Hi Chris thank you for replying,

Both Gaia web UI and Console access are effected. Our devices in this particular environment are mostly R81.10 Take 156. I did recently remove old Radius configurations that have not worked thinking that there may have been a conflict between the two. Unfortunately that too did not resolve the underlying issue. 

Hey @Fatalis 

I would confirm with tcpdump and fw monitor that you see the communication from the fw itself, not sure what port this is related to, but lets assume, for argument sake its 777, you can try below:

tcpdump -enni any port 777

fw monitor -e "accept port(777);"

See what you get...based on output of those, it should give us better idea.

Best.

Andy

Hi Rock,

The tcpdump over TACACS port 49 shows a three way handshake between the security gateway and the TACACS server. However, at the very start with tail -f /var/log/messages | grep i tac the following error pops up. 
PAM-tacplus[…] auth failed: 2 tac_connect:                  [Still finishes the three way handshake with the fail]

with fw monitor we can see it going in and out the designated ports to reach the TACACS server and to come back ie i,I,o,O.

There is a firewall that sits in front of the TACACS server which picks up on the cluster VIP when running the fw monitor command. Which should be as expected. 

Attempting login to that firewall I just mentioned which sits directly Infront of that TACACS server also results in the same errors.

I would think it could be related to AD permissions but to my knowledge TACACS ISE will pull the AD group associated with the AD user and then give it the Shell Profile privilege that is configured within ISE for privilege levels

Based on all you said, sounds to me that CP side appears to be fine.

Yeah i’m also coming to that same conclusion just needed some sanity checks.

Have a scheduled TAC call with Cisco Monday with hopefully more information and a hopefully a resolution.

I’ll post here for any findings or resolutions after the troubleshooting with Cisco 

Sounds good, please keep us posted.

Andy

Hi

From what I remember, you should not be defining the usernames on the gateway itself. Try deleting one of the users on the gateway and then try that user again via tacacs.

remove these lines below

add user <AD_Username> uid 0 homedir /home/<AD_Username>
add rba user <AD_Username> roles TACP-15
set user <AD_Username> gid 100 shell /bin/bash
set user <AD_Username> realname "<AD_Username>"

Is there a SK for this?  It would be really good to know how to integrate ISE so there is R/W and RO accounts.  With the ISE 3.x/4.x configuration steps as well.

There are SKs relating to this, for example sk98733 and sk101573

Note - All TACACS+ users must log in to Gaia OS with the password assigned to the default role TACP-0.

Note 2.To get their applicable TACP role in Gaia OS, after this initial login, TACACS+ users must log in for the second time with the password assigned to their applicable TACP role.

Also check - Configuring Gaia as a TACACS+ Client

Thats very good to know @Peter_Lyndley 

Andy

good to know, thanks.

Latest troubleshooting with TAC I discovered the the Firewall VIP is making it's way to the firewall which sits in front of the TACACS server (i) but never (I, o, O) leaving that firewall to TACACS

I do see return traffic from the source firewall mgmt IP. Just need to figure out why the traffic hits the port on that TACACS border firewall but never leaves to make it's way to that TACACS server. The mgmt IP takes the same exact route and can see that communication back and forth. 

Edit- It was taking the accelerated path. Updated fw monitor command and verified that communication is returning back to the VIP

What did Cisco TAC say?

Andy

In the current working environment I tried this as well without a matching local user assigned TACP-15 and it wouldn't work. Only until I manually created each user with the assigned role TACP-15 in the firewall were we able to finally able to gain access. 

Also tried both ways in the broken environment by removing the users and re-adding the user accounts which resulted in the same errors.

That pretty much want we all want i.e. don't create any accounts on the gateway.

Funny enough I removed the accounts in the working environment and it did in fact work as it was supposed to be intended. I may keep the actual local accounts which auth to TACACS since it'll default our admins into bin/bash. I'll leave the decision up to them once both environments are working

I've had another go with this but this time with R82 VSX.  What I would like to see is a clearly defined instruction guide for Cisco ISE intergration to allow ReadOnly and Admin access. This does not seem to exist (Yes there are some really old Sks).

Anyway I got to the point where I had to have a user created on  GAIA (Not what I want),  assigned it TACP-15 role.  The when I logged in got hit by virtual system access not allowed, I can't assign virtual systems to the role, some features are not allowed. So stuck.

How on earth do I get an admin user authenticated against ISE without creating the user locally and also ensure it can access virtual system with admin rights.

This seems to be the link to look at for a standard gateway (Nothing really in there for VSX that I could see)  Configuring TACACS+ Servers for Non-Local Gaia Users
This takes you to a SK then related to Cisco ACS which went EoL years ago.

Maybe an RFE?

Perhaps - but considering this is a pretty standard authentication method across many vendors, why would a RFE be needed, I must be missing something.

Agree. Lets see if someone from CP can confirm.

Andy

So I've delete the user on the firewall and attempted again,  it almost looks like it logged in and then bombed me out within a split second.

This is what I see in the logs:
Sep 22 13:17:33 2025 TESTFW cp_tacp_helper_1: Non-local user 'TESTUSER' given role 'TACP-0' in domain(s) 'MRMA_ALL'(if that exists)
Sep 22 13:17:33 2025 TESTFW xpand[19703]: admin localhost t +volatile:mrma:users:user:TESTUSER:15873:pid 15873
Sep 22 13:17:33 2025 TESTFW xpand[19703]: admin localhost t +volatile:pid:15873 TESTUSER
Sep 22 13:17:33 2025 TESTFW xpand[19703]: admin localhost t +volatile:ppid:15873 15873
Sep 22 13:17:33 2025 TESTFW xpand[19703]: admin localhost t +volatile:set_clish_flag t
Sep 22 13:17:33 2025 TESTFW xpand[19703]: admin localhost t +volatile:mrma:users:user:TESTUSER:15873:access_mechanism:Web t
Sep 22 13:17:33 2025 TESTFW xpand[19703]: admin localhost t +volatile:mrma:users:user:TESTUSER:15873:access_mechanism:CLI t
Sep 22 13:17:33 2025 TESTFW xpand[19703]: admin localhost t +volatile:mrma:users:user:TESTUSER:15873 t
Sep 22 13:17:33 2025 TESTFW xpand[19703]: admin localhost t +volatile:mrma:users:user:TESTUSER:15873:role:TACP-0 t
Sep 22 13:17:33 2025 TESTFW xpand[19703]: admin localhost t +volatile:mrma:users:user:TESTUSER:15873:role:TACP-0:domainname:MRMA_ALL t
Sep 22 13:17:33 2025 TESTFW xpand[19703]: admin localhost t +volatile:mrma:users:user:TESTUSER:15873:uid t
Sep 22 13:17:33 2025 TESTFW authentication: SSH connection by TESTUSER user with client IP 1.2.3.4 at 13:17 22-Sep-2025 was a success
Sep 22 13:17:33 2025 TESTFW xpand[19703]: TESTUSER localhost t -volatile:set_clish_flag
Sep 22 13:17:33 2025 TESTFW xpand[19703]: TESTUSER localhost t -volatile:pid:15873
Sep 22 13:17:33 2025 TESTFW xpand[19703]: TESTUSER localhost t -volatile:ppid:15873
Sep 22 13:17:33 2025 TESTFW xpand[19703]: TESTUSER localhost t -volatile:mrma:users:user:TESTUSER:15873
Sep 22 13:17:33 2025 TESTFW xpand[19703]: TESTUSER localhost t -volatile:mrma:users:user:TESTUSER:15873:access_mechanism:CLI
Sep 22 13:17:33 2025 TESTFW xpand[19703]: TESTUSER localhost t -volatile:mrma:users:user:TESTUSER:15873:access_mechanism:Web
Sep 22 13:17:33 2025 TESTFW xpand[19703]: TESTUSER localhost t -volatile:mrma:users:user:TESTUSER:15873:pid
Sep 22 13:17:33 2025 TESTFW xpand[19703]: TESTUSER localhost t -volatile:mrma:users:user:TESTUSER:15873:role:TACP-0
Sep 22 13:17:33 2025 TESTFW xpand[19703]: TESTUSER localhost t -volatile:mrma:users:user:TESTUSER:15873:role:TACP-0:domainname:MRMA_ALL
Sep 22 13:17:33 2025 TESTFW xpand[19703]: TESTUSER localhost t -volatile:mrma:users:user:TESTUSER:15873:uid
Sep 22 13:17:33 2025 TESTFW clish[16049]: User TESTUSER logged out from CLI shell

Wow...does not give a reason at all, just says logged out.

I've raised a TAC case see if they can help.

Keep us posted on how it goes please.

Cheers,

Andy

Will do.  

FWIW, I always give them community post about the subject and they actually appreciate that, since it shows the whole discussion, so certainly saves time.

Andy

So I've found out why the ssh connection drops,  basically when the NON-Local User attempts to login which has admin rights, the system does not allow access to the virtual systems.

sk98733 (last updated in 2021!) Implies this:

HostName> add rba role TACP-15 domain-type System all-features
HostName> save config
HostName> show configuration rba

Note for VSX:HostName > add rba role TACP-15 virtual-system-access <0, ALL_Relevant VS>

However you this does not work.  
TESTFW:0> add rba role TACP-15 virtual-system-access all
NMSRBA0429 The following features: CloningGroup, aaa-servers, backup, command, configuration, cron, expert, expert-authentication-method, expert-password, expert-password-hash, ftw, group, grub2-password, grub2-password-hash, rba, scheduled_backup, snapshot, user, are restricted to global users only, and therefore cannot be added to roles with specific VS access.
TESTFW:0>