ISE TACACS Profiles issue

EduardR
Level 1

Hi all,

I have an issue with ISE. I was trying to configure an AV-pair to authenticate my Cisco ACI APIC users from ISE, and when I created a new TACACS profile I got an error saying "Passed values may compromise the security of ISE. Please remove malicious scripting terms", but none of the profiles appear on the screen and I can't delete the created profile.

I used 2 of the recommendations from the article b_APIC_Basic_Config_Guide_2_x.pdf. I used "shell:domains = all/admin/" and one that says "shell:domains = all/admin|read-all|read-all(16001)" before that pop-up started appearing.

I tried creating another profile with the same name and even reloading the ISE, but the error remains. Does anyone know what I can do?

Thanks in advance. I attached a screenshot of the issue.

1 Accepted Solution

EduardR
Level 1

Hi all, I just found how I can get rid of that error. It seems to be a bug (CSCve33558), and the workaround can be found here -> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve33558/

Just in case someone has issues with this: in this implementation we applied the workaround and the error message disappeared, but the TACACS auth stopped working. For some reason the Authentication Policy changed the ID store to another one, and we should return it to the correct one.

Hope this helps if anyone has the same case.
