

Cisco ISE - Continuous authentication failure with INVALID username.

Hello Experts,


Can someone help me with the below issue,


- I have an ISE standalone running on 2.6. I have enabled device administration for TACACS services and configured the required steps on my firewall and switch.


aaa-server ise1 protocol tacacs+
aaa-server ise1 (Inside) host <ISE IP>
 key *****
aaa authentication ssh console ise1 LOCAL
aaa authentication enable console ise1 LOCAL
aaa authentication http console ise1 LOCAL
aaa authorization command ise1 LOCAL
aaa accounting ssh console ise1
aaa accounting serial console ise1
aaa accounting enable console ise1
aaa accounting command ise1
aaa authentication secure-http-client
aaa authorization exec authentication-server auto-enable


1. I am seeing continuous authentication failure logs on ISE with INVALID username on my firewall, which is hitting the default profile.


2. When I tried to authenticate with an AD user, the authentication is successful but authorization is hitting the default deny profile.


Can someone help me: did I do something wrong in my TACACS configuration, or is it a bug?








VIP Engager

Re: Cisco ISE - Continuous authentication failure with INVALID username.

First introduced in ISE 2.4, the masking of usernames failing authentication was done to avoid revealing passwords that may have been placed in the username field.


You can disable the masking for 30 minutes if you go to Administration >> Settings >> Protocols >> RADIUS >> Disclose invalid usernames and select the checkbox.


As for your issue of hitting the deny rule, you need to confirm that you're matching the conditions you have set: user, NAD, group, etc. Click the details of one of those live logs and share it with us if you want. If you feel you're hitting a bug or this worked before 2.6, TAC will be your only option.
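
The masking behaviour described in the reply above, as an added example that is not part of the original post and is not ISE code: a small model of a log renderer that replaces the username of a failed authentication with INVALID unless a 30-minute disclosure window is open. The class, function and device names and the sample events are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

MASK = "INVALID"
DISCLOSURE_WINDOW = timedelta(minutes=30)  # duration stated in the reply above

@dataclass
class AuthEvent:
    time: datetime
    device: str
    username: str   # whatever was typed at the prompt, possibly a password
    passed: bool

class AuthLogRenderer:
    """Hypothetical model: mask failed usernames unless disclosure is active."""
    def __init__(self) -> None:
        self.disclose_until: Optional[datetime] = None

    def enable_disclosure(self, now: datetime) -> None:
        # The window closes by itself, so masking returns without admin action.
        self.disclose_until = now + DISCLOSURE_WINDOW

    def render(self, ev: AuthEvent) -> str:
        disclosed = self.disclose_until is not None and ev.time < self.disclose_until
        # Successful logins are known accounts; failures may hold a mistyped secret.
        shown = ev.username if (ev.passed or disclosed) else MASK
        return f"{ev.time:%H:%M} {ev.device} user={shown} {'PASS' if ev.passed else 'FAIL'}"

def demo() -> List[str]:
    t0 = datetime(2024, 1, 1, 10, 0)   # constructed timeline
    log = AuthLogRenderer()
    out = [
        log.render(AuthEvent(t0, "fw01", "alice", True)),
        # Constructed case: a password typed into the username field.
        log.render(AuthEvent(t0 + timedelta(minutes=1), "fw01", "Hunter2!pw", False)),
    ]
    log.enable_disclosure(t0 + timedelta(minutes=5))   # window is 10:05 to 10:35
    out.append(log.render(AuthEvent(t0 + timedelta(minutes=10), "fw01", "svc-monitor", False)))
    out.append(log.render(AuthEvent(t0 + timedelta(minutes=40), "fw01", "svc-monitor", False)))
    return out

if __name__ == "__main__":
    print("\n".join(demo()))
```

While the window is open, every failed attempt is logged in clear text, including any password typed into the username field, which is why the setting is time-limited.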


Re: Cisco ISE - Continuous authentication failure with INVALID username.

Thanks for the response Miller,


I don't find the option for disabling INVALID users, PFA.


And I have attached the TACACS policy set and log screenshot. Please review it once and let me know of any misconfigurations.


Re: Cisco ISE - Continuous authentication failure with INVALID username.

Hi, it told you that the authentication failed and that it did not match any rules. You can show what is configured in the authentication rule and, to be more granular, set the protocol for TACACS+.

Cisco Employee

Re: Cisco ISE - Continuous authentication failure with INVALID username.

Not sure if you already fixed this, but in 2.6 the username disclosure setting is in Administration > System > Settings > Security Settings.