cassiomaciel
Contributor

Fine tuning on TACACS+ authentication

Hi CheckMates,

I've configured tacacs+ on my gateways and it's working properly.

However, when the user types a bad password, the account is locked instantly in AD.

The gateway is retrying the same authentication with bad credentials until the user gets blocked.

I would like to know if there is any fine tuning in the TACACS+ configuration on the gateways to avoid this problem.

I'm using 2 TACACS+ servers with a 60s timeout.


0 Kudos

3 Replies
PhoneBoy
Admin

What version/JHF?
What functionality is TACACS+ configured to provide authentication for?

0 Kudos
cassiomaciel
Contributor

Hi,

All gateways are on R81.10 with JHF 95 or JHF 110; I also have a mix of Maestro and traditional clusters.

We're using TACACS+ to authenticate users on the console via SSH and on Gaia via HTTPS.

We configured the roles TACP-0 with a few features in read-only and some custom commands, and TACP-15 with all features in read-write.

On my TACACS+ server, I noticed 2 attempts in a row coming from the gateway, 6s or less apart. The gateway is trying to authenticate on both servers, which results in 4 failed authentications.

Our password policy on AD blocks the user after 3 failed attempts.

Is it expected for the gateway to try to authenticate the user twice? Is there any configuration that I can do, or is it better to open a case with TAC?


0 Kudos
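One way to make the amplification described in the reply above visible from the TACACS+ server side, as an added example that is not part of the original post and not Check Point's or any TACACS+ daemon's code: collapse failures that arrive from the same gateway for the same user within a short window into one user-typed attempt, then compare the number of backend failures per attempt with the directory's lockout threshold. The log line format, server and gateway names, and the helper names (`collapse_retries`, `amplification_report`) are constructed for this example; only the 6s spacing and the 3-failure AD threshold come from the thread.

```python
"""Detect TACACS+ failure amplification that can trip a directory lockout.

Added example for the thread above; the log format below is constructed and
assumed, not the format of any real TACACS+ daemon or of Check Point logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: <ISO timestamp> <tacacs server> <gateway> <result> user=<name>
# jdoe types one bad password once at 10:00 and once at 10:20; the gateway retries
# and fans out to both servers, so the first typo alone yields 4 backend failures.
SAMPLE_LOG = """\
2024-05-01T10:00:00 tacacs-a gw-cluster1 authen-fail user=jdoe
2024-05-01T10:00:04 tacacs-a gw-cluster1 authen-fail user=jdoe
2024-05-01T10:00:05 tacacs-b gw-cluster1 authen-fail user=jdoe
2024-05-01T10:00:09 tacacs-b gw-cluster1 authen-fail user=jdoe
2024-05-01T10:20:00 tacacs-a gw-cluster1 authen-fail user=jdoe
2024-05-01T10:05:00 tacacs-a gw-cluster1 authen-fail user=asmith
2024-05-01T10:07:00 tacacs-a gw-cluster1 authen-pass user=asmith
"""

DEDUP_WINDOW = timedelta(seconds=6)  # from the thread: retries land 6s or less apart
AD_LOCKOUT_THRESHOLD = 3             # from the thread: AD locks after 3 failed attempts


def parse_line(line):
    """Split one constructed log line into a dict of its fields."""
    ts, server, gateway, result, user_field = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "server": server,
        "gateway": gateway,
        "result": result,
        "user": user_field.split("=", 1)[1],
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def collapse_retries(events, window=DEDUP_WINDOW):
    """Group failures per (user, gateway) into user-initiated attempts.

    A failure that follows the previous failure for the same user and gateway
    within `window` is treated as the gateway retrying (possibly against the
    other server), not as a new password typed by the user.
    Returns {(user, gateway): [[event, ...], ...]}, one inner list per attempt.
    """
    failures = sorted(
        (e for e in events if e["result"] == "authen-fail"), key=lambda e: e["ts"]
    )
    groups = defaultdict(list)
    for e in failures:
        attempts = groups[(e["user"], e["gateway"])]
        if attempts and e["ts"] - attempts[-1][-1]["ts"] <= window:
            attempts[-1].append(e)      # same typed password, gateway-side retry
        else:
            attempts.append([e])        # a new attempt by the user
    return groups


def amplification_report(groups, threshold=AD_LOCKOUT_THRESHOLD):
    """Compare what the user did with what the directory saw, per (user, gateway).

    `single_typo_locks_account` is True when one typed password already produces
    at least `threshold` backend failures, i.e. lockout no longer depends on the
    user's behaviour at all.
    """
    report = {}
    for key, attempts in groups.items():
        per_attempt = [len(a) for a in attempts]
        report[key] = {
            "user_attempts": len(attempts),
            "backend_failures": sum(per_attempt),
            "max_failures_per_attempt": max(per_attempt),
            "servers": sorted({e["server"] for a in attempts for e in a}),
            "single_typo_locks_account": max(per_attempt) >= threshold,
        }
    return report


if __name__ == "__main__":
    for (user, gateway), row in amplification_report(
        collapse_retries(parse_log(SAMPLE_LOG))
    ).items():
        print(f"{user}@{gateway}: {row}")
```

Run against real server logs, the interesting rows are those with `max_failures_per_attempt` at or above the directory threshold: they identify the gateways whose retry and failover behaviour, rather than the users, are the cause of the lockouts, which is the evidence a TAC case or a retry-timeout change would need.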
PhoneBoy
Admin

Not sure if it should be trying to authenticate on both TACACS+ servers.
A TAC case is probably warranted here: https://help.checkpoint.com
