https://live.paloaltonetworks.com/t5/general-topics/tacacs-authentication-with-cisco-ise-not-working/m-p/1229171#M124307 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/373635923">@fhassan</a>,</P> <P>Are these firewalls independent or part of an active/passive setup? If part of an active/passive pair, do you utilize the MGMT interface or do you have a service route configured to utilize a dataplane interface? </P> <P>&nbsp;</P> <P>If these are standalone make sure that ISE is actually accepting connections. Your error message indicates you aren't getting a return; I'm pretty sure that ISE won't respond to requests if the source address isn't included as a network device, so you'd want to check that the ISE side of this configuration is actually correct. </P> Thu, 15 May 2025 17:02:55 GMT BPry 2025-05-15T17:02:55Z https://live.paloaltonetworks.com/t5/general-topics/tacacs-authentication-with-cisco-ise-not-working/m-p/1229114#M124297 <P>Hello, I would like to ask currently I have two firewall that needs to be configure TACACS. One of the firewall is working fine and I'm able to login using my credentials from ISE. However, another firewall is not working for the TACACS authentication. I have followed the same steps based on the working firewall.</P> <P>&nbsp;</P> <P>Below here is the error I got when doing the test command:</P> <P>xx@Txx&gt; test authentication authentication-profile Tacacs_auth_profile username xxxx password<BR />Enter password :</P> <P>Target vsys is not specified, user "xxxx" is assumed to be configured with a shared auth profile.</P> <P>Do allow list check before sending out authentication request...<BR />name "xxxx" has exact match in allow list</P> <P>Authentication to TACACS+ server at '10.x.x.x' for user 'xxxx'<BR />Server port: 49, timeout: 5, flag: 0<BR />Egress: 10.x.x.x<BR />Attempting CHAP authentication ...<BR />CHAP authentication request is created<BR />Sending credential: xxxxxx<BR /><STRONG>Failed to send CHAP authentication request: connect: timed out</STRONG></P> <P><STRONG>Returned status: -1</STRONG><BR />Authentication/authorization failed against TACACS+ server at 10.x.x.x for user Axxx</P> <P>&nbsp;</P> <P>Appreciate the help on how I can troubleshoot this issue.</P> Thu, 15 May 2025 02:27:10 GMT https://live.paloaltonetworks.com/t5/general-topics/tacacs-authentication-with-cisco-ise-not-working/m-p/1229114#M124297 fhassan 2025-05-15T02:27:10Z https://live.paloaltonetworks.com/t5/general-topics/tacacs-authentication-with-cisco-ise-not-working/m-p/1229171#M124307 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/373635923">@fhassan</a>,</P> <P>Are these firewalls independent or part of an active/passive setup? If part of an active/passive pair, do you utilize the MGMT interface or do you have a service route configured to utilize a dataplane interface? </P> <P>&nbsp;</P> <P>If these are standalone make sure that ISE is actually accepting connections. Your error message indicates you aren't getting a return; I'm pretty sure that ISE won't respond to requests if the source address isn't included as a network device, so you'd want to check that the ISE side of this configuration is actually correct. </P> Thu, 15 May 2025 17:02:55 GMT https://live.paloaltonetworks.com/t5/general-topics/tacacs-authentication-with-cisco-ise-not-working/m-p/1229171#M124307 BPry 2025-05-15T17:02:55Z