11-22-2023 12:14 PM
So I have an interesting issue. I have a Cisco ISE server in our environment doing TACACS+ authentication for all our network devices. ISE is tied to our Active Directory environment, and users in certain OUs are authenticated and authorized based on the AD group they're in. I tried configuring one of our PA-440s to authenticate against the ISE server, however in the TACACS Live Logs I see "INVALID" as the Identity of the user.
Interestingly enough, if I create a user in the local ISE database, and add them to the firewall policy set, then authentication works and I see the correct username in the Identity column.
So authentication works for users in the ISE local ID store, but doesn't work when users are in an Ext ID Store. Is there something I'm missing to allow for external ID source authentication?
FYI, I cannot share screenshots or paste configs as this is in an air-gapped environment.
11-24-2023 05:09 AM - edited 11-24-2023 05:26 AM
Hi @cullums ,
To see the username for failed authentications, you should uncheck "Disclose invalid usernames" under Administration > System > Settings > Security Settings.
To see why the user is failing you should click on the details page icon under Operations > TACACS > Live Logs.
I use TACACS for my NGFW administrative logon, and it works fine. There are a couple of ways to do it:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMYmCAO
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/authentication-types/tacacs
Thanks,
Tom
Edit: TACACS+ with CHAP will not work with AD because PA uses CHAP/MD5. TACACS+ with PAP works fine with AD. https://live.paloaltonetworks.com/t5/general-topics/tacacs-cisco-ise-config/td-p/230962/page/2
11-27-2023 07:17 AM
So, it looks like (now that I can see the username, thanks for that tidbit) I'm getting an error that states "Current Identity Store does not support the authentication method; Skipping it xxxx_AD"
So for whatever reason it's not passing the username to AD. At least now I know where to hone in on the issue. I will say that for admin accounts I have created locally on the ISE server, I am able to authenticate to the firewall. It's only when trying to pass the username to AD that it fails.
11-27-2023 07:42 AM
I just noticed your edit regarding CHAP vs PAP. I just came to the same conclusion and was going to post, but you beat me to it LOL! Thanks for the help. I guess if I want to use ISE as my authentication method I either need to have the admin accounts local on the ISE server in order for CHAP authentication to work, or switch the firewall to PAP and manage the admins through an AD group.
Anyhow, thanks again for the help, I appreciate it!
Steve
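To make the CHAP-vs-PAP point from this thread concrete, here is a small Python model added here (not code from the thread, from ISE or from PAN-OS): a bind-only store standing in for AD, which can confirm a password but never hand it back, a local store that can return the stored secret, and the server-side check for both methods. The class names, the sample users and the salted-SHA-256 stand-in for AD's one-way credential storage are constructed assumptions; the failure reason string mirrors the error quoted above.

```python
import hashlib
import hmac
import os

class BindOnlyStore:  # AD-like store: answers "is this plaintext right?" but never returns the secret
    def __init__(self, users):  # constructed sample users, kept only as salted one-way digests
        self._users = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self._users[name] = (salt, hashlib.sha256(salt + pw.encode()).digest())

    def bind(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, hashlib.sha256(salt + password.encode()).digest())

class LocalStore(BindOnlyStore):  # local store that also keeps a retrievable secret for CHAP
    def __init__(self, users):
        super().__init__(users)
        self._secrets = dict(users)

    def chap_secret(self, username):
        return self._secrets.get(username)

def chap_response(ident, secret, challenge):
    # RFC 1994 CHAP/MD5: Response = MD5(Identifier || Secret || Challenge)
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def tacacs_authenticate(store, username, method, **f):
    # Server-side decision for one TACACS+ login; returns (ok, reason).
    if method == "pap":  # the password itself arrives in the TACACS+ body, so a bind works
        return store.bind(username, f["password"]), "pap bind"
    if method == "chap":  # the server must recompute MD5 over the secret itself
        if not hasattr(store, "chap_secret"):
            return False, "Current Identity Store does not support the authentication method"
        secret = store.chap_secret(username)
        if secret is None:
            return False, "unknown user"
        return hmac.compare_digest(chap_response(f["ident"], secret, f["challenge"]), f["response"]), "chap verify"
    return False, "unsupported method"

def demo():
    ad, local = BindOnlyStore({"steve": "Correct-Horse"}), LocalStore({"admin": "Battery-Staple"})
    ident, challenge = 7, os.urandom(16)
    chap = lambda pw: dict(ident=ident, challenge=challenge, response=chap_response(ident, pw, challenge))
    return {"ad_pap": tacacs_authenticate(ad, "steve", "pap", password="Correct-Horse"),
            "ad_chap": tacacs_authenticate(ad, "steve", "chap", **chap("Correct-Horse")),
            "local_chap": tacacs_authenticate(local, "admin", "chap", **chap("Battery-Staple"))}
```

Running `demo()` shows PAP succeeding against the bind-only store, CHAP failing there with the "does not support the authentication method" reason even though the client sent a correct response, and CHAP succeeding only against the local store.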