Prime 2.2 and ACS5.6 - Radius authentication - Login issues

3iron
Beginner

Hello,

 

Has anyone had any luck setting up Prime to use Radius authentication for administration users against ACS5.6?

 

At the moment the ACS is returning successful authentication '11002 Returned RADIUS Access-Accept' on an attempted Prime login although Prime returns incorrect username/password / access denied.

Two schools of thought based on previous posts / online searches:

 

1. Within the Access Service > Allowed Protocols tab > 'Send as User-Name in RADIUS Access-Accept' radio buttons

Currently set as the 'Principal User Name', which as I understand provides the certificate name. Would 'RADIUS Access-Request User-Name' make more sense?

 

2. RADIUS attribute requirement 

Post located but this refers to TACACS+ attributes - exporting task lists

https://supportforums.cisco.com/discussion/12394496/cisco-prime-radius-users 

Would a similar task need to be completed for RADIUS?

 

 

Thanks

Accepted Solutions

M. Wisely
Enthusiast

You will need to send attributes for RADIUS authentication to work. For example, for super user permissions to the root virtual domain you need the following:

cisco-av-pair = NCS:role0=Super Users

cisco-av-pair = NCS:virtual-domain0=ROOT-DOMAIN

In the user group list, next to each group you'll see task list links. Usually you only need to put in the role and the virtual domain.

Hi Martin,

Thanks for the comment - that makes sense - I have created a new authorisation profile with the values specified, will update tomorrow once I have completed some further testing.

Cheers

Testing and working a treat!

Can see the two additional attributes in the ACS Reporting and Monitoring logs passing to Prime.

Thanks
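
The check described in this thread, as an added example that is not part of the original posts or Cisco's own code: it parses a RADIUS Access-Accept (RFC 2865) and reports which of the two cisco-av-pair keys from the accepted answer are missing, which is the condition under which ACS logs an Access-Accept while Prime still denies the login. The function names are hypothetical, the sample packet is constructed with a zeroed authenticator, and the code does not validate the Response Authenticator.

```python
import struct

ACCESS_ACCEPT = 2        # RADIUS code for Access-Accept (RFC 2865)
VENDOR_SPECIFIC = 26     # attribute type that carries vendor-specific attributes
CISCO_VENDOR_ID = 9      # Cisco's vendor ID
CISCO_AV_PAIR = 1        # Cisco vendor sub-type for cisco-av-pair
REQUIRED_KEYS = ("NCS:role0", "NCS:virtual-domain0")  # from the accepted answer


def cisco_av_pairs(packet: bytes) -> list[str]:
    """Return every cisco-av-pair string carried in an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    pairs, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if (atype != VENDOR_SPECIFIC or len(value) < 6
                or int.from_bytes(value[:4], "big") != CISCO_VENDOR_ID):
            continue
        sub = value[4:]  # one or more (sub-type, length, data) entries
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            if sub[0] == CISCO_AV_PAIR:
                pairs.append(sub[2:sub[1]].decode("utf-8", "replace"))
            sub = sub[sub[1]:]
    return pairs


def missing_prime_attributes(packet: bytes) -> list[str]:
    """List the required NCS keys that the Access-Accept does not carry."""
    present = {p.split("=", 1)[0] for p in cisco_av_pairs(packet) if "=" in p}
    return [k for k in REQUIRED_KEYS if k not in present]


def build_accept(av_pairs: list[str]) -> bytes:
    """Constructed sample packet (zeroed authenticator), for the demo only."""
    attrs = b""
    for text in av_pairs:
        data = text.encode()
        vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AV_PAIR, len(data) + 2) + data
        attrs += struct.pack("!BB", VENDOR_SPECIFIC, len(vsa) + 2) + vsa
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs
```

An empty list from `missing_prime_attributes` corresponds to the working state reported above, where both attributes are visible in the ACS logs.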
