05-04-2017 04:13 AM - edited 03-11-2019 12:41 AM
Hi Experts
I am configuring Nexus version 7.0(3) with ISE 2.1 for AAA authentication (TACACS).
During the configuration I am facing a problem: when I try to log in to the Nexus, all the domain users get authenticated (identity store is AD in ISE) and land at the # prompt in Nexus (attached ISE auth configuration).
Once the login succeeds, only the authorised users configured under the authorization rule have permission to run the commands.
Has anyone come across a similar issue on the Nexus, where authentication happens first and then it checks for the authorization?
I am facing the issue only on Nexus; other devices are working fine.
AAA configuration:
aaa authentication login default group TACACS
aaa authentication login console local
aaa authorization config-commands default group TACACS
aaa authorization commands default group TACACS
aaa accounting default group TACACS
tacacs-server directed-request
Thanks
Angus
05-04-2017 02:03 PM
Unfortunately, this is a known problem with the Nexus and ISE TACACS implementation. This is because ISE decouples authentication and authorization with TACACS. The following post has a workaround to get this to work:
https://communities.cisco.com/thread/70638?start=0&tstart=0