3042 Views | 5 Helpful | 6 Replies

Cisco ISE 3.0 - TACACS+ is not working, Tacacs logs: No data found

Hello everyone,

I am doing a deployment to create a new TACACS+ server through Cisco ISE (authenticating against an AD).

The thing is that I am not receiving any TACACS+ logs on the Cisco ISE, and on the firewall I can observe that the requests from the test switch are arriving at my Cisco ISE.

On the other hand, on the AD I can't see any request either.

The thing is that on the switch I get the message "access denied".

I am going to show you some additional information:


SW-TEST#test aaa group tacacs+ MYUSER PASSWORD legacy
Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server.

Cisco switch configuration:

aaa new-model
!
!
aaa group server tacacs+ GROUP1
 server name ISE01
!
aaa authentication login default group GROUP1 local
aaa authorization config-commands
aaa authorization exec default group GROUP1 local
aaa authorization commands 0 default group GROUP1 local
aaa authorization commands 7 default group GROUP1 local
aaa authorization commands 15 default group GROUP1 local
aaa accounting system default start-stop group tacacs+
!
tacacs server ISE01
 address ipv4 10.239.254.243   (this is the IP of Cisco ISE)
 key 7 03215F1B145D711E1C
!

PS: additional debugging info:

Log Buffer (4096 bytes):
0: state was SYNSENT -> ESTAB [17344 -> 10.239.254.243(49)]
.Nov 30 11:43:35.151: TCP0: tcb 76AD1CC connection to 10.239.254.243:49, received MSS 1460, MSS is 536
.Nov 30 11:43:35.151: TCP0: tcb 76AD1CC connection to 10.239.254.243:49, received MSS 1460, MSS is 536
.Nov 30 11:43:35.151: TPLUS(0000087D)/0/NB_WAIT: socket event 2
.Nov 30 11:43:35.151: TPLUS(0000087D)/0/NB_WAIT: wrote entire 47 bytes request
.Nov 30 11:43:35.159: TPLUS(0000087D)/0/READ: socket event 1
.Nov 30 11:43:35.159: TPLUS(0000087D)/0/READ: Would block while reading
.Nov 30 11:43:35.159: TCP0: FIN processed
.Nov 30 11:43:35.159: TCP0: state was ESTAB -> CLOSEWAIT [17344 -> 10.239.254.243(49)]
.Nov 30 11:43:35.159: TCP0: bad seg from 10.239.254.243 -- ACK sent to validate RST: port 17344 seq 1532879747 ack 0 rcvnxt 1532879748 rcvwnd 4128 len 0
.Nov 30 11:43:35.159: TCP0: RST received, ACK sent to validate RST
.Nov 30 11:43:35.159: TPLUS(0000087D)/0/READ: socket event 1
.Nov 30 11:43:35.159: TPLUS(0000087D)/0/READ: read 0 bytes
.Nov 30 11:43:35.159: TCP0: RST received, Closing connection
.Nov 30 11:43:35.159: TCP0: state was CLOSEWAIT -> CLOSED [17344 -> 10.239.254.243(49)]
.Nov 30 11:43:35.159: TPLUS(0000087D)/0/READ: socket event 1
.Nov 30 11:43:35.159: TPLUS(0000087D)/0/READ: errno 32
.Nov 30 11:43:35.159: TPLUS(0000087D)/0/739F9B8: Processing the reply packet
.Nov 30 11:43:35.159: TPA: Released port 17344 in Transport Port Agent for TCP IP type 1 delay 240000
.Nov 30 11:43:35.159: TCB 0x76AD1CC destroyed
.Nov 30 11:43:49.922: AAA/AUTHOR: auth_need : user= 'edpr_tr' ruser= 'EUPTNSWERMESINDE194'rem_addr= '172.17.86.253' priv= 15 list= '' AUTHOR-TYPE= 'command'
.Nov 30 11:43:49.922: AAA: parse name=tty4 idb type=-1 tty=-1
.Nov 30 11:43:49.922: AAA: name=tty4 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=4 channel=0
.Nov 30 11:43:49.922: AAA/MEMORY: create_user (0x74F81B0) user='edpr_tr' ruser='EUPTNSWERMESINDE194' ds0=0 port='tty4' rem_addr='172.17.86.253' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
.Nov 30 11:43:49.922: tty4 AAA/AUTHOR/CMD (621972277): Port='tty4' list='' service=CMD
.Nov 30 11:43:49.922: AAA/AUTHOR/CMD: tty4 (621972277) user='edpr_tr'
.Nov 30 11:43:49.922: tty4 AAA/AUTHOR/CMD (621972277): send AV service=shell
.Nov 30 11:43:49.922: tty4 AAA/AUTHOR/CMD (621972277): send AV cmd=show
.Nov 30 11:43:49.922: tty4 AAA/AUTHOR/CMD (621972277): send AV cmd-arg=logging
.Nov 30 11:43:49.922: tty4 AAA/AUTHOR/CMD (621972277): send AV cmd-arg=<cr>
.Nov 30 11:43:49.931: tty4 AAA/AUTHOR/CMD(621972277): found list "default"
.Nov 30 11:43:49.931: tty4 AAA/AUTHOR/CMD (621972277): Method=GROUP1 (tacacs+)
.Nov 30 11:43:49.931: AAA/AUTHOR/TAC+: (621972277): user=edpr_tr
.Nov 30 11:43:49.931: AAA/AUTHOR/TAC+: (621972277): send AV service=shell
.Nov 30 11:43:49.931: AAA/AUTHOR/TAC+: (621972277): send AV cmd=show
.Nov 30 11:43:49.931: AAA/AUTHOR/TAC+: (621972277): send AV cmd-arg=logging
.Nov 30 11:43:49.931: AAA/AUTHOR/TAC+: (621972277): send AV cmd-arg=<cr>
.Nov 30 11:43:49.931: TAC+: Using default tacacs server-group "GROUP1" list.
.Nov 30 11:43:49.931: TAC+: Opening TCP/IP to 10.239.254.243/49 timeout=5
.Nov 30 11:43:49.931: TCB07697018 created
.Nov 30 11:43:49.931: TCB07697018 setting property TCP_GIVEUP (12) 762FBA0
.Nov 30 11:43:49.931: TCP: Random local port generated 25269, network 1
.Nov 30 11:43:49.931: TPA: Reserved port 25269 in Transport Port Agent for TCP IP type 1
.Nov 30 11:43:49.931: TCP: sending SYN, seq 19705197, ack 0
.Nov 30 11:43:49.931: TCP0: Connection to 10.239.254.243:49, advertising MSS 536
.Nov 30 11:43:49.931: TCP0: state was CLOSED -> SYNSENT [25269 -> 10.239.254.243(49)]
.Nov 30 11:43:49.939: TCP0: state was SYNSENT -> ESTAB [25269 -> 10.239.254.243(49)]
.Nov 30 11:43:49.939: TCP0: tcb 7697018 connection to 10.239.254.243:49, received MSS 1460, MSS is 536
.Nov 30 11:43:49.939: TCP0: tcb 7697018 connection to 10.239.254.243:49, received MSS 1460, MSS is 536
.Nov 30 11:43:49.939: TCB07697018 connected to 10.239.254.243.49
.Nov 30 11:43:49.939: TAC+: Opened TCP/IP handle 0x7697018 to 10.239.254.243/49

TCPDUMP from Cisco ISE is in the attached files.

Could someone help me, please?

Kind regards.
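The debug output above already answers "where does it fail": the TCP handshake to 10.239.254.243:49 completes, the switch writes its 47-byte request, and the next thing it reads is EOF (FIN, then RST), so the server closed the connection without sending any TACACS+ reply. That is a different failure from a timeout (no bytes ever come back) or an authentication failure (a reply comes back carrying a FAIL status), and it fits with ISE not logging the attempt at all. The script below is an added example, not part of the post and not Cisco or ISE code: it groups `debug tacacs` lines by TPLUS session id and classifies each session. The embedded log is constructed to mirror the poster's lines (the session ids, timestamps and the two extra sessions are made up here), and the `read entire N bytes response` message shape used for the successful session is assumed to be what IOS prints on a good read.

```python
"""Triage IOS TACACS+ debug output per session.

Added example for this thread, not Cisco or ISE code. Groups
`debug tacacs` / `debug ip tcp transactions` lines by TPLUS session id
and decides, per session, whether the server answered, closed the
connection without answering, or never answered at all.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample: message shapes copied from the poster's debug output;
# session ids, timestamps and the last two sessions are invented here.
SAMPLE_LOG = """\
.Nov 30 11:43:35.151: TCP0: state was SYNSENT -> ESTAB [17344 -> 10.239.254.243(49)]
.Nov 30 11:43:35.151: TPLUS(0000087D)/0/NB_WAIT: wrote entire 47 bytes request
.Nov 30 11:43:35.159: TPLUS(0000087D)/0/READ: Would block while reading
.Nov 30 11:43:35.159: TCP0: FIN processed
.Nov 30 11:43:35.159: TCP0: RST received, Closing connection
.Nov 30 11:43:35.159: TPLUS(0000087D)/0/READ: read 0 bytes
.Nov 30 11:43:35.159: TPLUS(0000087D)/0/READ: errno 32
.Nov 30 11:43:35.159: TPLUS(0000087D)/0/739F9B8: Processing the reply packet
.Nov 30 11:43:49.939: TPLUS(0000087E)/0/NB_WAIT: wrote entire 47 bytes request
.Nov 30 11:43:49.947: TPLUS(0000087E)/0/READ: read entire 12 header bytes (expect 16 bytes data)
.Nov 30 11:43:49.947: TPLUS(0000087E)/0/READ: read entire 16 bytes response
.Nov 30 11:43:55.000: TPLUS(0000087F)/0/NB_WAIT: wrote entire 47 bytes request
"""

TPLUS_RE = re.compile(r"TPLUS\((?P<sid>[0-9A-Fa-f]+)\)/\d+/(?P<stage>\w+): (?P<msg>.*)")
WROTE_RE = re.compile(r"wrote entire (\d+) bytes request")
READ_RE = re.compile(r"read entire (\d+) bytes response")
READ_ZERO_RE = re.compile(r"read 0 bytes")
ERRNO_RE = re.compile(r"errno (\d+)")


@dataclass
class Session:
    sid: str
    request_bytes: int = 0
    response_bytes: int = 0
    read_zero: bool = False          # EOF: peer sent FIN/RST
    errno: Optional[int] = None      # 32 = EPIPE in the poster's log

    def verdict(self) -> str:
        if self.response_bytes:
            return "reply received"
        if self.request_bytes and (self.read_zero or self.errno is not None):
            # TCP connected and the request went out, but the first thing read
            # back was EOF: the server closed without a TACACS+ reply.
            return "server closed without replying"
        if self.request_bytes:
            return "no reply seen (timeout?)"
        return "request never sent"


def parse_sessions(log: str) -> Dict[str, Session]:
    """Build one Session per TPLUS id from the raw debug text."""
    sessions: Dict[str, Session] = {}
    for line in log.splitlines():
        m = TPLUS_RE.search(line)
        if not m:
            continue  # TCP-level lines carry no session id; ignore them
        s = sessions.setdefault(m["sid"], Session(m["sid"]))
        msg = m["msg"]
        if (w := WROTE_RE.search(msg)):
            s.request_bytes = int(w.group(1))
        elif (r := READ_RE.search(msg)):
            s.response_bytes = int(r.group(1))
        elif READ_ZERO_RE.search(msg):
            s.read_zero = True
        elif (e := ERRNO_RE.search(msg)):
            s.errno = int(e.group(1))
    return sessions


def triage(log: str) -> Dict[str, str]:
    """Map each session id to a one-line verdict."""
    return {sid: s.verdict() for sid, s in parse_sessions(log).items()}


if __name__ == "__main__":
    for sid, verdict in triage(SAMPLE_LOG).items():
        print(f"{sid}: {verdict}")
```

Feed it the switch's `show logging` output after `debug tacacs` and `debug ip tcp transactions`; a "server closed without replying" verdict on every session points at the server process, not at reachability or at the shared secret.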

 

6 Replies

PradeepSingh
Level 1

Which patch version are you running on ISE 3.0?

I hope you have enabled 'Device Admin Service' under Administration > System > Deployment > PSN (or node).

If you have enabled it, try disabling and re-enabling it, then test again.
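Once 'Device Admin Service' is enabled on the PSN, the quickest way to confirm that the node now answers TACACS+ (rather than accepting the TCP connection and closing it, as the poster's debug shows) is to send it one authentication START and look at what comes back. The script below is an added example, not part of this thread and not Cisco or ISE code: it builds an RFC 8907 authentication START for an ASCII login, obfuscates the body with the protocol's MD5 pseudo-pad, and classifies the server's behaviour. The 47-byte request in the poster's debug is this kind of packet, a 12-byte header plus an obfuscated body. Assumptions: the host, user and key values are placeholders; ISE only services TACACS+ from a source it has defined as a network device with a matching shared secret, so run the probe from such a host. Also note that the `key 7` string in the posted switch configuration is IOS type-7 obfuscation, which is trivially reversible, so that shared secret should be treated as disclosed and rotated.

```python
"""Minimal TACACS+ (RFC 8907) authentication START probe.

Added example for this thread, not Cisco or ISE code. Builds the kind of
packet a switch sends for `test aaa group tacacs+`, obfuscates the body
with the RFC 8907 MD5 pseudo-pad, sends it to TCP/49 and reports whether
the server replies, closes, refuses or times out.
"""
import hashlib
import os
import socket
import struct
import sys
from typing import Optional

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01             # header type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pad: chained MD5 over session_id|key|version|seq_no.

    MD5 is mandated by the protocol here (used as a keystream, not for
    integrity); this is why TACACS+ should only run inside a protected network.
    """
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR body with the pseudo-pad; applying it twice restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, port: str, rem_addr: str, key: bytes,
                       session_id: Optional[int] = None, priv_lvl: int = 1) -> bytes:
    """Authentication START for an ASCII login, seq_no 1, obfuscated body."""
    if session_id is None:
        session_id = int.from_bytes(os.urandom(4), "big")
    version = (TAC_PLUS_MAJOR_VER << 4) | 0   # minor version 0 for ASCII login
    seq_no = 1
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                       TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(u), len(p), len(r), 0) + u + p + r   # data_len 0: no password yet
    flags = 0x00   # TAC_PLUS_UNENCRYPTED_FLAG not set: body is obfuscated
    header = HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_header(data: bytes) -> dict:
    """Decode the 12-byte TACACS+ header of a packet or reply."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(data[:HEADER.size])
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}


def probe(host: str, key: bytes, user: str = "probe", port: int = 49, timeout: float = 5.0) -> str:
    """Send one START and classify what the server does (makes a network call)."""
    pkt = build_authen_start(user, "tty0", "127.0.0.1", key)
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(pkt)
            data = s.recv(HEADER.size)
    except ConnectionRefusedError:
        return f"refused: nothing listening on TCP/{port}"
    except ConnectionResetError:
        return "reset: server closed the connection without a TACACS+ reply"
    except socket.timeout:
        return "timeout: connected and sent, but no reply"
    except OSError as exc:
        return f"error: {exc}"
    if not data:
        return "closed: server sent FIN without a TACACS+ reply"
    if len(data) < HEADER.size:
        return f"short reply: {len(data)} bytes"
    h = parse_header(data)
    return f"reply: type={h['type']} seq={h['seq_no']} len={h['length']}"


if __name__ == "__main__":
    # usage: tacacs_probe.py <ise-ip> <shared-secret>   (placeholder values)
    print(probe(sys.argv[1], sys.argv[2].encode()))
```

The verdicts that matter here are "closed"/"reset" (the PSN accepts TCP but does not process TACACS+, which is what the poster's switch saw) versus "reply" (the request reached the TACACS+ service; from that point ISE's TACACS Live Logs show what happened to it).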

 

The version is:

Standalone 3.0.0.458 Active

Hi @pozodionisio62774,

please first try installing the latest patch, 3.0 P4, and if the issue continues, open a TAC case (as @thomas said).

Hope this helps!

@pozodionisio62774 have you enabled Device Administration on the PSN(s)?

[screenshot: 11.PNG]

Hi Rob,

I just enabled it as you showed me in the screenshot.

But I am still having the problem.

Call TAC.
