01-30-2025 09:36 PM - edited 02-03-2025 01:16 AM
Hi,
I have installed a new DNAC on our VM infra with the DNAC-SW-2.3.7.5-VA.ova image. I have integrated our ISE with DNAC, and now I am trying to make the GUI authentication go through TACACS. While checking External Authentication under Users/Roles in DNAC, I am seeing the update option for the AAA servers frozen (attached image) and am not able to change to TACACS. Can anyone help me with this? Is it some kind of bug in the software?
And another clarification: I have been seeing the below status (attached screenshot) in DNAC since the time of installation. Can anyone help me with this?
And another one: I could see that DNAC allows login through port 2222 with the default maglev account. Can anyone help me make this CLI auth go through TACACS?
Thanks
02-03-2025 06:33 AM
Hi,
Let me try to address your questions in the order they were asked.
1. The update button will not let you click it until you put in the shared secret. You have to do that each time you want to change anything in the advanced settings section for the Primary and/or Secondary AAA server options in Users and Roles → External Authentication.
Although the section looks like the shared secret is already there, that's just a default view, there is no content in the shared secret box, unless you input it first.
2. There were a lot of known issues with External Auth in the OVA for 2.3.7.4 and 2.3.7.5. I would suggest upgrading to 2.3.7.6 as this fixed the majority of them. Without further information, there is no telling what may be causing the error as it could be service related or integration related with Cisco ISE.
3. No, we do not offer CLI authentication with the TACACS/Radius servers. I don't believe that is something on the roadmap either. Setting up External Authentication in the GUI is only for the GUI credentials, there is no mechanism for the CLI.
02-03-2025 10:31 PM - edited 02-03-2025 10:32 PM
Hi,
Yes, I can see the update option if I enter the shared secret, but once I provide the secret and try to change it to TACACS, it throws an error and reverts back to RADIUS. The same thing happens for the Secondary AAA as well.
Could you please help me with this? I have tried to delete and re-add the ISE in authentication/policy servers, but still no luck.
02-04-2025 11:06 AM
I would strongly suggest upgrading to 2.3.7.6 or 2.3.7.7 as this is probably one of the external authentication issues that existed in 2.3.7.4/2.3.7.5 that were fixed as part of the upgrade path.
02-04-2025 08:17 PM
Sure, I will try this upgrade and check for the workaround. Thank you very much for your help.
04-14-2025 01:11 AM - edited 04-14-2025 01:12 AM
@maflesch I was able to resolve the above error after upgrading my DNAC to 2.3.7.7-7505, but my TACACS authentication didn't work.
While checking the TACACS logs, it hits the default rule instead of the DNAC auth rule which we configured for all DNAC devices. I have shared the logs from the working DNAC and this non-working DNAC.
Any clue on whether I am missing anything, or do I need to check with TAC?
04-14-2025 07:19 AM
Catalyst Center doesn't tell ISE/AAA which policies to use, so if it is mapping to the default and not whatever one was defined in ISE, then it's something to do with the profile in ISE. I don't work on the ISE side so I'm of little help here. If you need help defining the profiles, I would open a TAC ticket with the ISE team.
04-14-2025 10:19 PM
@maflesch But we have other DNACs which work with the same policy profile. The only concern is that they are all identified by ISE as DNAC, but this one is not.
04-15-2025 05:38 AM
It's however ISE is mapping the device through the profile. This doesn't have anything to do with Catalyst Center. Also, if you are running multiple Catalyst Centers to the same ISE deployment then you should be running the mdnac feature.
05-04-2025 09:31 PM - edited 05-05-2025 01:07 AM
@maflesch Thanks for suggesting that I check this in ISE. As you said, one of the policies in the profile was modified to fix this issue.
Up next, I am planning to integrate my WLC with DNAC. Could you help me with planning the prerequisites before integration, especially from the certificate perspective? Do I need to create a trustpoint for DNAC in the WLC and add the third-party certificate, or will it automatically get loaded in the WLC when discovered?
05-05-2025 06:43 AM
As part of the site assignment operation, the certificate from Catalyst Center gets provisioned to the WLC automatically.