05-04-2021 02:46 AM
Hi community
I have configured AAA authentication for my ACI fabric 4.2(6d) with ISE server 2.7. When I use RADIUS for authentication, I notice that only the read-only authorization profile succeeds in authenticating to the ACI, but the user that has the write-privilege authorization profile fails authentication.
In the case where I use TACACS+, the ACI cannot even contact the ISE in order to authenticate users that attempt to access the ACI fabric, and it displays this message: "tcacas server athentication denied"
Any idea about this issue?
05-08-2021 02:33 PM
05-09-2021 09:50 AM
Hey!
Sounds like the issue lies on the ISE.
In case of RADIUS - do you have the correct AV-Pair in the Shell Profile on ISE for this authentication?
In case of TACACS - are all APICs added to ISE as Network Devices and have TACACS enabled for them?
Best regards
Julian
05-10-2021 06:36 AM
Hi all,
RADIUS works properly with no problem, but in the case of TACACS I faced a problem: I didn't find any log on the ISE which proves that a user attempted to authenticate to the APIC.
"Are all APICs added to ISE as Network Devices and have TACACS": all the fabric device addresses are added to ISE.
05-10-2021 07:32 AM
Hey!
Are any other network devices (other than ACI) working properly with TACACS?
When adding the ACI Fabric Devices to the ISE, did you enable them for TACACS and can you double check the shared secret?
Best regards
Julian