05-21-2013 11:56 AM
Hello,
We are having trouble setting our new installation of Cisco PI 1.3 to work with Tacacs+ configured on ACS 4.2.
We have followed the procedure explained in the Cisco PI 1.3 configuration guide, and in the Tacacs+ logs we can see that authentication is successful but authorization is unsuccessful:
21/05/2013,16:36:44,Authen OK,pradoicic,admins,192.168.187.109,,192.168.187.109,wifi-prime-p-vm01,AP,ACS1AERO,1,,,192.168.187.109,No Filters activated.,,,No,
21/05/2013,16:36:44,Author failed,pradoicic,admins,192.168.187.109,,Service denied,protocol=HTTP service=NCS,NCS HTTP,192.168.187.109,wifi-prime-p-vm01,AP
We have added the user group into ACS as explained in the configuration guide, and we have also tried to add the virtual domain at the beginning or at the end of the list, but that didn't solve our problem.
Is there anything that we can do in order to make Cisco PI authenticate users using Tacacs+?
Any help in finding a solution for this problem will be very much appreciated.
Regards,
Jelena
05-21-2013 10:19 PM
Hi,
Mind explaining the relevant configuration parts of Prime and ACS?
Regards,
P.
05-21-2013 11:19 PM
Hi,
On the Cisco PI side we have:
1. Added the Tacacs+ server under Administration > AAA > TACACS+
We have entered all required parameters.
2. Enabled AAA Tacacs+ mode under Administration > AAA > AAA Mode, and we have chosen the "on auth failure or no server response" option.
On the ACS side:
1. Under Network Configuration > New Entry we have added Cisco PI.
2. Under Interface Configuration > TACACS+ (Cisco IOS) > New Services
we have added Prime and HTTP (we have checked the box in front of these services).
3. Under Group Setup > Edit Settings > prime HTTP service we have added the custom attributes that we copied from the Cisco PI Admin group. We have also exported the virtual domain information from Prime and imported it at the beginning of the custom attributes, and we have also tried to place that virtual domain information at the end, but we get the same behavior.
For some reason ACS doesn't know how to return authorization information.
Regards,
Jelena
05-22-2013 02:38 AM
Hi,
I have managed to make Cisco PI communicate with TACACS+.
The problem was the service name -> the name has to be NCS! After I changed the name of the service on ACS to NCS, we can now log on to Cisco PI using TACACS+.
Regards,
Jelena
05-22-2013 05:58 AM
Hi!
I had a problem with authorization on a Linux-based Tacacs+ server.
Solution - you need to add the service NCS to your admins group in .../tac_plus.cfg with all tasks from the Prime Task List, like:
service = NCS {
    virtual-domain0=ROOT-DOMAIN
    role0=Admin
    task0="View Alerts and Events"
    task1="Run Job"
    task2="Device Reports"
    .......
}
Without the " " it won't work!
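A small helper to generate and sanity-check that service stanza, added here as an example; it is not part of any post in this thread and not Cisco's or tac_plus's own tooling. It assumes the attribute names (virtual-domainN, roleN, taskN) and the NCS service name shown above, and the task list it uses is a constructed sample, not the full Prime task list. The checker flags the two mistakes the thread ran into: a service name other than NCS, and task names with spaces that are not quoted.

```python
"""Build and sanity-check a tac_plus.cfg 'service = NCS' stanza for Prime Infrastructure.

Hypothetical helper written for this thread; not Cisco's or tac_plus's tooling.
Attribute names (virtual-domainN, roleN, taskN) and the NCS service name follow
the thread; SAMPLE_TASKS is a constructed sample, not the full Prime task list.
"""
import re

REQUIRED_SERVICE = "NCS"   # per the thread: any other service name fails authorization

# Constructed sample input (the real list comes from Prime's Task List export).
SAMPLE_TASKS = ["View Alerts and Events", "Run Job", "Device Reports"]


def quote_if_needed(value: str) -> str:
    """tac_plus needs attribute values containing spaces wrapped in double quotes."""
    if " " in value and not (value.startswith('"') and value.endswith('"')):
        return f'"{value}"'
    return value


def build_ncs_stanza(virtual_domains, roles, tasks, indent="    ") -> str:
    """Return the text of a 'service = NCS { ... }' block with 0-based numbered attributes."""
    lines = [f"service = {REQUIRED_SERVICE} {{"]
    for i, vd in enumerate(virtual_domains):
        lines.append(f"{indent}virtual-domain{i}={quote_if_needed(vd)}")
    for i, role in enumerate(roles):
        lines.append(f"{indent}role{i}={quote_if_needed(role)}")
    for i, task in enumerate(tasks):
        lines.append(f"{indent}task{i}={quote_if_needed(task)}")
    lines.append("}")
    return "\n".join(lines)


_ATTR = re.compile(r"^\s*(virtual-domain|role|task)(\d+)=(.*)$")


def check_ncs_stanza(text: str) -> list:
    """Return a list of problems found in an existing stanza (empty list = looks fine)."""
    problems = []
    header = re.search(r"^\s*service\s*=\s*(\S+)\s*\{", text, re.MULTILINE)
    if not header:
        problems.append("no 'service = ... {' header found")
    elif header.group(1) != REQUIRED_SERVICE:
        problems.append(f"service name is {header.group(1)!r}, Prime expects {REQUIRED_SERVICE!r}")
    if "}" not in text:
        problems.append("stanza is not closed with '}'")

    seen = {"virtual-domain": set(), "role": set(), "task": set()}
    for line in text.splitlines():
        m = _ATTR.match(line)
        if not m:
            continue
        kind, idx, value = m.group(1), int(m.group(2)), m.group(3).strip()
        seen[kind].add(idx)
        if " " in value and not (value.startswith('"') and value.endswith('"')):
            problems.append(f"{kind}{idx} value {value!r} contains spaces but is not quoted")
    # Prime numbers each attribute family from 0 without gaps.
    for kind, idxs in seen.items():
        if idxs and sorted(idxs) != list(range(len(idxs))):
            problems.append(f"{kind} indices are not contiguous from 0: {sorted(idxs)}")
    if not seen["virtual-domain"]:
        problems.append("no virtual-domain attribute")
    if not seen["role"]:
        problems.append("no role attribute")
    return problems


if __name__ == "__main__":
    stanza = build_ncs_stanza(["ROOT-DOMAIN"], ["Admin"], SAMPLE_TASKS)
    print(stanza)
    print("problems:", check_ncs_stanza(stanza))
```

Paste the generated block into the relevant group in tac_plus.cfg; running check_ncs_stanza over a stanza copied out of an existing config is a quick way to spot the unquoted-task and wrong-service-name mistakes before restarting the daemon.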