Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
14820
Views
41
Helpful
4
Replies

Cisco ISE- Continues authentication failure with INVALID username.

sumanth2464
Level 1
Level 1

‎02-26-2019 06:54 AM - edited ‎02-21-2020 11:03 AM

Hello Experts,

 

Can someone help me with the below issue,

 

- I have ISE standalone running on 2.6, i have enabled the device administration for TACACS services and configured required steps on my Firewall and Switch. 

 

aaa-server ise1 protocol tacacs+

aaa-server ise1 (Inside) host <ISE IP>

key *****

aaa authentication ssh console ise1 LOCAL

aaa authentication enable console ise1 LOCAL

aaa authentication http console ise1 LOCAL

aaa authorization command ise1 LOCAL

aaa accounting ssh console ise1

aaa accounting serial console ise1

aaa accounting enable console ise1

aaa accounting command ise1

aaa authentication secure-http-client

aaa authorization exec authentication-server auto-enable

 

1. I am seeing continues Authentication failure logs on ISE with INVALID username on my Firewall which is hitting the default profile.

 

2. when i tried to authenticate with AD user, the authentication is successful but authorization is hitting to the default deny profile. 

 

Can someone help me did i done something wrong on my TACACS configuration or Is it a Bug?

 

Thanks 

Sumanth 

 

 

 

 

1 person had this problem
Preview file
708 KB
0 Helpful
4 Replies 4

Damien Miller
VIP Alumni
VIP Alumni

‎02-26-2019 04:30 PM - edited ‎02-26-2019 04:37 PM

First introduced in ise 2.4, the masking of usernames failing authentication was done to avoid revealing passwords that may have been placed in the username field.

 

You can disable the masking for 30 minutes if you go to Administration >> Settings >> Protocols >> RADIUS >> Disclose invalid usernames and select the checkbox.

 

As for your issue of hitting the deny rule, you need to confirm that you're matching the conditions you have set, user, Nad, group, etc. Click the details of one of those live logs and share it with us of you want. If you feel you're hitting a bug or this worked before 2.6, TAC will be your only option. 

sumanth2464
Level 1
Level 1
In response to Damien Miller

‎02-26-2019 05:10 PM

Thanks for the response Miller,

 

I don't find the option for disabling INVALID users, PFA.

 

And i have attached Tacacs policyset and log screenshot. please review it once and let me know any misconfigurations done. 

Preview file
458 KB
Preview file
476 KB
Preview file
692 KB
0 Helpful

ognyan.totev
Level 5
Level 5
In response to sumanth2464

‎02-26-2019 09:35 PM

Hi, it told you that authentication is fail, and it not match any rules, you can show what is configured in authentication rule and to be more granular set the protocol for tacacs+

0 Helpful

Demo Benavides
Cisco Employee
Cisco Employee

‎08-14-2019 03:56 PM

Not sure if you already fix this, but in 2.6 the username disclosure setting is in Administration > System > Settings > Security Settings.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents