12-08-2017 03:31 AM
I have a problem where TACACS+ authentication is failing from a Fortigate FW. On the Fortigate I have configured a TACACS+ server, and if it is using the authentication methods MS-CHAP or CHAP, ClearPass shows the following error in Access Tracker:
"Tacacs server User 'test01' not present in DCN-xxxxxAD(xxxxad.xxx.local).
Failed to authenticate user=test01"
However, if I use PAP as the authentication method, everything works.
The funny thing here is that the user I'm using is NOT "test01". There is nothing named "test01" in the Fortigate's configuration. So why does ClearPass try to authenticate user "test01" when using MS-CHAP or CHAP, while ClearPass shows the correct user when using PAP?
If I'm correct, PAP isn't a very secure method, so that is why I would want to use MS-CHAP.
Thank you for your help!
12-08-2017 11:23 AM - edited 12-08-2017 11:24 AM
CHAP is not supported in the latest version of ClearPass for TACACS+. I actually tried today with MS-CHAP and ClearPass was throwing an 'unknown protocol' error when I tried to authenticate from my Fortigate. I eventually got it working by setting it to PAP.
While PAP does have security issues if transmitted in the open, TACACS+ encrypts the entire transaction, so I wouldn't be concerned with using PAP over TACACS+ if it's only going over your internal network. Just make sure to set a strong TACACS+ key.
ACDX, ACCP, CISSP, CWNA
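As an added illustration of the point made in the answer above (example code written for this page, not from the thread, Aruba or Fortinet): RFC 8907 protects the TACACS+ body by XORing it with a chained-MD5 pseudo-pad derived from the session id and the shared key (the RFC calls this obfuscation), so a PAP password is not readable on the wire, but that protection rests entirely on the secrecy and strength of the key. The user, password, port, remote address, session id and key below are constructed sample values.

```python
import hashlib
import struct

# TACACS+ constants from RFC 8907.
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01      # action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02   # authen_type
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01  # service

def pseudo_pad(session_id: int, key: str, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 pseudo-pad: MD5(session_id, key, version, seq_no[, previous hash]) chained
    until enough bytes exist, then truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key.encode() + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]

def obfuscate(session_id: int, key: str, version: int, seq_no: int, body: bytes) -> bytes:
    """XOR the body with the pseudo-pad. XOR is symmetric, so the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_pap_start(user: str, password: str, port: str = "vty0",
                    rem_addr: str = "192.0.2.10", priv_lvl: int = 15) -> bytes:
    """Authentication START body for PAP: the password is carried in the data field
    (constructed sample values)."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d

def build_packet(session_id: int, key: str, body: bytes, seq_no: int = 1) -> bytes:
    """12-byte header plus obfuscated body. Minor version 1 is required for PAP/CHAP/MS-CHAP START;
    flags = 0 means the body is obfuscated (TAC_PLUS_UNENCRYPTED_FLAG not set)."""
    version = (TAC_PLUS_MAJOR_VER << 4) | 0x1
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, 0x00, session_id, len(body))
    return header + obfuscate(session_id, key, version, seq_no, body)

def recover_body(packet: bytes, key: str) -> bytes:
    """What the server does: read the header, rebuild the pad with its copy of the key, undo the XOR."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    return obfuscate(session_id, key, version, seq_no, packet[12:12 + length])
```

A capture of the packet shows neither the username nor the password, and a server holding a different key recovers only garbage, which is why the key must be strong and must stay confined to the devices that need it.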