Solved: sporadically tacacs+ authorization problem ISE 2.3 patch 5 and nexus 7702

aeggers · ‎12-10-2018

Hi,
we have configured cisco ISE for authentication and authorization.
The setup works fine but sometimes we have the problem that users are not authorized.
In 8 of 10 login attempts the authentication is fine for the nexus 7702 but no authorization request is sent to the ISE.
Other nexus like 7706 dont have this problem, aaa and tacacs config are identically.
Also the NXOS version is the same 8.1.1. We only observed this behavior with the nexus 7702.

Anyone see the same issue?

Best regards
Andre

Surendra · ‎12-10-2018

Debugs on the N7K for tacacs, aaa authentication/authorization.

debug tacacs+ aaa-request
debug aaa authentication
debug aaa authorization

View solution in original post

aeggers · ‎02-05-2019

The problem was solved by removing the single-connection in the tacacs-server host config.
Unclear why the same config and OS works with 7706 but not with 7702.

View solution in original post

Surendra · ‎12-10-2018

We haven’t seen any known issues with N7702 as such. There is no platform dependency for TACACS+, if it is working on the same NX-OS on another switch, then it simply means it is a network and behavioural issue. Debugs should tell us what is happening if 8 out of 10 number is consistent. Would suggest you to get it checked with TAC.

aeggers · ‎12-10-2018

Hi,

which debug commands would you suggest for the nexus? On the ISE we did some TCP dumps were we can see that there are rarely authorization requests from the nexus 7702.

André

Surendra · ‎12-10-2018

Debugs on the N7K for tacacs, aaa authentication/authorization.

debug tacacs+ aaa-request
debug aaa authentication
debug aaa authorization

aeggers · ‎12-10-2018

Hi,

thank you, we will check this.

Best regards

André

aeggers · ‎02-05-2019

The problem was solved by removing the single-connection in the tacacs-server host config.
Unclear why the same config and OS works with 7706 but not with 7702.