1468 Views, 0 Helpful, 0 Replies

ISE v2.4 Issue with Nexus 9318 switch

alanb (Level 1)

ISE Issue

Cisco ISE installed on VM (Hyper-V) machine

ISE Version 2.4

Setup iaw Cisco documentation

Two Cisco switches to be administered by ISE

  1. (MSW) Management SW (Cisco 2960)
  2. (ASW) Access SW Nexus Chassis - 9180YC-FX, SW nxos.7.0.3.I7.3.bin (7.0(3)I7(3))

ISE Configured iaw LLD and Cisco Configuration Guides

For Evaluation and Testing

Profiles created for IOS and NXOS

Policy sets created for IOS and NXOS

External Identity Store (Active Directory) dl groups associated

Active Directory

AD Configured with 4 domain local groups, (dl-msw-admin, dl-msw-operator, dl-asw-admin, dl-asw-operator).

Users created and made members of dl groups


Switches Configured iaw Cisco Config guide

ASW (NXOS) NX 9318 V7.0(3)

feature tacacs+
ip tacacs source-interface mgmt0
tacacs-server host w.x.y.z key 7 "afhjiiwke"
aaa group server tacacs+ AAAservers
    server w.x.y.z
    use-vrf management
aaa authentication login default group AAAservers local
aaa authorization config-commands default group AAAservers local
aaa authorization commands default group AAAservers local
aaa accounting default group AAAservers
tacacs-server directed-request
interface mgmt0
  vrf member management
  ip address w.x.y.z/24

Problem

When trying to log in using credentials (username, password), from AD

Management SW (2960) works correctly, authenticates and authorises using Active directory data.

Access SW (9318) has problem

Access is denied.

ISE logging shows Authentication correct, but no Authorisation takes place.

Different users, password, and groups tried with same result.

On ASW switch can ping ISE correctly

Test aaa server tacacs+ w.x.y.z vrf management username password

And Test aaa group AAAservers username password

Give response -- error authenticating to server, status 7

No obvious indication from debug tacacs+

I am running with the ISE 90 day evaluation licence, for testing, could this be an issue?

I have noticed that the Cisco ISE (v2.4) - Network Component Compatibility document has no Nexus devices listed, could this be an issue?

Grateful for any suggestions.


Alan (Network Design Engineer)
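As an added example (not part of Alan's post, and not a Cisco or ISE tool), the following Python script audits an NX-OS TACACS+ AAA configuration for the switch-side inconsistencies that most often break a `test aaa` check before ISE policy is even consulted: a server listed under the `aaa group` without a matching `tacacs-server host` entry or shared key, a group whose `use-vrf` differs from the VRF of the `ip tacacs source-interface`, or a method list that references an undefined group. The sample configuration is constructed to mirror the structure quoted above; the addresses and key string are placeholders, not real values. The script cannot determine why a given server returns "status 7"; it only rules out configuration mismatches on the switch, and it cannot verify that the shared secret actually matches the one defined on ISE, which has to be compared on both ends.

```python
"""Consistency audit of an NX-OS TACACS+ AAA configuration (added example)."""
import re

# Constructed sample mirroring the structure of the config quoted in the post.
# 192.0.2.x is documentation address space; the key string is a placeholder.
SAMPLE_CONFIG = """\
feature tacacs+
ip tacacs source-interface mgmt0
tacacs-server host 192.0.2.10 key 7 "PLACEHOLDER"
aaa group server tacacs+ AAAservers
    server 192.0.2.10
    use-vrf management
aaa authentication login default group AAAservers local
aaa authorization config-commands default group AAAservers local
aaa authorization commands default group AAAservers local
aaa accounting default group AAAservers
tacacs-server directed-request
interface mgmt0
  vrf member management
  ip address 192.0.2.5/24
"""


def parse_nxos_aaa(text):
    """Extract the AAA-relevant pieces of an NX-OS running-config into a dict."""
    cfg = {"features": set(), "source_interface": None, "servers": {},
           "global_key": False, "groups": {}, "interfaces": {}, "method_lists": []}
    context = None  # ("group", name) or ("interface", name) while inside a sub-block
    for raw in text.splitlines():
        if not raw.strip():
            continue
        line = raw.strip()
        if not raw[0].isspace():          # top-level command closes any sub-block
            context = None
            if m := re.match(r"feature (\S+)", line):
                cfg["features"].add(m.group(1))
            elif m := re.match(r"ip tacacs source-interface (\S+)", line):
                cfg["source_interface"] = m.group(1)
            elif m := re.match(r"tacacs-server host (\S+)(.*)", line):
                # True when a per-host key is configured on this line
                cfg["servers"][m.group(1)] = "key" in m.group(2).split()
            elif re.match(r"tacacs-server key ", line):
                cfg["global_key"] = True
            elif m := re.match(r"aaa group server tacacs\+ (\S+)", line):
                context = ("group", m.group(1))
                cfg["groups"][m.group(1)] = {"servers": [], "vrf": "default"}
            elif m := re.match(r"aaa (authentication login|authorization \S+|accounting) "
                               r"default group (\S+)", line):
                cfg["method_lists"].append((m.group(1), m.group(2)))
            elif m := re.match(r"interface (\S+)", line):
                context = ("interface", m.group(1))
                cfg["interfaces"][m.group(1)] = {"vrf": "default"}
        elif context and context[0] == "group":
            if m := re.match(r"server (\S+)", line):
                cfg["groups"][context[1]]["servers"].append(m.group(1))
            elif m := re.match(r"use-vrf (\S+)", line):
                cfg["groups"][context[1]]["vrf"] = m.group(1)
        elif context and context[0] == "interface":
            if m := re.match(r"vrf member (\S+)", line):
                cfg["interfaces"][context[1]]["vrf"] = m.group(1)
    return cfg


def audit(cfg):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    if "tacacs+" not in cfg["features"]:
        findings.append("feature tacacs+ is not enabled")
    src_vrf = None
    if cfg["source_interface"] is None:
        findings.append("no ip tacacs source-interface configured")
    else:
        iface = cfg["interfaces"].get(cfg["source_interface"])
        src_vrf = iface["vrf"] if iface else None
    for name, grp in cfg["groups"].items():
        if not grp["servers"]:
            findings.append(f"group {name} lists no servers")
        for srv in grp["servers"]:
            if srv not in cfg["servers"]:
                findings.append(f"group {name}: server {srv} has no tacacs-server host entry")
            elif not (cfg["servers"][srv] or cfg["global_key"]):
                findings.append(f"server {srv}: no shared key configured (per-host or global)")
        if src_vrf and grp["vrf"] != src_vrf:
            findings.append(f"group {name}: use-vrf {grp['vrf']} differs from VRF "
                            f"{src_vrf} of source interface {cfg['source_interface']}")
    for method, grp in cfg["method_lists"]:
        if grp not in cfg["groups"]:
            findings.append(f"aaa {method} references undefined group {grp}")
    return findings


if __name__ == "__main__":
    print("sample config:", audit(parse_nxos_aaa(SAMPLE_CONFIG)) or "no findings")
    broken = SAMPLE_CONFIG.replace("use-vrf management", "use-vrf default")
    print("VRF mismatch variant:", audit(parse_nxos_aaa(broken)))
```

Run it against the text of `show running-config aaa` plus the `tacacs-server` and `interface` lines; a clean result means the remaining suspects are the shared secret value, reachability inside the management VRF, and the ISE side (network device definition, allowed protocols, and the device-admin policy set), none of which a switch-side parse can see.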
