https://community.checkpoint.com/t5/General-Topics/Failed-login-alerts-because-of-TACACS-authentication-failure/m-p/243761#M40704 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/38213">@the_rock</a>&nbsp;,</P><P>Logs coming up, give me sometime.</P><P>====</P><P>WR,</P><P>FH</P> Thu, 13 Mar 2025 17:52:35 GMT Firewall_Head 2025-03-13T17:52:35Z https://community.checkpoint.com/t5/General-Topics/Failed-login-alerts-because-of-TACACS-authentication-failure/m-p/243729#M40701 <P>Hi Checkmates,</P><P>I have a firewall with TACACS+ enabled and it's working fine.&nbsp;<BR /><BR />I also have some local users configured for administration, but whenever I login using the local user ID, it creates a <STRONG>"failed authentication"</STRONG> log.</P><P>Why is my local user even getting authenticated with the TACACS+ server.</P><P>Can somebody help me on this ? This is creating a headache for the SOC team.</P><P>&nbsp;</P><P>Thanks in advance !</P><P>========</P><P>WR,</P><P>FH</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 13 Mar 2025 12:20:25 GMT https://community.checkpoint.com/t5/General-Topics/Failed-login-alerts-because-of-TACACS-authentication-failure/m-p/243729#M40701 Firewall_Head 2025-03-13T12:20:25Z https://community.checkpoint.com/t5/General-Topics/Failed-login-alerts-because-of-TACACS-authentication-failure/m-p/243755#M40703 <P>Hey bro,</P> <P>Do you have a screenshot of it by any chance?</P> <P>Andy</P> Thu, 13 Mar 2025 16:01:48 GMT https://community.checkpoint.com/t5/General-Topics/Failed-login-alerts-because-of-TACACS-authentication-failure/m-p/243755#M40703 the_rock 2025-03-13T16:01:48Z https://community.checkpoint.com/t5/General-Topics/Failed-login-alerts-because-of-TACACS-authentication-failure/m-p/243761#M40704 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/38213">@the_rock</a>&nbsp;,</P><P>Logs coming up, give me sometime.</P><P>====</P><P>WR,</P><P>FH</P> Thu, 13 Mar 2025 17:52:35 GMT https://community.checkpoint.com/t5/General-Topics/Failed-login-alerts-because-of-TACACS-authentication-failure/m-p/243761#M40704 Firewall_Head 2025-03-13T17:52:35Z https://community.checkpoint.com/t5/General-Topics/Failed-login-alerts-because-of-TACACS-authentication-failure/m-p/243762#M40705 <P>If it does not help, we can do quick remote tomorrow.</P> <P>Andy</P> Thu, 13 Mar 2025 17:53:34 GMT https://community.checkpoint.com/t5/General-Topics/Failed-login-alerts-because-of-TACACS-authentication-failure/m-p/243762#M40705 the_rock 2025-03-13T17:53:34Z https://community.checkpoint.com/t5/General-Topics/Failed-login-alerts-because-of-TACACS-authentication-failure/m-p/243967#M40730 <P>Hey bro,</P> <P>Just thought of something. IF you want to block local users from connecting, you can run blockSFAInternalUsers command from fw expert mode to see what it shows, just add -s flag and it would show you how to block it if you want.</P> <P>Andy</P> <P>[Expert@R82:0]# blockSFAInternalUsers</P> <P>Internal User, Single Factor Auth. Blocking Utility</P> <P>Usage: blockSFAInternalUsers [flags]</P> <P>-s show current status<BR />-a allow internal users with password single factor to authenticate<BR />-b block internal users with password single factor from authenticating</P> <P>[Expert@R82:0]# blockSFAInternalUsers -s</P> <P>blockSFAInternalUsers: Allowed</P> <P>[Expert@R82:0]#</P> Mon, 17 Mar 2025 16:33:04 GMT https://community.checkpoint.com/t5/General-Topics/Failed-login-alerts-because-of-TACACS-authentication-failure/m-p/243967#M40730 the_rock 2025-03-17T16:33:04Z