ISE not authenticating connections over console port. AD issue?

cylemmulo1
Level 1

So I haven't been able to find anything googling. I keep just finding people who don't want the console to hit tacacs.


However, I'm trying to get a normal setup of authentication (TACACS, then local). I've got things set up, and I can log in perfectly fine with my AD login through SSH on the switch. When I try while plugged into the console port, it won't authenticate me. ISE shoots me to the default deny policy set.


Now in the log I noticed it's showing the communication to Active Directory slightly differently. On my policy set I have: ISE-AD External Groups = *AD location*. Device location = WAN, Device type = IOS. If I set External Groups to "not equal" instead of "equal", it allows me in. I just have no idea why it would be trying to do that differently via console.


I trimmed down the config on a switch in case anything was causing an issue. On my 3750 I have the TACACS server and group configured. My login authentication default is set to TACACS. aaa authorization console is configured.


All pretty standard, and correctly done, as I can see from the successful logins over SSH and by changing policy sets. So, how would my connection coming in on tty0 be influencing the decision of ISE?


Thanks for any help.
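For reference, here is the kind of IOS AAA configuration the original post describes (TACACS+ login authentication with local fallback, plus aaa authorization console), written out as an added example. It is not the poster's actual config; the server name, group name, address, secret and local username are placeholders.

```ios
! Constructed example, not the poster's configuration. Placeholders marked CHANGE_ME.
aaa new-model
!
! TACACS+ server (an ISE PSN); address and shared secret are placeholders
tacacs server ISE-PSN
 address ipv4 192.0.2.10
 key CHANGE_ME_SHARED_SECRET
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN
!
! Authenticate against ISE first; "local" is only consulted if no
! TACACS+ server responds, not when ISE returns a reject
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local if-authenticated
!
! Without this line, console sessions bypass AAA authorization entirely
aaa authorization console
!
! Local fallback account, used only when the TACACS+ servers are unreachable
username admin privilege 15 secret CHANGE_ME_LOCAL_PASSWORD
!
! Console and VTY both use the same default method lists, so a console
! login should reach ISE just like an SSH login does
line con 0
 login authentication default
 authorization exec default
line vty 0 15
 login authentication default
 authorization exec default
 transport input ssh
```

With this in place, ISE sees console and SSH logins as separate TACACS+ sessions from the same device; the difference visible in ISE live logs is the port (tty0 versus the VTY lines), so a policy condition on AD group membership should evaluate identically for both.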


5 Replies

Nidhi
Cisco Employee

Checking with our SME on this.

RichardAtkin
Level 3

Assuming your switch configs are all fine, look into the details of your successful and failed authentication attempts and you will see there is a difference between them, as console traffic is identified differently than SSH in ISE.


Once you've spotted the difference you'll be able to create a condition to match it and off you go. Unfortunately I don't have access to an ISE at the moment to show you where; hopefully some kind soul will post a screenshot to show you the exact bits to look for.

So the only difference I see is that they are showing TTL0 for console and TTL1-5 for SSH. However, I can't find anything that will even allow me to limit that.


Though when it comes down to it, if I change the AD setting it works, so that shouldn't even be it.

hslai
Cisco Employee

...

On my policy set I have: ISE-AD External Groups = *AD location*. ...


This AD group condition looks odd. ISE 1.3+ AD external groups are using SIDs so we have to pick from the drop-down list of AD groups and it won't work to match on text strings.

Other than that, you are correct that the AD username lookup should work the same way regardless of client line connections.

I would suggest trying to turn on debug for the "Active Directory" components and checking the debug log ad_agent.log. If you need help deciphering the log messages in the debug log, or you find a bug, please engage Cisco TAC.


Thanks, I'll check that out. The AD group does show as a SID when listed in the ISE policy. I will give the debug a try when I get back into work. I appreciate the help!