ION sends authentication requests using CHAP after overriding the AAA TACACS+ configuration to use PAP

Created On 05/27/25 15:02 PM - Last Modified 04/09/26 02:44 AM


Symptom


  • The element's TACACS+ configuration is overridden to use PAP, but the ION still sends authentication requests using CHAP.
  • This causes authentication failure.
  • The TACACS+ server (Cisco ISE in this case) reports "Authentication failure" and "Root Cause Subject not found in the applicable identity store(s)".


Environment


  • Prisma SD-WAN
  • ION devices
  • 6.5.1-b5 onwards
  • TACACS+ authentication
  • Cisco ISE TACACS+


Cause


A defect in the configuration update for TACACS+.



Resolution


  1. Workaround: delete the AAA TACACS+ profile and create a new one with PAP as the authentication protocol.
  2. The issue is fixed in software version 6.6.1.


Additional Information
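
To confirm which authentication type a device actually puts on the wire, before and after the workaround, the authen_type field of the TACACS+ Authentication START packet can be decoded from a capture. The Python below is an added example, not Palo Alto Networks code: it follows the RFC 8907 packet layout and MD5 pad, and the shared key, username, port and address in it are constructed sample values.

```python
import hashlib
import struct

AUTHEN_TYPES = {1: "ASCII", 2: "PAP", 3: "CHAP", 5: "MSCHAP", 6: "MSCHAPV2"}
TAC_PLUS_AUTHEN = 0x01            # header "type" value for authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body is not obfuscated


def pad_xor(header: bytes, body: bytes, key: bytes) -> bytes:
    """Apply (or remove) the RFC 8907 MD5 pseudo-pad; the XOR is symmetric."""
    version, seq_no, session_id = header[0:1], header[2:3], header[4:8]
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(session_id + key + version + seq_no + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def start_authen_type(packet: bytes, key: bytes):
    """Return the authen_type name of an Authentication START, else None."""
    if len(packet) < 12:
        raise ValueError("short TACACS+ header")
    _ver, ptype, seq_no, flags, _sid, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if ptype != TAC_PLUS_AUTHEN or seq_no != 1:
        return None  # only the first authentication packet is a START
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = pad_xor(packet[:12], body, key)
    # Bytes 4..7 are user_len, port_len, rem_addr_len, data_len.
    if len(body) < 8 or 8 + sum(body[4:8]) != length:
        raise ValueError("bad START body: wrong shared key or corrupt packet")
    return AUTHEN_TYPES.get(body[2], f"unknown({body[2]})")


def build_start(authen_type: int, key: bytes) -> bytes:
    """Constructed sample packet (not a capture from a real device)."""
    user, port, rem, data = b"alice", b"tty0", b"192.0.2.10", b"constructed"
    body = bytes([1, 1, authen_type, 1, len(user), len(port), len(rem), len(data)])
    body += user + port + rem + data
    header = struct.pack("!BBBBII", 0xC1, TAC_PLUS_AUTHEN, 1, 0, 0x1234ABCD, len(body))
    return header + pad_xor(header, body, key)


if __name__ == "__main__":
    key = b"constructed-shared-key"  # assumption: sample key, not a real secret
    for code in (2, 3):
        print(start_authen_type(build_start(code, key), key))
```

On an affected device the decoded value stays CHAP after the override; once the profile has been recreated with PAP, or on a fixed release, it should read PAP.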



