ISE tacacs with local fallback

carolinahusker
Level 1

We are using tacacs hosted by ISE to authenticate our Cisco devices with local authentication as the fallback. The external Identity source is Active Directory. The domain controller associated with the ISE node is a single domain controller. Two questions:

1. How can I verify that the external source is pointed to the root of the domain and not a single domain controller (I didn't set up the relationship)? I'm concerned that if a single domain controller fails tacacs will fail.

2.  Our Cisco gear uses tacacs with local failback. If ISE loses connectivity to AD, will local failback occur? My concern is that tacacs hosted by ISE will still be running and will not failback to local authentication if the AD is unavailable. Is that the case? 

Accepted Solution

Arne Bier
VIP

2.  Our Cisco gear uses tacacs with local failback. If ISE loses connectivity to AD, will local failback occur? My concern is that tacacs hosted by ISE will still be running and will not failback to local authentication if the AD is unavailable. Is that the case? 


You are correct that in the event that ISE loses comms with AD (unlikely but possible) then the NAD won't know, and it will continue using TACACS+ because ISE is still responding.  The trick here is to use an Identity Source Sequence that always searches AD first, followed by Internal Identities.  And then create a few local user identities in ISE that you "use in case of emergencies". If you have such a Sequence, and AD were to fail, then you can optionally tell ISE to fail that auth, and then your Authentication Policy can catch that and DROP the request, thus causing the NAS to seek alternative means (e.g. another server or local auth) - but in that case you would lose the ability to use the Internal Identity.  It's a matter of personal preference how you wish to handle the various failures.

1) AD Failed -> allow the use of internal ISE accounts instead, or DROP all TACACS requests, thus forcing NAS local auth

2) ISE Failed -> NAS will have no choice but to use its local auth

You can configure ISE to display a hint during password entry to help the user determine whether they are using a TACACS+ or local account. It's under Work Centers > Device Admin > Settings > Connection Settings > Username Prompt / Password Prompt - if TACACS+ has failed then you won't see the prefix that you have configured (e.g. the prefix might be 'TACACS-').

Hope that helps?
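The failure matrix described in this answer, as an added Python model (constructed here, not Cisco or ISE code): the three user stores, the IseState fields and the drop_on_ad_failure switch are assumptions standing in for the Identity Source Sequence and the authentication policy's DROP action, and the NAS side mimics the IOS rule that local authentication is consulted only when TACACS+ gives no reply.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed identity stores (placeholder accounts, not real ones).
AD_USERS = {"alice": "ad-pass"}                  # Active Directory via the ISE join point
ISE_INTERNAL_USERS = {"breakglass": "ise-pass"}  # ISE Internal Users ("emergency" accounts)
NAS_LOCAL_USERS = {"admin": "local-pass"}        # local accounts on the router/switch


@dataclass
class IseState:
    reachable: bool = True            # the NAS can reach the ISE PSN
    ad_reachable: bool = True         # ISE can reach its AD join point
    drop_on_ad_failure: bool = False  # assumed policy switch: DROP (no reply) when AD is down


def ise_tacacs_auth(state: IseState, user: str, password: str) -> Optional[str]:
    """Return 'ACCEPT', 'REJECT', or None (no reply, so the NAS times out)."""
    if not state.reachable:
        return None
    # Identity Source Sequence: AD first, then Internal Users.
    if state.ad_reachable:
        if user in AD_USERS:
            return "ACCEPT" if AD_USERS[user] == password else "REJECT"
    elif state.drop_on_ad_failure:
        return None  # authentication policy catches the AD failure and drops the request
    # AD down (and not dropping) or user not found in AD: try Internal Users.
    if user in ISE_INTERNAL_USERS:
        return "ACCEPT" if ISE_INTERNAL_USERS[user] == password else "REJECT"
    return "REJECT"


def nas_login(state: IseState, user: str, password: str) -> str:
    """Mimics 'aaa authentication login default group tacacs+ local':
    the local store is consulted only when TACACS+ gives no reply, never on REJECT."""
    result = ise_tacacs_auth(state, user, password)
    if result == "ACCEPT":
        return "accepted via TACACS+"
    if result == "REJECT":
        return "rejected by TACACS+"  # explicit reject: no local fallback
    if NAS_LOCAL_USERS.get(user) == password:
        return "accepted via local"
    return "rejected by local"


if __name__ == "__main__":
    scenarios = [("all up", IseState()), ("AD down, continue", IseState(ad_reachable=False)),
                 ("AD down, drop", IseState(ad_reachable=False, drop_on_ad_failure=True)),
                 ("ISE down", IseState(reachable=False))]
    for label, st in scenarios:
        for u, p in [("alice", "ad-pass"), ("breakglass", "ise-pass"), ("admin", "local-pass")]:
            print(f"{label:18} {u:11} -> {nas_login(st, u, p)}")
```

Note that while ISE is reachable the NAS local account is never consulted, even when ISE rejects the user; only the DROP (no reply) or an unreachable ISE triggers local authentication.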


2 Replies

kthiruve
Cisco Employee

Please see the post that describes how TACACS fallback works

https://community.cisco.com/t5/firewalls/can-tacacs-be-configured-as-fallback-to-local-in-aaa/td-p/2347405

As for integration with ISE, a domain is a join point in AD and you can whitelist a number of domains. There are some best practices and prerequisites for AD-ISE to work smoothly (needs 1 GC, NTP needs to be synced, SRV queries being successful, ISE co-located in the same site as the AD domain controller, etc.).

ISE supports 50 join points in the domain independent of forest. You can also create a list of authentication domains that you want ISE to authenticate to.

Here is the link for that. Check the last section on AD connector internal operations.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html#reference_F19556CAD5C949B58DF89334E2C6255D
