Security

last person joined: 5 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass and Fortigate TACACS auth fail

Jump to Best Answer
This thread has been viewed 6 times
  • 1.  Clearpass and Fortigate TACACS auth fail

    Posted Dec 08, 2017 06:31 AM

    Hi,

     

    I have a problem where TACACS+ authentication is failing from fortigate FW. On Fortigate I have configured TACACS+ server and if it is using is authentication methods ms-chap or chap, Clearpass show following error in Access Tracker: 

    "Tacacs server User 'test01' not present in DCN-xxxxxAD(xxxxad.xxx.local).
    Failed to authenticate user=test01

     

    However, if I use PAP in authentication method, everything works. 

    Funny here is, that user which Im using is NOT "test01". There is nothing named "test01" in Fortigates configuration. So why Clearpass tries authenticate user "test01" when using mschap or chap and when using pap Clearpass shows correct user?

    If Im correct, pap isn't very secure method, so that is why I would want use mschap.

     

    Thank you for your help!



  • 2.  RE: Clearpass and Fortigate TACACS auth fail
    Best Answer

    Posted Dec 08, 2017 02:24 PM

    Chap is not supported in latest version of clearpass for TACACS. I actually tried today with mschap and ClearPass was throwing an 'unknown protocol' error when i tried to authenticate from my Fortigate. I eventually got it working by setting it to PAP. 

     

    While PAP does have security issues if transmitted in the open, TACACS encrypts the entire transaction, so i wouldnt be concerned with using PAP over TACACS+ if its only going over your internal network. Just make sure to set a strong TACACS Key. 



  • 3.  RE: Clearpass and Fortigate TACACS auth fail

    Posted Dec 11, 2017 02:34 AM

    Hi,

     

    thank you for your response, this is good to know.