cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8618
Views
21
Helpful
15
Replies

Prime and ACS View Server Integration

Ben Meagher
Level 1
Level 1

Can anyone point me in the right direction for a good doc on implenting Prime (1.3) with an ACS View Server (5.1)?

1 Accepted Solution

Accepted Solutions

Guys: I was doing little research on this topic and just wanted to add that there is not much config we have to perform on ths ACS.

All you need to have this command on ACS via CLI "acs config-web-interface view enable"

On the Prime, we already have ACS view server ip and port information. In addition to that we have to integrate Prime with ACS using a super admin privilige account. By-default acsadmin has super admin rights so we can use it on the prime side or you can create a specific account on ACS and assign super admin rights under system administrator > administrators > accounts > create new account.

Once done, please try to pull the logs from NCS and let me know how it goes.

Jatin Katyal
- Do rate helpful posts -

~Jatin

View solution in original post

15 Replies 15

Jatin Katyal
Cisco Employee
Cisco Employee

The configuration on the Prime Infrastructure side is minimal:  define the authentication server Prime is to use and select a mode for Prime Infrastructure to use with it.

Administration > AAA > TACACS+ Servers > add tacacs server.

Administration > AAA > AAA Mode Settings > tacacs+ and enable fallback to local.

The bulk of the configuration is on the authentication server side, particularly indefining groups, services and authorization tasks.  This is covered in the "Performing Administrative Tasks" chapter of the Prime Infrastructure Configuration Guide, starting with the topic "Configuring ACS 5.x"

http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1595935

Jatin Katyal


- Do rate helpful posts -

~Jatin

Keep in mind that you have the below listed attribute added in the policy elements > shell profiles > customer attribute

virtual-domain0  mandatory ROOT

Please post any error you may see while working on it.

Jatin Katyal


- Do rate helpful posts -

~Jatin

minkumar
Level 1
Level 1

Hey Ben,

  Is it ACS view server 5.1 or Acess control system 5.1 (ACS 5.1)?

If its ACS 5.1, you can follow the below link:

https://supportforums.cisco.com/docs/DOC-32603

Regards

Minakshi (Rate it if its helpful )

Ben Meagher
Level 1
Level 1

My apologies, I should have been more precise. I already have tacacs running for user authC with all the attributes and vd parameters. I am trying to leverage the ACS View Server feature that is available within Prime under the Users and Clients troubleshooting section. I have tried setting the External Server to both the ACS primary and the dedicated logging server with no luck. I tried verifying on the ACS server that Prime (also a NAD in ACS) was indeed creating any logs against ACS as admin logins but did not see any... With ACS View now running native since 5.1 is there any additional config within ACS that is necessary?

Hi Ben,

  May be i am not able to udnerstand your question properly, Could you please share some screen shots for better understanding as in what exactly are you trying to achieve for better understanding.

Regards

Minakshi (Do rate the helpful posts )

harvisin
Level 3
Level 3

Hello,

I went throuh your query and found certain steps which may help you out in solving your query.

Configuring ACS View Servers

To facilitate communication  between Prime Infrastructure and the ACS View Server and to access the  ACS View Server tab, you must add a view server with credentials.


Note Prime Infrastructure only supports  ACS View Server 5.1 or later.


To configure the ACS View  Server Credentials, follow these steps:


Step 1 Choose Design > External  Management > ACS View Servers.

Step 2 Enter the port number of the ACS  View Server you are adding. (Some ACS View Servers do not allow you to  change the port on which HTTPS runs.)

Step 3 Enter the password that was  established on the ACS View Server. Confirm the password.

Step 4 Specify the time in seconds after  which the authentication request times out and a retransmission is  attempted by the controller.

Step 5 Specify the number of retries to be  attempted.

Step 6 Click Save.


Configuring TFTP or FTP Servers


Step 1 Choose Design > External  Management > TFTP/FTP Servers.

Step 2 From the Select a command drop-down  list, choose Add TFTP/FTP Server.

Step 3 From the Server Type drop-down list,  choose TFTP, FTP, or Both.

Step 4 Enter a TFTP/FTP server name. This  is a user-defined name for the server.

Step 5 Enter the IP address of the TFTP/FTP  server.

Step 6 Click Save.


Next Steps

Now that you have completed  the basic setup steps, you might want to do the following tasks:

Table 2-3  Next Steps after   Completing Setup Tasks

Task

GUI   Path

Documentation   Reference

Set up  additional users

Administration  > Users, Roles   & AAA, then click Users

Controlling    User Access

Add additional  virtual domains

Administration   > Virtual Domains

Setting    Up Virtual Domains

Refine your  sites

Design >  Site Map Design

Designing    Sites

Create  additional port groups and   change existing port groups

Design >  Port Grouping

Changing    Port Groups

Start monitoring  and responding to   alarms

Operate >  Alarms & Events

Monitoring    Alarms

Ben Meagher
Level 1
Level 1

I have already completed the initial configuration steps, my original question, is there anything additional needed to configure on the ACS server for this feature? Any additional config or enablements?

David Jaoui
Level 1
Level 1

any chance you figured this one out? the documentation kinda sucks on this topic...

Havent been able to make it a priority lately...

Yea I know what you mean ... If I have a chance I'll try to bug TAC about it

Sent from Cisco Technical Support iPhone App

Guys: I was doing little research on this topic and just wanted to add that there is not much config we have to perform on ths ACS.

All you need to have this command on ACS via CLI "acs config-web-interface view enable"

On the Prime, we already have ACS view server ip and port information. In addition to that we have to integrate Prime with ACS using a super admin privilige account. By-default acsadmin has super admin rights so we can use it on the prime side or you can create a specific account on ACS and assign super admin rights under system administrator > administrators > accounts > create new account.

Once done, please try to pull the logs from NCS and let me know how it goes.

Jatin Katyal
- Do rate helpful posts -

~Jatin

Hey Jatin,

That missing command was the issue!

It would be nice if the PI documentation referenced that...

Thanks!

-David

huh...thanks david for updating this thread. I'll surely create a doc on this soon and post it here.

In case you are all set, would appreciate if you can mark this long going thread stands resolved.

Jatin Katyal
- Do rate helpful posts -

~Jatin

I was able to create a small doc on this issue.

https://supportforums.cisco.com/docs/DOC-34210

Jatin Katyal

- Do rate helpful posts -

~Jatin