02-27-2018 05:21 AM - edited 02-21-2020 10:46 AM
I am deploying Cisco ISE 2.3.0.298 for Device Administration in our network. We have a distributed deployment with one node as the Primary Admin node and a second node as the Primary Monitoring node. I have a Base license and a Device Admin license installed.
I did a manual failover test for the PAN, which didn't go quite as expected. I had to deregister and register the node to revert to the original setup. I also had to add the licenses again after this.
Since this change, TACACS livelogs have stopped displaying Successful AAA attempts. It only shows Failed Authentication attempts. I already verified that AAA is actually working using TCP dumps. I am logging in as Super admin with full permissions.
It seems like a License issue or a Logging level issue. I checked both of them and everything seems like the previous setup. Has anyone seen a similar issue in their deployment?
02-27-2018 10:08 AM
Can you check inside Work Centers > Device Administration > Reports > Device Administration Reports > TACACS Authentication? Let me know.
02-27-2018 02:05 PM
It only shows the failed attempts that are visible under Livelogs. Before I tried the manual failover, I could see all attempts under Tacacs Auth, all accounting statements under Tacacs Acct, etc.
03-12-2018 06:55 AM
Hi Jatin,
Do you have any other suggestions to fix this issue? I have Base with Device Admin license running on my node. Could you please confirm whether some additional license is needed? I am running out of options with this behavior.
Thanks.
03-30-2018 04:08 AM
Finally managed to get this issue fixed! I opened a TAC case and the engineer reported that we are hitting the bug CSCvd79546. Some logging categories are deleted, so those logs are not reported. The TAC engineer ran a SQL script to add those categories.