05-01-2018 03:40 AM - edited 02-21-2020 10:54 AM
Hello,
I'm running ISE 2.3 and trying to get TACACS working with a Switch and an ASA. The license and NAD configuration all look good. An aaa radius test works from the switch, while the tacacs test is user rejected.
I don't see any ISE logs for TACACS.
I am able to ping the ISE node from the NAD's and have double checked the keys.
Switch configuration:
aaa group server tacacs+ ISE-TACACS
server name apollo-ise
!
aaa authentication login ISE-LOGIN group ISE-TACACS local
aaa authentication enable default group ISE-TACACS enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec ISE-LOGIN group ISE-TACACS local if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 1 default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
ip tacacs source-interface Loopback0
!
tacacs server apollo-ise
address ipv4 10.0.0.101
key 7 03265A080D0B711C5C
timeout 2
!
line vty 0 4
exec-timeout 15 0
authorization exec ISE-LOGIN
logging synchronous
login authentication ISE-LOGIN
transport input ssh
Any help appreciated.
05-01-2018 04:41 AM
Did you actually enable Device Administration on one of your ISE PSN nodes (under the Deployment page)?
To review TACACS+ activity you need to run a device administration report - it doesn't integrate with the Live Log unfortunately - do you actually see any TACACS+ requests hitting ISE? Alternatively, run a tcpdump and filter on TCP/UDP 49.
Get back to us when you have some info from a report and/or packet trace....
Rich
05-01-2018 05:45 AM
Thanks for your reply Rich.
Yes I can confirm Device Admin is enabled.
Performing a packet trace and filtering on port 49 (tcp.port == 49), which I have attached, we see port 49 hitting the ISE node (10.0.0105) and communication between the NAD (172.16.0.2).
I have had this working previously so don't know why it has now stopped!
05-01-2018 05:56 AM
Can't say I have much experience of packet traces with TACACS+, but there are a lot of RSTs in there. Doesn't look right to me on the face of it, though admittedly you can see it going through Authentication / Authorisation.
What do the TACACS+ reports in ISE say? Do they acknowledge even receiving any traffic?
Likewise, what does troubleshooting TACACS+ on the Switch reveal?
05-01-2018 06:24 AM
I agree the RSTs are a bit of a worry, but Radius logs make it in OK.
If I look at the reports Operations>Reports>Device Administration> there are no reports to view!
The Switch tacacs debug shows the following:
May 1 13:21:31.357: TPLUS: Queuing AAA Authentication request 63 for processing
May 1 13:21:31.357: TPLUS(0000003F) login timer started 1020 sec timeout
May 1 13:21:31.357: TPLUS: processing authentication start request id 63
May 1 13:21:31.357: TPLUS: Authentication start packet created for 63(admin)
May 1 13:21:31.357: TPLUS: Using server 10.0.0.101
May 1 13:21:31.357: TPLUS(0000003F)/0/NB_WAIT/B3B9038: Started 2 sec timeout
May 1 13:21:31.360: TPLUS(0000003F)/0/NB_WAIT: socket event 2
May 1 13:21:31.360: TPLUS(0000003F)/0/NB_WAIT: wrote entire 37 bytes request
May 1 13:21:31.360: TPLUS(0000003F)/0/READ: socket event 1
May 1 13:21:31.360: TPLUS(0000003F)/0/READ: Would block while reading
May 1 13:21:31.364: TPLUS(0000003F)/0/READ: socket event 1
May 1 13:21:31.364: TPLUS(0000003F)/0/READ: read 0 bytes
May 1 13:21:31.364: TPLUS(0000003F)/0/READ: socket event 1
May 1 13:21:31.364: TPLUS(0000003F)/0/READ: errno 254
May 1 13:21:31.364: TPLUS(0000003F)/0/B3B9038: Processing the reply packet
May 1 13:21:31.381: TPLUS: Queuing AAA Authorization request 63 for processing
May 1 13:21:31.381: TPLUS(0000003F) login timer started 1020 sec timeout
May 1 13:21:31.381: TPLUS: processing authorization request id 63
May 1 13:21:31.381: TPLUS: Protocol set to None .....Skipping
May 1 13:21:31.381: TPLUS: Sending AV service=shell
May 1 13:21:31.381: TPLUS: Sending AV cmd*
May 1 13:21:31.381: TPLUS: Authorization request created for 63(admin)
May 1 13:21:31.381: TPLUS: using previously set server 10.0.0.101 from group ISE-TACACS
May 1 13:21:31.385: TPLUS(0000003F)/0/NB_WAIT/B3B9038: Started 2 sec timeout
May 1 13:21:31.385: TPLUS(0000003F)/0/NB_WAIT: socket event 2
May 1 13:21:31.388: TPLUS(0000003F)/0/NB_WAIT: wrote entire 56 bytes request
May 1 13:21:31.388: TPLUS(0000003F)/0/READ: socket event 1
May 1 13:21:31.388: TPLUS(0000003F)/0/READ: Would block while reading
May 1 13:21:31.392: TPLUS(0000003F)/0/READ: socket event 1
May 1 13:21:31.392: TPLUS(0000003F)/0/READ: errno 254
May 1 13:21:31.392: TPLUS(0000003F)/0/B3B9038: Processing the reply packet
May 1 13:21:31.392: TPLUS: Queuing AAA Accounting request 63 for processing
May 1 13:21:31.392: TPLUS: processing accounting request id 63
May 1 13:21:31.392: TPLUS: Sending AV task_id=527
May 1 13:21:31.392: TPLUS: Sending AV timezone=BST
May 1 13:21:31.395: TPLUS: Sending AV service=shell
May 1 13:21:31.395: TPLUS: Sending AV start_time=1525180891
May 1 13:21:31.395: TPLUS: Accounting request created for 63(admin)
May 1 13:21:31.395: TPLUS: using previously set server 10.0.0.101 from group ISE-TACACS
May 1 13:21:31.395: TPLUS(0000003F)/0/NB_WAIT/B3B9038: Started 2 sec timeout
May 1 13:21:31.399: TPLUS(0000003F)/0/NB_WAIT: socket event 2
May 1 13:21:31.399: TPLUS(0000003F)/0/NB_WAIT: wrote entire 99 bytes request
May 1 13:21:31.399: TPLUS(0000003F)/0/READ: socket event 1
May 1 13:21:31.399: TPLUS(0000003F)/0/READ: Would block while reading
May 1 13:21:31.399: TPLUS(0000003F)/0/READ: socket event 1
May 1 13:21:31.399: TPLUS(0000003F)/0/READ: read 0 bytes
May 1 13:21:31.402: TPLUS(0000003F)/0/READ: socket event 1
May 1 13:21:31.402: TPLUS(0000003F)/0/READ: errno 254
May 1 13:21:31.402: TPLUS(0000003F)/0/B3B9038: Processing the reply packet
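Added example, not code from anyone in this thread: a small Python parser for IOS `debug tacacs` output in the shape shown above. It groups TPLUS lines by session id, starts a new exchange at each "wrote entire N bytes request", and flags exchanges where the socket closed ("read 0 bytes" / "errno") before any reply bytes arrived, which is what all three exchanges of session 0000003F above show and what the RSTs in the capture correspond to. The sample text is constructed: the 0000003F lines mirror the debug above, and session 00000040 is an invented healthy exchange for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the 'debug tacacs' output above (00000040 is invented).
SAMPLE_DEBUG = """\
May 1 13:21:31.357: TPLUS: Queuing AAA Authentication request 63 for processing
May 1 13:21:31.357: TPLUS(0000003F)/0/NB_WAIT/B3B9038: Started 2 sec timeout
May 1 13:21:31.360: TPLUS(0000003F)/0/NB_WAIT: wrote entire 37 bytes request
May 1 13:21:31.360: TPLUS(0000003F)/0/READ: Would block while reading
May 1 13:21:31.364: TPLUS(0000003F)/0/READ: read 0 bytes
May 1 13:21:31.364: TPLUS(0000003F)/0/READ: errno 254
May 1 13:21:31.364: TPLUS(0000003F)/0/B3B9038: Processing the reply packet
May 1 13:21:40.100: TPLUS: Queuing AAA Authentication request 64 for processing
May 1 13:21:40.101: TPLUS(00000040)/0/NB_WAIT: wrote entire 37 bytes request
May 1 13:21:40.105: TPLUS(00000040)/0/READ: read 12 bytes
May 1 13:21:40.105: TPLUS(00000040)/0/B3B9038: Processing the reply packet
"""

# TPLUS(<session>)/<n>/<state>[/<handle>]: <message>; bare "TPLUS:" lines carry no session id.
SESSION_RE = re.compile(r"TPLUS\((?P<sid>[0-9A-F]+)\)/\d+/[A-Z0-9_]+(?:/[0-9A-F]+)?: (?P<msg>.*)")
WROTE_RE = re.compile(r"wrote entire (\d+) bytes request")
READ_RE = re.compile(r"read (\d+) bytes")


def parse_tplus(debug_text):
    """Return {session_id: [exchange, ...]}; each exchange starts at a 'wrote entire' line."""
    sessions = defaultdict(list)
    for line in debug_text.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue
        sid, msg = m.group("sid"), m.group("msg")
        if (w := WROTE_RE.search(msg)):
            sessions[sid].append({"wrote": int(w.group(1)), "read": 0, "errors": []})
            continue
        if not sessions[sid]:
            continue  # timer/socket events before the first request was written
        cur = sessions[sid][-1]
        if (r := READ_RE.search(msg)):
            cur["read"] += int(r.group(1))
        elif msg.startswith("errno"):
            cur["errors"].append(msg)
    return dict(sessions)


def closed_without_reply(sessions):
    """(session_id, exchange_index) pairs where a request went out but no reply bytes came back."""
    return [(sid, i) for sid, exs in sessions.items() for i, ex in enumerate(exs) if ex["read"] == 0]


if __name__ == "__main__":
    for sid, i in closed_without_reply(parse_tplus(SAMPLE_DEBUG)):
        print(f"session {sid} exchange {i}: server closed the socket without a TACACS+ reply")
```

Feed it the full debug from the post and every exchange of 0000003F is flagged, which narrows the problem to the ISE side (the PSN accepts the TCP connection and then drops it) rather than to reachability or the switch's AAA method lists.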