topic Re: ACS to ISE 2.7 migration. TACAC+ enable login issue in Network Access Control

ACS to ISE 2.7 migration. TACAC+ enable login issue

KelvinT — Fri, 18 Dec 2020 18:39:21 GMT

Re: ACS to ISE 2.7 migration. TACAC+ enable login issue

Mark Elsen — Sat, 19 Dec 2020 08:27:29 GMT

- What is the issue ?

Re: ACS to ISE 2.7 migration. TACAC+ enable login issue

KelvinT — Sat, 19 Dec 2020 15:08:18 GMT

Wow! It didn't take my questions.

Basically in ISE the user successfully login the 1st part but when the switch ask for enable password it fails. Authc failure.

FYI when pointing the switch to the ACS it works without issue.

Thanks

Re: ACS to ISE 2.7 migration. TACAC+ enable login issue

Mark Elsen — Sat, 19 Dec 2020 17:20:19 GMT

- What's in the ISE logs when this happens ?

Re: ACS to ISE 2.7 migration. TACAC+ enable login issue

KelvinT — Sat, 19 Dec 2020 21:03:04 GMT

The initial log on shows authz successful. the enable login attempt shows authc failure. bad credential.

Re: ACS to ISE 2.7 migration. TACAC+ enable login issue

Mark Elsen — Sun, 20 Dec 2020 08:19:28 GMT

- Verify your ISE policies and setup according to this document :

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html

Re: ACS to ISE 2.7 migration. TACAC+ enable login issue

KelvinT — Sun, 20 Dec 2020 13:29:03 GMT

Yes it is with some exceptions.

We check the box for maximum privilege 15. Is there a reason it isn't selected?

Re: ACS to ISE 2.7 migration. TACAC+ enable login issue

Mark Elsen — Sun, 20 Dec 2020 13:39:25 GMT

- You mean you can't check the box ?

Re: ACS to ISE 2.7 migration. TACAC+ enable login issue

KelvinT — Sun, 20 Dec 2020 13:43:31 GMT

No. Its checked. We are running ISE 2.7 patch2. I thought that was required for enabled mode.

Re: ACS to ISE 2.7 migration. TACAC+ enable login issue

Mark Elsen — Sun, 20 Dec 2020 14:28:56 GMT

- The original document I referred to also contains :

Note: For TACACS you need to have separate license installed

Check this thread for further info's on that :

https://community.cisco.com/t5/network-access-control/tacacs-licenses-in-ise/m-p/3504911

Re: ACS to ISE 2.7 migration. TACAC+ enable login issue

KelvinT — Sun, 20 Dec 2020 14:32:49 GMT

Yes. Licenses are there and consumed.

Re: ACS to ISE 2.7 migration. TACAC+ enable login issue

Mark Elsen — Sun, 20 Dec 2020 15:08:43 GMT

- https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365#toc-hId--919282975

Follow the referenced example, to create a user or user(s) with enable(d) privilege(s) directly. If problems persist on the logging for the failed authentication click on detail. Check which policy rules were matched and or check correctness of the policy (sets)

Re: ACS to ISE 2.7 migration. TACAC+ enable login issue

KelvinT — Mon, 21 Dec 2020 21:44:08 GMT

I found the issue.

An ISE configuration that migrated over from 2 previous upgrades using the 1st old ACS to new ACS IOS then from new ACS to ISE. The configuration was a shell:roles"network-admin" that was on the profile. The debug showed it failing with ACS but ACS just ignored it and authc the user. ISE doesn't ignore it. It gives an authc failure.

After removing the av-pair from the shell profile the user authc successfully.

Thanks for your help.