DNA external User authentication via Tacacs+

KristofB (Level 1)

Hi Community,

I’m trying to set up external user authentication via Ubuntu Tacacs+ for DNA.

However, I cannot get it to work?!

My tac_plus.conf is something like this:


group = netadmin {
        default service = permit
        service = exec {
                priv-lvl = 15
                cisco-av-pair="Role=SUPER-ADMIN-ROLE"
        }
}

user = tacadmin {
        login = cleartext "password"
        pap = cleartext "password"
        member = netadmin
}

Whatever syntax I try (“Cisco-AVPair”, no priv-lvl, other AAA attributes, other service names, …), none of them seem to work.

Authentication seems to work:

Mar 14 08:10:00 Ubuntu-Tacacs tac_plus[17968]: connect from x.x.x.x [x.x.x.x]

Kibana:

Error : Exception with authenticating or authorizing Tacacs server:

In some situations the error was something about a “null” response.

(Testing with DNA 2.2.3.4)

Anyone have any idea?

 

1 Accepted Solution


2 Replies

Mike.Cifelli (VIP Alumni)

Are you able to set the type to mandatory and test again?  Try taking a peek at the attached document to see if it helps assist with troubleshooting.

KristofB (Level 1)

Hi Mike,

Thanks for thinking with me!

Meanwhile I discovered the solution after a zillion tries.

I was wondering what ‘service’ I needed to use in tacacs+, because it’s not ‘exec’.

And I noticed the following in the ISE details in that document:

[image: KristofB_0-1647332622130.png]

  • Wonder where this comes from? You don’t set it, as far as I know?!

And indeed, when I’m using “cas-service” it works!

        service = cas-service {
                cisco-av-pair="Role=SUPER-ADMIN-ROLE"
        }

 

Very nice!

Beware: DNA does PAP authentication; it does not work with login (as IOS devices do).

If I understand it well, login and PAP are both cleartext ASCII, so the level of security is the same: there is none.

However, Tacacs+ is using encryption (based on the shared secret) for the complete session, so this shouldn’t be an issue, right?

(I assume there is no way to change DNA from PAP to something else?)

Thanks community!

K
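To make the two points in the accepted answer concrete (DNA Center authenticates with PAP rather than ASCII login, and the tac_plus stanza that matters is the one whose name matches the service argument the client sends), here is an added example. It is not code from the thread, from tac_plus or from Cisco: a minimal RFC 8907 TACACS+ encoder/decoder in Python that runs a PAP authentication START and an authorization REQUEST/REPLY through the shared-secret body obfuscation, against a constructed policy standing in for the `service = exec` and `service = cas-service` stanzas. The shared secret, session ids, username/password and the assumption that DNA Center asks for `service=cas-service` in its authorization request (as the ISE details in the thread suggested) are constructed for the example; the packet layout and the MD5 pseudo-pad follow RFC 8907.

```python
import hashlib
import struct

# RFC 8907 (TACACS+) constants used below
MAJOR = 0xC
MINOR_ASCII, MINOR_PAP = 0x0, 0x1          # PAP clients use minor version 1
T_AUTHEN, T_AUTHOR = 1, 2                  # packet types
AUTHEN_LOGIN, SVC_LOGIN = 1, 1
TYPE_ASCII, TYPE_PAP = 1, 2
METH_TACACSPLUS = 6
AUTHOR_PASS_ADD, AUTHOR_FAIL = 0x01, 0x10
HDR = struct.Struct("!BBBBII")             # version, type, seq_no, flags, session_id, body length


def pseudo_pad(session_id, key, version, seq_no, n):
    """RFC 8907 s4.5 keystream: MD5(session_id | key | version | seq_no [| previous digest])."""
    head = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < n:
        prev = hashlib.md5(head + prev).digest()
        pad += prev
    return pad[:n]


def obfuscate(body, key, session_id, version, seq_no):
    """The TACACS+ 'encryption' is a plain XOR with that keystream; the same call also decrypts."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def packet(ptype, seq_no, session_id, key, body, minor):
    version = (MAJOR << 4) | minor
    hdr = HDR.pack(version, ptype, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, key, session_id, version, seq_no)


def unpack(raw, key):
    """Return the de-obfuscated body of one packet (wrong key -> keystream garbage)."""
    version, _ptype, seq_no, _flags, session_id, n = HDR.unpack(raw[:HDR.size])
    return obfuscate(raw[HDR.size:HDR.size + n], key, session_id, version, seq_no)


def pap_start(user, password):
    """Authentication START as a PAP client sends it: the password travels in the data field."""
    return bytes([AUTHEN_LOGIN, 1, TYPE_PAP, SVC_LOGIN, len(user), 0, 0, len(password)]) + user + password


def parse_pap_start(body):
    ul, pl, rl, dl = body[4:8]
    user = body[8:8 + ul]
    data = body[8 + ul + pl + rl:8 + ul + pl + rl + dl]
    return body[2], user, data             # authen_type, user, password


def author_request(user, args):
    """Authorization REQUEST; the 'service=' argument selects the tac_plus 'service = ...' stanza."""
    fixed = bytes([METH_TACACSPLUS, 1, TYPE_PAP, SVC_LOGIN, len(user), 0, 0, len(args)])
    return fixed + bytes(len(a) for a in args) + user + b"".join(args)


def parse_args(lens, blob):
    out, off = [], 0
    for n in lens:
        out.append(blob[off:off + n])
        off += n
    return out


def parse_author_request(body):
    ul, argc = body[4], body[7]
    return parse_args(body[8:8 + argc], body[8 + argc + ul:])


def author_reply(status, args):
    fixed = bytes([status, len(args)]) + struct.pack("!HH", 0, 0)   # no server_msg, no data
    return fixed + bytes(len(a) for a in args) + b"".join(args)


def parse_author_reply(body):
    status, argc = body[0], body[1]
    smsg, data = struct.unpack("!HH", body[2:6])
    return status, parse_args(body[6:6 + argc], body[6 + argc + smsg + data:])


PAP_DB = {b"tacadmin": b"password"}        # constructed: pap = cleartext "password"


def exchange(service, policy, key=b"SharedSecret123", session_id=0x1A2B3C4D):
    """Client (DNA Center role) and server (tac_plus role) in one place; returns what each side saw."""
    # 1. client -> server: PAP START; the server checks it against the pap credential
    start = packet(T_AUTHEN, 1, session_id, key, pap_start(b"tacadmin", b"password"), MINOR_PAP)
    atype, user, pw = parse_pap_start(unpack(start, key))
    authenticated = atype == TYPE_PAP and PAP_DB.get(user) == pw
    # 2. client -> server: authorization (a separate session) asking for service=<service>
    req = packet(T_AUTHOR, 1, session_id + 1, key, author_request(user, [b"service=" + service]), MINOR_ASCII)
    req_args = dict(a.split(b"=", 1) for a in parse_author_request(unpack(req, key)))
    granted = policy.get(req_args[b"service"], [])
    status = AUTHOR_PASS_ADD if authenticated and granted else AUTHOR_FAIL
    # 3. server -> client: REPLY carrying the av-pairs of the matched stanza (if any)
    rep = packet(T_AUTHOR, 2, session_id + 1, key, author_reply(status, granted), MINOR_ASCII)
    return {
        "password_visible_on_wire": b"password" in start,
        "authenticated": authenticated,
        "reply": parse_author_reply(unpack(rep, key)),
        "reply_with_wrong_key": unpack(rep, b"wrong-secret"),
    }


# Constructed stand-ins for the two tac_plus.conf stanzas in the thread
EXEC_ONLY = {b"exec": [b"priv-lvl=15", b"cisco-av-pair=Role=SUPER-ADMIN-ROLE"]}
CAS_SERVICE = {b"cas-service": [b"cisco-av-pair=Role=SUPER-ADMIN-ROLE"]}

if __name__ == "__main__":
    print("exec stanza only :", exchange(b"cas-service", EXEC_ONLY)["reply"])
    print("cas-service stanza:", exchange(b"cas-service", CAS_SERVICE)["reply"])
```

Run stand-alone it shows the thread's failure and fix: with only an `exec` stanza the client's `service=cas-service` request matches nothing and no `Role=` attribute comes back (this toy server answers FAIL; a real tac_plus with `default service = permit` would more likely answer PASS_ADD with no attributes, which leaves DNA Center equally without a role), while the `cas-service` stanza returns the `cisco-av-pair`. It also shows what the "encryption" in the reply above actually is: the PAP password is not readable on the wire, but the body is only XORed with an MD5 keystream derived from the shared secret, so anyone holding (or guessing) the secret decodes it, and RFC 8907 itself describes this as obfuscation rather than encryption and expects the transport to be protected by other means.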