7593 Views · 5 Helpful · 16 Replies

ISE - TACACS Authorization Domain Issues

bradleyordner
Level 3

I have a user in another AD domain, which we have visibility of from the ISE. The user is identified and authenticated correctly via this sub domain. When it moves to authorization, the exact same domain is checked for identification and it now gets an error.

Authentication passing -

24313 Search for matching accounts at join point - ad.company.com
24320 Multiple matching accounts in forest - ad.company.com

Authorization failing -

24313 Search for matching accounts at join point - ad.company.com
24317 LDAP search in domain failed - ad.company.com,ERROR_DOMAIN_IS_OFFLINE


Are there any checks or logs I can use to debug this? It happens every time I check, and it's checking the same domain it authenticated against.

Thanks

Brad

Accepted Solution

Ok no pb let us know after you applied the new patch

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

16 Replies

Francesco Molino
VIP Alumni
Hi

Can you share the policy you want to be pushed? Also, on ISE, under the Active Directory join point, you can test the user. Can you run that test and tell if the test is successful (it should be if it's authenticated)?

You're getting a multiple matching message; does this user exist multiple times?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

I will attempt the test and let you know.

The multiple matching is as follows -

User exists in sub.ad.company.com & 3rdparty.ad.company.com, which is a subdomain of ad.company.com.

When authenticating, it matches on 3rdparty.ad.company.com first and then says wrong username and password, because that's not the account the user used. It then finds the user in sub.ad.company.com.

The policy set I am trying to push is -

Default Rule (if no match)
Allow Protocols : Default Device Admin
Use - TACACS identity sequence

If user has AD group sub.ad.company.com/TACACS then allow all command sets, shell profile Read Only.

I have a rule above this rule that allows me, a user from ad.company.com/TACACS, Full Access on the same device.

Thanks

Brad

Authentication test is fine. 

Can you share the full ISE log when this user authenticates? (please join the screenshot)

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

Sorry, been very busy. Is this what you are after? I had to remove a few identifying details.


13013 Received TACACS+ Authentication START Request
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - DEVICE.Device Type
15048 Queried PIP - DEVICE.Location
15006 Matched Default Rule
15041 Evaluating Identity Policy
15006 Matched Default Rule
22072 Selected identity source sequence - TACACS_Identity_Sequence
15013 Selected Identity Source - _AD
13045 TACACS+ will use the password prompt from global TACACS+ configuration
13015 Returned TACACS+ Authentication Reply
13014 Received TACACS+ Authentication CONTINUE Request (Step latency=4277ms Step latency=4277ms)
15041 Evaluating Identity Policy
15004 Matched rule - Default
15006 Matched Default Rule
22072 Selected identity source sequence - TACACS_Identity_Sequence
15013 Selected Identity Source - _AD
24430 Authenticating user against Active Directory - _AD
24325 Resolving identity - <user name>
24313 Search for matching accounts at join point - ad.com
24320 Multiple matching accounts in forest - ad.com
24367 Skipping unusable domain - xxx,Domain trust is one-way
24367 Skipping unusable domain - xxx,Domain trust is one-way
24367 Skipping unusable domain - xxx,Domain trust is one-way
24367 Skipping unusable domain - xxx,Domain trust is one-way
24367 Skipping unusable domain - xxx,Domain trust is one-way
24367 Skipping unusable domain - xxx,Domain trust is one-way
24367 Skipping unusable domain - xxx,Domain trust is one-way
24367 Skipping unusable domain - xxx,Domain trust is one-way
24324 Identity resolution detected multiple matching accounts
24344 RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,<username>@3rdparty.ad.com
24343 RPC Logon request succeeded - <user name>@pg.ad.com
24402 User authentication against Active Directory succeeded - _AD
22037 Authentication Passed
13015 Returned TACACS+ Authentication Reply
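
The step log above, the original post's authentication/authorization excerpts, and the later "Groups fetch failed : The domain is offline" test result all turn on two signals: identity resolution matching more than one account across the forest (24320/24324, with failed 24344 logons before the 24343 success), and an authorization-time LDAP search failing with ERROR_DOMAIN_IS_OFFLINE (24317) against the very join point that had just answered authentication. The following is an added triage script, not something from the thread or from Cisco; it parses "NNNNN message" step lines as the ISE Live Log detail view prints them and flags those two conditions. The sample log text, the user name jdoe, and the domain names in it are constructed to mirror the thread's anonymised output.

```python
"""Triage helper for Cisco ISE TACACS+ step logs (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Step codes as they appear in the thread's log excerpts.
SEARCH_JOIN_POINT = "24313"
MULTI_MATCH = {"24320", "24324"}   # multiple matching accounts in forest / detected
SKIPPED_DOMAIN = "24367"           # unusable domain, e.g. one-way trust
LDAP_FAILED = "24317"
LOGON_FAILED = "24344"
LOGON_OK = "24343"
AUTHN_PASSED = "22037"

STEP_RE = re.compile(r"^\s*(?P<code>\d{5})\s+(?P<msg>.+?)\s*$")

# Constructed samples modelled on the thread (not real customer output).
AUTHN_LOG = """
24430 Authenticating user against Active Directory - _AD
24325 Resolving identity - jdoe
24313 Search for matching accounts at join point - ad.company.com
24320 Multiple matching accounts in forest - ad.company.com
24367 Skipping unusable domain - partner.example,Domain trust is one-way
24324 Identity resolution detected multiple matching accounts
24344 RPC Logon request failed - STATUS_WRONG_PASSWORD,ERROR_INVALID_PASSWORD,jdoe@3rdparty.ad.company.com
24343 RPC Logon request succeeded - jdoe@sub.ad.company.com
24402 User authentication against Active Directory succeeded - _AD
22037 Authentication Passed
"""

# The UI sometimes wraps a step so the code and its message land on separate lines.
AUTHZ_LOG = """
24313 Search for matching accounts at join point - ad.company.com
24317
LDAP search in domain failed - ad.company.com,ERROR_DOMAIN_IS_OFFLINE
"""


@dataclass
class StepSummary:
    join_points: List[str] = field(default_factory=list)
    multiple_accounts: bool = False
    skipped_domains: List[str] = field(default_factory=list)
    failed_logons: List[str] = field(default_factory=list)
    succeeded_logon: Optional[str] = None
    offline_domains: List[str] = field(default_factory=list)
    passed: bool = False


def parse_steps(text: str) -> List[Tuple[str, str]]:
    """Return (code, message) pairs, re-joining a bare code with the line after it."""
    steps: List[Tuple[str, str]] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group("code"), m.group("msg")))
            pending = None
        elif re.fullmatch(r"\d{5}", line):
            pending = line
        elif pending:
            steps.append((pending, line))
            pending = None
    return steps


def summarize(steps: List[Tuple[str, str]]) -> StepSummary:
    """Pull the identity-resolution facts out of the step list."""
    s = StepSummary()
    for code, msg in steps:
        tail = msg.split(" - ", 1)[1] if " - " in msg else msg
        if code == SEARCH_JOIN_POINT:
            s.join_points.append(tail)
        elif code in MULTI_MATCH:
            s.multiple_accounts = True
        elif code == SKIPPED_DOMAIN:
            s.skipped_domains.append(tail)
        elif code == LOGON_FAILED:
            s.failed_logons.append(tail.rsplit(",", 1)[-1])   # account after the status codes
        elif code == LOGON_OK:
            s.succeeded_logon = tail
        elif code == LDAP_FAILED and "ERROR_DOMAIN_IS_OFFLINE" in tail:
            s.offline_domains.append(tail.split(",", 1)[0])
        elif code == AUTHN_PASSED:
            s.passed = True
    return s


def diagnose(authn_text: str, authz_text: str) -> List[str]:
    """Compare the authentication and authorization step logs for one session."""
    a = summarize(parse_steps(authn_text))
    z = summarize(parse_steps(authz_text))
    findings = []
    if a.multiple_accounts:
        findings.append(
            f"ambiguous identity: {len(a.failed_logons)} failed logon(s) {a.failed_logons} "
            f"before success as {a.succeeded_logon}; {len(a.skipped_domains)} domain(s) skipped "
            f"(consider a UPN/FQDN login name or an identity rewrite rule)")
    for d in z.offline_domains:
        if d in a.join_points:
            findings.append(
                f"join point {d} answered authentication but reported offline during "
                f"authorization; run the AD diagnostic test on the node that served this request")
        else:
            findings.append(f"domain {d} reported offline during authorization")
    return findings


if __name__ == "__main__":
    for line in diagnose(AUTHN_LOG, AUTHZ_LOG):
        print("-", line)
```

Run it against two pasted step logs from the same session; a finding of the second kind points at node-specific join or connectivity state rather than at the policy set, which matches the later observation in this thread that the primary node fetched 32 groups while another node reported the domain offline for the same user.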

We see a first login dropped because of wrong password and then ok on another AD.

You didn't share the full ISE log, because I don't see the authorization given to the user.

Can you share this information?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

Ah yes, sorry, I only added the authentication log. Before I do, I have noticed something that I wanted to run by you.

We have a distributed ISE model, and when I test the user on our primary device I get authenticated and the ISE box pulls the groups.

When I try this on our last ISE box, the box that usually authenticates and authorises this user, they get authenticated and no groups are pulled. It says -

Groups fetch failed : The domain is offline.
Attribute fetch failed : The domain is offline.

On our primary it says -

Groups : 32 found.
Attributes : 69 found.



Is your box correctly joined to AD?

You can run the AD test on the box. Run it on this non-working box and share the results.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I'm convinced we might have a bug or a cross-domain issue. We are upgrading to a new patch next week so I might test after that; AD connectivity is fine from the tests.

I'll check after patch install.


Ok no pb let us know after you applied the new patch

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Although installing the patch had its own issues, it has resolved this issue. Rebooting the server also helped.

Thanks

Brad

I too am in the same boat, but this is a fresh 2.4 install, and we are at the latest patch.

ISE is finding the username multiple times, but TACACS auth fails even though one of the user/pass attempts was successful.

I had to resort to appending the FQDN in order to get the shortname to work, but I'm concerned that this band-aid will become a problem as ISE assumes more responsibilities in the future.

Have a TAC case open, and will be happy to report back so this post has a bit more substance, but in the meantime, any suggestions are welcome!

Have you found a way to fix your issue?

His answer was patch applied and server reboot. Have you tried that?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question