Cisco Bug: CSCvu67941 - TACACS+ Login fails due to dot in AV pair domain name

Last Modified

Aug 27, 2020

Products (1)

  • Cisco Application Policy Infrastructure Controller (APIC)

Known Affected Releases

4.2(2f) 4.2(3l)

Description (partial)

Symptom:
TACACS+ users are unable to log in to a Cisco APIC when the cisco-av-pair returned by the AAA server contains a dot '.' character in the domain portion of the shell:domains value. Users may still be able to log in with minimal permissions if the "Remote user login policy" allows it. The following example shows an AV pair that triggers the issue:

	shell:domains = aci.domain/admin/

Additionally, NGINX logs on the Cisco APIC show the following log line:

23392||2020-06-16T21:04:56.534944300+00:00||aaa||INFO||||Failed to parse AVPair string (shell:domains = aci.domain/admin/) into required data components - error was Invalid shell:domains string (shell:domains = aci.domain/admin/) received from AAA server||../svc/extXMLApi/src/gen/ifc/app/./pam/PamRequest.cc||813

This log can be found at /var/log/dme/log/nginx.bin.log on the Cisco APIC.

Conditions:
+ Using remote (TACACS+) authentication
+ Having a Security Domain with a "." in its name
+ The cisco-av-pair returned by the AAA server therefore contains a dot '.' character in the domain portion
+ The NGINX logs show a "Failed to parse AVPair string" error for that AV pair
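The following script is an added example, not Cisco's code or part of the bug report: it parses the nginx.bin.log line format shown above, pulls the AV pair out of every "Failed to parse AVPair string" message, and flags the ones whose domain portion contains a dot, which is the condition this bug describes. The same domain check can be run directly against the shell:domains values configured on the TACACS+ server before upgrading to an affected release. The sample log lines are constructed (only the first one is copied from the bug report), and the split of the value into domain/writeRoles/readRoles with '|'-separated role lists is the single-domain form of the Cisco APIC AV pair format as the author recalls it; it is an assumption, not something the bug page states.

```python
import re

# Constructed sample of /var/log/dme/log/nginx.bin.log. The first line is the
# one quoted in the bug report; the other two are made up for this example.
SAMPLE_LOG = """\
23392||2020-06-16T21:04:56.534944300+00:00||aaa||INFO||||Failed to parse AVPair string (shell:domains = aci.domain/admin/) into required data components - error was Invalid shell:domains string (shell:domains = aci.domain/admin/) received from AAA server||../svc/extXMLApi/src/gen/ifc/app/./pam/PamRequest.cc||813
23392||2020-06-16T21:05:10.000000000+00:00||aaa||INFO||||Remote user alice authenticated via TACACS+ (constructed line)||../svc/extXMLApi/src/gen/ifc/app/./pam/PamRequest.cc||600
23392||2020-06-16T21:06:02.000000000+00:00||aaa||INFO||||Failed to parse AVPair string (shell:domains = all/admin/) into required data components - error was Invalid shell:domains string (shell:domains = all/admin/) received from AAA server||../svc/extXMLApi/src/gen/ifc/app/./pam/PamRequest.cc||813
"""

# Message text as it appears in the bug report; the AV pair sits in parentheses.
AVPAIR_RE = re.compile(r"Failed to parse AVPair string \((?P<avpair>[^)]*)\) into")
DOMAINS_RE = re.compile(r"^\s*shell:domains\s*=\s*(?P<body>.*?)\s*$")


def parse_shell_domains(avpair):
    """Split a single-domain 'shell:domains = domain/writeRoles/readRoles'
    value into its parts. Assumption: role lists are '|'-separated, as in
    the Cisco APIC AV pair format recalled by the author of this example."""
    m = DOMAINS_RE.match(avpair)
    if not m:
        raise ValueError("not a shell:domains AV pair: %r" % avpair)
    parts = m.group("body").split("/")
    if len(parts) != 3:
        raise ValueError("expected domain/writeRoles/readRoles, got %r" % m.group("body"))
    domain, write_roles, read_roles = parts
    return {
        "domain": domain,
        "write_roles": [r for r in write_roles.split("|") if r],
        "read_roles": [r for r in read_roles.split("|") if r],
    }


def hits_cscvu67941(avpair):
    """True when the domain portion of the AV pair contains a '.', i.e. the
    value matches the condition described in CSCvu67941."""
    return "." in parse_shell_domains(avpair)["domain"]


def scan_nginx_log(text):
    """Walk nginx.bin.log lines ('||'-delimited: pid, timestamp, component,
    level, empty, message, file, line; layout inferred from the quoted line)
    and return one finding per AV-pair parse failure."""
    findings = []
    for line in text.splitlines():
        m = AVPAIR_RE.search(line)
        if not m:
            continue
        fields = line.split("||")
        timestamp = fields[1] if len(fields) > 1 else ""
        avpair = m.group("avpair")
        try:
            dotted = hits_cscvu67941(avpair)
        except ValueError:
            # Unparseable for some other reason; still a parse failure, but
            # not attributable to the dot-in-domain condition.
            dotted = False
        findings.append({"timestamp": timestamp, "avpair": avpair, "dot_in_domain": dotted})
    return findings


if __name__ == "__main__":
    for f in scan_nginx_log(SAMPLE_LOG):
        verdict = "matches CSCvu67941 (dot in domain)" if f["dot_in_domain"] else "other AV pair parse failure"
        print("%s  %-40s  %s" % (f["timestamp"], f["avpair"], verdict))
```

On a real APIC, feed the script the contents of /var/log/dme/log/nginx.bin.log; only lines that carry the parse-failure message are reported, and the dot_in_domain flag separates this bug's signature from any other malformed AV pair.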