TACACS+ or RADIUS can use PAP, MSCHAP, or CHAP for authentication to a AAA server. We found out that the above sequence was not being honored under FortiOS 5.2.1 with our newly installed ACS 5.8.
So if you see CHAP-related authentication failures with AAA servers similar to these:
Hardcode the authen-type to PAP since PAP is pretty much playing it safe.
config user tacacs+
    edit "tac+"
        set server "10.10.10.10"
        set secondary-server "10.10.10.11"
        set key mysecretsecretdonttellnoone
        set authen-type pap
        set authorization enable
        set source-ip 192.0.2.2
    next
end
Ken
NSE (Network Security Expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \