Cisco ACI TACACS ISE authentication issues with local user.

joeharb
Level 5

We are using ISE TACACS for authentication for our ACI environment.  We are also using RSA SecurID for MFA, but I want to set up a local user on ISE that we can leverage for our Monitoring solution.  My user (MFA enabled on ISE) authenticates fine to the GUI and I am able to do anything needed.  When I attempt to log in to the GUI using the newly created account that does not utilize RSA and has a password set, it eventually states that the TACACS/AAA took too long to respond.  Checking ISE, the authentications for each are successful and the matched authorization policy is correct, along with the same shell provided to ACI.  I am not sure what logs to look at from either side, but as I stated this works fine for a user that is set up with a Password type of RSA SecurID but not for a user that has a Password type of Internal User.  I can also type in the wrong pwd and it responds immediately with Access Denied.

Thanks in advance,

Joe

3 Replies

Arne Bier
VIP

Hi @joeharb 

One approach might be to include a TACACS Authentication Rule in ISE that looks for the local username using some form of identifier in the username itself - e.g. a prefix like "ise-xxxx" to distinguish it from the non-local accounts that are MFA enabled.

For the Authentication Policy, create a Condition: if you see a username like that, then don't use the External Identity Source/Sequence that you use for MFA, just use "Internal Users".

And for the Authorization Policy, you can either do the same thing again (match on TACACS Username STARTSWITH "ISE-" or whatever you like), and then assign the appropriate Authorization Profile.

Even the users that are MFA are still local users; their password type is different.  The authentication is successful for both users within the Audit Logs of ISE.

(Attached images: jharibison.JPG, AAA_Slow.JPG)

Arne Bier
VIP

Sorry I didn't quite grasp it without the images - the images helped.

Have you tried changing the jharbison Password Type from RSA SecurID to the default 'Internal User'?

I would like to see your ISE Device Admin Authentication Policies and Authorization Policies - it seems like the non-RSA users are still subjected to additional (MFA) processing in ISE, when this should be bypassed for those users.

In the ACI configuration, is there any MFA awareness, or is it just straightforward TACACS+ configuration?