Just set up TACACS authentication using Cisco ISE as our TACACS server. We can successfully log in with our AD accounts, but when I look in the TACACS logs on ISE, I see a ton of "INVALID" attempts from external IPs. Is this normal/expected? Is there a way to just limit TACACS to our internal network?
Hi @ErikMarschang,
That is not normal or expected. If you set up TACACS+ for authentication into your NGFW, you should only see requests from the management interface of the NGFW.
Maybe you have a security rule allowing TACACS+ from the outside? You could check the traffic logs.
I was looking in the logs on the Palo. I don't see anything in the Palo traffic logs regarding TACACS. So maybe the attempts aren't coming from the outside... When I look at the ISE TACACS live logs, it's full of "username INVALID". It's almost like something from the Palo is constantly trying to log in via TACACS... Not sure exactly, I'm still digging in.
Also make sure your external interface does not allow logins from IPs you don't have listed. Something like:
I only allow ssh connections to my untrusted interface from the secondary data center. And in the secondary data center firewall I only allow SSH connections to the untrust interfaces from the primary data center.
This example is just in case you lose the internal management for other device failures.
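To check both points raised in this thread (whether the "INVALID" attempts really come from the firewall's management interface, and whether any source falls outside the addresses you intend to permit), here is an added example script that is not part of this thread or of ISE/PAN-OS. It parses a few constructed log lines in a simplified key=value layout (an assumption; ISE's real TACACS+ log format differs, so adapt the regex to an exported live-log CSV or syslog), counts failures per source device IP, and flags any source outside an assumed management subnet of 10.10.5.0/24.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a simplified key=value layout. This is an
# assumption for illustration, not ISE's actual TACACS+ syslog format.
# One failure from an unexpected (non-management) source is included on purpose.
SAMPLE_LOG = """\
2024-05-01T10:00:01 status=PASSED user=jdoe device_ip=10.10.5.1
2024-05-01T10:00:07 status=FAILED user=INVALID device_ip=10.10.5.1
2024-05-01T10:00:09 status=FAILED user=INVALID device_ip=10.10.5.1
2024-05-01T10:00:15 status=FAILED user=INVALID device_ip=203.0.113.44
2024-05-01T10:00:20 status=PASSED user=asmith device_ip=10.10.5.1
"""

# Assumed management network: only the firewall's management interface
# should ever talk TACACS+ to ISE. Replace with your own ranges.
MGMT_NETWORKS = [ipaddress.ip_network("10.10.5.0/24")]

LINE_RE = re.compile(
    r"status=(?P<status>\S+)\s+user=(?P<user>\S+)\s+device_ip=(?P<ip>\S+)"
)


def parse_lines(text):
    """Return a list of dicts (status, user, ip) for every line that matches."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def failures_by_source(events):
    """Count FAILED authentications per source device IP."""
    return Counter(e["ip"] for e in events if e["status"] == "FAILED")


def invalid_user_failures(events):
    """Count FAILED attempts whose username is literally INVALID, per source IP."""
    return Counter(
        e["ip"] for e in events if e["status"] == "FAILED" and e["user"] == "INVALID"
    )


def unexpected_sources(events, allowed=MGMT_NETWORKS):
    """Sorted list of source IPs that are not inside any allowed network."""
    found = set()
    for e in events:
        addr = ipaddress.ip_address(e["ip"])
        if not any(addr in net for net in allowed):
            found.add(e["ip"])
    return sorted(found)


if __name__ == "__main__":
    events = parse_lines(SAMPLE_LOG)
    print("Failures per source:", dict(failures_by_source(events)))
    print("'INVALID' username failures per source:", dict(invalid_user_failures(events)))
    print("Sources outside management networks:", unexpected_sources(events))
```

If every failing source is the firewall's own management IP, the noise is being generated by the device itself (for example a second authentication profile or a polling process using TACACS+ with a bad account) rather than by outside hosts; if any source is outside the management network, that is the address to trace in the firewall's traffic logs and to exclude with a permitted-IP list as described above.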