Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1121
Views
0
Helpful
3
Replies

AAA Device Administration is not working with Policy node

Go to solution
kai.onken
Level 1
Level 1

‎10-11-2018 11:44 PM - edited ‎10-11-2018 11:44 PM

Good Morning,

 

I encountered the following problem with my ISE 2.3 installation regarding Device Administration. When ich configure the primary or secondary node for AAA everything works fine, Tacacs Auth, aso. When I replace the primary and/or secondary node with a policy node no AAA is working any more.

My first guess was ACL and/or Firewall, but none of them. I place a plain switch with only AAA on it in the same network where a policy node is located and it worked with the primary and/or secondary node. But again not with the policy node. I even can't see anything on the TACACS live log.

 

The current installation is based on five physical ISE servers in a distributed deployment. The machines are installed and configure like this (see attached Files):

 

        SFLAISE01      -       Administration, Policy Service with Session and Device Administration

        SFLAISE02      -       Administration, Monitoring, Policy Service with Session and Device Administration

        SCPHISE01      -       Policy Service with Session and Device Administration

        SHAMISE01      -       Policy Service with Session and Device Administration

        SHAISE01       -       Policy Service with Session and Device Administration

 

A Device Administration licence is availabled (see attached file)

 

I've no idea why the policy node is not handling AAA.

 

Thanks for any help.

Kai

 

 

 

Preview file
33 KB
Preview file
60 KB
Preview file
70 KB
Preview file
51 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to kai.onken

‎10-25-2018 08:29 AM

A couple of things you may try:

  • Check whether the PSNs are listening on port 49 by CLI "show port" and from another machine "telnet <PSN-IP> 49"
  • Take packet capture between NAD and PSN
  • Enable DEBUG on Runtime-AAA and check debug log prrt-server.log

If that not giving any clues, please engage Cisco TAC.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
tasneemjan
Level 1
Level 1

‎10-12-2018 04:28 AM

make sure you have the following setup correctly:

on devices you are point to PSN ip addresses and not the PANs. 

if you are using mgmt interfaces these will be in a vrf. you need to use ip vrf forwarding Mgmt-vrf under aaa group server

You have correctly setup NADs on the ISE with TACACS ticked and matching key.

regards

0 Helpful

Go to solution
kai.onken
Level 1
Level 1
In response to tasneemjan

‎10-12-2018 04:36 AM

Hello Tasneemjan,

 

to your topics:

 

make sure you have the following setup correctly:

 1. On devices you are point to PSN ip addresses and not the PANs. 

   When I use the PAN IP's it works

   When I use the PSN IP's its not working

 

2. If you are using mgmt interfaces these will be in a vrf. You need to use ip vrf forwarding Mgmt-vrf under aaa group server

  You are right, but I'm using in bound management

 

3. You have correctly setup NADs on the ISE with TACACS ticked and matching key.

  Please see Topic 1.

 

Kind regards

Kai

regards

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to kai.onken

‎10-25-2018 08:29 AM

A couple of things you may try:

  • Check whether the PSNs are listening on port 49 by CLI "show port" and from another machine "telnet <PSN-IP> 49"
  • Take packet capture between NAD and PSN
  • Enable DEBUG on Runtime-AAA and check debug log prrt-server.log

If that not giving any clues, please engage Cisco TAC.

0 Helpful
Customers Also Viewed These Support Documents