cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2574
Views
6
Helpful
7
Replies

how can i configure for running TACACS with ISE?

sbmc014
Level 4
Level 4

after i setup and check TACACS log , it display this error msg "22056 Subject not found in the applicable identity store(s)"

anything i miss to configure ? or which part i should adjust setting ?

ISE verison:2.4.0

detail steps like this :

Steps

13013Received TACACS+ Authentication START Request
15049Evaluating Policy Group
15008Evaluating Service Selection Policy
15041Evaluating Identity Policy
15013Selected Identity Source - Internal Endpoints
13045TACACS+ will use the password prompt from global TACACS+ configuration
13015Returned TACACS+ Authentication Reply
13014Received TACACS+ Authentication CONTINUE Request
15041Evaluating Identity Policy
15013Selected Identity Source - Internal Endpoints
24209Looking up Endpoint in Internal Endpoints IDStore
24217The host is not found in the internal endpoints identity store
15013Selected Identity Source - Internal Endpoints
24209Looking up Endpoint in Internal Endpoints IDStore
24217The host is not found in the internal endpoints identity store
22016Identity sequence completed iterating the IDStores
22056Subject not found in the applicable identity store(s)
22058The advanced option that is configured for an unknown user is used
22061The 'Reject' advanced option is configured in case of a failed authentication request
13015Returned TACACS+ Authentication Reply
7 Replies 7

Craig Hyps
Level 10
Level 10

Check your Authentication Policy for Device Admin.  It appears that the matching rule is choosing the Internal Endpoints store, or may the Internal Endpoints store has been added to the ALL_User_ID_Stores identity sequence (Under Administration > Identity Management > Identity Source Sequences).

In short, TACACS+ should be authenticating USERS, not MAC Addresses, which is what the Internal Endpoints store is used for during MAB.  Check and update Authentication rules to make sure you are selecting correct Allowed_Protocols (for example, Default Device Admin) and that ID store under Authentication Rules point to Internal Users or external user ID store.

Craig

thanks for your reply , now user can auth via TACACS from ISE ,

but i have another issue for detail behavior , for example :

i want this user cannot config lldp via telnet , and i done configurations like below :

configure TACACS command like this :

set tacacs command to deny.jpg

and configure authorization policy like this , and i am sure this rule be hit when this user login via telnet :

authorization policy set for tacacs.jpg

but user still can config lldp well via telnet :

it can config lldp success.jpg

this behavior is not my expectation , i do not know why ? any configurations i miss ? or some setting i need to adjust ?

hslai
Cisco Employee
Cisco Employee

Please check T+ live logs and see whether your NAD sending command authorization requests to ISE and which rules are matched.

thanks for your reply , after i checked the logs , there is nothing in "matched command set"

nothing in matched command set.jpg

but i do configured the rule and make sure it be hit , it is called "tacacs for low power" :

authorization policy set for tacacs.jpg

why it cannot hit this command sets ? any setting i need to adjust ? or some configurations i miss ?

hslai
Cisco Employee
Cisco Employee

The authorization you showed in your screenshot is one for a shell profile, because its overview has

Message TextDevice-Administration: Session Authorization succeeded

and one of the steps gives --

15017Selected Shell Profile

Below shows T+ live logs with T+ authC, T+ shell authZ, and T+ command authZ.

Screen Shot 2018-05-18 at 6.11.55 AM.png

Here shows the auth detail report of one of command authZ requests from the above.

Screen Shot 2018-05-18 at 6.15.11 AM.png

Its overview has

Message TextDevice-Administration: Command Authorization succeeded

And, its steps have:

  15018Selected Command Set
13024Command matched a Permit rule

Thus, it does not appear your NAD sending command authorization at all.

Please post additional or followup questions in a new question.

This helps ensure that each specific question is addressed, especially after we mark the question as Answered.