03-09-2019 03:15 PM
Hello, we are currently transitioning from ACS to Cisco ISE to control our AAA. I have Prime configured for TACACS+; however, when logging in I can see that Prime is using the local login rather than the ACS login. When I configured ISE as the TACACS server I can see in ISE's TACACS Live Logs that it reaches out to ISE but fails. We are trying to leverage our access to Prime by taking advantage of CAC usage so no more passwords are required. The documents I have read address the configuration of TACACS or RADIUS, but none address the use of PKI/CAC. Is it possible to access the Prime GUI via ISE?
ej
03-15-2019 06:06 PM
I fixed the issue.
The problem was that the network device section wasn't completely filled in with the path that the policy was expecting. The policy says "starts with Wired>Edge>Prime Infrastructure"; however, the network device section only had Edge>Wired, so the device wasn't in the correct identity group.
Got the policy and group aligned problem solved.
ej
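The mismatch described in the solution above (a policy condition that does a "starts with" comparison on the device-group path, while the device itself sits in a differently ordered, shallower group) is easy to audit in code. The following is an added example and not part of the thread or of any Cisco product: it models device records the way the ISE ERS network-device API returns them, with `NetworkDeviceGroupList` entries using `#` as the hierarchy separator (an assumption about that format), and the sample devices are constructed to mirror the before/after state in the thread. It compares paths component by component rather than as raw strings, so that `Edge#Wired` is not accepted for a policy expecting `Wired#Edge#...`.

```python
"""Audit ISE network-device group membership against a TACACS+ policy condition.

Added example, not from the thread. Assumes ISE ERS-style network device
records whose NetworkDeviceGroupList entries use '#' as the hierarchy
separator (e.g. 'Device Type#All Device Types#Wired#Edge'); the sample
records below are constructed to mirror the thread, not real devices.
"""

SEP = "#"


def split_path(path):
    """Split an ISE device-group path into its hierarchy components."""
    return [p.strip() for p in path.split(SEP) if p.strip()]


def starts_with(device_path, policy_path):
    """True if device_path begins with every component of policy_path, in order.

    Component-wise, not substring, comparison: 'Wired#Edge' does not satisfy
    'Wired#Edge#Prime Infrastructure' (too shallow), and 'Edge#Wired' does not
    satisfy 'Wired#Edge' even though the same words appear (wrong order).
    """
    d = split_path(device_path)
    p = split_path(policy_path)
    return len(d) >= len(p) and d[:len(p)] == p


def device_groups(record, root):
    """Group entries of one device record under the given root (e.g. 'Device Type')."""
    return [g for g in record["NetworkDeviceGroupList"] if split_path(g)[:1] == [root]]


def audit(records, policy_path):
    """Return {device name: matching group path or None} for each record."""
    root = split_path(policy_path)[0]
    result = {}
    for rec in records:
        match = next((g for g in device_groups(rec, root) if starts_with(g, policy_path)), None)
        result[rec["name"]] = match
    return result


# Constructed sample, shaped like ISE ERS /ers/config/networkdevice output (assumption).
POLICY = "Device Type#All Device Types#Wired#Edge#Prime Infrastructure"
SAMPLE_DEVICES = [
    # The state described in the thread before the fix: wrong order, too shallow.
    {"name": "prime-before-fix",
     "NetworkDeviceGroupList": ["Location#All Locations",
                                "Device Type#All Device Types#Edge#Wired"]},
    # The state after the fix: the device sits exactly where the policy looks.
    {"name": "prime-after-fix",
     "NetworkDeviceGroupList": ["Location#All Locations",
                                "Device Type#All Device Types#Wired#Edge#Prime Infrastructure"]},
    # A device one level up the tree: a "starts with" rule on the deeper path rejects it.
    {"name": "edge-switch",
     "NetworkDeviceGroupList": ["Device Type#All Device Types#Wired#Edge"]},
]


def unmatched(records=SAMPLE_DEVICES, policy_path=POLICY):
    """Names of devices that would fall through the policy condition."""
    return sorted(name for name, group in audit(records, policy_path).items() if group is None)


if __name__ == "__main__":
    for name, group in audit(SAMPLE_DEVICES, POLICY).items():
        print(f"{name}: {'OK (' + group + ')' if group else 'NOT matched by policy condition'}")
```

Running the block prints one line per device; `prime-before-fix` and `edge-switch` are reported as not matched, which is the same outcome the thread observed as a TACACS+ rejection in the ISE Live Logs. With real data, the `SAMPLE_DEVICES` list would be replaced by the `NetworkDevice` objects pulled from the ERS API.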
03-10-2019 04:45 AM
Sure thing. ISE TACACS is a perfect place to authenticate your Cisco Prime Infrastructure logins. We do it all the time. You can return very granular RBAC authorization to Prime depending on what access the Prime user needs.
You need to explain what you see in the ISE TACACS+ Live Logs when things don't work. Share some screenshots.
03-10-2019 03:56 PM
We are using internal local username/passwords for access to Prime right now.
The usernames/passwords in Prime are the ones in ISE as the internal accounts.
When I attempt to use that username/password combination, ISE doesn't see the request, so it returns nothing in the Live Logs.
I do gain access to Prime due to the fail-to-local setup.
Of course the ISE IP and secret key are configured in Prime.
I had it configured with ACS and we are migrating over, thank goodness.
So under Administration > Admin Access > Admin users
I have a username/password combination.
I can use this when we put ISE in safe mode to access the server.
If I use this username/password combination to access Cisco Prime, ISE doesn't get a hit in the TACACS Live Logs.
If I enter ISE Administration > Identities > Users
and attempt to enter that same combination I get a failure to create due to that name already in use.
If I intend to have ISE authenticate Prime users will the Administration > Identities > Users section require a username/password?
Shouldn't it be able to use my ISE Administration account?
ej
03-10-2019 09:28 PM
I have been plugging away at it today and have gotten to the point where it is looking at the proper path; however, I am getting a rejection from Cisco Prime.
Here are two screenshots; please note in the Live Log shot under Device Port it shows "NCS HTTP".
In the status column it shows green, and the information states it's authenticating properly.
I'm not sure why I'm being rejected by Prime, as the username/password match the Prime local account.
ej