07-08-2018 10:54 PM
I am configuring an ASR 1002 with TACACS+, integrating it with ISE 2.2.
I configured two users in ISE for TACACS+ testing: one with privilege 15 (test) and another with privilege 1,7 (test1).
Note: on other devices these two users work for me without any problem.
With the user (test) the ASR authenticates me without problem and I see the logs in ISE.
The problem is with the user (test1): it asks me for the enable password, I enter it, and it does not authenticate me. I am not an ASR expert and I followed some guides for the configuration, but it is still the same error.
Am I missing some command that I need to apply?
07-09-2018 01:20 PM
Hi Nestor,
Have you consulted the configuration guide?
How To: ISE TACACS+ Configuration for IOS Network Devices
If you are still facing an issue please post your ASR configuration along with the error. Else you could open a TAC case & get a resolution.
- Krish
07-09-2018 05:11 PM
Yes, I followed the guide, but I still get the same error: I can only authenticate with the privilege 15 user, but with the privilege 1.7 user it still does not accept the enable password.
aaa new-model
!
!
aaa group server tacacs+ DemoISE
server 11.22.33.44
!
aaa authentication login default group DemoISE local
aaa authorization config-commands
aaa authorization exec default group DemoISE local
aaa authorization exec EXEC group DemoISE local
!
tacacs-server host 11.22.33.44
tacacs-server directed-request
tacacs-server key 7 20D88951F
!
line con 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
authorization exec EXEC
logging synchronous
transport input all
line vty 5 15
logging synchronous
What is the mistake I'm making?
07-09-2018 05:57 PM
Please use the T+ live logs and check what the failure reasons are when "enable" is issued for test1. If there is no failure in the live logs, then it could be that this particular NAD does not like some attributes returned from ISE. In that case, you need to consult the ASR support teams.
It seems strange with a privilege of 1.7, as the privilege levels are integers.
07-10-2018 06:52 AM
I will share my config from our ASR 1000 series; you must add the following for privilege 7:
aaa group server tacacs+ ISE
server-private x.x.x.x key xxxxx
server-private x.x.x.x key xxxxx
ip vrf forwarding bg_mgmt_lan
ip tacacs source-interface Loopback1
!
aaa authentication login default group ISE local
aaa authentication login console none
aaa authentication login CON group ISE local
aaa authentication login VTY group ISE local
aaa authentication enable default group ISE line enable none
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group ISE local
aaa authorization exec CON none
aaa authorization exec VTY group ISE local if-authenticated
aaa authorization commands 1 VTY group ISE local if-authenticated
aaa authorization commands 15 VTY group ISE local if-authenticated
aaa accounting exec default start-stop group ISE
aaa accounting commands 1 default start-stop group ISE
aaa accounting commands 15 default start-stop group ISE
tacacs-server host x.x.x.x key 7 xxxxxxxx
tacacs-server host x.x.x.x key 7 xxxxxxxx
tacacs-server directed-request
Just add:
aaa authorization commands 7 VTY group ISE local if-authenticated
aaa accounting commands 7 default start-stop group ISE
and add on line vty
line vty 0 4
authorization commands 7 VTY
line con 0
exec-timeout 0 0
authorization exec CON
logging synchronous
login authentication CON
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 1 in vrf-also
exec-timeout 60 0
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
logging synchronous
login authentication VTY
line vty 5 15
access-class 1 in vrf-also
exec-timeout 60 0
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
logging synchronous
login authentication VTY
And this is our version:
Cisco IOS XE Software, Version 03.13.00.S - Extended Support Release
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSAL-M), Version 15.4(3)S, RELEASE SOFTWARE (fc11)
07-10-2018 09:01 AM
Please try these configuration changes and give it a shot. Else try the TAC route.
- Krish
07-10-2018 12:20 PM
Hi
I followed the configuration of ognyan sabev, but unfortunately I did not succeed. I have IOS XE 16.06.03.
07-10-2018 07:58 PM
Hi again, can you make a screenshot of the TACACS policy sets, and one of the privilege where you allow commands?
07-11-2018 09:52 AM
I am guessing test1 actually has the default privilege of 1 and the max privilege of 7. In that case, the enable command should be "enable 7". I am not sure whether that is what you did.
If "enable 7" is still failing for you, please do check the T+ live logs and see what the failure reason is.
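The two suggestions in this thread (ognyan sabev's per-level `aaa authorization commands 7` / `aaa accounting commands 7` lines applied on the vty lines, and the note that a default-1 / max-7 user has to run `enable 7`, which only reaches TACACS+ if an `aaa authentication enable default` list exists) can be turned into a quick config check. The script below is an added example, not code from the thread or from Cisco: it parses an IOS / IOS XE config excerpt and reports which of those statements are missing for a given privilege level. `SAMPLE_CONFIG` is constructed from the original poster's excerpt; `FIXED_CONFIG` is the same excerpt with the missing lines added, and the method-list name `VTY` and the `enable` method list in it are assumptions, not the poster's configuration.

```python
"""Audit an IOS / IOS XE config excerpt for the AAA statements a TACACS+
user at a non-15 privilege level needs after 'enable <level>'.
Added example, not from the thread or Cisco."""
import re
from typing import Dict, List, Set

# Constructed: the original poster's excerpt (key and cosmetic lines trimmed).
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ DemoISE
 server 11.22.33.44
aaa authentication login default group DemoISE local
aaa authorization config-commands
aaa authorization exec default group DemoISE local
aaa authorization exec EXEC group DemoISE local
tacacs-server host 11.22.33.44
line con 0
 logging synchronous
line vty 0 4
 authorization exec EXEC
 transport input all
line vty 5 15
 logging synchronous
"""

# Constructed: the same excerpt plus the level-7 lines the thread suggests.
# The list name VTY and the enable method list are assumptions, not the poster's.
FIXED_CONFIG = (
    SAMPLE_CONFIG
    .replace("line con 0", "aaa authentication enable default group DemoISE enable\n"
             "aaa authorization commands 7 VTY group DemoISE local if-authenticated\n"
             "aaa accounting commands 7 default start-stop group DemoISE\n"
             "line con 0")
    .replace("line vty 0 4\n", "line vty 0 4\n authorization commands 7 VTY\n")
    .replace("line vty 5 15\n", "line vty 5 15\n authorization commands 7 VTY\n")
)

ENABLE_RE = re.compile(r"^aaa authentication enable default\b")
CMD_AUTHZ_RE = re.compile(r"^aaa authorization commands (\d+) (\S+)")
CMD_ACCT_RE = re.compile(r"^aaa accounting commands (\d+) (\S+)")
LINE_AUTHZ_RE = re.compile(r"^authorization commands (\d+) (\S+)")


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Split the config into 'global' lines and one bucket per 'line ...' stanza.
    Assumes the line stanzas come after the global AAA commands, as IOS orders them."""
    sections: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if text.startswith("line "):
            current = text
            sections.setdefault(current, [])
            continue
        sections[current].append(text)
    return sections


def _lists_for_level(lines: List[str], pattern: "re.Pattern[str]", level: int) -> Set[str]:
    """Names of the method lists that `pattern` defines or applies for `level`."""
    found: Set[str] = set()
    for text in lines:
        m = pattern.match(text)
        if m and int(m.group(1)) == level:
            found.add(m.group(2))
    return found


def audit_privilege(config: str, level: int) -> List[str]:
    """Return human-readable findings; an empty list means nothing is missing."""
    sections = parse_sections(config)
    glob = sections["global"]
    findings: List[str] = []
    if "aaa new-model" not in glob:
        findings.append("'aaa new-model' missing: named AAA method lists are never consulted")
    if not any(ENABLE_RE.match(t) for t in glob):
        findings.append(f"no 'aaa authentication enable default ...': 'enable {level}' is "
                        "checked against the local enable secret, not TACACS+")
    authz = _lists_for_level(glob, CMD_AUTHZ_RE, level)
    if not authz:
        findings.append(f"no 'aaa authorization commands {level} ...' method list")
    if not _lists_for_level(glob, CMD_ACCT_RE, level):
        findings.append(f"no 'aaa accounting commands {level} ...': level-{level} commands "
                        "are not reported to the accounting server")
    for name, lines in sections.items():
        if not name.startswith("line vty"):
            continue
        applied = _lists_for_level(lines, LINE_AUTHZ_RE, level)
        # A 'default' list applies to every line; a named list must be applied explicitly.
        if "default" in authz or applied & authz:
            continue
        findings.append(f"{name}: no 'authorization commands {level} <list>' applied")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_CONFIG), ("with level-7 lines", FIXED_CONFIG)):
        print(f"{label}:", audit_privilege(cfg, 7) or ["no findings"])
```

Run against the poster's excerpt with level 7, the audit lists the missing `aaa authentication enable default` list (which explains why the enable password prompt never reaches ISE), the missing `aaa authorization commands 7` and `aaa accounting commands 7` lists, and the two vty ranges that apply no level-7 command authorization; the corrected excerpt produces no findings. The check only inspects the device side; whether ISE's policy set actually returns a privilege of 7 for the user is still best confirmed in the T+ live logs, as the replies above say.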