Forum Discussion

c1randy_358779's avatar
c1randy_358779
Icon for Nimbostratus rankNimbostratus
Apr 16, 2018

TACACS+ to VIP with pool of ISE nodes

I want to send TACACS+ requests from Network Devices to an F5 VIP that will load balance several Cisco Identity Service Engine nodes that run the service.

 

Is there a configuration guide out there? The ISE portion is configured and work but when I point the TACACS+ AAA configuration on my network device to the F5 VIP I created, TACACS+ fails with a network device log entry; ex (ignore IPs)

 

Apr 11 2018 15:36:02 PDT: TAC+: Opened TCP/IP handle 0xFFB4E70CE0 to 1.1.1.1/49 using source 1.1.1.1 Apr 11 2018 15:36:02 PDT: TAC+: Opened 1.1.1.1 index=1 Apr 11 2018 15:36:02 PDT: TAC+: 1.1.1.1 (2473493593) AUTHOR/START queued Apr 11 2018 15:36:02 PDT: TAC+: (2473493593) AUTHOR/START processed Apr 11 2018 15:36:02 PDT: TAC+: received bad AUTHOR packet: type = 0, expected 2 Apr 11 2018 15:36:02 PDT: TAC+: Invalid AUTHOR/START packet (check keys). Apr 11 2018 15:36:02 PDT: TAC+: Closing TCP/IP 0xFFB4E70CE0 connection to 1.1.1.1/49

 

BIG-IP
devops

4 Replies

Sort By
  • amintej's avatar
    amintej
    Icon for Cirrus rankCirrus
    Apr 17, 2018

    How is SNAT configuration for the VS? If snat is enabled, ISE server won't receive original network device IP and maybe this is the reason of failed authentication.

     

  • prath1991's avatar
    prath1991
    Icon for Nimbostratus rankNimbostratus
    Aug 25, 2019

    i am struggling with the same , even though SNAT Is disabled and i can clearly see the source : NAD device AND Destination : F5 VIP is getting trasnlated by F5 as source : NAD and Destination : One of the ISE Nodes.

     

    aaa group server tacacs+ ISE_GROUP

     server name F5-VIP

     server name ISE-2

     server name ISE-3

     

    weird thing is , whenever i send traffic to F5 VIP for TACACS i dont see anything or logs on ISE too .I am not sure why ?

    Can you suggest ?

  • Erfan_Ahmed's avatar
    Erfan_Ahmed
    Icon for Nimbostratus rankNimbostratus
    Aug 24, 2023

    Hi  c1randy_358779 ,

    Please can you share your inputs whether you are able to solve the issue . As I have configured same topology for ISE Nodes .

    For your information , I have confiured VIP with standard Virtual server for port TACACS 49 port and associated backend ISE PSN Nodes for load balancing . I am going to test the device connection for TACACS using VIP ip address a AAA Server .

    Please can you share your inputs if you tested AAA connection using TACACS .

    with regards 

    Erfan