ISE 2.0 Radius NAS-IP and TACACS Source-IP are the same and failing

bforan
Level 1

This seems like it should be a no brainer for ISE to handle, but I can't seem to get an answer from Cisco yet.

I have added my ASA firewall as a network object in ISE and I have selected the TACACS and RADIUS options within that network object. My firewall configuration is as follows:

aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.12.12.61
 key *****
aaa-server RADIUS protocol radius
 authorize-only
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server RADIUS (inside) host 10.12.12.61
 key *****

Because TACACS and RADIUS are both pointing to ISE and TACACS comes first in the configuration, my VPN users are getting a "Dynamic Authorization Failed" message. If I remove the TACACS configuration or point it to our old ACS server, then everything works fine.

I am also unable to move the TACACS configuration below the Radius.

Anyone run into this or have a workaround?
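The collision described in the post, as an added check that is not part of this thread: a small Python script (assumed helper tooling, not an ASA or ISE feature) that parses the posted aaa-server lines and reports every host that more than one AAA protocol reaches from the same ASA interface, which is the situation where ISE sees one NAS IP for both TACACS+ and RADIUS.

```python
import re
from collections import defaultdict

# Constructed sample: the ASA AAA configuration from the post above, with both
# server groups pointing at the same ISE node from the same interface.
ASA_CONFIG = """\
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.12.12.61
 key *****
aaa-server RADIUS protocol radius
 authorize-only
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server RADIUS (inside) host 10.12.12.61
 key *****
"""

GROUP_RE = re.compile(r"^aaa-server\s+(\S+)\s+protocol\s+(\S+)\s*$")
HOST_RE = re.compile(r"^aaa-server\s+(\S+)\s+\((\S+)\)\s+host\s+(\S+)")


def parse_aaa_servers(config):
    """Return {group_name: {"protocol": str, "hosts": [(iface, ip), ...]}}."""
    groups = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            groups[m.group(1)] = {"protocol": m.group(2).lower(), "hosts": []}
            continue
        m = HOST_RE.match(line)
        if m and m.group(1) in groups:
            groups[m.group(1)]["hosts"].append((m.group(2), m.group(3)))
    return groups


def shared_aaa_hosts(config):
    """Map (iface, ip) -> sorted list of protocols, keeping only hosts that
    more than one protocol reaches from the same ASA interface."""
    by_host = defaultdict(set)
    for group in parse_aaa_servers(config).values():
        for iface, ip in group["hosts"]:
            by_host[(iface, ip)].add(group["protocol"])
    return {h: sorted(p) for h, p in by_host.items() if len(p) > 1}


if __name__ == "__main__":
    for (iface, ip), protos in shared_aaa_hosts(ASA_CONFIG).items():
        print(f"{ip} via {iface}: reached by {', '.join(protos)}")
```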

3 Replies

Timothy Abbott
Cisco Employee

Brian,

What is the AAA Server Group in your AnyConnect Connection profile for VPN users? Please be sure you have the server group that has RADIUS as the protocol selected.

Regards,

-Tim

Yup, I do have the AAA Server Group for that specific Tunnel-Group set as RADIUS:

tunnel-group SSL-NETENG general-attributes
 authentication-server-group RADIUS
 authorization-server-group RADIUS
 accounting-server-group RADIUS

hslai
Cisco Employee

Since RADIUS configuration is authorize-only, are you performing cert auth against ASA and then ISE for authorization only?

What error details are in the CoA attempts? It might be worth trying to enable a second interface on ISE with a different IP address for T+ and see whether that helps.