
Cisco ISE 2.3 TACACS and dot1x not working !!!!

f.arabi1991
Level 1

Hello

I installed Cisco ISE 2.3 primary and secondary. ISE is joined to AD and it is operational; the secondary node is also joined to the primary successfully and it is operational too. All the TACACS and dot1x configs are fine, because I use these configs in another project and they work.

In this project ISE is installed in the Datacenter building and the network devices are located in another building (building 2), connected by fiber. From ISE I can ping all the switches in building 2 and vice versa, but TACACS and dot1x do not work. I checked the TACACS shared key on both the Cisco switches and ISE many times and it was the same. I attach my debugs from the switch when I use this command: test aaa group tacacs username password

And below I put my switch config for TACACS:

aaa new-model

tacacs server ISE-PRIMARY
address <ise ip add>
key <key>
timeout 3

!
!
aaa group server tacacs+ <name>
server name ISE-PRIMARY
ip tacacs source-interface <management VLAN>
!
aaa authentication login default group <group-name> local
aaa authentication enable default group <group-name> enable
aaa authorization config-commands
aaa authorization exec default group <group-name> local
aaa authorization commands 1 default group <group-name> local
aaa authorization commands 15 default group <group-name> local
aaa accounting exec default start-stop group <group-name>
aaa accounting commands 1 default start-stop group <group-name>
aaa accounting commands 15 default start-stop group <group-name>

aaa session-id common

Accepted Solution

The problem is fixed, yoooohooooooo! See the screenshot: the primary node was unchecked on this page for Device Administration. I checked it and the problem was solved. Of course this screenshot is from my home lab; I took this screenshot for other readers who face this problem. Thank you RJI for your support during this time :) But it's very weird: the ISE setting in my home lab has this checkmark for both nodes (primary & secondary) by default, but at the project the primary node was unchecked by default. I don't know why.

 

[screenshot: primary-secondary.PNG]

16 Replies

Do you receive any errors/output in ISE? If so can you please post here

Is the switch defined in ISE as a NAD using the IP address of the management VLAN you configured on the switch?

No, ISE does not show me any output in the TACACS live logs or the dot1x live logs.

Yes, I added the NAD with the IP address of the management VLAN which I configured on the switch.

Only the debug output from the switch exists, which I attached in the previous post.

 

Do you have a firewall between the switch and ISE that could be blocking TACACS?
Can you run a tcpdump on ISE at the same time you test communication from the switch, does it even attempt to communicate?
Do you have the correct licensing for TACACS (Device Admin) installed?

From the output you provided, you don't have a RADIUS server defined so I wouldn't expect to see anything in the radius live logs.

The ISE IP address is 10.110.11.97

The TACACS license is enabled and blue.

I tested TCPDUMP and I attach the output while I use test aaa group tacacs local Cisc0 <internal user which I created in ISE>

They told me they don't have any firewall, but I'm not sure; the ACS is running on this network without any trouble.

I also tested "Execute Device Command" by entering the device IP address and it shows me the show run successfully.

I attached the TCP dump in the next 2 replies.

I filled the filter value in TCPDUMP with "ip host 192.168.2.11"

192.168.2.11 is the switch IP address.

I attach the right TCP dump here.

Here is my TCPDUMP in raw format, using the command: test aaa group tacacs+ username password

username=local

pass: Cisc0

 

 

http://s9.picofile.com/d/8329077726/11e41d28-65d1-47ff-8322-abe2c6d97641/TCPDump.pcap

I can't download that file from that link; you can upload it here.

I tried it, but because the file type is .pcap, this forum doesn't allow me; you can't upload this type of file.

Download from here:

https://uploadfiles.io/yhbh3

Ok, from the capture I can at least confirm a 3-way handshake between the switch and ISE, which means they are at least communicating. When the switch sends an authentication, authorization or accounting packet to ISE, these are immediately followed by a RST.

Is the switch defined in ISE as a NAD correctly? Correct IP address, TACACS shared secret?
Can you provide screenshots of the NAD, TACACS Policy set?
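A host-side equivalent of the switch's test aaa command, as an added example that is not part of the original thread and not Cisco's or ISE's code: it builds a TACACS+ (RFC 8907) PAP authentication START packet, obfuscates the body with the shared key, sends it to TCP/49 and classifies the server's reaction, which separates the cases raised in the replies above (TCP/49 filtered by a firewall, nothing listening, handshake followed by RST, or a real REPLY). The server address, shared key and credentials are placeholders, and the "Device Administration" hint in the RST message is the cause this thread eventually found, not something the protocol reports.

```python
"""TACACS+ (RFC 8907) PAP authentication probe. Added example, not from the thread.
Host, key and credentials are placeholders, not values from the original posts."""
import hashlib
import os
import socket
import struct

TACACS_PORT = 49
VERSION_PAP = 0xC1          # major 0xC, minor 1 (minor 1 is required for PAP)
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01
ACTION_LOGIN, PRIV_LVL_USER = 0x01, 0x01
AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN = 0x02, 0x01
STATUS_NAMES = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 4.5: MD5_1 = MD5(session_id|key|version|seq_no); MD5_n appends MD5_{n-1}."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; the same call both encodes and decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def packet(ptype: int, seq_no: int, session_id: int, key: bytes, body: bytes) -> bytes:
    """12-byte header (version, type, seq_no, flags, session_id, length) + obfuscated body."""
    header = struct.pack("!BBBBII", VERSION_PAP, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION_PAP, seq_no)


def build_authen_start(user: str, password: str, session_id: int, key: bytes,
                       port: bytes = b"tty0", rem_addr: bytes = b"127.0.0.1") -> bytes:
    """Client -> server, seq_no 1. For PAP the password travels in the data field."""
    u, pw = user.encode(), password.encode()
    body = struct.pack("!BBBBBBBB", ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_PAP,
                       AUTHEN_SVC_LOGIN, len(u), len(port), len(rem_addr), len(pw))
    return packet(TYPE_AUTHEN, 1, session_id, key, body + u + port + rem_addr + pw)


def build_authen_reply(status: int, server_msg: str, session_id: int, key: bytes) -> bytes:
    """Server -> client, seq_no 2. Included so the parser can be exercised offline."""
    msg = server_msg.encode()
    body = struct.pack("!BBHH", status, 0, len(msg), 0) + msg
    return packet(TYPE_AUTHEN, 2, session_id, key, body)


def parse_reply(data: bytes, key: bytes) -> dict:
    """Decode a REPLY: header, de-obfuscate with the key, then status/flags/msg_len/data_len."""
    if len(data) < 12:
        raise ValueError("short TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", data[:12])
    body = data[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, _rflags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return {"type": ptype, "seq_no": seq_no,
            "status": STATUS_NAMES.get(status, f"unknown(0x{status:02x})"),
            "server_msg": body[6:6 + msg_len].decode(errors="replace")}


def probe(host: str, key: bytes, user: str, password: str, timeout: float = 3.0) -> str:
    """Host-side equivalent of `test aaa group tacacs+ <user> <pass>` on the switch."""
    session_id = struct.unpack("!I", os.urandom(4))[0]
    try:
        sock = socket.create_connection((host, TACACS_PORT), timeout=timeout)
    except socket.timeout:
        return "no SYN-ACK: host down, wrong route, or TCP/49 filtered (firewall/ACL)"
    except ConnectionRefusedError:
        return "RST to SYN: host reachable but nothing listening on TCP/49"
    except OSError as exc:
        return f"connect failed: {exc}"
    with sock:
        try:
            sock.sendall(build_authen_start(user, password, session_id, key))
            data = sock.recv(4096)
        except ConnectionResetError:
            return ("handshake OK, RST after START: service up but the session was rejected "
                    "(in the thread above the ISE node was not enabled for Device Administration)")
        except socket.timeout:
            return "handshake OK, no REPLY: check the NAD definition and shared key on the server"
    if not data:
        return "handshake OK, server closed the connection without a REPLY"
    reply = parse_reply(data, key)
    return f"REPLY status={reply['status']} msg={reply['server_msg']!r}"


if __name__ == "__main__":
    import sys
    sid, demo_key = 0x01020304, b"example-shared-key"   # constructed demo values
    print(parse_reply(build_authen_reply(1, "demo", sid, demo_key), demo_key))
    if len(sys.argv) == 5:   # python probe.py <server-ip> <shared-key> <user> <password>
        print(probe(sys.argv[1], sys.argv[2].encode(), sys.argv[3], sys.argv[4]))
```

Run it from a host on the same VLAN as the NAD definition, or from a host you have also added as a NAD, because the server keys the shared secret to the source address. A handshake that completes and is then reset after the first data segment is the pattern the capture in this thread showed, and it means the packet reached the service and was refused there, not dropped in transit.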

Yes, sure. Today I put one switch on the same network as ISE. SW IP address: 10.110.11.163

ISE: 10.110.11.97. Here are my screenshots of the ISE setup and the switch configuration, which I attach.

 

[screenshots: 1.JPG, 2.JPG]

Can you provide a screenshot of the TACACS+ policy you've defined, please?