
Cisco ISE vs Prime Infrastructure 3.0

exmode
Level 1

Hi,

Can I use ISE as a TACACS+ server for login to Cisco Prime Infra 3.0?


agrissimanis
Level 1

Absolutely, you can.

Have a look at the Prime admin guide - https://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-1/administrator/guide/PIAdminBook/maint_user_access.html#95932

Let me know if you get stuck with the config.

The only bit I found tricky was to get the TACACS profile for Prime correct.

In the paragraph "Creating a New Authorization Profile in ISE" it is written:

Step 5 In the Advanced Attribute Settings area, add Prime Infrastructure user group RADIUS custom attributes one after another along with the virtual domain attributes at the end.

User group RADIUS custom attributes are located in Prime Infrastructure at Administration > Users > Users, Roles & AAA > User Groups. Click Task List for the group with appropriate permissions.

  a. Select cisco-av-pair and paste Prime Infrastructure user group RADIUS custom attribute next to it. Keep adding one after another.

  b. Add the Virtual Domain attribute at the end of the last RADIUS custom attribute for each group (for RADIUS custom attributes, see "Exporting Virtual Domain RADIUS and TACACS+ Attributes").

If I look at the Prime Task List for User Groups > SuperUser (see attached file - Prime User Groups.png), it has many attributes.

Should I add them all in this way (see attached file - ISE New Authorization Profile for Prime.png)?

If I understand correctly, when creating an Authorization Profile you only need to specify the attributes role and virtual-domain:

Access Type = ACCESS_ACCEPT

cisco-av-pair = NCS:role0=Super Users

cisco-av-pair = NCS:virtual-domain0=ROOT-DOMAIN

Your original question was about TACACS and ISE; in your screenshots you are configuring RADIUS authentication. For TACACS you need to go to Work Centers -> Device Administration -> Device Administration policy sets and also Policy elements. In TACACS Policy elements create a new TACACS profile, set type to Generic and add the attributes. I added all attributes from Prime. I have attached the list of what I have.

In TACACS profiles you can click Raw View and copy/paste all these attributes, without having to add them one by one. :)

Yes, the first question was about TACACS+, but after you gave me the link I saw "Authenticating AAA Users Through RADIUS Using ISE: Workflow" and tried to make the settings for RADIUS; for TACACS+ I also did the work.

In your list, the attribute virtual-domain0=ROOT-DOMAIN is added at the beginning; when configuring Authorization Profiles for RADIUS, the Virtual Domain attribute is added at the end of the list.