Solved: Cisco Prime PKI/CAC login

Eric R. Jones · ‎03-09-2019

Hello, we currently are transitioning from ACS to Cisco ISE to control our AAA. I have Prime configured for TACACS+; however, when logging in I can see that Prime is using the local login rather than the ACS login. When I configured ISE as the TACACS server I can see in ISE's TACACS Live logs that it reaches out to ISE but fails. We are trying to leverage our access to prime by taking advantage of CAC usage so no more passwords are required. The documents I have read address the configuration of TACACS or RADIUS but none address the use of PKI/CAC. Is it possible to access Prime GUI via ISE?

ej

Eric R. Jones · ‎03-15-2019

I fixed the issue.

The problem was that the network device section wasn't completely filled in with the path that the policy was expecting. So the policy says starts with Wired>Edge>Prime Infrastructure; however, the network device section only had Edge>Wired so the device wasn't in the correct identity group.

Got the policy and group aligned problem solved.

ej

View solution in original post

Arne Bier · ‎03-10-2019

Sure thing - ISE TACACS is a perfect place to authenticate your Cisco Prime Infrastructure logins. We do it all the time. You can return very granular RBAC authorization to Prime depending on what access the Prime user needs.

You need to explain what you see in the ISE TACACS+ Live Logs when things don't work. Share some screenshots.

Eric R. Jones · ‎03-10-2019

We are using internal local username/passwords for access to Prime right now.

The usernames/passwords in Prime are the ones in ISE as the internal accounts.

when I attempt to use that username/password combination ISE doesn't see the request so returns nothing in the live logs.

I do gain access to Prime due to the fail to local setup.

Of course the ISE IP and secrect key are configured in Prime.

I had it configured with ACS and we are migrating over, thank goodness.

So under Administration > Admin Access > Admin users

I have a username/password combination.

I can use this when we put ISE in safemode to access the server.

If I use this username/password combination to access Cisco Prime ISE doesn't get a hit in the TACACS Live logs.

If I enter ISE Administration > Identities > Users

and attempt to enter that same combination I get a failure to create due to that name already in use.

If I intend to have ISE authenticate Prime users will the Administration > Identities > Users section require a username/password?

Shouldn't it be able to use my ISE Administration account?

ej

Eric R. Jones · ‎03-10-2019

I have been plugging away at it today and have gotten to the point where it is looking at the proper path; however, I am getting a rejection from Cisco Prime.

Here are two screen shots, please note in the live log shot under Device Port it shows "NCS HTTP".

In the status column it shows green and the information states it's authenticating properly.

I'm not sure why I'm being rejected by Prime as the username/password match the Prime local account.

ej

Eric R. Jones · ‎03-15-2019

I fixed the issue.

The problem was that the network device section wasn't completely filled in with the path that the policy was expecting. So the policy says starts with Wired>Edge>Prime Infrastructure; however, the network device section only had Edge>Wired so the device wasn't in the correct identity group.

Got the policy and group aligned problem solved.

ej