In this issue, logs on the Cisco Secure ACS show that authentication has passed, but Optical Networking Subtechnology (ONS) shows that authentication login failed with the Exception = Invalid Login error message.
Complete these steps in order to resolve this issue:
Make sure an attribute-value (AV) is properly configured. An AV pair represents a variable and one of the possible values that the variable can hold. Within ONS, users are mapped to different security groups based on Cisco AV Pair. This is an example:
"shell:priv-lvl=X" where X can be value of 0 to 3: