CentOS or Ubuntu. In this situation, existing Cisco devices authenticate fine, but PAN-OS devices using TACACS+ authentication fail and the authd debug log shows the error "Returned status: 2":
Authentication to TACACS+ server at 'SERVER_IP' for user 'username'
Server port: 49, timeout: 3, flag: 4
Egress: 172.18.0.21
Attempting CHAP authentication ...
CHAP authentication request is created
Sending credential: xxxxxx
CHAP authentication request is sent
CHAP authentication failed:
Attempting PAP authentication ...
PAP authentication request is created
PAP authentication request is sent
Returned status: 2
Authentication failed against TACACS+ server at SERVER_IP:49 for user 'username'
Verification
Debugging should be enabled on the TACACS+ server to find out what actually happens during authentication.
This can be done by starting the daemon with the -d switch and a debug level such as 2 8 16 32 64 128.
In the debug, look for the error like below:
No chap or global secret for <user name>
If that message appears in the TACACS+ daemon debug output, the steps below can be followed to fix it.
On the Palo Alto Networks CLI, you can also run the following command to test:
> test authentication authentication-profile <TACACS-Profile> username <test> password
Resolution
The resolution for this error needs to be performed on the TACACS+ server, not on the PAN-OS device.
The following user attribute should be added to the user in tac_plus.conf:
pap = des <des_string_password>
For example, the test user config in tac_plus.conf should look like this:
user = test {
    pap = des <des_string_password>
    pap = PAM
    chap = cleartext "chap password"
    login = <password_spec>
    enable = <password_spec>
}
Note: Some attributes might not be present in this example, as this is just for illustration.
After adding it to tac_plus.conf on the TACACS+ server, restart the daemon for the change to take effect; after that, authentication from PAN-OS should succeed.
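To check a tac_plus.conf for users that would still fail the PAP fallback described above, the following audit script is added here as an example (it is not part of the article or the tac_plus project). It assumes flat user blocks without nested service sections; the sample configuration and the DES hash placeholder are constructed for illustration.

```python
import re

# Constructed sample tac_plus.conf fragment (not from the article):
# 'test' has only chap/login, the configuration that fails for PAN-OS,
# while 'netadmin' already carries the pap attribute the fix adds.
SAMPLE_CONF = """
key = "shared-secret"

user = test {
    chap = cleartext "chap password"
    login = cleartext "login password"
}

user = netadmin {
    pap = des abcdefghijklm
    login = des abcdefghijklm
}
"""

# Assumes flat user blocks (no nested service { ... } sections).
USER_RE = re.compile(r'user\s*=\s*(\S+)\s*\{(.*?)\}', re.S)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)


def parse_users(conf):
    """Return {username: {attribute: value}} for each user block."""
    users = {}
    for name, body in USER_RE.findall(conf):
        users[name] = dict(ATTR_RE.findall(body))
    return users


def users_missing_pap(conf):
    """Users with no 'pap' attribute, i.e. the condition the article's fix addresses."""
    return sorted(u for u, attrs in parse_users(conf).items() if 'pap' not in attrs)


def add_pap_attribute(conf, user, des_hash):
    """Insert 'pap = des <hash>' as the first attribute of the given user's block."""
    block_start = re.compile(r'(user\s*=\s*%s\s*\{)' % re.escape(user))
    return block_start.sub(r'\1\n    pap = des %s' % des_hash, conf, count=1)


if __name__ == "__main__":
    for u in users_missing_pap(SAMPLE_CONF):
        print("user %s has no pap attribute" % u)
    # PLACEHOLDER_DES_HASH stands in for a real crypt(3) DES string.
    print(add_pap_attribute(SAMPLE_CONF, "test", "PLACEHOLDER_DES_HASH"))
```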