
Cisco ISE 3.0 and Infinera Transmode ENM TACACS

jvooght01
Level 1

Good evening,

 

I am hoping someone here has run into this and found a solution. I am working with a site that has Infinera Transmode for intersite DWDM. Currently there are a couple of users on the systems with generic usernames and we would like to move to TACACS for authentication.

The policy in ISE is configured to deliver a TACACS profile named "Infinera Administrator". Looking at live logs, my username passes authentication and it pushes the "Infinera Administrator" profile to the device I am testing with. The device sits and "thinks" for about 15 seconds and fails.

The log in the Infinera holds this message for my attempt(s):

mgmt_webauth.c:728:mod_tmauth:ERROR:pam_authenticate() failed, user=<USERNAME_REDACTED>, rc=7, Authentication failure

 

The document Infinera sent me has only this snippet for the configuration of TACACS.


You can assign a privilege level (priv-lvl) in the TACACS+ server using priv-lvl values

1 = readonly
10 = operator
15 = administrator
Service needs to be "raccess".

Here is a simple server configuration example for an administrator user in tac_plus, an updated version of Cisco's TACACS+ server:

key = secret
user = myuser {
    default service = permit
    global = cleartext kale
    service = raccess {
        priv_lvl = 15
    }
}


My current TACACS profile includes the following custom attributes:

service=raccess
priv_lvl = 15

 

I have tried one and not the other, priv-lvl vs. priv_lvl, and I have added a user-name attribute mapping to the root user, etc. I feel like I am missing something, and unfortunately their support person only pastes in that configuration example above and bids me adieu without any other context.

Sorry so long winded, but any help would be greatly appreciated.
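
An added troubleshooting example, not part of the original post and not Cisco or Infinera code: it parses a decrypted TACACS+ authorization REPLY body using the RFC 8907 layout and lists where the attribute-value pairs differ from the vendor snippet quoted above (service "raccess", priv-lvl 1/10/15). The function names and sample replies are constructed for illustration; RFC 8907 names the attribute priv-lvl, and the page does not say whether the device also accepts priv_lvl.

```python
import struct

ROLES = {1: "readonly", 10: "operator", 15: "administrator"}  # from the vendor snippet
PASS_ADD, PASS_REPL = 0x01, 0x02  # RFC 8907 authorization statuses that grant access


def build_reply(status, args):
    """Encode a decrypted authorization REPLY body (constructed test input)."""
    raw = [a.encode("ascii") for a in args]
    head = struct.pack("!BBHH", status, len(raw), 0, 0)  # no server_msg, no data
    return head + bytes(len(a) for a in raw) + b"".join(raw)


def parse_reply(body):
    """Return (status, [(name, separator, value), ...]) from a REPLY body."""
    status, argc, msg_len, data_len = struct.unpack_from("!BBHH", body, 0)
    lens = body[6:6 + argc]  # one length byte per argument
    pos = 6 + argc + msg_len + data_len  # arguments follow server_msg and data
    if len(lens) != argc or pos + sum(lens) > len(body):
        raise ValueError("truncated authorization reply")
    pairs = []
    for n in lens:
        arg = body[pos:pos + n].decode("ascii")
        pos += n
        # '=' marks a mandatory pair, '*' an optional one; the first one splits.
        cut = min((i for i in (arg.find("="), arg.find("*")) if i >= 0), default=-1)
        if cut < 1:
            raise ValueError("malformed attribute-value pair: %r" % arg)
        pairs.append((arg[:cut], arg[cut], arg[cut + 1:]))
    return status, pairs


def check_profile(body):
    """List differences between a reply and what the vendor snippet asks for."""
    status, pairs = parse_reply(body)
    attrs = {name: value for name, _, value in pairs}
    problems = []
    if status not in (PASS_ADD, PASS_REPL):
        problems.append("status 0x%02x is not a PASS" % status)
    if any(s != s.strip() for p in pairs for s in (p[0], p[2])):
        problems.append("whitespace around an attribute name or value")
    if attrs.get("service") != "raccess":
        problems.append("service is not 'raccess'")
    if "priv-lvl" not in attrs:
        hint = " (priv_lvl was sent instead)" if "priv_lvl" in attrs else ""
        problems.append("no priv-lvl attribute" + hint)
    elif not attrs["priv-lvl"].isdigit() or int(attrs["priv-lvl"]) not in ROLES:
        problems.append("priv-lvl %r maps to no documented role" % attrs["priv-lvl"])
    return problems
```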


hslai
Cisco Employee

I have no idea about this but you might try it with the generic common task type and use a custom attribute.

[Attached screenshots: Screen Shot 2021-07-05 at 10.55.51 AM.png, Screen Shot 2021-07-05 at 10.56.09 AM.png]