Invalid TACACS Logins from Outside

L1 Bithead

Just setup TACACS authentication using Cisco ISE as our TACACS server.  We can successfully login with our AD accounts, but when I look in the TACACS logs on ISE, I see a ton of "INVALID" attempts from external IPs.  Is the normal/expected?  Is there a way to just limit TACACS to our internal network?

ACCEPTED SOLUTION

L1 Bithead

It looks like I may have resolved my own issue.  Under Authentication Profile, someone had "all" listed in the allow list.  I removed "all" and added the specific admins that will administer the firewall.  Once committed, the ISE logs stopped filling up.  Thanks for chiming in everyone!

6 REPLIES

L2 Linker

Hello @ErikMarschang, you can limit the permitted IPs to the management interface to an RFC 1918 address. Device>Setup>Interfaces>Management>Permitted IP Addresses.

Network Administrator

L3 Networker

Hi @ErikMarschang,

That is not normal or expected.  If you set up TACACS+ for authentication into your NGFW, you should only see requests from the management interface of the NGFW.

Maybe you have a security rule allowing TACACS+ from the outside?  You could check the traffic logs.

Thanks,

Tom

Thank you for confirming that it's not normal.   That was my initial thought, but I am fairly new to the Palo NGFWs.  I will check the logs and see what I can find.

L1 Bithead

I was looking in the logs on the Palo.  I don't see anything in the Palo traffic logs regarding TACACS.  So maybe the attempts aren't coming from the outside...  When I look at the ISE TACACS live logs, it's full of "username INVALID".  It's almost like something from the Palo is constantly trying to login via TACACS... Not sure exactly, I'm still digging in.
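A small triage script, added here as an illustration and not taken from the thread, ISE, or PAN-OS. It works through the two checks raised in this thread: whether every TACACS request seen by the server arrives from an expected (RFC 1918) management address, and how many of the logged attempts the firewall would have forwarded under an authentication profile allow list of "all" versus a list of named admins. The log records, the field names (`nas_ip`, `username`, `status`) and the IP addresses are all constructed for the example; ISE's real log layout is not reproduced.

```python
import ipaddress
from collections import Counter

# Constructed sample records (not real ISE output). "nas_ip" is the device
# that forwarded the request to the TACACS server; 203.0.113.9 is a
# documentation-range address standing in for an unexpected source.
SAMPLE_ATTEMPTS = [
    {"nas_ip": "10.1.1.5", "username": "erik", "status": "PASS"},
    {"nas_ip": "10.1.1.5", "username": "INVALID", "status": "FAIL"},
    {"nas_ip": "10.1.1.5", "username": "INVALID", "status": "FAIL"},
    {"nas_ip": "10.1.1.5", "username": "admin", "status": "FAIL"},
    {"nas_ip": "203.0.113.9", "username": "INVALID", "status": "FAIL"},
]

# The three RFC 1918 ranges that the "Permitted IP Addresses" reply refers to.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(ip: str) -> bool:
    """True if the address lies in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def fail_counts(attempts) -> Counter:
    """Number of failed authentications per forwarding device."""
    return Counter(a["nas_ip"] for a in attempts if a["status"] == "FAIL")


def unexpected_sources(attempts, expected_nas: set) -> set:
    """Devices that sent requests but are not the firewall(s) we configured.

    A TACACS server should only hear from the NGFW management interface,
    so anything else (or anything outside RFC 1918) deserves a look.
    """
    return {
        a["nas_ip"]
        for a in attempts
        if a["nas_ip"] not in expected_nas or not is_rfc1918(a["nas_ip"])
    }


def forwarded_to_tacacs(attempts, allow_list: set) -> list:
    """Attempts the firewall would forward under a given allow list.

    Models the authentication-profile behaviour described in the accepted
    solution: "all" forwards every username, a named list forwards only
    the admins on it, so unknown usernames never reach the server.
    """
    if "all" in allow_list:
        return list(attempts)
    return [a for a in attempts if a["username"] in allow_list]


if __name__ == "__main__":
    print("failures per device:", dict(fail_counts(SAMPLE_ATTEMPTS)))
    print("unexpected sources:", unexpected_sources(SAMPLE_ATTEMPTS, {"10.1.1.5"}))
    print("forwarded with allow-list all:",
          len(forwarded_to_tacacs(SAMPLE_ATTEMPTS, {"all"})))
    print("forwarded with named admins:",
          len(forwarded_to_tacacs(SAMPLE_ATTEMPTS, {"erik", "tom"})))
```

Running it against the constructed records shows the pattern from the thread: almost every failure is attributed to the firewall's own management address, and switching the allow list from "all" to named admins drops the unknown-username attempts before they are ever sent to ISE.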

Cyber Elite

Hello,

Also make sure your external interface does not allow logins from IPs you don't have listed. Something like:

I only allow ssh connections to my untrusted interface from the secondary data center. And in the secondary data center firewall I only allow SSH connections to the untrust interfaces from the primary data center. 

This example is just in case you lose the internal management for other device failures.

Cheers!
