This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
Hello, we are trying to utilize TACACS Proxy for the following scenario,
WLC < ----- > ISE2.6-Patch5 < ----- proxying ----- > Central ISE
We are using the 'Service-Argument' attribute in the proxied request as below screenshot and we see this on both ISE and in packet captures. When we create a rule however it is not matched using this attribute.
The Central ISE does not match this in any of the following cases “EQUALS, CONTAINS, IN, STARTSWITH or MATCHES”.
To absolutely confirm that is indeed this attribute which is not letting the Central ISE match that AuthZ rule, can you please remove the condition where you are looking for this.
So, if this attribute is really the problem, you should match that particular AuthZ rule with the other two conditions in place.
I'd suggest you enable DEBUG for the component called 'runtime-AAA' on the central ISE and check there.
The log to check would be prrt-server.log.
Check out this article for debugs and logs: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212594-debugs-to-troubleshoot-on-ise.html#anc28
Central ISE is running 2.7 Patch1 but tried various versions in lab environment.
TACACS PROXY using the external TACACS server pointing ISE to Central ISE.
I will give the debug ago
Hello, I've since tried without TACACS 'Proxy' (Using External TACACS server). It still fails to match.
I tried to match using the service argument of “ciscowlc”. This didn’t match the required rule – again I tried the different options.