Sergii Sypalo
Cisco Employee

UCS Central TACACS Authentication bug

Hi folks,

Today I faced a bug I want to report:

My setup:

OS: Windows 10 x64

UCS Central: 1.5(1b)

Browsers: Chrome 54, Firefox 49, Edge 38

I want to log in to UCS Central using Active Directory integrated authentication, but because of our security restrictions all authentication requests must be made through TACACS (which queries AD).

So I added a new authentication domain, then a TACACS server, then a TACACS Provider Group containing the previously configured TACACS server, then went back to the authentication domain and configured it to use the just-created TACACS group.

But I still wasn't able to log in using TACACS, only as local admin.

Then I tried to recreate the TACACS connection in UCS Central, but this time increased the retry count from 1 to 3 and also didn't create a TACACS Provider Group, so in my authentication domain I specified TACACS for authentication but no group was selected. It works fine in our current setup in UCSM, as we have only one TACACS server per datacenter, so there is no need for a TACACS Provider Group.

All these steps were done under the local admin account, so I logged off and tried to log in under my domain account.

But after providing my creds and changing the domain from Native to mine on the UCS Central login screen, I just see it loading endlessly. I decided to close the page and open it again, but UCS Central or Chrome remembered that I had used domain creds and just tried to log in under my domain creds, so still the same endless loading of the page, but nothing, not even an error.

Then I tried to open UCS Central in Edge, with no luck at all; it just doesn't work in Edge.

Last chance was Firefox, but after providing my local admin username and password (not domain creds) I got "authentication failed". Restarting the UCS Central VM didn't help.

Looking for your ideas guys

Best regards,

Sergii Sypalo, Cisco PlatOpsCWS engineer

5 Replies
Sergii Sypalo
Cisco Employee

Hmm, after some time I was able to log in using my domain creds, but local admin still isn't working.

In UCSM I can choose local or TACACS authentication, but in UCS Central, once TACACS started to work, I'm not able to log in as local admin.

Hello,

For TACACS with UCS, you need to add the custom shell attribute to the ACS server:

TACACS+: Required. You must extend the schema and create a custom attribute with the name cisco-av-pair.

The cisco-av-pair name is the string that provides the attribute ID for the TACACS+ provider.

The following syntax example shows how to specify multiple user roles and locales when you create the cisco-av-pair attribute: cisco-av-pair=shell:roles="admin aaa" shell:locales="L1 abc". Use a space as the delimiter to separate multiple values.

It should work after this.

HTH,

Wes
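To make the cisco-av-pair syntax above concrete, here is an added example (not from this thread or from Cisco) of a small validator that an administrator could run over the attribute value before pushing it to the AAA server. It parses the shell:roles and shell:locales pairs, splits space-delimited values, and rejects malformed strings (unquoted values, stray text, or a missing shell:roles) so a typo is caught before it shows up as a failed or hanging login. The sample attribute values are constructed; the role and locale names are only illustrative and are not checked against the real UCS role list.

```python
import re
from typing import Dict, List

# Constructed sample values: the first mirrors the syntax quoted in the reply above.
SAMPLE_ATTRIBUTES = [
    'cisco-av-pair=shell:roles="admin aaa" shell:locales="L1 abc"',
    'shell:roles="read-only"',
]

# One shell:<key>="<space separated values>" pair; only roles and locales are known keys.
_PAIR_RE = re.compile(r'shell:(roles|locales)="([^"]*)"')


class AvPairError(ValueError):
    """Raised when a cisco-av-pair value does not follow the shell:key="..." syntax."""


def parse_cisco_av_pair(value: str) -> Dict[str, List[str]]:
    """Parse a cisco-av-pair attribute into its role and locale lists.

    Accepts the value with or without the leading 'cisco-av-pair=' and returns
    {'roles': [...], 'locales': [...]}. Values inside one pair are separated by
    spaces, as the UCS syntax requires. Anything that is not a well-formed pair
    raises AvPairError instead of being silently dropped.
    """
    text = value.strip()
    prefix = "cisco-av-pair="
    if text.startswith(prefix):
        text = text[len(prefix):]

    result: Dict[str, List[str]] = {"roles": [], "locales": []}
    consumed = 0
    for match in _PAIR_RE.finditer(text):
        # Between two pairs only whitespace is allowed; anything else is junk.
        gap = text[consumed:match.start()]
        if gap.strip():
            raise AvPairError(f"unparsable text before pair: {gap.strip()!r}")
        key, raw = match.group(1), match.group(2)
        values = raw.split()
        if not values:
            raise AvPairError(f"empty value for shell:{key}")
        result[key].extend(values)
        consumed = match.end()

    tail = text[consumed:]
    if tail.strip():
        # Covers unquoted values such as shell:roles=admin and unknown keys.
        raise AvPairError(f"unparsable trailing text: {tail.strip()!r}")
    if not result["roles"]:
        raise AvPairError("no shell:roles present; the user would receive no UCS role")
    return result


def is_valid_av_pair(value: str) -> bool:
    """Boolean wrapper so callers can validate without handling the exception."""
    try:
        parse_cisco_av_pair(value)
    except AvPairError:
        return False
    return True


if __name__ == "__main__":
    for sample in SAMPLE_ATTRIBUTES:
        print(sample, "->", parse_cisco_av_pair(sample))
    print("unquoted value valid?", is_valid_av_pair('shell:roles=admin'))
```

Run it as a script to see the parsed roles and locales for the constructed samples; the last line shows an unquoted value being rejected, which is the kind of mistake that is easy to make when typing the attribute into an ACS/ISE shell profile by hand.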

It's already there, as we are using this TACACS server for another UCSM instance and now want to use it for UCS Central.

Hey,

If you are trying to login and it just waits indefinitely without giving an error, it sounds like it is searching the AD tree for the correct info but not finding it. Do you have any nested loops in your AD structure? I believe you can adjust the search depth in UCSM/UCSC.

Second, are you able to run the authentication debugging commands to see what is occurring when you try and login? If you are having the same issue with the same user account in UCSC you can debug that user in UCSM:

http://www.cisco.com/c/en/us/support/docs/servers-unified-computing/ucs-infrastructure-ucs-manager-software/200092-UCSM-LDAP-Troubleshooting-guide.html

HTH,

Wes

Hi Wesley,

I don't know how it's possible, but something was wrong with the admin password. After I added the TACACS config I wasn't able to log in under local admin. So I tried to create a new local user with admin privileges and logged in successfully, but the default admin didn't work. So I decided to change the password to the same value and voila, I'm able to log in under the default admin as well as under my domain account.

Br,

Sergey
