
ISE Ver 2.7 authentication Error

okoroji80
Level 1

I installed an ISE server recently, configured my Cisco switch for tacacs authentication,

I constantly get failed login attempts while trying to log in.

Attached herewith is the error log. Below is my switch configuration:


aaa group server tacacs+ ISE-DMO
server 16.128.15.75
server-private 16.128.15.75 key  man&woman
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group packetfence
aaa authorization exec default group tacacs+ local
aaa authorization network default group packetfence
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

tacacs-server host 16.128.15.75
tacacs-server directed-request
radius-server host 10.128.10.150 auth-port 1812 acct-port 1813 timeout 2 key man&men
radius-server vsa send authentication
!
control-plane
!
!
line con 0
line vty 0 4
password done2020
line vty 5 15
password done2020

5 Replies

What does the policy on ISE look like?

Hello Marius,

Attached is my policy set on the ISE.

Thank you

Both of your two non-default authorization rules have conditions on user identity groups. ISE appears not to find the user in either group, so it applies the default; hence, Deny All Shell Profile.

Kindly advise on the steps to have this resolved.

Thanks

okoroji80,

Please verify whether the user is in one of the user groups.

Or, you may change the shell profile and the command set for the default rule and give some limited access.