topic Re: Legacy remote user connection error in SASE and Remote Access

Legacy remote user connection error

Matlu — Mon, 05 Jun 2023 00:21:45 GMT

Hello, team.

I have remote VPN users, who connect to my ClusterXL, but the particularity of these users, is that they are TACACS+ users.

I understand that the way to add a new user is with the "Add Legacy User Access" option, is this correct?

I have added a new user.

I only created a user object, and a user group object, and I call it to my security rule, but the user indicates that he cannot log in, and in the logs I only see a "Log Failed" event.

This is a problem to be solved from TACACS+???? itself.

This option of "Legacy Users", is for all the environments in which it is integrated to the SMS with a TACACS+?????

Greetings.

Re: Legacy remote user connection error

the_rock — Mon, 05 Jun 2023 01:14:41 GMT

Log failed, thats it? No any other logs?

Andy

Re: Legacy remote user connection error

Matlu — Mon, 05 Jun 2023 13:51:51 GMT

Hi, Bro.

This is what appears to me in the log detail.

The user is a TACACS+ user, and the security rule in the Firewall is created in the source field with the "add legacy user access".

I have created a user object, and in turn a group object, the group object, I have authenticated it with the tacacs+ server.

Within the VPN Community of Remote Access VPN, I have already called the group object, but still, I still cannot log the user in.

Any idea where the error could be?

Re: Legacy remote user connection error

PhoneBoy — Mon, 05 Jun 2023 17:06:49 GMT

Wrong username or password is an issue that would have to be resolved with the TACACS+ configuration.
Or it could be that the user has either non-ASCII characters and/or a password that is longer than is supported similar to what occurs with RADIUS v1.

For your Access Policy, the correct approach is to create an Access Role for your users.
These can be created in terms of the group object you've created.