Hi,
I have set up the following in a lab:
Prime Infrastructure 2.0 (2.0.0.0.294)
Cisco Secure ACS 5.4.0.46.0a
Windows 2003 Domain Controller for AD Authentication
Goal: Admin access to network devices requires Authentication via TACACS+ to ACS (-> Active Directory). Network devices need to be managed by Prime. SSH access to Network Devices via putty and authentication against ACS/AD works just fine.
Problem: During device discovery in Prime, I get a "Partial Collection Failure" with possible cause "Could not connect to device via CLI (SSH/telnet). Check device credentials and SSH/telnet reachability". The device gets inserted into the device work center with blank SSH credentials. If SSH credentials are configured manually, the device synch is successful. So basically the discovered devices need to be manually configured with SSH credentials in the device work center in order for the synch to work, which is a pain in a large environment.
Troubleshooting done:
- I have double-checked the credentials, and everything seems fine.
- Same result with local ACS user.
- Installed the latest patch pi_update_2.0-3.zip
- tacacs debug on network devices shows PASS
Network Device TACACS+ config:
aaa new-model
!
!
aaa authentication login default local
aaa authentication login LOGINLIST group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
aaa session-id common
!
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key ************
!
line vty 0 4
password 7 ************
logging synchronous
login authentication LOGINLIST
length 20
width 200
transport input ssh