2983 Views · 10 Helpful · 7 Replies

TACACS Proxy with Service-Argument Attribute not working Issue

joshhunter
Level 4

Hello, we are trying to utilize TACACS Proxy for the following scenario,

WLC < ----- > ISE2.6-Patch5 < ----- proxying ----- > Central ISE

We are using the 'Service-Argument' attribute in the proxied request as below screenshot and we see this on both ISE and in packet captures. When we create a rule however it is not matched using this attribute.

[screenshots: thumbnail_image005.jpg, thumbnail_image019.png]

 

The Central ISE does not match this in any of the following cases “EQUALS, CONTAINS, IN, STARTSWITH or MATCHES”.

7 Replies

Anurag Sharma
Cisco Employee

Hi @joshhunter 

To absolutely confirm that it is indeed this attribute which is not letting the Central ISE match that AuthZ rule, can you please remove the condition where you are looking for this.

So, if this attribute is really the problem, you should match that particular AuthZ rule with the other two conditions in place.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

Sorry I forgot to mention, yes it matches rules further down, so it is definitely this attribute.
It needs this attribute to match on; we cannot use location, device group, or IP.
Thanks

@joshhunter ,

  1. How are you "proxying" the requests from one ISE to another?
  2. Which version is the 'Central ISE'?

I'd suggest you enable DEBUG for the component called 'runtime-AAA' on the central ISE and check there. 

The log to check would be prrt-server.log.

Check out this article for debugs and logs: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212594-debugs-to-troubleshoot-on-ise.html#anc28

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

Central ISE is running 2.7 Patch1 but tried various versions in lab environment.

TACACS PROXY using the external TACACS server pointing ISE to Central ISE.

I will give the debug a go.

Thanks
Hello, I've since tried without TACACS 'Proxy' (using External TACACS server). It still fails to match.

I tried to match using the service argument of “ciscowlc”. This didn’t match the required rule – again I tried the different options.

The debugging didn't tell me much.

I suspect it is a BUG and will log.

Thanks
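The thread never shows what the Central ISE actually receives on the wire. The following is an added example, not code from the thread or from Cisco ISE: it builds a TACACS+ authorization REQUEST carrying `service=ciscowlc` (RFC 8907 6.1), applies the RFC 8907 4.5 body obfuscation with an assumed shared secret and session id, decodes it back as a capture tool with the secret would, and then evaluates the operators named above (EQUALS, CONTAINS, STARTSWITH, MATCHES) against the exact `service` value, so a reader can compare the bytes in their own capture with the rule value instead of guessing.

```python
import hashlib
import re
import struct

# Assumed values for the constructed sample (not taken from the thread).
KEY = b"example-secret"
SESSION_ID = 0x1234ABCD
VERSION, SEQ_NO = 0xC0, 1  # major 0xC, minor 0; first packet of the session

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5 pad: chained MD5 over session_id, key, version, seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR body with the pad; applying it twice restores the clear body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authz_body(user, port, rem_addr, args):
    """Authorization REQUEST body: 8 fixed bytes, arg lengths, then the strings."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    # authen_method=TACACSPLUS(6), priv_lvl=1, authen_type=ASCII(1), authen_service=LOGIN(1)
    head = struct.pack("!8B", 6, 1, 1, 1, len(u), len(p), len(r), len(a))
    return head + bytes(len(x) for x in a) + u + p + r + b"".join(a)

def parse_authz_args(body):
    """Return {name: (separator, value)}; '=' marks a mandatory arg, '*' an optional one."""
    user_len, port_len, rem_len, arg_cnt = struct.unpack("!4B", body[4:8])
    arg_lens = list(body[8:8 + arg_cnt])
    pos = 8 + arg_cnt + user_len + port_len + rem_len
    out = {}
    for n in arg_lens:
        raw = body[pos:pos + n].decode("ascii", "replace")
        pos += n
        m = re.match(r"([^=*]+)([=*])(.*)", raw, re.S)
        if m:
            out[m.group(1)] = (m.group(2), m.group(3))
    return out

def service_matches(args, operator, pattern):
    """Evaluate the rule operators from the thread against the exact 'service' value."""
    value = args.get("service", (None, None))[1]
    if value is None:
        return False
    return {"EQUALS": value == pattern, "CONTAINS": pattern in value,
            "STARTSWITH": value.startswith(pattern),
            "MATCHES": re.fullmatch(pattern, value) is not None}[operator]

def demo():
    """Constructed WLC-style request: obfuscate as on the wire, then decode and parse."""
    clear = build_authz_body("admin", "tty0", "10.0.0.5", ["service=ciscowlc", "protocol=ip"])
    wire = obfuscate(clear, SESSION_ID, KEY, VERSION, SEQ_NO)
    return parse_authz_args(obfuscate(wire, SESSION_ID, KEY, VERSION, SEQ_NO))
```

Running `demo()` on a real capture body (after the 12-byte header, with the real secret, session id, version and seq_no) shows the separator and every byte of the value; a stray character or an optional `*` arg would explain a non-match that the operators alone cannot.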

Alright. Please let us know the findings.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.