Has anyone had any luck setting up Prime to use RADIUS authentication for administration users against ACS 5.6?
At the moment the ACS is returning successful authentication '11002 Returned RADIUS Access-Accept' on an attempted Prime login although Prime returns incorrect username/password / access denied.
Two schools of thought based on previous posts / online searches:
1. Within the Access Service > Allowed Protocols tab > 'Send as User-Name in RADIUS Access-Accept' radio buttons
Currently set as the 'Principal User Name', which as I understand provides the certificate name, would 'RADIUS Access-Request User-Name' make more sense?
2. RADIUS attribute requirement
Post located but this refers to TACACS+ attributes - exporting task lists
Would a similar task need to be completed for RADIUS?
You will need to send attributes for RADIUS authentication to work. For example, for super user permissions to the root virtual domain you need the following:
cisco-av-pair = NCS:role0=Super Users
cisco-av-pair = NCS:virtual-domain0=ROOT-DOMAIN
In the user group list, next to each group you'll see task list links. Usually you only need to put in the role and the virtual domain.
Thanks for the comment - that makes sense - I have created a new authorisation profile with the values specified, will update tomorrow once completed some further testing.
Testing and working a treat!
Can see the two additional attributes in the ACS Reporting and Monitoring logs passing to Prime.
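As an added example (not code from the thread, Cisco, or ACS), this Python sketch decodes the cisco-av-pair vendor-specific attributes from a RADIUS Access-Accept and reports whether the role and virtual-domain pairs named in the accepted answer are present. This is the case in the original question, where ACS logs an Access-Accept but Prime still denies the login. The function names, the numbered-suffix pattern (`role0`, `role1`, ...) and the sample packets are assumptions constructed for illustration.

```python
import re
import struct

CISCO_VENDOR_ID = 9   # Cisco's IANA enterprise number
CISCO_AV_PAIR = 1     # vendor sub-type used for cisco-av-pair
ACCESS_ACCEPT = 2     # RADIUS code for Access-Accept

def cisco_av_pairs(packet: bytes) -> list[str]:
    """Return every cisco-av-pair string carried in an Access-Accept."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length < 20 or length > len(packet):
        raise ValueError("not a well-formed Access-Accept")
    pairs, pos = [], 20  # attributes follow the 20-byte header
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + a_len]
        pos += a_len
        if a_type != 26 or len(value) < 6:  # 26 = Vendor-Specific
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        sub = value[4:]
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            if sub[0] == CISCO_AV_PAIR:
                pairs.append(sub[2:sub[1]].decode("utf-8", "replace"))
            sub = sub[sub[1]:]
    return pairs

def missing_prime_attributes(pairs: list[str]) -> list[str]:
    """List which of the two NCS attribute kinds are absent (assumed pattern)."""
    found = {m.group(1) for p in pairs
             if (m := re.match(r"NCS:(role|virtual-domain)\d+=.+", p))}
    return sorted({"role", "virtual-domain"} - found)

def build_accept(av_pairs: list[str]) -> bytes:
    """Constructed sample packet with a zeroed authenticator, demo input only."""
    attrs = b""
    for p in av_pairs:
        sub = bytes([CISCO_AV_PAIR, len(p) + 2]) + p.encode()
        attrs += bytes([26, len(sub) + 6]) + struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    good = build_accept(["NCS:role0=Super Users", "NCS:virtual-domain0=ROOT-DOMAIN"])
    bare = build_accept([])  # Access-Accept with no authorization attributes
    print("with profile:", missing_prime_attributes(cisco_av_pairs(good)))
    print("without profile:", missing_prime_attributes(cisco_av_pairs(bare)))
```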