08-07-2018 03:46 AM
I have installed Cisco ISE with the TACACS+ feature as the authentication server. I have configured the policy and network resources. Then I configured a Cisco 2960 switch, but authentication failed when I used the command "test aaa group ise-tacacs+ <mydomain>\<username> <password> legacy". Please see the output below:
Attempting authentication test to server-group ise-tacacs+ using tacacs+
No authoritative response from any server.
FC-HQ-4thFloor#
04:45:06: TAC+: send AUTHEN/START packet ver=192 id=316651065
04:45:06: TAC+: Using default tacacs server-group "ise-tacacs+" list.
04:45:06: TAC+: Opening TCP/IP to 192.168.142.21/49 timeout=5
04:45:06: TAC+: Opened TCP/IP handle 0x2B59B0C to 192.168.142.21/49 using source 192.168.148.254
04:45:06: TAC+: 192.168.142.21 (316651065) AUTHEN/START/LOGIN/ASCII queued
04:45:06: TAC+: (316651065) AUTHEN/START/LOGIN/ASCII processed
04:45:06: TAC+: decrypt: no key for encrypted pak
04:45:06: TAC+: Unable to decrypt data from server.
04:45:06: TAC+: Closing TCP/IP 0x2B59B0C connection to 192.168.142.21/49
04:45:06: TAC+: Using default tacacs server-group "ise-tacacs+" list.
Please see the configuration below:
aaa authentication login default group ise-tacacs+ local
aaa authentication enable default group ise-tacacs+ enable
ip tacacs source-interface Vlan80
tacacs-server host 192.168.142.21
tacacs-server directed-request
aaa group server tacacs+ ise-tacacs+
 server 192.168.142.21
I'm not sure what is causing the issue.
08-07-2018 04:32 AM - edited 08-07-2018 04:36 AM
I'm not seeing a TACACS Shared Secret configured. You need:
"tacacs-server host 192.168.142.21 key blah-blah"
This key should match the key you configured under:
Work Centers > Device Administration > Network Resources > Network Devices > TACACS Authentication Settings > Shared Secret
This should get authentication working.
Here is how I typically set up my AAA server groups:
aaa group server tacacs+ ise_PSNs
 server name psn01
 server name psn02
tacacs server psn01
 address ipv4 psn01
 key blah-blah
tacacs server psn02
 address ipv4 psn02
 key blah-blah
Of course, DNS is required for this to work. Otherwise just change 'address ipv4 psn01' to 'address ipv4 <ip of psn>'.
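The "decrypt: no key for encrypted pak" line in the debug output is the switch refusing to process a body it cannot unmask. As an added example (not code from the thread or from Cisco), the Python below implements the RFC 8907 TACACS+ body obfuscation so the failure mode is visible: with no key the receiver has no pad and raises the same error; with a mismatched key it silently produces garbage, which is what the shared secret on both sides prevents. The sample body, session id usage and key are constructed for the demo.

```python
import hashlib
import struct
from typing import Optional
# TACACS+ header fields (RFC 8907). 0xC0 is the "ver=192" in the debug output above.
VERSION = 0xC0
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length

def pseudo_pad(session_id: int, key: bytes, seq_no: int, length: int) -> bytes:
    """RFC 8907 s4.5: MD5_1 = MD5(sid|key|ver|seq), MD5_n = MD5(sid|key|ver|seq|MD5_n-1);
    the pad is the concatenation, truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: int, seq_no: int, key: bytes) -> bytes:
    """XOR the body with the pad; applying it again with the same key restores it."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(body: bytes, session_id: int, seq_no: int, key: Optional[bytes]) -> bytes:
    """Wrap an AUTHEN body; with no key the body goes on the wire in cleartext."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if key is None else 0
    payload = body if key is None else obfuscate(body, session_id, seq_no, key)
    return HEADER.pack(VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(payload)) + payload

def decode_body(packet: bytes, key: Optional[bytes]) -> bytes:
    """Receiver side: the same decision the switch makes before logging its error."""
    _ver, _type, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    payload = packet[HEADER.size:HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return payload
    if key is None:
        raise ValueError("decrypt: no key for encrypted pak")
    return obfuscate(payload, session_id, seq_no, key)  # wrong key => garbage, no error

# Constructed sample: a server AUTHEN REPLY (seq 2) with status GETPASS asking for the password.
SERVER_MSG = b"Password: "
SAMPLE_BODY = struct.pack("!BBHH", 0x05, 0, len(SERVER_MSG), 0) + SERVER_MSG
SAMPLE_SID = 316651065  # session id taken from the debug above
SAMPLE_KEY = b"example-shared-secret"  # constructed, not a real secret

if __name__ == "__main__":
    pkt = build_packet(SAMPLE_BODY, SAMPLE_SID, 2, SAMPLE_KEY)
    print(decode_body(pkt, SAMPLE_KEY) == SAMPLE_BODY)  # True
    print(decode_body(pkt, b"wrong-key") == SAMPLE_BODY)  # False
```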
08-07-2018 06:25 AM
You are missing your TACACS key. Using the newest style, here is my standard TACACS script:
tacacs server <ISE PSN #1 Name>
 address ipv4 <ISE PSN #1 IP>
 key 0 <TACACS key>
 timeout 10
tacacs server <ISE PSN #2 Name>
 address ipv4 <ISE PSN #2 IP>
 key 0 <TACACS key>
 timeout 10
!
aaa group server tacacs+ ISE-TACACS
 server name <ISE PSN #1 Name>
 server name <ISE PSN #2 Name>
!
aaa authentication login default group ISE-TACACS local
aaa authentication enable default group ISE-TACACS enable
aaa authorization exec default group ISE-TACACS if-authenticated
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 0 default start-stop group ISE-TACACS
aaa accounting commands 1 default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
ip tacacs source-interface <source interface>