cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3791
Views
5
Helpful
10
Replies

TACACS: TACACS+ will use the password prompt from global TACACS+ configuration

Ditter
Level 3
Level 3

Dear All,

 

i am facing the following problem:

 

I have a basic TACACS+ configuration as far as the tacacs policy is concerned and is described in the attached PNG.

 

I also have a local user test and a network device.

 

Overview
Request Type     Authentication
Status     Fail
Session Key     tacacs-server/327859046/169
Message Text     TACACS: TACACS+ will use the password prompt from global TACACS+ configuration
Username     test
Authentication Policy     
Selected Authorization Profile     

Authentication Details
Generated Time     2018-10-04 13:25:43.840000 +03:00
Logged Time     2018-10-04 13:25:43.841
Epoch Time (sec)     1538648743
ISE Node     tacacs-server
Message Text     TACACS: TACACS+ will use the password prompt from global TACACS+ configuration
Failure Reason     
Resolution     
Root Cause     
Username     test
Network Device Name     
Network Device IP     1.1.1.1
Network Device Groups     
Device Type     
Location     
Device Port     tty3
Remote Address     192.168.1.2

 

TACACS Protocol
Authentication Action     Login
Authentication Privilege Level     1
Authentication Type     ASCII
Authentication Service     Login

Other Attributes
ConfigVersionId     86
Device Port     15896
MajorVersion     Default
MinorVersion     Default
Type     Authentication
Sequence-Number     1
Header-Flags     Encrypted
SessionId     2246432117
EnableSingleConnect     false
CiscoIOS     false
UseSingleConnect     false
SelectedAccessService     Default Device Admin
Sequence-Number     2
CPMSessionID     22464321171.1.1.115896Authentication2246432117
Response     {AuthenticationResult=NotPerformed; }

 

Any ideas?

 

Ditter.

10 Replies 10

Nidhi
Cisco Employee
Cisco Employee

Asking our SME on this one.

Ditter
Level 3
Level 3

Perhaps, it was not clear from my previous answer, the problem with this configuration is that the authentication fails, although the users logs in the switch. I would suppose that the ISE would show in the logs a green tickbox instead of a red circle as far as the authentication is concerned. The message that show in the logs is the following:

TACACS: TACACS+ will use the password prompt from global TACACS+ configuration   which confuses me.

 

Thanks,

 

Ditter

 

ldanny
Cisco Employee
Cisco Employee

Can you please provide the logs from the right side under "Steps" (its the same page you provided for "Overview" and "Authorization Details")

If you can also provide a debug of the runtime-AAA log file that would also help.

 

thanks,

Danny

The problem is that the right side of the log window is blank ! I have nothing there....

in addition i do not see the aaa log in debug level menu, see attached

Any ideas why the Steps column in the ISE log is empty?  What could be wrong?

 

Thanks.

ldanny
Cisco Employee
Cisco Employee

Not sure why your not seeing "Steps" on the right of that same page , seems very odd . You might want to follow up with TAC on that.

 

The log file which you need to change the status to debug is runtime-AAA

Its in the list.

ldanny
Cisco Employee
Cisco Employee

Just following up if you have had a chance to provide us the debug file as you mention you cannot see anything under "Steps"

Thank you for your followup.

 

I found out the culprit why the live log file was partially empty.

 

More specifically as i was trying to reduce the mass of logged messages, i accidentally erased LogCollector from passed authentication logging categories.

 

The strange thing was that i got Authentication Fail in the Live logs (the red circle with the x on it). When i

re-enabled the LogCollector the authentication succeeded again with the green tick box !!  Please note that i did not change anything except from adding back the LogCollector in the Passed Authentication Category !

 

It seems to me more of a bug and not a normal behavior.

 

One idea would be the admin user not to be able to remove logcollector from this logging event.

 

Any ideas why there is this dependency between logcollector and authentication behavior?

 

Thank you,

 

Ditter

hslai
Cisco Employee
Cisco Employee

 

More specifically as i was trying to reduce the mass of logged messages, i accidentally erased LogCollector from passed authentication logging categories.

 

The strange thing was that i got Authentication Fail in the Live logs (the red circle with the x on it). When i

re-enabled the LogCollector the authentication succeeded again with the green tick box !!  Please note that i did not change anything except from adding back the LogCollector in the Passed Authentication Category !

 

It seems to me more of a bug and not a normal behavior.

This could be a bug. Please engage Cisco TAC to recreate this behavior so TAC may file a bug. I tried it by removing LogCollector from Passed Authentication but did not observed any auth failure events.

 

One idea would be the admin user not to be able to remove logcollector from this logging event.


ISE allows three types (UDP SysLog, TCP SysLog, and Secure SysLog) of remote syslog targets so LogCollector needs not be the one forwarding the events to MnT.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: