Wednesday, April 20, 2016

FortiOS behavior for TACACS+ authen-type

TACACS+ or RADIUS can use PAP, MSCHAP, or CHAP for authentication to an AAA server. We found out that the above sequence was not being honored under FortiOS 5.2.1 with our newly installed ACS 5.8.

So if you see CHAP-related authentication failures with AAA servers similar to these:

Hardcode the authen-type to PAP, since PAP is pretty much playing it safe.




config user tacacs+
    edit "tac+"
        set server "10.10.10.10"
        set secondary-server "10.10.10.11"
        set key mysecretsecretdonttellnoone
        set authen-type pap
        set authorization enable
        set source-ip 192.0.2.2
    next
end
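
An added example (not from the original post): a small Python check that reads a FortiOS configuration backup and lists the TACACS+ entries that do not hardcode authen-type, so they can be fixed as shown above. The sample config, the entry names "tac-lab" and "tac-old", and treating a missing authen-type line or the value auto as "not pinned" are assumptions made for this illustration.

```python
import re

# Constructed sample of a FortiOS config backup (names and addresses are made up).
SAMPLE_CONFIG = '''\
config user tacacs+
    edit "tac+"
        set server "10.10.10.10"
        set authen-type pap
    next
    edit "tac-lab"
        set server "10.10.10.12"
        set authen-type auto
    next
    edit "tac-old"
        set server "10.10.10.13"
    next
end
config user radius
    edit "rad1"
        set server "10.10.10.20"
    next
end
'''

def tacacs_authen_types(config_text):
    """Map each 'config user tacacs+' entry name to its authen-type (None if unset)."""
    entries, in_block, name = {}, False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = (line == "config user tacacs+")
        elif line == "end":            # end of the tacacs+ section
            in_block, name = False, None
        elif line.startswith("edit "):
            name = line[5:].strip().strip('"')
            entries[name] = None
        elif line == "next":
            name = None
        elif name is not None:
            m = re.fullmatch(r"set authen-type (\S+)", line)
            if m:
                entries[name] = m.group(1)
    return entries

def unpinned(config_text):
    """Entries left to negotiate a method: no authen-type line, or 'auto' (assumption)."""
    types = tacacs_authen_types(config_text)
    return sorted(n for n, t in types.items() if t in (None, "auto"))

if __name__ == "__main__":
    for entry in unpinned(SAMPLE_CONFIG):
        print(f"tacacs+ entry {entry!r}: authen-type is not hardcoded")
```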


Ken
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \
