Solved: DNAC unable to add TACACS to existing Authentication & Policy Servers

Sylvain_Che · ‎02-28-2022

Hello,

In DNAC, I'm unable to turn on TACACS protocol to an existing Authentication & Policy Server (ISE).

Observed in DNAC 2.2.2.8 and 2.2.3.4.

As soon as I check the TACACS checkbox, the "Add" button is greyed out and the TACACS port is set to '0' without being able to modify it.

Anyone else faced this issue?

How can I turn it on so I can use TACACS on the Network Settings page?

Best regards,

Sylvain.

Sylvain_Che · ‎03-10-2022

Hi guys,

I finally opened a TAC case and the engineer manually modified the database in DNAC to set the TACACS port to 49.

The reason she gave me is: DNAC<->ISE integration has been performed with an older DNAC version (1.3.1.2 in my case) and at that time, there was some kind of a bug in DNAC. We (client) viewed the issue only now because we never tried before to enable TACACS as part of the integration.

She has to confirm us if it was publicly documented or internal to Cisco only.

And the multiple upgrades we've done to reach 2.2.3.4 never fixed the issue. As stated by the TAC, this has to be manually fixed. It is not corrected via upgrades.

We still currently have an issue to integrate ISE into DNAC but this is because of another issue (pxgrid).

Once this 2nd issue and TACACS is correctly enabled and available in the Network Settings page, I will make this post as the Accepted Solution so you guys know how to progress and fix the issue.

Have a good day folks,

Sylvain.

View solution in original post

Mike.Cifelli · ‎02-28-2022

Anyone else faced this issue?

-FYSA I have also seen this issue in existing deployments when attempting to add T+ server to existing AAA servers in DNAC. I believe the port 0 is simply a cosmetic issue (I suggest pinging TAC to be sure).

As soon as I check the TACACS checkbox, the "Add" button is greyed out and the TACACS port is set to '0' without being able to modify it.

-IMO another cosmetic issue, re-type in the account password used for integration with ISE. The add button will appear afterwards.

Sylvain_Che · ‎03-02-2022

Hi Mike,

Thanks for the answer.

Unfortunately the Add button stays greyed out even after re-entering the password.

Regards,

Sylvain.

Sylvain_Che · ‎03-10-2022

Hi guys,

I finally opened a TAC case and the engineer manually modified the database in DNAC to set the TACACS port to 49.

The reason she gave me is: DNAC<->ISE integration has been performed with an older DNAC version (1.3.1.2 in my case) and at that time, there was some kind of a bug in DNAC. We (client) viewed the issue only now because we never tried before to enable TACACS as part of the integration.

She has to confirm us if it was publicly documented or internal to Cisco only.

And the multiple upgrades we've done to reach 2.2.3.4 never fixed the issue. As stated by the TAC, this has to be manually fixed. It is not corrected via upgrades.

We still currently have an issue to integrate ISE into DNAC but this is because of another issue (pxgrid).

Once this 2nd issue and TACACS is correctly enabled and available in the Network Settings page, I will make this post as the Accepted Solution so you guys know how to progress and fix the issue.

Have a good day folks,

Sylvain.