10-04-2018 03:55 AM - edited 03-11-2019 01:50 AM
Dear All,
I am facing the following problem:
I have a basic TACACS+ configuration, as far as the TACACS policy is concerned, which is described in the attached PNG.
I also have a local user test and a network device.
Overview
Request Type: Authentication
Status: Fail
Session Key: tacacs-server/327859046/169
Message Text: TACACS: TACACS+ will use the password prompt from global TACACS+ configuration
Username: test
Authentication Policy:
Selected Authorization Profile:
Authentication Details
Generated Time: 2018-10-04 13:25:43.840000 +03:00
Logged Time: 2018-10-04 13:25:43.841
Epoch Time (sec): 1538648743
ISE Node: tacacs-server
Message Text: TACACS: TACACS+ will use the password prompt from global TACACS+ configuration
Failure Reason:
Resolution:
Root Cause:
Username: test
Network Device Name:
Network Device IP: 1.1.1.1
Network Device Groups:
Device Type:
Location:
Device Port: tty3
Remote Address: 192.168.1.2
TACACS Protocol
Authentication Action: Login
Authentication Privilege Level: 1
Authentication Type: ASCII
Authentication Service: Login
Other Attributes
ConfigVersionId: 86
Device Port: 15896
MajorVersion: Default
MinorVersion: Default
Type: Authentication
Sequence-Number: 1
Header-Flags: Encrypted
SessionId: 2246432117
EnableSingleConnect: false
CiscoIOS: false
UseSingleConnect: false
SelectedAccessService: Default Device Admin
Sequence-Number: 2
CPMSessionID: 22464321171.1.1.115896Authentication2246432117
Response: {AuthenticationResult=NotPerformed; }
Any ideas?
Ditter.
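The detail report above stops at Sequence-Number 2 with AuthenticationResult=NotPerformed, and the 2024 follow-up later in this thread shows the same prompt step (13045) followed by a REPLY (13015) and a CONTINUE (13014). To make those sequence numbers concrete, here is an added example, not code from Cisco ISE, IOS or anyone in this thread, that builds both sides of a four-packet RFC 8907 ASCII login (START, REPLY GETPASS, CONTINUE, REPLY PASS/FAIL) with the RFC's MD5 body obfuscation (the header flag ISE labels "Encrypted"), and then maps a transcript to Passed, Failed or NotPerformed. The shared secret, the prompt text and the local user database are constructed for the example; the session ID, port tty3 and remote address 192.168.1.2 are taken from the report. The authentication_result mapping is my own illustration of what a session that never reached a final REPLY looks like, not ISE's logic.

```python
import hashlib
import struct

# RFC 8907 header; ISE shows MajorVersion/MinorVersion "Default" and Header-Flags "Encrypted"
VERSION = 0xC0                      # major 0xC, minor 0
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01             # clear => body is obfuscated with the MD5 pseudo-pad
HEADER = struct.Struct('!BBBBII')   # version, type, seq_no, flags, session_id, length

ACTION_LOGIN = AUTHEN_TYPE_ASCII = SERVICE_LOGIN = 0x01
STATUS_PASS, STATUS_FAIL, STATUS_GETPASS = 0x01, 0x02, 0x05
REPLY_FLAG_NOECHO = 0x01


def pseudo_pad(session_id, key, seq_no, length):
    """RFC 8907 5.2: MD5_1 = MD5(session_id|key|version|seq_no), MD5_n = MD5(...|MD5_n-1), concatenated."""
    seed = struct.pack('!I', session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b'', b''
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no):
    """XOR the body with the pseudo-pad; the same call reverses it."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))


def build_packet(seq_no, session_id, body, key):
    return HEADER.pack(VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body)) + obfuscate(body, session_id, key, seq_no)


def parse_packet(packet, key):
    """Return (seq_no, session_id, plaintext body); de-obfuscate unless the UNENCRYPTED flag is set."""
    _, _, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, seq_no)
    return seq_no, session_id, body


def authen_start(user, port, rem_addr, priv_lvl=1):
    """START body: action, priv_lvl, authen_type, service, four length bytes, then user, port, rem_addr."""
    return struct.pack('!8B', ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII, SERVICE_LOGIN,
                       len(user), len(port), len(rem_addr), 0) + user + port + rem_addr


def authen_reply(status, server_msg=b'', flags=0):
    return struct.pack('!BBHH', status, flags, len(server_msg), 0) + server_msg


def parse_reply(body):
    status, _, msg_len, _ = struct.unpack('!BBHH', body[:6])
    return status, body[6:6 + msg_len]


def authen_continue(user_msg):
    return struct.pack('!HHB', len(user_msg), 0, 0) + user_msg


def parse_continue(body):
    msg_len = struct.unpack('!HHB', body[:5])[0]
    return body[5:5 + msg_len]


def ascii_login(user, password, key, session_id, local_users, password_prompt=b'Password: '):
    """Play both sides of a four-packet ASCII login; return ([(seq_no, note), ...], final REPLY status)."""
    transcript = []
    # seq 1, client -> server: START with the username; port and rem_addr as in the ISE report
    seq, _, body = parse_packet(build_packet(1, session_id, authen_start(user, b'tty3', b'192.168.1.2'), key), key)
    received_user = body[8:8 + body[4]]
    transcript.append((seq, 'START user=%s' % received_user.decode()))
    # seq 2, server -> client: GETPASS carrying the server's global password prompt, NOECHO set
    reply = authen_reply(STATUS_GETPASS, password_prompt, REPLY_FLAG_NOECHO)
    seq, _, body = parse_packet(build_packet(2, session_id, reply, key), key)
    transcript.append((seq, 'REPLY GETPASS prompt=%r' % parse_reply(body)[1].decode()))
    # seq 3, client -> server: CONTINUE with what the user typed at that prompt
    seq, _, body = parse_packet(build_packet(3, session_id, authen_continue(password), key), key)
    supplied = parse_continue(body)
    transcript.append((seq, 'CONTINUE'))
    # seq 4, server -> client: final verdict against the constructed local user database
    verdict = STATUS_PASS if local_users.get(received_user) == supplied else STATUS_FAIL
    seq, _, body = parse_packet(build_packet(4, session_id, authen_reply(verdict), key), key)
    status = parse_reply(body)[0]
    transcript.append((seq, 'REPLY PASS' if status == STATUS_PASS else 'REPLY FAIL'))
    return transcript, status


def authentication_result(transcript):
    """Illustrative mapping (not ISE's code): a session whose last record is not a final REPLY has no result."""
    last = transcript[-1][1] if transcript else ''
    return {'REPLY PASS': 'Passed', 'REPLY FAIL': 'Failed'}.get(last, 'NotPerformed')


if __name__ == '__main__':
    steps, status = ascii_login(b'test', b'correct', b'shared-secret', 2246432117, {b'test': b'correct'})
    for seq_no, note in steps:
        print(seq_no, note)
    print(authentication_result(steps), authentication_result(steps[:2]))
```

Running it prints the four steps and then "Passed NotPerformed": the full exchange yields a result, while a transcript cut off after sequence 2 (the START and the GETPASS reply carrying the global prompt) is exactly the shape of the report above, where the prompt message is informational and no final REPLY was recorded. Note that the pseudo-pad is MD5 keyed by the shared secret, so it hides the body from a casual capture but provides no integrity protection; RFC 8907 recommends running TACACS+ over a protected transport.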
10-04-2018 04:37 AM
Asking our SME on this one.
10-04-2018 05:05 AM
Perhaps it was not clear from my previous post: the problem with this configuration is that the authentication fails, although the user logs in to the switch. I would expect ISE to show a green tick box in the logs instead of a red circle as far as the authentication is concerned. The message that shows in the logs is the following:
TACACS: TACACS+ will use the password prompt from global TACACS+ configuration, which confuses me.
Thanks,
Ditter
10-04-2018 06:19 AM
Can you please provide the logs from the right side under "Steps" (it's the same page you provided for "Overview" and "Authentication Details")?
If you can also provide a debug of the runtime-AAA log file, that would also help.
thanks,
Danny
10-04-2018 06:37 AM
The problem is that the right side of the log window is blank! I have nothing there.
10-04-2018 06:42 AM
10-05-2018 04:50 AM
Any ideas why the Steps column in the ISE log is empty? What could be wrong?
Thanks.
10-05-2018 11:14 AM
Not sure why you're not seeing "Steps" on the right of that same page; it seems very odd. You might want to follow up with TAC on that.
The log file whose status you need to change to debug is runtime-AAA.
It's in the list.
10-09-2018 11:15 PM
Just following up to see if you have had a chance to provide us the debug file, as you mentioned you cannot see anything under "Steps".
10-10-2018 05:45 AM
Thank you for your follow-up.
I found the culprit for the live log page being partially empty.
More specifically, as I was trying to reduce the mass of logged messages, I accidentally erased LogCollector from the Passed Authentications logging category.
The strange thing was that I got Authentication Fail in the Live Logs (the red circle with the x on it). When I re-enabled the LogCollector, the authentication succeeded again with the green tick box!! Please note that I did not change anything except adding back the LogCollector in the Passed Authentications category!
It seems to me more of a bug and not normal behavior.
One idea would be for the admin user not to be able to remove LogCollector from this logging category.
Any ideas why there is this dependency between LogCollector and authentication behavior?
Thank you,
Ditter
11-03-2018 12:12 PM - edited 11-03-2018 12:12 PM
More specifically, as I was trying to reduce the mass of logged messages, I accidentally erased LogCollector from the Passed Authentications logging category.
The strange thing was that I got Authentication Fail in the Live Logs (the red circle with the x on it). When I re-enabled the LogCollector, the authentication succeeded again with the green tick box!! Please note that I did not change anything except adding back the LogCollector in the Passed Authentications category!
It seems to me more of a bug and not normal behavior.
This could be a bug. Please engage Cisco TAC to recreate this behavior so TAC may file a bug. I tried it by removing LogCollector from Passed Authentications but did not observe any auth failure events.
One idea would be for the admin user not to be able to remove LogCollector from this logging category.
ISE allows three types of remote syslog targets (UDP Syslog, TCP Syslog, and Secure Syslog), so LogCollector need not be the one forwarding the events to MnT.
07-04-2024 01:47 AM
Was the issue resolved? I have an identical error adding an ADVA box on TACACS.
13045 TACACS+ will use the password prompt from global TACACS+ configuration (Step latency=0ms)
13015 Returned TACACS+ Authentication Reply (Step latency=0ms)
13014 Received TACACS+ Authentication CONTINUE Request (Step latency=2191ms)