TACACS+ to VIP with pool of ISE nodes
I want to send TACACS+ requests from Network Devices to an F5 VIP that will load balance several Cisco Identity Service Engine nodes that run the service.
Is there a configuration guide out there? The ISE portion is configured and works, but when I point the TACACS+ AAA configuration on my network device to the F5 VIP I created, TACACS+ fails with a network device log entry, e.g. (ignore IPs):
Apr 11 2018 15:36:02 PDT: TAC+: Opened TCP/IP handle 0xFFB4E70CE0 to 1.1.1.1/49 using source 1.1.1.1
Apr 11 2018 15:36:02 PDT: TAC+: Opened 1.1.1.1 index=1
Apr 11 2018 15:36:02 PDT: TAC+: 1.1.1.1 (2473493593) AUTHOR/START queued
Apr 11 2018 15:36:02 PDT: TAC+: (2473493593) AUTHOR/START processed
Apr 11 2018 15:36:02 PDT: TAC+: received bad AUTHOR packet: type = 0, expected 2
Apr 11 2018 15:36:02 PDT: TAC+: Invalid AUTHOR/START packet (check keys).
Apr 11 2018 15:36:02 PDT: TAC+: Closing TCP/IP 0xFFB4E70CE0 connection to 1.1.1.1/49
- amintejCirrus
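The two device log lines above ("received bad AUTHOR packet: type = 0, expected 2" and "Invalid AUTHOR/START packet (check keys)") correspond to two separate checks a TACACS+ client performs on a server reply: the cleartext header type field, and whether the body decodes into sane field lengths under the configured shared secret. The following is an added example, not code from this thread, F5 or Cisco, that builds an RFC 8907 AUTHOR REPLY the way a server would and then validates it the way the network device does. The session id is the one printed in the log; the shared secrets and the all-zero reply are constructed inputs.

```python
"""Minimal TACACS+ (RFC 8907) authorization-reply validator (added example).

Builds an AUTHOR REPLY as a server would, then parses it as a network device
does, reproducing the two failure modes seen in the device log: a header whose
type byte is not AUTHOR (2), and a body that does not decode under the key.
"""
import hashlib
import struct

HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAC_PLUS_AUTHOR = 0x02            # packet type for authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body is cleartext when set (not recommended)
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 body obfuscation pad: chained MD5 over session_id, key, version, seq_no."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation is a plain XOR with the pad, so the same call encodes and decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_reply(session_id, key, seq_no=2, status=TAC_PLUS_AUTHOR_STATUS_PASS_ADD,
                       server_msg=b"ok", version=0xC0):
    """Server side: AUTHOR REPLY body is status, arg_cnt, server_msg_len, data_len, then data."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, version, seq_no)


def parse_author_reply(raw, key, expected_type=TAC_PLUS_AUTHOR):
    """Client side: return the decoded reply or raise ValueError with a device-style message."""
    if len(raw) < HEADER_LEN:
        raise ValueError("short read: %d bytes, header needs %d" % (len(raw), HEADER_LEN))
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    # The header is never obfuscated, so a wrong type byte is visible before any key is used.
    if ptype != expected_type:
        raise ValueError("received bad AUTHOR packet: type = %d, expected %d" % (ptype, expected_type))
    if version >> 4 != 0xC:
        raise ValueError("bad major version 0x%x" % (version >> 4))
    if seq_no % 2 != 0:
        raise ValueError("server replies must carry an even seq_no, got %d" % seq_no)
    body = raw[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("body length %d does not match header length %d" % (len(body), length))
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    if len(body) < 6:
        raise ValueError("Invalid AUTHOR/START packet (check keys)")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    # A wrong shared secret yields a pseudo-random body; its length fields then
    # almost never add up, which is the condition behind the "(check keys)" hint.
    if 6 + arg_cnt + msg_len + data_len > len(body):
        raise ValueError("Invalid AUTHOR/START packet (check keys)")
    return {"status": status, "arg_cnt": arg_cnt, "server_msg": body[6:6 + msg_len]}


def classify(raw, key):
    """Convenience wrapper: 'ok:<server_msg>' on success, 'error:<reason>' otherwise."""
    try:
        return "ok:" + parse_author_reply(raw, key)["server_msg"].decode(errors="replace")
    except ValueError as exc:
        return "error:" + str(exc)


if __name__ == "__main__":
    SID = 2473493593                     # session id as printed in the device log above
    good = build_author_reply(SID, b"shared-secret")   # constructed shared secret
    print(classify(good, b"shared-secret"))            # ok:ok
    print(classify(good, b"wrong-secret"))             # error: ... (check keys)
    print(classify(bytes(12), b"shared-secret"))       # error: type = 0, expected 2
```

The order of the checks matters for reading the log: "type = 0, expected 2" is raised on the cleartext header and so says nothing about the key, whereas "(check keys)" is only reached once the header looked valid and the body failed to decode. When troubleshooting a VIP in the path, it is worth confirming from a packet capture which of the two the device is actually hitting.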
How is SNAT configured for the VS? If SNAT is enabled, the ISE server won't receive the original network device IP, and maybe this is the reason for the failed authentication.
- prath1991Nimbostratus
I am struggling with the same, even though SNAT is disabled, and I can clearly see the source: NAD device and destination: F5 VIP is getting translated by F5 as source: NAD and destination: one of the ISE nodes.
aaa group server tacacs+ ISE_GROUP
server name F5-VIP
server name ISE-2
server name ISE-3
The weird thing is, whenever I send traffic to the F5 VIP for TACACS, I don't see anything or any logs on ISE either. I am not sure why?
Can you suggest?
- paredes_hNimbostratus
Hello,
Did you ever get this resolved?
- Erfan_AhmedNimbostratus
Please can you share your inputs on whether you are able to solve the issue, as I have configured the same topology for ISE nodes.
For your information, I have configured a VIP with a standard virtual server for TACACS port 49 and associated backend ISE PSN nodes for load balancing. I am going to test the device connection for TACACS using the VIP IP address as the AAA server.
Please can you share your inputs if you tested the AAA connection using TACACS.
with regards
Erfan