topic Re: ISE - TACACS Authorization Domain Issues in Network Access Control

ISE - TACACS Authorization Domain Issues

bradleyordner — Fri, 21 Feb 2020 18:51:34 GMT

I have a user in another AD domain, which we have visibility of from the ISE. The user is identified and authenticated correctly via this sub domain. When it moves to authorization the exact same domain is checked for identification and now gets an error.

Authentication passing -

24313	Search for matching accounts at join point - ad.company.com
24320	Multiple matching accounts in forest - ad.company.com

Authorization failing -

	24313	Search for matching accounts at join point - ad.company.com
	24317	LDAP search in domain failed - ad.company.com,ERROR_DOMAIN_IS_OFFLINE

Is there any checks or logs I can find to debug this? It happens everytime I check and its checking the same domain as it authenticated against.

Thanks

Brad

Re: ISE - TACACS Authorization Domain Issues

Francesco Molino — Fri, 23 Mar 2018 02:40:54 GMT

Hi

Can you share your policie you want to be pushed? Also, on ISE, under active directory join point, you can test the user. Can you run that test and tell if the test is successful (it should be if it's authenticated.)

You're getting multiple matching message, does this user exists multiple times?

Re: ISE - TACACS Authorization Domain Issues

bradleyordner — Fri, 23 Mar 2018 02:52:52 GMT

Hi,

I will attempt the test and let you know.

The multiple matching is as follows -

User exists in - sub.ad.company.com & 3rdparty.ad.company.com which is a subdomain of ad.company.com

When authenticating, it matches on 3rdparty.ad.company.com first and then says wrong username and password, because that's not the account the user used, It then finds the user in sub.ad.company.com.

The policy set I am trying to push is -

Default Rule (if no match)

Allow Protocols : Default Device Admin

Use - TACACS identity sequence

If user has AD group sub.ad.company.com/TACACS then allow all command sets shell profile Read Only.

I have a rule above this rule that allows me, a user from ad.company.com/TACACS Full Access on the same device.

Thanks

Brad

Re: ISE - TACACS Authorization Domain Issues

bradleyordner — Fri, 23 Mar 2018 22:01:44 GMT

Authentication test is fine.

Re: ISE - TACACS Authorization Domain Issues

Francesco Molino — Sat, 24 Mar 2018 00:42:18 GMT

Can you share the full ISE log when this user authenticates? (please join the screenshot)

Re: ISE - TACACS Authorization Domain Issues

bradleyordner — Thu, 05 Apr 2018 02:13:09 GMT

Hi,

Sorry, been very busy. Is this what you are after? I had to remove a few identifying details.

13013 Received TACACS+ Authentication START Request
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - DEVICE.Device Type
15048 Queried PIP - DEVICE.Location
15006 Matched Default Rule
15041 Evaluating Identity Policy
15006 Matched Default Rule
22072 Selected identity source sequence - TACACS_Identity_Sequence
15013 Selected Identity Source - _AD
13045 TACACS+ will use the password prompt from global TACACS+ configuration
13015 Returned TACACS+ Authentication Reply
13014 Received TACACS+ Authentication CONTINUE Request (Step latency=4277ms Step latency=4277ms)
15041 Evaluating Identity Policy
15004 Matched rule - Default
15006 Matched Default Rule
22072 Selected identity source sequence - TACACS_Identity_Sequence
15013 Selected Identity Source - _AD
24430 Authenticating user against Active Directory - _AD
24325 Resolving identity - <user name>
24313 Search for matching accounts at join point - ad.com
24320 Multiple matching accounts in forest - ad.com
24367 Skipping unusable domain - xxx,Domain trust is one-way
24367 Skipping unusable domain - xxx,Domain trust is one-way
24367 Skipping unusable domain - xxx,Domain trust is one-way
24367 Skipping unusable domain - xxx,Domain trust is one-way
24367 Skipping unusable domain - xxx,Domain trust is one-way
24367 Skipping unusable domain - xxx,Domain trust is one-way
24367 Skipping unusable domain - xxx,Domain trust is one-way
24367 Skipping unusable domain - xxx,Domain trust is one-way
24324 Identity resolution detected multiple matching accounts
24344 RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,<username>@3rdparty.ad.com
24343 RPC Logon request succeeded - <user name>@pg.ad.com
24402 User authentication against Active Directory succeeded - _AD
22037 Authentication Passed
13015 Returned TACACS+ Authentication Reply

Re: ISE - TACACS Authorization Domain Issues

Francesco Molino — Fri, 06 Apr 2018 04:22:02 GMT

We see a first login dropped because of wrong password and then ok on another AD.

You didn't share the full ise log because i don't the authorization given the user.

Can you share this information?

Re: ISE - TACACS Authorization Domain Issues

bradleyordner — Fri, 06 Apr 2018 04:28:15 GMT

Hi,

Ah yes, sorry I only added the authentication log. Before I do, I have
noticed something that I wanted to run by you.

We have a distributed ISE model, and when I test the user on our primary
device I get authenticated and the ISE box pulls the groups.

When i try this on our last ISE box, the box that usually authenticates and
authorises this user, they get authenticated and no groups are pulled. It
says -

Groups fetch failed : The domain is offline.
Attribute fetch failed : The domain is offline.

On our primary it says -

Groups : 32 found.
Attributes : 69 found.

Re: ISE - TACACS Authorization Domain Issues

Francesco Molino — Fri, 06 Apr 2018 04:34:17 GMT

Is your box correctly joined to AD?

You can run AD test or box. Run it on this non working box and share results.

Re: ISE - TACACS Authorization Domain Issues

bradleyordner — Fri, 06 Apr 2018 04:58:54 GMT

Im convinced we might have a bug or a cross domain issue. We are upgrading to a new patch new week so I might test after that, AD connectivity is fine from the tests.

I'll check after patch install.

Re: ISE - TACACS Authorization Domain Issues

Francesco Molino — Sat, 07 Apr 2018 14:43:47 GMT

Ok no pb let us know after you applied the new patch

Re: ISE - TACACS Authorization Domain Issues

bradleyordner — Thu, 12 Apr 2018 23:00:00 GMT

Although installing the patch had its own issues, it has resolved this issue. Rebooting the server also helped.

Thanks

Brad

Re: ISE - TACACS Authorization Domain Issues

Eric Glodowski — Mon, 04 Jun 2018 20:43:40 GMT

I too, am in the same boat, but this is a fresh 2.4 install, and we are at the latest patch.

ISE is finding the username multiple times, but TACACS auth fails even though one of the user/pass was successful.

I had to resort to appending the FQDN in order to get shortname to work, but I'm concerned that this bandaid will become a problem as ISE assumes more responsibilities in the future.

Have a TAC case open, and will be happy to report back so this post has a bit more substance, but in the meantime, any suggestions are welcome!

Re: ISE - TACACS Authorization Domain Issues

Alexsandro Reimann — Wed, 27 Jun 2018 16:41:53 GMT

Have you found a way to fix your issue?

Re: ISE - TACACS Authorization Domain Issues

Francesco Molino — Fri, 29 Jun 2018 03:31:04 GMT

His answer was patch applied and server reboot. Have you tried that?

Re: ISE - TACACS Authorization Domain Issues

sean.a.martin — Mon, 22 Jul 2019 18:19:35 GMT

This fix didn't work for me, I am at the most current patch and have rebooted multiple times. I found that if I disable other whitelisted domains it allows me to authenticate. However, it isn't a valid fix. I need to have the ability to authenticate to multiple domains.

Re: ISE - TACACS Authorization Domain Issues

Francesco Molino — Tue, 23 Jul 2019 21:44:11 GMT

What version are you running?
Did AD connector test is ok on all tests?
If you test an authentication from the AD connector tool, does that work?