05-10-2016 11:41 AM
This seems like it should be a no-brainer for ISE to handle, but I can't seem to get an answer from Cisco yet.
I have added my ASA firewall as a network object in ISE and I have selected the TACACS and RADIUS options within that network object. My firewall configuration is as follows:
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.12.12.61
key *****
aaa-server RADIUS protocol radius
authorize-only
interim-accounting-update periodic 1
dynamic-authorization
aaa-server RADIUS (inside) host 10.12.12.61
key *****
Because both TACACS and RADIUS are pointing to ISE and TACACS comes first in the configuration, my VPN users are getting a "Dynamic Authorization Failed" message. If I remove the TACACS configuration or point it to our old ACS server, then everything works fine.
I am also unable to move the TACACS configuration below the RADIUS one.
Anyone run into this or have a workaround?
05-10-2016 11:51 AM
Brian,
What is the AAA Server Group in your AnyConnect Connection profile for VPN users? Please be sure you have the server group that has RADIUS as the protocol selected.
Regards,
-Tim
05-10-2016 11:58 AM
Yup, I do have the AAA Server Group for that specific Tunnel-Group set as RADIUS:
tunnel-group SSL-NETENG general-attributes
authentication-server-group RADIUS
authorization-server-group RADIUS
accounting-server-group RADIUS
05-14-2016 11:11 PM
Since RADIUS configuration is authorize-only, are you performing cert auth against ASA and then ISE for authorization only?
What errors in detail are in the CoA attempts? It might be worth trying to enable a second interface on ISE with a different IP address for T+ and see whether it helps.
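As an added example (not part of this thread or of any Cisco tool), here is a small Python script that parses an ASA "aaa-server" / "tunnel-group" running-config fragment and flags the two things the replies above ask the poster to check: a host address that is shared by server groups of different protocols (the layout that coincides with the "Dynamic Authorization Failed" message), and a tunnel-group whose server groups do not resolve to a RADIUS-protocol group. The sample config is the poster's, re-indented the way the ASA prints it; the FIXED_CONFIG variant and its 10.12.12.62 address are constructed to stand in for the last reply's suggestion of a second ISE interface for TACACS+ and are assumptions, not anything from the page.

```python
"""Audit an ASA config fragment for the AAA/ISE layout discussed in the thread."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the poster's configuration, indented as 'show run' would print it.
SAMPLE_CONFIG = """\
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.12.12.61
 key *****
aaa-server RADIUS protocol radius
 authorize-only
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server RADIUS (inside) host 10.12.12.61
 key *****
tunnel-group SSL-NETENG general-attributes
 authentication-server-group RADIUS
 authorization-server-group RADIUS
 accounting-server-group RADIUS
"""

# Constructed variant (assumption): TACACS+ sent to a second ISE interface address.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "aaa-server TACACS (inside) host 10.12.12.61",
    "aaa-server TACACS (inside) host 10.12.12.62",
)

GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) general-attributes$")
TG_SG_RE = re.compile(r"^(authentication|authorization|accounting)-server-group (\S+)$")


def parse_aaa(config: str) -> Tuple[Dict[str, str], Dict[str, List[str]], Dict[str, Dict[str, str]]]:
    """Return ({group: protocol}, {group: [host, ...]}, {tunnel_group: {role: group}})."""
    protocols: Dict[str, str] = {}
    hosts: Dict[str, List[str]] = {}
    tunnel_groups: Dict[str, Dict[str, str]] = {}
    current_tg = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := GROUP_RE.match(line):
            protocols[m.group(1)] = m.group(2).lower()
            current_tg = None
        elif m := HOST_RE.match(line):
            hosts.setdefault(m.group(1), []).append(m.group(3))
            current_tg = None
        elif line.startswith("tunnel-group "):
            # Only the general-attributes block carries the server-group references.
            m = TG_RE.match(line)
            current_tg = m.group(1) if m else None
            if current_tg:
                tunnel_groups.setdefault(current_tg, {})
        elif current_tg and (m := TG_SG_RE.match(line)):
            tunnel_groups[current_tg][m.group(1)] = m.group(2)
        # 'key', 'authorize-only', 'dynamic-authorization', ... are not needed for this audit.
    return protocols, hosts, tunnel_groups


def shared_host_findings(protocols: Dict[str, str], hosts: Dict[str, List[str]]) -> List[str]:
    """Flag a server address that is used by groups of more than one AAA protocol."""
    by_host: Dict[str, Set[str]] = {}
    for group, addrs in hosts.items():
        for addr in addrs:
            by_host.setdefault(addr, set()).add(protocols.get(group, "unknown"))
    return sorted(
        f"{addr} is used by {' and '.join(sorted(protos))} groups"
        for addr, protos in by_host.items()
        if len(protos) > 1
    )


def tunnel_group_findings(protocols: Dict[str, str], tunnel_groups: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag a tunnel-group server-group reference that is undefined or not RADIUS."""
    out = []
    for tg, roles in tunnel_groups.items():
        for role, group in sorted(roles.items()):
            proto = protocols.get(group)
            if proto is None:
                out.append(f"{tg}: {role}-server-group {group} is not a defined aaa-server group")
            elif proto != "radius":
                out.append(f"{tg}: {role}-server-group {group} uses {proto}, not radius")
    return out


def audit(config: str) -> List[str]:
    """Run both checks over one config fragment and return all findings."""
    protocols, hosts, tunnel_groups = parse_aaa(config)
    return shared_host_findings(protocols, hosts) + tunnel_group_findings(protocols, tunnel_groups)


if __name__ == "__main__":
    for name, cfg in (("poster's config", SAMPLE_CONFIG), ("constructed fix", FIXED_CONFIG)):
        findings = audit(cfg)
        print(f"{name}: {findings if findings else 'no findings'}")
```

Run it against a pasted "show run aaa-server" plus the tunnel-group block; the shared-host finding is the condition the thread describes, and an empty result for the tunnel-group check confirms what Tim asked the poster to verify.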