topic Re: Unable to login to DNAc after upgrading Cisco ISE 2.7 p4 in Cisco Catalyst Center

Unable to login to DNAc after upgrading Cisco ISE 2.7 p4

victor.mansson — Wed, 18 Aug 2021 22:14:06 GMT

We have RADIUS login for our DNA center via ISE. After we upgraded ISE to 2.7 patch 4 from 2.6 we are no longer able to login to DNA Center.

We can see the RADIUS in ISE and everything looks OK. We see that ISE returns accept with cisco-av-pair Role=SUPER-ADMIN-ROLE.

But DNA Center display: Invalid Login Credentials.

We can't login with the local admin account, same message in DNA: Invalid Login Credentials.

We have reset the admin password via SSH to DNA Center > maglev > magctl user password update admin TNT0.

But with no luck, still Invalid Login Credentials.

We have also tesed with and ACL on the interface that connects the DNA to our network with deny to ISE-servers to stop any RADIUS traffic, but still can't access it with local admin account.

Before we upgraded Cisco ISE the login worked fine.

Have any of you had the same problem or have any idea where to go from here?
We will try to open an TAC-case for this.

Re: Unable to login to DNAc after upgrading Cisco ISE 2.7 p4

victor.mansson — Thu, 01 Jul 2021 12:33:31 GMT

I have found a solution for this.
Im posting it here if anyone else get this problem.

In Cisco DNA realse 2.1.x and after fallback to local account is disabled.

I had to SSH in to DNA Center using maglev account.
Enter this command: magctl rbac external_auth_fallback enable

Now I could login to DNA Center with the local admin account.

To get RADIUS woring again I had to update from Cisco-av-pair to Cisco-service-info

So in ISE I had to change the Authorization Profile to:

Access Type = ACCESS_ACCEPT
cisco-service-info = Role=SUPER-ADMIN-ROLE

And in DNA I had to go to System > Users & Roles > External Authentication and change the AAA Attribute to cisco-service-info.

Re: Unable to login to DNAc after upgrading Cisco ISE 2.7 p4

jamessciortino0060 — Fri, 23 Jul 2021 14:57:43 GMT

Thanks for this. Can confirm I observed this issue on DNA-C 2.1.2.7 and ISE 2.6 Patch 4. This workaround fixes it and applies to both RADIUS and TACACS. Is their a Bug ID associated with it?

Re: Unable to login to DNAc after upgrading Cisco ISE 2.7 p4

apanesar — Sat, 24 Jul 2021 09:12:05 GMT

Very helpful, thanks for posting

Re: Unable to login to DNAc after upgrading Cisco ISE 2.7 p4

franklinb — Wed, 25 Aug 2021 02:31:44 GMT

Thanks for the info however this is not working for me. Our situation is slightly different however - it was working fine with 2.6 patch 7 but patch 9 introduced the issue. Unlike Op our local account still worked fine.

~~Changing the AuthZ result to cisco-service-info and the DNAC "AAA Attribute" from "Cisco-AVPair" to "cisco-service-info" did not resolve the issue.~~

Working! I'm not sure why it didn't work the first time but I tried again today and it now works. We did not experience the issue of losing admin access to DNAC however, but otherwise saw exactly the same issue - now resolved.

Re: Unable to login to DNAc after upgrading Cisco ISE 2.7 p4

rasmus.elmholt — Mon, 23 Aug 2021 22:28:47 GMT

There are a couple of bugs relate to this.

CSCvy56771

CSCvu83230