07-29-2024 05:04 AM
I have implemented an SD-WAN lab on version 20.6.2, dual transport with end-to-end reachability.
The physical LAN subnet of the management PC is redistributed into the SD-WAN overlay; static routes are configured for the loopbacks of all service VPNs on all vEdge routers, towards point A from the physical machine.
ISE is configured with the loopback IPs of all vEdge routers, with policy enforcement for TACACS+ users. When I initiate an SSH session to any of the vEdge routers on its loopback, it connects; as I enter the credentials everything goes well, but I get one response from the server saying "user group returned by tacacs+ server is invalid".
I have two users and two roles created on Manager. Using custom attributes in the TACACS+ profiles, I am providing the same names as created on Manager.
Also attaching screenshots here.
07-30-2024 05:07 AM
Just to confirm: when you configured the AAA template, did you use the loopback as the source interface for AAA connectivity to the ISE server?
07-31-2024 02:38 AM
Yes, the loopback is set as the source for AAA traffic.
07-30-2024 02:00 PM
Did you check the TACACS+ logs on the ISE server?
07-31-2024 02:39 AM
The logs show authentication and authorization successful, and return the user group role name.
08-01-2024 01:42 PM
How did you configure the TACACS+ shell profile?
The raw data should be as below:
Viptela-Group-Name=netadmin
Viptela-Group-Name=operator