08-15-2017 10:24 AM
Hi
I have set up and configured TACACS+ on Cisco ISE 2.2 and have successfully migrated 70+ devices (IOS, ASA, WLC) to TACACS+. I am now facing the following strange issue with a few new devices I am trying to add. The authentication status continues to show "fail" for a few devices and I receive an error message stating "TACACS: Received TACACS+ packet with invalid length". Am I missing something in my TACACS+ config? Please advise.
Below is my tacacs config
#####
START
#####
!
aaa new-model
!
tacacs server ise-1
address ipv4 x.x.x.x
key xxxxxx
!
!
tacacs server ise-2
address ipv4 x.x.x.x
key xxxxxx
!
aaa group server tacacs+ ISE-GROUP
server name ise-1
server name ise-2
!
aaa authentication login VTY group ISE-GROUP local
aaa authentication enable default group ISE-GROUP enable
!
aaa authorization exec CON local
aaa authorization console
aaa authorization exec VTY group ISE-GROUP local if-authenticated
!
aaa authorization config-commands
aaa authorization commands 1 VTY group ISE-GROUP local if-authenticated
aaa authorization commands 15 VTY group ISE-GROUP local if-authenticated
!
aaa accounting exec default start-stop group ISE-GROUP
aaa accounting commands 1 default start-stop group ISE-GROUP
aaa accounting commands 15 default start-stop group ISE-GROUP
!
!
line vty 0 4
login authentication VTY
authorization exec VTY
authorization commands 1 VTY
authorization commands 15 VTY
logging synchronous
!
!
!
line con 0
authorization exec CON
logging synchronous
!
#####
END
#####
Regards
Yazeed
08-16-2017 09:04 AM
I would suggest to engage Cisco TAC on this.
The configuration seems fine.
08-16-2017 04:54 PM
A couple more things. Please make sure you have good connectivity between the network devices and ISE.
See if any other device is working with the same configuration in the same subnet.
I am hoping that you have checked the shared secret, etc. Turn on TACACS+ debugs on the switch and runtime logs in ISE to see what is going on.
Troubleshoot TACACS Authentication Issues - Cisco
Also, make sure the IP address of the network device is the same as the IP of the incoming packets to ISE.
-Krishnan
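The error in the original post names a length problem, and the advice above points at both the link and the shared secret. A TACACS+ receiver has two separate places where it can find a length inconsistency, and the following added example (written for this page, not code from the thread, from Cisco, or from ISE) shows both with a constructed authentication START packet built per RFC 8907. The 12-byte header, including the body length field, is sent in cleartext, so a packet that was truncated or mangled in transit fails the header-versus-received-bytes check before the key is ever used. The body is obfuscated with an MD5 pseudo-pad derived from the shared key, so with a mismatched key the per-field lengths inside the body decode to garbage and no longer add up to the body length. Which of the two checks a given server reports as "invalid length" is not stated on this page; the user name, port, address, key and session ID below are sample values.

```python
"""Added example (not from the original thread): build and validate a
TACACS+ authentication START packet per RFC 8907, to show where a
receiver can detect a length mismatch. All packet contents are constructed
sample data; the key and session ID are assumed values."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0           # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01      # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent without obfuscation
HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes, always cleartext


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pad: chained MD5 over session_id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscate or de-obfuscate a body (XOR with the pad is its own inverse)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_authen_start(user: str, port: str, rem_addr: str, key: bytes,
                       session_id: int, seq_no: int = 1) -> bytes:
    """Client side: an authentication START as a device would send to the server."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    body = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d))
    body += u + p + r + d
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def check_authen_start(packet: bytes, key: bytes) -> tuple:
    """Server side: validate a received START. Returns (ok, stage, detail)."""
    if len(packet) < HEADER_LEN:
        return False, "header", f"only {len(packet)} bytes, need {HEADER_LEN}"
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if version >> 4 != 0xC or ptype != TAC_PLUS_AUTHEN:
        return False, "header", f"unexpected version 0x{version:02x} / type {ptype}"
    body = packet[HEADER_LEN:]
    if len(body) != length:
        # Header is cleartext, so this check never depends on the shared key:
        # a packet cut short or padded on the wire fails here regardless of key.
        return False, "outer_length", f"header says {length} body bytes, got {len(body)}"
    if length < 8:
        return False, "outer_length", "body shorter than the START fixed fields"
    clear = body if flags & TAC_PLUS_UNENCRYPTED_FLAG else xor_body(body, session_id, key, version, seq_no)
    action, priv, atype, svc, ulen, plen, rlen, dlen = struct.unpack("!BBBBBBBB", clear[:8])
    if 8 + ulen + plen + rlen + dlen != length:
        # Reached when the key differs (or the body was corrupted): the
        # de-obfuscated field lengths are garbage and do not sum to the body length.
        return False, "inner_length", f"fields sum to {8 + ulen + plen + rlen + dlen}, body is {length}"
    if priv > 15:
        return False, "inner_field", f"priv_lvl {priv} out of range"
    return True, "ok", clear[8:8 + ulen].decode(errors="replace")


def demo() -> dict:
    """Run the three scenarios discussed in the thread on constructed data."""
    key, session_id = b"s3cret-shared-key", 0x1A2B3C4D   # assumed sample values
    pkt = build_authen_start("netadmin", "tty2", "10.0.0.5", key, session_id)
    return {
        "good": check_authen_start(pkt, key),
        "truncated_on_wire": check_authen_start(pkt[:-3], key),
        "key_mismatch": check_authen_start(pkt, b"wrong-key"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} ok={result[0]} stage={result[1]} detail={result[2]}")
```

Running the block prints one line per scenario. The practical reading for a troubleshooting session: an outer-length failure cannot be caused by the key at all, which points at the path between the device and ISE (MTU, a middlebox, a lossy WAN link), while an inner-length failure is exactly what a wrong or mistyped shared secret produces on a packet that arrived intact. Correlating the device-side debug with the ISE runtime log, as suggested above, tells you which of the two you are looking at.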
08-22-2017 01:49 AM
Hi Krishnan
We are currently checking the link between the HQ and the branches, as it appears to be related to that. I will post an update once confirmed. Thank you for the support.