TACACS authentication failing

CSCO12938204
Level 1

Hi Expert, I am using Cisco ISE V2.6 as the TACACS server for user authentication.

Everything seems good, but for some users authentication is failing. It shows INVALID identity in the report/logs.

Whereas it is working fine for other users with the same policy. Not sure why this weird behaviour is happening on ISE.

Can you please advise what the issue could be and how to fix it?

FYI - users are configured locally on ISE but password authentication is set to AD.

Is MAB the failover for 802.1X?

We have not configured MAB on ISE.

Is this something that I need to check on the user laptop, whether it is enabled?

Greg Gibbs
Cisco Employee

I'm not sure about your comment "users are configured locally on ISE but password authentication is set to AD". Can you explain more about this, why it is configured this way, and what you are trying to achieve by doing this?

You are likely seeing 'INVALID' due to the default setting in Administration > System > Settings > Security Settings for 'Disclose invalid usernames'. You can enable this setting and the logs should reflect the actual identity that ISE is receiving for the session.

You might also have a look at the ISE Device Administration Prescriptive Deployment Guide for examples of best-practice policy configurations.

Hi Greg - I mean to say the user account/ID is configured locally in the ISE identity store, but their password is set to authenticate with the AD server (not locally on ISE). So whenever a user accesses any NAD device, ISE checks the user ID in the local database and forwards the request to the AD server for a password match.

We are limiting the device access to specific users only. On the AD server there can be 100000+ users, but let's say we are allowing access only to 100 users.

I hope I am clear to you now.

Ok, so you are creating local Network Access User accounts with the same name as the AD user accounts and using the Password Type: <AD> option, is that correct?

If so, your Device Admin AuthC Policy should be configured to use the Internal Users ID store. If you want to provide local AuthZ from ISE as well, you should create an internal User Identity Group and ensure the internal user account is using that group.

I tested a similar setup in my lab and it worked as expected.

1. Created a User Identity Group called 'Net_Admin_Local'

2. Created an internal Network Access User with the same account name in AD 'netadmin1' and mapped it to the internal Group

(Screenshots: Screen Shot 2021-09-27 at 11.08.15 am.png, Screen Shot 2021-09-27 at 11.08.26 am.png)

3. Created the AuthC/AuthZ policies for the session

(Screenshots: Screen Shot 2021-09-27 at 11.10.46 am.png, Screen Shot 2021-09-27 at 11.11.16 am.png)

PradeepSingh
Level 1

Hi,

From your comments "users are configured locally on ISE but password authentication is set to AD" it seems you are authenticating from AD but using ISE local groups to authorize users. How is the authentication source defined in the authentication rule? You should try to use the authentication sequence 'AD then internal users' first in such a case.

But rather than creating duplicate users in ISE, you should think about creating groups in AD and then using those groups as conditions in authorization policies.
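To make the difference between the two approaches in this thread concrete (an Internal Users policy with Password Type AD accounts, versus an 'AD then Internal Users' sequence), here is a small model of how an identity source sequence resolves a login. This is an added illustration, not ISE code: the store names, the sample users and the rule that "user not found" moves to the next store while a wrong password stops the sequence are assumptions of the model.

```python
"""Simplified model of identity-store resolution for a TACACS+ login.
Added example, not ISE code; store names and sequencing rule are assumed."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample data: a large AD and a small internal user store.
AD_USERS = {"netadmin1": "S3cret!", "alice": "pw-alice"}   # AD password check
INTERNAL_USERS = {  # internal Network Access Users, as in Greg's lab setup
    "netadmin1": {"password_type": "AD", "groups": ["Net_Admin_Local"]},
    "svc-local": {"password_type": "INTERNAL", "password": "local1",
                  "groups": ["Net_Admin_Local"]},
}

@dataclass
class Result:
    status: str                      # "PASS", "FAIL" or "NOT_FOUND"
    store: Optional[str] = None      # store that answered
    groups: List[str] = field(default_factory=list)  # local groups for AuthZ

def check_ad(user: str, pw: str) -> Result:
    if user not in AD_USERS:
        return Result("NOT_FOUND")
    return Result("PASS" if AD_USERS[user] == pw else "FAIL", "AD")

def check_internal(user: str, pw: str) -> Result:
    rec = INTERNAL_USERS.get(user)
    if rec is None:
        return Result("NOT_FOUND")
    if rec["password_type"] == "AD":   # Password Type: <AD> -> ask AD for the password
        ok = check_ad(user, pw).status == "PASS"
    else:
        ok = rec["password"] == pw
    return Result("PASS" if ok else "FAIL", "Internal Users", rec["groups"])

STORES = {"AD": check_ad, "Internal Users": check_internal}

def authenticate(user: str, pw: str, sequence: List[str]) -> Result:
    """Walk the sequence: 'user not found' moves on, a password mismatch stops."""
    for name in sequence:
        r = STORES[name](user, pw)
        if r.status != "NOT_FOUND":
            return r
    return Result("NOT_FOUND")       # no store knows the user: the OP's failing case

if __name__ == "__main__":
    print(authenticate("alice", "pw-alice", ["Internal Users"]))        # NOT_FOUND
    print(authenticate("alice", "pw-alice", ["AD", "Internal Users"]))  # PASS via AD, no local groups
```

An AD user with no matching internal account is rejected by the Internal Users policy but accepted by the 'AD then Internal Users' sequence, where it carries no local group, which is why Pradeep suggests AD groups as the authorization condition instead.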