ISE 3.1 Authorization Failed on C8500 SDWAN

Dakenrick
Level 1

We configured ISE to authenticate and authorize our SDWAN controllers successfully using AD as the identity source. Now we are having a problem with our C8500s and vEdges and ISE/AD. The C8500s are configured for TACACS through the AAA Feature Template. The TACACS profile has "netadmin" as a mandatory attribute and Default Privilege 15 set.

The ISE logs show that authentication and authorization are successful for the C8500 but the C8500 shows below when you ssh:

% Authorization failed.
Connection to X.X.X.X closed by remote host.
Connection to X.X.X.X closed.

AAA Config Example:

aaa group server tacacs+ TACACS
 server-private X.X.X.X port 49 timeout 5 key XXXXXXX
 ip tacacs source-interface GigabitEthernet0
 ip vrf forwarding Mgmt-intf
!
aaa authentication login default group TACACS local
aaa authorization commands 15 default group TACACS local if-authenticated
aaa authorization exec default group TACACS local
aaa accounting commands 15 default start-stop group TACACS
aaa accounting exec default start-stop group TACACS

Accepted Solution

Hi,

can you remove "netadmin" attribute in profile and re-test? This is normally needed for Viptela based devices. C8500 is IOS XE.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

4 Replies

hslai
Cisco Employee

@Dakenrick As the failure is on the C8500 side, please debug on the C8500 side. I moved your post to SD-WAN and Cloud Networking because the provisioning is done via SD-WAN templates.

Ruben Cocheno
Spotlight

@Dakenrick

Below are the two main sections where the problem can be; also see the guide here.

[Image: RubenCocheno_2-1703788311901.png]

[Image: RubenCocheno_4-1703788354546.png]

@hslai

I would love to have that power too, to move things around.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

I realized I have to have two separate authorization policies. One with "netadmin" or "operator" for SDWAN controller access. The other with just privilege level set to "15" or "1".
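The accepted answer and the final reply come down to one TACACS+ rule: in an authorization reply, an argument written as name=value is mandatory and a client that does not understand it must fail the authorization, while name*value is optional and can be ignored (RFC 8907). The Python below is an added illustration, not code from this thread or from Cisco, that models that client-side check for an IOS XE device and for a Viptela controller; the attribute name Viptela-Group-Name and the per-platform supported sets are assumptions for the example.

```python
"""Client-side handling of TACACS+ authorization reply arguments (RFC 8907).

Added illustration (not code from the thread or from Cisco): why a shell profile
with a mandatory SD-WAN attribute passes on Viptela controllers but fails exec
authorization on IOS XE. Viptela-Group-Name and the supported sets are assumed.
"""
from dataclasses import dataclass, field


@dataclass
class AuthorResult:
    ok: bool
    attributes: dict = field(default_factory=dict)
    reason: str = ""


def parse_av_pair(arg: str):
    """Split 'name=value' (mandatory) or 'name*value' (optional) into
    (name, value, mandatory); the first separator found decides."""
    seps = [i for i in (arg.find("="), arg.find("*")) if i >= 0]
    if not seps:
        raise ValueError(f"malformed TACACS+ argument: {arg!r}")
    i = min(seps)
    return arg[:i], arg[i + 1:], arg[i] == "="


def evaluate_author_reply(args, supported):
    """RFC 8907 rule for a PASS reply: an unrecognised mandatory argument fails
    the whole authorization, an unrecognised optional one is dropped, and
    recognised arguments are applied to the session."""
    accepted = {}
    for arg in args:
        name, value, mandatory = parse_av_pair(arg)
        if name in supported:
            accepted[name] = value
        elif mandatory:
            return AuthorResult(False, reason=f"unsupported mandatory argument {name!r}")
    return AuthorResult(True, accepted)


# Shell arguments each platform understands (constructed): IOS XE names are
# standard; the Viptela set is inferred from the thread, where a profile with
# both priv-lvl and netadmin worked on the controllers.
IOS_XE_SHELL_ARGS = {"priv-lvl", "autocmd", "idletime", "timeout"}
VIPTELA_SHELL_ARGS = {"priv-lvl", "Viptela-Group-Name"}

# Constructed ISE shell profiles modelled on the thread.
CONTROLLER_PROFILE = ["priv-lvl=15", "Viptela-Group-Name=netadmin"]
IOS_XE_PROFILE = ["priv-lvl=15"]
```

Running evaluate_author_reply(CONTROLLER_PROFILE, IOS_XE_SHELL_ARGS) reproduces the "% Authorization failed." outcome even though ISE logged a pass, while the same profile against VIPTELA_SHELL_ARGS succeeds; marking the attribute optional (name*value) would also let IOS XE ignore it.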
