Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
TA_05
Participant

TACACS+ Authentication-Failure:Only TACACS+ Users can do enable (r80.10/r80.20)

Already preparing to open an SR for this but wanted to post my issue to see if anyone else has run into this when using TACACS for Authentication on the Gateways. No issues authenticating the first time, get my MFA prompt and all is well. Then comes my attempt to elevate privilege:

:TACP-0> tacacs_enable TACP-15
Failure: Only TACACS+ users can do enable

Figured it was worth a shot to see if anyone else has seen this issue while I get all of the necessary information to Checkpoint for further investigation.

0 Kudos
5 Replies
G_W_Albrecht
Legend Legend
Legend

Look here: sk101573: How to configure Gaia OS to work with a TACACS+ server

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
TA_05
Participant

Thanks for that, I used the same guide for my configuration on the Gateways.  May need to have the TACACS Server configuration double checked as that box is outside of my control.

0 Kudos
TA_05
Participant

After enough digging and finally making sure to "check my own backyard", I found the issue with TACACS+ had to do with X11 forwarding.  I typically use the MobaXterm tool for connectivity and sure enough, I found on any gateways which I have been experiencing the issue, that X11 Forwarding was enabled in the save sessions (Even though I had disabled X11 Forwarding globally).  Another note for informational purposes, I found this was not an issue on appliances that are running R80.20SP as I have yet to experience the TACACS+ error on any of these gateways. Hopefully this helps someone else avoid running into this issue in the future!

0 Kudos
Henrik_Noerr1
Advisor

One issue you need to be aware of with tacacs, is that if you have multiple tacacs servers defined and you mistype your password - gaia will ask every server defined.

This could easily lead to user lock out.

/Henrik

0 Kudos
TA_05
Participant

Good looking out, thankfully we only have one Tacacs server so this would not be the case for my situation. But will definitely keep this in mind going forward. Thanks again!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events