09-23-2021 12:26 PM
Hi Expert - I am using Cisco ISE v2.6 as a TACACS server for user authentication.
Everything seems good, but for some users authentication is failing. It shows INVALID identity in the report/logs,
whereas it is working fine for other users with the same policy. Not sure why this weird behaviour is happening on ISE.
Can you please advise what the issue can be and how to fix it?
FYI - users are configured locally on ISE, but password authentication is set to AD.
09-23-2021 12:54 PM
Is MAB the failover for 802.1x?
09-23-2021 08:56 PM
We have not configured MAB on ISE.
Is this something that I need to check on the user's laptop, whether it is enabled?
09-23-2021 11:18 PM
I'm not sure about your comment "users are configured locally on ISE but password authentication is set to AD". Can you explain more about this, why it is configured this way, and what you are trying to achieve by doing this?
You are likely seeing 'INVALID' due to the default setting in Administration > System > Settings > Security Settings for 'Disclose invalid usernames'. You can enable this setting and the logs should reflect the actual identity that ISE is receiving for the session.
You might also have a look at the ISE Device Administration Prescriptive Deployment Guide for examples of best-practice policy configurations.
09-24-2021 09:56 AM
Hi Greg - I mean to say the user account/ID is configured locally in the ISE identity store, but their password is set to authenticate against the AD server (not locally on ISE). So whenever a user accesses any NAD device, ISE checks the user ID in the local database and forwards the request to the AD server for the password match.
We are limiting device access to specific users only. On the AD server there can be 100000+ users, but let's say we are allowing access only to 100 users.
I hope I am clear to you now.
09-26-2021 06:13 PM
OK, so you are creating local Network Access User accounts with the same name as the AD user accounts and using the Password Type: <AD> option, is that correct?
If so, your Device Admin AuthC Policy should be configured to use the Internal Users ID store. If you want to provide local AuthZ from ISE as well, you should create an internal User Identity Group and ensure the internal user account is a member of that group.
I tested a similar setup in my lab and it worked as expected.
1. Created a User Identity Group called 'Net_Admin_Local'
2. Created an internal Network Access User with the same account name as in AD, 'netadmin1', and mapped it to the internal group
3. Created the AuthC/AuthZ policies for the session
09-24-2021 11:55 AM
Hi,
From your comment "users are configured locally on ISE but password authentication is set to AD", it seems you are authenticating against AD but using ISE local groups to authorize users. How is the authentication source defined in the authentication rule? You should try to use an identity source sequence, 'AD then Internal Users', in such a case.
But rather than creating duplicate users in ISE, you should think about creating groups in AD and then using those groups as conditions in the authorization policies.