Enthusiast

TACACS Proxy with Service-Argument Attribute not working Issue

Hello, we are trying to utilize TACACS Proxy for the following scenario,

WLC < ----- > ISE2.6-Patch5 < ----- proxying ----- > Central ISE

We are using the 'Service-Argument' attribute in the proxied request as in the screenshot below, and we see this on both ISE and in packet captures. When we create a rule, however, it is not matched using this attribute.

The Central ISE does not match this in any of the following cases “EQUALS, CONTAINS, IN, STARTSWITH or MATCHES”.
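
The attribute this thread is trying to match travels inside the TACACS+ authorization REQUEST as an argument named service (a later reply gives the value as ciscowlc). The Python below is an added example, not code from the thread, from Cisco, or from ISE: it builds a constructed request body in the RFC 8907 section 6.1 layout, parses it the way a capture decoder does once the shared-secret obfuscation has been removed, and evaluates the five condition operators the post lists against the service value. The constant names, the sample packet and the operator semantics (EQUALS, CONTAINS, IN as a comma-separated list, STARTSWITH, MATCHES as a full regular-expression match) are assumptions that mirror the operator names, not ISE's implementation.

```python
"""Decode a TACACS+ authorization REQUEST body and evaluate an ISE-style
condition on its 'service' argument. Added example; the packet is a
constructed sample and the operator semantics are assumptions."""
import re
import struct

# Assumed names for the RFC 8907 values used in the sample.
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def build_author_request(user, port, rem_addr, args, priv_lvl=15):
    """Build a cleartext authorization REQUEST body (the bytes after the
    12-byte header, with the shared-secret obfuscation already removed)."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    arg_bs = [a.encode() for a in args]
    if len(arg_bs) > 255 or any(len(a) > 255 for a in arg_bs):
        raise ValueError("arg_cnt and each arg_len are single bytes")
    body = struct.pack("!BBBB", TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl,
                       TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN)
    body += struct.pack("!BBBB", len(user_b), len(port_b), len(rem_b), len(arg_bs))
    body += bytes(len(a) for a in arg_bs)        # one length byte per argument
    body += user_b + port_b + rem_b + b"".join(arg_bs)
    return body


def parse_author_request(body):
    """Parse the 8 fixed bytes, the arg_len table, then the variable fields
    in wire order. Truncated or trailing bytes raise instead of guessing."""
    if len(body) < 8:
        raise ValueError("body shorter than the 8 fixed bytes")
    (authen_method, priv_lvl, authen_type, authen_service,
     user_len, port_len, rem_len, arg_cnt) = struct.unpack("!8B", body[:8])
    off = 8
    arg_lens = list(body[off:off + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated arg_len table")
    off += arg_cnt

    def take(n):
        nonlocal off
        chunk = body[off:off + n]
        if len(chunk) != n:
            raise ValueError("truncated body")
        off += n
        return chunk.decode("ascii", errors="replace")

    user, port, rem_addr = take(user_len), take(port_len), take(rem_len)
    args = [take(n) for n in arg_lens]
    if off != len(body):
        raise ValueError("trailing bytes after last argument")
    return {"authen_method": authen_method, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "authen_service": authen_service,
            "user": user, "port": port, "rem_addr": rem_addr, "args": args}


def split_args(args):
    """Map each argument name to (value, mandatory). In RFC 8907 '=' marks a
    mandatory argument and '*' an optional one."""
    out = {}
    for a in args:
        m = re.match(r"([^=*]+)([=*])(.*)", a, re.S)
        if not m:
            raise ValueError(f"malformed argument {a!r}")
        name, sep, value = m.groups()
        out[name] = (value, sep == "=")
    return out


def condition_matches(value, operator, operand):
    """Assumed semantics for the operators named in the original post."""
    if operator == "EQUALS":
        return value == operand
    if operator == "CONTAINS":
        return operand in value
    if operator == "STARTSWITH":
        return value.startswith(operand)
    if operator == "IN":                     # operand: comma-separated list
        return value in [x.strip() for x in operand.split(",")]
    if operator == "MATCHES":                # operand: regular expression
        return re.fullmatch(operand, value) is not None
    raise ValueError(f"unknown operator {operator!r}")


def service_argument_matches(body, operator, operand):
    """True when the request carries a 'service' argument and the condition
    holds for its value; False when the argument is absent."""
    args = split_args(parse_author_request(body)["args"])
    if "service" not in args:
        return False
    return condition_matches(args["service"][0], operator, operand)


if __name__ == "__main__":
    # Constructed sample: a login whose device announces service=ciscowlc.
    sample = build_author_request("admin", "tty0", "10.0.0.5",
                                  ["service=ciscowlc", "cmd*"])
    print("arguments on the wire:", parse_author_request(sample)["args"])
    for op, operand in [("EQUALS", "ciscowlc"), ("STARTSWITH", "cisco"),
                        ("IN", "shell, ciscowlc"), ("MATCHES", r"cisco.*")]:
        print(f"service {op} {operand!r}:",
              service_argument_matches(sample, op, operand))
```

Running the parser over the decoded body from a capture shows the exact argument name and value the device sent, so a mismatch between that and the operand in the rule can be ruled out before concluding the server is at fault; it says nothing about how ISE itself evaluates the condition.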

Cisco Employee

Re: TACACS Proxy with Service-Argument Attribute not working Issue

Hi @joshhunter 

To absolutely confirm that it is indeed this attribute which is not letting the Central ISE match that AuthZ rule, can you please remove the condition where you are looking for this?

So, if this attribute is really the problem, you should match that particular AuthZ rule with the other two conditions in place.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.
Enthusiast

Re: TACACS Proxy with Service-Argument Attribute not working Issue

Sorry, I forgot to mention: yes, it matches rules further down, so it is definitely this attribute.
It needs this attribute to match on; we cannot use location, device group, or IP.
Thanks
Cisco Employee

Re: TACACS Proxy with Service-Argument Attribute not working Issue

@joshhunter ,

  1. How are you "proxying" the requests from one ISE to another?
  2. Which version is the 'Central ISE'?

I'd suggest you enable DEBUG for the component called 'runtime-AAA' on the central ISE and check there. 

The log to check would be prrt-server.log.

Check out this article for debugs and logs: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212594-debugs-to-troubleshoot-on-ise.html#anc28 

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.
Enthusiast

Re: TACACS Proxy with Service-Argument Attribute not working Issue

Central ISE is running 2.7 Patch1 but tried various versions in lab environment. 

TACACS proxy using the external TACACS server, pointing ISE to the Central ISE.

I will give the debug a go.

 

Thanks
Enthusiast

Re: TACACS Proxy with Service-Argument Attribute not working Issue

Hello, I've since tried without TACACS 'Proxy' (Using External TACACS server). It still fails to match.

I tried to match using the service argument of “ciscowlc”.  This didn’t match the required rule – again I tried the different options.  

Enthusiast

Re: TACACS Proxy with Service-Argument Attribute not working Issue

The debugging didn't tell me much.

I suspect it is a BUG and will log it.

Thanks

Cisco Employee

Re: TACACS Proxy with Service-Argument Attribute not working Issue

Alright. Please let us know the findings.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.