https://community.cisco.com/t5/network-access-control/tacacs-proxy-with-service-argument-attribute-not-working-issue/m-p/4103303#M561223 <P>Hello, we are trying to utilize TACACS Proxy for the following scenario,</P><P>&nbsp;</P><P><SPAN>WLC &lt; ----- &gt; ISE2.6-Patch5 &lt; ----- proxying ----- &gt; Central ISE</SPAN></P><P>&nbsp;</P><P><SPAN>We are using the 'Service-Argument' attribute in the proxied request as below screenshot and we see this on both ISE and in packet captures. When we create a rule however it is not matched using this attribute.&nbsp;</SPAN></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="thumbnail_image005.jpg" style="width: 685px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/76715i00874381DB0C264E/image-size/large?v=v2&amp;px=999" role="button" title="thumbnail_image005.jpg" alt="thumbnail_image005.jpg" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="thumbnail_image019.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/76714i0A229875249E6CFB/image-size/large?v=v2&amp;px=999" role="button" title="thumbnail_image019.png" alt="thumbnail_image019.png" /></span></P><P>&nbsp;</P><P><SPAN>The Central ISE does not match this in any of the following cases “EQUALS, CONTAINS, IN, STARTSWITH or MATCHES”. </SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>&nbsp;</SPAN></P> Mon, 15 Jun 2020 12:45:18 GMT joshhunter 2020-06-15T12:45:18Z https://community.cisco.com/t5/network-access-control/tacacs-proxy-with-service-argument-attribute-not-working-issue/m-p/4103303#M561223 <P>Hello, we are trying to utilize TACACS Proxy for the following scenario,</P><P>&nbsp;</P><P><SPAN>WLC &lt; ----- &gt; ISE2.6-Patch5 &lt; ----- proxying ----- &gt; Central ISE</SPAN></P><P>&nbsp;</P><P><SPAN>We are using the 'Service-Argument' attribute in the proxied request as below screenshot and we see this on both ISE and in packet captures. When we create a rule however it is not matched using this attribute.&nbsp;</SPAN></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="thumbnail_image005.jpg" style="width: 685px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/76715i00874381DB0C264E/image-size/large?v=v2&amp;px=999" role="button" title="thumbnail_image005.jpg" alt="thumbnail_image005.jpg" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="thumbnail_image019.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/76714i0A229875249E6CFB/image-size/large?v=v2&amp;px=999" role="button" title="thumbnail_image019.png" alt="thumbnail_image019.png" /></span></P><P>&nbsp;</P><P><SPAN>The Central ISE does not match this in any of the following cases “EQUALS, CONTAINS, IN, STARTSWITH or MATCHES”. </SPAN></P><P><SPAN>&nbsp;</SPAN></P><P><SPAN>&nbsp;</SPAN></P> Mon, 15 Jun 2020 12:45:18 GMT https://community.cisco.com/t5/network-access-control/tacacs-proxy-with-service-argument-attribute-not-working-issue/m-p/4103303#M561223 joshhunter 2020-06-15T12:45:18Z https://community.cisco.com/t5/network-access-control/tacacs-proxy-with-service-argument-attribute-not-working-issue/m-p/4103313#M561226 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/183914">@joshhunter</a>&nbsp;</P> <P>To absolutely confirm that is indeed this attribute which is not letting the Central ISE match that AuthZ rule, can you please remove the condition where you are looking for this.</P> <P>So, if this attribute is really the problem, you should match that particular AuthZ rule with the other two conditions in place.</P> Mon, 15 Jun 2020 13:09:11 GMT https://community.cisco.com/t5/network-access-control/tacacs-proxy-with-service-argument-attribute-not-working-issue/m-p/4103313#M561226 Anurag Sharma 2020-06-15T13:09:11Z https://community.cisco.com/t5/network-access-control/tacacs-proxy-with-service-argument-attribute-not-working-issue/m-p/4103338#M561228 Sorry I forgot to mention, yes it matches rules further down, so it is definitely this attribute.<BR />It needs this attribute to match on we cannot use location, device group, or IP.<BR />Thanks Mon, 15 Jun 2020 13:47:16 GMT https://community.cisco.com/t5/network-access-control/tacacs-proxy-with-service-argument-attribute-not-working-issue/m-p/4103338#M561228 joshhunter 2020-06-15T13:47:16Z https://community.cisco.com/t5/network-access-control/tacacs-proxy-with-service-argument-attribute-not-working-issue/m-p/4103566#M561238 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/183914">@joshhunter</a>&nbsp;,</P> <OL> <LI>How are you "proxying" the requests from one ISE to another?</LI> <LI>Which version is the 'Central ISE'?</LI> </OL> <P>I'd suggest you enable DEBUG for the component called '<SPAN>runtime-AAA' on the central ISE and check there.&nbsp;</SPAN></P> <P><SPAN>The log to check would be prrt-server.log.</SPAN></P> <P><SPAN>Check out this article for debugs and logs:&nbsp;<A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212594-debugs-to-troubleshoot-on-ise.html#anc28" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212594-debugs-to-troubleshoot-on-ise.html#anc28</A>&nbsp;</SPAN></P> <P>&nbsp;</P> Mon, 15 Jun 2020 17:20:39 GMT https://community.cisco.com/t5/network-access-control/tacacs-proxy-with-service-argument-attribute-not-working-issue/m-p/4103566#M561238 Anurag Sharma 2020-06-15T17:20:39Z https://community.cisco.com/t5/network-access-control/tacacs-proxy-with-service-argument-attribute-not-working-issue/m-p/4103629#M561243 <P><SPAN>Central ISE is running 2.7 Patch1 but tried various versions in lab environment.&nbsp;<BR /><BR />TACACS PROXY using the external TACACS server pointing ISE to Central ISE.<BR /><BR />I will give the debug ago&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks </SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 15 Jun 2020 18:24:51 GMT https://community.cisco.com/t5/network-access-control/tacacs-proxy-with-service-argument-attribute-not-working-issue/m-p/4103629#M561243 joshhunter 2020-06-15T18:24:51Z https://community.cisco.com/t5/network-access-control/tacacs-proxy-with-service-argument-attribute-not-working-issue/m-p/4103988#M561253 <P>Hello, I've since tried without TACACS 'Proxy' (Using External TACACS server). It still fails to match.</P><P><SPAN>I tried to match using the service argument of “ciscowlc”.&nbsp; This didn’t match the required rule – again I tried the different options. &nbsp;</SPAN></P><P><SPAN>&nbsp;</SPAN></P> Tue, 16 Jun 2020 08:47:26 GMT https://community.cisco.com/t5/network-access-control/tacacs-proxy-with-service-argument-attribute-not-working-issue/m-p/4103988#M561253 joshhunter 2020-06-16T08:47:26Z https://community.cisco.com/t5/network-access-control/tacacs-proxy-with-service-argument-attribute-not-working-issue/m-p/4104229#M561258 <P>The debugging didn't tell me much.</P><P>I suspect it is a BUG and will log.</P><P>&nbsp;</P><P>Thanks</P> Tue, 16 Jun 2020 15:59:23 GMT https://community.cisco.com/t5/network-access-control/tacacs-proxy-with-service-argument-attribute-not-working-issue/m-p/4104229#M561258 joshhunter 2020-06-16T15:59:23Z https://community.cisco.com/t5/network-access-control/tacacs-proxy-with-service-argument-attribute-not-working-issue/m-p/4104264#M561263 <P>Alright. Please let us know the findings.</P> Tue, 16 Jun 2020 16:51:20 GMT https://community.cisco.com/t5/network-access-control/tacacs-proxy-with-service-argument-attribute-not-working-issue/m-p/4104264#M561263 Anurag Sharma 2020-06-16T16:51:20Z