Michael,
Did you ever resolve this? I am able to auth TACACS just fine on all Cisco devices, but having a hell of a time getting the actual DNA Center to auth to ClearPass. I've tried what you have, adding the Cisco-AVPair and confirming that "all shell commands not listed are permitted" is checked; however, I'm still getting the following error message in ClearPass:
--Authorization Requests Messages--
*Command*--
Error Message: No enforcement profiles matched to perform command authorization
Error Group: Tacacs authorization
*Alerts for this Request:*
Tacacs server: Tacacs service=cas-service not enabled
I'm stumped but hopefully you figured out the proper settings and can save the day! Thanks, and Happy Friday.
-Chris
------------------------------
Chris Chovanec
------------------------------
Original Message:
Sent: Jan 26, 2021 10:03 AM
From: Michael Haring
Subject: Cisco DNA Center WebUI Login (TACACS)
Hello,
I'm trying to configure TACACS login using AD credentials to Cisco DNA Center using ClearPass, but struggling to get the correct syntax. In DNA Center's config it states -
"The value of the AAA attribute to be configured for authorization on AAA server would be in the format of "Role=role1". On ISE server, choose the cisco-av-pair attribute from cisco specific AAA attributes list. A sample configuration inside Authorization profile would look like "cisco-av-pair= Role=SUPER-ADMIN-ROLE".
An example configuration in the case of manually defining the AAA attribute would be "Cisco-AVPair=Role=SUPER-ADMIN-ROLE"."
I've tried using the Shell service with cisco-av-pair attribute and various values including the role name of "SUPER-ADMIN-ROLE" and the role value of "Role=role2" and simply just "role2". None of these combinations seemed to work, so I created a new TACACS service called "Cisco-AVPair" to match the same from DNA Center with Role attribute and value of both role name and number, but neither of those appears to work either.
Wondering if anybody set this up successfully or any suggestions on what I may be missing?
Thanks in advance!
------------------------------
Michael Haring
------------------------------