Accepted Solutions
Hi Mike,
Thanks for thinking with me!
Meanwhile I discovered the solution after a zillion tries
I was wondering what ‘service’ I needed to use in tacacs+, because it’s not ‘exec’.
And I notice following from ISE details in that document;
- Wonder where this comes from? you don’t set it as far as I know?!
And indeed, when I’m using “cas-service” it works!
service = cas-service {
cisco-av-pair="Role=SUPER-ADMIN-ROLE"
}
Very nice!
Beware DNA does PAP authentication, it does not work with login (as IOS device do)
If I understand it well, login and PAP are both cleartext ASCII so level of security is the same, there is none.
However Tacacs+ is using encryption (based on the shared secret) for the complete session, so this shouldn’t be an issue right?
(I assume there is no way to change DNA from PAP to something else?)
Thanks community!
K
Hi Mike,
Thanks for thinking with me!
Meanwhile I discovered the solution after a zillion tries
I was wondering what ‘service’ I needed to use in tacacs+, because it’s not ‘exec’.
And I notice following from ISE details in that document;
- Wonder where this comes from? you don’t set it as far as I know?!
And indeed, when I’m using “cas-service” it works!
service = cas-service {
cisco-av-pair="Role=SUPER-ADMIN-ROLE"
}
Very nice!
Beware DNA does PAP authentication, it does not work with login (as IOS device do)
If I understand it well, login and PAP are both cleartext ASCII so level of security is the same, there is none.
However Tacacs+ is using encryption (based on the shared secret) for the complete session, so this shouldn’t be an issue right?
(I assume there is no way to change DNA from PAP to something else?)
Thanks community!
K
