victor.mansson
Beginner

Unable to login to DNAc after upgrading Cisco ISE 2.7 p4

Hi

 

We have RADIUS login for our DNA Center via ISE. After we upgraded ISE to 2.7 patch 4 from 2.6 we are no longer able to log in to DNA Center.

We can see the RADIUS in ISE and everything looks OK. We see that ISE returns accept with cisco-av-pair Role=SUPER-ADMIN-ROLE.

But DNA Center displays: Invalid Login Credentials.

 

We can't log in with the local admin account, same message in DNA: Invalid Login Credentials.

We have reset the admin password via SSH to DNA Center > maglev >  magctl user password update admin TNT0.

But with no luck, still Invalid Login Credentials.

 

We have also tested with an ACL on the interface that connects the DNA to our network with deny to ISE servers to stop any RADIUS traffic, but still can't access it with the local admin account.

 

Before we upgraded Cisco ISE the login worked fine.

Have any of you had the same problem or have any idea where to go from here?
We will try to open a TAC case for this.

1 ACCEPTED SOLUTION

victor.mansson
Beginner

I have found a solution for this.
I'm posting it here if anyone else gets this problem.

In Cisco DNA release 2.1.x and after, fallback to local account is disabled.

I had to SSH in to DNA Center using the maglev account.
Enter this command: magctl rbac external_auth_fallback enable

 

Now I could log in to DNA Center with the local admin account.

To get RADIUS working again I had to update from Cisco-av-pair to Cisco-service-info.

So in ISE I had to change the Authorization Profile to:

Access Type = ACCESS_ACCEPT
cisco-service-info = Role=SUPER-ADMIN-ROLE

 

And in DNA I had to go to System > Users & Roles > External Authentication and change the AAA Attribute to cisco-service-info.
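
Added example, not part of the original post and not Cisco code: a check that reads a captured RADIUS Access-Accept and reports which Cisco vendor-specific attribute carries the Role= value, compared with the AAA Attribute configured in DNA Center. Vendor ID 9 and vendor types 1 and 251 are taken from the commonly published Cisco RADIUS dictionary and are assumptions here; the function names and the sample packet builder are constructed for illustration.

```python
import struct

CISCO_VENDOR_ID = 9
# Vendor types from the commonly published Cisco RADIUS dictionary
# (assumption: the thread itself does not give these numbers).
CISCO_VSA_NAMES = {1: "cisco-av-pair", 251: "cisco-service-info"}

def cisco_roles(packet: bytes):
    """Return [(vsa_name, role)] for each Cisco VSA carrying Role=<value>."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = [], 20  # attributes follow the 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value, pos = packet[pos + 2:pos + alen], pos + alen
        # Only Vendor-Specific (26) attributes with Cisco's vendor ID matter here.
        if atype != 26 or len(value) < 6 or struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        sub = value[4:]
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            text, sub = sub[2:vlen].decode("utf-8", "replace"), sub[vlen:]
            if text.startswith("Role="):
                found.append((CISCO_VSA_NAMES.get(vtype, f"cisco-vsa-{vtype}"), text[5:]))
    return found

def diagnose(packet: bytes, configured_attribute: str) -> str:
    """Compare the VSA that carries the role with the attribute the client reads."""
    if packet[0] != 2:
        return "not an Access-Accept"
    norm = lambda s: s.lower().replace("-", "")  # Cisco-AVPair == cisco-av-pair
    roles = cisco_roles(packet)
    for name, role in roles:
        if norm(name) == norm(configured_attribute):
            return f"match: {role}"
    if roles:
        return f"mismatch: role sent in {roles[0][0]}, client reads {configured_attribute}"
    return "no Role= value in any Cisco VSA"

def sample_accept(vtype: int, text: str) -> bytes:
    """Constructed Access-Accept (zeroed authenticator) with one Cisco VSA."""
    sub = bytes([vtype, len(text) + 2]) + text.encode()
    vsa = bytes([26, len(sub) + 6]) + struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BBH", 2, 1, 20 + len(vsa)) + bytes(16) + vsa
```

Feed `diagnose()` the raw RADIUS payload bytes of the Access-Accept from a capture taken between ISE and DNA Center, together with the AAA Attribute name shown under External Authentication.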

 


5 REPLIES
Thanks for this. Can confirm I observed this issue on DNA-C 2.1.2.7 and ISE 2.6 Patch 4. This workaround fixes it and applies to both RADIUS and TACACS. Is there a Bug ID associated with it?

There are a couple of bugs related to this.

 

CSCvy56771

CSCvu83230

Very helpful, thanks for posting

franklinb
Beginner

Thanks for the info; however, this is not working for me. Our situation is slightly different, however - it was working fine with 2.6 patch 7 but patch 9 introduced the issue. Unlike OP, our local account still worked fine.

 

Changing the AuthZ result to cisco-service-info and the DNAC "AAA Attribute" from "Cisco-AVPair" to "cisco-service-info" did not resolve the issue. 

 

Working! I'm not sure why it didn't work the first time but I tried again today and it now works. We did not experience the issue of losing admin access to DNAC however, but otherwise saw exactly the same issue - now resolved.