12-26-2023 05:36 PM
We configured ISE to authenticate and authorize our SDWAN controllers successfully using AD as the identity source. Now we are having a problem with our C8500s and vEdges and ISE/AD. The C8500s are configured for TACACS through the AAA Feature Template. The TACACS profile has "netadmin" as the mandatory attribute and Default privilege 15 set.
The ISE logs show that authentication and authorization are successful for the C8500 but the C8500 shows below when you ssh:
% Authorization failed.
Connection to X.X.X.X closed by remote host.
Connection to X.X.X.X closed.
AAA Config Example:
aaa group server tacacs+ TACACS
server-private X.X.X.X port 49 timeout 5 key XXXXXXX
ip tacacs source-interface GigabitEthernet0
ip vrf forwarding Mgmt-intf
!
aaa authentication login default group TACACS local
aaa authorization commands 15 default group TACACS local if-authenticated
aaa authorization exec default group TACACS local
aaa accounting commands 15 default start-stop group TACACS
aaa accounting exec default start-stop group TACACS
12-28-2023 12:51 PM
Hi,
Can you remove the "netadmin" attribute in the profile and re-test? This is normally needed for Viptela-based devices. The C8500 is IOS XE.
12-28-2023 10:21 AM
@Dakenrick As the failure is on the C8500 side, please debug on the C8500 side. I moved your post to SD-WAN and Cloud Networking because the provisioning is done via SD-WAN templates.
12-28-2023 10:35 AM
Below are the two main sections where the problem can be, also the guide here
I would love to have that power too, to move things around
01-02-2024 08:28 AM
I realized I have to have two separate authorization policies. One with "netadmin" or "operator" for SDWAN controller access. The other with just privilege level set to "15" or "1".
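The mechanism behind the accepted answer and the two-policy fix, as an added example that is not part of this thread or of Cisco's or ISE's code: TACACS+ (RFC 8907) marks an authorization argument as mandatory with "=" and optional with "*", and a client that does not understand a mandatory argument must treat the authorization as failed. The attribute name Viptela-Group-Name for the SD-WAN side is an assumption (the post only gives the value "netadmin"); the client capability sets are constructed for the demonstration.

```python
"""Model of the RFC 8907 mandatory/optional argument rule that produces
'% Authorization failed' on an IOS XE device when an ISE TACACS profile
carries an SD-WAN-only attribute as mandatory. Added example; attribute
names and client capabilities below are assumptions, not verified values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    name: str
    supported: frozenset  # argument names this device type understands


# Constructed capability sets: IOS XE only needs priv-lvl for exec
# authorization; the SD-WAN side also consumes a group-name attribute
# (assumed to be called Viptela-Group-Name).
IOS_XE = Client("C8500 (IOS XE)", frozenset({"priv-lvl"}))
VIPTELA = Client("vEdge (Viptela)", frozenset({"priv-lvl", "Viptela-Group-Name"}))


def authorize(client: Client, reply_args: list) -> tuple:
    """Apply RFC 8907 6.1: '=' marks mandatory, '*' marks optional.
    Unknown mandatory argument -> FAIL; unknown optional argument -> ignored."""
    for arg in reply_args:
        eq, star = arg.find("="), arg.find("*")
        if eq == -1 and star == -1:
            return False, f"malformed argument {arg!r}"
        # The first separator decides; '=' before any '*' means mandatory.
        if eq != -1 and (star == -1 or eq < star):
            name, mandatory = arg[:eq], True
        else:
            name, mandatory = arg[:star], False
        if name not in client.supported:
            if mandatory:
                return False, f"{client.name}: unsupported mandatory argument {name!r}"
            continue  # optional and unknown: the client may ignore it
    return True, f"{client.name}: authorized"


# Profile as described in the opening post: privilege 15 plus mandatory netadmin.
PROFILE_WITH_NETADMIN = ["priv-lvl=15", "Viptela-Group-Name=netadmin"]
# Profile the thread settles on for IOS XE devices: privilege level only.
PROFILE_PRIV_ONLY = ["priv-lvl=15"]

if __name__ == "__main__":
    for profile in (PROFILE_WITH_NETADMIN, PROFILE_PRIV_ONLY):
        for client in (IOS_XE, VIPTELA):
            print(profile, "->", authorize(client, profile))
```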