11-13-2023 04:22 AM - edited 11-13-2023 05:51 AM
Hi folks.
I've been looking at adding a CIMC for an ACI APIC to TACACS / ISE. It's currently running on 4.1(3f) so does support TACACS+ (supported since 4.1(3b)).
The ISE server already has several CIMC devices authenticating against it (although these are non-ACI, for whatever that's worth).
It has been confirmed that the non-working device is hitting the same CIMC-Tacacs>>Full-Access authorization policy on ISE that a working device is hitting.
It has been confirmed both the non-working and working CIMC are configured the same at the CIMC-end (enabled, same ISE servers listed, etc.).
When logging into the working device, all works as expected. The privileged user is able to make changes.
But when logging into the non-working device using the same privileged account, changes cannot be made. Insufficient privileges message is received.
Worth noting that the working device is on a slightly newer code (4.2(2f)).
I did search for known bugs relating to CIMC TACACS privileges but have been unsuccessful. Any ideas would be appreciated.
12-28-2023 01:27 AM
This has been resolved with Cisco TAC. The following details I am copying from the case (SR 696571024) should they prove useful for anyone else:
I also tested the following av pair on version 4.1(3f):
By these tests, this confirms this bug: https://cdetsng.cisco.com/summary/#/defect/CSCwi38236