Test a TACACS+ Authentication Profile
The following example shows how to test a TACACS+ authentication profile named TACACS-Profile for a user named User3-TACACS and how to troubleshoot the error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.
TACACS+ Authentication Profile Test Example
On the PAN-OS firewall, Configure a TACACS+ Server Profile and Configure an authentication profile. In the authentication profile, you select the new TACACS+ server profile in the Server Profile drop-down.
Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
(Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured so that the test authentication command can locate the user (a GlobalProtect or Captive Portal user, for example) in the correct vsys. To define the target vsys:

    admin@PA-3060> set system setting target-vsys <vsys-name>

For example, if the user is defined in vsys2, run the following command:

    admin@PA-3060> set system setting target-vsys vsys2

The target-vsys setting is per login session, so the system clears it when you log off.
Run the following CLI command:

    admin@PA-3060> test authentication authentication-profile TACACS-Profile username User3-TACACS password
When prompted, enter the password for the User3-TACACS account. The following output shows that the test failed:

    Do allow list check before sending out authentication request...
    name "User2-TACACS" is in group "all"
    Authentication to TACACS+ server at '10.5.196.62' for user 'User2-TACACS'
    Server port: 49, timeout: 30, flag: 0
    Egress: 10.5.104.98
    Attempting CHAP authentication ...
    CHAP authentication request is created
    Sending credential: xxxxxx
    Failed to send CHAP authentication request: Network read timed out
    Attempting PAP authentication ...
    PAP authentication request is created
    Failed to send PAP authentication request: Network read timed out
    Returned status: -1
    Authentication failed against TACACS+ server at 10.5.196.62:49 for user User2-TACACS
    Authentication failed for user "User2-TACACS"

The output shows the error Network read timed out, which indicates that the TACACS+ server could not decrypt the authentication request. In this case, there may be an issue with the secret defined in the TACACS+ server profile.
To resolve this issue, modify the TACACS+ server profile and ensure that the secret defined on the TACACS+ server matches the secret in the server profile. On the firewall, select Device > Server Profiles > TACACS+ and modify the profile named TACACS-Profile. In the Servers section, locate the TACACS+ server and modify the Secret field. Enter the correct secret and retype it to confirm. Click OK to save the change.
Run the test command again. The following output shows that the test is successful:

    Do allow list check before sending out authentication request...
    name "User2-TACACS" is in group "all"
    Authentication to TACACS+ server at '10.5.196.62' for user 'User2-TACACS'
    Server port: 49, timeout: 30, flag: 0
    Egress: 10.5.104.98
    Attempting CHAP authentication ...
    CHAP authentication request is created
    Sending credential: xxxxxx
    CHAP authentication request is sent
    Authentication succeeded!
    Authentication succeeded for user "User2-TACACS"
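The failed and successful transcripts above are normally read by eye. As an added example that is not part of this page or of PAN-OS, the following Python parser pulls the server, port, user and per-method failure reason out of that output and maps the "Network read timed out" symptom to the shared-secret check described above; the sample outputs are reproduced from the page, the function and field names are my own.

```python
import re
# Sample outputs reproduced from the page: the failed run verbatim, the successful run trimmed to the lines the parser reads.
FAILED_OUTPUT = """\
Do allow list check before sending out authentication request...
name "User2-TACACS" is in group "all"
Authentication to TACACS+ server at '10.5.196.62' for user 'User2-TACACS'
Server port: 49, timeout: 30, flag: 0
Egress: 10.5.104.98
Attempting CHAP authentication ...
CHAP authentication request is created
Sending credential: xxxxxx
Failed to send CHAP authentication request: Network read timed out
Attempting PAP authentication ...
PAP authentication request is created
Failed to send PAP authentication request: Network read timed out
Returned status: -1
Authentication failed against TACACS+ server at 10.5.196.62:49 for user User2-TACACS
Authentication failed for user "User2-TACACS"
"""
SUCCESS_OUTPUT = """\
Authentication to TACACS+ server at '10.5.196.62' for user 'User2-TACACS'
Server port: 49, timeout: 30, flag: 0
CHAP authentication request is sent
Authentication succeeded!
Authentication succeeded for user "User2-TACACS"
"""
SERVER_RE = re.compile(r"server at '(?P<server>[^']+)' for user '(?P<user>[^']+)'")
PORT_RE = re.compile(r"Server port: (?P<port>\d+), timeout: (?P<timeout>\d+)")
FAIL_RE = re.compile(r"Failed to send (?P<method>CHAP|PAP) authentication request: (?P<reason>.+)")

def parse_test_output(output):
    # Reduce the CLI transcript to the fields worth acting on: target server, per-method failure, outcome.
    res = {"server": None, "port": None, "user": None, "failures": {}, "succeeded": False}
    for line in output.splitlines():
        if m := SERVER_RE.search(line):
            res["server"], res["user"] = m["server"], m["user"]
        elif m := PORT_RE.search(line):
            res["port"], res["timeout"] = int(m["port"]), int(m["timeout"])
        elif m := FAIL_RE.search(line):
            res["failures"][m["method"]] = m["reason"].strip()
        elif line.startswith("Authentication succeeded!"):
            res["succeeded"] = True
    return res

def diagnose(res):
    # A read timeout on every method tried is the symptom the page ties to a secret mismatch; an unreachable TCP/49 times out the same way, so confirm reachability first.
    if res["succeeded"]:
        return "ok"
    if res["failures"] and set(res["failures"].values()) == {"Network read timed out"}:
        return "check-shared-secret"
    return "inspect-output"
```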