cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2245
Views
40
Helpful
6
Replies

TACACS authentication failing

CSCO12938204
Level 1
Level 1

Hi Expert - i am using Cisco ISE V2.6 as TACACS server for user authentication.

Everything seems good but for some user authentication is getting failed. It shows INVALID identify in report/logs

Whereas it is working good for other users with same policy. Not sure why is this weird behaviour on ISE.

 

Can you please advise what can be the issue and how to fix this ?

 

FYI - users are configured locally on ISE but password authentication is set to AD.

 

6 Replies 6

is MAB is failover for 802.1x?

We have not configured MAB on ISE.

 

Is this something that i neee to check on user Laptop if it is enabled ?

Greg Gibbs
Cisco Employee
Cisco Employee

I'm not sure about your comment "users are configured locally on ISE but password authentication is set to AD". Can you explain more about this, why it is configured this way, and what you are trying to achieve by doing this?

You are likely seeing 'INVALID' due to the default setting in Administration > System > Settings > Security Settings for 'Disclose invalid usernames'. You can enable this setting and the logs should reflect the actual identity that ISE is receiving for the session.

You might also have a look at the ISE Device Administration Prescriptive Deployment Guide for examples of best-practice policy configurations.

Hi Greg - I Mean to say User account/ID is configured local in ISE identity but their password is set to authenticate with AD server (not local on ISE). So whenever user access any NAD device then ISE check the user ID in local database and forward the request to AD server for password match.

 

We are limiting the device access for specific users only . On AD server there can be 100000+ user but lets say we are allowing access only to 100 Users. 

 

I hope , i am clear to you now.

 

 

Ok, so you are creating local Network Access User accounts with the same name as the AD user accounts and using the Password Type: <AD> option, is that correct?

If so, your Device Admin AuthC Policy should be configured to use the Internal Users ID store. If you want to provide local AuthZ from ISE as well, you should create an internal User Identity Group and ensure the internal user account is using that group.

I tested a similar setup in my lab and it worked as expected.

1. Created a User Identity Group called 'Net_Admin_Local'

2. Created an internal Network Access User with the same account name in AD 'netadmin1' and mapped it to the internal Group

Screen Shot 2021-09-27 at 11.08.15 am.png

Screen Shot 2021-09-27 at 11.08.26 am.png

3. Created the AuthC/AuthZ policies for the session

Screen Shot 2021-09-27 at 11.10.46 am.png

Screen Shot 2021-09-27 at 11.11.16 am.png

 

 

PradeepSingh
Level 1
Level 1

Hi,

 

From your comments "users are configured locally on ISE but password authentication is set to AD" it seems you are authenticating from AD but using ISE local groups to authorize users. How authentication source is defined in authentication rule ? You should try to use authentication sequence first 'AD then internal users' in such case.

 

But rather creating duplicate users in ISE you should think creating groups in AD and then use those groups as conditions in authorizing policies.