unable to login to DNAC web interface with AD

michael18
Level 1

Configuration to use external AD login has been configured.

When enable external user is checked and a login attempt is made using an AD account, it fails with invalid credentials.

ISE TACACS live logs show a successful authentication and authorisation. Everything looks correct but the login fails on the DNAC GUI.

Also, is there a way to enable local login as well as external? If I enable external I can't use local. If I log out while configured for external, the above scenario means I won't have access.

3 Replies

guy-mckinney
Level 1

From the SSH CLI (maglev), type:

magctl rbac external_auth_fallback enable

This allows for local and external login via the web GUI. I too am having issues with logging in via web browser despite AAA passing in ISE TACACS logs...

You are a life saver. Thank you.

maflesch
Cisco Employee

Typically this happens when the AAA attribute is set incorrectly. I would confirm what you have configured in Cisco ISE for the TACACS profile, usually cisco-av-pair or Cisco-AVpair, copy that value you defined in Cisco ISE, and then update the field in the Catalyst Center under Menu -> System -> Users and Roles -> External Authentication.

Also, under AAA servers in that same section, click Advanced Settings and ensure TACACS is selected and not Radius. You can also inspect the identitymgmt logs in the Catalyst Center to determine what is failing:

magctl service logs -rf identitymgmt -c cas-service

Then while the logs are running, attempt to log in with your AD credentials again.
