How to troubleshoot problems with TACACS+

In this topic, you will learn how to troubleshoot typical problems with the operation of the Portnox™ TACACS+ service.

Error Solutions
  • Access Alert: TACACS+ access attempt denied due to wrong credentials but credentials are correct

  • Alert occurs when using Cisco Nexus 9000 (may also occur on other NX-OS devices)

  • Alert occurs when using a Portnox account but LDAP-based accounts work correctly

Remove the following command from switch configuration:

tacacs-server directed-request

If you enable the directed-request option, Cisco devices with the NX-OS operating system use only the TACACS+ method for authentication and not the default local method.

For more information, see: Cisco documentation.

  • Access Alert: TACACS+ authentication attempt denied due to MFA verification failure. Entra ID user must perform MFA to access

  • TACACS+ server logs include: Authentication request returned error and limit reached for account.

Consider the following resolution options:

Also, check your TACACS+ license for potential expiration.

  • Access Alert: TACACS+ service connection not allowed for the account

  • Alert occurs when using Juniper switches

The switch configuration includes an explicit definition of service-name, but this name is not configured in the Portnox TACACS+ policy. Instead, the policy only includes the default service name junos-exec.

Example of an explicit definition of service-name:

show configuration | display set | match portnox
set system tacplus-options service-name Portnox

Solution:

  1. Follow the steps in this topic to edit the TACACS+ authorization policy: Create or edit a TACACS+ authorization policy.

  2. Add the explicitly defined service name to the Allowed services list.

For more information, see Juniper documentation.

  • Access Alert: TACACS+ authentication attempt denied due to missing TACACS+ policy mapping

  • Users cannot log in to some NAS devices or can only log in to NAS devices under a parent site.

The TACACS+ policy is incorrectly configured.

Sites do not support inheritance. Only parent-child relationships between sites are supported, not parent-child-grandchild relationships.

Solution:

  1. Follow the steps in this topic to assign TACACS+ policies to devices: Assign policies to a group.

  2. Use the OR element to specify multiple Site > Name > Equals conditions.

  • Access Alert: TACACS+ authentication attempt denied due to missing TACACS+ policy mapping

  • The TACACS+ server is deployed in a cloud environment (e.g. AWS, Azure), and is behind a load balancer.

The public IP addresses of the load balancer are unknown to Portnox Cloud.

Solution:

  1. Follow the steps in this topic to assign TACACS+ policies to devices: Assign policies to a group.

  2. Use the OR element to specify multiple NAS > IpAddress > Equals conditions with the public IP addresses of the load balancer.

Access Alert: TACACS+ authentication attempt due to MFA timeout

No MFA request is received via AgentP.

Configure the firewall for AgentP connections. See: How to set up the firewall for AgentP to connect to Cloud.

Access Alert: TACACS+ authentication attempt due to MFA timeout

The MFA request is received via AgentP, but you can’t confirm it before the attempt times out.

You need to increase the TACACS+ timeout value on the switch itself to have more time to react to the MFA prompt. Consult the documentation of your switch to learn how to change the TACACS+ timeout value for your specific make and model.

A Fortinet NAS user receives elevated privileges, even though they are assigned to a low-privilege group in Portnox Cloud.

Fortinet doesn’t rely on standard attributes, such as priv-lvl, to control admin access. Instead, it uses vendor-specific attributes (VSAs) such as admin_prof or memberof to map users to admin profiles, and if those attributes aren’t included in the policy, users may end up with more access than intended.

Solution:

  1. Follow the steps in this topic to edit the TACACS+ authorization policy: Create or edit a TACACS+ authorization policy.

  2. Add fortigate to the Allowed services list.

  3. Add relevant admin_prof and/or memberof attributes to the Custom attributes list.

    For example:

    • admin_prof=User-RO-Profile
    • memberof=Fortigate-User-RO-Group

After switching Cisco ACI APICs to Portnox TACACS+ authentication, users can log in, but the ACI GUI loads with missing tabs, buttons, and features, suggesting incomplete privileges, while SSH access works normally.

The TACACS+ authorization policy for the Cisco ACI NAS is missing a required custom attribute. Without this attribute, the ACI GUI does not grant full access even though the user authenticates successfully.

Solution:

  1. Follow the steps in this topic to edit the TACACS+ authorization policy: Create or edit a TACACS+ authorization policy.

  2. Add shell:domains=all/admin/ to the Custom attributes list.

For more information, consult Cisco documentation.
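As an added illustration (not Portnox code) of why the Allowed services and Custom attributes settings in the Juniper, Fortinet and Cisco ACI cases above matter, the following Python models the TACACS+ authorization exchange from RFC 8907: it fails a request whose service name is not allowed and otherwise returns the policy's custom attributes to the NAS, which maps the user to a profile from them. It operates on the cleartext packet body only (after the per-session obfuscation is removed), and all NAS-side values are constructed sample data.

```python
# Added example (not Portnox code): how the service name and custom attributes
# this page tells you to configure travel inside a TACACS+ (RFC 8907) authorization
# exchange. Cleartext body only; NAS-side values are constructed sample data.
import struct

PASS_ADD, FAIL = 0x01, 0x10  # TAC_PLUS_AUTHOR_STATUS_PASS_ADD / _FAIL (RFC 8907 6.2)

def build_authz_request(user, port, rem_addr, args, priv_lvl=1):
    """Encode an authorization REQUEST body the way a NAS would (sample-data helper)."""
    strs = [s.encode() for s in (user, port, rem_addr, *args)]
    # authen_method=TACACSPLUS(6), priv_lvl, authen_type=ASCII(1), authen_service=LOGIN(1)
    fixed = struct.pack("!8B", 6, priv_lvl, 1, 1, *(len(s) for s in strs[:3]), len(args))
    return fixed + bytes(len(a) for a in strs[3:]) + b"".join(strs)

def parse_authz_request(body):
    """Decode a REQUEST body; the attribute-value args come back as a dict."""
    user_len, port_len, rem_len, arg_cnt = struct.unpack("!4B", body[4:8])
    arg_lens = body[8:8 + arg_cnt]
    pos, fields = 8 + arg_cnt, []
    for n in (user_len, port_len, rem_len, *arg_lens):
        fields.append(body[pos:pos + n].decode())
        pos += n
    # an AV pair is "attr=value" (mandatory) or "attr*value" (optional)
    args = dict(a.replace("*", "=", 1).split("=", 1)
                for a in fields[3:] if "=" in a or "*" in a)
    return {"user": fields[0], "port": fields[1], "rem_addr": fields[2], "args": args}

def authorize(body, allowed_services, custom_attrs):
    """Build the REPLY: FAIL when the NAS-requested service is not in the policy's
    Allowed services (the Juniper service-name case); otherwise PASS_ADD carrying the
    policy's Custom attributes (Fortinet admin_prof/memberof, ACI shell:domains)."""
    service = parse_authz_request(body)["args"].get("service")
    if service not in allowed_services:
        msg = f"service '{service}' is not an allowed service".encode()
        return struct.pack("!BBHH", FAIL, 0, len(msg), 0) + msg
    attrs = [a.encode() for a in custom_attrs]
    return (struct.pack("!BBHH", PASS_ADD, len(attrs), 0, 0)
            + bytes(len(a) for a in attrs) + b"".join(attrs))

def parse_authz_reply(reply):
    """Return (status, [attribute strings]) from a REPLY body, as the NAS reads it."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", reply[:6])
    arg_lens, pos, args = reply[6:6 + arg_cnt], 6 + arg_cnt + msg_len + data_len, []
    for n in arg_lens:
        args.append(reply[pos:pos + n].decode())
        pos += n
    return status, args
```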