Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1411
Views
0
Helpful
4
Replies

SSM On-Prem TACACS+ login after upgrade not working

tobiasdreyer
Level 1
Level 1

‎09-07-2022 03:21 AM

Hello,

I upgraded our On-Prem server from Release 8-202201 to 8-202206. After the upgrade I'm not able to login to the GUI. We used TACACS+ (ISE) to authenticate. Also the local admin user is not working: "The requested user is not found".

From the CLI I checked the TACACS config via "tacacs_config" and found out, that the configuration was removed during the upgrade. So I configured and enabled TACACS again. I also added a local TACACS user, but without any improvements. 

When checking the TACACS+ live log on the ISE I can see, that authorization is failing. Prior to the upgrade there was no user authorization. So there must have been a change in the newer release. 

Can someone help me how to configure the ISE so that authorization is working for the On-Prem server?

Thank you and regards

Tobias

3 people had this problem
Labels:
0 Helpful
4 Replies 4

pmuellerstgt
Level 1
Level 1

‎09-07-2022 04:29 AM - edited ‎09-07-2022 04:31 AM

Hello,

create a shell Profile with "Default Privilege 15" and "Maximum Privilege 15" and bind it to the authorization rule.
That has fixed the problem for us.

It is also documentated in the current Release Notes.

0 Helpful

tobiasdreyer
Level 1
Level 1
In response to pmuellerstgt

‎09-08-2022 03:53 AM

Hello,

thank you for your reply.

I found a section about TACACS in the user guide, but unfortunately it does not specify, how to setup the config in ISE to get it work.

So I did some troubleshooting and found out, that the authentication type the On-Prem server is using is CHAP. In the authentication policy we set up in our policy set, we only check for ASCII and PAP. After adding CHAP, it worked again. 

So I doublechecked the TACACS configuration on the On-Prem server, but the configured authentication method is PAP and not CHAP. So it seems to be a bug. 

Opening a support case for the On-Prem server was not successful because of missing SN or PAK, which does not exist for a free virtual server or?

Best regards,

Tobias

0 Helpful

don.click1
Level 4
Level 4
In response to tobiasdreyer

‎11-27-2023 09:10 AM

did this ever get fixed for you?   I recently started having the same error - but we didn't upgrade. 

 

0 Helpful

Counterdoc
Level 1
Level 1
In response to pmuellerstgt

‎04-24-2024 01:43 AM

Could you specify how to do that? I am using Clearpass and still trying to figure out how to send the SSM user roles with it. The authentication test in SSM works fine, but the login is not working. I guess it is due to missing user roles assigned to the authenticating user.

0 Helpful
Customers Also Viewed These Support Documents