
TACACS failures on ISE 3.2

kyle311
Level 1

Alright, after fighting w/ TAC to get my SLR licenses for TACACS, I'm running into a bit of an issue.  I'm just trying a basic config to utilize TACACS to authenticate SSH sessions to our switches.  

I ran the debug Cisco recommends but I'm not seeing what it is that I'm missing. The device is created in ISE, and the TACACS passwords match on both ends.

I put a copy of the debug below.  Any help would be greatly appreciated! 

#test aaa group tacacs+ (username) (password) legacy
Attempting authentication test to server-group tacacs+ using tacacs+

Jul 17 23:27:52.596: AAA: parse name=<no string> idb type=-1 tty=-1
Jul 17 23:27:52.596: AAA/MEMORY: create_user (0x86738F8) user='kyurick' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Jul 17 23:27:52.596: TAC+: send AUTHEN/START packet ver=192 id=1120545143
Jul 17 23:27:52.596: TAC+: Using default tacacs server-group "tacacs+" list.
Jul 17 23:27:52.596: TAC+: Opening TCP/IP to 158.157.232.4/49 timeout=5
Jul 17 23:27:52.596: TCB076F3060 created
Jul 17 23:27:52.596: TCB076F3060 setting property TCP_GIVEUP (41) 8890E98
Jul 17 23:27:52.596: TCB076F3060 setting property TCP_VRFTABLEID (20) 8890EC8
Jul 17 23:27:52.596: tcp_uniqueport: using ephemeral max 65535
Jul 17 23:27:52.596: TCP: Random local port generated 46154, network 1
Jul 17 23:27:52.596: Reserved port 46154 in Transport Port Agent for TCP IP type 1
Jul 17 23:27:52.596: TCP: sending SYN, seq 559074741, ack 0
Jul 17 23:27:52.599: TCP0: Connection to 158.157.232.4:49, advertising MSS 1460
Jul 17 23:27:52.599: TCP0: state was CLOSED -> SYNSENT [46154 -> 158.157.232.4(49)]
Jul 17 23:27:52.599: TCP0: state was SYNSENT -> ESTAB [46154 -> 158.157.232.4(49)]
Jul 17 23:27:52.599: TCP: tcb 76F3060 connection to 158.157.232.4:49, peer MSS 1460, MSS is 1460
Jul 17 23:27:52.599: TCB076F3060 connected to 158.157.232.4.49
Jul 17 23:27:52.599: TAC+: Opened TCP/IP handle 0x76F3060 to 158.157.232.4/49 using source UNKNOWN
Jul 17 23:27:52.599: TAC+: 158.157.232.4 (1120545143) AUTHEN/START/LOGIN/ASCII queued
Jul 17 23:27:52.802: TAC+: (1120545143) AUTHEN/START/LOGIN/ASCII processed
Jul 17 23:27:52.802: TAC+: ver=192 id=1120545143 received AUTHEN status = GETPASS
Jul 17 23:27:52.802: TAC+: send AUTHEN/CONT packet id=1120545143
Jul 17 23:27:52.802: TAC+: 158.157.232.4 (1120545143) AUTHEN/CONT queued
Jul 17 23:27:52.914: TCP0: FIN processed
Jul 17 23:27:52.914: TCP0: state was ESTAB -> CLOSEWAIT [46154 -> 158.157.232.4(49)]
Jul 17 23:27:53.001: TAC+: (1120545143) AUTHEN/CONT processed
Jul 17 23:27:53.001: TAC+: ver=192 id=1120545143 received AUTHEN status = FAIL
Jul 17 23:27:53.001: TAC+: Closing TCP/IP 0x76F3060 connection to 158.157.232.4/49
Jul 17 23:27:53.001: TCP0: state was CLOSEWAIT -> LASTACK [46154 -> 158.157.232.4(49)]
Jul 17 23:27:53.001: TCP0: sending FIN
Jul 17 23:27:53.001: AAA/MEMORY: free_user (0x86738F8) user='kyurick' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
Jul 17 23:27:53.001: TCP0: Got ACK for our FIN
Jul 17 23:27:53.001: TCP0: state was LASTACK -> CLOSED [46154 -> 158.157.232.4(49)]
Jul 17 23:27:53.001: Released port 46154 in Transport Port Agent for TCP IP type 1 delay 240000
Jul 17 23:27:53.001: TCB 0x76F3060 destroyed
User authentication request was rejected by server.
ISE_TEST#
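As an added example (not part of the original post and not Cisco code), the following Python script parses IOS `debug tacacs` / `debug ip tcp transaction` output like the capture above and reduces it to one verdict: no request sent at all, TCP to port 49 never established, a connection with no AUTHEN reply, or, as in this capture, a server that answered GETPASS and then FAIL. Reaching GETPASS means the server could decrypt the START packet, so the shared key is fine and the rejection comes from ISE itself, which is why the ISE live log is the next thing to read. The `SAMPLE_REJECTED` text quotes the post's debug lines with the split lines rejoined; `SAMPLE_UNREACHABLE` is constructed to show the connectivity branch.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# SAMPLE_REJECTED: lines quoted from the original post (split lines rejoined,
# TCB/port bookkeeping omitted). SAMPLE_UNREACHABLE: constructed, not captured.
SAMPLE_REJECTED = """\
Jul 17 23:27:52.596: TAC+: send AUTHEN/START packet ver=192 id=1120545143
Jul 17 23:27:52.596: TAC+: Opening TCP/IP to 158.157.232.4/49 timeout=5
Jul 17 23:27:52.599: TCP0: state was CLOSED -> SYNSENT [46154 -> 158.157.232.4(49)]
Jul 17 23:27:52.599: TCP0: state was SYNSENT -> ESTAB [46154 -> 158.157.232.4(49)]
Jul 17 23:27:52.802: TAC+: ver=192 id=1120545143 received AUTHEN status = GETPASS
Jul 17 23:27:52.802: TAC+: send AUTHEN/CONT packet id=1120545143
Jul 17 23:27:52.914: TCP0: state was ESTAB -> CLOSEWAIT [46154 -> 158.157.232.4(49)]
Jul 17 23:27:53.001: TAC+: ver=192 id=1120545143 received AUTHEN status = FAIL
Jul 17 23:27:53.001: TAC+: Closing TCP/IP 0x76F3060 connection to 158.157.232.4/49
"""

SAMPLE_UNREACHABLE = """\
Jul 17 23:30:01.000: TAC+: send AUTHEN/START packet ver=192 id=1120545144
Jul 17 23:30:01.000: TAC+: Opening TCP/IP to 158.157.232.4/49 timeout=5
Jul 17 23:30:01.003: TCP0: state was CLOSED -> SYNSENT [46155 -> 158.157.232.4(49)]
Jul 17 23:30:06.003: TCP0: state was SYNSENT -> CLOSED [46155 -> 158.157.232.4(49)]
"""

# One debug line: timestamp, subsystem tag (TAC+, TCP0, AAA/MEMORY, ...), message.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:.]+): (?P<sub>[A-Z0-9/+]+): (?P<msg>.*)$")
SERVER_RE = re.compile(r"Opening TCP/IP to (\S+)/(\d+)")
STATE_RE = re.compile(r"state was (\w+) -> (\w+)")
STATUS_RE = re.compile(r"received AUTHEN status = (\w+)")

# Verdicts as constants so callers (and tests) can compare against them.
NO_REQUEST = "no TACACS+ request attempted: check the login method list and server-group configuration"
UNREACHABLE = "TCP session to the server's port 49 never established: check reachability, ACLs and the NAD entry in ISE"
NO_REPLY = "connected but no AUTHEN reply before close: check the shared key and the ISE live log"
REJECTED = "server decrypted the request and rejected the login: check the ISE live log, identity store and device-admin policy"
ERRORED = "server returned AUTHEN status ERROR: check the shared key and the ISE live log"
PASSED = "authentication succeeded"


@dataclass
class TacacsAttempt:
    server: Optional[str] = None
    port: Optional[int] = None
    tcp_states: List[str] = field(default_factory=list)      # TCP states entered, in order
    authen_statuses: List[str] = field(default_factory=list)  # AUTHEN replies, in order
    verdict: str = NO_REQUEST


def triage(debug_text: str) -> TacacsAttempt:
    """Walk the debug lines of one 'test aaa' run and summarise where it failed."""
    a = TacacsAttempt()
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # TCB bookkeeping and prompt echoes carry no AAA state
        sub, msg = m.group("sub"), m.group("msg")
        if sub == "TAC+":
            s = SERVER_RE.search(msg)
            if s:
                a.server, a.port = s.group(1), int(s.group(2))
            s = STATUS_RE.search(msg)
            if s:
                a.authen_statuses.append(s.group(1))
        elif sub.startswith("TCP"):
            s = STATE_RE.search(msg)
            if s:
                a.tcp_states.append(s.group(2))
    if a.server is None:
        a.verdict = NO_REQUEST
    elif "ESTAB" not in a.tcp_states:
        a.verdict = UNREACHABLE
    elif not a.authen_statuses:
        a.verdict = NO_REPLY
    else:
        last = a.authen_statuses[-1]
        a.verdict = {"PASS": PASSED, "FAIL": REJECTED, "ERROR": ERRORED}.get(
            last, f"unhandled AUTHEN status {last}")
    return a


if __name__ == "__main__":
    for name, text in (("rejected", SAMPLE_REJECTED), ("unreachable", SAMPLE_UNREACHABLE)):
        r = triage(text)
        print(f"{name}: server={r.server}:{r.port} tcp={r.tcp_states} authen={r.authen_statuses}")
        print(f"  -> {r.verdict}")
```

Paste a whole `test aaa group` capture into `triage()`; the TCB lines and interleaved prompt fragments are simply skipped because they do not match the timestamp/subsystem pattern.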


balaji.bandi
Hall of Fame

What is the basic config? What device model and IOS code are running?

1. On ISE, make sure you have added the NAD IP of the switch and created users (local ISE or from AD).

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

 

Below config always works for me:

username cisco privilege 15 secret 5 cisco
aaa new-model
tacacs server ISE1
 address ipv4 192.100.1.1
 key Mykey
tacacs server ISE2
 address ipv4 192.200.1.1
 key MyKey
ip tacacs source-interface Loopback0
aaa group server tacacs+ ISE_GRP
 server name ISE1
 server name ISE2
aaa authentication login default group ISE_GRP local
aaa authorization config-commands
aaa authorization exec default group ISE_GRP local
aaa authorization commands 0 default group ISE_GRP local
aaa authorization commands 1 default group ISE_GRP local
aaa authorization commands 15 default group ISE_GRP local
aaa accounting exec default start-stop group ISE_GRP
aaa accounting commands 0 default start-stop group ISE_GRP
aaa accounting commands 1 default start-stop group ISE_GRP
aaa accounting commands 15 default start-stop group ISE_GRP

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
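Added example, not the reply author's configuration tooling and not Cisco code: a small Python lint that parses an IOS AAA/TACACS+ snippet like the one in the reply above and flags the configuration-side mistakes that keep TACACS+ from working as intended (a `tacacs server` with no address or key, a group member that is never defined, a login method list with no `local` fallback or no privilege-15 local user behind it, no `ip tacacs source-interface`). `GOOD_CONFIG` is the reply's config as IOS would indent it; run against it the lint only warns that the two server keys differ in case (`Mykey` vs `MyKey`), which matters because ISE keeps one TACACS shared secret per network device, so both entries normally need the same key. `WEAK_CONFIG` is constructed to trip the other checks.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# GOOD_CONFIG: the reply's configuration, indented as IOS shows it.
# WEAK_CONFIG: constructed to exercise the checks; not from the thread.
GOOD_CONFIG = """\
username cisco privilege 15 secret 5 cisco
aaa new-model
tacacs server ISE1
 address ipv4 192.100.1.1
 key Mykey
tacacs server ISE2
 address ipv4 192.200.1.1
 key MyKey
ip tacacs source-interface Loopback0
aaa group server tacacs+ ISE_GRP
 server name ISE1
 server name ISE2
aaa authentication login default group ISE_GRP local
aaa authorization exec default group ISE_GRP local
aaa accounting exec default start-stop group ISE_GRP
"""

WEAK_CONFIG = """\
aaa new-model
tacacs server ISE1
 address ipv4 192.0.2.10
aaa group server tacacs+ ISE_GRP
 server name ISE1
 server name ISE9
aaa authentication login default group ISE_GRP
"""


@dataclass
class AaaConfig:
    new_model: bool = False
    servers: Dict[str, Dict[str, str]] = field(default_factory=dict)  # name -> {address, key}
    groups: Dict[str, List[str]] = field(default_factory=dict)        # name -> member servers
    login_default: List[str] = field(default_factory=list)            # method-list tokens
    source_interface: Optional[str] = None
    priv15_users: List[str] = field(default_factory=list)


def parse(config_text: str) -> AaaConfig:
    """Collect the AAA-relevant commands; ctx tracks which sub-mode block we are inside."""
    cfg, ctx = AaaConfig(), None
    for raw in config_text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t == ["aaa", "new-model"]:
            cfg.new_model, ctx = True, None
        elif t[:2] == ["tacacs", "server"] and len(t) == 3:
            ctx = ("server", t[2])
            cfg.servers.setdefault(t[2], {})
        elif t[:4] == ["aaa", "group", "server", "tacacs+"] and len(t) == 5:
            ctx = ("group", t[4])
            cfg.groups.setdefault(t[4], [])
        elif ctx and ctx[0] == "server" and t[0] in ("address", "key"):
            cfg.servers[ctx[1]][t[0]] = t[-1]
        elif ctx and ctx[0] == "group" and t[:2] == ["server", "name"]:
            cfg.groups[ctx[1]].append(t[2])
        elif t[:4] == ["aaa", "authentication", "login", "default"]:
            cfg.login_default, ctx = t[4:], None
        elif t[:3] == ["ip", "tacacs", "source-interface"]:
            cfg.source_interface, ctx = t[3], None
        elif t[0] == "username" and "privilege" in t and t[t.index("privilege") + 1] == "15":
            cfg.priv15_users.append(t[1])
            ctx = None
        else:
            ctx = None  # any other top-level command ends the current block
    return cfg


def lint(cfg: AaaConfig) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    f = []
    if not cfg.new_model:
        f.append("aaa new-model missing: the AAA commands below are inactive")
    for name, s in cfg.servers.items():
        for attr in ("address", "key"):
            if attr not in s:
                f.append(f"tacacs server {name}: no {attr} configured")
    for g, members in cfg.groups.items():
        for m in members:
            if m not in cfg.servers:
                f.append(f"group {g} references undefined server {m}")
        keys = {cfg.servers[m].get("key") for m in members if m in cfg.servers}
        if len(keys) > 1:
            f.append(f"group {g}: shared keys differ across members; ISE holds one shared secret per NAD")
    if not cfg.login_default:
        f.append("no 'aaa authentication login default' method list")
    else:
        if "group" in cfg.login_default:
            grp = cfg.login_default[cfg.login_default.index("group") + 1]
            if grp != "tacacs+" and grp not in cfg.groups:  # 'tacacs+' is the implicit default group
                f.append(f"login default uses undefined group {grp}")
        if "local" not in cfg.login_default:
            f.append("login default has no 'local' fallback: lockout risk if every ISE node is unreachable")
        elif not cfg.priv15_users:
            f.append("'local' fallback configured but no privilege-15 local user exists")
    if not cfg.source_interface:
        f.append("no 'ip tacacs source-interface': the source IP may not match the NAD entry in ISE")
    return f


if __name__ == "__main__":
    for name, text in (("reply config", GOOD_CONFIG), ("constructed weak config", WEAK_CONFIG)):
        print(f"{name}:")
        for finding in lint(parse(text)) or ["no findings"]:
            print("  -", finding)
```

The parser is deliberately narrow: it understands only the `tacacs server` and `aaa group server tacacs+` sub-modes plus the handful of top-level AAA commands it checks, so feed it a `show running-config | section aaa|tacacs|username` excerpt rather than a full config.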

Thank you very much. My config is pretty much identical, except I'm testing on a single server. I'm still getting a user rejected when I perform the test aaa testing from the switch. I see the packets sent and sockets opened/closed increasing when I perform the testing, but at no other time.

 

Am I missing something? 

debug aaa authentication <- run this second

debug tacacs <- run this second

debug ip tcp transaction <- run this first

Access via SSH and run the first command, then disable it, then run the two other commands.

Share the result here.

Thanks 

MHM

Am I missing something? 

I presume yes, that is what we are troubleshooting here?

What do the logs show on the ISE side?

show tacacs 

 

BB


kyle311
Level 1

Well, I am getting live log info now...

Message Text: Failed-Attempt: Authentication failed
Failure Reason

22056 Subject not found in the applicable identity store(s)

Resolution

Check whether the subject is present in any one of the chosen identity stores. Note that some identity stores may have been skipped due to identity resolution settings or if they do not support the current authentication protocol.

 

The user exists - what may be missing now?

what may be missing now?

There is no information provided here to miss anything.

Looks like rather than addressing our questions, the reply is going one way, so it's hard to address the issue here.

There is no relation between our questions and your reply.

I suggest you please read below how to ask a question in the community before posting any new one.

explain your setup

explain what is configured

explain how you are testing

explain what the user source is (AD) or local ISE users?

BB


kyle311
Level 1

Heh, so... I found the issue. It kind of helps if you create a policy... since it was going to the default deny.

Thank you all for your help and input!!!

You are so so welcome 

MHM