https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-use-tacacs-authentication/m-p/45619#M33518 <HTML><HEAD></HEAD><BODY><P>Hi Gururaj,</P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">As per my knowledgeTACACS is not supported for authentication by PANFW as of now.&nbsp; You can not use tricks, such as changing the port number to 49 instead of 1812 on RADIUS, because message format is different for both RADIUS and TACACS.</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"> </SPAN></P><P>RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.</P><P><IMG alt="Radius.JPG.jpg" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/8048_Radius.JPG.jpg" /></P><P><IMG alt="TACACS.JPG.jpg" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/8049_TACACS.JPG.jpg" /></P><P></P><P>TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 04 Sep 2013 05:48:18 GMT HULK 2013-09-04T05:48:18Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-use-tacacs-authentication/m-p/45618#M33517 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P></P><P>Is there any tricks to use TACACS authentication? as PaloAlto dos't support TACACS auth directly.</P><P></P><P>Regards,</P><P>Gururaj</P></BODY></HTML> Wed, 04 Sep 2013 04:52:48 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-use-tacacs-authentication/m-p/45618#M33517 Gururaj 2013-09-04T04:52:48Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-use-tacacs-authentication/m-p/45619#M33518 <HTML><HEAD></HEAD><BODY><P>Hi Gururaj,</P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">As per my knowledgeTACACS is not supported for authentication by PANFW as of now.&nbsp; You can not use tricks, such as changing the port number to 49 instead of 1812 on RADIUS, because message format is different for both RADIUS and TACACS.</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"> </SPAN></P><P>RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.</P><P><IMG alt="Radius.JPG.jpg" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/8048_Radius.JPG.jpg" /></P><P><IMG alt="TACACS.JPG.jpg" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/8049_TACACS.JPG.jpg" /></P><P></P><P>TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 04 Sep 2013 05:48:18 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-use-tacacs-authentication/m-p/45619#M33518 HULK 2013-09-04T05:48:18Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-use-tacacs-authentication/m-p/45620#M33519 <HTML><HEAD></HEAD><BODY><P>As per my knowledge TACAS+ is currently no supported.</P><P>Currently the authentication for the users can be done based on Radius, LDAP and kerberos.</P><P>However if this is something that will be useful in your environment you can ask your Sales Engineer to file a feature request on your behalf.</P><P>Hope this helps.</P><P>Thank you</P><P>Numan </P></BODY></HTML> Wed, 04 Sep 2013 15:23:16 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-use-tacacs-authentication/m-p/45620#M33519 mbutt 2013-09-04T15:23:16Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-use-tacacs-authentication/m-p/45621#M33520 <HTML><HEAD></HEAD><BODY><P>There is a guide to authenticate PA to the Cisco ACS using RADIUS settings.</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-1979">Configuring Cisco ACS 5.2 for use with Palo Alto VSA</A></P></BODY></HTML> Wed, 04 Sep 2013 15:56:52 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-use-tacacs-authentication/m-p/45621#M33520 pulukas 2013-09-04T15:56:52Z