814 Views, 0 Helpful, 5 Replies

Cisco ISE Tacacs+ Authentication

yogedinesh
Level 1

We have Cisco ISE 2.0, which we are using for wireless authentication using Active Directory. We are looking to implement TACACS+ authentication for our network devices as well, but we don't want to use the AD which is used for wireless.

I could see we have an LDAP option. Can we use LDAP to integrate with AD and use it for TACACS+ authentication? When I did try this, authentication was unsuccessful with the error "22056 Subject not found in the application Identity store".

Just wanted to know if we can use LDAP for TACACS+ authentication?

5 Replies

Francesco Molino
VIP Alumni

Hi

I'm not sure I'm getting you well.

Anyway, Cisco ISE can join an AD to be able to authenticate through it from whatever Radius or Tacacs protocol.

Right now, I don't have any ISE where I can connect to make some screenshots, but the config is straightforward.

Here is a Cisco link, showing a step by step:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html#anc8

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

Yes, we have directly joined the AD to the ISE and are using it for other Wi-Fi authentication, but I don't want to use this as an identity store sequence to authenticate network devices.

Instead, I have joined the same AD under the LDAP option. Can we use this as an identity store sequence to authenticate network devices (TACACS)?

Thanks,

Yogesh.

Yes, you can. The TACACS user identity could be LDAP, local or even another TACACS.

You need to create the identity store under Work Center / Device Administration and then use this identity under the policy conditions, always in Device Administration.

I don't have any ISE right now but I can try to get one tomorrow if possible.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question


Francesco

Hi,

Thanks for the reply.

Yes, I did set up LDAP, linked the required groups and created an identity store sequence to only use LDAP. But I do get authentication failed.

Reason: "22056 Subject not found in the application Identity store".

Thanks.

Hi

Could you paste here the output of the authentication error details?

Are you getting this error only for a particular user or everyone?

Have you tried to find the user sent by ISE using an LDAP browser tool?

Have you tried this rule by using AD instead of LDAP?


Thanks
Francesco
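Francesco's last check, confirming that the user exists in the directory exactly as ISE would search for it, can be modelled offline. This is an added example, not code from the thread or from Cisco ISE: the directory entries, the search base and the subject-name attribute are constructed assumptions standing in for whatever the real LDAP identity source is configured with.

```python
"""Offline model of the subject lookup ISE performs against an LDAP identity source.

Constructed example (not from the thread): a few directory entries stand in for
the AD tree behind the LDAP identity source. The search base and subject-name
attribute are assumptions for whatever the real source is configured with.
"""

# RFC 4515 escaping, so a username can be embedded in a search filter safely.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def normalize_username(raw: str) -> str:
    """Strip the DOMAIN\\ prefix or @realm suffix a device login may carry."""
    if "\\" in raw:
        raw = raw.rsplit("\\", 1)[1]
    if "@" in raw:
        raw = raw.split("@", 1)[0]
    return raw


def build_subject_filter(subject_attr: str, username: str) -> str:
    """The filter to paste into an LDAP browser to mimic the ISE lookup."""
    return f"(&(objectClass=person)({subject_attr}={ldap_escape(normalize_username(username))}))"


def find_subject(directory: dict, search_base: str, subject_attr: str, username: str):
    """Return the DN whose subject_attr matches username under search_base, else None.

    None is the situation behind the 22056 "subject not found" result: the user may
    exist, but not under this search base or not with this subject-name attribute.
    """
    wanted = normalize_username(username).lower()
    for dn, attrs in directory.items():
        if not dn.lower().endswith(search_base.lower()):
            continue  # entry lies outside the configured search base
        if attrs.get(subject_attr, "").lower() == wanted:
            return dn
    return None


# Constructed sample directory: AD users carry sAMAccountName, not uid.
DIRECTORY = {
    "CN=Yogesh,OU=NetOps,DC=example,DC=com": {"sAMAccountName": "yogesh"},
    "CN=Svc Wifi,OU=Service,DC=example,DC=com": {"sAMAccountName": "svc-wifi"},
}

if __name__ == "__main__":
    print(build_subject_filter("sAMAccountName", "EXAMPLE\\yogesh"))
    print(find_subject(DIRECTORY, "DC=example,DC=com", "sAMAccountName", "yogesh"))
    print(find_subject(DIRECTORY, "DC=example,DC=com", "uid", "yogesh"))  # None: wrong attribute
```

Running the same filter in an LDAP browser, bound with the account ISE uses, shows whether the gap is the search base, the subject-name attribute, or the username format the device sends.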
