
ISE linux Tacacs_PAM

mikhailov.ivan
Level 1

Hello colleagues! I got confused trying to configure Linux hosts with the TACACS PAM package with Cisco ISE 3.3.

Details: There is an ISE server (standalone) 3.3 with a Device Admin/TACACS licence + MS_AD. It works as usual with network devices like switches, routers, etc. But for the first time I have a case where I need to configure a bunch of "IoT" kind of devices (some call them "industrial 4G routers") based on Linux, some kind of xWRT + BusyBox, with auth via TACACS and the ISE server. There is a package called pam_tacplus (https://www.redhat.com/en/blog/pam-configuration-file) that works as a TACACS client. There are hundreds of them, but they are all very similar. For instance, there is a guide from a vendor on how to configure it: https://wiki.teltonika-networks.com/view/TACACS%2B

but it's a bit unclear. I configured the "Device Admin Policy Set" and got to the point where the auth process matches the policy and I see it in the log. But it says "22056 Subject not found in the applicable identity store(s)", and I can't understand what has to be matched with what. On the Linux devices there are 3 embedded groups (root, admin, user) which I can't change, but I can create local users. On the ISE there are AD groups, but what do I have to do to match AD groups like RO/RW with the local Admin/User groups? Does anyone have this experience? Please share guides. Thanks!

3 Replies

Arne Bier
VIP

It sounds like you are familiar with configuring TACACS+ (ISE Device Admin) Policy Sets, but I am unclear why you are seeing "subject not found". That of course means that ISE was unable to match the provided TACACS username in any of your provided identity sources. First of all, have you done a tcpdump in ISE during such an authentication to see what TACACS username is provided?

Does that credential exist in ISE or in AD? Where do you want it to exist?

Show us your Policy Set and the Live Logs Details (Steps) to determine where it's going wrong.

Do you allow all the protocols as part of Allowed Protocols (PAP, CHAP and MSCHAPv1)? Noting that PAP will be the only method of those three that works with modern AD servers - CHAP and MSCHAPv1 should be rejected by AD servers. ISE local accounts will support all three methods. You can see the method that the Linux client used in the Live Logs details.

mikhailov.ivan
Level 1

I've tried to get a tcpdump on the only interface, but the TACACS messages are encrypted, so I see only simple request-response pairs. Do you know how to get it unencrypted? The Linux device doesn't support an empty TACACS+ key field. Yes, it's obvious that we need to check which username the Linux device sends and in which format.

TACACS+
Major version: TACACS+
Minor version: 1
Type: Authentication (1)
Sequence number: 1
Flags: 0x00 (Encrypted payload, Multiple Connections)
Session ID: 2486844635
Packet length: 46
Encrypted Request

They are standard AD groups and they are used for other vendors like Cisco (TACACS), Mikrotik (RADIUS), etc., and it works. So the users 100% exist as external IDs.

Legacy encryption is enabled because, as far as I remember, Mikrotik RADIUS required it.

The log is:

Authentication Details

Generated Time: 2025
Logged Time: 2025
Epoch Time (sec):
ISE Node: ISE
Message Text: Failed-Attempt: Authentication failed
Failure Reason: 22056 Subject not found in the applicable identity store(s)
Resolution: Check whether the subject is present in any one of the chosen identity stores. Note that some identity stores may have been skipped due to identity resoultion settings or if they do not support the current authentication protocol.
Root Cause: Subject not found in the applicable identity store(s).
Username: INVALID
Network Device Name: IoT_X_Y_Z
Network Device IP: 172.20.x.x
Network Device Groups: IPSEC#Is IPSEC Device#No,Cisco_Devices#Cisco_Devices#Cisco_Switches,Location#All Locations#X#Yt#Z#Z_01_fl1,Device Type#All Device Types#Teltonika_Devices
Device Type: Device Type#All Device Types#Teltonika_Devices
Location: Location#All Locations#X#Y#Z_01#Z_01_fl1
Device Port: pamd
Remote Address: 172.16.*.*

Other Attributes

ConfigVersionId: 488
Device Port: 42798
DestinationPort: 49
UserName: INVALID
Protocol: Tacacs
Type: Authentication
NetworkDeviceProfileId: b0699505-3150-4215-a80e-6753d45bf56c
AuthenticationMethod: PAP_ASCII
SelectedAccessService: Default Device Admin
RequestLatency: 9
SelectedAuthenticationIdentityStores: Internal Users
SelectedAuthenticationIdentityStores: All_AD_Join_Points
SelectedAuthenticationIdentityStores: Guest Users
CPMSessionID: 3678157460172.20.X.X42798Authentication3678157460
StepLatency: 1=1;2=0;3=0;4=1;5=1;6=0;7=0;8=2;9=0;10=0;11=2;12=0;13=0;14=0;15=0;16=0;17=0;18=0;19=2;20=0;21=0;22=0;23=0;24=0
TotalAuthenLatency: 9
ClientLatency: 0
IsMachineIdentity: false
Model Name: Teltonika
Network Device Profile: Cisco
IPSEC: IPSEC#Is IPSEC Device#No
Cisco_Devices: Cisco_Devices#Cisco_Devices
Response: {AuthenticationResult=UnknownUser; Authen-Reply-Status=Fail; }

I thought someone might have some experience with the pam_tacplus package and just wanted to copy/paste and then dig.


mikhailov.ivan
Level 1

OK, sorry for spamming. I've decrypted the TACACS+ messages and it seems the Linux PAM sends only the logins which exist locally on the device. Root, Admin and User are embedded. So when I enter the "admin" login and the PAM is configured as "Optional", I can see "admin" as the user name and obviously it doesn't match. For some reason it doesn't send the AD user's creds. Looks like it's more of a question for Linux and PAM, but for me it makes no sense because one of the use cases for TACACS is AD creds.
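The "encrypted" TACACS+ body that stopped the tcpdump in the earlier reply, and the decrypted START that finally showed which user field the device sends, both come down to the RFC 8907 MD5 pseudo-pad keyed with the shared secret the NAD and ISE already hold. The following is an added example, not code from the thread, from pam_tacplus or from ISE: it builds a constructed Authentication START (seq 1, version 0xC1, session id taken from the Wireshark summary above; the key, port and remote address are made up) and recovers the user field that ISE looks up in its identity stores, which is exactly the check Arne asked for.

```python
import hashlib
import struct
# Constructed shared secret for this example; not a value from the thread.
SHARED_KEY = b"example-shared-key"
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body is cleartext when set (RFC 8907)

def pseudo_pad(session_id: bytes, key: bytes, version: int, seq_no: int, n: int) -> bytes:
    """RFC 8907 pad: chained MD5(session_id + key + version + seq_no [+ previous digest])."""
    pad, prev = b"", b""
    while len(pad) < n:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:n]

def parse_header(pkt: bytes) -> dict:
    """Split the fixed 12-byte header (version, type, seq_no, flags, session_id, length)."""
    keys = ("version", "type", "seq_no", "flags", "session_id", "length")
    return dict(zip(keys, struct.unpack("!BBBBII", pkt[:12])))

def body_xor(pkt: bytes, key: bytes) -> bytes:
    """Obfuscate or de-obfuscate the body (XOR is symmetric); honours the UNENCRYPTED flag."""
    hdr = parse_header(pkt)
    body = pkt[12:12 + hdr["length"]]
    if hdr["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    pad = pseudo_pad(pkt[4:8], key, hdr["version"], hdr["seq_no"], len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(session_id: int, user: bytes, port: bytes, rem_addr: bytes, key: bytes) -> bytes:
    """Authentication START (type 1, seq 1): action LOGIN, priv_lvl 1, ASCII login, no data field."""
    body = struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), 0) + user + port + rem_addr
    header = struct.pack("!BBBBII", 0xC1, 1, 1, 0x00, session_id, len(body))
    return header + body_xor(header + body, key)

def parse_authen_start(body: bytes) -> dict:
    """Pull user/port/rem_addr out of a de-obfuscated START body."""
    ulen, plen, rlen = body[4], body[5], body[6]
    user, port = body[8:8 + ulen], body[8 + ulen:8 + ulen + plen]
    rem_addr = body[8 + ulen + plen:8 + ulen + plen + rlen]
    return {"action": body[0], "priv_lvl": body[1], "authen_type": body[2],
            "user": user, "port": port, "rem_addr": rem_addr}

def username_from_capture(pkt: bytes, key: bytes) -> bytes:
    """The user field the NAD actually sent: the value ISE looks up in its identity stores."""
    return parse_authen_start(body_xor(pkt, key))["user"]

if __name__ == "__main__":
    pkt = build_authen_start(2486844635, b"admin", b"pamd", b"172.16.0.1", SHARED_KEY)
    print(username_from_capture(pkt, SHARED_KEY))   # b'admin' with the correct key
    print(username_from_capture(pkt, b"wrong-key"))  # unreadable bytes with the wrong key
```

On a real capture, feed the TCP payload of each packet to `body_xor` with the key configured on both the device and the ISE network device entry; a mismatched key yields garbage rather than an error, which is also why a wrong key shows up on ISE as a failed or invalid authentication rather than a decode error.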