cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3366
Views
10
Helpful
7
Replies

TACACS Proxy with Service-Argument Attribute not working Issue

joshhunter
Level 4
Level 4

Hello, we are trying to utilize TACACS Proxy for the following scenario,

 

WLC < ----- > ISE2.6-Patch5 < ----- proxying ----- > Central ISE

 

We are using the 'Service-Argument' attribute in the proxied request as below screenshot and we see this on both ISE and in packet captures. When we create a rule however it is not matched using this attribute. 

 

thumbnail_image005.jpgthumbnail_image019.png

 

The Central ISE does not match this in any of the following cases “EQUALS, CONTAINS, IN, STARTSWITH or MATCHES”.

 

 

7 Replies 7

Anurag Sharma
Cisco Employee
Cisco Employee

Hi @joshhunter 

To absolutely confirm that is indeed this attribute which is not letting the Central ISE match that AuthZ rule, can you please remove the condition where you are looking for this.

So, if this attribute is really the problem, you should match that particular AuthZ rule with the other two conditions in place.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

Sorry I forgot to mention, yes it matches rules further down, so it is definitely this attribute.
It needs this attribute to match on we cannot use location, device group, or IP.
Thanks

@joshhunter ,

  1. How are you "proxying" the requests from one ISE to another?
  2. Which version is the 'Central ISE'?

I'd suggest you enable DEBUG for the component called 'runtime-AAA' on the central ISE and check there. 

The log to check would be prrt-server.log.

Check out this article for debugs and logs: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212594-debugs-to-troubleshoot-on-ise.html#anc28 

 

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

Central ISE is running 2.7 Patch1 but tried various versions in lab environment. 

TACACS PROXY using the external TACACS server pointing ISE to Central ISE.

I will give the debug ago 

 

Thanks

 

 

 

 

Hello, I've since tried without TACACS 'Proxy' (Using External TACACS server). It still fails to match.

I tried to match using the service argument of “ciscowlc”.  This didn’t match the required rule – again I tried the different options.  

 

The debugging didn't tell me much.

I suspect it is a BUG and will log.

 

Thanks

Alright. Please let us know the findings.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.