Session disconnects immediately after connecting with ISE

Hi there,

I have configured a new HP5510 switch for TACACS auth via Cisco ISE. However, I am having issues:

It connects but disconnects immediately.

Cisco ISE has the device profile set up correctly and the logs actually show connection via my TACACS creds, but it disconnects immediately. The log on the HP switch also shows it connecting but disconnecting straight away. See below:

%Jun  5 12:59:17:867 2020 HPE SSHS/6/SSHS_CONNECT: SSH user pbyrne06 (IP: 25.*****) connected to the server successfully.
%Jun  5 12:59:19:024 2020 HPE SSHS/6/SSHS_LOG: User pbyrne06 logged out from 25.***** port 58151.
%Jun  5 12:59:19:024 2020 HPE SSHS/6/SSHS_DISCONNECT: SSH user pbyrne06 (IP: 25.****) disconnected from the server.

Any help all welcome; incidentally ISE is pushing out the "net-admin" profile role for the switch


Anurag Sharma
Cisco Employee

Hi @patrickbyrne456305724 ,

Need some background:

1) Are you seeing any TACACS live logs on ISE, from this HP switch?

2) Is 'Device Admin' Service enabled on the ISE?

3) What attributes are you pushing from ISE? Share a screenshot of the Authentication Live log.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

Hi there,

Many thanks for getting back to me. On all 3 questions you asked, the answer is yes to all!

I've attached a file illustrating the ISE connection. Also, please see below the logs for the HP switch, showing connection, log-out and disconnect!!

HPE]%Jun  5 14:46:25:572 2020 HPE SSHS/6/SSHS_LOG: Accepted password for mbyrne02 from 25**** port 60345 ssh2.

%Jun  5 14:46:25:600 2020 HPE SSHS/6/SSHS_CONNECT: SSH user mbyrne02 (IP: 25.*****) connected to the server successfully.
%Jun  5 14:46:26:758 2020 HPE SSHS/6/SSHS_LOG: User mbyrne02 logged out from 25**** port 60345.
%Jun  5 14:46:26:758 2020 HPE SSHS/6/SSHS_DISCONNECT: SSH user mbyrne02 (IP: 25.*****) disconnected from the server.

 

@patrickbyrne456305724 ,

Even though Authorization may be successful on ISE, it doesn't guarantee that we are pushing the attributes to the device (NAD) that it needs.

It's evident that the Authentication is successful, however, I see you are passing the Nexus Shell profile. Try with HP attribute as in the picture below. However, I would urge you to check HP's documentation to figure out what attributes/config is needed on the HP switch to allow remote authentication for SSH.

Screenshot 2020-06-05 at 8.02.23 PM.png

 

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.
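
The symptom in this thread (authentication accepted, session closed about a second later) can be picked out of the switch's SSHS log automatically. The script below is an added example, not part of the original posts and not Cisco or HPE code: it pairs SSHS_CONNECT and SSHS_DISCONNECT lines in the format quoted above and lists sessions that ended almost immediately. The sample users and addresses are constructed, and the 5-second threshold and the function name are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the same format as the switch logs quoted in this thread
# (user names and addresses are made up for the example).
SAMPLE_LOG = """\
%Jun  5 12:59:17:867 2020 HPE SSHS/6/SSHS_CONNECT: SSH user alice (IP: 192.0.2.10) connected to the server successfully.
%Jun  5 12:59:19:024 2020 HPE SSHS/6/SSHS_DISCONNECT: SSH user alice (IP: 192.0.2.10) disconnected from the server.
%Jun  5 13:05:00:100 2020 HPE SSHS/6/SSHS_CONNECT: SSH user bob (IP: 192.0.2.20) connected to the server successfully.
%Jun  5 13:17:42:500 2020 HPE SSHS/6/SSHS_DISCONNECT: SSH user bob (IP: 192.0.2.20) disconnected from the server.
"""

# Tolerates a CLI prompt fragment in front of the '%' (as in "HPE]%Jun ...").
LINE_RE = re.compile(
    r"^\S*%(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d):(?P<ms>\d{3}) "
    r"(?P<year>\d{4}) \S+ SSHS/\d/SSHS_(?P<event>CONNECT|DISCONNECT): "
    r"SSH user (?P<user>\S+) \(IP: (?P<ip>[^)]+)\)"
)

def short_sessions(log_text, max_seconds=5.0):
    """Return (user, ip, seconds) for SSH sessions that closed within max_seconds.

    max_seconds is an assumed threshold; a session this short after a successful
    login usually means the device rejected or could not use what came next
    (for example the authorization attributes), not that the user logged out.
    """
    open_sessions = {}  # (user, ip) -> time of the last CONNECT seen
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other SSHS messages ("Accepted password", "logged out") are ignored
        ts = datetime.strptime(
            f"{m['mon']} {m['day']} {m['year']} {m['time']}.{m['ms']}",
            "%b %d %Y %H:%M:%S.%f",
        )
        key = (m["user"], m["ip"])
        if m["event"] == "CONNECT":
            open_sessions[key] = ts
        elif key in open_sessions:
            duration = (ts - open_sessions.pop(key)).total_seconds()
            if duration <= max_seconds:
                flagged.append((key[0], key[1], round(duration, 3)))
    return flagged

if __name__ == "__main__":
    for user, ip, secs in short_sessions(SAMPLE_LOG):
        print(f"{user} from {ip}: session lasted {secs}s, check the authorization attributes sent for this device")
```

A flagged user whose TACACS+ authentication shows as passed in the ISE live log points at the authorization result (the shell profile and its attributes) rather than at credentials.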

Thanks so much for your response; I will try that!! I will not be able to do that until Monday morning now.
Just wondering if there is a compatibility issue between ISE and HP switch?

There might be limitations of what HP switch can leverage with TACACS+.
ISE is quite accepting and flexible with many things. It all depends on the vendor/product requesting particular things. And on ISE you just push what parameters (attributes) are needed. In all cases, HP can confirm on that.
Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

Cisco ISE - like Cisco ACS before it - is the de facto industry application for TACACS.

See the ISE Compatibility Guide for statements about RADIUS and TACACS protocol support.

See Does ISE Support My Network Access Device? for even more details about how network device platforms vary in capabilities. See ISE Device Administration resources for TACACS+ and RADIUS for docs and videos for configuring TACACS in ISE and on a variety of devices.

When you get it working on your HP device, please share your HP device's TACACS configuration on this thread or create a document here to help others wanting to do the same and I will link to it from ISE Device Administration resources for TACACS+ and RADIUS and ISE Security Ecosystem Integration Guides.