topic AAA Device Administration is not working with Policy node in Network Access Control

AAA Device Administration is not working with Policy node

kai.onken — Fri, 12 Oct 2018 06:44:58 GMT

Good Morning,

I encountered the following problem with my ISE 2.3 installation regarding Device Administration. When ich configure the primary or secondary node for AAA everything works fine, Tacacs Auth, aso. When I replace the primary and/or secondary node with a policy node no AAA is working any more.

My first guess was ACL and/or Firewall, but none of them. I place a plain switch with only AAA on it in the same network where a policy node is located and it worked with the primary and/or secondary node. But again not with the policy node. I even can't see anything on the TACACS live log.

The current installation is based on five physical ISE servers in a distributed deployment. The machines are installed and configure like this (see attached Files):

SFLAISE01 - Administration, Policy Service with Session and Device Administration

SFLAISE02 - Administration, Monitoring, Policy Service with Session and Device Administration

SCPHISE01 - Policy Service with Session and Device Administration

SHAMISE01 - Policy Service with Session and Device Administration

SHAISE01 - Policy Service with Session and Device Administration

A Device Administration licence is availabled (see attached file)

I've no idea why the policy node is not handling AAA.

Thanks for any help.

Kai

Re: AAA Device Administration is not working with Policy node

tasneemjan — Fri, 12 Oct 2018 11:28:23 GMT

make sure you have the following setup correctly:

on devices you are point to PSN ip addresses and not the PANs.

if you are using mgmt interfaces these will be in a vrf. you need to use ip vrf forwarding Mgmt-vrf under aaa group server

You have correctly setup NADs on the ISE with TACACS ticked and matching key.

regards

Re: AAA Device Administration is not working with Policy node

kai.onken — Fri, 12 Oct 2018 11:36:43 GMT

Hello Tasneemjan,

to your topics:

make sure you have the following setup correctly:

1. On devices you are point to PSN ip addresses and not the PANs.

When I use the PAN IP's it works

When I use the PSN IP's its not working

2. If you are using mgmt interfaces these will be in a vrf. You need to use ip vrf forwarding Mgmt-vrf under aaa group server

You are right, but I'm using in bound management

3. You have correctly setup NADs on the ISE with TACACS ticked and matching key.

Please see Topic 1.

Kind regards

Kai

regards

Re: AAA Device Administration is not working with Policy node

hslai — Thu, 25 Oct 2018 15:29:52 GMT

A couple of things you may try:

Check whether the PSNs are listening on port 49 by CLI "show port" and from another machine "telnet <PSN-IP> 49"
Take packet capture between NAD and PSN
Enable DEBUG on Runtime-AAA and check debug log prrt-server.log

If that not giving any clues, please engage Cisco TAC.