Cyber Elite

Hi @cullums,


To see the username for failed authentications, you should uncheck "Disclose invalid usernames" under Administration > System > Settings > Security Settings.


To see why the user is failing you should click on the details page icon under Operations > TACACS > Live Logs.


I use TACACS for my NGFW administrative logon, and it works fine. There are a couple ways to do it:


  1. Configure local administrators with an authentication profile to ISE. Boom! Done.
  2. Configure an Authentication Profile under Device/Panorama > Setup > Management > Authentication Settings. Here you cannot manually specify the role. You need to configure VSAs in ISE to send the role to the NGFW. See the URLs below.






Edit: TACACS+ with CHAP will not work with AD because PA uses CHAP/MD5. TACACS+ with PAP works fine with AD.

