ISE - "TACACS: Received TACACS+ packet with invalid length"

Yazeed Fataar
Level 1

Hi

I have set up and configured TACACS on Cisco ISE 2.2 and have successfully migrated 70+ devices (IOS, ASA, WLC) to TACACS+. I am now facing the following strange issue with a few newly added devices I am trying to add. The authentication status continues to show "fail" for a few devices and I receive an error message stating "TACACS: Received TACACS+ packet with invalid length". Am I missing something in my TACACS config? Please advise.


Below is my TACACS config

##### START #####
!
aaa new-model
!
tacacs server ise-1
 address ipv4 x.x.x.x
 key xxxxxx
!
!
tacacs server ise-2
 address ipv4 x.x.x.x
 key xxxxxx
!
aaa group server tacacs+ ISE-GROUP
 server name ise-1
 server name ise-2
!
aaa authentication login VTY group ISE-GROUP local
aaa authentication enable default group ISE-GROUP enable
!
aaa authorization exec CON local
aaa authorization console
aaa authorization exec VTY group ISE-GROUP local if-authenticated
!
aaa authorization config-commands
aaa authorization commands 1 VTY group ISE-GROUP local if-authenticated
aaa authorization commands 15 VTY group ISE-GROUP local if-authenticated
!
aaa accounting exec default start-stop group ISE-GROUP
aaa accounting commands 1 default start-stop group ISE-GROUP
aaa accounting commands 15 default start-stop group ISE-GROUP
!
!
line vty 0 4
 login authentication VTY
 authorization exec VTY
 authorization commands 1 VTY
 authorization commands 15 VTY
 logging synchronous
!
!
!
line con 0
 authorization exec CON
 logging synchronous
!
##### END #####


Regards

Yazeed

1 Accepted Solution


hslai
Cisco Employee

I would suggest engaging Cisco TAC on this.

The configuration seems fine.


A couple more things. Please make sure you have good connectivity between the network devices and ISE.

See if any other device is working with the same configuration in the same subnet.

I am hoping that you have checked the shared secret etc. Turn on TACACS debugs on the switch and runtime logs in ISE to see what is going on.

Troubleshoot TACACS Authentication Issues - Cisco

Also, make sure the IP address of the network device is the same as the IP of the incoming packets to ISE.

-Krishnan

Hi Krishnan

We are currently checking the link between the HQ and branches as it appears to be related to that. I will post an update once confirmed. Thank you for the support.
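The replies above point at the shared secret and at the path between the device and ISE. The following is an added example, not code from any poster or from Cisco: it applies the RFC 8907 length checks to the bytes of one TACACS+ authentication START packet taken from a capture and separates a packet that arrived short from one whose body does not deobfuscate to consistent field lengths. The function names, key, user and session id are assumptions made up for the sample, and it is not a statement of how ISE produces its message.

```python
import hashlib
import struct

HDR = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length
UNENCRYPTED = 0x01              # TAC_PLUS_UNENCRYPTED_FLAG

def xor_pad(body, session_id, key, version, seq_no):
    """RFC 8907 obfuscation: XOR the body with a chained MD5 pad (same op both ways)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < len(body):
        block = hashlib.md5(seed + block).digest()
        pad += block
    return bytes(a ^ b for a, b in zip(body, pad))

def check_authen_start(packet, key):
    """Classify one authentication START packet by its length fields."""
    if len(packet) < HDR.size:
        return "truncated"
    version, ptype, seq_no, flags, session_id, length = HDR.unpack_from(packet)
    body = packet[HDR.size:]
    if ptype != 1 or seq_no != 1:
        return "not-authen-start"
    if length != len(body):          # cleartext header disagrees with bytes present
        return "truncated"
    if not flags & UNENCRYPTED:
        body = xor_pad(body, session_id, key, version, seq_no)
    if len(body) < 8:
        return "bad-field-lengths"
    user_len, port_len, rem_addr_len, data_len = body[4:8]
    if 8 + user_len + port_len + rem_addr_len + data_len != len(body):
        return "bad-field-lengths"   # a wrong key turns these four bytes into garbage
    return "ok"

def build_sample(key):
    """Constructed START packet (user, port, address and session id are made up)."""
    user, port, rem = b"admin", b"tty1", b"192.0.2.10"
    body = bytes([1, 1, 1, 1, len(user), len(port), len(rem), 0]) + user + port + rem
    hdr = HDR.pack(0xC0, 1, 1, 0, 0x12345678, len(body))
    return hdr + xor_pad(body, 0x12345678, key, 0xC0, 1)

if __name__ == "__main__":
    pkt = build_sample(b"constructed-key")
    print(check_authen_start(pkt, b"constructed-key"))       # matching key
    print(check_authen_start(pkt, b"other-key"))             # key mismatch
    print(check_authen_start(pkt[:-6], b"constructed-key"))  # tail missing
```

Because the 12-byte header is never obfuscated, the header length check works without the key; only the second check depends on the shared secret.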