topic Prime Infrastructure AAA with ISE in Network Access Control

Prime Infrastructure AAA with ISE

grabonlee — Mon, 11 Mar 2019 05:14:29 GMT

Hello,

I have configured Authc and Authz policies as follows:

Authc:

If Radius-NAS-Port-Type EQUALS Virtual the Default Network Access and use AD

Authz:

If Radius-NAS-Port-Type EQUALS Virtual

AND AD Specific User Group

then Authz Profile Permissions (Cisco av-pair = NCS:role0=Root and NCS:virtual-domain0=ROOT-DOMAIN)

I am able to authenticate successfully and the Authorisation permission is applied and I can see this from the Authentication logs, but after that it seems ISE goes back to the Default Authentication policy of Deny Access.

Please could any one explain why this failure as the Prime Admin guide doesn't have the proper configuration steps.

Are you saying that you are

nspasov — Thu, 04 Dec 2014 17:12:05 GMT

Are you saying that you are initially able to login as an administrator to Prime but then any subsequent authentications fail?

No. What I am saying is that

grabonlee — Thu, 04 Dec 2014 19:09:11 GMT

No. What I am saying is that I successfully authenticate and the authorisation policy+profile above is applied. But this fails despite the fact it's just a Cisco-av-pair as shown above.

I can see from Operations > Authentication that Authentication is successful and Auth profile applied.

After this, I see fail and when I check the details, the message is Authentication > Default policy, subject not found in ID store.

I am not sure I fully

nspasov — Fri, 05 Dec 2014 01:51:35 GMT

I am not sure I fully understand exact flow and the problem. Can you post screenshots of the following:

1. Prime radius and AAA configurations

2. ISE Policy Configuration

3. Authentication screen of the failed/pass authentication

Please see attached

grabonlee — Fri, 05 Dec 2014 11:50:26 GMT

Please see attached

Hi,Does anybody have a

ALAN MURRAY — Mon, 02 Mar 2015 01:06:16 GMT

Hi,

Does anybody have a solution to this issue? I am having the same problem - it's as though a second request is sent to ISE which only matches up to the Default policy which, in my case, is deny access.

Thanks

For my authorization profile

Seth Bjorn — Tue, 03 Mar 2015 18:29:34 GMT

For my authorization profile result in ISE for PI, I use the following:

Access Type = ACCESS_ACCEPT
cisco-av-pair = NCS:virtual-domain0=ROOT-DOMAIN
cisco-av-pair = NCS:role0=Root

Now you would obviously need to change this if you have multiple virtual domains in PI. It looks similar to what you are using.

My successful login is shown below (however I don't see the Virtual port type):

Source Timestamp	2015-03-03 10:23:56.123
Received Timestamp	2015-03-03 10:23:56.123
Policy Server	MYISESERVER
Event	5200 Authentication succeeded
Failure Reason
Resolution
Root cause
Username	mycoolusername
User Type
Endpoint Id
Endpoint Profile
IP Address
Identity Store	MYADIDENTITYSTORE
Identity Group
Audit Session Id
Authentication Method	PAP_ASCII
Authentication Protocol	PAP_ASCII
Service Type
Network Device	PISERVERNAME
Device Type	Network Management
Location	Corporate Office
NAS IP Address	PI-IP-ADDRESS
NAS Port Id
NAS Port Type
Authorization Profile	Cisco-Prime-Infrastructure
Posture Status	NotApplicable
Security Group
Response Time	19

Try taking out the port type=virtual in your authorization profile config. I only see the port type=virtual in the authentication.

Thanks, Seth. I'll try that.

ALAN MURRAY — Tue, 03 Mar 2015 22:53:25 GMT

Thanks, Seth. I'll try that.

Taking out the port-type

Alex White-Robinson — Tue, 03 Mar 2015 23:31:19 GMT

Taking out the port-type=virtual in the authorization profile sorted things out for Alan and I. Thanks for taking the time to answer, Seth.

(We're still using role0=Admin, though, as appropriate for the permissions setup we're using)

I should've updated long ago.

grabonlee — Thu, 02 Apr 2015 10:08:55 GMT

I should've updated long ago. Removed the NAS-Port-Type=Virtual and replaced with NDG created for Prime i.e Device:DeviceType=Prime.

For Authentication, the I left the Radius=Virtual in the Policy

Hello,

Marco Aresu — Fri, 19 Feb 2016 09:28:20 GMT

Hello,

i am expecting the same problem.

Where i will remove port type=virtual?

In my authorization profile i have :

Access Type = ACCESS_ACCEPT
cisco-av-pair = NCS:role0=Root

Thanks

Marco