Unable to authenticate against ISE when using External ID Source

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Unable to authenticate against ISE when using External ID Source

L1 Bithead

So I have an interesting issue. I have a Cisco ISE server in our environment doing TACACS+ authentication for all our network devices. ISE is tied to our Active Directory environment, and users in certain OU's are authenticated and authorized based on the AD group they're in. I tried configuring one of our PA-440's to authenticate against the ISE server, however in the TACACS Live Logs I see "INVALID" as the Identity of the user.

Interestingly enough, if I create a user in the local ISE database, and add them to the firewall policy set, then authentication works and I see the correct username in the Identity column.

So authentication works for users in the ISE local ID store, but doesn't work when users are in an Ext ID Store. Is there something I'm missing to allow for external id source authentication?

 

FYI, I cannot share screenshots or paste configs as this is in an air-gapped environment.

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hi @cullums ,

 

To see the username for failed authentications, you should uncheck "Disclose invalid usernames" under Administration > System > Settings > Security Settings.

 

To see why the user is failing you should click on the details page icon under Operations > TACACS > Live Logs.

 

I use TACACS for my NGFW administrative logon, and it works fine.  There are a couple ways to do it:

 

  1. Configure local administrators with an authentication profile to ISE.  Boom!  Done.
  2. Configure an Authentication Profile under Device/Panorama > Setup >  Management > Authentication Settings.  Here you cannot manually specify the role.  You need to configure VSAs in ISE to send the role to the NGFW.  See the URLs below.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMYmCAO

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/authentication-types/tacacs

 

Thanks,

 

Tom

 

Edit:  TACACS+ with CHAP will not work with AD because PA uses CHAP/MD5.  TACACS+ with PAP works fine with AD.  https://live.paloaltonetworks.com/t5/general-topics/tacacs-cisco-ise-config/td-p/230962/page/2

 

Help the community: Like helpful comments and mark solutions.

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

Hi @cullums ,

 

To see the username for failed authentications, you should uncheck "Disclose invalid usernames" under Administration > System > Settings > Security Settings.

 

To see why the user is failing you should click on the details page icon under Operations > TACACS > Live Logs.

 

I use TACACS for my NGFW administrative logon, and it works fine.  There are a couple ways to do it:

 

  1. Configure local administrators with an authentication profile to ISE.  Boom!  Done.
  2. Configure an Authentication Profile under Device/Panorama > Setup >  Management > Authentication Settings.  Here you cannot manually specify the role.  You need to configure VSAs in ISE to send the role to the NGFW.  See the URLs below.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMYmCAO

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/authentication-types/tacacs

 

Thanks,

 

Tom

 

Edit:  TACACS+ with CHAP will not work with AD because PA uses CHAP/MD5.  TACACS+ with PAP works fine with AD.  https://live.paloaltonetworks.com/t5/general-topics/tacacs-cisco-ise-config/td-p/230962/page/2

 

Help the community: Like helpful comments and mark solutions.

So, it looks like (now that I can see the username, thanks for that tidbit) I'm getting an error that states "Current Identity Store does not support the authentication method; Skipping it xxxx_AD"

 

So for whatever reason it's not passing the username to AD. At least now I know where to hone in on the issue. I will say that for admin accounts I have created locally on the ISE server, I am able to authenticate to the firewall. It's only when trying to pass the username to AD that it fails.

I just noticed your edit regarding CHAP vs PAP. I just came to the same conclusion and was going to post, but you beat me to it LOL! Thanks for the help. I guess if I want to use ISE as my authentication method I either need to have the admin accounts local on the ISE server in order for CHAP authentication to work, or switch the firewall to PAP and manage the admins through an AD group.

Anyhow, thanks again for the help, I appreciate it!

 

Steve

  • 1 accepted solution
  • 1151 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!