cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Who rated this post

Cyber Elite
Cyber Elite

Hi @cullums ,

 

To see the username for failed authentications, you should uncheck "Disclose invalid usernames" under Administration > System > Settings > Security Settings.

 

To see why the user is failing you should click on the details page icon under Operations > TACACS > Live Logs.

 

I use TACACS for my NGFW administrative logon, and it works fine.  There are a couple ways to do it:

 

  1. Configure local administrators with an authentication profile to ISE.  Boom!  Done.
  2. Configure an Authentication Profile under Device/Panorama > Setup >  Management > Authentication Settings.  Here you cannot manually specify the role.  You need to configure VSAs in ISE to send the role to the NGFW.  See the URLs below.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMYmCAO

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/authentication-types/tacacs

 

Thanks,

 

Tom

 

Edit:  TACACS+ with CHAP will not work with AD because PA uses CHAP/MD5.  TACACS+ with PAP works fine with AD.  https://live.paloaltonetworks.com/t5/general-topics/tacacs-cisco-ise-config/td-p/230962/page/2

 

Help the community: Like helpful comments and mark solutions.

View solution in original post

Who rated this post