https://community.checkpoint.com/t5/Firewall-and-Security-Management/Fine-tuning-on-tacacs-authentication/m-p/197196#M36829 <P>Hi CheckMates,</P><P>I've configured tacacs+ on my gateways and it's working properly.</P><P>However, when the user type a bad password, the account is locked instantly on AD.</P><P>The gateway is retrying the same authentication with bad credentials, until the user got blocked.</P><P>I would like to know, if is there any fine tuning on tacacs configuration in the gateways to avoid this problem.</P><P>I'm using 2 tacacs servers with 60s of timeout.</P><P>&nbsp;</P> Mon, 06 Nov 2023 14:48:35 GMT cassiomaciel 2023-11-06T14:48:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Fine-tuning-on-tacacs-authentication/m-p/197196#M36829 <P>Hi CheckMates,</P><P>I've configured tacacs+ on my gateways and it's working properly.</P><P>However, when the user type a bad password, the account is locked instantly on AD.</P><P>The gateway is retrying the same authentication with bad credentials, until the user got blocked.</P><P>I would like to know, if is there any fine tuning on tacacs configuration in the gateways to avoid this problem.</P><P>I'm using 2 tacacs servers with 60s of timeout.</P><P>&nbsp;</P> Mon, 06 Nov 2023 14:48:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Fine-tuning-on-tacacs-authentication/m-p/197196#M36829 cassiomaciel 2023-11-06T14:48:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Fine-tuning-on-tacacs-authentication/m-p/197250#M36830 <P>What version/JHF?<BR />What functionality is TACACS+ configured to provide authentication for?</P> Mon, 06 Nov 2023 23:12:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Fine-tuning-on-tacacs-authentication/m-p/197250#M36830 PhoneBoy 2023-11-06T23:12:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Fine-tuning-on-tacacs-authentication/m-p/197347#M36871 <P>Hi,</P><P>All gateways are in R81.10 with JHF 95 or JHF 110, also I've a mix of maestro and traditional clusters.</P><P>We're using TACACS+ to authenticate users by console via ssh and gaia via https.</P><P>We configured the roles TACP-0 with a few features in read-only and some custom commands and TACP-15 with all features in read-write.</P><P>On my TACACS+ server, I noticed 2 attempts in a row, coming from the gateway with a difference of 6s or less, the gateway is trying to authenticate on both servers, that result in 4 failed authentications.</P><P>Our password policy on AD, block the user with 3 failed attemtps.</P><P>is it expected to gateway try authenticate the user twice?&nbsp;Is there any configuration that I can do or is better to open a case with TAC?</P><P>&nbsp;</P> Tue, 07 Nov 2023 19:25:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Fine-tuning-on-tacacs-authentication/m-p/197347#M36871 cassiomaciel 2023-11-07T19:25:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Fine-tuning-on-tacacs-authentication/m-p/197361#M36872 <P>Not sure if it should be trying to authenticate on both TACACS+ servers.<BR />A TAC case is probably warranted here: <A href="https://help.checkpoint.com" target="_blank">https://help.checkpoint.com</A>&nbsp;</P> Tue, 07 Nov 2023 20:36:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Fine-tuning-on-tacacs-authentication/m-p/197361#M36872 PhoneBoy 2023-11-07T20:36:21Z