05-10-2016 11:41 AM
This seems like it should be a no-brainer for ISE to handle, but I can't seem to get an answer from Cisco yet.
I have added my ASA firewall as a network object in ISE and I have selected the TACACS and RADIUS options within that network object. My firewall configuration is as follows:
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.12.12.61
key *****
aaa-server RADIUS protocol radius
authorize-only
interim-accounting-update periodic 1
dynamic-authorization
aaa-server RADIUS (inside) host 10.12.12.61
key *****
Because both TACACS and RADIUS are pointing to ISE and TACACS comes first in the configuration, my VPN users are getting a "Dynamic Authorization Failed" message. If I remove the TACACS configuration or point it to our old ACS server, then everything works fine.
I am also unable to move the TACACS configuration below the RADIUS one.
Anyone run into this or have a workaround?
05-10-2016 11:51 AM
Brian,
What is the AAA Server Group in your AnyConnect Connection profile for VPN users? Please be sure you have the server group that has RADIUS as the protocol selected.
Regards,
-Tim
05-10-2016 11:58 AM
Yup, I do have the AAA Server Group for that specific Tunnel-Group set as RADIUS:
tunnel-group SSL-NETENG general-attributes
authentication-server-group RADIUS
authorization-server-group RADIUS
accounting-server-group RADIUS
05-14-2016 11:11 PM
Since the RADIUS configuration is authorize-only, are you performing cert auth against the ASA and then ISE for authorization only?
What errors, in detail, are in the CoA attempts? It might be worth trying to enable a second interface on ISE with a different IP address for T+ and seeing whether that helps.
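An added checker, written for this thread and not posted by any participant nor part of ASA or ISE, that parses the two fragments above and flags the two conditions discussed: a tunnel-group referencing a server group that is not RADIUS (Tim's question), and a TACACS+ group and a RADIUS group pointing at the same ISE address (the situation the last reply suggests splitting across two ISE IPs). The sample config is constructed from the posted fragments with ASA's leading-space indentation.

```python
import re
from collections import defaultdict

# Constructed sample: the two fragments posted in the thread, with ASA's indentation.
ASA_CONFIG = """\
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.12.12.61
 key *****
aaa-server RADIUS protocol radius
 authorize-only
 interim-accounting-update periodic 1
 dynamic-authorization
aaa-server RADIUS (inside) host 10.12.12.61
 key *****
tunnel-group SSL-NETENG general-attributes
 authentication-server-group RADIUS
 authorization-server-group RADIUS
 accounting-server-group RADIUS
"""

def parse_aaa(config):
    # Returns {group: protocol}, {group: [host, ...]}, {tunnel_group: {role: group}}.
    protocols, hosts, tunnels, tg = {}, defaultdict(list), defaultdict(dict), None
    for line in config.splitlines():
        if not line.startswith(" "):
            tg = None  # any new top-level command ends the tunnel-group block
        if m := re.match(r"aaa-server (\S+) protocol (\S+)", line):
            protocols[m[1]] = m[2]
        elif m := re.match(r"aaa-server (\S+) \(\S+\) host (\S+)", line):
            hosts[m[1]].append(m[2])
        elif m := re.match(r"tunnel-group (\S+) general-attributes", line):
            tg = m[1]
        elif tg and (m := re.match(r" (\w+)-server-group (\S+)", line)):
            tunnels[tg][m[1]] = m[2]
    return protocols, dict(hosts), dict(tunnels)

def find_issues(config):
    protocols, hosts, tunnels = parse_aaa(config)
    # Tim's question: every server group the VPN tunnel-group references must be RADIUS.
    issues = [f"{tg}: {role}-server-group {grp} is not a RADIUS group"
              for tg, roles in tunnels.items() for role, grp in roles.items()
              if protocols.get(grp) != "radius"]
    # Brian's symptom: a TACACS+ group and a RADIUS group pointing at the same ISE address.
    by_host = defaultdict(set)
    for group, addrs in hosts.items():
        for addr in addrs:
            by_host[addr].add(protocols.get(group))
    issues += [f"host {addr}: shared by tacacs+ and radius server groups"
               for addr, protos in sorted(by_host.items()) if {"tacacs+", "radius"} <= protos]
    return issues
```

Running `find_issues(ASA_CONFIG)` reports only the shared host; changing the TACACS host line to a second ISE address clears it.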