cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
931
Views
0
Helpful
3
Replies

AAA CLI Integration not working

kapkale
Cisco Employee
Cisco Employee

One ISE is available at 10.78.29.107. 

As a root from PI instance, I can ping this ISE. 

 

[root@pi-common-xxx ~]# ping 10.78.29.107 -c 4

PING 10.78.29.107 (10.78.29.107) 56(84) bytes of data.

64 bytes from 10.78.29.107: icmp_seq=1 ttl=63 time=0.634 ms

64 bytes from 10.78.29.107: icmp_seq=2 ttl=63 time=0.594 ms

64 bytes from 10.78.29.107: icmp_seq=3 ttl=63 time=0.699 ms

64 bytes from 10.78.29.107: icmp_seq=4 ttl=63 time=0.723 ms

 

--- 10.78.29.107 ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 3000ms

rtt min/avg/max/mdev = 0.594/0.662/0.723/0.057 ms

 

Using TCPDUMP, I can see the packets are being sent with destination IP = 10.78.29.107

Second tab,

[root@pi-common-xxx ~]# tcpdump -i eth0 dst 10.78.29.107

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

03:28:01.635273 IP pi-common-135 > ccimc02.cisco.com: ICMP echo request, id 16214, seq 1, length 64

03:28:02.635681 IP pi-common-135 > ccimc02.cisco.com: ICMP echo request, id 16214, seq 2, length 64

03:28:03.635634 IP pi-common-135 > ccimc02.cisco.com: ICMP echo request, id 16214, seq 3, length 64

03:28:04.635685 IP pi-common-135 > ccimc02.cisco.com: ICMP echo request, id 16214, seq 4, length 64

 

I am trying to test the working of the command, 

aaa authentication tacacs+ server 10.78.29.107 key plain "sharedsecret"

I am under configure mode from my PI. 

From one my shell tab, I am executing, 

pi-common-xxx/admin(config)# aaa authentication tacacs+ server 10.78.29.107 key plain "sharedsecret"

pi-common-xxx/admin(config)# end 

pi-common-xxx/admin# wr mem

Generating configuration...

 

The issue is that I cannot see any packets being sent to ISE at 10.78.29.107. The TCPDUMP is not able to see any packets being sent with destination IP = 10.78.29.107.

 

I believe the problem lies in the implementation of the command, 

aaa authentication tacacs+ server "serverip" key plain "shared-secret"

 

 

Any help to get this AAA command working is much appreciated.

1 Accepted Solution

Accepted Solutions

Sorry for the typo I meant to USE the same key in both the ISE and your Cisco. anyway here is a working configuration

aaa new-model

!

aaa authentication login default group tacacs+

local aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ local

!

tacacs server ISE address

 ipv4 key 0 <shared key>

!

 

Now for the ISE here is a configuration with no restrictions just to keep you goinng

1. Enable device administration service under deployment --> <ISE node>

2. Create a user group and a user under Device administrations --> identity groups and then Identities ( I assume you dont have AD)

3.  Policy Elements -- > Command sets (create one with no restrictions)

4. Tacacs profile --> Add new --> default priviledge 15, maximum 15

5. Policies Set --> Add new --> Condition any device type 

6. Edit your policy set --> Authentication policy --> use local identity store (internal users)

7. Authorization policy --> Add new --> Contidion (You should see the one you entered in Policy Element)

8. Command sets --> use the one you created in your tacacs profile

 

I know it looks a little bit confusing but I hope this helps

View solution in original post

3 Replies 3

socratesp1980
Level 1
Level 1
Assuming that ISE is fully functional it seems that it drops any tacacs+ packets. Firtslty make sure that you have enabled the Device Administration service under Deployemnt. Additionally you need to add your PI under network devices and user the same key, Configure you ID stores and Policy sets for devices administration

 @socratesp1980

I can see under Administration -> System -> Deployment that I have a deployment node named as ccimc02. Under General Settings for this node, Administration option is enabled. 

My PI is added under Network devices. I have used the correct "sharedsecret" in the RADIUS and Authentication settings of this PI device. Can you please elaborate on the "user the same key, Configure you ID stores and Policy sets for devices administration" part? 

Sorry for the typo I meant to USE the same key in both the ISE and your Cisco. anyway here is a working configuration

aaa new-model

!

aaa authentication login default group tacacs+

local aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ local

!

tacacs server ISE address

 ipv4 key 0 <shared key>

!

 

Now for the ISE here is a configuration with no restrictions just to keep you goinng

1. Enable device administration service under deployment --> <ISE node>

2. Create a user group and a user under Device administrations --> identity groups and then Identities ( I assume you dont have AD)

3.  Policy Elements -- > Command sets (create one with no restrictions)

4. Tacacs profile --> Add new --> default priviledge 15, maximum 15

5. Policies Set --> Add new --> Condition any device type 

6. Edit your policy set --> Authentication policy --> use local identity store (internal users)

7. Authorization policy --> Add new --> Contidion (You should see the one you entered in Policy Element)

8. Command sets --> use the one you created in your tacacs profile

 

I know it looks a little bit confusing but I hope this helps

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: