TACACS+ LiveLog Entries not showing on ISE 2.0

Ilham.Perdana
Level 1

Hi all,

Our customer is using ISE 2.0 installed on a VM with an admin access license. ISE acts as both the RADIUS and the TACACS+ server.

It was running properly until their datacenter's air conditioner went down, causing the ISE server to go down. It came back up after several hours.
The problem began when our customer tried to log in via an AD account and it always failed. The TACACS LiveLog is not showing anything. The RADIUS service does not have this problem and is running properly.

None of the ISE configuration has been changed, nor has the AAA and TACACS configuration on the switches.

I unchecked TACACS Authentication Settings for this device on ISE before reconfiguring, then logged in to the switch (Cat 2960, IOS 12.2) with a local username, erased the TACACS configuration and reconfigured it with the configuration I had copied earlier from the very same switch.

When the reconfiguration was done, I checked TACACS Authentication Settings on the Network Device and then, in a different SSH session, tried to log in to the switch with a local username. The entry showed up on the TACACS LiveLog with error code "13011 Invalid TACACS+ request packet - possibly mismatched Shared Secrets".

I'm sure I entered the right shared secret, and I tried both copying and manually typing the shared secret into the switch and ISE, but the same error persists.

After my first session expired, I could not log in to the switch with a local username, even after I unchecked the TACACS service in ISE's Network Device configuration for this device.

Is this a bug in ISE 2.0.x? If yes, is there any workaround for it? Or maybe it is because the IOS version used on the switches is old (12.2)?

This is a sample config from one of the switches:

aaa group server tacacs+ ip-ise
 server 192.168.100.66

tacacs-server host 192.168.100.66 key 1234567890
tacacs-server directed-request

aaa authentication login default local
aaa authentication login CON none
aaa authentication login vty group ip-ise
aaa authentication enable default enable

aaa authorization console
aaa authorization config-commands
aaa authorization exec CON none
aaa authorization exec vty group ip-ise local if-authenticated
aaa authorization exec ip-ise if-authenticated
aaa authorization commands 1 vty group ip-ise local if-authenticated
aaa authorization commands 15 vty group ip-ise local if-authenticated

aaa accounting exec default start-stop group ip-ise
aaa accounting commands 1 default start-stop group ip-ise
aaa accounting commands 15 default start-stop group ip-ise

Any comment will be appreciated. Thank you.
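The 13011 message in the post is what a TACACS+ server reports when the packet body does not decode into a sane request, which is exactly what a wrong shared secret produces. As an added example (not from the original post and not Cisco's code), here is a small Python model of the TACACS+ body obfuscation from RFC 8907 together with the server-side length check that a mismatched key fails; the packet builder, session ID, username and port names are constructed for illustration, and the key is the sample one from the switch config above.

```python
import hashlib
import struct

# TACACS+ header (RFC 8907): version, type, seq_no, flags, session_id, body length
HEADER = struct.Struct("!BBBBII")
VERSION = 0xC0          # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream from RFC 8907 section 4.5: each chunk chains the previous digest."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call both obfuscates and de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(user, port, rem_addr, session_id, key):
    """Authentication START (ASCII login, priv 1) as a switch would send it (constructed sample)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = bytes([0x01, 1, 0x01, 0x01, len(u), len(p), len(r), 0]) + u + p + r
    header = HEADER.pack(VERSION, TYPE_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, 1)

def check_authen_start(packet, key):
    """Server-side check: de-obfuscate with the configured key and verify the field lengths."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:]
    if ptype != TYPE_AUTHEN or len(body) != length or len(body) < 8:
        return "malformed header"
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    user_len, port_len, rem_len, data_len = body[4:8]
    # A wrong key turns the length fields into pseudo-random bytes, so the sum no longer
    # matches the body length; this is the condition behind ISE's 13011 "possibly
    # mismatched Shared Secrets" verdict.
    if 8 + user_len + port_len + rem_len + data_len != len(body):
        return "13011 invalid request - possibly mismatched shared secret"
    return "ok user=" + body[8:8 + user_len].decode(errors="replace")

if __name__ == "__main__":
    pkt = build_authen_start("admin", "tty2", "192.168.100.1", 0x1234ABCD, b"1234567890")
    print(check_authen_start(pkt, b"1234567890"))   # matching key: decodes cleanly
    print(check_authen_start(pkt, b"1234567891"))   # one character off: 13011 condition
```

A packet capture on the ISE node, as suggested in the reply, shows the obfuscated body on the wire; a packet that is well formed but fails this length check once de-obfuscated points at the key rather than at the switch's AAA configuration.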

Accepted Solution

Marvin Rhoads
Hall of Fame

ISE 2.0 was the first release to include TACACS+ support. It is generally recommended to run the latest release (currently 2.1 Patch 1).

That said, if it was working before it should continue to do so following a power cycle.

You can try a packet capture on your ISE node (the servicing PSN in a multi-node deployment) to see the details of what's coming through, and that might tell you more.
