Tacacs+ Cisco ISE config


L3 Networker
Does anyone know how to configure the Cisco ISE side? We can use TACACS+ now to access the GUI, but only local usernames and passwords work when trying to access the CLI using SSH. Does anyone have a complete Cisco ISE setup? I found a guide to set up Palo Alto on the Cisco ACS platform, but ACS is end of life.
22 REPLIES

Again, it really depends on what you are trying to do. If it's using ISE for TACACS and authenticating via AD, then CHAP will not work. I have provided a chart above in this article showing why it will not work.

If you are going to create local accounts on ISE then CHAP will work fine.
A lot of folks if you haven't noticed yet in their TACACS articles are using CHAP, yes, but they create accounts locally. No one mentions that AD for authentication using CHAP is not supported in ISE.

Anatoliy Pshenichnykh

Article shows using CHAP but accounts are locally created in ISE? It doesn't show using AD for authentication.

Anatoliy Pshenichnykh

Oh yes, you are right. I remember configuring CHAP with AD and it didn't work so, had to revert back to PAP. CHAP will only work if you have local-ISE accounts.

This is why CHAP will not work. I will repost the chart from the previous page. This is what is supported by ISE. Palo Alto needs more options in TACACS than just PAP/CHAP, and honestly I don't think PAP should even be an option.


 

| Protocol (Authentication Type) | Internal Database | Active Directory | LDAP | RADIUS Token Server or RSA | REST | ODBC |
|---|---|---|---|---|---|---|
| EAP-GTC, PAP (plain text password) | Yes | Yes | Yes | Yes | Yes | Yes |
| MS-CHAP password hash: MSCHAPv1/v2, EAP-MSCHAPv2 (as inner method of PEAP, EAP-FAST, EAP-TTLS or TEAP), LEAP | Yes | Yes | No | No | No | Yes |
| EAP-MD5, CHAP | Yes | No | No | No | No | Yes |
| EAP-TLS, PEAP-TLS (certificate retrieval) | No | Yes | Yes | No | No | No |

Note: For TLS authentications (EAP-TLS and PEAP-TLS), identity sources are not required but can optionally be added for authorization policy conditions.

Anatoliy Pshenichnykh
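
The protocol property behind the CHAP row of the chart, as an added example that is not part of the original thread and is not ISE or PAN-OS code: to check a CHAP response the server has to recompute MD5 over the cleartext password, so an identity store that can only offer a one-way hash cannot verify it, while PAP can be checked against any store. The sample password, challenge, function names and the SHA-256 stand-in for "a one-way hash" are assumptions made for illustration.

```python
import hashlib
import hmac

RESPONSE_LEN = 16  # MD5 digest size; CHAP over TACACS+ always uses MD5


def one_way(password: bytes) -> bytes:
    """Stand-in for a directory that keeps only a one-way password hash.
    SHA-256 is an assumption for illustration, not any product's real format."""
    return hashlib.sha256(password).digest()


def chap_response(ppp_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([ppp_id]) + secret + challenge).digest()


def build_chap_data(ppp_id: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: TACACS+ CHAP data field = id || challenge || response."""
    return bytes([ppp_id]) + challenge + chap_response(ppp_id, password, challenge)


def parse_chap_data(data: bytes):
    """Server side: id is 1 octet, response is the last 16, the rest is challenge."""
    if len(data) < 1 + 1 + RESPONSE_LEN:
        raise ValueError("CHAP data field too short")
    return data[0], data[1:-RESPONSE_LEN], data[-RESPONSE_LEN:]


def chap_verify(data: bytes, stored_secret: bytes) -> bool:
    """The server recomputes MD5 over whatever its identity store returns."""
    ppp_id, challenge, response = parse_chap_data(data)
    expected = chap_response(ppp_id, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def pap_verify(received_password: bytes, stored_hash: bytes) -> bool:
    """PAP hands the server the password, so it can hash and compare."""
    return hmac.compare_digest(one_way(received_password), stored_hash)


if __name__ == "__main__":
    pw = b"constructed-sample-password"  # constructed sample value
    data = build_chap_data(0x2A, pw, bytes(range(16)))
    print("CHAP, store has cleartext:", chap_verify(data, pw))
    print("CHAP, store has hash only:", chap_verify(data, one_way(pw)))
    print("PAP,  store has hash only:", pap_verify(pw, one_way(pw)))
```

PAP passes against the hash-only store only because the password itself travels to the server inside the TACACS+ packet.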

L1 Bithead

I currently have this issue: Authentication and Authorization passes in ISE and I can see the VSA string in the response from ISE, but I get "not Authorized" at the PAN GUI. Anyone have luck in getting this resolved?

[Images: Murph_0-1678896713261.png, Murph_1-1678896740807.png, Murph_2-1678896776465.png]

 

Got it to work by following this link and these settings:

[Image: Murph_0-1678919386050.png]

Typed everything in Raw View and I was able to auth... weird deal of affairs to get this to work. "SYSTEM_RO" is the custom Role I created in PAN.

Glad that it did work for you.

Just two questions please:

- Did you use CHAP authentication protocol in PA FW?

- Did you create local accounts on ISE & PA FW?

- Did you use CHAP authentication protocol in PA FW? I used PAP.

- Did you create local accounts on ISE & PA FW? No, the only account I created was the account referenced by the VSA... which was System_RO... I then linked the account to specific AD Groups in ISE for Dynamic Role-Based Access.
