09-03-2013 10:48 PM
Hi Gururaj,
As per my knowledge, TACACS is not supported for authentication by PANFW as of now. You cannot use tricks such as changing the port number to 49 instead of 1812 on RADIUS, because the message format is different for RADIUS and TACACS.
RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
Thanks
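An added illustration of the difference described in the reply above (this is example code written for this thread, not code from the original post or from Palo Alto Networks): it implements the RFC 2865 section 5.2 User-Password hiding that RADIUS applies to one attribute only, and the RFC 8907 section 4.5 MD5 pseudo-pad that TACACS+ applies to the whole body, using a constructed shared secret, Request Authenticator and session id. Parsing the resulting RADIUS Access-Request shows why a capture still exposes the User-Name, while the TACACS+ header flag is the only thing readable when the body is encrypted.

```python
import hashlib
import struct

# --- RADIUS (RFC 2865) ---------------------------------------------------
ACCESS_REQUEST = 1
USER_NAME = 1       # attribute type: sent in clear
USER_PASSWORD = 2   # attribute type: the only hidden field


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 bytes, then XOR each chunk with
    MD5(secret + previous ciphertext chunk), seeded by the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return bytes(out)


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password (same chain, ciphertext chunks feed the MD5)."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return bytes(out).rstrip(b"\x00")  # strip the RFC padding; passwords contain no NULs


def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, 2 + len(value)]) + value


def build_access_request(username: bytes, password: bytes, secret: bytes,
                         authenticator: bytes, identifier: int) -> bytes:
    attrs = _attr(USER_NAME, username) + \
        _attr(USER_PASSWORD, radius_hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(packet: bytes):
    """What a passive observer sees: every attribute except User-Password is readable."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, authenticator, attrs


# --- TACACS+ (RFC 8907) --------------------------------------------------
TAC_PLUS_AUTHEN = 1
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body is NOT obfuscated (debugging only)


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 4.5: pad_1 = MD5(session_id|key|version|seq_no),
    pad_n = MD5(session_id|key|version|seq_no|pad_{n-1}), concatenated and truncated."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the entire body with the pseudo-pad; applying it twice restores the body."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(x ^ y for x, y in zip(body, pad))


def tacacs_header(version: int, ptype: int, seq_no: int, flags: int,
                  session_id: int, body_len: int) -> bytes:
    """12-byte cleartext header: version, type, seq_no, flags, session_id, length."""
    return struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, body_len)


def tacacs_body_is_encrypted(header: bytes) -> bool:
    """The header is always readable; its flags byte says whether the body is obfuscated."""
    flags = header[3]
    return not (flags & TAC_PLUS_UNENCRYPTED_FLAG)


if __name__ == "__main__":
    # Constructed sample values (not real credentials or a real deployment).
    secret, auth = b"constructed-secret", bytes(range(16))
    pkt = build_access_request(b"gururaj", b"S3cret!", secret, auth, 7)
    _, _, _, attrs = parse_access_request(pkt)
    print("RADIUS User-Name on the wire:", attrs[USER_NAME])          # readable
    print("RADIUS User-Password on the wire:", attrs[USER_PASSWORD].hex())  # hidden
    body = b"gururaj:S3cret!"
    obf = tacacs_obfuscate(body, 0x01020304, b"constructed-key", 0xC0, 1)
    print("TACACS+ body on the wire:", obf.hex())                       # whole body hidden
    print("TACACS+ header says encrypted:",
          tacacs_body_is_encrypted(tacacs_header(0xC0, TAC_PLUS_AUTHEN, 1, 0, 0x01020304, len(body))))
```

The two XOR chains look similar, but the scope differs: RADIUS keys the pad from the shared secret only for the User-Password value, so User-Name and every other attribute are plaintext to anyone on the path; TACACS+ keys the pad from the shared key plus the per-session header fields and applies it to everything after the 12-byte header. The TACACS+ flags byte is what a capture would show when someone has left the unencrypted debugging mode on, so it is worth checking in traffic from any device that does support TACACS+.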
09-04-2013 08:23 AM
As per my knowledge TACACS+ is currently not supported.
Currently the authentication for the users can be done based on RADIUS, LDAP and Kerberos.
However if this is something that will be useful in your environment you can ask your Sales Engineer to file a feature request on your behalf.
Hope this helps.
Thank you
Numan
09-04-2013 08:56 AM
There is a guide to authenticate PA to the Cisco ACS using RADIUS settings.
Configuring Cisco ACS 5.2 for use with Palo Alto VSA