I have the following AAA config on my firewalls:
aaa-server ISE_TACACS protocol tacacs+
aaa-server ISE_TACACS (inside) host A.B.C.D
aaa authentication http console ISE_TACACS LOCAL
aaa authentication ssh console ISE_TACACS LOCAL
aaa authorization exec authentication-server
aaa accounting ssh console ISE_TACACS
aaa authentication serial console LOCAL
We are facing intermittent 'RPC Logon failures' errors on ISE and our logins fail. Does this event qualify for authentication fallback to LOCAL? If yes, then it is not falling back.
I'm assuming the RPC failures are between ISE and your AD environment?
I would not think this qualifies for fallback if the TACACS+ server(s) are reachable/ACTIVE from the ASA, e.g. if showing:
Server Group: TACACS
Server Protocol: tacacs+
Server Address: 10.40.0.10
Server port: 49
Server status: ACTIVE, Last transaction at 12:43:36 BST Tue May 21 2019
Yes, it is between AD and ISE (with Cisco and MS blaming each other!)
I can't log in to the firewall when this happens, so how can I even confirm the last successful transaction? When ISE starts working, obviously the last successful transaction will have no meaning for me.
I agree with the above post. The ASA will fail over to LOCAL only if the AAA server is not reachable. Examples are: the server is down, or an ACL is blocking the request.
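The two answers above make the same point: LOCAL is consulted only when the ASA marks the TACACS+ server as failed (no reply), not when ISE replies with a reject because its own AD lookup broke. The following ASA CLI sequence is an added example, not part of the original thread, showing how to verify that from the firewall while the problem is happening. It assumes the group name ISE_TACACS and the host placeholder A.B.C.D from the question; `testuser`/`testpass` are placeholder credentials, and the tuning values in the last stanza are the ASA defaults.

```cisco
! Added example (not from the original post). Assumes group ISE_TACACS and
! host A.B.C.D from the question; testuser/testpass are placeholders.
!
! 1. Get onto the box while ISE is misbehaving: the serial console
!    authenticates against LOCAL per "aaa authentication serial console LOCAL",
!    so it is unaffected by the ISE/AD problem.
!
! 2. Ask the ASA whether it still considers the TACACS+ server reachable.
!    "Server status: ACTIVE" means requests are still being sent to ISE and
!    any reject ISE returns is honoured; LOCAL is only tried once the
!    server is marked FAILED.
show aaa-server ISE_TACACS

! 3. Send one test request straight to the server and read the result:
!    a rejection is a reply from ISE (no fallback), whereas "server not
!    responding" / a timeout is the condition that leads to fallback.
test aaa-server authentication ISE_TACACS host A.B.C.D username testuser password testpass

! 4. The knobs that decide when a server is marked FAILED (defaults shown):
!    the server is deactivated only after max-failed-attempts consecutive
!    non-responses, and reactivated after the deadtime (minutes) once the
!    whole group is depleted.
aaa-server ISE_TACACS protocol tacacs+
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
```

Run steps 2 and 3 from the serial console during an outage window: if `show aaa-server` still reports ACTIVE and the test request comes back as a rejection rather than a timeout, the observed behaviour is expected and the fix belongs on the ISE/AD side, not in the ASA fallback configuration.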