Beginner

ISE 2.0 Radius NAS-IP and TACACS Source-IP are the same and failing

This seems like it should be a no brainer for ISE to handle, but I can't seem to get an answer from Cisco yet.

I have added my ASA firewall as a network object in ISE and I have selected the TACACS and RADIUS options within that network object. My firewall configuration is as follows:

aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.12.12.61
 key *****
aaa-server RADIUS protocol radius
 authorize-only
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server RADIUS (inside) host 10.12.12.61
 key *****

Because both TACACS and RADIUS are pointing to ISE and TACACS comes first in the configuration, my VPN users are getting a "Dynamic Authorization Failed" message. If I remove the TACACS configuration or point it to our old ACS server, then everything works fine.

I am also unable to move the TACACS configuration below the Radius.

Anyone run into this or have a workaround?

Cisco Employee

Re: ISE 2.0 Radius NAS-IP and TACACS Source-IP are the same and failing

Brian,

What is the AAA Server Group in your AnyConnect Connection profile for VPN users? Please be sure you have selected the server group that has RADIUS as its protocol.

Regards,

-Tim

Beginner

Re: ISE 2.0 Radius NAS-IP and TACACS Source-IP are the same and failing

Yup, I do have the AAA Server Group for that specific Tunnel-Group set as RADIUS:

tunnel-group SSL-NETENG general-attributes
 authentication-server-group RADIUS
 authorization-server-group RADIUS
 accounting-server-group RADIUS

Cisco Employee

Re: ISE 2.0 Radius NAS-IP and TACACS Source-IP are the same and failing

Since the RADIUS configuration is authorize-only, are you performing cert auth against the ASA and then ISE for authorization only?

What detailed errors are in the CoA attempts? It might be worth trying to enable a 2nd interface on ISE with a different IP address for T+ and seeing whether that helps.
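As an added example (not code from the thread or from Cisco), here is a small check that parses ASA `aaa-server` configuration and flags the condition the original post describes: server groups of different protocols (TACACS+ and RADIUS) whose hosts are the same IP, with special attention to the group that has `dynamic-authorization` (CoA) enabled. It is run against the poster's configuration and against a split variant that reflects the last reply's suggestion of a second ISE interface; the second ISE address 10.12.12.62 in that variant is an assumption, not something from the thread. The check only reports the shared-host condition; it does not claim to diagnose the "Dynamic Authorization Failed" message itself.

```python
"""Flag ASA aaa-server groups of different protocols that point at the same host.

Added example; not part of the original thread.
"""
import re
from collections import defaultdict

# Constructed sample 1: the poster's configuration (keys redacted as in the post).
POSTED_CONFIG = """\
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.12.12.61
 key *****
aaa-server RADIUS protocol radius
 authorize-only
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server RADIUS (inside) host 10.12.12.61
 key *****
"""

# Constructed sample 2: TACACS+ moved to a second ISE interface.
# 10.12.12.62 is an ASSUMED address for that second interface.
SPLIT_CONFIG = POSTED_CONFIG.replace(
    "aaa-server TACACS (inside) host 10.12.12.61",
    "aaa-server TACACS (inside) host 10.12.12.62",
)

PROTO_RE = re.compile(r"^aaa-server\s+(\S+)\s+protocol\s+(\S+)\s*$")
HOST_RE = re.compile(r"^aaa-server\s+(\S+)\s+\((\S+)\)\s+host\s+(\S+)\s*$")


def parse_aaa_servers(config):
    """Return (protocol_by_group, hosts_by_group, subcommands_by_group).

    hosts_by_group maps a group to a list of (interface, host) tuples;
    subcommands_by_group collects the first keyword of every subcommand line
    (e.g. 'key', 'authorize-only', 'dynamic-authorization') under its group.
    Subcommands are accepted with or without the leading space ASA prints.
    """
    protocols, hosts, subs = {}, defaultdict(list), defaultdict(set)
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = PROTO_RE.match(line)
        if m:
            protocols[m.group(1)] = m.group(2)
            current = m.group(1)
            continue
        m = HOST_RE.match(line)
        if m:
            hosts[m.group(1)].append((m.group(2), m.group(3)))
            current = m.group(1)
            continue
        if current and not line.lstrip().startswith("aaa-server"):
            subs[current].add(line.split()[0])
    return protocols, dict(hosts), dict(subs)


def shared_hosts(config):
    """List (host, [(group, protocol), ...]) for hosts used by groups of differing protocols."""
    protocols, hosts, _ = parse_aaa_servers(config)
    by_host = defaultdict(list)
    for group, entries in hosts.items():
        for _iface, host in entries:
            by_host[host].append((group, protocols.get(group, "?")))
    return [
        (host, groups)
        for host, groups in sorted(by_host.items())
        if len({proto for _, proto in groups}) > 1
    ]


def coa_groups_on_shared_host(config):
    """Groups with dynamic-authorization whose host is also used by another protocol's group."""
    _, _, subs = parse_aaa_servers(config)
    affected = {g for _, groups in shared_hosts(config) for g, _ in groups}
    return sorted(g for g in affected if "dynamic-authorization" in subs.get(g, set()))


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("split", SPLIT_CONFIG)):
        print(name, "shared:", shared_hosts(cfg), "coa groups:", coa_groups_on_shared_host(cfg))
```

Run against the posted configuration it reports 10.12.12.61 as shared by the `TACACS` (tacacs+) and `RADIUS` (radius) groups and names `RADIUS` as the CoA-enabled group on that shared host; against the split variant it reports nothing, which is the state the last reply's second-interface suggestion aims for.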