ISE 2.4 || Tacacs username condition (TACACS.User or Network Access.Username)

musultan
Cisco Employee
Hello,

I am trying to configure the TACACS - Device Admin policy in ISE 2.4.
In the AuthC policy condition, if we use the TACACS.User as a condition to identify the username, it never works.
When I use the Network Access.Username, it works.

See the following; AuthC-TACPlus_2 works:

PS_Tacacs_AuthC.png

While on the AuthZ Policy, we can use the TACACS.User as a condition and it works fine.

 

PS_Tacacs_AuthZ.png

Is this a known issue? Please advise or file a bug....

Accepted Solution: CSCvd12326 ISE 2.1 p3 TACACS User cond in AuthC does not match user for telnet auth

8 Replies

Arne Bier
VIP

Your Authentication Policy looks a bit suspect. 

The condition TACACS User EQUALS tacp1  is correct syntax.

The other Condition below is (I believe) not correct - at least, I have never used it that way

Network Access UserName EQUALS tacp1

 

Are you saying that you always end up in the Default Deny Access rule?  You need to provide the output from the Authentication attempt (steps) to see why.  Are you allowing the default Allowed Protocols, and is your TACACS client using one of those (e.g. ASCII, PAP, CHAP etc) - I have seen cases where a client was using a protocol that I was not allowing.  Or, using CHAP for internal users does not work, because ISE doesn't store the passwords that way.

If in doubt, get a tcpdump.

 

ISE has bugs ... but this is not a bug.

It never hits TACACS User EQUALS tacp1 and goes to default until I added the Network Access UserName EQUALS tacp1....

Now the current policy is hitting Network Access UserName EQUALS tacp1 and working fine... and I am trying to understand why.

Frame 55: 76 bytes on wire (608 bits), 76 bytes captured (608 bits)
Ethernet II, Src: CiscoInc_4d:4e:49 (64:a0:e7:4d:4e:49), Dst: Vmware_9c:71:4e (00:50:56:9c:71:4e)
Internet Protocol Version 4, Src: 10.201.172.222, Dst: 10.201.228.238
Transmission Control Protocol, Src Port: 29643, Dst Port: 49, Seq: 30, Ack: 28, Len: 22
TACACS+
    Major version: TACACS+
    Minor version: 0
    Type: Authentication (1)
    Sequence number: 3
    Flags: 0x00 (Encrypted payload, Multiple Connections)
        .... ...0 = Unencrypted: Not set
        .... .0.. = Single Connection: Not set
    Session ID: 3493935468
    Packet length: 10
    Encrypted Request
    Decrypted Request
        Flags: 0x00
        User length: 5
        User: tacp2
        Data length: 0

 

++++++++++++++++

 

Screen Shot 2018-09-03 at 7.20.59 PM.png

 

Looks like a bug to me. Any more advice?
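The decode posted above (sequence number 3, body fields flags / user length / data length) has the layout of a TACACS+ authentication CONTINUE, i.e. the client's reply to the server's username prompt in an ASCII login, rather than the initial START. As an added example, not from this thread or from Cisco, here is a Python parser that rebuilds such a packet with a constructed shared secret (the thread's secret is unknown), removes the RFC 8907 MD5 pseudo-pad obfuscation and checks that the length fields add up, which is how to confirm from a tcpdump which packet actually carries the username.

```python
import hashlib
import struct

HDR = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length
TAC_PLUS_AUTHEN = 1
TAC_PLUS_UNENCRYPTED_FLAG = 0x01

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 body obfuscation: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); pads are concatenated."""
    pad, prev = b"", b""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def build_authen_continue(session_id, seq_no, user_msg, key, version=0xC0):
    """Build an authentication CONTINUE: user_msg_len, data_len, flags, user_msg, data."""
    body = struct.pack("!HHB", len(user_msg), 0, 0) + user_msg
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    body = bytes(b ^ p for b, p in zip(body, pad))
    return HDR.pack(version, TAC_PLUS_AUTHEN, seq_no, 0x00, session_id, len(body)) + body

def decode_authen_continue(pkt, key):
    """Parse the 12-byte header, de-obfuscate the body and return the CONTINUE fields."""
    version, ptype, seq_no, flags, session_id, length = HDR.unpack(pkt[:12])
    if ptype != TAC_PLUS_AUTHEN:
        raise ValueError("not an authentication packet")
    body = pkt[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:  # flag clear means the body is obfuscated
        pad = pseudo_pad(session_id, key, version, seq_no, length)
        body = bytes(b ^ p for b, p in zip(body, pad))
    user_msg_len, data_len, cflags = struct.unpack("!HHB", body[:5])
    if 5 + user_msg_len + data_len != length:
        raise ValueError("length fields do not add up; wrong shared secret?")
    user_msg = body[5:5 + user_msg_len]
    return {"seq_no": seq_no, "session_id": session_id, "length": length,
            "flags": cflags, "user": user_msg.decode(), "data_len": data_len}

KEY = b"labsecret"  # constructed shared secret, not the one used in the thread
# Constructed packet mirroring the capture: seq 3, session 3493935468, user "tacp2", length 10.
SAMPLE = build_authen_continue(3493935468, 3, b"tacp2", KEY)

if __name__ == "__main__":
    print(decode_authen_continue(SAMPLE, KEY))
```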

Ok now I understand what you mean.  Yes, one would expect the first set of rules to match a TACACS username, and not the last two.

 

It's not uncommon for ISE to fail to program the PSN (Policy Services) and then this could happen - you can configure till you're blue in the face, and nothing seems to change on the PSN.  In a distributed environment this is clearly evident when the sync count increases on the PSN node (as seen in the Deployment screen).  The fix is to perform a manual re-sync of that PSN.  If you're on an all-in-one node, then perform an application stop/start.

If that doesn't sort it, then I'd be surprised.

What is your TACACS client (router/switch/emulator?)

It is a lab 6500 switch and the same can be reproduced with my customer too.

Just curious why you even want to complicate your authentication policy. My authentication section is always generic.  Default is check AD then internal users sequence typically.  Then all the magic happens in the authorization phase which is where it should occur.

musultan
Cisco Employee
My customer was doing it this way and then later we found this issue.
We will have to file a bug. My 2 cents.

CSCvd12326 ISE 2.1 p3 TACACS User cond in AuthC does not match user for telnet auth