Beginner

ISE 2.3 and TACACS

Hello,

 

I'm running ISE 2.3 and trying to get TACACS working with a Switch and an ASA. The license and NAD configuration all look good. A aaa radius test works from the switch, while the tacacs test is user rejected.

I don't see any ISE logs for TACACS.

I am able to ping the ISE node from the NAD's and have double checked the keys.

 

Switch configuration:
aaa group server tacacs+ ISE-TACACS
server name apollo-ise
!
aaa authentication login ISE-LOGIN group ISE-TACACS local
aaa authentication enable default group ISE-TACACS enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec ISE-LOGIN group ISE-TACACS local if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 1 default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
ip tacacs source-interface Loopback0
!
tacacs server apollo-ise
address ipv4 10.0.0.101
key 7 03265A080D0B711C5C
timeout 2
!

line vty 0 4
exec-timeout 15 0
authorization exec ISE-LOGIN
logging synchronous
login authentication ISE-LOGIN
transport input ssh

 

Any help appreciated.

Participant

Did you actually enable Device Administration on one of your ISE PSN nodes (under the Deployment page)?

 

To review TACACS+ activity you need to run a device administration report - it doesn't integrate with the Live Log unfortunately - do you actually see any TACACS+ requests hitting ISE?  Alternatively, run a tcpdump and filter on TCP/UDP 49.

 

Get back to us when you have some info from a report and/or packet trace....

 

Rich


Thanks for your reply Rich.

 

Yes I can confirm Device Admin is enabled.

 

Performing a packet trace and filtering on port 49 (tcp.port == 49), which I have attached, we see port 49 hitting the ISE node (10.0.0105) and communication between the NAD (172.16.0.2).

 

I have had this working previously so don't know why it has now stopped!


Can't say I have much experience of packet traces with TACACS+, but there are a lot of RSTs in there.  Doesn't look right to me on the face of it, though admittedly you can see it going through Authentication / Authorisation.

 

What do the TACACS+ reports in ISE say? Do they acknowledge even receiving any traffic?

 

Likewise, what does troubleshooting TACACS+ on the Switch reveal?


I agree the RSTs are a bit of a worry, but Radius logs make it in OK.

 

If I look at the reports Operations>Reports>Device Administration> there are no reports to view!

 

The Switch tacacs debug shows the following:

 

May 1 13:21:31.357: TPLUS: Queuing AAA Authentication request 63 for processing
May 1 13:21:31.357: TPLUS(0000003F) login timer started 1020 sec timeout
May 1 13:21:31.357: TPLUS: processing authentication start request id 63
May 1 13:21:31.357: TPLUS: Authentication start packet created for 63(admin)
May 1 13:21:31.357: TPLUS: Using server 10.0.0.101
May 1 13:21:31.357: TPLUS(0000003F)/0/NB_WAIT/B3B9038: Started 2 sec timeout
May 1 13:21:31.360: TPLUS(0000003F)/0/NB_WAIT: socket event 2
May 1 13:21:31.360: TPLUS(0000003F)/0/NB_WAIT: wrote entire 37 bytes request
May 1 13:21:31.360: TPLUS(0000003F)/0/READ: socket event 1
May 1 13:21:31.360: TPLUS(0000003F)/0/READ: Would block while reading
May 1 13:21:31.364: TPLUS(0000003F)/0/READ: socket event 1
May 1 13:21:31.364: TPLUS(0000003F)/0/READ: read 0 bytes
May 1 13:21:31.364: TPLUS(0000003F)/0/READ: socket event 1
May 1 13:21:31.364: TPLUS(0000003F)/0/READ: errno 254
May 1 13:21:31.364: TPLUS(0000003F)/0/B3B9038: Processing the reply packet
May 1 13:21:31.381: TPLUS: Queuing AAA Authorization request 63 for processing
May 1 13:21:31.381: TPLUS(0000003F) login timer started 1020 sec timeout
May 1 13:21:31.381: TPLUS: processing authorization request id 63
May 1 13:21:31.381: TPLUS: Protocol set to None .....Skipping
May 1 13:21:31.381: TPLUS: Sending AV service=shell
May 1 13:21:31.381: TPLUS: Sending AV cmd*
May 1 13:21:31.381: TPLUS: Authorization request created for 63(admin)
May 1 13:21:31.381: TPLUS: using previously set server 10.0.0.101 from group ISE-TACACS
May 1 13:21:31.385: TPLUS(0000003F)/0/NB_WAIT/B3B9038: Started 2 sec timeout
May 1 13:21:31.385: TPLUS(0000003F)/0/NB_WAIT: socket event 2
May 1 13:21:31.388: TPLUS(0000003F)/0/NB_WAIT: wrote entire 56 bytes request
May 1 13:21:31.388: TPLUS(0000003F)/0/READ: socket event 1
May 1 13:21:31.388: TPLUS(0000003F)/0/READ: Would block while reading
May 1 13:21:31.392: TPLUS(0000003F)/0/READ: socket event 1
May 1 13:21:31.392: TPLUS(0000003F)/0/READ: errno 254
May 1 13:21:31.392: TPLUS(0000003F)/0/B3B9038: Processing the reply packet
May 1 13:21:31.392: TPLUS: Queuing AAA Accounting request 63 for processing
May 1 13:21:31.392: TPLUS: processing accounting request id 63
May 1 13:21:31.392: TPLUS: Sending AV task_id=527
May 1 13:21:31.392: TPLUS: Sending AV timezone=BST
May 1 13:21:31.395: TPLUS: Sending AV service=shell
May 1 13:21:31.395: TPLUS: Sending AV start_time=1525180891
May 1 13:21:31.395: TPLUS: Accounting request created for 63(admin)
May 1 13:21:31.395: TPLUS: using previously set server 10.0.0.101 from group ISE-TACACS
May 1 13:21:31.395: TPLUS(0000003F)/0/NB_WAIT/B3B9038: Started 2 sec timeout
May 1 13:21:31.399: TPLUS(0000003F)/0/NB_WAIT: socket event 2
May 1 13:21:31.399: TPLUS(0000003F)/0/NB_WAIT: wrote entire 99 bytes request
May 1 13:21:31.399: TPLUS(0000003F)/0/READ: socket event 1
May 1 13:21:31.399: TPLUS(0000003F)/0/READ: Would block while reading
May 1 13:21:31.399: TPLUS(0000003F)/0/READ: socket event 1
May 1 13:21:31.399: TPLUS(0000003F)/0/READ: read 0 bytes
May 1 13:21:31.402: TPLUS(0000003F)/0/READ: socket event 1
May 1 13:21:31.402: TPLUS(0000003F)/0/READ: errno 254
May 1 13:21:31.402: TPLUS(0000003F)/0/B3B9038: Processing the reply packet
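Added example (not from the thread or from Cisco): a small Python parser for the `debug tacacs` (TPLUS) output above. It groups the lines into the three AAA phases and flags every phase where the switch wrote a request but read zero reply bytes before `errno 254`, which is the pattern in the debug quoted above and is consistent with the RSTs seen in the port-49 capture. The sample lines are a constructed, shortened copy of the output in this thread.

```python
import re

# Constructed sample in the same shape as the switch debug quoted above.
SAMPLE_DEBUG = """\
May 1 13:21:31.357: TPLUS: Queuing AAA Authentication request 63 for processing
May 1 13:21:31.357: TPLUS: Using server 10.0.0.101
May 1 13:21:31.360: TPLUS(0000003F)/0/NB_WAIT: wrote entire 37 bytes request
May 1 13:21:31.364: TPLUS(0000003F)/0/READ: read 0 bytes
May 1 13:21:31.364: TPLUS(0000003F)/0/READ: errno 254
May 1 13:21:31.364: TPLUS(0000003F)/0/B3B9038: Processing the reply packet
May 1 13:21:31.381: TPLUS: Queuing AAA Authorization request 63 for processing
May 1 13:21:31.381: TPLUS: using previously set server 10.0.0.101 from group ISE-TACACS
May 1 13:21:31.388: TPLUS(0000003F)/0/NB_WAIT: wrote entire 56 bytes request
May 1 13:21:31.392: TPLUS(0000003F)/0/READ: errno 254
May 1 13:21:31.392: TPLUS(0000003F)/0/B3B9038: Processing the reply packet
"""

QUEUE_RE = re.compile(r"TPLUS: Queuing AAA (\w+) request (\d+) for processing")
SERVER_RE = re.compile(r"(?:Using server|using previously set server) (\S+)")
WROTE_RE = re.compile(r"wrote entire (\d+) bytes request")
READ_RE = re.compile(r"READ: read (\d+) bytes")
ERRNO_RE = re.compile(r"READ: errno (\d+)")


def parse_tplus_debug(text):
    """Return one summary dict per AAA phase (Authentication, Authorization,
    Accounting): server used, bytes written, bytes read back, socket errno,
    and whether the switch went on to process a reply packet."""
    phases, cur = [], None
    for line in text.splitlines():
        if (m := QUEUE_RE.search(line)):
            cur = {"phase": m.group(1), "request": int(m.group(2)),
                   "server": None, "wrote": 0, "read": 0,
                   "errno": None, "reply_processed": False}
            phases.append(cur)
        elif cur is None:
            continue
        elif (m := SERVER_RE.search(line)):
            cur["server"] = m.group(1)
        elif (m := WROTE_RE.search(line)):
            cur["wrote"] += int(m.group(1))
        elif (m := READ_RE.search(line)):
            cur["read"] += int(m.group(1))
        elif (m := ERRNO_RE.search(line)):
            cur["errno"] = int(m.group(1))
        elif "Processing the reply packet" in line:
            cur["reply_processed"] = True
    return phases


def find_empty_replies(phases):
    """Phases where a request was sent but no reply bytes ever came back:
    the server side closed the TCP/49 connection without answering."""
    return [p for p in phases if p["wrote"] > 0 and p["read"] == 0]


if __name__ == "__main__":
    for p in find_empty_replies(parse_tplus_debug(SAMPLE_DEBUG)):
        print(f"{p['phase']} req {p['request']} to {p['server']}: "
              f"wrote {p['wrote']} bytes, read 0, errno {p['errno']}")
```

Feed it the full `debug tacacs` output from the switch; a phase that wrote bytes and read none back means the problem is on the ISE side of the connection, so the device administration report and the NAD/shared-secret definition on the PSN are the next place to look.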