Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3446
Views
10
Helpful
6
Replies

ASA : AAA (ISE) Fallback to Local not working

Go to solution
InTheJuniverse
Level 1
Level 1

‎05-21-2019 04:14 AM - edited ‎02-21-2020 09:09 AM

Hello

 

I have the following config on my Firewalls for AAA

 

aaa-server ISE_TACACS protocol tacacs+
aaa-server ISE_TACACS (inside) host A.B.C.D
key *******

 

aaa authentication http console ISE_TACACS LOCAL
aaa authentication ssh console ISE_TACACS LOCAL
aaa authorization exec authentication-server
aaa accounting ssh console ISE_TACACS
aaa authentication serial console LOCAL

 

 

We are facing intermittent 'RPC Logon failures' errors on ISE and our login fail, does this event qualify for authentication fall back to Local? If yes, then it is not falling back.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
GRANT3779
Spotlight
Spotlight
In response to InTheJuniverse

‎05-21-2019 05:44 AM

I believe if the ASA sees the Server as reachable then it will not fallback to device local, which is happening in your case.

Within ISE, you could potentially setup a local user account in the ISE database and fall back to the Internal Database in the event of issues with AD/ISE. In your identity source sequence you are using for device policy sets, have Internal Users next in line. I don't have access to ISE at the moment to look into this properly though.

If I was you I would focus on fixing the ISE/AD issue as your solution.

View solution in original post

6 Replies 6

Go to solution
GRANT3779
Spotlight
Spotlight

‎05-21-2019 04:47 AM

I'm assuming the RPC failures are between ISE and your AD environment?

 

I would not think this qualifies as a fallback method if the TACACs server/s are reachable/ACTIVE from the ASA, eg if showing

 

sh aaa-server
......................................truncated

Server Group: TACACS
Server Protocol: tacacs+
Server Address: 10.40.0.10
Server port: 49
Server status: ACTIVE, Last transaction at 12:43:36 BST Tue May 21 2019

Go to solution
InTheJuniverse
Level 1
Level 1
In response to GRANT3779

‎05-21-2019 05:27 AM

Thank you.

 

Yes, it is between AD and ISE (with Cisco and MS blaming each other!)

 

I can't login to the firewall when this happens, so how can I even confirm the last successfull transaction? When ISE starts working, obviously the last successful transaction will have no meaning for me.

0 Helpful

Go to solution
GRANT3779
Spotlight
Spotlight
In response to InTheJuniverse

‎05-21-2019 05:44 AM

I believe if the ASA sees the Server as reachable then it will not fallback to device local, which is happening in your case.

Within ISE, you could potentially setup a local user account in the ISE database and fall back to the Internal Database in the event of issues with AD/ISE. In your identity source sequence you are using for device policy sets, have Internal Users next in line. I don't have access to ISE at the moment to look into this properly though.

If I was you I would focus on fixing the ISE/AD issue as your solution.

Go to solution
InTheJuniverse
Level 1
Level 1
In response to GRANT3779

‎05-21-2019 06:10 AM - edited ‎05-21-2019 06:47 AM

That makes sense, thanks a lot.

0 Helpful

Go to solution
GRANT3779
Spotlight
Spotlight
In response to InTheJuniverse

‎05-21-2019 06:47 AM

I think you would need to amend or create a new one within the actual Identity Source Sequence itself, under identity management. Depends on what else you use it for.
0 Helpful

Go to solution
Alex Pfeil
Level 7
Level 7
In response to GRANT3779

‎05-21-2019 05:45 AM

I agree with the above post.  The server will fail to local if the AAA server is not reachable.  Examples are, the server is down or an ACL is blocking the request. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card