Solved: ISE 2.3 randomly does not authenticate users

katerina.dardoufa · ‎04-11-2019

Hello all,

we are running ISE 2.3 with patch 6. I tried to add some new devices to authenticate via tacacs+, but ISE does not always authenticate the users. In the tacacs live logs, I do not see the username that was manually entered, but instead of that I see "username#random_number#", which was clearly not entered!

Any ideas?

Timothy Abbott · ‎04-11-2019

Hi,

I recommend you work with the TAC to investigate this issue further. It could be an issue with the network access device or ISE.

Regards,

-Tim

View solution in original post

Timothy Abbott · ‎04-11-2019

Hi,

I recommend you work with the TAC to investigate this issue further. It could be an issue with the network access device or ISE.

Regards,

-Tim

katerina.dardoufa · ‎04-19-2019

Hello Tim,

I was able to find what is causing the issue. The problem is with Nexus 7K with 7 VDCs. If the first attempt to authenticate to the device is unsuccessful (wrong password), then when trying for the second/third time, the tacacs logs show username followed by #vdc_number# for the second attempt, #vdc_number##vdc_number# for the third attempt and the device responds with "too many authentication failures". If I then login with the correct credentials everything is ok.

The question is why the devices adds #vdc_number# to the username, causing ISE to fail?

Thank you in advance,

Katerina