topic Re: CIsco ISE vs Prime Infrastructure 3.0 in Network Access Control

CIsco ISE vs Prime Infrastructure 3.0

exmode — Fri, 21 Feb 2020 18:33:08 GMT

Hi,

can i use ISE as a TACACS+ server for login to Cisco Prime Infra 3.0?

Re: CIsco ISE vs Prime Infrastructure 3.0

agrissimanis — Wed, 30 Aug 2017 07:57:18 GMT

Absolutely, you can.

Have a look at the Prime admin guide - https://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-1/administrator/guide/PIAdminBook/maint_user_access.html#95932

Let me know if you get stuck with the config

The only bit I found tricky was to get the TACACS profile for Prime correct.

Re: CIsco ISE vs Prime Infrastructure 3.0

exmode — Wed, 30 Aug 2017 08:48:49 GMT

In this paragraph Creating a New Authorization Profile in ISE it is written :

Step 5 In the Advanced Attribute Settings area, add Prime Infrastructure user group RADIUS custom attributes one after another along with the virtual domain attributes at the end.

User group RADIUS custom attributes are located in Prime Infrastructure at Administration > Users > Users, Roles & AAA > User Groups . Click Task List for the group with appropriate permissions.

a. Select cisco - av - pair and paste Prime Infrastructure user group RADIUS custom attribute next to it. Keep adding one after another.

b. Add the Virtual Domain attribute at the end of the last RADIUS custom attribute for each group (for RADIUS custom attributes, see “Exporting Virtual Domain RADIUS and TACACS+ Attributes”).

If i see on Prime Task List for User Groups > SuperUser (see atttach file - Prime User Groups.png) its many attributes.

Should I add them all in this way (see atttach file - ISE New Authorization Profile for Prime .png)?

Re: CIsco ISE vs Prime Infrastructure 3.0

exmode — Wed, 30 Aug 2017 09:37:08 GMT

If I understand correctly, when create Authorization Profile then you need only to specify attributes: role and virtual-domain

Access Type = ACCESS_ACCEPT

cisco-av-pair = NCS:role0=Super Users

cisco-av-pair = NCS:virtual-domain0=ROOT-DOMAIN

Re: CIsco ISE vs Prime Infrastructure 3.0

agrissimanis — Wed, 30 Aug 2017 10:20:21 GMT

Your original question was about TACACS and ISE, in your screenshots you are configuring RADIUS authentication. For TACACS you need to go to Work Centers -> Device Administration -> Device Administration policy sets and also Policy elements. In TACACS Policy elements create a new TACACS profile, set type to Generic and add the attributes. I added all attributes from Prime. I have attached the list of what I have.

In TACACS profiles you can click Raw View and copy/paste all these attributes, without having to add them one by one.. 🙂

Re: CIsco ISE vs Prime Infrastructure 3.0

exmode — Wed, 30 Aug 2017 12:01:38 GMT

Yes, the first question was about TACACS+, but after you gave me the link I saw Authenticating AAA Users Through RADIUS Using ISE: Workflow and tried to make settings for the RADIUS, for TACACS+ also did the work.

In your list, the attribute virtual-domain0=ROOT-DOMAIN is added to the beginning, when configure Authorization Profiles for RADIUS, attribute Virtual Domain add at the end list.