Cisco ISE does not see any TACACS hit!!!

Beacon Bits
Level 1

Hello everyone,

 

I have a Cisco switch authenticating to Cisco ISE fine with the commands below.

 

Switch Config

-------------

aaa authentication login default group tacplus-server local line

 

aaa group server tacacs+ tacplus-server
server 10.10.200.200

 

Scenario

---------

I built a new ISE VM and pointed my switch to the new ISE (10.10.200.205).

 

Problem

--------

The new ISE does not see any log or any policy hit, whereas it has the same configuration as the existing one (10.10.200.200).

I ran a debug on the switch and am seeing the message "FAIL - password incorrect":

 

00:48:06: AAA/AUTHEN/LINE(00000004): GET_PASSWORD
00:48:14: AAA/AUTHEN/LINE(00000004): FAIL - password incorrect
00:48:16: AAA/AUTHEN/LOGIN (00000004): Pick method list 'default'
00:48:16: AAA/AUTHEN/LINE(00000004): GET_PASSWORD
00:48:17: AAA/AUTHEN/LINE(00000004): FAIL - password incorrect

 

Can anyone help??

 

Regards,

B

4 Replies

paul
Level 10

Did you enable the Device Admin service in ISE and configure the appropriate rules?  Did you enable the TACACS shared secret on the network device in ISE?  What do you see in the TACACS Live Logs?  I am guessing nothing.
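The shared-secret check paul asks about is worth seeing at the protocol level. What follows is an added Python example written for this page, not code from the thread or from Cisco: it models the TACACS+ body obfuscation from RFC 8907 (an MD5 pseudo-pad XORed over the packet body) for an Authentication START packet of the kind the switch sends, then has the receiving side decode it once with the matching key and once with a mismatched one. The session ID, both secrets, the username, the line name and the source address are constructed values for the example. With the wrong key the decoded length fields no longer add up to the body length, so the receiver cannot even extract the username, let alone reach policy evaluation, which is one way a node ends up showing no policy hit. Note also that the debug in the first post reached AAA/AUTHEN/LINE, the last method in the 'default' list; IOS moves on to the next method only when the previous one returns an error (server unreachable or response unusable), not when it rejects the credentials.

```python
import hashlib
import struct

# TACACS+ constants from RFC 8907 (only the ones this example needs)
TAC_PLUS_VERSION = 0xC0            # major 0xC, minor 0: what IOS uses for ASCII login
TAC_PLUS_AUTHEN = 0x01             # header type: authentication packet
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_LEN = 12                    # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream from RFC 8907 section 4.5: MD5(session_id|key|version|seq_no|previous digest),
    concatenated until it covers the body. Everything except the key is in the cleartext header."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call also deobfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, session_id, key):
    """Client (switch) side: Authentication START, seq_no 1, body obfuscated under `key`."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), 0) + u + p + r
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, 1)


def parse_authen_start(packet, key):
    """Server side: deobfuscate with the configured key and sanity-check the body.
    Returns the username, or None if the body does not parse, which is what a key mismatch looks like."""
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHEN or length < 8 or len(packet) != HEADER_LEN + length:
        return None
    body = obfuscate(packet[HEADER_LEN:], session_id, key, version, seq_no)
    action, _priv, _atype, _svc, user_len, port_len, rem_len, data_len = struct.unpack("!8B", body[:8])
    # Under the wrong pad these bytes are pseudo-random, so the lengths will not add up to the body size
    if action != TAC_PLUS_AUTHEN_LOGIN or 8 + user_len + port_len + rem_len + data_len != length:
        return None
    try:
        return body[8:8 + user_len].decode("ascii")
    except UnicodeDecodeError:
        return None


if __name__ == "__main__":
    # Constructed values: session id, secrets, user, line and source address are illustrative only
    pkt = build_authen_start("admin", "tty1", "10.10.200.1", 0x1A2B3C4D, b"correct-secret")
    print("matching key   ->", parse_authen_start(pkt, b"correct-secret"))
    print("mismatched key ->", parse_authen_start(pkt, b"wrong-secret"))
```

Because the pad depends only on the header fields plus the key, a secret mismatch between the switch and the network-device entry on the new node garbles every body in the session in both directions, which is why the check belongs at the very top of the list when a freshly restored node sees nothing.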

Further to what @paul said, you are missing a few IOS commands. Typically the source interface has to be specified in the TACACS server config, or else the source IP address used is that of whichever interface the NAS sends the TCP packet from; you need to make it deterministic.


I would follow the Prescriptive Guide - excellent document - step by step

https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365

Hi @paul / @Arne Bier 

 

The switch config is fine, as I did not paste the whole config, and the production ISE config is fine too.

 

The new ISE has a backup config from the production ISE uploaded to it.

So on the switch, I just pointed it towards the new ISE.

 

In doing so, I don't see any hit from the switch, and this is not the first time I'm doing this scenario.

Not sure what I'm missing!

 

Thanks!

 

Hi @Beacon Bits - I would suggest that you share parts of the show run so that we can verify the switch config.

Have you tried any debug commands to see whether the switch tries to contact the correct IP (ISE node)?