10-04-2018 03:55 AM - edited 03-11-2019 01:50 AM
Dear All,
I am facing the following problem:
I have a basic TACACS+ configuration as far as the TACACS policy is concerned; it is described in the attached PNG.
I also have a local user test and a network device.
Overview
Request Type Authentication
Status Fail
Session Key tacacs-server/327859046/169
Message Text TACACS: TACACS+ will use the password prompt from global TACACS+ configuration
Username test
Authentication Policy
Selected Authorization Profile
Authentication Details
Generated Time 2018-10-04 13:25:43.840000 +03:00
Logged Time 2018-10-04 13:25:43.841
Epoch Time (sec) 1538648743
ISE Node tacacs-server
Message Text TACACS: TACACS+ will use the password prompt from global TACACS+ configuration
Failure Reason
Resolution
Root Cause
Username test
Network Device Name
Network Device IP 1.1.1.1
Network Device Groups
Device Type
Location
Device Port tty3
Remote Address 192.168.1.2
TACACS Protocol
Authentication Action Login
Authentication Privilege Level 1
Authentication Type ASCII
Authentication Service Login
Other Attributes
ConfigVersionId 86
Device Port 15896
MajorVersion Default
MinorVersion Default
Type Authentication
Sequence-Number 1
Header-Flags Encrypted
SessionId 2246432117
EnableSingleConnect false
CiscoIOS false
UseSingleConnect false
SelectedAccessService Default Device Admin
Sequence-Number 2
CPMSessionID 22464321171.1.1.115896Authentication2246432117
Response {AuthenticationResult=NotPerformed; }
Any ideas?
Ditter.
10-04-2018 04:37 AM
Asking our SME on this one.
10-04-2018 05:05 AM
Perhaps it was not clear from my previous answer: the problem with this configuration is that the authentication fails, although the user logs in to the switch. I would suppose that ISE would show a green tick box in the logs instead of a red circle as far as the authentication is concerned. The message that shows in the logs is the following:
TACACS: TACACS+ will use the password prompt from global TACACS+ configuration, which confuses me.
Thanks,
Ditter
10-04-2018 06:19 AM
Can you please provide the logs from the right side under "Steps" (it's the same page you provided for "Overview" and "Authorization Details")?
If you can also provide a debug of the runtime-AAA log file that would also help.
thanks,
Danny
10-04-2018 06:37 AM
The problem is that the right side of the log window is blank! I have nothing there....
10-04-2018 06:42 AM
10-05-2018 04:50 AM
Any ideas why the Steps column in the ISE log is empty? What could be wrong?
Thanks.
10-05-2018 11:14 AM
Not sure why you're not seeing "Steps" on the right of that same page; it seems very odd. You might want to follow up with TAC on that.
The log file whose status you need to change to debug is runtime-AAA.
It's in the list.
10-09-2018 11:15 PM
Just following up to ask whether you have had a chance to provide us the debug file, as you mentioned you cannot see anything under "Steps".
10-10-2018 05:45 AM
Thank you for your followup.
I found out the culprit for why the live log file was partially empty.
More specifically, as I was trying to reduce the mass of logged messages, I accidentally erased LogCollector from the Passed Authentication logging category.
The strange thing was that I got Authentication Fail in the Live Logs (the red circle with the x on it). When I re-enabled the LogCollector, the authentication succeeded again with the green tick box!! Please note that I did not change anything except for adding back the LogCollector in the Passed Authentication category!
It seems to me more of a bug and not normal behavior.
One idea would be for the admin user not to be able to remove LogCollector from this logging event.
Any ideas why there is this dependency between LogCollector and authentication behavior?
Thank you,
Ditter
11-03-2018 12:12 PM - edited 11-03-2018 12:12 PM
More specifically, as I was trying to reduce the mass of logged messages, I accidentally erased LogCollector from the Passed Authentication logging category.
The strange thing was that I got Authentication Fail in the Live Logs (the red circle with the x on it). When I re-enabled the LogCollector, the authentication succeeded again with the green tick box!! Please note that I did not change anything except for adding back the LogCollector in the Passed Authentication category!
It seems to me more of a bug and not normal behavior.
This could be a bug. Please engage Cisco TAC to recreate this behavior so TAC may file a bug. I tried it by removing LogCollector from Passed Authentication but did not observe any auth failure events.
One idea would be for the admin user not to be able to remove LogCollector from this logging event.
ISE allows three types (UDP Syslog, TCP Syslog, and Secure Syslog) of remote syslog targets, so LogCollector need not be the one forwarding the events to MnT.
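As an added example that is not part of this thread and not Cisco's code, a small Python triage helper for the kind of ISE live-log record quoted at the top of the thread. It parses the "Key Value" lines and the Response attribute block, and separates a real TACACS+ failure (Status Fail with a Failure Reason) from a record that shows Status Fail but AuthenticationResult=NotPerformed and no Failure Reason, the pattern Ditter saw while LogCollector was missing from the Passed Authentication category. The field names come from the record above; the sample records below are constructed.

```python
"""Triage an ISE TACACS+ live-log record: real failure or incomplete record?"""
import re

# Field names as they appear in the ISE Overview / Authentication Details
# pane (a subset of those in the thread). Longest key is matched first so
# "Request Type" wins over a hypothetical shorter prefix.
KNOWN_KEYS = sorted(
    ["Request Type", "Status", "Message Text", "Username", "Failure Reason",
     "Root Cause", "Network Device IP", "Authentication Type", "Response"],
    key=len, reverse=True)


def parse_record(text):
    """Parse 'Key Value' lines into a dict; a key with no value maps to ''."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        for key in KNOWN_KEYS:
            if line == key or line.startswith(key + " "):
                record[key] = line[len(key):].strip()
                break
    return record


def parse_response(value):
    """Parse the '{AuthenticationResult=NotPerformed; }' attribute block."""
    return dict(re.findall(r"(\w+)=([^;}]+)", value))


def triage(text):
    """Return 'passed', 'failed' or 'not-performed' for one record."""
    rec = parse_record(text)
    result = parse_response(rec.get("Response", "")).get("AuthenticationResult")
    if rec.get("Status") == "Pass":
        return "passed"
    if rec.get("Status") == "Fail" and result == "NotPerformed" \
            and not rec.get("Failure Reason"):
        # Fail status but no AAA decision and no reason recorded: the session
        # never produced a result in MnT. Check logging categories (is
        # LogCollector still in Passed Authentication?) before blaming AAA.
        return "not-performed"
    return "failed"


# Constructed sample mirroring the record quoted in the thread.
INCOMPLETE_RECORD = """\
Request Type Authentication
Status Fail
Message Text TACACS: TACACS+ will use the password prompt from global TACACS+ configuration
Username test
Failure Reason
Network Device IP 1.1.1.1
Response {AuthenticationResult=NotPerformed; }
"""
```

A record with Status Fail, a populated Failure Reason and AuthenticationResult=Failed is classified as a genuine failure, so the helper only flags the empty-decision case for a logging-configuration check.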