Re: ACI authentication with ISE using tacacs or Radius

JlassiAhmed0345 · ‎05-04-2021

Hi community

I have configured AAA authentication for my ACI fabric 4.2(6d) with ISE server 2.7. when I use radius for authentication, I remark that only the read-only authorization profile succeeds to authenticate the ACI , but the user that has the authorization profile of write privélge failed the authentication.

in the case when I use Tacacs+, the ACI cannot even contact the ISE in order to authenticate users that attempt to access ACI fabric . and will display this message "tcacas server athentication denied"

Any idea about this issue .?

CristobalSegovia62261 · ‎05-08-2021

https://howtoaci.com/2018/05/21/tacacs-configuration-in-aci/

julian.bendix · ‎05-09-2021

Hey!

Sounds like the issue lies on the ISE..

In case of Radius - do you have the correct AV-Pair in the Shell Profile on ISE for this authentication?

In case of TACACS - are all APICs added to ISE as Network Devices and have TACACS enabled for them?

Best regards
Julian

JlassiAhmed0345 · ‎05-10-2021

hi

all

for the radius is work properly with no problem , but in the case of tacacs i faced a problem that i didn't any log on the ise which prove that a user attempt to authenticate the APIC .

are all APICs added to ISE as Network Devices and have TACACS : all the device Fabric address are added to ISE .

julian.bendix · ‎05-10-2021

Hey!

Are any other network devices (other than ACI) working properly with TACACS?

When adding the ACI Fabric Devices to the ISE, did you enable them for TACACS and can you double check the shared secret?

Best regards
Julian