06-11-2018 11:27 AM - edited 02-21-2020 10:58 AM
Hello
I installed Cisco ISE 2.3 primary and secondary. ISE is joined to AD and is operational; the secondary node is also joined to the primary successfully and is operational too. All TACACS and dot1x configs are fine because I use these configs in another project and they work.
In this project ISE is installed in the Datacenter building and the network devices are located in another building (building 2), connected by fiber. From ISE I can ping all switches in building 2 and vice versa, but TACACS and dot1x do not work. I checked the TACACS shared key on both the Cisco switches and ISE many times and it was the same. I attach my debugs from the switch when I use this command: test aaa group tacacs username password
Below is my switch config for TACACS:
aaa new-model
tacacs server ISE-PRIMARY
address <ise ip add>
key <key>
timeout 3
!
!
aaa group server tacacs+ <name>
server name ISE-PRIMARY
ip tacacs source-interface <management VLAN>
!
aaa authentication login default group <group-name> local
aaa authentication enable default group <group-name> enable
aaa authorization config-commands
aaa authorization exec default group <group-name> local
aaa authorization commands 1 default group <group-name> local
aaa authorization commands 15 default group <group-name> local
aaa accounting exec default start-stop group <group-name>
aaa accounting commands 1 default start-stop group <group-name>
aaa accounting commands 15 default start-stop group <group-name>
aaa session-id common
06-13-2018 06:48 AM - edited 06-13-2018 06:56 AM
The problem is fixed, yoooohooooooo! See the screenshot: the primary node was unchecked on this page for device administration. I checked it and the problem was solved. Of course this screenshot is from my home lab; I took it for other readers who face this problem. Thank you RJI for your support during this time :) But it's very weird: the ISE setting from my home lab has this check mark for both nodes (primary & secondary) by default, but at the project the primary node was unchecked by default. I don't know why.
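An added triage helper, not code from the thread or from Cisco: it classifies the TCP/49 exchanges in a tcpdump text capture like the one exchanged here, separating "nothing listening" (the node answers with RST, which is what a PSN without device administration enabled looks like from the switch) from "filtered" (SYNs unanswered) and "reachable" (SYN-ACK). The packet lines are constructed for the example; the addresses are the switch and ISE IPs quoted in the thread.

```python
import re
from collections import Counter, defaultdict

# tcpdump default text output: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
TCPDUMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)
TACACS_PORT = 49

# Constructed sample capture (not from the thread): three attempts from the switch
# 192.168.2.11 to the ISE node 10.110.11.97, each with a different outcome.
SAMPLE = """\
02:47:01.000100 IP 192.168.2.11.11001 > 10.110.11.97.49: Flags [S], seq 100, win 4128, length 0
02:47:01.000300 IP 10.110.11.97.49 > 192.168.2.11.11001: Flags [R.], seq 0, ack 101, win 0, length 0
02:47:04.000100 IP 192.168.2.11.11002 > 10.110.11.97.49: Flags [S], seq 200, win 4128, length 0
02:47:07.000100 IP 192.168.2.11.11002 > 10.110.11.97.49: Flags [S], seq 200, win 4128, length 0
02:47:10.000100 IP 192.168.2.11.11003 > 10.110.11.97.49: Flags [S], seq 300, win 4128, length 0
02:47:10.000300 IP 10.110.11.97.49 > 192.168.2.11.11003: Flags [S.], seq 900, ack 301, win 29200, length 0
02:47:10.000500 IP 192.168.2.11.11003 > 10.110.11.97.49: Flags [P.], seq 301:350, ack 901, win 4128, length 49
"""
ADVICE = {
    "no-reply": "SYNs unanswered: check routing, ACLs or a firewall between NAD and PSN",
    "refused": "RST from the PSN: nothing listens on TCP/49, check device administration on that node",
    "established": "TCP/49 reachable: check the shared key and the NAD definition in ISE",
}

def classify_tacacs_sessions(lines, server_ip):
    """Return {(client_ip, client_port): state} for every TCP/49 attempt to server_ip."""
    seen = defaultdict(lambda: {"syn": False, "synack": False, "rst": False})
    for line in lines:
        m = TCPDUMP_RE.match(line.strip())
        if not m:
            continue  # not a TCP line in the expected format
        src, sport, dst, dport = m["src"], int(m["sport"]), m["dst"], int(m["dport"])
        flags = m["flags"]
        if dst == server_ip and dport == TACACS_PORT:
            seen[(src, sport)]["syn"] = True            # client-side packet: register the attempt
        elif src == server_ip and sport == TACACS_PORT:
            if "R" in flags:
                seen[(dst, dport)]["rst"] = True        # server refused the connection
            elif "S" in flags and "." in flags:
                seen[(dst, dport)]["synack"] = True     # server accepted the connection
    states = {}
    for key, s in seen.items():
        states[key] = "established" if s["synack"] else "refused" if s["rst"] else "no-reply"
    return states

def summarize(states):
    return dict(Counter(states.values()))  # sessions per state, so the dominant failure stands out
```

Run `classify_tacacs_sessions(capture.splitlines(), "<ise-ip>")` on the text output of the ISE tcpdump (or `tcpdump -r file.pcap`) and look the states up in ADVICE.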
06-11-2018 01:52 PM
06-12-2018 12:40 AM
No, ISE does not show me any output in the TACACS live logs or the Dot1x live logs.
Yes, I added the NAD with the IP address of the management VLAN which I configured on the switch.
Only the debug output from the switch exists, which I attached in the previous post.
06-12-2018 01:40 AM
06-12-2018 02:09 AM - edited 06-12-2018 02:53 AM
The ISE IP address is 10.110.11.97
The TACACS license is enabled and blue
I tested TCPDUMP and I attach the output while I use test aaa group tacacs local Cisc0 <internal user which I created in ISE>
They told me they don't have any firewall but I'm not sure; the ACS is running on this network without any trouble
I also tested "Execute Device Command" by entering the device IP address and it shows me the show run successfully
06-12-2018 02:27 AM - edited 06-12-2018 08:00 AM
I attached the TCP dump in the 2 next replies
06-12-2018 02:47 AM - edited 06-12-2018 02:50 AM
I filled in the filter value in TCP DUMP, "ip host 192.168.2.11"
192.168.2.11 is the switch IP address
06-12-2018 02:55 AM
06-12-2018 11:11 PM
Here is my TCPDUMP in raw format, using the command: test aaa group tacacs+ username password
username=local
pass: Cisc0
http://s9.picofile.com/d/8329077726/11e41d28-65d1-47ff-8322-abe2c6d97641/TCPDump.pcap
06-13-2018 01:30 AM
I can't download that file from that link; you can upload it on here
06-13-2018 01:37 AM
I tried it, but because the file type is .pcap this forum doesn't allow me; you can't upload this type of file
06-13-2018 01:49 AM
Download from here:
06-13-2018 02:04 AM
06-13-2018 03:37 AM
06-13-2018 05:15 AM