Solved: Re: ISE TACACS - compound A/V pair

tgraham · ‎01-09-2018

We are migrating device administration via TACACS from ACS to ISE. I am having a problem with a Riverbed appliance. We wish to have to have users logging via TACAS to have "system administrator" privilege. The vendor documentation gives the following:

user = tacplus {

login = cleartext "tacplus"

service = system {

riverbed-roles-list = "System Administrator"

}

I was able to use the following to achieve the privilege elevation in ACS:

service = system

riverbed-roles-list = System Administrator

In ISE I set up the profile:

service = system

riverbed-roles-list = System Administrator

With this I get the appliance says "Invalid Credentials"

Response {Authen-Reply-Status=Pass; }

So I assume I need quotes:

service = system

riverbed-roles-list = "System Administrator"

With this my login is successful but my privileges are not elevated.

The ISE says:

{Author-Reply-Status=PassAdd; AVPair=riverbed-roles-list = "System Administrator"; AVPair=service = system; }

I also tried 'System Administrator' (single quotes) and get the same "Invalid Credentials" Response {Authen-Reply-Status=Pass; } as I did with no quotes.

It was simple to implement with the ACS - does anyone have advice as to what needs to be done to get this done in ISE?

Thanks.

tgraham · ‎01-09-2018

I solved it!

I am leaving the answer to share with others.

Lesson learned - take out the spaces/punctuation.

Correct syntax:

service=system

riverbed-roles-list=System Administrator

View solution in original post

tgraham · ‎01-09-2018

To be specific the ACS configuration looks like

Attribute Requirement Value

riverbed-roles-list Manadatory System Administator

service Mandatory system

tgraham · ‎01-09-2018

I solved it!

I am leaving the answer to share with others.

Lesson learned - take out the spaces/punctuation.

Correct syntax:

service=system

riverbed-roles-list=System Administrator