topic Re: Login issue for TACACS user in Palo Alto NGFW in General Topics

Login issue for TACACS user in Palo Alto NGFW

PankajDhobe — Tue, 10 Aug 2021 12:44:10 GMT

We are not able to login into Palo Alto via TACACS user.

PA NGFW is asking for reset password before login.

We are not able to reset password.

We have reset password complexity by login with another local user.

We have not assigned any admin roles for TACACS user on firewall.

So, how to mitigate the issue, if PA NGFW is asking to reset password.

Re: Login issue for TACACS user in Palo Alto NGFW

juan.reynolds — Tue, 10 Aug 2021 14:33:26 GMT

is it referring to the default user and password? i know you will receive notification if you havent updated the default password.

Re: Login issue for TACACS user in Palo Alto NGFW

aleksandar.astardzhiev — Wed, 11 Aug 2021 04:41:53 GMT

Hi @PankajDhobe ,

Can you give a bit more information? It would be useful to see your config (you can hide the TACACS server details).
- Have you configured authentication profile that is using the TACACS server?

- Have you configured that auth profile to be used for admin access - Device -> Management -> Authentication Settings

- Or you have configured the users locally and each user is configured with tacacs auth profile?

- This is a good document for configuring TACACS - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMYmCAO&lang=en_US%E2%80%A9

- What VSA have you configured on your server?

- Do you have duplication between local and tacacs usernames?

Long, long time ago I have experience something similar when authentication protocol (under Server profile) was wrong. My experience was with RADIUS and we initially configured something else, while the radius server was expecting PAP. Because of that when user put his credentials FW was prompting him with challenge-response - even that the radius server was not configured for such.

Password complexity policy should affect only local users so I am assuming either tacacs authentication is not working properly, or FW is matching your local user first.

Re: Login issue for TACACS user in Palo Alto NGFW

PankajDhobe — Wed, 11 Aug 2021 07:22:42 GMT

Please, find answers to your questions;

- Have you configured authentication profile that is using the TACACS server?

=> Yes, we have configurd Authetication profile that is using TACACS Server

- Have you configured that auth profile to be used for admin access - Device -> Management -> Authentication Settings

=> Yes, we have configured Auth profile to be used for admin access.

- Or you have configured the users locally and each user is configured with tacacs auth profile?

=> No, we have not configured user locally with Tacacs auth profile attached.

- What VSA have you configured on your server?

=> As discussed with customer, VSA is not configured.

- Do you have duplication between local and tacacs usernames?

=> We had Tacacs user as "ITsupport" and local user as "itsupport".

But we have removed local user with same name still there is issue.

Re: Login issue for TACACS user in Palo Alto NGFW

aleksandar.astardzhiev — Wed, 11 Aug 2021 07:52:45 GMT

Hi @PankajDhobe,

As described in the documentation (step 6.3) - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/configure-tacacs-authentication.html

You need to define the VSA on the tacacs server for service, protocol and role. Additionally you can define user group (if you want to use the allow-list in the auth profile in PAN FW - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/authentication-types/tacacs.html

Re: Login issue for TACACS user in Palo Alto NGFW

PankajDhobe — Sun, 15 Aug 2021 12:54:41 GMT

HI @aleksandar.astardzhiev Thanks for you support.

I had raised the case with Palo Alto TAC.

TAC engineer took the root access of firewall by using below commands

>debug tac-login challenge

(Receive an output and TAC engineer coped it)

>debug tac-login response.

(After that entered the response generated for above challenge )

After that deleted the user name from the password change database of both(active and passive) PA firewall.

Please, find the PA TAC call summery for more details.

=================================================

Thanks for your time on call. A quick recap of the zoom meeting :

1. Firewall was prompting for password change for TACACS user "ITsupport". In the past, you had the same local username on the firewall which is now deleted.
2. We took root access of the firewall and removed the below problematic usernames from lastpwchange & pwchangerequired SQL database.

#Troubleshooting commands:
[root@yyyy~]# sqlite3 /opt/pancfg/mgmt/global/db/loginhistory.db
SQLite version 3.6.12
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .schema
CREATE TABLE gracelogin(name varchar, start datetime, count integer);
CREATE TABLE lastpwchange(name varchar, dt datetime);
CREATE TABLE loginhistory(name varchar, dt datetime, status integer, client varchar);
CREATE TABLE pwchangerequired(name varchar, pwchanged integer);
sqlite>
sqlite> select * from lastpwchange;
sqlite> delete from lastpwchange where name='xxxx';
sqlite> select * from pwchangerequired;
sqlite> delete from pwchangerequiredwhere name='xxxx';
sqlite> .quit :
[root@yyyy~]# exit
logout

3. After the above changes we were able to log in to the Active firewall with "ITsupport" TACACS account. Repeated same process for passive firewall.

Per your confirmation, this ticket will now be closed. It was my pleasure assisting you with this case. After that issue has been resolved Tacacs user was successfully able to login to the PA firewall.

================================================