10-13-2016 02:17 AM - edited 03-01-2019 12:55 PM
Today I faced a bug I want to report:
OS: Windows 10 x64
UCS Central: 1.5(1b)
Browsers: Chrome 54, Firefox 49, Edge 38
I want to log in to UCS Central using Active Directory integrated authentication, but because of our security restrictions all authentication requests must be made through TACACS (which queries AD).
So I've added a new authentication domain, then a TACACS server, then a TACACS Provider Group containing the previously configured TACACS server, then went back to the authentication domain and configured it to use the just-created TACACS Group.
But I still wasn't able to log in using TACACS, only as local admin.
Then I tried to recreate the TACACS connection in UCS Central, but this time increased the retry count from 1 to 3, and also didn't create a TACACS Provider Group, so in my authentication domain I specified TACACS for authentication, but no group was selected. It works fine in our current setup in UCSM, as we have only one TACACS server per datacenter, so there is no need for a TACACS Provider Group.
All these steps were done under the local admin account, so I logged off and tried to log in under my domain account.
But after providing my creds and changing the domain from Native to mine on the UCS Central login screen, I just see it loading endlessly. I decided to close the page and open it again, but UCS Central or Chrome remembered that I had used domain creds and just tried to log in under my domain creds, so still the same endless loading of the page, but nothing, not even an error.
Then I tried to open UCS Central in Edge, with no luck at all; it's just not working in Edge.
The last chance was Firefox, but after providing my local admin username and password (not domain creds) I got "authentication failed". Restarting the UCS Central VM didn't help.
Looking for your ideas guys
Sergii Sypalo, Cisco PlatOpsCWS engineer
10-13-2016 02:30 AM
Hmm, after some time I was able to log in using my domain creds, but local admin is still not working.
In UCSM I can choose local or TACACS authentication, but in UCS Central, once TACACS started to work, I'm not able to log in as local admin.
10-13-2016 04:41 AM
For TACACS with UCS, you need to add the custom shell attribute to the ACS server:
Required. You must extend the schema and create a custom attribute with the name cisco-av-pair.
The cisco-av-pair name is the string that provides the attribute ID for the TACACS+ provider.
The following syntax example shows how to specify multiple user roles and locales when you create the cisco-av-pair attribute: cisco-av-pair=shell:roles="admin aaa" shell:locales="L1 abc". Use a space as the delimiter to separate multiple values.
It should work after this.
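To check that the attribute value returned by the TACACS+ server is actually in the form described above, here is a small parser written as an added example (not Cisco's code and not from this thread). It assumes the attribute consists only of `shell:roles="..."` and `shell:locales="..."` pairs and treats anything else, or a missing roles list, as a misconfiguration.

```python
import re

# One shell:<key>="<space-separated values>" pair, as in the syntax example
# cisco-av-pair=shell:roles="admin aaa" shell:locales="L1 abc" (assumed format).
_PAIR_RE = re.compile(r'shell:(?P<key>[a-z]+)="(?P<vals>[^"]*)"')


def parse_cisco_av_pair(attr: str) -> dict:
    """Parse a cisco-av-pair value into {'roles': [...], 'locales': [...]}.

    Raises ValueError for anything outside the expected form so that a bad
    attribute on the ACS side can be spotted before users see hung or failed logins.
    """
    value = attr.strip()
    prefix = "cisco-av-pair="
    if value.startswith(prefix):
        value = value[len(prefix):]
    result = {"roles": [], "locales": []}
    pos = 0
    for m in _PAIR_RE.finditer(value):
        # Any non-whitespace text between two pairs was not parsed: reject it.
        gap = value[pos:m.start()].strip()
        if gap:
            raise ValueError(f"unexpected text: {gap!r}")
        key = m.group("key")
        if key not in result:
            raise ValueError(f"unknown shell attribute: shell:{key}")
        if result[key]:
            raise ValueError(f"shell:{key} specified more than once")
        vals = m.group("vals").split()  # space is the delimiter between values
        if not vals:
            raise ValueError(f"shell:{key} has no values")
        result[key] = vals
        pos = m.end()
    tail = value[pos:].strip()
    if tail:
        raise ValueError(f"unexpected text: {tail!r}")
    # Assumption: a login without any role is not useful, so require shell:roles.
    if not result["roles"]:
        raise ValueError("shell:roles is missing")
    return result
```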
10-13-2016 05:08 AM
It's already there, as we are using this TACACS for another UCSM instance and now want to use it for UCS Central.
10-13-2016 05:13 AM
If you are trying to login and it just waits indefinitely without giving an error, it sounds like it is searching the AD tree for the correct info but not finding it. Do you have any nested loops in your AD structure? I believe you can adjust the search depth in UCSM/UCSC.
Second, are you able to run the authentication debugging commands to see what is occurring when you try and login? If you are having the same issue with the same user account in UCSC you can debug that user in UCSM:
10-20-2016 02:31 AM
I don't know how it's possible, but something was wrong with the admin password. After I added the TACACS config I wasn't able to log in under local admin. So I tried to create a new local user with admin privs and logged in successfully, but the default admin didn't work. So I decided to change the password to the same one and voilà, I'm able to log in under the default admin as well as under my domain account.