01-09-2018 04:36 AM
We are migrating device administration via TACACS from ACS to ISE. I am having a problem with a Riverbed appliance. We wish to have users logging in via TACACS have "system administrator" privilege. The vendor documentation gives the following:
user = tacplus {
    login = cleartext "tacplus"
    service = system {
        riverbed-roles-list = "System Administrator"
    }
}
I was able to use the following to achieve the privilege elevation in ACS:
service = system
riverbed-roles-list = System Administrator
In ISE I set up the profile:
service = system
riverbed-roles-list = System Administrator
With this, the appliance says "Invalid Credentials"
Response {Authen-Reply-Status=Pass; }
So I assume I need quotes:
service = system
riverbed-roles-list = "System Administrator"
With this my login is successful but my privileges are not elevated.
The ISE says:
{Author-Reply-Status=PassAdd; AVPair=riverbed-roles-list = "System Administrator"; AVPair=service = system; }
I also tried 'System Administrator' (single quotes) and get the same "Invalid Credentials" Response {Authen-Reply-Status=Pass; } as I did with no quotes.
It was simple to implement with the ACS - does anyone have advice as to what needs to be done to get this done in ISE?
Thanks.
01-09-2018 04:40 AM
To be specific, the ACS configuration looks like:
Attribute            Requirement  Value
riverbed-roles-list  Mandatory    System Administrator
service              Mandatory    system
01-09-2018 04:46 AM
I solved it!
I am leaving the answer to share with others.
Lesson learned - take out the spaces/punctuation.
Correct syntax:
service=system
riverbed-roles-list=System Administrator
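An added example, not part of the original thread: a small Python check for raw attribute lines like the ones tried above, flagging the padding and quoting that the accepted answer removed. It assumes the server sends each line as typed, as the ISE log line in the question suggests; the function names are hypothetical and the sample lines are constructed from the posts.

```python
import re


def lint_av_pair(line):
    """Return (normalized_pair, problems) for one raw attribute line.

    A TACACS+ attribute-value pair is name, separator, value, where '='
    marks a mandatory attribute and '*' an optional one. Anything typed
    around the separator becomes part of the name or value on the wire.
    """
    match = re.search(r"[=*]", line)  # first separator; values may contain '='
    if match is None:
        return None, ["no '=' or '*' separator"]
    name, sep, value = line[:match.start()], match.group(), line[match.end():]
    problems = []
    if not name.strip():
        problems.append("empty attribute name")
    if name != name.strip():
        problems.append("whitespace around attribute name")
    if value != value.strip():
        problems.append("whitespace around value")
    bare = value.strip()
    if len(bare) >= 2 and bare[0] == bare[-1] and bare[0] in "\"'":
        problems.append("value wrapped in quotes")
        bare = bare[1:-1]
    return name.strip() + sep + bare, problems


def lint_profile(text):
    """Lint every non-blank line of a profile; returns (raw, fixed, problems)."""
    return [(raw, *lint_av_pair(raw)) for raw in text.splitlines() if raw.strip()]


# Constructed sample: the variants tried in the thread.
SAMPLE = """service = system
riverbed-roles-list = "System Administrator"
service=system
riverbed-roles-list=System Administrator
"""

if __name__ == "__main__":
    for raw, fixed, problems in lint_profile(SAMPLE):
        status = "ok" if not problems else "; ".join(problems)
        print(f"{raw!r:50} -> {fixed!r:45} [{status}]")
```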