cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1132
Views
0
Helpful
3
Replies

AAA Device Administration is not working with Policy node

kai.onken
Level 1
Level 1

Good Morning,

 

I encountered the following problem with my ISE 2.3 installation regarding Device Administration. When ich configure the primary or secondary node for AAA everything works fine, Tacacs Auth, aso. When I replace the primary and/or secondary node with a policy node no AAA is working any more.

My first guess was ACL and/or Firewall, but none of them. I place a plain switch with only AAA on it in the same network where a policy node is located and it worked with the primary and/or secondary node. But again not with the policy node. I even can't see anything on the TACACS live log.

 

The current installation is based on five physical ISE servers in a distributed deployment. The machines are installed and configure like this (see attached Files):

 

        SFLAISE01      -       Administration, Policy Service with Session and Device Administration

        SFLAISE02      -       Administration, Monitoring, Policy Service with Session and Device Administration

        SCPHISE01      -       Policy Service with Session and Device Administration

        SHAMISE01      -       Policy Service with Session and Device Administration

        SHAISE01       -       Policy Service with Session and Device Administration

 

A Device Administration licence is availabled (see attached file)

 

I've no idea why the policy node is not handling AAA.

 

Thanks for any help.

Kai

 

 

 

1 Accepted Solution

Accepted Solutions

A couple of things you may try:

  • Check whether the PSNs are listening on port 49 by CLI "show port" and from another machine "telnet <PSN-IP> 49"
  • Take packet capture between NAD and PSN
  • Enable DEBUG on Runtime-AAA and check debug log prrt-server.log

If that not giving any clues, please engage Cisco TAC.

View solution in original post

3 Replies 3

tasneemjan
Level 1
Level 1

make sure you have the following setup correctly:

on devices you are point to PSN ip addresses and not the PANs. 

if you are using mgmt interfaces these will be in a vrf. you need to use ip vrf forwarding Mgmt-vrf under aaa group server

You have correctly setup NADs on the ISE with TACACS ticked and matching key.

regards

Hello Tasneemjan,

 

to your topics:

 

make sure you have the following setup correctly:

 1. On devices you are point to PSN ip addresses and not the PANs. 

   When I use the PAN IP's it works

   When I use the PSN IP's its not working

 

2. If you are using mgmt interfaces these will be in a vrf. You need to use ip vrf forwarding Mgmt-vrf under aaa group server

  You are right, but I'm using in bound management

 

3. You have correctly setup NADs on the ISE with TACACS ticked and matching key.

  Please see Topic 1.

 

Kind regards

Kai

regards

A couple of things you may try:

  • Check whether the PSNs are listening on port 49 by CLI "show port" and from another machine "telnet <PSN-IP> 49"
  • Take packet capture between NAD and PSN
  • Enable DEBUG on Runtime-AAA and check debug log prrt-server.log

If that not giving any clues, please engage Cisco TAC.