Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1791
Views
0
Helpful
4
Replies

Cisco Prime and TACACS

ed_rs
Level 1
Level 1

‎09-27-2017 02:43 PM

I have a user where their TACACS accounts is unable to login to the Cisco Prime server after they run our Java client that connects to Cisco Prime using the HTTP REST API calls.

  1. The user showed us that he could login with the TACACS account to the Cisco Prime gui via the browser.
  2. Runs the Java Client that is using a local Cisco Prime account to execute the HTTP REST API calls.
  3. Tries to login with the TACACS account to the Cisco Prime gui via the browser after the Java client completes.  The message after attempting the login is: "invalid username or password please try again"
  4. In order to login to Cisco Prime, the user, logins with his local Cisco Prime account, non TACACS account.
  5. Navigates to the Administration / Users / User,Roles & AAA screen.
    1. Changes the AAA mode from TACACS+ to Local then clicks on the save button
    2. Changes the AAA mode from Local to TACACS+ then clicks on the save button
  6. Now when the user tries to login with his TACACS+ account, he is able to login

Below are the APIs used by our Java Client.  We may make several ConfigVersions and extractUnsanitizedFile  calls since our Java client is pulling the device configurations from Cisco Prime.

/webacs/api/v1/data/Devices

/webacs/api/v1/op/devices/exportDevices

/webacs/api/v1/data/ConfigVersions

/webacs/api/v1/op/configArchiveService/extractUnsanitizedFile

Any ideas on what could cause this behavior?  The version of Cisco Prime is 3.1.

Thanks,

Eddy

1 person had this problem
Labels:
0 Helpful
4 Replies 4

Spencer Zier
Cisco Employee
Cisco Employee

‎10-02-2017 02:29 PM

I want to make sure I understand here: on steps 1-4, Prime Infrastructure is configured to use TACACS+ in the AAA mode settings?  Does the API client succeed in step 2?  If not, what is the response?  In step 4, what local account do they use?  What fallback settings do they have configured (I assume they've changed from the defaults, because unless it's the root account logging in with a local account shouldn't work when AAA mode is TACACS+)?  Is the user that they are logging in as the same one used by their API client?

https://developer.cisco.com/site/prime-infrastructure/
0 Helpful

ed_rs
Level 1
Level 1
In response to Spencer Zier

‎10-03-2017 05:56 PM

Hi Spencer,

Please see responses in line.

I want to make sure I understand here: on steps 1-4, Prime Infrastructure is configured to use TACACS+ in the AAA mode settings? 

  • That is correct.

Does the API client succeed in step 2?  If not, what is the response? 

  • There are 5 threads created to execute the API calls to Cisco Prime by the Java Client.  Some of the calls succeed and some returned with a 401 error code from the HTTP Get.

In step 4, what local account do they use? 

  • His local account is a member of "Admin, NBI Credential".  This is a different local account from the one used by the Java Client making the API calls to Cisco Prime.

What fallback settings do they have configured (I assume they've changed from the defaults, because unless it's the root account logging in with a local account shouldn't work when AAA mode is TACACS+)? 

  • on authentication failure or no server response

Is the user that they are logging in as the same one used by their API client?

  • The user they are logging in is a different user from the Java Client making the API call.  The Java Client is a member of: NBI Read, NBI Credential, System Monitoring

Thanks,

Eddy

0 Helpful

Spencer Zier
Cisco Employee
Cisco Employee
In response to ed_rs

‎10-04-2017 11:47 AM

Understood.  Well, enabling fallback on auth failure or no ACS response does make issues like this harder to diagnose.  That's because at any given moment, we could be authenticating against the local or TACACS+ service; and the reasons could be varied.  For instance, we could be authenticating against local because the TACACS server was unresponsive, or because it rejected the credentials we sent it.  I'd recommend disabling fallback (be sure to have root or super user credentials for Prime Infrastructure handy, because if anything goes wrong, they will be the only users able to login).  By disabling fallback, you should get a more consistent picture of what's happening, which will allow you to identify users that may be misconfigured in TACACS+.

https://developer.cisco.com/site/prime-infrastructure/
0 Helpful

DaveCooper
Level 1
Level 1

‎05-08-2018 06:43 AM

Hi, not sure if this is still relevant! we had the same issue when authenticating to a TACACS server with Prime 3.4 the TACACS stated that the connection and authentication had happened but Prime still wouldn't load in with the same errors. We checked against known devices that are compatible and our TACACS wasn't on the list so we assumed this was the reason.  Did you ever find a fix ?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents