J-Web login does not support TACACS+ or TACPLUS Authentication

This article describes the issue of TACACS+ or TACPLUS authentication not being supported by J-Web login.

  • When TACPLUS is configured on the SRX, SSH logins succeed without any issues, but J-Web logins succeed at times and fail at other times.
  • In the case of TACPLUS login failure with J-Web, the following error message is generated in the message log:

This issue might be due to the TACPLUS server returning the TACACS+ Authentication response packet with a server message that has either "password" or "Password" mentioned in it. Based on JTAC testing in 11.4R6 and 12.1R4, if "password" or "Password" is mentioned in the server message, the SRX fails to proceed to authentication in J-Web.

The following image illustrates the decrypted TACACS Authentication response with the "Enter your Domain Password" server message, which is 28 in length:

[Image: decrypted TACACS Authentication response with the "Enter your Domain Password" server message]

If the server message is only "password" or "Password", the SRX can proceed to authentication in J-Web. The following image illustrates the decrypted TACACS Authentication response with the server message as "Password":

[Image: decrypted TACACS Authentication response with the "Password" server message]

Note: This issue does not occur with SSH. It is specific to J-Web because J-Web triggers a login script that checks the server message in the TACACS Authentication response.
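To check a captured reply against the behaviour described above, the following added example (not Juniper code and not part of the original article) parses an already decrypted TACACS+ authentication REPLY body using the RFC 8907 layout and applies the two JTAC observations to its server message. The function names are hypothetical, the sample bodies are constructed, and jweb_prediction models only what the article reports, not the actual J-Web login script.

```python
import struct

# TACACS+ authentication REPLY status codes (RFC 8907)
STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
          0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}


def parse_authen_reply(body: bytes) -> dict:
    """Parse a decrypted authentication REPLY body (packet header already removed)."""
    if len(body) < 6:
        raise ValueError("REPLY body shorter than its 6-byte fixed part")
    # status(1) flags(1) server_msg_len(2) data_len(2), network byte order
    status, flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if len(body) != 6 + msg_len + data_len:
        raise ValueError("length fields do not match body size")
    server_msg = body[6:6 + msg_len].decode("utf-8", errors="replace")
    return {"status": STATUS.get(status, hex(status)),
            "noecho": bool(flags & 0x01),  # TAC_PLUS_REPLY_FLAG_NOECHO
            "server_msg": server_msg}


def jweb_prediction(server_msg: str) -> str:
    """Assumed model: encodes only the two observations stated in the article."""
    if server_msg in ("password", "Password"):
        return "ok"           # bare prompt: J-Web proceeds to authentication
    if "password" in server_msg or "Password" in server_msg:
        return "fails"        # prompt mentioning it: J-Web login fails
    return "not covered"      # the article reports no result for this case


def build_reply(status: int, flags: int, server_msg: str) -> bytes:
    """Construct a sample REPLY body with an empty data field (test data only)."""
    msg = server_msg.encode()
    return struct.pack("!BBHH", status, flags, len(msg), 0) + msg


if __name__ == "__main__":
    # Constructed samples using the two prompts named in the article
    for prompt in ("Enter your Domain Password", "Password"):
        reply = parse_authen_reply(build_reply(0x05, 0x01, prompt))
        print(reply, "->", jweb_prediction(reply["server_msg"]))
```

Running it against the server message from your own decrypted capture shows whether the TACPLUS server's prompt falls into the failing case before you change the J-Web login method.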

Currently, J-Web login does not support TACPLUS authentication. As a workaround, use local authentication for J-Web login.

About the author

Prasanna
