4 weeks ago
Hello,
Customer needs guidance on how to configure Cisco ISE to send AVP back to XIQ Site Engine to allow TACACS login.
We understand the following from the KB article:
For ExtremeCloud IQ - Site Engine (XIQ-SE) the default group is "XIQ-SE Administrator".
But the customer would like to know how to configure Cisco ISE and has no documented example or screenshots to refer to, so if someone can provide where to configure the AVP that would be appreciated. I'm thinking it will need to be some kind of custom attribute with the group name as the AVP.
Thanks
Rob
4 weeks ago
This may sound crass but isn't this a question for Cisco to answer?
The article provides an example of the AVP pair to return, XMC-Authorization-Group="NetSight Administrator", which today is XMC-Authorization-Group="XIQ-SE Administrator". The role or service would also need to be defined in ISE. Our default is "Extreme-XMC-Auth" but this can be any string.
To debug: Administration -> Diagnostics -> Server -> Server Diagnostics -> ExtremeCloud IQ - Site Engine User Authentication -> Verbose.
4 weeks ago - last edited 4 weeks ago
Thanks Robert. It is absolutely an issue on the Cisco ISE but we have a customer that is moving from Cisco to Extreme and is unfamiliar with XIQ SE. I was reaching out to see if anyone had experience of doing this that could shed some light. Thanks for the debug tip.
4 weeks ago
Got it to work by specifying AVP in a Custom Attribute for a shell profile (with no commands). Two phases. User was authenticated and then authorised for service group.
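Added example, not part of any post in this thread and not Extreme or Cisco code: a parser for a TACACS+ authorization REPLY body (RFC 8907 layout) that reports which XMC-Authorization-Group the server returned, useful when comparing a capture against the verbose debug output. It assumes the body has already been de-obfuscated, that surrounding double quotes on the value can be stripped, and uses hypothetical helper names with a constructed sample reply.

```python
import struct

# Authorization status codes defined in RFC 8907
STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}

def parse_author_reply(body: bytes) -> dict:
    """Parse a de-obfuscated TACACS+ authorization REPLY body."""
    if len(body) < 6:
        raise ValueError("body shorter than fixed header")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]          # one length byte per argument
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated argument length table")
    offset = 6 + arg_cnt
    if len(body) != offset + msg_len + data_len + sum(arg_lens):
        raise ValueError("declared lengths do not match body size")
    server_msg = body[offset:offset + msg_len].decode("utf-8", "replace")
    offset += msg_len + data_len            # skip the data field
    avps = []
    for n in arg_lens:
        arg = body[offset:offset + n].decode("utf-8", "replace")
        offset += n
        # '=' marks a mandatory argument, '*' an optional one; first separator wins
        pos = min((i for i in (arg.find("="), arg.find("*")) if i >= 0), default=-1)
        if pos < 0:
            raise ValueError(f"argument without separator: {arg!r}")
        avps.append((arg[:pos], arg[pos + 1:], arg[pos] == "="))
    return {"status": STATUS.get(status, hex(status)), "server_msg": server_msg, "avps": avps}

def authorization_group(reply: dict, attr: str = "XMC-Authorization-Group"):
    """Return the group value from a passing reply, or None if absent or not passed."""
    if reply["status"] not in ("PASS_ADD", "PASS_REPL"):
        return None
    for name, value, _mandatory in reply["avps"]:
        if name == attr:
            return value.strip('"')         # assumption: quotes are not part of the group name
    return None

def build_reply(status: int, args: list) -> bytes:
    """Build a constructed reply body for testing (empty server_msg and data)."""
    enc = [a.encode() for a in args]
    return struct.pack("!BBHH", status, len(enc), 0, 0) + bytes(len(a) for a in enc) + b"".join(enc)

# Constructed sample: PASS_ADD carrying the AVP quoted in the thread
SAMPLE = build_reply(0x01, ['XMC-Authorization-Group="XIQ-SE Administrator"'])

if __name__ == "__main__":
    print(authorization_group(parse_author_reply(SAMPLE)))
```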