TACACS Livelog only displays Failed attempts

mitali02
Level 1

I am deploying Cisco ISE 2.3.0.298 for device administration in our network. We have a distributed deployment with one node as the Primary Admin node and the second node as the Primary Monitoring node. I have the Base license and the Device Admin license installed.

I did a manual failover test for the PAN, which didn't go quite as expected. I had to deregister and register the node to revert to the original setup. I also had to add the licenses again after this.

Since this change, TACACS livelogs have stopped displaying successful AAA attempts. It only shows failed authentication attempts. I already verified that AAA is actually working using TCP dumps. I am logging in as Super Admin with full permissions.

It seems like a license issue or a logging level issue. I checked both of them and everything seems like the previous setup. Has anyone seen a similar issue in their deployment?

4 Replies

Jatin Katyal
Cisco Employee

Can you check inside Work Centers > Device Administration > Reports > Device Administration Reports > TACACS Authentication? Let me know.

 

~Jatin

It only shows the Failed attempts that are visible under Livelogs. Before I tried the Manual failover, I could see all attempts under Tacacs Auth, All accounting statements under Tacacs Acct, etc. 

Hi Jatin,

 

Do you have any other suggestions to fix this issue? I have Base with Device Admin license running on my node. Could you please confirm if there is some additional license needed? I am running out of options with this behavior.

 

Thanks.

Finally managed to get this issue fixed! I opened a TAC case and the engineer reported we are hitting the bug CSCvd79546. Some logging categories are deleted, so those logs are not reported. The TAC engineer ran a SQL script to add those categories.