TACACS doesn't work on two new added ISE-VM-K9

zhiqiang.yan
Level 1

hi,

I had 4x ISE-VM-K9 before, with a TACACS+ license, and they worked fine. Then I added two more ISE-VM-K9 and promoted the two new ISE-VMs to be PAN. Things seemed to look good, but when I test TACACS with these two new ISEs, it never works. I can't see anything in the live logs.

I tried to make them just PSNs, but it is still the same.

I can telnet to port 49 on them from my network switches; tcpdump shows this:

01:55:44.231643 IP (tos 0x0, ttl 243, id 57424, offset 0, flags [none], proto TCP (6), length 44)
10.7.80.174.31835 > xx.xx.xx.xx.49: Flags [S], cksum 0x8ae7 (correct), seq 1642638051, win 4128, options [mss 536], length 0

01:55:44.231680 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 44)
xx.xx.xx.xx.49 > 10.7.80.174.31835: Flags [S.], cksum 0x7781 (incorrect -> 0x178d), seq 178062112, ack 1642638052, win 29200, options [mss 1460], length 0

01:55:44.250486 IP (tos 0x0, ttl 243, id 57425, offset 0, flags [none], proto TCP (6), length 40)
10.7.80.174.31835 > xx.xx.xx.xx.49: Flags [.], cksum 0x913a (correct), seq 1, ack 1, win 4128, length 0

01:55:44.250517 IP (tos 0x0, ttl 243, id 57426, offset 0, flags [none], proto TCP (6), length 82)
10.7.80.174.31835 > xx.xx.xx.xx.49: Flags [.], cksum 0x9db7 (correct), seq 1:43, ack 1, win 4128, length 42

01:55:44.250530 IP (tos 0x0, ttl 64, id 25162, offset 0, flags [DF], proto TCP (6), length 40)
xx.xx.xx.xx.49 > 10.7.80.174.31835: Flags [.], cksum 0x777d (incorrect -> 0x2f20), seq 1, ack 43, win 29200, length 0

01:55:44.250783 IP (tos 0x0, ttl 64, id 25163, offset 0, flags [DF], proto TCP (6), length 40)
xx.xx.xx.xx.49 > 10.7.80.174.31835: Flags [R.], cksum 0x777d (incorrect -> 0x2f1c), seq 1, ack 43, win 29200, length 0

I am wondering: because I installed the TACACS license before adding these two ISE-VMs, is that causing the problem?

Thanks,

Ryan

Accepted Solution

Hi

In a distributed deployment, if you don't enable the "Policy Service" and choose "Enable Device Admin Service", you cannot use an ISE node as a TACACS server.

You can check by going to: Administration ==> System ==> Deployment ==> General Settings

I have attached a screenshot.

Best regards

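The trace in the question and the accepted solution fit together: the node completes the TCP handshake on port 49 and then resets the session as soon as the switch sends its first TACACS+ packet (42 bytes), which is what a listener that is up but whose service rejects the session looks like. The following Python script is an added triage helper, not code from the thread or from Cisco; it parses tcpdump flow lines like the ones above and classifies each connection to port 49 as no-response, refused, accepted-then-reset, or established. The sample input is the thread's own trace with the ISE address left anonymised as xx.xx.xx.xx.

```python
import re
from collections import defaultdict

# Constructed sample: the packet lines from the thread's tcpdump excerpt (switch 10.7.80.174 -> ISE, port 49).
SAMPLE = """\
10.7.80.174.31835 > xx.xx.xx.xx.49: Flags [S], cksum 0x8ae7 (correct), seq 1642638051, win 4128, options [mss 536], length 0
xx.xx.xx.xx.49 > 10.7.80.174.31835: Flags [S.], cksum 0x7781 (incorrect -> 0x178d), seq 178062112, ack 1642638052, win 29200, options [mss 1460], length 0
10.7.80.174.31835 > xx.xx.xx.xx.49: Flags [.], cksum 0x913a (correct), seq 1, ack 1, win 4128, length 0
10.7.80.174.31835 > xx.xx.xx.xx.49: Flags [.], cksum 0x9db7 (correct), seq 1:43, ack 1, win 4128, length 42
xx.xx.xx.xx.49 > 10.7.80.174.31835: Flags [.], cksum 0x777d (incorrect -> 0x2f20), seq 1, ack 43, win 29200, length 0
xx.xx.xx.xx.49 > 10.7.80.174.31835: Flags [R.], cksum 0x777d (incorrect -> 0x2f1c), seq 1, ack 43, win 29200, length 0
"""
LINE = re.compile(r"^(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\].*length (\d+)")  # src.port > dst.port: Flags [..] ... length N

VERDICTS = {
    "no-response": "SYN unanswered: filtered path or host down",
    "refused": "RST answers the SYN: nothing is listening on the port",
    "accepted-then-reset": "handshake completed, then the server reset the session on the client's "
    "first payload: listener up but the service rejected it (on ISE, check Policy Service / Device Admin Service on that node)",
    "established": "payload flowed in both directions",
}

def parse_flows(text, server_port=49):
    """Group packet lines into per-connection (client_ip, client_port, server_ip) event lists."""
    flows = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # timestamp / IP-header lines carry nothing we need
        src, sport, dst, dport, flags, length = m.groups()
        if int(dport) == server_port:
            key, sender = (src, int(sport), dst), "client"
        elif int(sport) == server_port:
            key, sender = (dst, int(dport), src), "server"
        else:
            continue
        flows[key].append((sender, flags, int(length)))
    return flows

def classify(events):
    """Return (verdict, bytes the client managed to send) for one connection's events."""
    server_synack = any(s == "server" and "S" in f for s, f, _ in events)
    server_rst = any(s == "server" and "R" in f for s, f, _ in events)
    client_bytes = sum(n for s, _, n in events if s == "client")
    server_bytes = sum(n for s, _, n in events if s == "server")
    if not server_synack:
        return ("refused" if server_rst else "no-response"), client_bytes
    if server_rst and server_bytes == 0:
        return "accepted-then-reset", client_bytes
    return "established", client_bytes
```

Run it over saved `tcpdump -v` text and look up each verdict in VERDICTS; the thread's trace comes out as accepted-then-reset with 42 client bytes.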

4 Replies

B. BELHADJ
Level 4

Hi

The PAN (Primary Administration Node) is used to manage the different nodes in your ISE distributed deployment. You cannot use it for TACACS Device Administration.

You have to select these new nodes as PSNs (Policy Service Nodes) to be able to authenticate users for device administration with TACACS.

For TACACS you have to configure new "TACACS Command Sets" and new "TACACS Profiles" from the "Device Administration" work center.

I hope that will help you.

If you still have the same issue, please share further details with us.

Best regards

That doesn't sound true; the Small and Split deployments show that two ISE nodes can do everything. Is there a reason that, when growing to Medium-Sized, the two PANs have to do only Admin and logging?

I remember that when I had 4x ISE VMs before, I could use the primary PAN for TACACS, and I was using it to build my policy/command set stuff. How come, when I add two more, the PAN stops doing AAA?


Like Abdollah said - I was thinking the same as I scrolled through this thread.

Here's the relevant Admin Guide section:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_0111.html