01-07-2019 03:46 AM
Hi,
I am currently struggling with the migration of an ACS/TACACS-based ISDN dial-in solution to ISE 2.3.
My problem is finding the missing bits under ISE. And if it's generally supported or works at all.
I have configured a couple of Cisco AV-pairs, e.g. protocol=lcp,ip,multilink ... debug tacacs shows me that the attributes are accepted by the router, but for some reason the router is disconnecting the PPP session :-(
Is there anyone who has a running setup with ISE & TACACS & PPP/CHAP & ISDN?
I would be very thankful for documentation hints or any experience for such a setup!
Thanks
Christian
01-07-2019 02:02 PM
I have not used TACACS with PPP ... but if the ACS system is still around, have you considered capturing a tcpdump on the ACS server CLI and then analyzing (comparing) it with the ISE tcpdump that is failing? Sometimes having a side-by-side comparison may be helpful.
If the TACACS return traffic to the NAS is identical, then it could be some lingering ACS config on the NAS that needs to change (or be brought in line for ISE IP address etc.). E.g. using a RADIUS analogy, it's easy to overlook changing the CoA IP address on the NAS ... :-p and then wonder why the new RADIUS server doesn't do what the old one did.
01-08-2019 09:45 AM
Adding to Arne Bier's ...
What is really needed is to debug on the network device itself, the one providing the ISDN dial-in, and see why it is disconnecting the session. You would probably need to contact the vendor or the platform support for that network device.