Showing results for 
Search instead for 
Did you mean: 

TACACS Proxy with Service-Argument Attribute not working Issue


Hello, we are trying to utilize TACACS Proxy for the following scenario,


WLC < ----- > ISE2.6-Patch5 < ----- proxying ----- > Central ISE


We are using the 'Service-Argument' attribute in the proxied request as below screenshot and we see this on both ISE and in packet captures. When we create a rule however it is not matched using this attribute. 




The Central ISE does not match this in any of the following cases “EQUALS, CONTAINS, IN, STARTSWITH or MATCHES”.



7 Replies 7

Anurag Sharma
Cisco Employee
Cisco Employee

Hi @joshhunter 

To absolutely confirm that is indeed this attribute which is not letting the Central ISE match that AuthZ rule, can you please remove the condition where you are looking for this.

So, if this attribute is really the problem, you should match that particular AuthZ rule with the other two conditions in place.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

Sorry I forgot to mention, yes it matches rules further down, so it is definitely this attribute.
It needs this attribute to match on we cannot use location, device group, or IP.

@joshhunter ,

  1. How are you "proxying" the requests from one ISE to another?
  2. Which version is the 'Central ISE'?

I'd suggest you enable DEBUG for the component called 'runtime-AAA' on the central ISE and check there. 

The log to check would be prrt-server.log.

Check out this article for debugs and logs: 


Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

Central ISE is running 2.7 Patch1 but tried various versions in lab environment. 

TACACS PROXY using the external TACACS server pointing ISE to Central ISE.

I will give the debug ago 







Hello, I've since tried without TACACS 'Proxy' (Using External TACACS server). It still fails to match.

I tried to match using the service argument of “ciscowlc”.  This didn’t match the required rule – again I tried the different options.  


The debugging didn't tell me much.

I suspect it is a BUG and will log.



Alright. Please let us know the findings.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers