DCNM 11.2.1 Authorization with Cisco ISE 2.2

pbosman
Level 1

Hi, we have recently installed Cisco DCNM 11.2.1 and enabled AAA with Cisco ISE as the TACACS+ server. On the Cisco ISE server I have configured the TACACS profile with the custom attribute set to Mandatory, name shell:roles and value network-admin. Authentication works fine, so I can log in, only not as an admin. In the TACACS log there are messages that the right TACACS profile is selected and the attribute is sent in the response:

Authorization Attributes

All Request Attributes: cisco-av-pair* ,shell:roles*
All Response Attributes: shell:roles=network-admin

and the response is also sent. It does mention AVPair, not cisco-av-pair, so maybe that is the problem:

Response{Author-Reply-Status=PassRepl; AVPair=shell:roles=network-admin; }

 

 

Accepted Solutions

pbosman
Level 1

Problem is fixed. In ISE I have created a separate TACACS profile with the name cisco-av-pair and the value shell:roles="network-admin".

wkusnetsov
Level 1

The same problem with DCNM 11.3.1 and TACACS+ with ISE 2.x

But ISE rejected the recommended cisco-av-pair=shell:roles="network-admin" with an "Invalid Character" message.

It appears ISE doesn't accept quotes (both single ' and double " ones), so in our case the correct value proved to be:
shell:roles=network-admin (without any quotation marks)
