Beginner

ASA : AAA (ISE) Fallback to Local not working

Hello

I have the following config on my Firewalls for AAA:

aaa-server ISE_TACACS protocol tacacs+
aaa-server ISE_TACACS (inside) host A.B.C.D
key *******

aaa authentication http console ISE_TACACS LOCAL
aaa authentication ssh console ISE_TACACS LOCAL
aaa authorization exec authentication-server
aaa accounting ssh console ISE_TACACS
aaa authentication serial console LOCAL

We are facing intermittent 'RPC Logon failures' errors on ISE and our logins fail. Does this event qualify for authentication fallback to Local? If yes, then it is not falling back.

Accepted Solution

Frequent Contributor

Re: ASA : AAA (ISE) Fallback to Local not working

I believe if the ASA sees the Server as reachable then it will not fallback to device local, which is happening in your case.

Within ISE, you could potentially set up a local user account in the ISE database and fall back to the Internal Database in the event of issues with AD/ISE. In your identity source sequence you are using for device policy sets, have Internal Users next in line. I don't have access to ISE at the moment to look into this properly though.

If I was you I would focus on fixing the ISE/AD issue as your solution.
6 Replies
Frequent Contributor

Re: ASA : AAA (ISE) Fallback to Local not working

I'm assuming the RPC failures are between ISE and your AD environment?

I would not think this qualifies as a fallback method if the TACACS server(s) are reachable/ACTIVE from the ASA, e.g. if showing:

sh aaa-server
......................................truncated

Server Group: TACACS
Server Protocol: tacacs+
Server Address: 10.40.0.10
Server port: 49
Server status: ACTIVE, Last transaction at 12:43:36 BST Tue May 21 2019

Beginner

Re: ASA : AAA (ISE) Fallback to Local not working

Thank you.

Yes, it is between AD and ISE (with Cisco and MS blaming each other!)

I can't log in to the firewall when this happens, so how can I even confirm the last successful transaction? When ISE starts working, obviously the last successful transaction will have no meaning for me.

Beginner

Re: ASA : AAA (ISE) Fallback to Local not working

That makes sense, thanks a lot.

Frequent Contributor

Re: ASA : AAA (ISE) Fallback to Local not working

I think you would need to amend or create a new one within the actual Identity Source Sequence itself, under identity management. Depends on what else you use it for.
Contributor

Re: ASA : AAA (ISE) Fallback to Local not working

I agree with the above post. The server will fail to local if the AAA server is not reachable. Examples are: the server is down, or an ACL is blocking the request.
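The rule the replies describe (the ASA walks the `aaa authentication ... console ISE_TACACS LOCAL` method list and only reaches LOCAL when no server in the group is reachable, so a REJECT from a reachable ISE is final) can be checked offline against saved `show aaa-server` output. The script below is an added example, not code from the thread, Cisco or ISE: it parses the `Server Group` / `Server Address` / `Server status` lines in the format quoted in the first reply, works out whether each group has an ACTIVE member, and simulates the method-list walk for a given login. The sample output, addresses and timestamps are constructed; the `FAILED, Server disabled at ...` line is the assumed shape of a failed server entry.

```python
"""Decide whether an ASA login would fall back to LOCAL, from `show aaa-server` output.

Added example (not from the thread). Models the behaviour the replies describe:
the ASA moves to the next method in an `aaa authentication` list only when the
current server group is unreachable; an answer from a reachable ISE is final.
"""
import re

# Constructed sample output, modelled on the format quoted in the thread.
# Addresses and timestamps are made up; the FAILED line is an assumed shape.
SAMPLE_SHOW_AAA_SERVER = """\
Server Group: ISE_TACACS
Server Protocol: tacacs+
Server Address: 10.40.0.10
Server port: 49
Server status: ACTIVE, Last transaction at 12:43:36 BST Tue May 21 2019

Server Group: ISE_TACACS
Server Protocol: tacacs+
Server Address: 10.40.0.11
Server port: 49
Server status: FAILED, Server disabled at 12:50:02 BST Tue May 21 2019
"""

# Only the three fields the decision needs; a new "Server Group" line starts a record.
FIELD_RE = re.compile(r"^Server (Group|Address|status): *([^,\s]+)")


def parse_show_aaa_server(text):
    """Return one {'group', 'address', 'status'} dict per server entry."""
    servers, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # Protocol, port, truncation markers and the command echo
        field, value = m.group(1).lower(), m.group(2)
        if field == "group" and current:
            servers.append(current)
            current = {}
        current[field] = value
    if current:
        servers.append(current)
    return servers


def group_status(servers):
    """A group is usable for the method-list walk if any member is ACTIVE."""
    status = {}
    for s in servers:
        status.setdefault(s["group"], "FAILED")
        if s.get("status") == "ACTIVE":
            status[s["group"]] = "ACTIVE"
    return status


def login_outcome(method_list, status, replies):
    """Walk an `aaa authentication ... console <group> [LOCAL]` method list.

    status:  group name -> 'ACTIVE' or 'FAILED' (from group_status()).
    replies: group name -> the answer a reachable group returns for this login,
             'ACCEPT' or 'REJECT' (e.g. ISE rejecting because its AD lookup failed).
    Returns 'ACCEPT', 'REJECT' or 'LOCAL' (login decided by the local database).
    """
    for method in method_list:
        if method == "LOCAL":
            return "LOCAL"
        if status.get(method) == "ACTIVE":
            # A reachable server answered; the ASA does not try the next method.
            return "ACCEPT" if replies.get(method) == "ACCEPT" else "REJECT"
        # No reachable server in this group: fall through to the next method.
    return "REJECT"


if __name__ == "__main__":
    servers = parse_show_aaa_server(SAMPLE_SHOW_AAA_SERVER)
    status = group_status(servers)
    for s in servers:
        print(f"{s['group']:<12} {s['address']:<14} {s['status']}")
    ssh_methods = ["ISE_TACACS", "LOCAL"]  # from `aaa authentication ssh console ...`
    # The thread's situation: ISE reachable but rejecting while AD RPC fails.
    print("ISE reachable, rejects:", login_outcome(ssh_methods, status, {"ISE_TACACS": "REJECT"}))
    # What it would take to reach LOCAL: every ISE_TACACS member marked FAILED.
    print("ISE unreachable:       ", login_outcome(ssh_methods, {"ISE_TACACS": "FAILED"}, {}))
```

Run it against a pasted `show aaa-server` capture to see which groups still have an ACTIVE member; as long as ISE_TACACS does, a failed SSH login is ISE's answer, not a fallback event, which is the distinction the accepted solution makes.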