11-19-2019 03:51 AM
Hello Cisco,
We are struggling to integrate our Nokia 7750 SR with TACACS+ on ISE 2.4
TiMOS-C-15.0.R7 cpm/hops64 Nokia 7750 SR Copyright (c) 2000-2018 Nokia.
Does anyone have integration examples for this type of device?
Kind regards,
Lieven Stubbe
Belgian railways
11-19-2019 01:55 PM
What kind of issues are you facing?
Do you have examples of where it works and does not work?
Does the TCP connection establish?
Have you looked at the tcpdump in Wireshark?
TACACS+ should be standardised across the board and probably the trickiest part is knowing what attributes to return to the NAS (vendor specific). That often requires having good vendor documentation ...
Single Connect mode is possibly not supported across all vendors - I would recommend disabling that if the connection between Nokia and ISE is not working (well).
11-19-2019 11:57 PM
Hello Arne,
Thanks for the swift reply. The problems we have are multiple: when entering 1 command manually it seems to work, but in ISE there are multiple entries (3). When entering a block of commands, several commands are executed (also 3 times), then ISE stops and says the command is not accepted (we used the admin account, so all commands should be executed).
When examining the tcpdump we see a lot of RST,ACK packets coming from the Nokia device, after a seemingly valid TCP session, or even right after a 3-way handshake (see attachment). Nokia claims these RST packets are used for different reasons.
Nokia quote:
"If you see a completed handshake and then a RST, that is most likely a health check performed to check if the server is reachable. If they don't want to see this, they can disable healthcheck."
1) Is ISE able to cope with these RST packets because in a normal TACACS+ communication ISE closes with FIN,ACK?
2) All our other non-Cisco devices use VSAs to communicate with the network device; in this case we don't know and will ask Nokia once more for more info. Is it always the case with non-Cisco devices that VSA attributes need to be sent to the network device?
Kind regards,
Lieven Stubbe
Belgian railways
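To help sort the capture described above into the two cases Nokia distinguishes (a bare reachability probe versus a session that was reset after TACACS+ data was exchanged), here is a small triage script. It is an added example, not part of the original thread and not Nokia or Cisco code; it works on constructed tcpdump-style segment records rather than a real pcap, and the addresses, ports and payload sizes are made up for illustration. The rule it encodes is the one from the thread: a handshake followed immediately by RST with zero bytes of TACACS+ payload is consistent with a health check, while a RST after payload is a real mid-session abort worth investigating.

```python
from collections import defaultdict
from dataclasses import dataclass

TACACS_PORT = 49  # TCP port TACACS+ listens on (ISE side)


@dataclass(frozen=True)
class Segment:
    """One TCP segment as you would read it off tcpdump/Wireshark (constructed)."""
    ts: float
    src: str       # "ip:port"
    dst: str       # "ip:port"
    flags: str     # tcpdump-style letters: S, A, F, R, P
    payload: int   # TCP payload length in bytes


def flow_key(seg: Segment) -> tuple:
    """Key a segment by (client, server), with the TACACS+ server always second."""
    a, b = seg.src, seg.dst
    if a.endswith(f":{TACACS_PORT}"):
        a, b = b, a
    return (a, b)


def classify_flow(segs: list) -> str:
    """Classify one TCP flow: probe-reset, data-then-reset-by-<side>, graceful-close, open."""
    segs = sorted(segs, key=lambda s: s.ts)
    client, server = flow_key(segs[0])
    handshake = (
        len(segs) >= 3
        and segs[0].src == client and "S" in segs[0].flags and "A" not in segs[0].flags
        and segs[1].src == server and "S" in segs[1].flags and "A" in segs[1].flags
        and segs[2].src == client and "A" in segs[2].flags and "S" not in segs[2].flags
    )
    if not handshake:
        return "incomplete-handshake"
    data_bytes = sum(s.payload for s in segs)
    rst_from = [s.src for s in segs if "R" in s.flags]
    fin_seen = any("F" in s.flags for s in segs)
    if rst_from and data_bytes == 0:
        # Handshake then RST, no TACACS+ bytes: consistent with a reachability check.
        return "probe-reset"
    if rst_from:
        side = "client" if rst_from[0] == client else "server"
        return f"data-then-reset-by-{side}"
    if fin_seen:
        return "graceful-close"
    return "open"


def summarize(segments: list) -> dict:
    """Group segments into flows and classify each one."""
    flows = defaultdict(list)
    for s in segments:
        flows[flow_key(s)].append(s)
    return {k: classify_flow(v) for k, v in flows.items()}


# Constructed sample capture: NAS 192.0.2.10, TACACS+ server 198.51.100.5.
NAS, ISE = "192.0.2.10", "198.51.100.5:49"
SAMPLE = [
    # Flow 1: handshake then RST from the NAS, no data (looks like a health check)
    Segment(1.00, f"{NAS}:40001", ISE, "S", 0),
    Segment(1.01, ISE, f"{NAS}:40001", "SA", 0),
    Segment(1.02, f"{NAS}:40001", ISE, "A", 0),
    Segment(1.03, f"{NAS}:40001", ISE, "RA", 0),
    # Flow 2: authorization exchange closed cleanly with FIN/ACK
    Segment(2.00, f"{NAS}:40002", ISE, "S", 0),
    Segment(2.01, ISE, f"{NAS}:40002", "SA", 0),
    Segment(2.02, f"{NAS}:40002", ISE, "A", 0),
    Segment(2.03, f"{NAS}:40002", ISE, "PA", 81),
    Segment(2.04, ISE, f"{NAS}:40002", "PA", 30),
    Segment(2.05, ISE, f"{NAS}:40002", "FA", 0),
    Segment(2.06, f"{NAS}:40002", ISE, "FA", 0),
    Segment(2.07, ISE, f"{NAS}:40002", "A", 0),
    # Flow 3: data exchanged, then the NAS resets the session
    Segment(3.00, f"{NAS}:40003", ISE, "S", 0),
    Segment(3.01, ISE, f"{NAS}:40003", "SA", 0),
    Segment(3.02, f"{NAS}:40003", ISE, "A", 0),
    Segment(3.03, f"{NAS}:40003", ISE, "PA", 81),
    Segment(3.04, ISE, f"{NAS}:40003", "PA", 30),
    Segment(3.05, f"{NAS}:40003", ISE, "RA", 0),
]

if __name__ == "__main__":
    for flow, verdict in summarize(SAMPLE).items():
        print(flow, "->", verdict)
```

Flows tagged `probe-reset` can be set aside; the `data-then-reset-by-client` ones are the sessions to open in Wireshark with the shared secret, since those are where the command authorization actually went wrong.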
11-20-2019 02:40 AM
Hi @lni1 ,
In one of the images, the RST comes right after the TCP handshake. That is just plain odd.
In the other image, we can say that it's not entirely outside the realm of various implementations of TACACS by 3rd party vendors.
In most, if not all, we need RADIUS VSA for any 3rd party device.
For the command execution issues, best thing would be to capture packets (You can decrypt them in Wireshark using the shared secret you configured for this device). The image of the capture you attached is of TACACS accounting while the other is just a TCP handshake.
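The Wireshark decryption mentioned above works because TACACS+ does not encrypt the body in the usual sense: it XORs it with an MD5 keystream derived from the session id, the shared secret, the version byte and the sequence number (RFC 8907 section 4.5), so anyone holding the device's shared secret can recover the body offline. The following is an added example, not code from the thread, Cisco or Nokia: it builds a constructed authorization REQUEST the way a NAS would, obfuscates it with a made-up secret, then parses it back the way Wireshark's dissector does. Packet layout constants are from the RFC; the user, port, addresses and secret are invented for illustration.

```python
import hashlib
import struct
from dataclasses import dataclass

# TACACS+ header constants (RFC 8907).
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHOR = 0x02               # packet type: authorization
TAC_PLUS_FLAG_UNENCRYPTED = 0x01     # body sent in the clear
TAC_PLUS_FLAG_SINGLE_CONNECT = 0x04  # client wants to multiplex sessions on one TCP connection
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_FMT = "!BBBBII"               # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)


@dataclass
class TacacsHeader:
    version: int
    type: int
    seq_no: int
    flags: int
    session_id: int
    length: int

    def pack(self) -> bytes:
        return struct.pack(HEADER_FMT, self.version, self.type, self.seq_no,
                           self.flags, self.session_id, self.length)

    @property
    def single_connect(self) -> bool:
        return bool(self.flags & TAC_PLUS_FLAG_SINGLE_CONNECT)


def parse_header(data: bytes) -> TacacsHeader:
    if len(data) < HEADER_LEN:
        raise ValueError("truncated TACACS+ header")
    return TacacsHeader(*struct.unpack(HEADER_FMT, data[:HEADER_LEN]))


def pseudo_pad(hdr: TacacsHeader, key: bytes, length: int) -> bytes:
    """MD5 keystream: each block hashes session_id||key||version||seq_no||previous block."""
    seed = struct.pack("!I", hdr.session_id) + key + bytes([hdr.version, hdr.seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(hdr: TacacsHeader, body: bytes, key: bytes) -> bytes:
    """Obfuscation and de-obfuscation are the same XOR against the pseudo-pad."""
    if hdr.flags & TAC_PLUS_FLAG_UNENCRYPTED:
        return body
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(hdr, key, len(body))))


def build_author_request(session_id: int, key: bytes, user: str, port: str,
                         rem_addr: str, args: list, priv_lvl: int = 15) -> bytes:
    """Encode an obfuscated authorization REQUEST (seq_no 1) as a NAS would send it."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    enc_args = [a.encode() for a in args]
    body = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl,
                       TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(u), len(p), len(r), len(enc_args))
    body += bytes(len(a) for a in enc_args) + u + p + r + b"".join(enc_args)
    hdr = TacacsHeader(version=TAC_PLUS_MAJOR_VER << 4, type=TAC_PLUS_AUTHOR,
                       seq_no=1, flags=0, session_id=session_id, length=len(body))
    return hdr.pack() + xor_body(hdr, body, key)


def decode_author_request(packet: bytes, key: bytes) -> dict:
    """Recover the fields of a captured authorization REQUEST using the shared secret."""
    hdr = parse_header(packet)
    body = xor_body(hdr, packet[HEADER_LEN:HEADER_LEN + hdr.length], key)
    if len(body) != hdr.length or len(body) < 8:
        raise ValueError("truncated TACACS+ body")
    _meth, priv, _atype, _svc, ulen, plen, rlen, argc = struct.unpack("!BBBBBBBB", body[:8])
    arg_lens = list(body[8:8 + argc])
    off = 8 + argc
    user, off = body[off:off + ulen], off + ulen
    port, off = body[off:off + plen], off + plen
    rem, off = body[off:off + rlen], off + rlen
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode("utf-8", errors="replace"))
        off += n
    return {"session_id": hdr.session_id, "seq_no": hdr.seq_no,
            "single_connect": hdr.single_connect, "priv_lvl": priv,
            "user": user.decode(errors="replace"), "port": port.decode(errors="replace"),
            "rem_addr": rem.decode(errors="replace"), "args": args}


# Constructed sample: a NAS asking whether "admin" may run "show version".
SHARED_SECRET = b"example-secret"  # made-up secret, not a real key
SAMPLE_PACKET = build_author_request(0x1A2B3C4D, SHARED_SECRET, "admin", "console",
                                     "192.0.2.10", ["service=shell", "cmd=show", "cmd-arg=version"])

if __name__ == "__main__":
    print(decode_author_request(SAMPLE_PACKET, SHARED_SECRET))
```

Two things to read off a real capture with this: the `args` list shows exactly which `cmd=`/`cmd-arg=` attributes the 7750 sends for a script line (so a command being rejected three times can be matched against the three REQUESTs ISE logged), and the `single_connect` bit in the header shows whether the device is asking for Single Connect mode at all, which ties in with the earlier advice to disable it while troubleshooting.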
06-03-2021 06:25 AM
This would appear to be a match for the ALU 7750 command authorizations getting dropped when running command scripts on the 7750s.
Was this issue resolved in a newer version of code on ISE or the Alcatels? Currently we are running version 2.4 patch 11 on ISE.
Alan Markert
ACS/ISE Senior Network Security Engineer - Charter Communications