Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2068
Views
0
Helpful
3
Replies

authentication denied after Cisco ISE failover

Go to solution
jeremytetart
Level 1
Level 1

‎11-13-2017 10:33 AM - edited ‎02-21-2020 10:38 AM

Hello guys,

Could you help me to resolve a problem please.

I use Cisco ISE cluster (version 2.3.0) with Active directory to verify which users are authorized to manage Cisco switch & Router.

However, when an automatic failover occur, I'm not able to connect to my devices with tacacs protocol

The error show :
login as: <user_x>
Using keyboard-interactive authentication.
Password:
Access denied

I didn't find anything in log of ISE after the failover.Before that, the authentication working fine.

Service on cluster :
TACACS1(Master) has : PAM, MNT & PSN => 192.168.0.1
TACACS2(Standby) has : PAM, MNT & PSN => 192.168.0.2

 - Share key on both switch and ISE is OK
 - Communication between AD and ISE is OK

Switch config :

switch1#
aaa group server tacacs+ TACACS_ADMIN
 server name TACACS1
 server name TACACS2
!
aaa authentication login default local
aaa authentication login AUTHENT group TACACS_ADMIN local
aaa authorization exec default group TACACS_ADMIN none
aaa accounting exec default start-stop group TACACS_ADMIN
!
tacacs server TACACS1
address ipv4 192.168.0.1
key 7 095841xxxxxxxxxxxxxxxx
tacacs server TACACS2
address ipv4 192.168.0.2
key 7 150604xxxxxxxxxxxxxxxx

line vty 0 4
login authentication AUTHENT
transport input ssh
line vty 5 15
login authentication AUTHENT
transport input ssh

I did few tests on switch1 before launch manual failover

Test on switch1 to reach TACACS1 (192.168.0.1) before failover

switch1#test aaa group tacacs+ <user account> <pwd> legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

switch1#test aaa group TACACS_ADMIN server 192.168.0.1<user account> <pwd> legacy
Attempting authentication test to server-group TACACS_ADMIN using tacacs+
User was successfully authenticated.

switch1#ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

switch1#telnet 192.0.0.1 49
Trying 192.168.0.1, 49 ... Open

Result:
- Ping OK
- Port 49 open
- Authentication user OK with TACACS1 & AD (192.168.0.1)

Now try the same test on switch1 to reach TACACS2 before failover

switch1#ping 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

swrica05b#telnet 192.168.0.2 49
Trying 192.168.0.2, 49 ... Open
[Connection to 192.168.0.2 closed by foreign host]

switch1#test aaa group TACACS_ADMIN server 192.168.0.2 <user account> <pwd> legacy
Attempting authentication test to server-group TACACS_ADMIN using tacacs+
User was successfully authenticated.

Result :
- Ping OK
- Port 49 open but closed immediatly (maybe because it's a standby cluster for PAM)
- Authentication user OK with TACACS2 & AD (192.168.0.2)

Now, I stop TACACS1 and launch new test. Still Access Denied.

I don't see anything in Operation => Tacacs => live logs on TACACS2


I launch debug on the switch. In attachment the result (Tacacs Log.txt).

- debug tacacs
- debug aaa authentication

switch1#sh tacacs
Tacacs+ Server -  public  :
               Server name: TACACS1
            Server address: 192.168.0.1
               Server port: 49
              Socket opens:         24
             Socket closes:         24
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:          0
        Total Packets Sent:         26
        Total Packets Recv:         21

Tacacs+ Server -  public  :
               Server name: TACACS2
            Server address: 192.168.0.2
               Server port: 49
              Socket opens:          5
             Socket closes:          5
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:          0
        Total Packets Sent:          5
        Total Packets Recv:          0

I launch a tcpdump and I see this

Sequence 1 src: switch1 dst: 192.168.0.2 protocol:tcp paquet : [syn]
Sequence 2 src: 192.168.0.2 dst: switch1 protocol:tcp paquet : [syn, ack]
Sequence 3 src: switch1 dst: 192.168.0.2 protocol:tcp paquet : [ack]
Sequence 4 src: 192.168.0.2 dst: switch1 protocol:tcp paquet : [fin, ack]

Sequence 5 src: switch1 dst: 192.168.0.2 protocol:tacacs+ paquet : [authentication]
Sequence 6 src: 192.168.0.2 dst: switch1 protocol:tcp paquet : [RST]

I think TACACS2 close the TCP/IP session before the tacacs authentication frame is sent. After that, a TCP/IP Reset occur.

When I restart TACACS1 (which have secondary administration role now), I'm able to connect to my device. So I think I have a misconfiguration or problem on TACACS2.

Someone can help me please.

Regards.

2 people had this problem
Labels:
Preview file
3 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jeremytetart
Level 1
Level 1
In response to andrewswanson

‎11-13-2017 12:34 PM

Hi Andy,

 

Yes, My nodes are in the same group.

 

Regards.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
andrewswanson
Level 7
Level 7

‎11-13-2017 11:49 AM

Hi

Are your ISE nodes in the same node group?

Andy

0 Helpful

Go to solution
jeremytetart
Level 1
Level 1
In response to andrewswanson

‎11-13-2017 12:34 PM

Hi Andy,

 

Yes, My nodes are in the same group.

 

Regards.

0 Helpful

Go to solution
jeremytetart
Level 1
Level 1
In response to jeremytetart

‎11-14-2017 06:28 AM

Update: Broken and re-create the cluster has resolved my issue.

 

Regards.

0 Helpful
Customers Also Viewed These Support Documents