
Authorization fails on Switch, but ISE indicates success

RAMAN AZIZIAN
Level 1

Hello Friends,

I have been chasing the following issue and can't seem to figure out what is going on.

I have ISE appliance running 2.7. I have applied the latest patch as well.

TACACS has been configured for device management.

I have multiple IOS 93k Switches, and multiple NxOS 93K switches in my network.

Last week I configured all the policies for both the NxOS and IOS devices on ISE and I was able to successfully log in using my AD account credentials.

I am not sure what happened since last week, but now I can't successfully log in to the IOS switches, while I can still successfully log in to the Nexus switches.

Here's a quick overview of the problem:

I try to ssh to the IOS Switch using my AD user name/password, and the switch right away indicates "Authorization Failed".

However, ISE indicates in the log file that I have successfully authenticated and authorized.

I have removed the policy and re-applied it on the ISE and got the same result. I have tried it on multiple switches of the same platform and I get the same result. I just don't get why ISE thinks it has successfully processed all the TACACS.

I have attached a file that shows the steps ISE goes through in regard to TACACS commands.


Here's my AAA config:

aaa new-model
!
! TACACS+ server group; the name after "group" in every method list
! below must match this group name exactly
aaa group server tacacs+ XXXXXX
server-private X.X.X.X key YYYYYYYYYYY
ip tacacs source-interface vlan XXX
!
! login and enable authentication: TACACS+ first, local user database
! and enable password as fallback
aaa authentication login default group XXXX local
aaa authentication enable default group XXXXX enable
! exec and command authorization (console sessions included), local fallback
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group XXXXX local
aaa authorization commands 0 default group XXXXX local
aaa authorization commands 15 default group XXXXXX local
! exec, command and system accounting records sent to TACACS+
aaa accounting exec default start-stop group XXXXXX
aaa accounting commands 15 default start-stop group XXXXXX
aaa accounting system default start-stop group XXXXX


I have another environment exactly like this and I don't have any of the issues that I am seeing. The only difference is that the current working environment is running a different IOS than the new one that I'm trying to bring up. The new environment is running on code train 17.x.x.

Any suggestions/tips would be greatly appreciated, and I'd be glad to provide more info if needed.

Thanks for taking the time to read this.
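
A small consistency check for the kind of AAA configuration quoted above, added here as an example; it is not code from this thread or from Cisco. It parses the `aaa group server` block and the `aaa authentication` / `aaa authorization` / `aaa accounting` method lists, then reports any method list that refers to a server group that is never defined, any group with no servers, and any authentication or authorization list with no fallback method after the group (with no fallback, nothing answers when every server in the group is unreachable). The sample configuration is constructed: the group name ISE-TACACS, the address 192.0.2.10 and the key EXAMPLE-KEY are placeholders, and the enable line deliberately names a misspelled group so the check has something to find.

```python
import re

# Constructed sample, modelled on the AAA configuration quoted in the post.
# Group name, address and key are placeholders. The enable line deliberately
# refers to a misspelled group (ISE-TACACSS) so the check reports something.
SAMPLE_CONFIG = """\
aaa new-model
!
aaa group server tacacs+ ISE-TACACS
 server-private 192.0.2.10 key EXAMPLE-KEY
 ip tacacs source-interface vlan 100
!
aaa authentication login default group ISE-TACACS local
aaa authentication enable default group ISE-TACACSS enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group ISE-TACACS local
aaa authorization commands 0 default group ISE-TACACS local
aaa authorization commands 15 default group ISE-TACACS local
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
aaa accounting system default start-stop group ISE-TACACS
"""

GROUP_DEF = re.compile(r"^aaa group server (?:tacacs\+|radius) (\S+)$")
METHOD_LIST = re.compile(r"^aaa (authentication|authorization|accounting) (.+)$")
# Sub-commands that belong to a server-group block. Indentation is not relied
# on, because pasted configs often lose it (as in the post).
GROUP_SUBCMDS = ("server ", "server-private ", "server name ",
                 "ip tacacs source-interface", "ip radius source-interface")
# Names IOS accepts after "group" without a matching "aaa group server" block.
BUILTIN_GROUPS = {"tacacs+", "radius"}


def parse_aaa(config):
    """Return (groups, method_lists).

    groups: {group name: [server lines]}
    method_lists: [(kind, full line, [group names referenced])]
    """
    groups = {}
    method_lists = []
    current = None  # name of the server group whose block we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
            continue
        m = GROUP_DEF.match(line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        if current is not None and line.startswith(GROUP_SUBCMDS):
            if line.startswith("server"):
                groups[current].append(line)
            continue
        current = None
        m = METHOD_LIST.match(line)
        if m:
            kind, rest = m.groups()
            refs = re.findall(r"\bgroup (\S+)", rest)
            method_lists.append((kind, line, refs))
    return groups, method_lists


def check_aaa(config):
    """Return a list of findings; an empty list means the config is consistent."""
    groups, method_lists = parse_aaa(config)
    findings = []
    for name, servers in groups.items():
        if not servers:
            findings.append(f"group {name} defines no servers")
    for kind, line, refs in method_lists:
        for ref in refs:
            if ref not in groups and ref not in BUILTIN_GROUPS:
                findings.append(f"{kind}: '{line}' references undefined group {ref}")
        # A list that ends right after "group NAME" has no fallback method.
        # Accounting lists take no fallback, so they are skipped.
        tokens = line.split()
        if kind != "accounting" and refs and tokens[-2] == "group":
            findings.append(f"{kind}: '{line}' has no fallback method after the server group")
    return findings


if __name__ == "__main__":
    for finding in check_aaa(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against `show running-config | section aaa` output pasted into `SAMPLE_CONFIG`; on the sample above it reports only the misspelled group on the enable line.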


2 Replies

Richard Burts
Hall of Fame

Do you have access to a switch having the issue (console or anything else)? If so it might be helpful to see the output of debug tacacs and of debug aaa authorization.

HTH

Rick
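
As an added example of working through the `debug aaa authorization` output suggested above (this is not code from the thread or from Cisco, and the sample lines are constructed to follow the general shape of that debug output, whose exact wording varies between IOS releases): the parser groups lines by the session id in parentheses, collects the user, the method list entry used, the server-side status, the attribute-value pairs the switch processes and the final result, and then lists the sessions where the server returned PASS but the switch did not end in "Authorization successful", which is the symptom described in the post. The second session in the sample is built to show exactly that case.

```python
import re
from collections import OrderedDict

# Constructed sample in the general shape of IOS "debug aaa authorization"
# output (exact wording varies by release). Session 2135457213 is a clean
# EXEC authorization; session 2135457214 is built to show the symptom in
# the post: the server answers PASS but the switch still reports failure.
SAMPLE_DEBUG = """\
AAA/AUTHOR/EXEC (2135457213): Port='tty1' list='default' service=EXEC
AAA/AUTHOR/EXEC: tty1 (2135457213) user='jdoe'
tty1 AAA/AUTHOR/EXEC (2135457213): send AV service=shell
tty1 AAA/AUTHOR/EXEC (2135457213): send AV cmd*
tty1 AAA/AUTHOR/EXEC (2135457213): found list "default"
tty1 AAA/AUTHOR/EXEC (2135457213): Method=ISE-TACACS (tacacs+)
AAA/AUTHOR/TAC+: (2135457213): user=jdoe
AAA/AUTHOR/TAC+: (2135457213): send AV service=shell
AAA/AUTHOR/TAC+: (2135457213): send AV cmd*
AAA/AUTHOR (2135457213): Post authorization status = PASS_ADD
AAA/AUTHOR/EXEC: Processing AV service=shell
AAA/AUTHOR/EXEC: Processing AV cmd*
AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
AAA/AUTHOR/EXEC: Authorization successful
AAA/AUTHOR/EXEC (2135457214): Port='tty2' list='default' service=EXEC
AAA/AUTHOR/EXEC: tty2 (2135457214) user='jdoe'
tty2 AAA/AUTHOR/EXEC (2135457214): Method=ISE-TACACS (tacacs+)
AAA/AUTHOR (2135457214): Post authorization status = PASS_ADD
AAA/AUTHOR/EXEC: Processing AV service=shell
AAA/AUTHOR/EXEC: Authorization failed
"""

SESSION_RE = re.compile(r"\((\d+)\)")                      # (session id)
USER_RE = re.compile(r"user='?([^'\s]+)'?")
METHOD_RE = re.compile(r"Method=(\S+)")
STATUS_RE = re.compile(r"Post authorization status = (\S+)")
AV_RE = re.compile(r"Processing AV (\S+)")                 # AV pairs the switch applies
RESULT_RE = re.compile(r"Authorization (successful|failed)")


def parse_author_debug(text):
    """Group debug lines by session id and extract the fields of interest.

    Lines without a session id (the "Processing AV" and result lines) are
    attributed to the most recently seen session.
    """
    sessions = OrderedDict()
    current = None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            current = m.group(1)
            sessions.setdefault(current, {"user": None, "method": None,
                                          "server_status": None, "avs": [],
                                          "result": None})
        if current is None:
            continue
        s = sessions[current]
        for regex, key in ((USER_RE, "user"), (METHOD_RE, "method"),
                           (STATUS_RE, "server_status")):
            m = regex.search(line)
            if m and s[key] is None:
                s[key] = m.group(1)
        m = AV_RE.search(line)
        if m:
            s["avs"].append(m.group(1))
        m = RESULT_RE.search(line)
        if m:
            s["result"] = m.group(1)
    return sessions


def find_mismatches(sessions):
    """Session ids where the server accepted (PASS_*) but the switch did not
    finish with 'Authorization successful'."""
    return [sid for sid, s in sessions.items()
            if (s["server_status"] or "").startswith("PASS")
            and s["result"] != "successful"]


if __name__ == "__main__":
    parsed = parse_author_debug(SAMPLE_DEBUG)
    for sid, s in parsed.items():
        print(f"{sid}: user={s['user']} method={s['method']} server={s['server_status']} "
              f"avs={','.join(s['avs'])} result={s['result']}")
    print("server PASS but switch failed:", find_mismatches(parsed))
```

Comparing the `avs` list of a failing session against a working one (for example whether `priv-lvl` is present) is usually the quickest way to see what differs in what the switch actually received.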

Thanks Richard for looking at this.

I will try it this afternoon and see if I can get the debug output. I did look at the log on the switch, and the switch clearly indicates that I have successfully logged in. There is no indication at all that it failed.

The only other possible issue that I can think of is that it may have something to do with smart licensing. Unfortunately my environment is air gapped and there is no access to the internet/outside the boundaries.