TACACS authentication with Cisco ISE not working


L1 Bithead

Hello, I would like to ask: currently I have two firewalls that need to be configured with TACACS. One of the firewalls is working fine and I'm able to log in using my credentials from ISE. However, the other firewall is not working for TACACS authentication. I have followed the same steps as on the working firewall.

 

Below is the error I got when running the test command:

xx@Txx> test authentication authentication-profile Tacacs_auth_profile username xxxx password
Enter password :

Target vsys is not specified, user "xxxx" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
name "xxxx" has exact match in allow list

Authentication to TACACS+ server at '10.x.x.x' for user 'xxxx'
Server port: 49, timeout: 5, flag: 0
Egress: 10.x.x.x
Attempting CHAP authentication ...
CHAP authentication request is created
Sending credential: xxxxxx
Failed to send CHAP authentication request: connect: timed out

Returned status: -1
Authentication/authorization failed against TACACS+ server at 10.x.x.x for user Axxx

 

Appreciate the help on how I can troubleshoot this issue.


Cyber Elite

@fhassan,

Are these firewalls independent or part of an active/passive setup? If part of an active/passive pair, do you utilize the MGMT interface or do you have a service route configured to utilize a dataplane interface?

 

If these are standalone, make sure that ISE is actually accepting connections. Your error message indicates you aren't getting a return; I'm pretty sure that ISE won't respond to requests if the source address isn't included as a network device, so you'd want to check that the ISE side of this configuration is actually correct.

  • 408 Views
  • 1 replies
  • 0 Likes
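
An added example, not part of the original thread or of any vendor tooling: this Python sketch parses the `test authentication` output shown in the question, flags that the failure came from the TCP connect (before any TACACS+ exchange took place), and repeats that connect from a test host to tell a timeout from a refusal. The sample addresses (documentation range 192.0.2.0/24) and all function names are assumptions made for illustration.

```python
import errno
import re
import socket

# Constructed sample: the failing lines from the post, with documentation-range
# addresses (192.0.2.0/24) standing in for the redacted 10.x.x.x values.
SAMPLE = """\
Authentication to TACACS+ server at '192.0.2.10' for user 'xxxx'
Server port: 49, timeout: 5, flag: 0
Egress: 192.0.2.1
Attempting CHAP authentication ...
Failed to send CHAP authentication request: connect: timed out
Returned status: -1
"""

def parse_test_output(text):
    """Pull server, port, timeout, egress address and failure reason from the output."""
    patterns = {
        "server": r"TACACS\+ server at '([^']+)'",
        "port": r"Server port: (\d+)",
        "timeout": r"timeout: (\d+)",
        "egress": r"^Egress: (\S+)",
        "error": r"^Failed to send .*? request: (.+)$",
    }
    found = {}
    for key, pat in patterns.items():
        m = re.search(pat, text, re.MULTILINE)
        found[key] = m.group(1).strip() if m else None
    for key in ("port", "timeout"):
        if found[key] is not None:
            found[key] = int(found[key])
    return found

def failed_before_tacacs_exchange(info):
    """True when the error came from connect(), so no TACACS+ packet was ever sent."""
    return bool(info["error"]) and info["error"].startswith("connect:")

def probe(server, port=49, timeout=5, source_ip=None):
    """Repeat the TCP connect from this host and classify the result."""
    src = (source_ip, 0) if source_ip else None
    try:
        with socket.create_connection((server, port), timeout, source_address=src):
            return "connected"
    except (socket.timeout, TimeoutError):
        return "timeout"      # no reply at all: routing or filtering on the path
    except ConnectionRefusedError:
        return "refused"      # RST received: host reachable, port not listening
    except OSError as exc:
        return "unreachable:" + errno.errorcode.get(exc.errno, "unknown")
```

Running `probe()` with the values returned by `parse_test_output()` from a host on the same segment as the firewall's egress interface shows whether TCP port 49 on the server is reachable from that network at all.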