cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2717
Views
0
Helpful
2
Replies

DCNM 11.2.1 Authorization with Cisco ISE 2.2

pbosman
Beginner
Beginner

Hi, we have recently installed Cisco DCNM 11.2.1 and enabled AAA with Cisco ISE as TACACS+ server. At the Cisco ISE server I have configured the TACACS profile with the custom attribute set to Mandatory name shell:roles  and value network-admin. Authentication works fine, so I can login, only not as an admin. In the tacacs log there are messages that the right tacacs profile is selected and the attribute is send in the response:

Authorization Attributes

All Request Attribuescisco-av-pair* ,shell:roles*
All Response Attribuesshell:roles=network-admin

and the response is also send, it does mention AVPair not cisco-av-pair, so maybe that is the problem:

Response{Author-Reply-Status=PassRepl; AVPair=shell:roles=network-admin; }

 

 

1 Accepted Solution

Accepted Solutions

pbosman
Beginner
Beginner

problem is fixed. in ISE I have created a separate tacacs profile with the name cisco-av-pair and the value shell:roles="network-admin". 

View solution in original post

2 Replies 2

pbosman
Beginner
Beginner

problem is fixed. in ISE I have created a separate tacacs profile with the name cisco-av-pair and the value shell:roles="network-admin". 

wkusnetsov
Beginner
Beginner

The same problem with DCNM 11.3.1 and TACACS+ with ISE 2.x

But ISE rejected recommended cisco-av-pair=shell:roles="network-admin" due to "Invalid Character" message.

It appears ISE don't accept quotes (both single' and double" ones), so in our case correct value proved to be:
shell:roles=network-admin (without any quotation)

photo_2021-04-14_15-38-49.jpg

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: