
ISE 2.0 Radius NAS-IP and TACACS Source-IP are the same and failing


This seems like it should be a no-brainer for ISE to handle, but I can't seem to get an answer from Cisco yet.

I have added my ASA firewall as a network object in ISE and I have selected the TACACS and RADIUS options within that network object. My firewall configuration is as follows:

aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host
 key *****
aaa-server RADIUS protocol radius
 interim-accounting-update periodic 1
aaa-server RADIUS (inside) host
 key *****

Because TACACS and RADIUS are both pointing to ISE and TACACS comes first in the configuration, my VPN users are getting a "Dynamic Authorization Failed" message. If I remove the TACACS configuration or point it to our old ACS server, then everything works fine.

I am also unable to move the TACACS configuration below the RADIUS configuration.

Anyone run into this or have a workaround?


Timothy Abbott
Cisco Employee


What is the AAA Server Group in your AnyConnect Connection profile for VPN users?  Please be sure you have the server group that has RADIUS as the protocol selected.



Yup, I do have the AAA Server Group for that specific Tunnel-Group set as RADIUS:

tunnel-group SSL-NETENG general-attributes
 authentication-server-group RADIUS
 authorization-server-group RADIUS
 accounting-server-group RADIUS

Cisco Employee

Since RADIUS configuration is authorize-only, are you performing cert auth against ASA and then ISE for authorization only?

What errors, in detail, are in the CoA attempts? It might be worth trying to enable a 2nd interface on ISE with a different IP address for T+ to see whether it would help.
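
An added example, not part of the thread and not Cisco tooling: a Python check over ASA running-config text for the two conditions discussed above, a tunnel-group that references a server group whose protocol is not RADIUS, and one host reached through the same interface by both a TACACS+ and a RADIUS server group. The sample config is constructed, 192.0.2.10 is a placeholder for the ISE address the post does not show, and audit() is a hypothetical helper name.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the thread; 192.0.2.10 is a placeholder
# for the ISE address, which the original post does not show.
SAMPLE = """\
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 192.0.2.10
 key *****
aaa-server RADIUS protocol radius
 interim-accounting-update periodic 1
aaa-server RADIUS (inside) host 192.0.2.10
 key *****
tunnel-group SSL-NETENG general-attributes
 authentication-server-group RADIUS
 authorization-server-group RADIUS
 accounting-server-group RADIUS
"""

def audit(config):
    protocols = {}             # server group -> protocol
    hosts = defaultdict(set)   # (interface, host) -> server groups
    refs = []                  # (tunnel-group, role, server group)
    tunnel = None
    for raw in config.splitlines():
        if raw and not raw[0].isspace():
            tunnel = None      # a top-level line ends the previous block
        line = raw.strip()
        if m := re.match(r"aaa-server (\S+) protocol (\S+)$", line):
            protocols[m[1]] = m[2]
        elif m := re.match(r"aaa-server (\S+) \(([^)]+)\) host (\S+)", line):
            hosts[(m[2], m[3])].add(m[1])
        elif m := re.match(r"tunnel-group (\S+) general-attributes$", line):
            tunnel = m[1]
        elif tunnel and (m := re.match(
                r"(authentication|authorization|accounting)-server-group "
                r"(?:\([^)]+\) )?(\S+)", line)):
            refs.append((tunnel, m[1], m[2]))
    findings = []
    for tg, role, group in refs:
        proto = protocols.get(group, "undefined")
        if proto != "radius":
            findings.append(f"{tg}: {role} uses {group} ({proto}), not RADIUS")
    for (ifc, host), groups in sorted(hosts.items()):
        protos = sorted({protocols.get(g, "undefined") for g in groups})
        if len(protos) > 1:
            findings.append(f"{host} via {ifc}: shared by {', '.join(protos)}")
    return findings
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

The parser relies on sub-commands being indented as they are in real running-config output, so a config pasted with the indentation stripped will not have its tunnel-group references checked.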
