cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
 
Register for the monthly ISE Webinars to learn about ISE configuration and deployment.
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

93
Views
5
Helpful
2
Replies
Beginner

ISE tacacs with local fallback

We are using tacacs hosted by ISE to authenticate our Cisco devices with local authentication as the fallback. The external Identity source is Active Directory. The domain controller associated with the ISE node is a single domain controller. Two questions:

1. How can I verify that the external source is pointed to the root of the domain and not a single domain controller (I didn't set up the relationship)? I'm concerned that if a single domain controller fails tacacs will fail.

2.  Our Cisco gear uses tacacs with local failback. If ISE loses connectivity to AD, will local failback occur? My concern is that tacacs hosted by ISE will still be running and will not failback to local authentication if the AD is unavailable. Is that the case? 

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Advocate

Re: ISE tacacs with local fallback


2.  Our Cisco gear uses tacacs with local failback. If ISE loses connectivity to AD, will local failback occur? My concern is that tacacs hosted by ISE will still be running and will not failback to local authentication if the AD is unavailable. Is that the case? 


You are correct that in the event that ISE loses comms with AD (unlikely but possible) then the NAD won't know, and it will continue using TACACS+ because ISE is still responding.  The trick here is to use an Identity Source Sequence that always searches AD first, followed by Internal Identities.  And then create a few local user identities in ISE that you "use in case of emergencies". If you have such a Sequence, and AD were to fail, then you can optionally tell ISE to fail that auth, and then your Authentication Policy can catch that and DROP the request, thus causing the NAS to seek alternative means (e.g. another server or local auth) - but in that case you would lose the ability to use the Internal Identity.  It's a matter of personal preference how you wish to handle the various failures.

1) AD Failed -> allow the use of internal ISE accounts instead, or DROP all TACACS requests, thus forcing NAS local auth

2) ISE Failed -> NAS will have no choice but to use its local auth

 

 

You can configure ISE to display a hint during Password entry help the user determine whether they are using TACACS+ or local account. It's under Work Centers > Device Admin > Settings > Connection Settings > Username Prompt / Password Prompt - if TACACS+ has failed then you won't see the prefix that you have configured (e.g. prefix might be 'TACACS-'

 

Hope that helps?

 

 

 

2 REPLIES 2
Highlighted
Cisco Employee

Re: ISE tacacs with local fallback

Please see the post that describes how TACACS fallback works

https://community.cisco.com/t5/firewalls/can-tacacs-be-configured-as-fallback-to-local-in-aaa/td-p/2347405

 

As for integration with ISE, a domain is a join point in AD and you can white list number of domains. There are some best practices and pre-requesities for AD-ISE to work smoothly.( Needs 1 GC, NTP needs to be synced etc, SRV queries being successfull, ISE co-located in the same site as AD domain controller etc.)

 

ISE supports 50 join points in the domain independent of forest. You can also create a list of authentication domains that you want ISE to authenticate to.

 

Here is the link for that. Check the last section on AD connector internal operations.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html#reference_F19556CAD5C949B58DF89334E2C6255D

VIP Advocate

Re: ISE tacacs with local fallback


2.  Our Cisco gear uses tacacs with local failback. If ISE loses connectivity to AD, will local failback occur? My concern is that tacacs hosted by ISE will still be running and will not failback to local authentication if the AD is unavailable. Is that the case? 


You are correct that in the event that ISE loses comms with AD (unlikely but possible) then the NAD won't know, and it will continue using TACACS+ because ISE is still responding.  The trick here is to use an Identity Source Sequence that always searches AD first, followed by Internal Identities.  And then create a few local user identities in ISE that you "use in case of emergencies". If you have such a Sequence, and AD were to fail, then you can optionally tell ISE to fail that auth, and then your Authentication Policy can catch that and DROP the request, thus causing the NAS to seek alternative means (e.g. another server or local auth) - but in that case you would lose the ability to use the Internal Identity.  It's a matter of personal preference how you wish to handle the various failures.

1) AD Failed -> allow the use of internal ISE accounts instead, or DROP all TACACS requests, thus forcing NAS local auth

2) ISE Failed -> NAS will have no choice but to use its local auth

 

 

You can configure ISE to display a hint during Password entry help the user determine whether they are using TACACS+ or local account. It's under Work Centers > Device Admin > Settings > Connection Settings > Username Prompt / Password Prompt - if TACACS+ has failed then you won't see the prefix that you have configured (e.g. prefix might be 'TACACS-'

 

Hope that helps?