Configure tacacs+ Cisco ISE for IOS Network Device

PutmanoAIT
Level 1

I have installed Cisco ISE with the TACACS+ feature as the authentication server. I have configured the policy and the network resource. Then I configured a Cisco 2960 switch, but authentication failed when I used the command "test aaa group ise-tacacs+ <mydomain>\<username> <password> legacy". Please kindly see the output below:


Attempting authentication test to server-group ise-tacacs+ using tacacs+
No authoritative response from any server.

FC-HQ-4thFloor#
04:45:06: TAC+: send AUTHEN/START packet ver=192 id=316651065
04:45:06: TAC+: Using default tacacs server-group "ise-tacacs+" list.
04:45:06: TAC+: Opening TCP/IP to 192.168.142.21/49 timeout=5
04:45:06: TAC+: Opened TCP/IP handle 0x2B59B0C to 192.168.142.21/49 using source 192.168.148.254
04:45:06: TAC+: 192.168.142.21 (316651065) AUTHEN/START/LOGIN/ASCII queued
04:45:06: TAC+: (316651065) AUTHEN/START/LOGIN/ASCII processed
04:45:06: TAC+: decrypt: no key for encrypted pak
04:45:06: TAC+: Unable to decrypt data from server.
04:45:06: TAC+: Closing TCP/IP 0x2B59B0C connection to 192.168.142.21/49
04:45:06: TAC+: Using default tacacs server-group "ise-tacacs+" list.


Please kindly see the configuration below:


aaa authentication login default group ise-tacacs+ local
aaa authentication enable default group ise-tacacs+ enable

ip tacacs source-interface Vlan80
tacacs-server host 192.168.142.21
tacacs-server directed-request

aaa group server tacacs+ ise-tacacs+
 server 192.168.142.21


I'm not sure what is causing the issue.


2 Replies

anthonylofreso
Level 4

I'm not seeing a TACACS Shared Secret configured. You need:

"tacacs-server host 192.168.142.21 key blah-blah"


This key should match the key you configured under:

Work Centers > Device Administration > Network Resources > Network Devices > TACACS Authentication Settings > Shared Secret

This should get authentication working.


Here is how I typically set up my aaa server groups:

aaa group server tacacs+ ise_PSNs
 server name psn01
 server name psn02

tacacs server psn01
 address ipv4 psn01
 key blah-blah
tacacs server psn02
 address ipv4 psn02
 key blah-blah

Of course, DNS is required for this to work. Otherwise just change 'address ipv4 psn01' to 'address ipv4 <ip of psn>'

paul
Level 10

You are missing your TACACS key. Using the newest style, here is my standard TACACS script:


tacacs server <ISE PSN #1 Name>
 address ipv4 <ISE PSN #1 IP>
 key 0 <TACACS key>
 timeout 10
tacacs server <ISE PSN #2 Name>
 address ipv4 <ISE PSN #2 IP>
 key 0 <TACACS key>
 timeout 10
!
aaa group server tacacs+ ISE-TACACS
server name <ISE PSN #1 Name>
server name <ISE PSN #2 Name>
!
aaa authentication login default group ISE-TACACS local
aaa authentication enable default group ISE-TACACS enable
aaa authorization exec default group ISE-TACACS if-authenticated
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 0 default start-stop group ISE-TACACS
aaa accounting commands 1 default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
ip tacacs source-interface <source interface>
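Why the switch logged "decrypt: no key for encrypted pak" in the debug output of the question: TACACS+ (RFC 8907) obfuscates every packet body by XORing it with a chained-MD5 pseudo-pad derived from the session id, the version, the sequence number and the shared secret, so a client that has no key configured cannot even attempt to read the server's reply, and a client with a different key recovers garbage. The following is an added Python example, not code from either reply or from Cisco; the session id and version are the ones shown in the debug output, the secret is the "blah-blah" placeholder from the first reply, and the AUTHEN REPLY body is constructed.

```python
import hashlib
import struct

# TACACS+ header (RFC 8907 section 4.1): version, type, seq_no, flags, session_id, length
HEADER_FMT = "!BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_STATUS_GETPASS = 0x05
# Session id and version are from the debug output on this page; the secret is the
# placeholder from the reply; the reply body passed to build_packet is constructed.
VERSION = 192
SESSION_ID = 316651065
KEY = b"blah-blah"

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1)."""
    pad, prev = b"", b""
    sid = struct.pack("!I", session_id)
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call both obfuscates and de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def authen_reply_body(status, server_msg=b"", data=b""):
    """AUTHEN REPLY body (section 5.2): status, flags, server_msg_len, data_len, then the strings."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data

def build_packet(body, session_id, key, seq_no, version=VERSION, ptype=TAC_PLUS_AUTHEN):
    """Server side: obfuscate with its configured key, or flag the body as cleartext if it has none."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack(HEADER_FMT, version, ptype, seq_no, flags, session_id, len(body))
    return header + (obfuscate(body, session_id, key, version, seq_no) if key else body)

def decode_packet(packet, key):
    """Client side: return the body, or raise when the body is obfuscated and no key is configured."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    if not key:
        raise ValueError("no key for encrypted pak")  # the condition behind the IOS debug line
    return obfuscate(body, session_id, key, version, seq_no)
```

Decoding the server's reply with the matching key returns the original body, with no key it fails the way the switch did, and with a different key the bytes come back scrambled, which is why the secret in "tacacs-server host ... key" must be identical to the one under the ISE network device's TACACS Authentication Settings.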