topic Re: Unable to authenticate against ISE when using External ID Source in General Topics

Unable to authenticate against ISE when using External ID Source

cullums — Wed, 22 Nov 2023 20:14:47 GMT

So I have an interesting issue. I have a Cisco ISE server in our environment doing TACACS+ authentication for all our network devices. ISE is tied to our Active Directory environment, and users in certain OU's are authenticated and authorized based on the AD group they're in. I tried configuring one of our PA-440's to authenticate against the ISE server, however in the TACACS Live Logs I see "INVALID" as the Identity of the user.

Interestingly enough, if I create a user in the local ISE database, and add them to the firewall policy set, then authentication works and I see the correct username in the Identity column.

So authentication works for users in the ISE local ID store, but doesn't work when users are in an Ext ID Store. Is there something I'm missing to allow for external id source authentication?

FYI, I cannot share screenshots or paste configs as this is in an air-gapped environment.

Re: Unable to authenticate against ISE when using External ID Source

TomYoung — Fri, 24 Nov 2023 13:26:27 GMT

Hi @cullums ,

To see the username for failed authentications, you should uncheck "Disclose invalid usernames" under Administration > System > Settings > Security Settings.

To see why the user is failing you should click on the details page icon under Operations > TACACS > Live Logs.

I use TACACS for my NGFW administrative logon, and it works fine. There are a couple ways to do it:

Configure local administrators with an authentication profile to ISE. Boom! Done.
Configure an Authentication Profile under Device/Panorama > Setup > Management > Authentication Settings. Here you cannot manually specify the role. You need to configure VSAs in ISE to send the role to the NGFW. See the URLs below.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMYmCAO

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/authentication-types/tacacs

Thanks,

Tom

Edit: TACACS+ with CHAP will not work with AD because PA uses CHAP/MD5. TACACS+ with PAP works fine with AD. https://live.paloaltonetworks.com/t5/general-topics/tacacs-cisco-ise-config/td-p/230962/page/2

Re: Unable to authenticate against ISE when using External ID Source

cullums — Mon, 27 Nov 2023 15:17:23 GMT

So, it looks like (now that I can see the username, thanks for that tidbit) I'm getting an error that states "Current Identity Store does not support the authentication method; Skipping it xxxx_AD"

So for whatever reason it's not passing the username to AD. At least now I know where to hone in on the issue. I will say that for admin accounts I have created locally on the ISE server, I am able to authenticate to the firewall. It's only when trying to pass the username to AD that it fails.

Re: Unable to authenticate against ISE when using External ID Source

cullums — Mon, 27 Nov 2023 15:42:03 GMT

I just noticed your edit regarding CHAP vs PAP. I just came to the same conclusion and was going to post, but you beat me to it LOL! Thanks for the help. I guess if I want to use ISE as my authentication method I either need to have the admin accounts local on the ISE server in order for CHAP authentication to work, or switch the firewall to PAP and manage the admins through an AD group.

Anyhow, thanks again for the help, I appreciate it!

Steve