https://community.cisco.com/t5/network-access-control/cisco-aci-tacacs-ise-authentication-issues-with-local-user/m-p/4661692#M576461 <P>We are using ISE TACACS for authentication for our ACI environment.&nbsp; We are also using RSA Securid for MFA, but I want to setup a local user on ISE that we can leverage for our Monitoring solution.&nbsp; My user (MFA enabled on ISE) authenticates fine to the gui and I am able to do anything needed.&nbsp; When I attempt to login to the GUI using the newly created account that does not utilize RSA and has a password set it eventually states that the TACACS/AAA took to long to respond.&nbsp; Checking ISE the authentications for each are successful and the matched authorization policy is correct, along with the same shell provided to ACI.&nbsp; I am not sure what logs to look at from either side but as I stated this works fine for a user that is setup with a Password type of RSA SecurID but not for a user that has a Password type of Internal User.&nbsp; I can also type in the wrong pwd and it responds immediately with Access Denied.</P> <P>Thanks in advance,</P> <P>Joe</P> Mon, 01 Aug 2022 20:51:13 GMT joeharb 2022-08-01T20:51:13Z https://community.cisco.com/t5/network-access-control/cisco-aci-tacacs-ise-authentication-issues-with-local-user/m-p/4661692#M576461 <P>We are using ISE TACACS for authentication for our ACI environment.&nbsp; We are also using RSA Securid for MFA, but I want to setup a local user on ISE that we can leverage for our Monitoring solution.&nbsp; My user (MFA enabled on ISE) authenticates fine to the gui and I am able to do anything needed.&nbsp; When I attempt to login to the GUI using the newly created account that does not utilize RSA and has a password set it eventually states that the TACACS/AAA took to long to respond.&nbsp; Checking ISE the authentications for each are successful and the matched authorization policy is correct, along with the same shell provided to ACI.&nbsp; I am not sure what logs to look at from either side but as I stated this works fine for a user that is setup with a Password type of RSA SecurID but not for a user that has a Password type of Internal User.&nbsp; I can also type in the wrong pwd and it responds immediately with Access Denied.</P> <P>Thanks in advance,</P> <P>Joe</P> Mon, 01 Aug 2022 20:51:13 GMT https://community.cisco.com/t5/network-access-control/cisco-aci-tacacs-ise-authentication-issues-with-local-user/m-p/4661692#M576461 joeharb 2022-08-01T20:51:13Z https://community.cisco.com/t5/network-access-control/cisco-aci-tacacs-ise-authentication-issues-with-local-user/m-p/4661703#M576462 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/320052">@joeharb</a>&nbsp;</P> <P>One approach might be to include a TACACS Authentication Rule in ISE that looks for the local username using some form of identifier in the username itself - e.g. a prefix like "ise-xxxx" to distinguish it from the non-local accounts that are MFA enabled.</P> <P>For Authentication Policy, create a Condition, if you see a username like that, then don't use the External Identity/Sequence that you use for MFA, just use "Internal Users"</P> <P>And for Authorization Policy, you can either do the same thing again (match on TACACS Username STARTSWITH "ISE-" or whatever you like, and then assign the appropriate Authorization Profile.</P> Mon, 01 Aug 2022 21:31:53 GMT https://community.cisco.com/t5/network-access-control/cisco-aci-tacacs-ise-authentication-issues-with-local-user/m-p/4661703#M576462 Arne Bier 2022-08-01T21:31:53Z https://community.cisco.com/t5/network-access-control/cisco-aci-tacacs-ise-authentication-issues-with-local-user/m-p/4661710#M576463 <P>&nbsp;</P> <P>&nbsp;</P> <P>Even the users that are MFA are still local users, their password type is different.&nbsp; The authentication is successful for both users within the Audit Logs of ISE.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jharibison.JPG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/158768iC0E8E28E9152B709/image-size/large?v=v2&amp;px=999" role="button" title="jharibison.JPG" alt="jharibison.JPG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AAA_Slow.JPG" style="width: 935px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/158769i49074386F53FD3B3/image-size/large?v=v2&amp;px=999" role="button" title="AAA_Slow.JPG" alt="AAA_Slow.JPG" /></span></P> Mon, 01 Aug 2022 21:40:22 GMT https://community.cisco.com/t5/network-access-control/cisco-aci-tacacs-ise-authentication-issues-with-local-user/m-p/4661710#M576463 joeharb 2022-08-01T21:40:22Z https://community.cisco.com/t5/network-access-control/cisco-aci-tacacs-ise-authentication-issues-with-local-user/m-p/4661721#M576465 <P>Sorry I didn't quite grasp it without the images - the images helped.</P> <P>Have you tried changing the jharbison Password Type from RSA SecureID to the default 'Internal User'?</P> <P>I would like to see your ISE Device Admin Authentication Policies and Authorization Policies - it seems like the non-RSA users are still subjected to additional (MFA) processing in ISE, when this should be bypassed for those users.&nbsp;</P> <P>In the the ACI configuration, is there any MFA awareness, or is it just straightforward TACACS+ configuration?</P> Mon, 01 Aug 2022 22:12:51 GMT https://community.cisco.com/t5/network-access-control/cisco-aci-tacacs-ise-authentication-issues-with-local-user/m-p/4661721#M576465 Arne Bier 2022-08-01T22:12:51Z