How to troubleshoot problems with TACACS+

In this topic, you will learn how to troubleshoot typical problems with the operation of the Portnox™ TACACS+ service.

Error Solutions
  • Access Alert: TACACS+ access attempt denied due to wrong credentials but credentials are correct

  • Alert occurs when using Cisco Nexus 9000 (may also occur on other NX-OS devices)

  • Alert occurs when using a Portnox account but LDAP-based accounts work correctly

Remove the following command from switch configuration:

tacacs-server directed-request

If you enable the directed-request option, Cisco devices with the NX-OS operating system use only the TACACS+ method for authentication and not the default local method.

For more information, see: Cisco documentation.

  • Access Alert: TACACS+ authentication attempt denied due to MFA verification failure. Entra ID user must perform MFA to access

  • TACACS+ server logs include: Authentication request returned error and limit reached for account.

Consider the following resolution options:

Also, check your TACACS+ license for potential expiration.

  • Access Alert: TACACS+ service connection not allowed for the account

  • Alert occurs when using Juniper switches

The switch configuration includes an explicit definition of service-name, but this name is not configured in the Portnox TACACS+ policy. Instead, the policy only includes the default service name junos-exec.

Example of an explicit definition of service-name:

show configuration | display set | match portnox
set system tacplus-options service-name Portnox

Solution:

  1. Follow the steps in this topic to edit the TACACS+ authorization policy: Create or edit a TACACS+ authorization policy.

  2. Add the explicitly defined service name to the Allowed services list.

For more information, see Juniper documentation.

  • Access Alert: TACACS+ authentication attempt denied due to missing TACACS+ policy mapping

  • Users cannot log in to some NAS devices, or can only log in to NAS devices under a parent site.

The TACACS+ policy is incorrectly configured.

Site policy mapping does not support multi-level inheritance: a parent-child relationship between sites is supported, but a parent-child-grandchild relationship is not.

Solution:

  1. Follow the steps in this topic to assign TACACS+ policies to devices: Assign policies to a group.

  2. Use the OR element to specify multiple Site > Name > Equals conditions.

  • Access Alert: TACACS+ authentication attempt denied due to missing TACACS+ policy mapping

  • The TACACS+ server is deployed in a cloud environment (for example, AWS or Azure) and is behind a load balancer.

The public IP addresses of the load balancer are unknown to Portnox Cloud.

Solution:

  1. Follow the steps in this topic to assign TACACS+ policies to devices: Assign policies to a group.

  2. Use the OR element to specify multiple NAS > IpAddress > Equals conditions with the public IP addresses of the load balancer.

  • Access Alert: TACACS+ authentication attempt due to MFA timeout

  • No MFA request is received via AgentP.

Configure the firewall for AgentP connections. See: How to set up the firewall for AgentP to connect to Cloud.

  • Access Alert: TACACS+ authentication attempt due to MFA timeout

  • The MFA request is received via AgentP, but you cannot confirm it before the attempt times out.

You need to increase the TACACS+ timeout value on the switch itself to have more time to react to the MFA prompt. Consult the documentation of your switch to learn how to change the TACACS+ timeout value for your specific make and model. In some cases, a short timeout may also cause errors in the logs such as: Invalid Client information received as input or Session closed.

  • A Fortinet NAS user receives elevated privileges, even though they are assigned to a low-privilege group in Portnox Cloud.

Fortinet does not rely on standard attributes, such as priv-lvl, to control admin access. Instead, it uses vendor-specific attributes (VSAs) such as admin_prof or memberof to map users to admin profiles; if those attributes are not included in the policy, users may end up with more access than intended.

Solution:

  1. Follow the steps in this topic to edit the TACACS+ authorization policy: Create or edit a TACACS+ authorization policy.

  2. Add fortigate to the Allowed services list.

  3. Add relevant admin_prof and/or memberof attributes to the Custom attributes list.

    For example:

    • admin_prof=User-RO-Profile
    • memberof=Fortigate-User-RO-Group
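The Juniper service-name mismatch and the Fortinet attribute problem above are both cases where the Portnox policy and what the NAS sends disagree. The following Python script is an added example, not Portnox or vendor code: it reads a Junos `display set` excerpt to find the service name the device will send (falling back to junos-exec), models the policy as a dict with `allowed_services` and `custom_attributes` lists (an assumed structure that mirrors the two lists named in the steps above), and reports what to add. The Junos lines and the policies are constructed sample input.

```python
"""Audit a TACACS+ authorization policy against what the NAS will send.

Added example, not Portnox or vendor code. The policy is modelled as a dict
with 'allowed_services' and 'custom_attributes' lists (an assumption that
mirrors the two lists named in the troubleshooting steps); the Junos lines
and policies below are constructed sample input.
"""
import re

JUNOS_DEFAULT_SERVICE = "junos-exec"          # used when no service-name is set
JUNOS_SERVICE_RE = re.compile(r"^set system tacplus-options service-name (\S+)$")
# Fortinet maps users to admin profiles with these VSAs, not with priv-lvl.
FORTINET_PROFILE_ATTRS = ("admin_prof", "memberof")


def junos_service_name(config_lines):
    """Return the TACACS+ service name a Junos device sends in authorization requests."""
    for line in config_lines:
        match = JUNOS_SERVICE_RE.match(line.strip())
        if match:
            return match.group(1)
    return JUNOS_DEFAULT_SERVICE


def parse_custom_attributes(attr_lines):
    """Parse 'key=value' custom attributes into a dict, rejecting malformed entries."""
    attrs = {}
    for raw in attr_lines:
        key, sep, value = raw.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed custom attribute: {raw!r}")
        attrs[key.strip()] = value.strip()
    return attrs


def audit_policy(policy, junos_config=None, vendor="generic"):
    """Return a list of findings; an empty list means the policy matches the NAS."""
    findings = []
    # Service names are compared exactly as the NAS sends them.
    allowed = set(policy.get("allowed_services", []))
    attrs = parse_custom_attributes(policy.get("custom_attributes", []))

    if junos_config is not None:
        service = junos_service_name(junos_config)
        if service not in allowed:
            findings.append(
                f"Juniper NAS sends service-name '{service}' but the policy allows "
                f"{sorted(allowed)}: add '{service}' to Allowed services")

    if vendor == "fortinet":
        if "fortigate" not in allowed:
            findings.append("Fortinet NAS: add 'fortigate' to Allowed services")
        if not any(name in attrs for name in FORTINET_PROFILE_ATTRS):
            findings.append(
                "Fortinet NAS: no admin_prof/memberof attribute, so the user is not "
                "mapped to a restricted admin profile (excess-privilege risk)")
    return findings


# Constructed samples: the Junos service-name from the topic above, a policy that
# still allows only the default service, and a Fortinet policy before/after the fix.
SAMPLE_JUNOS = [
    "set system tacplus-server 192.0.2.10 secret PLACEHOLDER",
    "set system tacplus-options service-name Portnox",
]
JUNIPER_POLICY = {"allowed_services": ["junos-exec"], "custom_attributes": []}
FORTINET_POLICY_BEFORE = {"allowed_services": ["fortigate"], "custom_attributes": []}
FORTINET_POLICY_AFTER = {
    "allowed_services": ["fortigate"],
    "custom_attributes": ["admin_prof=User-RO-Profile", "memberof=Fortigate-User-RO-Group"],
}

if __name__ == "__main__":
    for label, args in (
        ("juniper", dict(policy=JUNIPER_POLICY, junos_config=SAMPLE_JUNOS)),
        ("fortinet-before", dict(policy=FORTINET_POLICY_BEFORE, vendor="fortinet")),
        ("fortinet-after", dict(policy=FORTINET_POLICY_AFTER, vendor="fortinet")),
    ):
        print(label, audit_policy(**args) or ["ok"])
```

Running the script reports the missing Portnox service for the Juniper policy and the missing profile attributes for the Fortinet policy, and prints `ok` once both have been added.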

  • After switching Cisco ACI APICs to Portnox TACACS+ authentication, users can log in, but the ACI GUI loads with missing tabs, buttons, and features, suggesting incomplete privileges, while SSH access works normally.

The TACACS+ authorization policy for the Cisco ACI NAS is missing a required custom attribute. Without this attribute, the ACI GUI does not grant full access even though the user authenticates successfully.

Solution:

  1. Follow the steps in this topic to edit the TACACS+ authorization policy: Create or edit a TACACS+ authorization policy.

  2. Add shell:domains=all/admin/ to the Custom attributes list.

For more information, consult Cisco documentation.

  • Portnox Cloud successfully receives TACACS+ accounting logs (for example, login and logout events) from Cisco NAS devices, but it does not show any executed commands (such as show or configure) in the logs or alerts.

Cisco devices send command accounting records to the TACACS+ server only for privilege levels where command accounting is explicitly configured. If a user logs in at a level (0, 1, or 15) that has no command accounting enabled, the commands they execute are not recorded, even though session accounting works.

To fix this, add AAA command accounting in the switch TACACS+ configuration.

Example: enable command accounting for privilege level 15 (full admin) with this command:

aaa accounting commands 15 default start-stop group tacacs+
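To see which privilege levels would leave commands unrecorded, here is an added Python example (not Cisco or Portnox code) that parses an IOS-style running-config for `aaa accounting commands` lines, parses TACACS+ accounting records written in the common key=value AV-pair style, and lists the levels that have session records but no command accounting, together with the `aaa accounting commands` lines to add. The config excerpt and the records are constructed; the record format is not a specific Portnox log format, and the `aaa accounting` syntax shown is IOS, not NX-OS.

```python
"""Find privilege levels whose commands are never sent to the TACACS+ server.

Added example, not Cisco or Portnox code. The running-config excerpt and the
accounting records are constructed; records use the common 'key=value' AV-pair
style rather than any specific Portnox log format.
"""
import re

# IOS syntax: aaa accounting commands <level> <list> start-stop|stop-only group <group>
CMD_ACCT_RE = re.compile(
    r"^aaa accounting commands (\d+) (\S+) (?:start-stop|stop-only) group (\S+)$")
# Split a record on whitespace that precedes the next key=, so 'cmd=show version' stays whole.
AV_SPLIT_RE = re.compile(r"\s+(?=[\w-]+=)")


def command_accounting_levels(running_config):
    """Privilege levels that have an 'aaa accounting commands' line configured."""
    levels = set()
    for line in running_config.splitlines():
        match = CMD_ACCT_RE.match(line.strip())
        if match:
            levels.add(int(match.group(1)))
    return levels


def parse_av_pairs(record):
    """Parse one accounting record into a dict of attribute=value pairs."""
    fields = {}
    for token in AV_SPLIT_RE.split(record.strip()):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def accounting_gaps(running_config, records):
    """Levels with exec-session records but no command accounting, sorted ascending.

    Commands run at these levels never reach the TACACS+ server, so login and
    logout events appear in Portnox while the executed commands do not.
    """
    configured = command_accounting_levels(running_config)
    session_levels = set()
    for record in records:
        fields = parse_av_pairs(record)
        # An exec-session record carries priv-lvl but no cmd attribute.
        if fields.get("service") == "shell" and "priv-lvl" in fields and "cmd" not in fields:
            session_levels.add(int(fields["priv-lvl"]))
    return sorted(session_levels - configured)


def remediation(levels, method_list="default"):
    """The IOS lines that enable command accounting for each missing level."""
    return [f"aaa accounting commands {level} {method_list} start-stop group tacacs+"
            for level in levels]


# Constructed sample input: command accounting only for level 15, and a
# level-1 user whose session is accounted but whose commands are not.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""
SAMPLE_RECORDS = [
    "user=alice priv-lvl=15 service=shell task_id=41 start_time=1700000000",
    "user=alice priv-lvl=15 service=shell task_id=42 cmd=show running-config",
    "user=bob priv-lvl=1 service=shell task_id=43 start_time=1700000100",
    "user=bob priv-lvl=1 service=shell task_id=43 stop_time=1700000400 elapsed_time=300",
]

if __name__ == "__main__":
    missing = accounting_gaps(SAMPLE_CONFIG, SAMPLE_RECORDS)
    print("levels without command accounting:", missing)
    for line in remediation(missing):
        print("  add:", line)
```

With the constructed input, level 1 is reported as the gap: bob's session start and stop are accounted, but nothing he typed would ever be logged until `aaa accounting commands 1 default start-stop group tacacs+` is added alongside the level-15 line.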