cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2107
Views
0
Helpful
4
Replies
Jelena Mitrovic
Beginner

Cisco Prime Infrastructure 1.3 Tacacs+ authorization problem

Hello,

We are having trouble setting our new installation of Cisco PI 1.3 to work with Tacacs+ configured on ACS 4.2.

We have followed procedure explained in Cisco PI 1.3 configuration guide and in Tacacs+ logs we can see that we have successful authentification but authorization is unsuccessful:

21/05/2013,16:36:44,Authen OK,pradoicic,admins,192.168.187.109,,192.168.187.109,wifi-prime-p-vm01,AP,ACS1AERO,1,,,192.168.187.109,No Filters activated.,,,No,

21/05/2013,16:36:44,Author failed,pradoicic,admins,192.168.187.109,,Service denied,protocol=HTTP service=NCS,NCS HTTP,192.168.187.109,wifi-prime-p-vm01,AP

We have added user group into ACS as is explained in configuration gude and we have also tried to add virtual domain at the beggining or at the and of the list but that didn't solve our problem.

Is there anything that we can do in order to make Cisco PI to authentificate users using Tacacs+?

Any help in finding solution for this problem will be very appreciated.

Regards,

Jelena

4 REPLIES 4
predrag2006
Beginner

Hi,

Mind explaining relevant configuration parts of Prime and ACS.

Regards,

P.

Predrag Petrovic

Hi,

On the Cisco PI side we have:

1. Added Tacacs+ server under Administration > AAA > TACACS+

    We have entered all required parameters

2. Enabled AAA Tacacs+ mode under Administration > AAA > AAA Mode and we have choosed on auth failure or no server response oprion.

On the ACS side:

1. Under Network Configuration > New Entry we have added Cisco PI

2.  Under Interface Configuration >TACACS+ (Cisco IOS) > New Services >

we have added Prime and HTTP (we have checked box infront of these service).

3. Under Group Setup > Edit Settings > prime HTTP service we have added custom attributes that we have copied from Cisco PI Admin group. We have also exported virtual domain information from Prime and have imported them on the beggining of the custom attributes and we have also tried to place that virtual domain information on the end but we have the same behavior.

For some reason ACS doesn't know how to return authorization information.

Regards,

Jelena

Hi,

I have managed to make Cisco PI communicate with TACACS+.

The problem was the service name -> Name has to be NCS! After i have changed name for service on ACS to NCS we can now log on Cisco PI using TACACS+.

Regards,

Jelena

artemepishov
Beginner

Hi!

I had problem with autorization on Linux-based Tacacs+ server.

Solution - you need to add service NCS to your admins group in .../tac_plus.cfg with all tasks from Prime Task List, like:

        service = NCS {

                virtual-domain0=ROOT-DOMAIN

                role0=Admin

                task0="View Alerts and Events"

                task1="Run Job"

                task2="Device Reports"

.......

Without " " it wont work!