topic ISE 2.6.0.156 Patch 7, Error: 13078 in Network Access Control

ISE 2.6.0.156 Patch 7, Error: 13078

GlennF — Sat, 29 Aug 2020 00:16:06 GMT

I have been tasked to manually move all devices using TACACS+ authentication on an ACS 5.3.0.40 to ISE 2.6 (Patch 7). I have moved a majority of our switches and routers to ISE successfully and I am currently attempting to move two Nexus 5548 switches. When I change the config on the Nexus 5548 to add the new TACACS server host (ISE) and remove the old ACS hosts, an error pops up in the TACACS+ logs on ISE:

13078 Invalid TACACS+ authorization request packet - possibly malformed packet

The following is the old config on the 5548:

tacacs-server host <ip of ACS host 1> key 7 "shared secret"
tacacs-server host <ip of ACS host 2> key 7 "shared secret"
aaa group server tacacs+ ACS-SERVERS
server <ip of ACS host 1>
server <ip of ACS host 2>

The following is the new config I inputted:

tacacs-server host <ip of ACS host 3> key 7 "shared secret"
aaa group server tacacs+ ACS-SERVERS
server <ip of ACS host 3>

And the aaa section remained untouched:

aaa authentication login default group ACS-SERVERS local
aaa authentication login console group ACS-SERVERS local
aaa authorization config-commands default group ACS-SERVERS local
aaa authorization commands default group ACS-SERVERS local
aaa accounting default group ACS-SERVERS

This is something new to me and I feel lucky that I was able to move the other switches and routers with little issues but I am stumped with these devices. Could there be a bug on the current version of ISE that we have installed or do I have something misconfigured somewhere else?

Re: ISE 2.6.0.156 Patch 7, Error: 13078

Marcelo Morais — Sun, 30 Aug 2020 01:30:37 GMT

Hi @GlennF

did you take a look at Nexus 5548 logs? For example:

debug tacacs all

Best regards.

Re: ISE 2.6.0.156 Patch 7, Error: 13078

Greg Gibbs — Mon, 31 Aug 2020 00:11:42 GMT

Have a look at the Nexus Platform section of the Cisco ISE Device Administration Prescriptive Deployment Guide and compare it to your Nexus and ISE configuration. You may be missing the following option or some other configuration.

aaa authentication login ascii-authentication

Re: ISE 2.6.0.156 Patch 7, Error: 13078

poongarg — Mon, 31 Aug 2020 03:37:44 GMT

Check if you have configured tacacs global shared secret key using below command:

tacacs-server key 7 "xxxxxx"

If it is there then remove it and test again.

Re: ISE 2.6.0.156 Patch 7, Error: 13078

GlennF — Tue, 01 Sep 2020 20:54:56 GMT

Thank you for your advice. The following command is what we have inputted for the ACS servers:

When I input the new ISE server (and removed the old ACS servers) along with adding it to the aaa TACACS+ group server, it did not work:

tacacs-server host <ip of ACS host 3> key 7 "shared secret"
aaa group server tacacs+ ACS-SERVERS
server <ip of ACS host 3>

Re: ISE 2.6.0.156 Patch 7, Error: 13078

GlennF — Tue, 01 Sep 2020 20:56:39 GMT

Thank you for your advice. I inputted your suggestion in the appropriate section and it still did not work.

Re: ISE 2.6.0.156 Patch 7, Error: 13078

GlennF — Tue, 01 Sep 2020 21:03:02 GMT

Thank you for your advice.

I ran the debug as you suggested when it was pointing to the new ISE host server and took capture of the output. I then did the same when it was pointing to the old ACS servers. I compared the two and there are some differences but not sure what to look for that would be causing the issue.

Re: ISE 2.6.0.156 Patch 7, Error: 13078

Greg Gibbs — Tue, 01 Sep 2020 23:18:01 GMT

Just to be clear, when you use the 'key 7' option for configuring the shared secret, the switch is expecting the encrypted text for the shared secret. If you are inputting the clear-text shared secret (i.e. 'cisco123) using the 'key 7' option, this will not work.

If you have not already done so, I would suggest removing the tacacs-server configuration and re-configuring it using the following command syntax.

tacacs-server host <ip of ISE> key 0 <clear-text secret>

If that still does not solve your issue, I would suggest opening a TAC case to gather debugs and information necessary to investigate further.

Re: ISE 2.6.0.156 Patch 7, Error: 13078

Marcelo Morais — Thu, 03 Sep 2020 02:43:26 GMT

Hi,

could you please share the debug output?

Best regards.

Re: ISE 2.6.0.156 Patch 7, Error: 13078

harikish21 — Fri, 13 Nov 2020 05:15:17 GMT

Hi Glen, did you find your luck? I am facing the same issue with Nexus 9K switches with ISE 2.7, tried all the suggestions provided in this group. ISE logs " 13078 Invalid TACACS+ authorization request packet - possibly malformed packet " error.

Re: ISE 2.6.0.156 Patch 7, Error: 13078

harikish21 — Fri, 13 Nov 2020 06:52:48 GMT

I was able to resolve this issue with the help of TAC, it was a mismatch secret. The error message in ISE was misleading.

May be a different issue for you, I pushed the config onto Nexus via DCNM. DCNM expects encrypted key to enter the config, which i copied from a catalyst switch. Looks like the type 7 encryption on Nexus is different than Catalyst switches, when i replaced the key with an encrypted key by Nexus, it worked.

FYI, i have not added tacacs key global command and also tacacs source interface global command. All commands were specific to either group or tacacs-server.

Good luck with your problem.