I have a problem where TACACS+ authentication is failing from the FortiGate FW. On the FortiGate I have configured a TACACS+ server, and if it is using MS-CHAP or CHAP as the authentication method, ClearPass shows the following error in Access Tracker:
"Tacacs server User 'test01' not present in DCN-xxxxxAD(xxxxad.xxx.local).Failed to authenticate user=test01"
However, if I use PAP as the authentication method, everything works.
The funny thing here is that the user I'm using is NOT "test01". There is nothing named "test01" in the FortiGate's configuration. So why does ClearPass try to authenticate user "test01" when using MS-CHAP or CHAP, while when using PAP ClearPass shows the correct user?
If I'm correct, PAP isn't a very secure method, so that is why I would want to use MS-CHAP.
Thank you for your help!
CHAP is not supported in the latest version of ClearPass for TACACS. I actually tried today with MS-CHAP and ClearPass was throwing an 'unknown protocol' error when I tried to authenticate from my FortiGate. I eventually got it working by setting it to PAP.
While PAP does have security issues if transmitted in the open, TACACS encrypts the entire transaction, so I wouldn't be concerned with using PAP over TACACS+ if it's only going over your internal network. Just make sure to set a strong TACACS key.
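Since PAP over TACACS+ relies entirely on that shared key, here is an added example (my own code, not from the thread, ClearPass or FortiGate) of the RFC 8907 body obfuscation that hides the PAP password inside an authentication START packet; the username, password, session ID and key are constructed values.

```python
# Added example, not code from the thread, ClearPass or FortiGate: RFC 8907 body obfuscation
# applied to a PAP authentication START packet. All names, secrets and IDs are constructed.
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0           # major version 0xC, default minor version 0
TAC_PLUS_AUTHEN_LOGIN = 0x01      # action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02   # authen_type
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01  # authen_service


def pap_start_body(user: bytes, password: bytes, port: bytes = b"ssh",
                   rem_addr: bytes = b"192.0.2.10", priv_lvl: int = 15) -> bytes:
    """Authentication START body (RFC 8907 section 5.1); for PAP the password rides in 'data'."""
    header = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP,
                         TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(password))
    return header + user + port + rem_addr + password


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(same fields, MD5_n-1);
    the digests are concatenated and truncated to the body length (RFC 8907 section 4.5)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes,
              version: int = TAC_PLUS_VERSION, seq_no: int = 1) -> bytes:
    """XOR the body with the pad; XOR is symmetric, so this also de-obfuscates a received body.
    If the header's TAC_PLUS_UNENCRYPTED_FLAG is set, no pad is applied and the body is sent clear."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def demo(key: bytes = b"long-random-shared-secret-example") -> dict:
    """Constructed values: what a capture of the TCP session does and does not reveal."""
    password = b"S3cretPass!"
    body = pap_start_body(b"admin01", password)
    session_id = 0x1A2B3C4D  # constructed; a real client picks this randomly per session
    wire = obfuscate(body, session_id, key)
    return {
        "password_visible_on_wire": password in wire,
        "recovered_with_key": obfuscate(wire, session_id, key) == body,
        "recovered_with_wrong_key": obfuscate(wire, session_id, b"wrong-key") == body,
    }
```

The pad is a chained MD5 keystream derived from the secret, which RFC 8907 calls obfuscation rather than encryption, so the secret's strength and the isolation of the management path are what actually protect the password.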
Thank you for your response, this is good to know.
© Copyright 2021 Hewlett Packard Enterprise Development LP. All Rights Reserved.