ACS to ISE 2.7 migration. TACAC+ enable login issue

KelvinT (Level 1)

12 Replies

marce1000 (VIP)

 

- What is the issue?

 M.



-- "Good body every evening": this sentence was once spotted on a logo at the entrance of a Weight Watchers Club!

Wow!  It didn't take my questions.

 

Basically, in ISE the user successfully logs in for the 1st part, but when the switch asks for the enable password it fails. Authc failure.

 

FYI when pointing the switch to the ACS it works without issue.

 

Thanks

 

- What's in the ISE logs when this happens?

 M.




The initial logon shows authz successful. The enable login attempt shows authc failure: bad credential.

- Verify your ISE policies and setup according to this document:

  https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html

 M.




Yes, it is, with some exceptions.

We check the box for maximum privilege 15.  Is there a reason it isn't selected?

 

 

- You mean you can't check the box?

 

 M.




No. It's checked. We are running ISE 2.7 patch 2. I thought that was required for enable mode.

 

- The original document I referred to also contains:

  Note: For TACACS you need to have separate license installed

  Check this thread for further info on that:

  https://community.cisco.com/t5/network-access-control/tacacs-licenses-in-ise/m-p/3504911

 M.




Yes. Licenses are there and consumed.

 

- https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365#toc-hId--919282975

  Follow the referenced example to create a user or users with enable privileges directly. If problems persist, in the logging for the failed authentication click on Detail. Check which policy rules were matched and/or check the correctness of the policy sets.

 M.




I found the issue.

 

The ISE configuration had migrated over through 2 previous upgrades: from the 1st old ACS to the new ACS IOS, then from the new ACS to ISE. The configuration had a shell:roles="network-admin" AV-pair on the shell profile. The debug showed it failing with ACS, but ACS just ignored it and authenticated the user. ISE doesn't ignore it; it gives an authc failure.

 

After removing the AV-pair from the shell profile, the user authenticates successfully.

 

Thanks for your help.
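An added example (not from this thread or from Cisco) of the kind of audit that catches the problem described above: a small Python check over shell profile data in a constructed layout that approximates what ISE shows for a TACACS profile (common tasks plus custom attributes). It flags custom AV-pairs that are not IOS shell attributes, such as the migrated shell:roles one, and a maximum privilege below 15. The attribute allow-list, the profile layout and the field names are assumptions for illustration, not ISE's API or export format.

```python
"""Audit migrated ISE TACACS+ shell profiles for stray AV-pairs.

Added example, not from the thread or from Cisco. The profile layout is a
constructed approximation of what ISE shows under a TACACS Profile
(common tasks plus custom attributes); it is not an ISE export format.
"""
from dataclasses import dataclass, field

# AV-pairs the IOS/IOS-XE shell service normally expects (assumed allow-list).
# Anything else that survived an ACS -> ISE migration is worth a second look,
# because ISE applies the attribute instead of silently dropping it.
IOS_SHELL_ATTRS = {"priv-lvl", "autocmd", "acl", "idletime",
                   "timeout", "noescape", "nohangup"}


@dataclass
class ShellProfile:
    name: str
    default_priv: int = 1
    max_priv: int = 1
    # custom attributes as (name, value, mandatory) tuples
    custom: list = field(default_factory=list)


def audit_profile(p: ShellProfile, expect_enable: bool = True) -> list:
    """Return human-readable findings for one profile (empty list = clean)."""
    findings = []
    if expect_enable and p.max_priv < 15:
        findings.append(f"{p.name}: maximum privilege {p.max_priv} < 15, "
                        "enable to level 15 will fail")
    for name, value, mandatory in p.custom:
        if name not in IOS_SHELL_ATTRS:
            kind = "mandatory" if mandatory else "optional"
            findings.append(f"{p.name}: {kind} AV-pair {name}={value!r} "
                            "is not an IOS shell attribute")
    return findings


def audit_all(profiles) -> list:
    """Audit every profile and concatenate the findings."""
    out = []
    for p in profiles:
        out.extend(audit_profile(p))
    return out


# Constructed sample: one profile carrying the NX-OS style attribute that the
# migration left behind, one clean profile.
SAMPLE = [
    ShellProfile("Migrated-NetAdmin", default_priv=1, max_priv=15,
                 custom=[("shell:roles", "network-admin", True)]),
    ShellProfile("Clean-NetAdmin", default_priv=1, max_priv=15,
                 custom=[("idletime", "10", False)]),
]

if __name__ == "__main__":
    for line in audit_all(SAMPLE):
        print(line)
```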