Thursday, August 2, 2018

Cisco ISE issue. Won't authenticate Console logins

Good afternoon. I noticed that our switches here weren't allowing login via TACACS+ through the console. I have the switch configured correctly for login authorization on the console, and I authenticate through SSH just fine.

My ISE server is directing me toward the wrong policy set, though. It misses the admin one and goes right to the default (which gives me the deny shell profile). My policy set only matches on the AD group, device location, and device type.

Looking at the TACACS+ log for a successful SSH connection and a failed console connection, the process differs.

The SSH session starts with "Received TACACS+ Authorization Request - AD Source name".

The console session starts with "Received TACACS+ Authentication Start Request" and never gets to authorization.

If I stick the default rule with a good shell profile, it lets me in. So I know I'm hitting the ISE server and talking fine to the identity source. The only thing I can think of is that ISE sees it coming in on TTY0 or something and is interpreting that differently. I can't find anything that would indicate this, though.
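The comparison described in the post (SSH sessions reach an authorization request, console sessions stop after the authentication start) can be automated over exported session logs so that every device and line type is checked rather than one pair of sessions by hand. The script below is an added example, not code from the original post or from Cisco ISE; the log line format, the session/device/port field names, the device names sw1 and sw2 and all sample lines are constructed for the example and are not ISE's real syslog syntax. It groups lines by session, flags sessions that authenticated but never produced an authorization request, and tallies the result by console (tty/con) versus remote (vty) line, which is the split the author suspects matters.

```python
"""Added example (not from the original post): triage constructed TACACS+
session logs to find sessions that never reach the authorization step."""
import re
from dataclasses import dataclass, field

# Step names as quoted in the post; used as exact matches against each log line.
AUTHN_START = "Received TACACS+ Authentication START Request"
AUTHZ_REQUEST = "Received TACACS+ Authorization Request"

# Constructed sample log. Field layout is an assumption for this example only.
SAMPLE_LOG = """\
2018-08-02 13:01:05 session=101 device=sw1 port=tty0 step="Received TACACS+ Authentication START Request"
2018-08-02 13:01:05 session=101 device=sw1 port=tty0 step="Authentication Passed"
2018-08-02 13:02:10 session=102 device=sw1 port=vty1 step="Received TACACS+ Authentication START Request"
2018-08-02 13:02:10 session=102 device=sw1 port=vty1 step="Authentication Passed"
2018-08-02 13:02:11 session=102 device=sw1 port=vty1 step="Received TACACS+ Authorization Request"
2018-08-02 13:02:11 session=102 device=sw1 port=vty1 step="Matched Policy Set: NetworkAdmins"
2018-08-02 13:05:00 session=103 device=sw2 port=tty0 step="Received TACACS+ Authentication START Request"
2018-08-02 13:05:00 session=103 device=sw2 port=tty0 step="Authentication Passed"
"""

LINE_RE = re.compile(
    r'session=(?P<session>\d+)\s+device=(?P<device>\S+)\s+'
    r'port=(?P<port>\S+)\s+step="(?P<step>[^"]+)"'
)


@dataclass
class Session:
    session_id: str
    device: str
    port: str
    steps: list = field(default_factory=list)

    def reached_authorization(self) -> bool:
        return AUTHZ_REQUEST in self.steps


def is_console_port(port: str) -> bool:
    # IOS reports the console as tty0 (or con0); SSH/telnet logins arrive on vtyN.
    return port.lower().startswith(("tty", "con"))


def parse_sessions(text: str) -> dict:
    """Group log lines by session id, keeping the ordered list of step names."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not in the constructed format
        sid = m["session"]
        s = sessions.setdefault(sid, Session(sid, m["device"], m["port"]))
        s.steps.append(m["step"])
    return sessions


def sessions_missing_authorization(sessions: dict) -> list:
    """Sessions that started authentication but never produced an authorization request."""
    return [
        (s.session_id, s.device, s.port)
        for s in sessions.values()
        if AUTHN_START in s.steps and not s.reached_authorization()
    ]


def summarize(sessions: dict) -> dict:
    """Count sessions and authorized sessions per line type (console vs remote)."""
    report = {"console": {"total": 0, "authorized": 0},
              "remote": {"total": 0, "authorized": 0}}
    for s in sessions.values():
        kind = "console" if is_console_port(s.port) else "remote"
        report[kind]["total"] += 1
        if s.reached_authorization():
            report[kind]["authorized"] += 1
    return report


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_LOG)
    for sid, device, port in sessions_missing_authorization(found):
        print(f"session {sid} on {device} {port}: authenticated, no authorization request seen")
    print(summarize(found))
```

If the console sessions are the only ones in the "missing authorization" list and every vty session is authorized, the problem is on the path between the switch and the authorization request (the switch never sends one for console lines), not in the ISE policy set conditions; if some console sessions do reach authorization, the policy set match is the next thing to compare.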


