Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2592
Views
5
Helpful
7
Replies

ISE 2.7 Patch 2 on VM: TACACS broken?

gaigl
Level 3
Level 3

‎07-29-2020 12:39 AM

Hello,

 

we've got a ISE Test-Device on VM and a Deployment on Hardware.

When I install Patch 2 on the virtual machine, TACACS is broken, I get a " 13078 Invalid TACACS+ authorization request packet - possibly malformed packet"

 

rolling back Patch 2, everything is fine again.

 

The same Patch on the Hardware-Deployment is working fine.

 

Has anyone installed the Patch on a VM and is running TACACS Policy?

 

Radius is fine

0 Helpful
7 Replies 7

Arne Bier
VIP
VIP

‎07-29-2020 04:54 PM

I had a horrid experience with 2.7 p1 and I eventually killed it off in favour of the old ISE 2.4 - but thanks for your valuable feedback - if you could open a TAC case to get confirmation of a bug, then it would be very helpful in avoiding this patch. If it is a bug then Cisco ought to reconsider making this a golden/recommended release. There is no reason for TACACS to stop working so late in the game.

0 Helpful

Dinesh Moudgil
Cisco Employee
Cisco Employee

‎07-30-2020 10:53 PM

Hello @gaigl

I have tested device admin with ISE VM 2.7 on a 3750 switch and it works even after upgrading ISE to patch 2.

 

Were you able to gather packet capture from ISE during the time of the issue ?

 

If yes, what do you see when you decrypt Tacacs+ packet exchange in wireshark by entering the shared secret?

 

Thanks,

Dinesh Moudgil

 

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful

gaigl
Level 3
Level 3
In response to Dinesh Moudgil

‎08-02-2020 10:48 PM

no I didn't take a capture, when I saw the error, I instantly rolled back.

But maybe I try the patch once again.

thanks for your test

0 Helpful

Dinesh Moudgil
Cisco Employee
Cisco Employee
In response to gaigl

‎08-02-2020 10:58 PM

Please do take packet captures and debugs on both ISE and switch or perhaps open a TAC case if you can, to investigate further.

 

Thanks,

Dinesh Moudgil

 

 

 

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-03-2020 05:08 AM

I have ISE 2.7 Patch 2 (single node VM deployment) in my lab with TACACS (Device Admin role) and it is working fine.

ISE 2.7 P2 TACACS Live LogISE 2.7 P2 TACACS Live Log

gaigl
Level 3
Level 3
In response to Marvin Rhoads

‎08-03-2020 06:36 AM

I've tried patch-install a decond time: now it's ok.

strange but ok

thanks guys

0 Helpful

Jamie1107
Level 1
Level 1
In response to Marvin Rhoads

‎11-18-2020 01:20 AM

I see your Tacacs Live logs are working?  I cant get mine working, not sure what's happening.  I am same version and patch as yourself.

Tacacs reports are fine.  

0 Helpful
Customers Also Viewed These Support Documents