lni1
Beginner

ISE Tacacs+ integration with Alcatel Nokia 7750 SR (Service Router)

Hello Cisco,

We are struggling to integrate our Nokia 7750 SR with TACACS+ ISE 2.4.

TiMOS-C-15.0.R7 cpm/hops64 Nokia 7750 SR Copyright (c) 2000-2018 Nokia.

Does anyone have integration examples for this type of device?

 

Kind regards,

Lieven Stubbe

Belgian railways

1 ACCEPTED SOLUTION

Accepted Solutions

Hi @lni1 ,

 

In one of the images, the RST comes right after the TCP handshake. That is just plain odd. 

In the other image, we can say that it's not entirely outside the realm of various implementations of TACACS by 3rd party vendors.

In most, if not all, we need RADIUS VSA for any 3rd party device. 

For the command execution issues, the best thing would be to capture packets (you can decrypt them in Wireshark using the shared secret you configured for this device). The image of the capture you attached is of TACACS accounting while the other is just a TCP handshake.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.
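
The decryption step mentioned in the answer above, as an added example (not code from the thread, Cisco or Nokia): it parses the 12-byte TACACS+ header and removes the MD5-based body obfuscation defined in RFC 8907 using the shared secret. The key, session id and packet body are constructed sample values, and the body is placeholder text rather than a real accounting record layout.

```python
import hashlib
import struct

# Header constants from RFC 8907.
TYPES = {1: "authentication", 2: "authorization", 3: "accounting"}
FLAG_UNENCRYPTED = 0x01
FLAG_SINGLE_CONNECT = 0x04


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id|key|version|seq_no); MD5_n also appends MD5_{n-1}."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]


def parse_packet(raw, key):
    """Return header fields and the clear body of one TACACS+ packet."""
    if len(raw) < 12:
        raise ValueError("shorter than the 12-byte TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", raw[:12])
    body = raw[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated body: capture cut off or wrong offset")
    if not flags & FLAG_UNENCRYPTED:  # body is XORed with the pad
        pad = pseudo_pad(session_id, key, version, seq_no, length)
        body = bytes(b ^ p for b, p in zip(body, pad))
    return {
        "type": TYPES.get(ptype, "unknown(%d)" % ptype),
        "seq_no": seq_no,
        "session_id": session_id,
        "single_connect": bool(flags & FLAG_SINGLE_CONNECT),
        "body": body,
    }


def build_sample(key, clear=b"constructed body: cmd=show version"):
    """Constructed accounting packet (type 3), not taken from the thread's capture."""
    version, seq_no, session_id = 0xC0, 1, 0x1A2B3C4D
    pad = pseudo_pad(session_id, key, version, seq_no, len(clear))
    body = bytes(b ^ p for b, p in zip(clear, pad))
    return struct.pack("!BBBBII", version, 3, seq_no, 0, session_id, len(body)) + body


if __name__ == "__main__":
    print(parse_packet(build_sample(b"constructed-secret"), b"constructed-secret"))
```

The header is always sent in the clear, so packet type, sequence number, session id and the single-connect flag can be read without the key; a wrong shared secret shows up only as an unreadable body.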


5 REPLIES
Jason Kunst
Cisco Employee

Please also check with Nokia as we don’t have any http://cs.co/ise-guides on that

Arne Bier
VIP Advisor

What kind of issues are you facing?

Do you have examples of where it works and does not work?

Does the TCP connection establish?

Have you looked at the tcpdump in Wireshark?

 

TACACS+ should be standardised across the board and probably the trickiest part is knowing what attributes to return to the NAS (vendor specific). That often requires having good vendor documentation ...

 

Single Connect mode is possibly not supported across all vendors - I would recommend disabling that if the connection between Nokia and ISE is not working (well).

Hello Arne,

 

Thanks for the swift reply. The problems we have are multiple: when entering 1 command manually it seems to work, but in ISE there are multiple entries (3). When entering a block of commands, several commands are executed (also 3 times), then ISE stops and says the command is not accepted (used admin account, so all commands should be executed).

When examining the tcpdump we see a lot of RST,ACK packets coming from the Nokia device, after a seemingly valid TCP session, or even after a 3-way handshake (see attached). Nokia claims these RST packets are used for different reasons.

Nokia quote:

"If you see a completed handshake and then a RST, that is most likely a health check performed to check if the server is reachable. If they don't want to see this, they can disable healthcheck."

1) Is ISE able to cope with these RST packets because in a normal TACACS+ communication ISE closes with FIN,ACK?

2) All our other non-Cisco devices use VSA to communicate with the network device; in this case we don't know and will ask Nokia once more for more info. Is it always the case with non-Cisco devices that VSA attributes need to be sent to the network device?

 

Kind regards,

Lieven Stubbe

Belgian railways

 

 


alanmarkert
Beginner

Would appear to be a match for the ALU 7750 command authorizations getting dropped when running command scripts on the 7750s.

Was this issue resolved in a newer version of code on ISE or Alcatels? Currently we are running version 2.4 patch 11 on ISE.

 

Alan Markert

ACS/ISE Senior Network Security Engineer - Charter Communications
