
DNA Center working with Juniper Radius no ISE

EddyFonseca3815
Level 1

Hello

I am setting up DNA Center for external auth via Juniper RADIUS. I set up the AAA external server IP and ports, and it seems I need to do something else to get my AAA server to authenticate my users. Reading the documentation, it notes the following:

 

"For most cases, the default AAA attribute setting (Cisco-AVPair) is sufficient, as long as you have set the Cisco DNA Center user profile on the AAA server with Cisco-AVPair as the AAA attribute"  

 

I selected the reset to default button, and that populated the AAA Attribute with Cisco-AVPair. Now I would like to know how the flow works. If I enter a username and password in the GUI login page, I get an error. Looking at the activity log, I see I do not have the correct creds, but what is missing? There has to be something that takes the reply from Juniper and links it to a role on DNA Center. I would expect DNA sends the request to Juniper, then Juniper sends the reply, but how, and what is DNA expecting in the reply to allow this user access to the admin role or any role on DNA?

 

If you have a document or can give me some data on how I should set up DNA AAA external auth without ISE, I would love that.

 

Thank you

 

Eddy


Mike.Cifelli
VIP Alumni

See below:

Inside DNAC, as you alluded to, set the AAA attribute pair to: Cisco-AVPair

Ensure DNAC is set up as a NAD with the proper T+ shared secret in the AAA server

For the shell profile, set up a custom attribute:

Type: MANDATORY
Name: Cisco-AVPair
Value: Role=SUPER-ADMIN-ROLE

See (External Auth) section here: Cisco DNA Center Administrator Guide, Release 2.1.2 - Manage Users [Cisco DNA Center] - Cisco

I understand DNAC is expecting Cisco-AVPair from the Juniper with a role SUPER-ADMIN-ROLE. I will set a new profile on RADIUS for this, but I do not know what you refer to with the following: "Ensure DNAC is setup as a NAD with proper T+ shared secret in AAA server". This is not noted in the document you provided. I am new and I do not understand the abbreviation.

 

Thank you

 

Eddy

 

 

Mike.Cifelli
VIP Alumni
Accepted Solution

Ensure DNAC is set up as a NAD with the proper T+ shared secret in the AAA server

-What I meant by this is: make sure DNAC is added as a network device on the AAA server side with TACACS+ enabled with the respective shared secret.
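
What the reply discussed in this thread looks like on the wire, as an added example that is not part of any post above and assumes RADIUS as in the original question: the `Role=SUPER-ADMIN-ROLE` value travels in a Vendor-Specific attribute (type 26, Cisco vendor ID 9, sub-type 1), and the Response Authenticator only verifies when client and server hold the same shared secret. The function names, secret and request authenticator are constructed for illustration.

```python
import hashlib
import hmac
import struct

CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco
VSA_TYPE = 26         # RADIUS Vendor-Specific attribute (RFC 2865)
CISCO_AVPAIR = 1      # Cisco sub-type that carries "name=value" strings
ACCESS_ACCEPT = 2

def cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair as a RADIUS Vendor-Specific attribute."""
    data = value.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", VSA_TYPE, len(body) + 2) + body

def build_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Build an Access-Accept; the authenticator is MD5 over packet fields plus secret."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_accept(packet: bytes, request_auth: bytes, secret: bytes) -> list[str]:
    """Verify the Response Authenticator, then return every Cisco-AVPair value."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch (shared secret differs?)")
    pairs, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[i + 2:i + alen]
        if atype == VSA_TYPE and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and 2 <= vlen <= len(value) - 4:
                pairs.append(value[6:4 + vlen].decode())
        i += alen
    return pairs

# Constructed sample values (not taken from the thread).
REQ_AUTH = bytes(range(16))
SECRET = b"example-shared-secret"
PACKET = build_accept(7, REQ_AUTH, SECRET, cisco_avpair("Role=SUPER-ADMIN-ROLE"))
```

Comparing a packet capture of the server's Access-Accept against this layout shows whether the attribute is being returned at all and whether it is the Cisco VSA rather than a standard attribute.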
