Cisco ISE 3.0 - TACACS+ is not working, Tacacs logs: No data found

pozodionisio62774 — Tue, 30 Nov 2021 13:37:19 GMT

Hello everyone;

I am doing a deployment to create a new tacacs server through cisco ISE (authenticating to an AD).

The thing is that I am not receiving any TACACS log on the Cisco ISE, and on the firewall, I can observe that the requests from the test SW are arriving to my Cisco ISE.

On the other hand, on the AD I can't see any request either.

The thing is that in the switch I get the message "access denied".

I go to show you guys some additional information:

SW-TEST#test aaa group tacacs+ MYUSER PASSWORD legacy
Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server.

In Cisco Switch configuration:

aaa new-model
!
!
aaa group server tacacs+ GROUP1
server name ISE01
!
aaa authentication login default group GROUP1 local
aaa authorization config-commands
aaa authorization exec default group GROUP1 local
aaa authorization commands 0 default group GROUP1 local
aaa authorization commands 7 default group GROUP1 local
aaa authorization commands 15 default group GROUP1 local
aaa accounting system default start-stop group tacacs+

tacacs server ISE01
address ipv4 10.239.254.243 (this is the IP of Cisco ISE)
key 7 03215F1B145D711E1C
!

PD: Debubbing additional info:

Log Buffer (4096 bytes):
0: state was SYNSENT -> ESTAB [17344 -> 10.239.254.243(49)]
.Nov 30 11:43:35.151: TCP0: tcb 76AD1CC connection to 10.239.254.243:49, received MSS 1460, MSS is 536
.Nov 30 11:43:35.151: TCP0: tcb 76AD1CC connection to 10.239.254.243:49, received MSS 1460, MSS is 536
.Nov 30 11:43:35.151: TPLUS(0000087D)/0/NB_WAIT: socket event 2
.Nov 30 11:43:35.151: TPLUS(0000087D)/0/NB_WAIT: wrote entire 47 bytes request
.Nov 30 11:43:35.159: TPLUS(0000087D)/0/READ: socket event 1
.Nov 30 11:43:35.159: TPLUS(0000087D)/0/READ: Would block while reading
.Nov 30 11:43:35.159: TCP0: FIN processed
.Nov 30 11:43:35.159: TCP0: state was ESTAB -> CLOSEWAIT [17344 -> 10.239.254.243(49)]
.Nov 30 11:43:35.159: TCP0: bad seg from 10.239.254.243 -- ACK sent to validate RST: port 17344 seq 1532879747 ack 0 rcvnxt 1532879748 rcvwnd 4128 len 0
.Nov 30 11:43:35.159: TCP0: RST received, ACK sent to validate RST
.Nov 30 11:43:35.159: TPLUS(0000087D)/0/READ: socket event 1
.Nov 30 11:43:35.159: TPLUS(0000087D)/0/READ: read 0 bytes
.Nov 30 11:43:35.159: TCP0: RST received, Closing connection
.Nov 30 11:43:35.159: TCP0: state was CLOSEWAIT -> CLOSED [17344 -> 10.239.254.243(49)]
.Nov 30 11:43:35.159: TPLUS(0000087D)/0/READ: socket event 1
.Nov 30 11:43:35.159: TPLUS(0000087D)/0/READ: errno 32
.Nov 30 11:43:35.159: TPLUS(0000087D)/0/739F9B8: Processing the reply packet
.Nov 30 11:43:35.159: TPA: Released port 17344 in Transport Port Agent for TCP IP type 1 delay 240000
.Nov 30 11:43:35.159: TCB 0x76AD1CC destroyed
.Nov 30 11:43:49.922: AAA/AUTHOR: auth_need : user= 'edpr_tr' ruser= 'EUPTNSWERMESINDE194'rem_addr= '172.17.86.253' priv= 15 list= '' AUTHOR-TYPE= 'command'
.Nov 30 11:43:49.922: AAA: parse name=tty4 idb type=-1 tty=-1
.Nov 30 11:43:49.922: AAA: name=tty4 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=4 channel=0
.Nov 30 11:43:49.922: AAA/MEMORY: create_user (0x74F81B0) user='edpr_tr' ruser='EUPTNSWERMESINDE194' ds0=0 port='tty4' rem_addr='172.17.86.253' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
.Nov 30 11:43:49.922: tty4 AAA/AUTHOR/CMD (621972277): Port='tty4' list='' service=CMD
.Nov 30 11:43:49.922: AAA/AUTHOR/CMD: tty4 (621972277) user='edpr_tr'
.Nov 30 11:43:49.922: tty4 AAA/AUTHOR/CMD (621972277): send AV service=shell
.Nov 30 11:43:49.922: tty4 AAA/AUTHOR/CMD (621972277): send AV cmd=show
.Nov 30 11:43:49.922: tty4 AAA/AUTHOR/CMD (621972277): send AV cmd-arg=logging
.Nov 30 11:43:49.922: tty4 AAA/AUTHOR/CMD (621972277): send AV cmd-arg=<cr>
.Nov 30 11:43:49.931: tty4 AAA/AUTHOR/CMD(621972277): found list "default"
.Nov 30 11:43:49.931: tty4 AAA/AUTHOR/CMD (621972277): Method=GROUP1 (tacacs+)
.Nov 30 11:43:49.931: AAA/AUTHOR/TAC+: (621972277): user=edpr_tr
.Nov 30 11:43:49.931: AAA/AUTHOR/TAC+: (621972277): send AV service=shell
.Nov 30 11:43:49.931: AAA/AUTHOR/TAC+: (621972277): send AV cmd=show
.Nov 30 11:43:49.931: AAA/AUTHOR/TAC+: (621972277): send AV cmd-arg=logging
.Nov 30 11:43:49.931: AAA/AUTHOR/TAC+: (621972277): send AV cmd-arg=<cr>
.Nov 30 11:43:49.931: TAC+: Using default tacacs server-group "GROUP1" list.
.Nov 30 11:43:49.931: TAC+: Opening TCP/IP to 10.239.254.243/49 timeout=5
.Nov 30 11:43:49.931: TCB07697018 created
.Nov 30 11:43:49.931: TCB07697018 setting property TCP_GIVEUP (12) 762FBA0
.Nov 30 11:43:49.931: TCP: Random local port generated 25269, network 1
.Nov 30 11:43:49.931: TPA: Reserved port 25269 in Transport Port Agent for TCP IP type 1
.Nov 30 11:43:49.931: TCP: sending SYN, seq 19705197, ack 0
.Nov 30 11:43:49.931: TCP0: Connection to 10.239.254.243:49, advertising MSS 536
.Nov 30 11:43:49.931: TCP0: state was CLOSED -> SYNSENT [25269 -> 10.239.254.243(49)]
.Nov 30 11:43:49.939: TCP0: state was SYNSENT -> ESTAB [25269 -> 10.239.254.243(49)]
.Nov 30 11:43:49.939: TCP0: tcb 7697018 connection to 10.239.254.243:49, received MSS 1460, MSS is 536
.Nov 30 11:43:49.939: TCP0: tcb 7697018 connection to 10.239.254.243:49, received MSS 1460, MSS is 536
.Nov 30 11:43:49.939: TCB07697018 connected to 10.239.254.243.49
.Nov 30 11:43:49.939: TAC+: Opened TCP/IP handle 0x7697018 to 10.239.254.243/49

TCPDUMP in Cisco ISE in attached files.

Could someone help me, please?

Kind regards.

Re: Cisco ISE 3.0 - TACACS+ is not working, Tacacs logs: No data found

PSM — Tue, 30 Nov 2021 12:18:50 GMT

Which Patch version are you running with on ISE 3.0 ?

Hope you have enabled 'Device Admin Service' under Administration > System > Deployment > PSN (or node )

If you enabled it try to disable and enable and then test.

Re: Cisco ISE 3.0 - TACACS+ is not working, Tacacs logs: No data found

Rob Ingram — Tue, 30 Nov 2021 12:21:41 GMT

@pozodionisio62774 have you enabled Device Adminstration on the PSN(s)?

Re: Cisco ISE 3.0 - TACACS+ is not working, Tacacs logs: No data found

pozodionisio62774 — Tue, 30 Nov 2021 12:38:36 GMT

Hi Rob;

I just enabled as you showed me in the screenshoot.

But i am still having the problem

Re: Cisco ISE 3.0 - TACACS+ is not working, Tacacs logs: No data found

pozodionisio62774 — Tue, 30 Nov 2021 12:39:18 GMT

The version is:

Standalone

3.0.0.458

Active

Re: Cisco ISE 3.0 - TACACS+ is not working, Tacacs logs: No data found

thomas — Mon, 13 Dec 2021 21:52:43 GMT

Call TAC.

Re: Cisco ISE 3.0 - TACACS+ is not working, Tacacs logs: No data found

Marcelo Morais — Tue, 14 Dec 2021 00:46:05 GMT

Hi @pozodionisio62774 ,

please try first to install the latest Patch: 3.0 P4 and if the issue continues, then open a TAC Case (as @thomas said).

Hope this helps !!!

topic Re: Cisco ISE 3.0 - TACACS+ is not working, Tacacs logs: No data found in Network Access Control

Cisco ISE 3.0 - TACACS+ is not working, Tacacs logs: No data found

Re: Cisco ISE 3.0 - TACACS+ is not working, Tacacs logs: No data found

Re: Cisco ISE 3.0 - TACACS+ is not working, Tacacs logs: No data found

Re: Cisco ISE 3.0 - TACACS+ is not working, Tacacs logs: No data found

Re: Cisco ISE 3.0 - TACACS+ is not working, Tacacs logs: No data found

Re: Cisco ISE 3.0 - TACACS+ is not working, Tacacs logs: No data found

Re: Cisco ISE 3.0 - TACACS+ is not working, Tacacs logs: No data found