ISE Tacacs+ integration with Alcatel Nokia 7750 SR (Service Router)

lni1
Level 1

Hello Cisco,

We are struggling to integrate our Nokia 7750 SR with TACACS+ on ISE 2.4.

TiMOS-C-15.0.R7 cpm/hops64 Nokia 7750 SR Copyright (c) 2000-2018 Nokia.

Does anyone have integration examples for this type of device?

 

Kind regards,

Lieven Stubbe

Belgian railways

5 Replies

Jason Kunst
Cisco Employee
Please also check with Nokia, as we don't have any ISE guides (http://cs.co/ise-guides) on that.

Arne Bier
VIP

What kind of issues are you facing?

Do you have examples of where it works and does not work?

Does the TCP connection establish?

Have you looked at the tcpdump in Wireshark?

 

TACACS+ should be standardised across the board and probably the trickiest part is knowing what attributes to return to the NAS (vendor specific). That often requires having good vendor documentation ...

 

Single Connect mode is possibly not supported across all vendors - I would recommend disabling that if the connection between Nokia and ISE is not working (well).

Hello Arne,

 

Thanks for the swift reply. The problems we have are multiple: when entering one command manually it seems to work, but in ISE there are multiple entries (3). When entering a block of commands, several commands are executed (also 3 times), then ISE stops and says the command is not accepted (we used an admin account, so all commands should be executed).

When examining the tcpdump we see a lot of RST,ACK packets coming from the Nokia device, after a seemingly valid TCP session, or even after a 3-way handshake (see attachment). Nokia claims these RST packets are used for different reasons.

Nokia quote:

"If you see a completed handshake and then a RST, that is most likely a health check performed to check if the server is reachable. If they don't want to see this, they can disable healthcheck."

1) Is ISE able to cope with these RST packets, given that in normal TACACS+ communication ISE closes with FIN,ACK?

2) All our other non-Cisco devices use VSAs to communicate with the network device; in this case we don't know, and we will ask Nokia once more for more info. Is it always the case with non-Cisco devices that VSA attributes need to be sent to the network device?

 

Kind regards,

Lieven Stubbe

Belgian railways
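The RST-after-handshake question above is easiest to answer from the capture itself, by grouping packets into connections and separating probes that carry no TACACS+ data from sessions that do. The following Python is an added example, not part of this thread: the rows are constructed by hand in the shape you could export from a capture (for instance with `tshark -T fields`), the addresses and ports are made up, and the S/A/P/F/R flag letters are the usual shorthand rather than any tool's exact output.

```python
"""Separate TACACS+ health-check probes from real sessions in a capture summary.

Rows are (time, src, dst, sport, dport, flags, payload_len) tuples constructed
here for illustration; in practice they would be exported from the capture.
"""
from collections import Counter, defaultdict

TACACS_PORT = 49
NAS, ISE = "10.10.10.1", "10.20.20.5"   # constructed addresses, not the thread's


def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a connection group together."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def classify_flow(pkts):
    """pkts: list of (time, src, flags, payload_len) for one connection."""
    flags_seen = [f for _, _, f, _ in pkts]
    handshake = "S" in flags_seen and "SA" in flags_seen
    payload = sum(p for *_, p in pkts)
    rst_from = next((src for _, src, f, _ in pkts if "R" in f), None)
    fin = any("F" in f for f in flags_seen)
    if not handshake:
        verdict = "incomplete"
    elif payload == 0 and rst_from:
        verdict = "healthcheck"       # handshake, no TACACS+ data, then RST
    elif payload and rst_from and not fin:
        verdict = "rst_after_data"    # a real session torn down by RST
    elif payload and fin:
        verdict = "normal"            # a real session closed with FIN
    else:
        verdict = "incomplete"
    return {"verdict": verdict, "payload_bytes": payload, "rst_from": rst_from}


def classify_capture(rows):
    """Group TCP/49 packets per connection and classify each connection."""
    flows = defaultdict(list)
    for ts, src, dst, sport, dport, flags, plen in rows:
        if TACACS_PORT in (sport, dport):
            flows[flow_key(src, sport, dst, dport)].append((ts, src, flags, plen))
    return {key: classify_flow(sorted(pkts)) for key, pkts in flows.items()}


def verdict_summary(rows):
    """How many connections of each kind the capture contains."""
    return Counter(r["verdict"] for r in classify_capture(rows).values())


# Constructed capture: one probe, one clean session, one session reset by the NAS.
SAMPLE_ROWS = [
    (0.000, NAS, ISE, 40001, 49, "S", 0),      # flow 1: handshake then RST, no data
    (0.001, ISE, NAS, 49, 40001, "SA", 0),
    (0.002, NAS, ISE, 40001, 49, "A", 0),
    (0.003, NAS, ISE, 40001, 49, "R", 0),
    (1.000, NAS, ISE, 40002, 49, "S", 0),      # flow 2: authorization, FIN close
    (1.001, ISE, NAS, 49, 40002, "SA", 0),
    (1.002, NAS, ISE, 40002, 49, "A", 0),
    (1.003, NAS, ISE, 40002, 49, "PA", 78),
    (1.010, ISE, NAS, 49, 40002, "PA", 18),
    (1.011, NAS, ISE, 40002, 49, "A", 0),
    (1.012, ISE, NAS, 49, 40002, "FA", 0),
    (1.013, NAS, ISE, 40002, 49, "FA", 0),
    (2.000, NAS, ISE, 40003, 49, "S", 0),      # flow 3: data exchanged, then RST
    (2.001, ISE, NAS, 49, 40003, "SA", 0),
    (2.002, NAS, ISE, 40003, 49, "A", 0),
    (2.003, NAS, ISE, 40003, 49, "PA", 70),
    (2.010, ISE, NAS, 49, 40003, "PA", 18),
    (2.011, NAS, ISE, 40003, 49, "RA", 0),
    (3.000, NAS, ISE, 40004, 443, "S", 0),     # unrelated traffic, ignored
]

if __name__ == "__main__":
    for key, result in classify_capture(SAMPLE_ROWS).items():
        print(key, result)
    print(verdict_summary(SAMPLE_ROWS))
```

Connections that come out as "healthcheck" match Nokia's description of a reachability probe and carry nothing ISE has to process; the ones worth chasing are "rst_after_data", where the NAS resets a session in which TACACS+ packets were actually exchanged.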

 

 

Hi @lni1 ,

 

In one of the images, the RST comes right after the TCP handshake. That is just plain odd.

In the other image, we can say that it's not entirely outside the realm of various implementations of TACACS+ by 3rd party vendors.

In most, if not all, cases we need a RADIUS VSA for any 3rd party device.

For the command execution issues, the best thing would be to capture packets (you can decrypt them in Wireshark using the shared secret you configured for this device). The image of the capture you attached is of TACACS+ accounting, while the other is just a TCP handshake.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.
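The decryption mentioned above is the RFC 8907 body obfuscation: every TACACS+ body is XORed with a pseudo-pad of chained MD5 digests over session_id, shared secret, version and seq_no, so anyone holding the secret can recover it, which is what Wireshark does when you enter the key. The following Python is an added example, not code from this thread or from Cisco or Nokia; the shared secret, session ids, addresses and the "same command authorised three times" capture are all constructed here to show how you would read the NAS's authorization requests and check the Single Connect flag Arne mentioned.

```python
"""Decode TACACS+ (RFC 8907) authorization requests offline with the shared secret.

All packets, the key and the addresses are constructed in this script.
"""
import hashlib
import struct
from collections import Counter

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 pad: chained MD5 digests, truncated to `length` bytes."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_author_request(session_id, key, user, port, rem_addr, args,
                         seq_no=1, version=0xC0, flags=0):
    """Constructed authorization REQUEST (RFC 8907 section 6.1) as a NAS would send it."""
    user, port, rem_addr = user.encode(), port.encode(), rem_addr.encode()
    args = [a.encode() for a in args]
    body = bytes([0x06, 15, 0x01, 0x01,   # authen_method TACACSPLUS, priv_lvl 15, ASCII, LOGIN
                  len(user), len(port), len(rem_addr), len(args)])
    body += bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return HEADER.pack(version, TAC_PLUS_AUTHOR, seq_no, flags, session_id, len(body)) + body


def parse_author_request(packet, key):
    """Return the REQUEST fields; raise ValueError when the body does not decode."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length or ptype != TAC_PLUS_AUTHOR:
        raise ValueError("not a complete authorization packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    user_len, port_len, rem_len, arg_cnt = body[4:8]
    lens = list(body[8:8 + arg_cnt])
    fields, off = [], 8 + arg_cnt
    try:
        for n in [user_len, port_len, rem_len] + lens:
            fields.append(body[off:off + n].decode("ascii"))
            off += n
    except UnicodeDecodeError:
        raise ValueError("body is not ASCII: wrong shared secret?") from None
    if off != len(body) or len(lens) != arg_cnt:
        raise ValueError("field lengths do not add up: wrong shared secret?")
    return {"session_id": session_id, "seq_no": seq_no, "priv_lvl": body[1],
            "single_connect": bool(flags & TAC_PLUS_SINGLE_CONNECT_FLAG),
            "user": fields[0], "port": fields[1], "rem_addr": fields[2],
            "args": fields[3:]}


def key_is_valid(packet, key):
    """True when `key` de-obfuscates the packet into a well-formed request."""
    try:
        parse_author_request(packet, key)
        return True
    except ValueError:
        return False


def command_request_counts(packets, key):
    """Count authorization REQUESTs per shell command across a capture."""
    counts = Counter()
    for pkt in packets:
        parts = [a.split("=", 1) for a in parse_author_request(pkt, key)["args"] if "=" in a]
        counts[" ".join(v for k, v in parts if k in ("cmd", "cmd-arg"))] += 1
    return counts


KEY = b"ise-shared-secret"   # constructed; use the secret configured on the ISE device entry
SHOW = ["service=shell", "cmd=show", "cmd-arg=router"]
# Constructed capture: 'show router' authorised in three separate sessions, then one more command.
SAMPLE_PACKETS = [
    build_author_request(0x11111111, KEY, "admin", "console", "10.0.0.7", SHOW),
    build_author_request(0x22222222, KEY, "admin", "console", "10.0.0.7", SHOW),
    build_author_request(0x33333333, KEY, "admin", "console", "10.0.0.7", SHOW,
                         flags=TAC_PLUS_SINGLE_CONNECT_FLAG),
    build_author_request(0x44444444, KEY, "admin", "console", "10.0.0.7",
                         ["service=shell", "cmd=configure"]),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(parse_author_request(pkt, KEY))
    print(command_request_counts(SAMPLE_PACKETS, KEY))
```

`key_is_valid` is the quick check to run before anything else: if the packets do not decode into ASCII fields whose lengths add up, the secret on ISE and on the 7750 differ and everything downstream is noise. `command_request_counts` then shows whether repeated ISE entries correspond to repeated requests from the NAS or to something on the ISE side.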

alanmarkert
Level 1

This would appear to be a match for the ALU 7750 command authorizations getting dropped when running command scripts on the 7750s.

Was this issue resolved in a newer version of code on ISE or Alcatels? Currently we are running version 2.4 patch 11 on ISE.

 

Alan Markert

ACS/ISE Senior Network Security Engineer - Charter Communications
