cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1818
Views
3
Helpful
4
Replies

SSM On-Prem TACACS+ login after upgrade not working

tobiasdreyer
Level 1
Level 1

Hello,

I upgraded our On-Prem server from Release 8-202201 to 8-202206. After the upgrade I'm not able to login to the GUI. We used TACACS+ (ISE) to authenticate. Also the local admin user is not working: "The requested user is not found".

From the CLI I checked the TACACS config via "tacacs_config" and found out, that the configuration was removed during the upgrade. So I configured and enabled TACACS again. I also added a local TACACS user, but without any improvements. 

When checking the TACACS+ live log on the ISE I can see, that authorization is failing. Prior to the upgrade there was no user authorization. So there must have been a change in the newer release. 

Can someone help me how to configure the ISE so that authorization is working for the On-Prem server?

Thank you and regards

Tobias

4 Replies 4

pmuellerstgt
Level 1
Level 1

Hello,

create a shell Profile with "Default Privilege 15" and "Maximum Privilege 15" and bind it to the authorization rule.
That has fixed the problem for us.

It is also documentated in the current Release Notes.

Hello,

thank you for your reply.

I found a section about TACACS in the user guide, but unfortunately it does not specify, how to setup the config in ISE to get it work.

So I did some troubleshooting and found out, that the authentication type the On-Prem server is using is CHAP. In the authentication policy we set up in our policy set, we only check for ASCII and PAP. After adding CHAP, it worked again. 

So I doublechecked the TACACS configuration on the On-Prem server, but the configured authentication method is PAP and not CHAP. So it seems to be a bug. 

Opening a support case for the On-Prem server was not successful because of missing SN or PAK, which does not exist for a free virtual server or?

Best regards,

Tobias

did this ever get fixed for you?   I recently started having the same error - but we didn't upgrade. 

 

Could you specify how to do that? I am using Clearpass and still trying to figure out how to send the SSM user roles with it. The authentication test in SSM works fine, but the login is not working. I guess it is due to missing user roles assigned to the authenticating user.

Review Cisco Networking for a $25 gift card