SDWAN-ISE Integration TACACS+ no supported authentication method

riazgul72112
Level 1

I have implemented an SD-WAN lab on version 20.6.2, dual transport with end-to-end reachability.
The physical LAN subnet of the management PC is redistributed into the SD-WAN overlay, and static routes are configured for the loopbacks of all service VPNs on all vEdge routers, towards point A from the physical machine.

ISE is configured with the loopback IPs of all vEdge routers, with policy enforcement for TACACS+ users. When I initiate an SSH session to any of the vEdge routers on its loopback it connects, and when I enter the credentials everything goes well, but I get one response from the server saying "user group returned by tacacs+ server is invalid".


I have two users and two roles created on the Manager. Using custom attributes in the TACACS+ profiles, I am providing the same names as created on the Manager.
I am also attaching screenshots here.

[Attachments: image.png, TACACS Error.png]

5 Replies

Just to confirm, when you configured the AAA template, did you use the loopback as the source interface for AAA connectivity to the ISE server?

Yes, the loopback is set as the source for AAA traffic.

Did you check the TACACS logs on the ISE server?

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

The logs show authentication and authorization as successful and return the user group role name.

How did you configure the TACACS shell profile?

The raw data should be as below:

Viptela-Group-Name=netadmin

Viptela-Group-Name=operator


HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
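As an added example (not code from any poster in this thread), a small Python model of the check the router is applying here: the group name returned as a TACACS+ attribute-value pair must exactly match a group defined on the Manager, otherwise the "user group returned by tacacs+ server is invalid" condition results. The attribute name and the two group names come from the thread; the function names, the local group set and the exact-match rule are assumptions.

```python
# Added example: models the group-name check on a TACACS+ authorization reply.
# "Viptela-Group-Name", "netadmin" and "operator" are the values from the
# thread; everything else (function names, exact-match rule) is an assumption.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

GROUP_ATTR = "Viptela-Group-Name"


@dataclass
class AuthzResult:
    ok: bool
    group: Optional[str]
    reason: str


def parse_av_pairs(args: List[str]) -> List[Tuple[str, str, bool]]:
    """Split TACACS+ authorization args into (name, value, mandatory)."""
    pairs = []
    for arg in args:
        # Mandatory attributes use '=', optional ones use '*'; split on the
        # first separator only so values containing '=' are kept intact.
        seps = [i for i in (arg.find("="), arg.find("*")) if i >= 0]
        if not seps:
            continue  # malformed argument without a separator, ignore it
        idx = min(seps)
        pairs.append((arg[:idx], arg[idx + 1:], arg[idx] == "="))
    return pairs


def check_group(reply_args: List[str], local_groups: Set[str]) -> AuthzResult:
    """Accept the login only if the returned group exists on the Manager."""
    groups = [v for n, v, _ in parse_av_pairs(reply_args) if n == GROUP_ATTR]
    if not groups:
        return AuthzResult(False, None, f"{GROUP_ATTR} not returned by server")
    group = groups[0]
    if group not in local_groups:  # exact, case-sensitive match assumed
        return AuthzResult(False, group,
                           "user group returned by tacacs+ server is invalid")
    return AuthzResult(True, group, "ok")


# Constructed sample: the two roles named in the thread exist on the Manager.
LOCAL_GROUPS = {"netadmin", "operator"}

if __name__ == "__main__":
    for args in (["Viptela-Group-Name=netadmin"],
                 ["Viptela-Group-Name=Operator"],   # case mismatch -> rejected
                 ["priv-lvl=15"]):                  # attribute missing -> rejected
        print(args, check_group(args, LOCAL_GROUPS))
```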
