Cisco Prime Infrastructure and ACS 5.8

Eric R. Jones
Level 4

I have just upgraded our Cisco Prime 2.2.3 to 3.1.5 and need to configure access through ACS 5.8.

Right now I have configurations done and it's attempting to login but I get the window on the screen that states:

"No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and

Virtual Domain(s) in the remote server"

I'm able to login to other devices but not Prime.

The output found in the "TACACS Authentication" log shows that the username is discovered.

Has anyone had this issue and successfully resolved it?

I never got it to work under PI 2.2.3 either.

ej

2 Replies

simonprice1
Level 1

Got the same issue with Prime 3.1.4 and ACS 5.5

Used to work ok with Prime 2.0 and ACS 5.5 but since we've upgraded to 3.1 I now get this.

I finally got it to work. The documentation outlines what you need to do as far as gathering the information for the shell profile and virtual domain use. On the ACS side it was a matter of getting the Access Policies and the shell profile correct.

I used the LABMinutes video to create the policies and the shell profile needed.

I recommend LABMinutes.com as a good source to get a visual on how to set up the ACS and other Cisco appliances and configurations.

When you arrive select "Security" and in the search window type "acs tacacs". You should be taken to the page with all ACS and ISE related videos. The particular video on shell profiles is sec0088. It's not specific to Prime and TACACS but it should get you what you need.

I had to create the proper "Authorization" rule in my Service Selection Rule.

I had a Service Selection Rule for full admin rights.

Within that rule I created a duplicate of the full device policy and modified the name and the identity group so it pointed to the sub group created under Network Resources for the Prime server. I then selected the shell profile I created and used the command set I made that allows access to all commands.

That command set simply has the name, a description and a check in the box for "Permit any command that is not in the table below".

The identity section of that service selection rule was also a duplicate of the other with a change in device type so it points to a particular group I created. The identity source was what we are using; yours may differ.

ej
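The "No authorization information found" message in the original post is what Prime shows when the shell profile returned by ACS carries no usable task or virtual-domain attributes. The helper below is an added example (not from the thread or from Cisco) that sanity-checks a shell profile's custom attribute list before it is pasted into ACS: it expects Prime's exported task-list format (`NCS:role0=`, `NCS:task0=`, `NCS:virtual-domain0=`), which the thread does not quote, so that format and the sample attribute lists are assumptions constructed for the example.

```python
"""Sanity-check the custom attributes of an ACS shell profile intended for
Cisco Prime Infrastructure TACACS+ authorization.

Assumption: attributes follow Prime's exported task-list format,
    NCS:<kind><index>=<value>
with kind in {role, task, virtual-domain}. The thread does not quote the
attributes, so this format is assumed here rather than taken from the page.
"""
import re

EXPECTED_PREFIX = "NCS"
REQUIRED_KINDS = ("role", "task", "virtual-domain")

# prefix is matched loosely so a mis-typed prefix is reported, not silently dropped
ATTR_RE = re.compile(
    r"^(?P<prefix>[A-Za-z]+):(?P<kind>role|task|virtual-domain)(?P<idx>\d+)=(?P<value>.*)$"
)


def check_shell_profile(attrs):
    """Return a list of human-readable findings.

    An empty list means the profile carries at least one role, one task and
    one virtual domain, all with the expected prefix, non-empty values and
    indices that run contiguously from 0 (role0, task0, task1, ...).
    """
    findings = []
    seen = {kind: [] for kind in REQUIRED_KINDS}

    for raw in attrs:
        line = raw.strip()
        if not line:
            continue
        m = ATTR_RE.match(line)
        if not m:
            findings.append(f"unparseable attribute: {line!r}")
            continue
        if m.group("prefix") != EXPECTED_PREFIX:
            findings.append(
                f"wrong prefix {m.group('prefix')!r} in {line!r} "
                f"(expected {EXPECTED_PREFIX!r})"
            )
            continue
        if not m.group("value").strip():
            findings.append(f"empty value in {line!r}")
            continue
        seen[m.group("kind")].append(int(m.group("idx")))

    # Prime needs every kind present; indices must be dense or later ones are ignored
    for kind in REQUIRED_KINDS:
        idxs = sorted(seen[kind])
        if not idxs:
            findings.append(f"no {kind} attribute present")
        elif idxs != list(range(len(idxs))):
            findings.append(f"{kind} indices are not contiguous from 0: {idxs}")
    return findings


# Constructed sample attribute lists (not taken from the thread).
GOOD_PROFILE = [
    "NCS:role0=Admin",
    "NCS:task0=Device Management",
    "NCS:task1=Monitor Menu Access",
    "NCS:virtual-domain0=ROOT-DOMAIN",
]

# Missing the virtual domain entirely and carrying a lower-case prefix on one task:
# this is the kind of profile that produces the error quoted in the original post.
BROKEN_PROFILE = [
    "NCS:role0=Admin",
    "NCS:task0=Device Management",
    "ncs:task1=Monitor Menu Access",
]

if __name__ == "__main__":
    for name, profile in (("good", GOOD_PROFILE), ("broken", BROKEN_PROFILE)):
        findings = check_shell_profile(profile)
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Run it before touching ACS: a clean result does not prove the Access Policy is selecting the right shell profile, but any finding it reports will produce exactly the authorization failure described above regardless of how the policy is built.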
