10-20-2021 09:05 AM
Hello
I am setting up DNA Center for external auth via Juniper RADIUS. I set up the AAA external server IP and ports, and it seems I need to do something else to get my AAA server to authenticate my users. Reading the document's notes below:
"For most cases, the default AAA attribute setting (Cisco-AVPair) is sufficient, as long as you have set the Cisco DNA Center user profile on the AAA server with Cisco-AVPair as the AAA attribute"
I selected the "reset to default" button and that populated the AAA Attribute with Cisco-AVPair. Now I would like to know how the flow works. If I enter a username and password in the GUI login page I get an error. Looking at the activity log, I see I do not have the correct creds, but what is missing? There has to be something that takes the reply from Juniper and links it to a role on DNA Center. I would expect DNA to send the request to Juniper and Juniper to send the reply, but how, and what is DNA expecting in the reply to allow this user access to the admin role or any role on DNA?
If you have a document or can give me some guidance on how I should set up DNA AAA external auth without ISE, I would love that.
thank you
Eddy
10-21-2021 03:40 AM
See below:
Inside DNAC, as you alluded to, set the AAA attribute pair to: Cisco-AVPair
Ensure DNAC is set up as a NAD with the proper T+ shared secret in the AAA server
For shell profile setup custom attribute:
Type: MANDATORY
Name: Cisco-AVPair
Value: Role=SUPER-ADMIN-ROLE
See the "External Auth" section here: Cisco DNA Center Administrator Guide, Release 2.1.2 - Manage Users [Cisco DNA Center] - Cisco
10-22-2021 05:59 AM
I understand DNAC is expecting Cisco-AVPair from the Juniper with the role SUPER-ADMIN-ROLE. I will set up a new profile on the RADIUS server for this, but I do not know what you are referring to with "Ensure DNAC is set up as a NAD with the proper T+ shared secret in the AAA server". This is not noted in the document you provided. I am new and I do not understand the abbreviation.
Thank you
Eddy
10-22-2021 06:12 AM
"Ensure DNAC is set up as a NAD with the proper T+ shared secret in the AAA server"
- What I meant by this is: make sure DNAC is added as a network device on the AAA server side, with TACACS+ enabled and the respective shared secret.