Hello,

I am trying to get the authentication on the NetMRI to use TACACS+. When I apply the server IP and shared secret and then try to test the username and password, I get the message "Unauthorized User - No NetMRI-UserRole assigned to this user". I checked with the other network gear and my username and password works with switches and firewalls. I checked with the documentation on the NetMRI for the TACACS+ setup and not sure about the command line sequence that it is referring to. I created the same username on NetMRI that is on our ACS server and still get the same message when I test out the username/password. I also checked the logs on the ACS for failed attempts but it shows that my username and password that I tested with showed good. Just NetMRI is saying that the username/password is not valid. Is there a step that I am missing?

Thanks   

I had the same issue when I started using RADIUS.  TACACS and RADIUS are only used to authenticate the user.  The NetMRI user database is still required for the autherization. 

It says this no where in the documentation, but the user still needs to exist in NetMRI and be assigned a role.  Only the password is via TACACS.

 I have a user built in NetMRI and a role assigned to it. Should I leave the password blank since it uses TACACS?

For me with RADIUS turned on the option to set/change passwords is disabled. 

If you can set the password on a non-admin user, then external authentication is not setup on the NetMRI.

Yeah, the TACACS is set up right because the password field is missing for all the users except the NetMRI username. When I try logging in through the web GUI, I get the message that the username and password is valid through the ACS but there is no NetMRI user role assigned to this user. I then go to the ACS server and changed the user roles to everything the ACS has to offer to the username I am using and I still get the same message through the NetMRI GUI. Is there something special I have to do on the ACS to have the NetMRI accept the login credentials of the username?

NetMRI uses TACACS for authentication only, not for user role assignment. 

The user roles are defined and assigned locally on the NetMRI.  You will need to go into Settings -> User admin -> Users, and assign a Role to each user.

I know it has been a long time since this last post, but I am still have issues in authentications. I assign the users with their roles and privileges, and still get the error that there is no NetMRI - UserRoles assigned to that account. I just wonder if I am missing something when I configure the authentication in the setting section.

I am having the samne issue.  Roles are assigned to the account including sysadmin.  I have added other roles as well and same problem persists with No NetMRI-UserRole assigned to this user

 I am having the same issue using Cisco ACS 5.1

 just to add to this this is the message i am getting

The Authentication Server user account entered is valid, but no NetMRI user roles have been assigned to the account. Please contact your system administrator.

For comparison ours works fine with ACS 4.2.  Users created and roles assigned on the NetMRI and shared secret entered on both.

Is there anything special you did with your ACS? Did you have to add roles to the ACS unit or just tell it about the secret shared key that the NetMRI and ACS will share?

 I did the same thing but it does not work. Also I wanted to point out that our ACS server is using active directory for the identity store, instead of a local account on ACS. I wouldn't think this shouldn't matter because as far as ACS is concerned my username passed authentication.

-------------------------------------------------------------------------------

I also tried an internal ACS user just now and had the same result.

Nothing special on ACS -- just specified the TACACS/IOS authentication method (and not RADIUS) for the NetMRI NAS.