Vaibhav_Parmar
Participant

TACACS+ Config is not working as expected

Hi Mates,

I am facing a weird issue here. I changed the TACACS+ config for admin users: earlier they were authenticating from Cisco ACS only, and now some users authenticate from Cisco ISE and some from Cisco ACS.

In Dashboard I have set up some admin users to authenticate from Cisco ISE and some from Cisco ACS, but somehow some users who are set up to authenticate from Cisco ISE are getting authenticated by Cisco ACS. How is this happening?

When I created the users I did Install Database and Install Policy.

PhoneBoy
Admin

I'm not clear what these users are authenticating to: Gaia OS, SmartConsole, or?

Vaibhav_Parmar
Participant

They're authenticating to SmartConsole locally.

PhoneBoy
Admin

How precisely did you change the config on the Check Point side to support your goal?

Vaibhav_Parmar
Participant

We are facing some weird issues here. We changed the TACACS+ config for admin users: earlier they were authenticating from Cisco ACS only, and now some users authenticate from Cisco ISE and some from Cisco ACS.

In Check Point SmartDashboard we have set up some admin users to authenticate from Cisco ISE and some from Cisco ACS. But somehow some users who are set up to authenticate from Cisco ISE are getting authenticated by Cisco ACS. I have taken different traffic captures from the command line and found that the traffic for users set up to authenticate from Cisco ISE is not initiating authentication to Cisco ISE, but the same traffic is initiating to Cisco ACS.

When I capture logs for one user account:

01:29:53.794056 IP END-CP-MGMT-01.47747 > end-ise-01.next-uk.next.loc.tacacs: Flags [S], seq 934938609, win 29200, options [mss 1460,sackOK,TS val 3002153689 ecr 0,nop,wscale 10], length 0

01:29:53.794364 IP end-ise-01.next-uk.next.loc.tacacs > END-CP-MGMT-01.47747: Flags [S.], seq 1346839268, ack 934938610, win 28960, options [mss 1460,sackOK,TS val 38800155 ecr 3002153689,nop,wscale 7], length 0

01:29:53.794382 IP END-CP-MGMT-01.47747 > end-ise-01.next-uk.next.loc.tacacs: Flags [.], ack 1, win 29, options [nop,nop,TS val 3002153689 ecr 38800155], length 0

A similar setup is with another account:

03:32:48.827151 IP END-CP-MGMT-01.46293 > end-iprs14.next-uk.next.loc.tacacs: Flags [S], seq 1368525070, win 29200, options [mss 1460,sackOK,TS val 3009528722 ecr 0,nop,wscale 10], length 0
03:32:48.827456 IP end-iprs14.next-uk.next.loc.tacacs > END-CP-MGMT-01.46293: Flags [S.], seq 4286673841, ack 1368525071, win 14480, options [mss 1460,sackOK,TS val 2678212123 ecr 3009528722,nop,wscale 7], length 0

But it authenticated from the Cisco ACS server, although the account is set up to authenticate from Cisco ISE only.

Please note the config is the same for both users, which was also verified by CP TAC.

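To make the comparison done by hand above repeatable, here is an added Python example (not from the thread, Check Point or Cisco) that parses tcpdump lines like the ones quoted, records which TACACS+ server each login attempt opened a TCP session to and whether that server answered, and flags any admin whose capture contacted a server other than the one configured. The admin names, the expected-server mapping and the sample lines are constructed for the example.

```python
import re

# Constructed sample captures, modelled on the tcpdump lines quoted in the
# thread; each capture was taken while one admin logged in to SmartConsole.
CAPTURES = {
    "admin1": (
        "01:29:53.794056 IP END-CP-MGMT-01.47747 > end-ise-01.next-uk.next.loc.tacacs: Flags [S], seq 934938609, win 29200, length 0\n"
        "01:29:53.794364 IP end-ise-01.next-uk.next.loc.tacacs > END-CP-MGMT-01.47747: Flags [S.], seq 1346839268, ack 934938610, win 28960, length 0\n"
    ),
    "admin2": (
        "03:32:48.827151 IP END-CP-MGMT-01.46293 > end-iprs14.next-uk.next.loc.tacacs: Flags [S], seq 1368525070, win 29200, length 0\n"
        "03:32:48.827456 IP end-iprs14.next-uk.next.loc.tacacs > END-CP-MGMT-01.46293: Flags [S.], seq 4286673841, ack 1368525071, win 14480, length 0\n"
    ),
}
# TACACS+ server each admin object is configured for (assumed mapping, not from the thread).
EXPECTED = {"admin1": "end-ise-01", "admin2": "end-ise-01"}

# "<ts> IP <host>.<port> > <host>.<port>: Flags [<flags>], ..." as tcpdump prints it
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]+)\]"
)
TACACS_PORTS = {"tacacs", "49"}  # service name by default, port number with tcpdump -n


def tacacs_sessions(capture):
    """One record per client SYN to a TACACS+ port: which server was contacted
    and whether it replied with SYN-ACK (so 'not answered' means unreachable)."""
    sessions = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = m.groupdict()
        if f["flags"] == "S" and f["dport"] in TACACS_PORTS:
            # client SYN: key on the client socket so the SYN-ACK can be matched to it
            sessions[(f["src"], f["sport"])] = {"time": f["ts"], "server": f["dst"].split(".")[0], "answered": False}
        elif f["flags"] == "S." and f["sport"] in TACACS_PORTS:
            key = (f["dst"], f["dport"])
            if key in sessions:
                sessions[key]["answered"] = True
    return list(sessions.values())


def audit(captures, expected):
    """Compare the server actually contacted during each admin's login with the
    server that admin is configured for; returns {admin: verdict}."""
    verdicts = {}
    for admin, cap in captures.items():
        contacted = [s["server"] for s in tacacs_sessions(cap)]
        if not contacted:
            verdicts[admin] = "no TACACS+ SYN seen"
        elif expected[admin] in contacted:
            verdicts[admin] = "ok"
        else:
            verdicts[admin] = "mismatch: configured %s, contacted %s" % (expected[admin], ",".join(contacted))
    return verdicts
```

Run one capture per admin login (for example with `tcpdump port 49` on the management server), save each to its own file and feed the text in as the `CAPTURES` values; a "mismatch" verdict shows the management server never even opened a session to the configured server, which points at the admin object or its authentication scheme rather than at the TACACS+ server itself.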