https://community.cisco.com/t5/network-access-control/ise-2-0-radius-nas-ip-and-tacacs-source-ip-are-the-same-and/m-p/3592751#M538926 <HTML><HEAD></HEAD><BODY><P>Brian,</P><P></P><P>What is the AAA Server Group in your AnyConnect Connection profile for VPN users?&nbsp; Please be sure you have the server group that has RADIUS as the protocol selected.</P><P></P><P>Regards,</P><P>-Tim</P></BODY></HTML> Tue, 10 May 2016 18:51:22 GMT Timothy Abbott 2016-05-10T18:51:22Z https://community.cisco.com/t5/network-access-control/ise-2-0-radius-nas-ip-and-tacacs-source-ip-are-the-same-and/m-p/3592750#M538925 <HTML><HEAD></HEAD><BODY><P>This seems like it should be a no brainer for ISE to handle, but I can't seem to get an answer from Cisco yet.</P><P></P><P>I have added my ASA firewall as a network object in ISE and I have selected the TACACS and RADIUS options within that network object. My firewall configuration is as follows:</P><P></P><P>aaa-server TACACS protocol tacacs+</P><P>aaa-server TACACS (inside) host 10.12.12.61</P><P> key *****</P><P>aaa-server RADIUS protocol radius</P><P> authorize-only</P><P> interim-accounting-update periodic 1</P><P> dynamic-authorization</P><P>aaa-server RADIUS (inside) host 10.12.12.61</P><P> key *****</P><P></P><P>Because both TACACS and RADIUS are both pointing to ISE and TACACS comes first in the configuration, my VPN users are getting a "Dynamic Authorization Failed" message.&nbsp; If I remove TACACS configuration or point it to our old ACS server than everything works fine.</P><P></P><P>I am also unable to move the TACACS configuration below the Radius.</P><P></P><P>Anyone run into this or have a workaround?</P></BODY></HTML> Tue, 10 May 2016 18:41:05 GMT https://community.cisco.com/t5/network-access-control/ise-2-0-radius-nas-ip-and-tacacs-source-ip-are-the-same-and/m-p/3592750#M538925 bforan 2016-05-10T18:41:05Z https://community.cisco.com/t5/network-access-control/ise-2-0-radius-nas-ip-and-tacacs-source-ip-are-the-same-and/m-p/3592751#M538926 <HTML><HEAD></HEAD><BODY><P>Brian,</P><P></P><P>What is the AAA Server Group in your AnyConnect Connection profile for VPN users?&nbsp; Please be sure you have the server group that has RADIUS as the protocol selected.</P><P></P><P>Regards,</P><P>-Tim</P></BODY></HTML> Tue, 10 May 2016 18:51:22 GMT https://community.cisco.com/t5/network-access-control/ise-2-0-radius-nas-ip-and-tacacs-source-ip-are-the-same-and/m-p/3592751#M538926 Timothy Abbott 2016-05-10T18:51:22Z https://community.cisco.com/t5/network-access-control/ise-2-0-radius-nas-ip-and-tacacs-source-ip-are-the-same-and/m-p/3592752#M538928 <HTML><HEAD></HEAD><BODY><P>Yup, I do have the AAA Server Group for that specific Tunnel-Group set as RADIUS:</P><P></P><P>tunnel-group SSL-NETENG general-attributes</P><P> authentication-server-group RADIUS</P><P> authorization-server-group RADIUS</P><P> accounting-server-group RADIUS</P></BODY></HTML> Tue, 10 May 2016 18:58:28 GMT https://community.cisco.com/t5/network-access-control/ise-2-0-radius-nas-ip-and-tacacs-source-ip-are-the-same-and/m-p/3592752#M538928 bforan 2016-05-10T18:58:28Z https://community.cisco.com/t5/network-access-control/ise-2-0-radius-nas-ip-and-tacacs-source-ip-are-the-same-and/m-p/3592753#M538930 <HTML><HEAD></HEAD><BODY><P>Since RADIUS configuration is authorize-only, are you performing cert auth against ASA and then ISE for authorization only?</P><P></P><P>What errors in details are in the CoA attempts? It might worth to try enabling a 2nd interface on ISE with different IP address for T+ and see whether it would help.</P></BODY></HTML> Sun, 15 May 2016 06:11:02 GMT https://community.cisco.com/t5/network-access-control/ise-2-0-radius-nas-ip-and-tacacs-source-ip-are-the-same-and/m-p/3592753#M538930 hslai 2016-05-15T06:11:02Z