ISE 2.3 and TACACS

paul1202
Level 1

Hello,

I'm running ISE 2.3 and trying to get TACACS working with a Switch and an ASA. The license and NAD configuration all look good. An aaa radius test works from the switch, while the tacacs test is user rejected.

I don't see any ISE logs for TACACS.

I am able to ping the ISE node from the NADs and have double checked the keys.

Switch configuration:
aaa group server tacacs+ ISE-TACACS
server name apollo-ise
!
aaa authentication login ISE-LOGIN group ISE-TACACS local
aaa authentication enable default group ISE-TACACS enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec ISE-LOGIN group ISE-TACACS local if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 1 default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
ip tacacs source-interface Loopback0
!
tacacs server apollo-ise
address ipv4 10.0.0.101
key 7 03265A080D0B711C5C
timeout 2
!

line vty 0 4
exec-timeout 15 0
authorization exec ISE-LOGIN
logging synchronous
login authentication ISE-LOGIN
transport input ssh

Any help appreciated.

4 Replies

RichardAtkin
Level 3

Did you actually enable Device Administration on one of your ISE PSN nodes (under the Deployment page)?

To review TACACS+ activity you need to run a device administration report - it doesn't integrate with the Live Log unfortunately - do you actually see any TACACS+ requests hitting ISE?  Alternatively, run a tcpdump and filter on TCP/UDP 49.

Get back to us when you have some info from a report and/or packet trace...

Rich

Thanks for your reply, Rich.

Yes I can confirm Device Admin is enabled.

Performing a packet trace and filtering port 49 (tcp.port == 49), which I have attached, we see port 49 hitting the ISE node (10.0.0105) and communication between the NAD (172.16.0.2).

I have had this working previously so don't know why it has now stopped!

Can't say I have much experience of packet traces with TACACS+, but there are a lot of RSTs in there.  Doesn't look right to me on the face of it, though admittedly you can see it going through Authentication / Authorisation.

What do the TACACS+ reports in ISE say?  Do they acknowledge even receiving any traffic?

Likewise, what does troubleshooting TACACS+ on the Switch reveal?

I agree the RSTs are a bit of a worry, but RADIUS logs make it in OK.

If I look at the reports under Operations > Reports > Device Administration, there are no reports to view!

The Switch tacacs debug shows the following:

May 1 13:21:31.357: TPLUS: Queuing AAA Authentication request 63 for processing
May 1 13:21:31.357: TPLUS(0000003F) login timer started 1020 sec timeout
May 1 13:21:31.357: TPLUS: processing authentication start request id 63
May 1 13:21:31.357: TPLUS: Authentication start packet created for 63(admin)
May 1 13:21:31.357: TPLUS: Using server 10.0.0.101
May 1 13:21:31.357: TPLUS(0000003F)/0/NB_WAIT/B3B9038: Started 2 sec timeout
May 1 13:21:31.360: TPLUS(0000003F)/0/NB_WAIT: socket event 2
May 1 13:21:31.360: TPLUS(0000003F)/0/NB_WAIT: wrote entire 37 bytes request
May 1 13:21:31.360: TPLUS(0000003F)/0/READ: socket event 1
May 1 13:21:31.360: TPLUS(0000003F)/0/READ: Would block while reading
May 1 13:21:31.364: TPLUS(0000003F)/0/READ: socket event 1
May 1 13:21:31.364: TPLUS(0000003F)/0/READ: read 0 bytes
May 1 13:21:31.364: TPLUS(0000003F)/0/READ: socket event 1
May 1 13:21:31.364: TPLUS(0000003F)/0/READ: errno 254
May 1 13:21:31.364: TPLUS(0000003F)/0/B3B9038: Processing the reply packet
May 1 13:21:31.381: TPLUS: Queuing AAA Authorization request 63 for processing
May 1 13:21:31.381: TPLUS(0000003F) login timer started 1020 sec timeout
May 1 13:21:31.381: TPLUS: processing authorization request id 63
May 1 13:21:31.381: TPLUS: Protocol set to None .....Skipping
May 1 13:21:31.381: TPLUS: Sending AV service=shell
May 1 13:21:31.381: TPLUS: Sending AV cmd*
May 1 13:21:31.381: TPLUS: Authorization request created for 63(admin)
May 1 13:21:31.381: TPLUS: using previously set server 10.0.0.101 from group ISE-TACACS
May 1 13:21:31.385: TPLUS(0000003F)/0/NB_WAIT/B3B9038: Started 2 sec timeout
May 1 13:21:31.385: TPLUS(0000003F)/0/NB_WAIT: socket event 2
May 1 13:21:31.388: TPLUS(0000003F)/0/NB_WAIT: wrote entire 56 bytes request
May 1 13:21:31.388: TPLUS(0000003F)/0/READ: socket event 1
May 1 13:21:31.388: TPLUS(0000003F)/0/READ: Would block while reading
May 1 13:21:31.392: TPLUS(0000003F)/0/READ: socket event 1
May 1 13:21:31.392: TPLUS(0000003F)/0/READ: errno 254
May 1 13:21:31.392: TPLUS(0000003F)/0/B3B9038: Processing the reply packet
May 1 13:21:31.392: TPLUS: Queuing AAA Accounting request 63 for processing
May 1 13:21:31.392: TPLUS: processing accounting request id 63
May 1 13:21:31.392: TPLUS: Sending AV task_id=527
May 1 13:21:31.392: TPLUS: Sending AV timezone=BST
May 1 13:21:31.395: TPLUS: Sending AV service=shell
May 1 13:21:31.395: TPLUS: Sending AV start_time=1525180891
May 1 13:21:31.395: TPLUS: Accounting request created for 63(admin)
May 1 13:21:31.395: TPLUS: using previously set server 10.0.0.101 from group ISE-TACACS
May 1 13:21:31.395: TPLUS(0000003F)/0/NB_WAIT/B3B9038: Started 2 sec timeout
May 1 13:21:31.399: TPLUS(0000003F)/0/NB_WAIT: socket event 2
May 1 13:21:31.399: TPLUS(0000003F)/0/NB_WAIT: wrote entire 99 bytes request
May 1 13:21:31.399: TPLUS(0000003F)/0/READ: socket event 1
May 1 13:21:31.399: TPLUS(0000003F)/0/READ: Would block while reading
May 1 13:21:31.399: TPLUS(0000003F)/0/READ: socket event 1
May 1 13:21:31.399: TPLUS(0000003F)/0/READ: read 0 bytes
May 1 13:21:31.402: TPLUS(0000003F)/0/READ: socket event 1
May 1 13:21:31.402: TPLUS(0000003F)/0/READ: errno 254
May 1 13:21:31.402: TPLUS(0000003F)/0/B3B9038: Processing the reply packet
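As an added example (not part of this thread or of any Cisco tooling), a small Python analyzer for `debug tacacs` TPLUS output like the trace above: it pairs each `wrote entire N bytes request` with what the switch read back and flags exchanges where the peer closed the TCP connection (`read 0 bytes`) before any reply arrived, which is what the RSTs Rich saw in the capture would look like from the switch side. The healthy session `00000040` and its `read entire ... bytes response` lines are constructed for contrast, not taken from the thread.

```python
import re
from typing import Dict, List

# Constructed sample: session 0000003F is copied from the thread's debug output;
# session 00000040 is a constructed healthy exchange added for contrast.
SAMPLE_DEBUG = """\
May 1 13:21:31.360: TPLUS(0000003F)/0/NB_WAIT: wrote entire 37 bytes request
May 1 13:21:31.364: TPLUS(0000003F)/0/READ: read 0 bytes
May 1 13:21:31.364: TPLUS(0000003F)/0/READ: errno 254
May 1 13:22:02.101: TPLUS(00000040)/0/NB_WAIT: wrote entire 37 bytes request
May 1 13:22:02.104: TPLUS(00000040)/0/READ: read entire 12 header bytes (expect 16 bytes data)
May 1 13:22:02.104: TPLUS(00000040)/0/READ: read entire 28 bytes response
"""

# Session id, socket-state path and message of a per-session TPLUS line.
LINE_RE = re.compile(r"TPLUS\((?P<sid>[0-9A-Fa-f]{8})\)/\d+/(?P<path>[^:]+): (?P<msg>.*)")


def classify(ex: Dict) -> str:
    """Outcome of one request/response exchange on the TACACS+ TCP socket."""
    if ex["received"] > 0:
        return "reply received"
    if ex["eof"] or ex["errno"] is not None:
        # "read 0 bytes" is EOF: the server closed the connection (RST/FIN in a capture)
        return "closed by peer without reply"
    return "no response"


def analyze_tplus(debug_text: str) -> List[Dict]:
    """One record per request the switch wrote, with what it read back."""
    exchanges: List[Dict] = []
    current: Dict[str, Dict] = {}  # session id -> most recent exchange
    for line in debug_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # "TPLUS: Queuing AAA ..." lines carry no session state
        sid, msg = m["sid"], m["msg"]
        if w := re.match(r"wrote entire (\d+) bytes request", msg):
            current[sid] = {"session": sid, "sent": int(w.group(1)),
                            "received": 0, "eof": False, "errno": None}
            exchanges.append(current[sid])
        elif (ex := current.get(sid)) is None:
            continue  # a read before any request was written; nothing to attach
        elif r := re.match(r"read entire (\d+) bytes response", msg):
            ex["received"] += int(r.group(1))
        elif msg == "read 0 bytes":
            ex["eof"] = True
        elif e := re.match(r"errno (\d+)", msg):
            ex["errno"] = int(e.group(1))
    for ex in exchanges:
        ex["outcome"] = classify(ex)
    return exchanges
```

Run it over the full debug above and every one of the three requests (37, 56 and 99 bytes) classifies as "closed by peer without reply", so the server is accepting the TCP connection and then dropping it rather than answering, which is the behaviour to check against the ISE-side reports and the capture.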