ACS to ISE 2.7 migration. TACAC+ enable login issue

KelvinT
Level 1

12 Replies

Mark Elsen
Hall of Fame

 

- What is the issue?

M.



-- Let everything happen to you
   Beauty and terror
   Just keep going
   No feeling is final
Rainer Maria Rilke (1899)

Wow!  It didn't take my questions.

 

Basically, in ISE the user successfully logs in for the 1st part, but when the switch asks for the enable password it fails. Authc failure.

 

FYI when pointing the switch to the ACS it works without issue.

 

Thanks

 

- What's in the ISE logs when this happens?

M.




The initial logon shows authz successful. The enable login attempt shows authc failure: bad credential.

 

 

 

- Verify your ISE policies and setup according to this document:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html

M.




Yes, it is, with some exceptions.

We check the box for maximum privilege 15. Is there a reason it isn't selected?

 

 

- You mean you can't check the box?

M.




No. It's checked. We are running ISE 2.7 patch 2. I thought that was required for enable mode.

 

- The original document I referred to also contains:

    Note: For TACACS you need to have a separate license installed

Check this thread for further info on that:

https://community.cisco.com/t5/network-access-control/tacacs-licenses-in-ise/m-p/3504911

M.




Yes.  Licenses are there and consumed.

 

- https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365#toc-hId--919282975

Follow the referenced example to create a user or users with enable privilege directly. If problems persist, in the log entry for the failed authentication click on Detail. Check which policy rules were matched and/or check the correctness of the policy (sets).

M.




I found the issue.

 

The ISE configuration had migrated over through 2 previous upgrades: from the 1st old ACS to the new ACS IOS, then from the new ACS to ISE. The shell profile had a shell:roles="network-admin" attribute on it. The debug showed it failing with ACS too, but ACS just ignored it and authenticated the user. ISE doesn't ignore it; it gives an authc failure.

After removing the av-pair from the shell profile the user authenticates successfully.

 

Thanks for your help.
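As an added illustration of the fix described in this thread (example code, not from the thread or from Cisco), here is a small Python audit that scans TACACS+ shell profiles exported from a migrated ISE for attributes that ACS tolerated but ISE enforces. It assumes the export shape shown in the constructed SAMPLE_PROFILES list (the field names are this script's own, not ISE's), and it treats shell:roles as an NX-OS role attribute with no meaning on a profile used for IOS devices; the function names are this example's own.

```python
"""Hypothetical post-migration audit of TACACS+ shell profiles (ACS -> ISE).

Flags attributes that ACS silently ignored but ISE applies, such as the
shell:roles="network-admin" av-pair from the thread, plus priv-lvl mistakes.
Added example, not Cisco tooling; the input format is constructed.
"""
from dataclasses import dataclass
import re

# TACACS+ attribute-value syntax: '=' marks a mandatory attribute, '*' an optional one.
AV_PAIR_RE = re.compile(r'^([A-Za-z0-9_:.\-]+)\s*([=*])\s*(.*)$')

# Attributes assumed to be consumed only by NX-OS (assumption, see lead-in).
NXOS_ONLY_ATTRIBUTES = {"shell:roles"}


@dataclass(frozen=True)
class Finding:
    profile: str
    attribute: str
    reason: str


def parse_av_pair(raw: str):
    """Return (name, mandatory, value) for one AV pair; quotes around the value are stripped."""
    m = AV_PAIR_RE.match(raw.strip())
    if not m:
        raise ValueError(f"not a TACACS+ AV pair: {raw!r}")
    name, sep, value = m.groups()
    return name, sep == "=", value.strip().strip('"')


def audit_profile(profile: dict) -> list:
    """Check one shell profile. 'device_os' defaults to 'ios' when the export does not say."""
    name = profile["name"]
    target = profile.get("device_os", "ios")
    findings = []
    seen = {}
    for raw in profile.get("attributes", []):
        attr, _mandatory, value = parse_av_pair(raw)
        seen[attr] = value
        if target == "ios" and attr in NXOS_ONLY_ATTRIBUTES:
            findings.append(Finding(name, raw,
                "NX-OS-only attribute on an IOS profile; ACS ignored it, "
                "ISE applies it and the enable authentication fails"))
    if target == "ios":
        lvl = seen.get("priv-lvl")
        if lvl is None:
            findings.append(Finding(name, "priv-lvl",
                "no priv-lvl attribute; exec authorization will not raise the privilege level"))
        elif int(lvl) > profile.get("max_priv", 15):
            findings.append(Finding(name, f"priv-lvl={lvl}",
                "priv-lvl exceeds the profile's maximum privilege"))
    return findings


def audit_profiles(profiles) -> list:
    """Run audit_profile over every exported profile and concatenate the findings."""
    out = []
    for p in profiles:
        out.extend(audit_profile(p))
    return out


# Constructed sample export (not an ISE file format); mirrors the thread's stale av-pair.
SAMPLE_PROFILES = [
    {"name": "NetAdmin-IOS", "max_priv": 15,
     "attributes": ["priv-lvl=15", 'shell:roles="network-admin"']},
    {"name": "ReadOnly-IOS", "max_priv": 1,
     "attributes": ["priv-lvl=1"]},
    {"name": "NXOS-Admin", "device_os": "nxos", "max_priv": 15,
     "attributes": ['shell:roles="network-admin"']},
    {"name": "Broken-IOS", "max_priv": 7,
     "attributes": ["priv-lvl=15"]},
    {"name": "NoLevel-IOS", "max_priv": 15,
     "attributes": []},
]

if __name__ == "__main__":
    for f in audit_profiles(SAMPLE_PROFILES):
        print(f"{f.profile}: {f.attribute}: {f.reason}")
```

Run it against your own export after mapping the export's fields onto the dictionary keys used here; every profile it reports is worth opening in ISE under Work Centers > Device Administration before the next failed enable attempt shows up in the live logs.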