Occasional Contributor II

Clearpass and Fortigate TACACS auth fail

Hi,

I have a problem where TACACS+ authentication is failing from a Fortigate FW. On the Fortigate I have configured a TACACS+ server, and if it is using the authentication method MS-CHAP or CHAP, ClearPass shows the following error in Access Tracker:

"Tacacs server User 'test01' not present in DCN-xxxxxAD(xxxxad.xxx.local).
Failed to authenticate user=test01"

However, if I use PAP as the authentication method, everything works.

The funny thing here is that the user I'm using is NOT "test01". There is nothing named "test01" in the Fortigate's configuration. So why does ClearPass try to authenticate user "test01" when using MS-CHAP or CHAP, while when using PAP ClearPass shows the correct user?

If I'm correct, PAP isn't a very secure method, so that is why I would want to use MS-CHAP.

Thank you for your help!

Regular Contributor I

Re: Clearpass and Fortigate TACACS auth fail

CHAP is not supported in the latest version of ClearPass for TACACS. I actually tried today with MS-CHAP and ClearPass was throwing an 'unknown protocol' error when I tried to authenticate from my Fortigate. I eventually got it working by setting it to PAP.

While PAP does have security issues if transmitted in the open, TACACS encrypts the entire transaction, so I wouldn't be concerned with using PAP over TACACS+ if it's only going over your internal network. Just make sure to set a strong TACACS key.

-------------------
ACDX, ACCP, CISSP, CWNA
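The point made in the reply above, that the TACACS+ packet body (PAP password included) is covered by the shared key, can be seen in the protocol itself. The following is an added example, not code from this thread or from Aruba or Fortinet: a Python implementation of the RFC 8907 section 4.5 body obfuscation (chained MD5 pad XORed over the body), applied to a constructed PAP authentication START packet. The username, password, port, remote address, session ID and shared keys are made-up sample values.

```python
import hashlib
import os

# TACACS+ header constants from RFC 8907. Minor version 1 (0xC1) is the
# version byte used for PAP, CHAP and MS-CHAP authentication.
VERSION_PAP = 0xC1
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pseudo-pad: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}), concatenated and truncated."""
    seed = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad. XOR is its own inverse, so the same call de-obfuscates."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_pap_start(user: bytes, password: bytes,
                    port: bytes = b"vty0", rem_addr: bytes = b"192.0.2.10") -> bytes:
    """Authentication START body for PAP: the password is carried in the data field."""
    header = bytes([
        TAC_PLUS_AUTHEN_LOGIN,
        1,                          # priv_lvl
        TAC_PLUS_AUTHEN_TYPE_PAP,
        TAC_PLUS_AUTHEN_SVC_LOGIN,
        len(user), len(port), len(rem_addr), len(password),
    ])
    return header + user + port + rem_addr + password


def password_offset(body: bytes) -> int:
    """Byte offset of the data field (the PAP password) inside a START body."""
    user_len, port_len, rem_len = body[4], body[5], body[6]
    return 8 + user_len + port_len + rem_len


def demo(key: bytes, wrong_key: bytes = b"not-the-key") -> dict:
    """Show that the password is readable in the plain body, not on the wire,
    and recoverable only with the correct shared key. Values are constructed."""
    session_id = int.from_bytes(os.urandom(4), "big")  # a real client picks this randomly
    body = build_pap_start(b"admin", b"s3cret-pw")
    wire = obfuscate(body, session_id, key, VERSION_PAP, 1)
    off = password_offset(body)
    return {
        "password_in_plain_body": body[off:off + 9] == b"s3cret-pw",
        "password_on_wire": wire[off:off + 9] == b"s3cret-pw",
        "recovered_with_key": obfuscate(wire, session_id, key, VERSION_PAP, 1) == body,
        "recovered_with_wrong_key": obfuscate(wire, session_id, wrong_key, VERSION_PAP, 1) == body,
    }


if __name__ == "__main__":
    for name, result in demo(b"ShAr3d-TACACS-k3y").items():
        print(f"{name}: {result}")
```

The pad is derived entirely from the shared key plus values that are sent in the clear in the packet header (session ID, version, sequence number), which is why the reply's advice about a strong TACACS key is the part that matters: with a weak or guessable key the whole exchange, PAP password included, is readable to anyone capturing the traffic. Note that RFC 8907 calls this mechanism obfuscation rather than encryption and expects TACACS+ to run only on a trusted management network, which matches the reply's "internal network" caveat.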
Occasional Contributor II

Re: Clearpass and Fortigate TACACS auth fail

Hi,

Thank you for your response, this is good to know.
