Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2083
Views
10
Helpful
5
Replies

aaa/RADIUS issue on SDWAN cEdge ISR4431

Go to solution
Minnesotakid
Level 1
Level 1

‎02-13-2020 01:17 PM

We're testing one of our ISR4431's on SDWAN and we've hit an issue where we can't get aaa to work properly. 

ISR4431 - SDWAN code version 16.10.4
Controller version - 18.4.302

RADIUS/TACACS+ server we're using is Cisco ISE version 2.3 patch 5

We are using feature templates specific to our ISR's for this work. We do not use CLI templates. 

I believe it might be a vmanage configuration bug but curious if anyone here has hit this issue. Below I've included the configuration that gets pushed. Notice the quotes. Those quotes are included on the ISR side but I do not put quotes in the key field in Vmanage. 

!
aaa group server tacacs+ tacacs-1
server-private 10.51.90.100 timeout 5 key "testRadiusKey"
server-private 10.61.90.100 timeout 5 key "testRadiusKey"
ip vrf forwarding 1
!
aaa group server radius radius-1
server-private 10.51.90.100 auth-port 1812 timeout 5 retransmit 3 key "testRadiusKey"
server-private 10.61.90.100 auth-port 1812 timeout 5 retransmit 3 key "testRadiusKey"
ip radius source-interface Loopback0
ip vrf forwarding 1

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Minnesotakid
Level 1
Level 1
In response to Minnesotakid

‎02-20-2020 06:59 AM

Wanted to update everyone here. 

We got around this issue by doing 2 things:

1. We updated our ISE side configuration for this device to include quotes in our key. (I'd call this a "workaround" for now)

2. Per TAC's recommendation, we verified an authorization policy was needed to allow our accounts to login with privilege level 15 rights. It was previously getting us in with priv level 1. We confirmed this by doing a show privileges after logging in. 

 

After doing those 2 things, we were able to successfully get into our cEdge. 

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Minnesotakid
Level 1
Level 1

‎02-14-2020 06:05 AM

If anyone is familiar with it, I'm thinking we might be hitting this bug:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn38487

Symptom:
vManage does not generate proper configuration for Cisco XE SD-WAN Router, TACACS authentication is not working

Conditions:
vManage AAA feature template is used to configure TACACS authentication

Workaround:
none

Further Problem Description:
- Currently vManage produce the following config:

aaa group server tacacs+ server-10.2.3.4
server-private 10.2.3.4 timeout 5 key $8$bc9w03rV0NRYX/jsZJ0/73KDZVOqEO2stQrLvHtVI4Q=
ip vrf forwarding 1
!
aaa group server tacacs+ server-10.3.4.5
server-private 10.3.4.5 timeout 5 key $8$/ILyhN49+Ll1W6dg862j4I2+ix5R8ORzjjPxWKu2rwM=
ip vrf forwarding 1
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa session-id common

- Here is how it should look like:

aaa group server tacacs+ tacacs-servers
server-private 10.2.3.4 key test
server-private 10.2.3.4 timeout 10
server-private 10.2.3.4 port 49
server-private 10.3.4.5 key test
server-private 10.3.4.5 timeout 10
server-private 10.3.4.5 port 49
ip vrf forwarding 1
ip tacacs source-interface Loopback172
!
aaa authentication login default group tacacs-servers local
aaa authorization exec default group tacacs-servers local
aaa session-id common

If multiple servers defined and all of them are in the same VRF/VPN and reachable via same source interface, then we should combine them in the same server group.

For Radius server, radius server group should look like below:

aaa group server radius radius-servers
server-private 10.2.3.4 key test
server-private 10.2.3.4 auth-port 1812
server-private 10.2.3.4 acct-port 1813
server-private 10.2.3.4 retransmit 10
server-private 10.2.3.4 timeout 12
ip vrf forwarding 1
ip radius source-interface Loopback172

0 Helpful

Go to solution
gilbert.aispuro1
Level 1
Level 1
In response to Minnesotakid

‎02-17-2020 05:13 PM

I can confirm this issue as well. I have 4431's and 4451's

Go to solution
hawaii
Level 1
Level 1

‎02-19-2020 01:41 AM

Tacacs aaa is working since upgrade to 19.2.1 for us. Not sure about 18 software line...They add new feature template called aaa-cisco. 

 

image.png

Go to solution
Minnesotakid
Level 1
Level 1
In response to hawaii

‎02-19-2020 09:12 AM

Thank you for your notes guys! I have a TAC case open for this issue and will pass on the word that others are seeing this. 

@hawaii were you also seeing this issue on a 4431 on 18.4? 

0 Helpful

Go to solution
Minnesotakid
Level 1
Level 1
In response to Minnesotakid

‎02-20-2020 06:59 AM

Wanted to update everyone here. 

We got around this issue by doing 2 things:

1. We updated our ISE side configuration for this device to include quotes in our key. (I'd call this a "workaround" for now)

2. Per TAC's recommendation, we verified an authorization policy was needed to allow our accounts to login with privilege level 15 rights. It was previously getting us in with priv level 1. We confirmed this by doing a show privileges after logging in. 

 

After doing those 2 things, we were able to successfully get into our cEdge. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents