11-13-2018 12:38 AM
Dear All,
I integrated PALOALTO with TACACS+ for authentication, but I got the error message below:
Authentication to TACACS+ server at '192.168.101.46' for user 'user1'
Server port: 49, timeout: 10, flag: 0
Egress: 192.168.101.42
Attempting CHAP authentication ...
CHAP authentication request is created
Sending credential: xxxxxx
CHAP authentication request is sent
Authorization request is created
Authorization request sent with priv_lvl=1 user=user1 service=PaloAlto protocol=firewall
Authorization failed: Return code: 17 Illegal packet (version=0xc1 type=0x02)
Authentication/authorization failed against TACACS+ server at 192.168.101.46:49 for user user1
Has anyone encountered this issue?
03-12-2019 01:42 PM - edited 03-12-2019 03:32 PM
Hello,
The message body of this post (TACACS issue) doesn't seem to correlate to the subject line (Policy Based Forwarding).
Have you opened a support case regarding the TACACS message you posted?
Which version of PAN-OS are you running on your firewall?
I know there was at least one case where a bug was identified based on how the firewall was sending an invalid message to the TACACS+ server - the resulting behavior was logged the same as you depict in your post. That particular issue was fixed in PAN-OS 8.0.15.
Please keep in mind that there will always be cases where further investigation is required in order to obtain the root cause before a final resolution is determined. If you are still experiencing this issue, I would recommend that you open a support case to get assistance with this.
Thanks for your post!
Jeff Hochberg | Sr. Systems Engineer - Technical Business Development
Palo Alto Networks | Atlanta, GA | USA
The content of this message is the proprietary and confidential property of Palo Alto Networks and should be treated as such. If you are not the intended recipient and have received this message in error, please delete this message from your computer system and notify me immediately by reply e-mail. Any unauthorized use or distribution of the content of this message is prohibited.
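The two header bytes quoted in the error (version=0xc1, type=0x02) can be decoded against the TACACS+ header layout in RFC 8907, which uses minor version 1 only for authentication packets. The following is an added example, not part of the thread and not PAN-OS or TACACS+ server code; the sequence number, flags, session id and length in the sample packets are constructed.

```python
import struct

# Header layout and constants from RFC 8907, section 4.1.
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length
TAC_PLUS_MAJOR_VER = 0xC
TYPES = {0x01: "authentication", 0x02: "authorization", 0x03: "accounting"}


def parse_header(data):
    """Decode the 12-byte TACACS+ header at the start of a packet."""
    if len(data) < HEADER.size:
        raise ValueError("need %d header bytes, got %d" % (HEADER.size, len(data)))
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(data)
    return {
        "major": version >> 4,      # high nibble of the version byte
        "minor": version & 0x0F,    # low nibble of the version byte
        "type": ptype,
        "seq_no": seq_no,
        "flags": flags,
        "session_id": session_id,
        "length": length,
    }


def header_problems(hdr):
    """Return a list of version/type inconsistencies found in a parsed header."""
    problems = []
    name = TYPES.get(hdr["type"])
    if hdr["major"] != TAC_PLUS_MAJOR_VER:
        problems.append("major version 0x%x is not 0xc" % hdr["major"])
    if name is None:
        problems.append("unknown packet type 0x%02x" % hdr["type"])
    if hdr["minor"] not in (0, 1):
        problems.append("unknown minor version %d" % hdr["minor"])
    elif hdr["minor"] == 1 and name in ("authorization", "accounting"):
        problems.append("%s packet sent with minor version 1; "
                        "authorization and accounting use minor version 0" % name)
    return problems


# Constructed samples: version and type of the first are the values in the
# error message; seq_no, flags, session_id and length are made up.
FROM_ERROR = HEADER.pack(0xC1, 0x02, 1, 0, 0x1234ABCD, 0)
EXPECTED = HEADER.pack(0xC0, 0x02, 1, 0, 0x1234ABCD, 0)

if __name__ == "__main__":
    for label, raw in (("from error", FROM_ERROR), ("minor version 0", EXPECTED)):
        print(label, header_problems(parse_header(raw)) or "no problems")
```

Run against a packet capture of the exchange, the same check shows whether the authorization request on the wire carries 0xc1 or 0xc0 in its first byte.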
05-23-2019 01:52 AM
Hi,
You have successful authentication from TACACS but there is a missing VSA due to which authorization is failing. To resolve this, configure VSA with string value as Superuser on the TACACS server.
Regards
US
06-11-2019 08:21 AM
@singhup thanks for your response!
@HengTIDC please try the recommended solution and let us know if that works for you.
Jeff Hochberg | Sr. Systems Engineer - Technical Business Development
Palo Alto Networks | Atlanta, GA | USA
06-11-2019 08:59 AM
You’re welcome. I’m glad that my TAC experience is useful for others.