topic AAA - ACS-Tacacs+ in ISE 2.1 configuration Issue in Network Access Control

AAA - ACS-Tacacs+ in ISE 2.1 configuration Issue

mannygawadcco — Tue, 28 Mar 2017 13:30:29 GMT

Hello everyone,

I am currently doing a POC in one of our customer and started configuring ACS however i have some issue in authentication.

here is the scenario:

* i have a reacheability from switch to ISE server.

* no i am geeting access denied and i don't see any hits in my ISE logs.

* From firewall: port 49 is open.

here is the sample switch config;

aaa new-model

tacacs server ISE

address ipv4 10.10.x.x

key cisco

aaa group server tacacs+ ISE_GROUP

server name ISE

aaa authentication login AAA group ISE_GROUP local

aaa authentication enable default group ISE_GROUP enable

aaa authorization exec AAA group ISE_GROUP local

aaa authorization commands 0 AAA group ISE_GROUP local

aaa authorization commands 1 AAA group ISE_GROUP local

aaa authorization commands 15 AAA group ISE_GROUP local

aaa authorization config-commands

aaa accounting exec default start-stop group ISE_GROUP

aaa accounting commands 1 default start-stop group ISE_GROUP

aaa accounting commands 15 default start-stop group ISE_GROUP

line vty 0 4

authorization commands 0 AAA

authorization commands 1 AAA

authorization commands 15 AAA

authorization exec AAA

line vty 5 15

authorization commands 0 AAA

authorization commands 1 AAA

authorization commands 15 AAA

authorization exec AAA

Testing:

Router#test aaa group tacacs+ manny password legacy (this username is from the ISE databaase)

Attempting authentication test to server-group tacacs+ using tacacs+

No authoritative response from any server.

I have used this procedures to configure my ISE servers;

https://communities.cisco.com/servlet/JiveServlet/downloadBody/68194-102-1-125121/How-To_TACACS_for_IOS.pdf

Please advise if there is a missing configuration in the switch.

Re: AAA - ACS-Tacacs+ in ISE 2.1 configuration Issue

Oliver Laue — Tue, 28 Mar 2017 14:01:37 GMT

did you verified the the tacacs services are running on the ise?

i receive this error if either the tacacs service is down or the ise isn't aware of the nad and isn't responding.

But you'll see a log entry on the ise if the nad isn't configured

Re: AAA - ACS-Tacacs+ in ISE 2.1 configuration Issue

mannygawadcco — Tue, 28 Mar 2017 17:21:19 GMT

Thanks Oliver for the response, however the Enable Device Admin Service has been selected and it was running from the beginning.

Please note also that I haven't received any logs from ISE.

Re: AAA - ACS-Tacacs+ in ISE 2.1 configuration Issue

Oliver Laue — Tue, 28 Mar 2017 17:48:26 GMT

did you fired some debug commands on the switch to see what it does also did you checked the ise application logs?

Re: AAA - ACS-Tacacs+ in ISE 2.1 configuration Issue

mannygawadcco — Tue, 28 Mar 2017 17:59:19 GMT

Yes, I did some debug for aaa and authentication, but what i've got is only access denied.

Re: AAA - ACS-Tacacs+ in ISE 2.1 configuration Issue

ruhearn — Tue, 28 Mar 2017 20:15:55 GMT

Try debug tacacs on the device to see what's going on. If the device has multiple IP addresses make sure the correct one is configured in ISE.

Re: AAA - ACS-Tacacs+ in ISE 2.1 configuration Issue

mannygawadcco — Wed, 29 Mar 2017 07:16:16 GMT

Here is the debug output for tacacs authentication and aaa autentication.

QYS-GFC-SW#debug tacacs authentication

TACACS+ authentication debugging is on

QYS-GFC-SW#debug aaa authe

QYS-GFC-SW#debug aaa authentication

AAA Authentication debugging is on

QYS-GFC-SW#terminal monitor

QYS-GFC-SW#

46w2d: AAA/MEMORY: free_user (0x5093FE0) user='cisco' ruser='QYS-GFC-SW' port='tty1' rem_addr='10.10.45. 25' authen_type=ASCII service=NONE priv=15

46w2d: AAA/BIND(000000ED): Bind i/f

46w2d: AAA/AUTHEN/LOGIN (000000ED): Pick method list 'AAA'

46w2d: TPLUS: Queuing AAA Authentication request 237 for processing

46w2d: TPLUS: processing authentication start request id 237

46w2d: TPLUS: Authentication start packet created for 237(manny)

46w2d: TPLUS: Using server 10.10.201.35

46w2d: TPLUS(000000ED)/0/NB_WAIT/4FC8790: Started 5 sec timeout

46w2d: TPLUS(000000ED)/0/NB_WAIT/4FC8790: timed out

46w2d: TPLUS: Choosing next server 10.10.201.35

46w2d: TPLUS(000000ED)/1/NB_WAIT/4FC8790: Started 5 sec timeout

46w2d: TPLUS(000000ED)/4FC8790: releasing old socket 0

46w2d: TPLUS(000000ED)/1/NB_WAIT/4FC8790: timed out

46w2d: TPLUS(000000ED)/1/NB_WAIT/4FC8790: timed out, clean up

46w2d: TPLUS(000000ED)/1/4FC8790: Processing the reply packet

46w2d: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: manny] [Source: 10.10.45.25] [localport: 22] [Reas on: Login Authentication Failed] at 01:40:40 UTC Thu Jan 20 1994

46w2d: AAA/AUTHEN/LOGIN (000000ED): Pick method list 'AAA'

46w2d: TPLUS: Queuing AAA Authentication request 237 for processing

46w2d: TPLUS: processing authentication start request id 237

46w2d: TPLUS: Authentication start packet created for 237(manny)

46w2d: TPLUS: Using server 10.10.201.35

46w2d: TPLUS(000000ED)/0/NB_WAIT/5017030: Started 5 sec timeout

46w2d: TPLUS(000000ED)/0/NB_WAIT/5017030: timed out

46w2d: TPLUS: Choosing next server 10.10.201.35

46w2d: TPLUS(000000ED)/1/NB_WAIT/5017030: Started 5 sec timeout

46w2d: TPLUS(000000ED)/5017030: releasing old socket 0

46w2d: TPLUS(000000ED)/1/NB_WAIT/5017030: timed out

46w2d: TPLUS(000000ED)/1/NB_WAIT/5017030: timed out, clean up

46w2d: TPLUS(000000ED)/1/5017030: Processing the reply packet

46w2d: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: manny] [Source: 10.10.45.25] [localport: 22] [Reason: Login Authentication Failed] at 01:41:07 UTC Thu Jan 20 1994

46w2d: AAA/AUTHEN/LOGIN (000000ED): Pick method list 'AAA'

46w2d: TPLUS: Queuing AAA Authentication request 237 for processing

46w2d: TPLUS: processing authentication start request id 237

46w2d: TPLUS: Authentication start packet created for 237(manny)

46w2d: TPLUS: Using server 10.10.201.35

46w2d: TPLUS(000000ED)/0/NB_WAIT/4ED4574: Started 5 sec timeout

46w2d: TPLUS(000000ED)/0/NB_WAIT/4ED4574: timed out

46w2d: TPLUS(000000ED)/0/NB_WAIT/4ED4574: timed out, clean up

46w2d: TPLUS(000000ED)/0/4ED4574: Processing the reply packet

Re: AAA - ACS-Tacacs+ in ISE 2.1 configuration Issue

mannygawadcco — Wed, 29 Mar 2017 07:20:26 GMT

Additional Information (Tacacs Server's IP is Correct)

QYS-GFC-SW#show tacacs

Tacacs+ Server - public : 10.10.201.35/49

Socket opens: 62

Socket closes: 62

Socket aborts: 0

Socket errors: 0

Socket Timeouts: 0

Failed Connect Attempts: 58

Total Packets Sent: 0

Total Packets Recv: 0

Tacacs+ Server - private : 10.10.201.35/49

Socket opens: 52

Socket closes: 52

Socket aborts: 0

Socket errors: 0

Socket Timeouts: 0

Failed Connect Attempts: 40

Total Packets Sent: 0

Total Packets Recv: 0

Re: AAA - ACS-Tacacs+ in ISE 2.1 configuration Issue

Dustin Anderson — Thu, 30 Mar 2017 17:45:59 GMT

So, this is what I use for TACACS+, we are a smaller install, so don't use groups.

This is my switch commands.

tacacs-server host <IP_Sever1> key <VARIABLE>

tacacs-server host <IP_Sever2> key <VARIABLE>

tacacs-server directed-request

tacacs-server administration

radius-server dead-criteria time 5 tries 2

radius-server deadtime 2

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 8 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 8 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

ISE settings are basically default.

Re: AAA - ACS-Tacacs+ in ISE 2.1 configuration Issue

hslai — Thu, 30 Mar 2017 22:33:31 GMT

I would suggest to try a wireshark/TCPDUMP capture between ISE PSN and the switch. Also, enable DEBUG on ISE component AAA-runtime and check prrt-server.log.

Re: AAA - ACS-Tacacs+ in ISE 2.1 configuration Issue

mannygawadcco — Sun, 02 Apr 2017 10:43:37 GMT

It's working now, i found out the i have issue with my device management license, so after applying it, it worked perfectly. Thanks folks.

Re: AAA - ACS-Tacacs+ in ISE 2.1 configuration Issue

ajc — Wed, 09 May 2018 20:39:51 GMT

Hi Manny,

I am not sure if you tested the redundancy scenario but I am getting the same error message even though licenses (base + tacacs) are properly installed on each ISE. My situation is the following:

Using an INTEGRATED DEPLOYMENT with 2 ISE Nodes. One of them is Primary PAN, Sec MNT and PSN. The other one is Sec PAN, Primary MNT and PSN.

I am not using AAA Groups for tacacs on the LAN Switch. I was testing the redundancy scenario on which Secondary PSN/Primary MNT was completely shutdown (halt command from cli). The Primary PAN/PSN did not work so I decided to test each node individually from the LAN Switch. I mean:

When the only entry in the LAN switch is the Primary MNT/PSN, I get the following and tacacs authc worked.

SW#test aaa group tacacs+ test testing legacy

Attempting authentication test to server-group tacacs+ using tacacs+

User was successfully authenticated.

Then, I removed the IP entry for the Primary MNT/PSN in the switch and replaced it by the PRIMARY PAN/PSN but it failed and I got this.

SW#test aaa group tacacs+ test testing legacy

Attempting authentication test to server-group tacacs+ using tacacs+

No authoritative response from any server.

Have you seen this?

thanks

Re: AAA - ACS-Tacacs+ in ISE 2.1 configuration Issue

hslai — Wed, 09 May 2018 21:32:49 GMT

Please try what I suggested. Use TCPDUMP to check whether the T+ requests are sending out and received by the ISE PSN. Then, use ISE live log and runtime DEBUG to debug further.