Symantec Privileged Access Management

 View Only
  • 1.  CA PAM: Working with TACACS+

    Posted May 10, 2016 06:08 PM

    Dear All,


    I am integrating CA PAM with TACACS+ server, All configuration shows correct as TACACS+ events shows that authentication from CA PAM user is successful, but on other hand CA-PAM shows server not available and login fails.


    Anybody faced such issues ? any pointers ?



  • 2.  Re: CA PAM: Working with TACACS+

    Posted May 11, 2016 01:08 AM

    If it is an AD account which is mapped with TACAS for authentication and authorization, I think you can do it.


    1) Define application with application type as Cisco

    2) In Accounts, Define a account and select the application as created in step1, Under Account type select TACAS+,

    Select Connect As  : This account

    Access Privilage As : This account.


    This works for me, Let me know if this helps for you as well..

  • 3.  Re: CA PAM: Working with TACACS+

    Posted May 11, 2016 07:27 AM

    Thanks a lot for your response.. but currently what i am trying to achieve is to authenticate PAM user with TACACS+ during their login time.


    do let me know if you have such scenarios or can assist on the same.


    Thanks again mate for all the assistance

  • 4.  Re: CA PAM: Working with TACACS+
    Best Answer

    Posted May 12, 2016 12:01 AM

    What version of PAM you are testing this on?

    I do see the same behavior on PAM 2.5


    TACACS Log:


    Wed May 11 23:34:45 2016 [9762]: authorization query for 'jonathanm' Virtual00 from accepted


    PAM Log:


    DetailsUser jonathanm cannot be authorized. Make sure the server is available. TACACS+


    Message 18002: Bad User ID (jonathanm) or Password.





    Vinay Reddy

  • 5.  Re: CA PAM: Working with TACACS+

    Posted May 12, 2016 02:54 AM

    Thanks Vinay,


    I am using PAM 2.5 and its the same error i am facing..

    I will keep you posted if there is any progress on the same and likewise if you hit any door please share the same.




  • 6.  Re: CA PAM: Working with TACACS+

    Broadcom Employee
    Posted Nov 21, 2016 03:38 AM

    I would suggest a couple of things


    1. Log in to the cisco router and run a show run to make sure the tacacs+ server is selected

    2. Login to the tacacs+ acs server user interface to look into the user you are trying to manage and see its properties

    3. Retry the login procedure but outside CA PAM. What PAM is doing when managing a tacacs+ account is basically hitting an Enter whenever it receives the prompt from the CISCO router, and that triggers a Change your password prompt. See if when you do this manually for that user, by ssh'ing to the cisco router, you are able to hit enter and change the password. If you get an error there, don't go further: if you can't do it directly from outside pam pam won't be able to do it either

    4. If 3 works, then if you have a local user to tacacs+ (one which is not ad integrated) try that one. if that one works, then the problem will be with the communication with AD

    5. If 3 or 4 are unclear or still do not work, repeat the procedure and ge the catalina log. That one will tell you exactly what PAM is doing


    Ultimately, if you can't sort it out, please open a case with CA Support. We will be happy to assist :-)

  • 7.  Re: CA PAM: Working with TACACS+

    Posted Nov 21, 2016 03:30 AM

    Hi Moiz,


    Did you resolve your problem? I use CA PAM version 2.6 and I saw the same issue like you



  • 8.  Re: CA PAM: Working with TACACS+

    Posted Nov 30, 2016 07:38 AM

    Hi Moiz.  TACACS is like LDAP and Radius in that you have to add a group to CA PAM.  Did you create a TACACS group in CA PAM, after adding TACACS on the 3rd party page?