topic Prime 2.2 and ACS5.6 - Radius authentication - Login issues in Network Access Control

Prime 2.2 and ACS5.6 - Radius authentication - Login issues

3iron — Mon, 11 Mar 2019 06:07:58 GMT

Hello,

Has anyone had any luck setting up Prime to use Radius authentication for administration users against ACS5.6?

At the moment the ACS is returning successful authentication '11002 Returned RADIUS Access-Accept' on an attempted Prime login although Prime returns incorrect username/password / access denied.

Two schools of though based on previous posts / online searches;

1. Within the Access Service > Allowed Protocols tab > 'Send as User-Name in RADIUS Access-Accept' radio buttons

Currently set as the 'Principal User Name', which as I understand provides the certificate name, would 'RADIUS Access-Request User-Name' make more sense?

2. RADIUS attribute requirement

Post located but this refers to TACACS+ attributes - exporting task lists

https://supportforums.cisco.com/discussion/12394496/cisco-prime-radius-users

Would a similar task need to be completed for RADIUS?

Thanks

You will need to send

M. Wisely — Wed, 07 Oct 2015 09:12:57 GMT

You will need to send attributes for radius authentication to work. For example for super user permissions to the root virtual domain you need the following:

cisco-av-pair = NCS:role0=Super Users

cisco-av-pair = NCS:virtual-domain0=ROOT-DOMAIN

In the user group list you'll see next to each group you'll see task list links. Usually you only need to put in the role and the virtual domain.

Hi Martin,Thanks for the

3iron — Wed, 07 Oct 2015 15:36:56 GMT

Hi Martin,

Thanks for the comment - that makes sense - I have created a new authorisation profile with the values specified, will update tomorrow once completed some further testing.

Cheers

Testing and working a treat

3iron — Thu, 08 Oct 2015 10:03:10 GMT

Testing and working a treat!

Can see the two additional attributes in the ACS Reporting and Monitoring logs passing to Prime.

Thanks