Lost connection when I shift from ACS to ISE

khaled bay
Level 1

Hello Dears,

I had a project to shift from TACACS+ ACS to ISE, so I created a new local user with privilege 15 and by mistake removed the command tacacs-server host 192.168.1.100 before I put in the new ISE command tacacs-server host 192.168.1.90 key X.
Now I cannot log in locally, even from the console.

My running config is:

username admin  privilege 15 secret 5


aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default group tacacs+
aaa authentication dot1x default group radius
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa accounting update newinfo
aaa accounting auth-proxy default start-stop group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!

Any clues?

Thank you in advance 

Accepted Solution

Your command authorization list does not have 'local' as a secondary method to fall back.

aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+

You likely were not able to save the running-config, so you will need to reboot the switch so it will recover your previous saved working config.
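As an added check (my own script, not the poster's or Cisco's code), the following parses the AAA lines of the posted running-config and reports every management method list whose methods are all server groups, i.e. lists that fail closed when no TACACS+ server answers or none is defined. The function and constant names are my own; POSTED_CONFIG holds the AAA lines from the post, and FIXED_CONFIG is the same with local appended as the accepted answer suggests.

```python
"""Audit Cisco IOS AAA method lists for a server-independent fallback.
Added example for this thread, not Cisco's code: flags every management
method list whose methods are all server groups (fails closed if no server answers)."""
import re

# Methods that need no AAA server. IOS only moves to the next method when the
# server group returns an ERROR (unreachable, or no tacacs-server host defined,
# as in this thread); an explicit reject from TACACS+ never falls back to local.
FALLBACK_METHODS = {"local", "local-case", "enable", "line", "none", "if-authenticated"}
# List types that gate CLI access; dot1x/ppp lists are out of scope here.
MANAGEMENT_TYPES = {"login", "enable", "exec", "commands"}

AAA_LINE = re.compile(
    r"^aaa (?P<kind>authentication|authorization) (?P<type>\S+)(?P<level> \d+)? "
    r"(?P<list>\S+) (?P<methods>.+)$"
)

def parse_methods(methods: str) -> list:
    """'group tacacs+ local' -> ['group tacacs+', 'local']."""
    return re.findall(r"group \S+|\S+", methods)

def lists_without_fallback(config: str) -> dict:
    """Return {'authorization commands 15 default': ['group tacacs+'], ...}
    for every management list that has no fallback method."""
    findings = {}
    for raw in config.splitlines():
        m = AAA_LINE.match(raw.strip())
        if not m or m.group("type") not in MANAGEMENT_TYPES:
            continue
        methods = parse_methods(m.group("methods"))
        if not any(meth in FALLBACK_METHODS for meth in methods):
            name = f"{m.group('kind')} {m.group('type')}{m.group('level') or ''} {m.group('list')}"
            findings[name] = methods
    return findings

# AAA lines from the running-config posted in this thread.
POSTED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
"""
# The same lists with the fix from the accepted answer applied.
FIXED_CONFIG = POSTED_CONFIG.replace("group tacacs+\n", "group tacacs+ local\n")
```

On the posted config the login and exec lists pass (they already fall back to local), and only the two command authorization lists are reported, which matches the "% Authorization failed." seen after a successful local login.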


5 Replies

@khaled bay have you defined the TACACS servers with a shared secret on the switch/router?

Have you configured the switch/router as a network device on ISE (with the correct shared secret)?

Check the Device Administration logs to determine whether that provides a clue as to why command authorisation failed.

Do you have the correct licensing installed on ISE for Device Administration?

Do you have the correct policies defined on ISE for Device Administration?

Refer to this ISE Device Administration guide for more information: https://community.cisco.com/t5/security-knowledge-base/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365


@Rob Ingram I removed the command for the old ACS before I put in the new command for ISE (tacacs-server host 192.168.1.100 before I put in the new ISE command tacacs-server host 192.168.1.90 key X), so the switch has no clue about ACS or TACACS servers, but there is the local user on the switch. Why, when I log in with local and try to show any commands, does it give me "% Authorization failed."?
I have many other devices connected to the network and working with ISE after shifting.


Switch model is: WS-C2960XR-48FPD-I (stacked)


@khaled bay so have you defined the switch as a Network Device on ISE? With the same shared secret as defined on the switch.

What about checking the ISE logs? Provide the output for review if required.

Take a tcpdump on ISE to determine whether the switch is even communicating with ISE.

No, ISE is not configured on the switch at all.
As I mentioned before, I removed the command and cannot log in locally; it responds with "% Authorization failed.".
