This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
Can someone help me with the below issue,
- I have ISE standalone running on 2.6, i have enabled the device administration for TACACS services and configured required steps on my Firewall and Switch.
aaa-server ise1 protocol tacacs+
aaa-server ise1 (Inside) host <ISE IP>
aaa authentication ssh console ise1 LOCAL
aaa authentication enable console ise1 LOCAL
aaa authentication http console ise1 LOCAL
aaa authorization command ise1 LOCAL
aaa accounting ssh console ise1
aaa accounting serial console ise1
aaa accounting enable console ise1
aaa accounting command ise1
aaa authentication secure-http-client
aaa authorization exec authentication-server auto-enable
1. I am seeing continues Authentication failure logs on ISE with INVALID username on my Firewall which is hitting the default profile.
2. when i tried to authenticate with AD user, the authentication is successful but authorization is hitting to the default deny profile.
Can someone help me did i done something wrong on my TACACS configuration or Is it a Bug?
First introduced in ise 2.4, the masking of usernames failing authentication was done to avoid revealing passwords that may have been placed in the username field.
You can disable the masking for 30 minutes if you go to Administration >> Settings >> Protocols >> RADIUS >> Disclose invalid usernames and select the checkbox.
As for your issue of hitting the deny rule, you need to confirm that you're matching the conditions you have set, user, Nad, group, etc. Click the details of one of those live logs and share it with us of you want. If you feel you're hitting a bug or this worked before 2.6, TAC will be your only option.
Thanks for the response Miller,
I don't find the option for disabling INVALID users, PFA.
And i have attached Tacacs policyset and log screenshot. please review it once and let me know any misconfigurations done.
Hi, it told you that authentication is fail, and it not match any rules, you can show what is configured in authentication rule and to be more granular set the protocol for tacacs+
Not sure if you already fix this, but in 2.6 the username disclosure setting is in Administration > System > Settings > Security Settings.