ACS 5.2 - TACACS for Network Access

Hi team,

I found that TACACS should be available for network access with ACS 5.2:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/release/notes/acs_52_rn.html#wp180662

CSCte16911

ACS 5 did not support the PPP TACACS service type for authentication.


But when I'm trying to create a rule to allow PPP authentication against the TACACS server I get an error...

[attachment: ScreenHunter_31 Mar. 01 11.23.gif]

As you can see, there are 36 hit counts with the policy.

And there is only one default rule at the moment:

[attachment: ScreenHunter_32 Mar. 01 11.25.gif]

[attachment: ScreenHunter_33 Mar. 01 11.28.gif]

In the logs I see only errors... the username and password were, of course, verified thoroughly:

[attachment: ScreenHunter_34 Mar. 01 11.30.gif]

Are there any ideas? I don't want to change all the configs for the remote access devices to RADIUS.

Cisco Employee

Re: ACS 5.2 - TACACS for Network Access

Hi,

Looking at the output you provided, I can see a service selection rule being matched, but not proceeding to an identity store.

Under the identity section of the "TACACS Network Access" access service, what identity policy rules do you have configured? Which identity store do you plan to authenticate your users from?

Thanks,

Steve.


Re: ACS 5.2 - TACACS for Network Access

I am having the exact same problem utilising TACACS+ / CHAP through ACS 5.2.

Using the older version 4.2 it works without issue.

During troubleshooting the problem we discovered that if we change the router to use PAP and not CHAP, the authentication works fine and passes information via the identity store. Changing it back to CHAP breaks the connection and we are unable to authorise a user; it complains about being in the wrong domain.

Still do not have a solution, other than move to PAP which is obviously less secure.

It is potentially an issue with CHAP and TACACS not working properly together on ACS 5.2; all the documentation discusses RADIUS / CHAP.

I look forward to any other information / assistance anyone has to offer.
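The PAP-works-but-CHAP-fails pattern described in the reply above has a protocol-level reason that is worth seeing in code: with CHAP (RFC 1994) the client returns MD5(identifier || secret || challenge), so the AAA server can only verify it if it can read the user's cleartext (or reversibly stored) password, whereas PAP hands the server the password itself, which any identity store that can answer "is this password correct?" can check. The following is an added example, not code from the thread or from Cisco ACS; the user store and the fixed challenge are constructed for the demonstration, and `bind_only_store` is a hypothetical stand-in for an external store that can only confirm or deny a password.

```python
import hashlib
import hmac

# Constructed sample credential store (stands in for an internal user database).
INTERNAL_USERS = {"rtruser": "S3cretPPP"}


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """Client side of CHAP (RFC 1994): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def chap_verify_cleartext_store(user, ident, challenge, response, store):
    """Server side of CHAP: only possible when the server can read the user's secret."""
    secret = store.get(user)
    if secret is None:
        return False
    expected = chap_response(ident, secret, challenge)
    # Constant-time comparison so a wrong response does not leak via timing.
    return hmac.compare_digest(expected, response)


def bind_only_store(user: str, password: str) -> bool:
    """Hypothetical external store (e.g. a directory bind): answers yes/no only,
    never reveals the stored secret. Backed here by the constructed table."""
    return INTERNAL_USERS.get(user) == password


def pap_verify_bind_store(user: str, password: str) -> bool:
    """PAP delivers the password itself, so a yes/no store is enough."""
    return bind_only_store(user, password)


def chap_verify_bind_store(user, ident, challenge, response):
    """CHAP against a yes/no store: the server holds only the challenge and the
    MD5 response, and has no secret to feed into the hash, so it cannot verify."""
    raise NotImplementedError(
        "CHAP verification needs the cleartext secret; a bind-only store cannot supply it"
    )


def demo():
    """Run PAP and CHAP against both kinds of store and report the outcome."""
    challenge = bytes.fromhex("0102030405060708")  # constructed, fixed for reproducibility
    ident = 7
    good = chap_response(ident, "S3cretPPP", challenge)
    bad = chap_response(ident, "wrongpass", challenge)
    try:
        chap_verify_bind_store("rtruser", ident, challenge, good)
        chap_bind = "verified"
    except NotImplementedError:
        chap_bind = "unsupported"
    return {
        "chap_internal_store": chap_verify_cleartext_store("rtruser", ident, challenge, good, INTERNAL_USERS),
        "chap_internal_store_wrong_pw": chap_verify_cleartext_store("rtruser", ident, challenge, bad, INTERNAL_USERS),
        "pap_bind_store": pap_verify_bind_store("rtruser", "S3cretPPP"),
        "pap_bind_store_wrong_pw": pap_verify_bind_store("rtruser", "wrongpass"),
        "chap_bind_store": chap_bind,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The practical reading for a defender: if a PPP/CHAP request authenticates only when the access service points at a store that holds the cleartext secret, the failure is a property of CHAP plus the identity store, not of the network device, and moving to PAP trades that constraint for a cleartext password on the NAS-to-server leg (which TACACS+ at least encrypts in the packet body).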