ACAS scanning with authentication via ISE AAA.

Eric R. Jones
Level 4

Hello, this is for folks who are familiar with ACAS but any feedback would be appreciated.

We currently are using ISE 2.4.

We have been successfully authenticating our network edge devices for some time.

We are even able to utilize PKI for edge access, so no username/passwords are required except for emergent access.

The ACAS team runs their scans of the network but we don't see it access all the devices when viewing ISE TACACS Live Logs.

We can see it hit, say, the core, a distribution switch and some edges, but it doesn't access other devices in the same IP subnet range. So when we view the running live log we see nice green checks for switch 1, switch 2, switch 4, and switch 6, but switches 3 and 5 don't appear as successful or failed attempts. Viewing the local log on switches 3 and 5 says that the account used to do the scans successfully accessed the device.

If I log in to the same devices, switches 3 and 5, with the same credential using SecureCRT or PuTTY, I gain access and I'm at the proper privilege level.

I did an extensive Wireshark capture using monitor session # filter vlan ####, #### and monitor session # source vlan ###, ####.

I got tons of traffic and the successful ISE authentications were there; however, I didn't see any traffic for the devices that didn't go through ISE for AAA. 

The ACAS is scanning a /8 range for the subnet; in our view this is way too broad, but it's not our server.

We have the subnets broken up into a couple of /27's and /24's.

Any ideas on where to start sleuthing?

ej

Accepted Solution

Arne Bier
VIP

Hi Eric

You did the right thing by doing a tcpdump - if you didn't see a request come into ISE then it probably didn't happen. I would say that the ACAS system is performing either a random sample (given that a /8 is pretty huge), or perhaps it just hasn't got around to doing all the hosts. But it doesn't seem weird - it should work through the list sequentially, right? You'd think so. Maybe it's buggy.

The trouble with ISE is that you're limited to 5 min tcpdump - if we had proper access to the Linux we could run a real tcpdump for as long as you like, with the necessary filters in place.  

Also, if you have more than one PSN doing TACACS, then your single allowed instance of tcpdump will miss the traffic that it doesn't see. Even ACS had the ability to run tcpdump on the CLI of each node ... ISE one step forward, two steps back sometimes :(
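The check a reader in Eric's position would want next, as an added example that is not part of the original thread and not code from Cisco ISE or ACAS: reconcile an exported TACACS authentication log against the device inventory for the scanned /27 and /24 subnets, so the devices that never produced an ISE record (switches 3 and 5 in the question) are listed explicitly instead of being spotted by eye in the live log. The export's column layout, the device names and addresses, the subnets and the scanning account name are all constructed for this example; a real ISE export has different columns and has to be mapped onto the five fields the parser expects.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed sample export of TACACS authentication records. The column
# order (timestamp, status, username, device IP, device name) is an
# assumption for this example, not the real ISE live-log export format.
SAMPLE_LOG = """\
2020-03-10 02:00:01,Pass,acas-scan,10.20.30.1,core-1
2020-03-10 02:00:02,Pass,acas-scan,10.20.30.2,dist-1
2020-03-10 02:00:03,Pass,acas-scan,10.20.31.11,edge-1
2020-03-10 02:00:04,Pass,acas-scan,10.20.31.12,edge-2
2020-03-10 02:00:05,Fail,acas-scan,10.20.31.14,edge-4
2020-03-10 02:00:06,Pass,acas-scan,10.20.31.16,edge-6
2020-03-10 02:00:07,Pass,acas-scan,10.99.0.5,unknown-device
"""

# Constructed inventory of the devices that are expected to authenticate
# through ISE, keyed by the /27 and /24 subnets they live in.
INVENTORY = {
    "10.20.30.0/27": ["10.20.30.1", "10.20.30.2"],
    "10.20.31.0/24": ["10.20.31.11", "10.20.31.12", "10.20.31.13",
                      "10.20.31.14", "10.20.31.15", "10.20.31.16"],
}


@dataclass(frozen=True)
class AuthRecord:
    timestamp: datetime
    status: str        # "Pass" or "Fail" in the constructed export
    username: str
    device_ip: str     # the network device (TACACS client), not the scanner
    device_name: str


def parse_log(text):
    """Parse the CSV export into AuthRecord objects, skipping blank lines."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, status, user, ip, name = row
        records.append(AuthRecord(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                                  status, user, ip, name))
    return records


def scan_window(records):
    """Earliest and latest record; compare with when the scan actually ran."""
    stamps = [r.timestamp for r in records]
    return min(stamps), max(stamps)


def reconcile(records, inventory, username):
    """Split inventory devices into seen / missing, and flag unexpected hits.

    seen:       device IP -> last status ISE recorded for the scan account
    missing:    inventory devices with no record at all (neither Pass nor Fail)
    unexpected: devices that authenticated but sit outside every inventory subnet
    coverage:   per subnet, (devices seen, devices expected)
    """
    seen = {}
    for rec in records:
        if rec.username != username:
            continue
        seen[rec.device_ip] = rec.status   # a later Fail still proves ISE saw it
    nets = [ipaddress.ip_network(cidr) for cidr in inventory]
    expected = {ip for ips in inventory.values() for ip in ips}
    missing = sorted((ip for ip in expected if ip not in seen),
                     key=ipaddress.ip_address)
    unexpected = sorted(
        (ip for ip in seen
         if not any(ipaddress.ip_address(ip) in net for net in nets)),
        key=ipaddress.ip_address)
    coverage = {cidr: (sum(1 for ip in ips if ip in seen), len(ips))
                for cidr, ips in inventory.items()}
    return {"seen": seen, "missing": missing,
            "unexpected": unexpected, "coverage": coverage}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    lo, hi = scan_window(recs)
    print(f"records span {lo} to {hi}")
    result = reconcile(recs, INVENTORY, "acas-scan")
    for cidr, (hit, total) in result["coverage"].items():
        print(f"{cidr}: {hit}/{total} inventory devices seen by ISE")
    print("no ISE record at all:", result["missing"])
    print("seen by ISE but outside inventory:", result["unexpected"])
    print("failed attempts:",
          [ip for ip, st in result["seen"].items() if st == "Fail"])
```

A device in `missing` whose own log nevertheless shows the scanning account logging in successfully was authenticated by something other than the ISE node whose log was exported: either another TACACS server in its server list (a second PSN, which the reply notes a single tcpdump instance cannot cover) or a local or fallback method. On IOS, `show run | section aaa|tacacs` and `show tacacs` on that switch show which servers it is configured for and which it has actually been talking to.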
