TACACS+ with PAN-OS Authentication failed, Returned status: 2 error


Issue

PAN-OS 7.0 and later supports TACACS+ authentication, and some customers run an open source TACACS+ server (tac_plus) on a Linux distribution such as CentOS or Ubuntu. In this situation the existing Cisco devices keep working, because they use ASCII login authentication, which tac_plus checks against the user's "login" attribute. PAN-OS, however, attempts CHAP first and then PAP, and tac_plus checks those against the user's "chap" and "pap" attributes (or a "global" secret). When the user has neither, authentication from PAN-OS fails and the authd log shows "Returned status: 2":

 

Authentication to TACACS+ server at 'SERVER_IP' for user 'username' 
Server port: 49, timeout: 3, flag: 4
Egress: 172.18.0.21
Attempting CHAP authentication ...
CHAP authentication request is created
Sending credential: xxxxxx
CHAP authentication request is sent
CHAP authentication failed:
Attempting PAP authentication ...
PAP authentication request is created
PAP authentication request is sent

Returned status: 2
Authentication failed against TACACS+ server at SERVER_IP:49 for user 'username'

Verification

Debugging should be enabled on the TACACS+ server to see what actually happens during the authentication attempt.

On tac_plus this is done by starting the daemon with the -d switch and a debug level that is the sum of the flags 2, 8, 16, 32, 64 and 128, i.e. -d 250.

 

In the debug output, look for an error like the following:

No chap or global secret for <user name>

(Screenshot in the original article: tac_plus debug output containing the "No chap or global secret" line.)

If that message appears in the TACACS+ daemon output, the steps below will fix it.

 

On the Palo Alto Networks CLI, you can also run the following command to test:

> test authentication authentication-profile <TACACS-Profile> username <test> password

 

Resolution

The resolution for this error is performed on the TACACS+ server, not on the PAN-OS device.

The following attribute should be added to the user's entry in tac_plus.conf. The des string is a crypt(3)-style hash of the password; pap = cleartext "<password>" or pap = PAM (as in the example below) are also accepted by tac_plus.

pap = des "<des_string_password>"

 

For example, the test user's entry in tac_plus.conf should look like this. pap and chap are separate attributes: PAN-OS tries CHAP first and falls back to PAP, so either one is enough for PAN-OS to authenticate, while login is what an ASCII login from a Cisco device uses.

user = test {
    login = <password_spec>
    enable = <password_spec>
    pap = des "<des_string_password>"     # or: pap = PAM
    chap = cleartext "chap password"      # CHAP can only be verified against a cleartext secret
}

 

Note: Some attributes might not be present in this example, as this is just for illustration.

 

After adding it to tac_plus.conf on the TACACS+ server, restart the daemon so the change takes effect; authentication from PAN-OS should then succeed (via CHAP if a cleartext chap secret is present, otherwise via PAP). Note the trade-off: a chap secret must be stored in cleartext on the server, while with PAP the password travels inside the TACACS+ body, which is protected only by the MD5-based obfuscation keyed with the shared secret, so the path between the firewall and the server should be a trusted management network.
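The following is an added example, not part of the original article and not Palo Alto Networks or tac_plus code. It reads a tac_plus.conf-style user/group list and predicts, for each user, whether the PAN-OS CHAP-then-PAP sequence will find a usable secret and whether a Cisco ASCII login will, reproducing the "No chap or global secret" condition from the debug output. The configuration text is constructed for the example, the des strings are dummy placeholders rather than real hashes, and the lookup order (user attribute, then member groups, then the user's global secret) and the "No pap or global secret" wording are assumptions about tac_plus, not taken from the page.

```python
"""Predict how tac_plus answers CHAP/PAP (PAN-OS) versus ASCII login (Cisco)
for each user in a tac_plus.conf, based on which secrets the user can reach."""
import re
from dataclasses import dataclass, field
from typing import Optional

AUTH_ATTRS = ("login", "pap", "chap", "global")


@dataclass
class Entry:
    kind: str                                   # "user" or "group"
    name: str
    attrs: dict = field(default_factory=dict)   # login/pap/chap/global -> spec string
    member: Optional[str] = None                # group this entry inherits from


def parse_tac_plus(text):
    """Minimal tac_plus.conf reader: top-level user/group blocks only.
    Nested service { ... } blocks are skipped and # comments are stripped."""
    entries, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        head = re.match(r'^(user|group)\s*=\s*"?([^"\s]+)"?\s*\{$', line)
        if depth == 0 and head:
            current = Entry(head.group(1), head.group(2))
            entries[(current.kind, current.name)] = current
            depth = 1
            continue
        if current is not None and depth == 1 and not line.endswith("{"):
            kv = re.match(r'^([\w-]+)\s*=\s*(.+)$', line)
            if kv:
                key, val = kv.group(1), kv.group(2).strip()
                if key in AUTH_ATTRS:
                    current.attrs[key] = val
                elif key == "member":
                    current.member = val.strip('"')
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    return entries


def resolve(entries, kind, name, attr, seen=frozenset()):
    """Look attr up on the entry, then follow member = <group> links upward.
    Assumption: this mirrors tac_plus's user -> group -> parent-group lookup."""
    e = entries.get((kind, name))
    if e is None or (kind, name) in seen:
        return None
    if attr in e.attrs:
        return e.attrs[attr]
    if e.member:
        return resolve(entries, "group", e.member, attr, seen | {(kind, name)})
    return None


def secret_for(entries, user, method):
    """Method-specific secret first, then the user's 'global' secret (the
    fallback that the 'No chap or global secret' message refers to)."""
    return (resolve(entries, "user", user, method)
            or resolve(entries, "user", user, "global"))


def ascii_login_ok(entries, user):
    """What a Cisco device's ASCII login authentication checks."""
    return secret_for(entries, user, "login") is not None


def predict(entries, user):
    """Return (pan_os_result, cisco_ascii_ok, messages) where pan_os_result is
    "CHAP", "PAP" or None, following the order seen in the PAN-OS authd log:
    CHAP is attempted first, then PAP."""
    msgs = []
    chap = secret_for(entries, user, "chap")
    if chap is None:
        msgs.append(f"No chap or global secret for {user}")      # message shown in the article
    elif chap.startswith("cleartext"):
        return "CHAP", ascii_login_ok(entries, user), msgs
    else:
        msgs.append(f"CHAP secret for {user} is not cleartext")  # CHAP needs the plaintext
    pap = secret_for(entries, user, "pap")
    if pap is not None:
        return "PAP", ascii_login_ok(entries, user), msgs
    msgs.append(f"No pap or global secret for {user}")           # assumed wording
    return None, ascii_login_ok(entries, user), msgs


# Constructed sample configuration for the example; the des strings are dummies.
SAMPLE_CONF = """
key = "sharedsecret"

group = netadmins {
    chap = cleartext "chap-pw"
    service = exec { priv-lvl = 15 }
}

user = cisco_only {            # works from IOS (ASCII login), fails from PAN-OS
    login = des "xyF6Mhs4EbXq2"
}

user = test {                  # the fix from the article: add a pap secret
    login = PAM
    pap = des "xyF6Mhs4EbXq2"
}

user = alice {                 # inherits a cleartext chap secret from the group
    member = netadmins
    login = PAM
}

user = bob {                   # one global secret covers every method
    global = cleartext "bob-pw"
}
"""


def report(conf_text=SAMPLE_CONF):
    """Map each user name to predict(...) for the given configuration text."""
    entries = parse_tac_plus(conf_text)
    return {name: predict(entries, name) for kind, name in entries if kind == "user"}


if __name__ == "__main__":
    for user, (pan, cisco, msgs) in report().items():
        print(f"{user:11} PAN-OS: {pan or 'FAIL':4}  Cisco ASCII login: "
              f"{'ok' if cisco else 'FAIL':4}  {'; '.join(msgs)}")
```

Run it against your own tac_plus.conf by passing the file contents to report(); any user whose PAN-OS column reads FAIL while the Cisco column reads ok is in exactly the situation this article describes.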

 

Comments

Self-published by author prior to review. Moved to internal KB.

Could you let me know where to post so that it'd be reviewed and posted to public KB space?