Prime Infrastructure & AD

tira li
Level 1

Dear All,

     I'm new to the new network management tool, Prime Infrastructure, which converges the wireless and wired network devices. My customer knew of this tool and wanted users in an AD group to configure the wireless and wired devices through PI, with configuration auditing.

     I have checked the docs about PI 1.3; it can't be integrated with AD to authenticate users at login and so on. Due to my lack of AAA knowledge, I hope someone can give me some suggestions or ways to do the mentioned test. I will really appreciate your help, thx in advance!

Thx,

Tira

Accepted Solutions

Richard Atkin
Level 4

You just need a RADIUS server between your PI and AD. Configure the AAA server to return the correct RADIUS attributes (as listed in the Administration / AAA / User Groups section of the PI GUI and as relevant to the amount of access you want to give), and the job's a good'un.

Hi Richard,

     Firstly, thx for your timely help; I have also read some threads about NCS with TACACS on the Support Forums!

     However, I have configured the ACS server with AD authentication to return the TACACS attributes copied from the Root group of PI, not the RADIUS attributes. Now users of the AD group can access it with their AD username/password and get some basic SNMP information, such as CPU, memory and sysname etc. However, it can't collect the configuration, or even push a configuration template to the device. Then I checked the failure reason for the configuration archive, and it claimed that Telnet cannot be established. The test device has been configured with AAA and I have made sure that the AD user's username/password entered was correct; of course I also increased the Telnet timeout.

     Please give your suggestions, thx in advance!

Can someone help?!

Have you made sure that the AD account being used to access the test device isn't locked out? The log says that authentication failed 3 times, so the AAA server does not like the credentials Prime is trying to use to access the device.

Hi James and Cisco Support

    Sorry for the late response.

    I am sure the credentials work over Telnet. Let me describe the POC environment in detail: ACS5.4, PI1.2, one router C871 for test.

    My customer knew of this tool and wanted users in an AD group to configure the wireless and wired devices through PI, with configuration auditing. So we configured the ACS as a TACACS server to authenticate AD accounts to log in to and configure the router; and we configured the PI AAA mode according to the PI doc, and copied the Root task list and pasted it into the ACS Shell Profiles to authorize AD accounts to use PI functions. Finally, we logged in to PI with an AD account and added the test router successfully, and got some SNMP information about the router. However, we can't archive the configuration of the router after inventory on PI. Then I found the failure reason shown in the attachment, and I also checked the AAA log on ACS, which contains the successful authorization for PI and nothing about gathering the configuration of the router. If you need more logs, I will attach the logs you want to check!

    I will really appreciate your help, thx in advance!

Regards,

Tira



      Can Someone Help?!
