Hello, we are trying to utilize TACACS Proxy for the following scenario,
WLC < ----- > ISE2.6-Patch5 < ----- proxying ----- > Central ISE
We are using the 'Service-Argument' attribute in the proxied request, as in the screenshot below, and we see it on both ISE nodes and in packet captures. When we create a rule, however, it is not matched using this attribute.
The Central ISE does not match this in any of the following cases “EQUALS, CONTAINS, IN, STARTSWITH or MATCHES”.
To absolutely confirm that it is indeed this attribute which is not letting the Central ISE match that AuthZ rule, can you please remove the condition where you are looking for it?
So, if this attribute is really the problem, you should match that particular AuthZ rule with the other two conditions in place.
I'd suggest you enable DEBUG for the component called 'runtime-AAA' on the central ISE and check there.
The log to check would be prrt-server.log.
Check out this article for debugs and logs: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212594-debugs-to-troubleshoot-on-ise.html#anc28
Hello, I've since tried without TACACS 'Proxy' (Using External TACACS server). It still fails to match.
I tried to match using the service argument of “ciscowlc”. This didn’t match the required rule; again, I tried the different options.
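To make the matching question in this thread concrete, here is an added example (not code from the thread, from Cisco ISE, or from any Cisco product) that parses the argument strings of a TACACS+ authorization request in the RFC 8907 form ("attr=value" mandatory, "attr*value" optional), evaluates a rule whose conditions use the operator names mentioned above (EQUALS, CONTAINS, IN, STARTSWITH, MATCHES), and reports why an exact comparison on a value such as "ciscowlc" can fail even when the attribute is clearly visible in a capture. The sample arguments, the rule, and the operator semantics are assumptions for illustration; they are not ISE's documented behaviour.

```python
import re

# Constructed sample input: the argument strings of one TACACS+ authorization
# REQUEST (RFC 8907: "attr=value" marks a mandatory argument, "attr*value" an
# optional one). The values are made up for this example.
SAMPLE_ARGS = ["service=ciscowlc", "protocol*ip", "cmd="]

# Hypothetical rule: every condition must hold (AND), mirroring an AuthZ rule
# that checks the service argument alongside two other conditions.
SAMPLE_RULE = [
    ("service", "EQUALS", "ciscowlc"),
    ("protocol", "IN", ["ip", "ipx"]),
    ("cmd", "MATCHES", r"^$"),
]


def parse_tacacs_args(args):
    """Map each argument name to (value, mandatory) from RFC 8907 argument strings."""
    parsed = {}
    for arg in args:
        # The first '=' or '*' is the separator; everything after it is the value.
        m = re.match(r"^([^=*]+)([=*])(.*)$", arg, re.S)
        if not m:
            raise ValueError(f"malformed TACACS+ argument: {arg!r}")
        name, sep, value = m.groups()
        parsed[name] = (value, sep == "=")
    return parsed


def evaluate(operator, actual, expected):
    """Assumed semantics for the operator names used in the thread."""
    if operator == "EQUALS":
        return actual == expected
    if operator == "CONTAINS":
        return expected in actual
    if operator == "IN":
        return actual in expected          # expected is a list of allowed values
    if operator == "STARTSWITH":
        return actual.startswith(expected)
    if operator == "MATCHES":
        return re.search(expected, actual) is not None
    raise ValueError(f"unknown operator {operator!r}")


def evaluate_rule(parsed, conditions):
    """Return True only if every (attribute, operator, expected) condition holds.
    A condition on an attribute that is absent from the request never matches."""
    for attr, operator, expected in conditions:
        if attr not in parsed:
            return False
        value, _mandatory = parsed[attr]
        if not evaluate(operator, value, expected):
            return False
    return True


def mismatch_reasons(actual, expected):
    """Explain why a value that looks right on screen fails an exact comparison.
    Handy when a capture shows the attribute but the rule still does not fire."""
    reasons = []
    if actual == expected:
        return reasons
    stripped = actual.strip("\x00 \t\r\n")
    if actual.strip() != actual:
        reasons.append("leading/trailing whitespace")
    if "\x00" in actual:
        reasons.append("embedded NUL byte")
    if stripped.lower() == expected.lower() and stripped != expected:
        reasons.append("case differs")
    if not reasons:
        reasons.append("values differ")
    return reasons


if __name__ == "__main__":
    request = parse_tacacs_args(SAMPLE_ARGS)
    print(request)
    print("rule matched:", evaluate_rule(request, SAMPLE_RULE))
    print(mismatch_reasons("ciscowlc ", "ciscowlc"))
```

When comparing what the central server logs with what the rule expects, feeding the raw value into `mismatch_reasons` is a quick way to rule out trailing whitespace, NUL padding, or a case difference before suspecting the proxy path itself.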