Solved: RADIUS Authentication for PI 2.1 with Windows Server 2008 (Windows NPS)

belessing · ‎07-11-2014

Hello Community,

can someone please provide a step-by-step guide (or at least the VSA part) for RADIUS configuration on a Windows 2008 R2 server for Prime Infrastructure 2.1 please?

We already tried several setups with guides for PI 1.4 without success. The NPS itself authenticates and grants access, but on PI the login always fails.

Thank you in advance,

Benjamin

Vinod Arya · ‎07-11-2014

Dont have exact details, but I think this document would be a lot helpful.

Please check here and update if it was. It has step by step instructions on how to set NPS/Windows server configuration with PI.

-Thanks

Vinod

-Thanks Vinod **Rating Encourages contributors, and its really free. **

View solution in original post

AFROJ AHMAD · ‎07-11-2014

Hi Benjamin,

You have to provide user role and allowed task list in cisco-av pairs in Access-Accept message. Those attributes are used for authorization and assigning privileges for users authenticated against external Radius. You can't authenticate user with Radius and authorize based on local task mapping to user role on NCS, if authentication is configured against external RADIUS then authorization is performed based on attributes received in response.

Please, refer to configuration details for NCS (same as PI ):

http://www.cisco.com/en/US/docs/wireless/ncs/1.0/configuration/guide/admin.html#wp1119838

If above all is fine, then make sure the "shared secret key is atleast of 16 character" and no special characters. ( you can try with special characters but it may not work)

Thanks-

Afroz

***Ratings Encourages Contributors****

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****

ds6123 · ‎08-21-2014

I'm having the same issue and have a few questions/comments.

I can get root/admin access working via NPS/radius by justing telling NPS to send PI the NCS:role0=Root (or Admin) and NCS:virtual-domain0=ROOT-DOMAIN radius attributes.

But I also have some users who I just want to give read only access. I cannot seem to get this to work. At first I configured NPS to send PI the NCS:role0=Monitor Lite and NCS:virtual-domain0=ROOT_DOMAIN attributes. A user could login, but would immediate get a "You do not have access to the page Monitoring Dashboards" error. Not to mention almost nothing shows in the menu. So I tried adding all of the individual tasks related to the "Monitor Lite" role into the radius policy:

NCS:role0=Monitor Lite
NCS:task0=Services Menu Access
NCS:task1=Alarm Stat Panel Access
NCS:task2=Automated Feedback
NCS:task3=Monitor Menu Access
NCS:task4=Theme Changer Access
NCS:task5=Maps Read Only
NCS:task6=Help Menu Access
NCS:task7=License Check
NCS:task8=Rogue Location
NCS:task9=Reports Menu Access
NCS:task10=Monitor Tags
NCS:task11=Alarm Browser Access
NCS:task12=Configure Menu Access
NCS:task13=Search Access
NCS:task14=Tools Menu Access
NCS:task15=Administration Menu Access
NCS:task16=Monitor Clients
NCS:task17=Home Menu Access
NCS:task18=Client Location
NCS:task19=OnlineHelp
NCS:task20=TAC Case Management Tool

but I'm not having any luck. The NPS radius logs always show success, but the read-only users always get the same error and almost nothing visible in the menus.

Has anyone successfully configured radius with something other than Admin or Root privileges?

Thanks!

James Johnston · ‎09-26-2014

@ds6123@sbc.com

Let me start off saying that i don't have an answer for you.

It took a lot of work getting our NPS to authentication users from NCS and PI. And since we are a smaller IT department I only needed to configure the admin role.

What you may need to do is get a packet capture going on your NPS server to see what is exactly coming in from your NCS / PI requests.

You will need to see what role the NCS/PI server is requesting and then configure a new network policy to match it.

What seems to be happening is that the authentication is matching because they are apart of the group. However the roles aren't being transported over to tell NCS/PI what they can do.

Vinod Arya · ‎07-11-2014

Dont have exact details, but I think this document would be a lot helpful.

Please check here and update if it was. It has step by step instructions on how to set NPS/Windows server configuration with PI.

-Thanks

Vinod

-Thanks Vinod **Rating Encourages contributors, and its really free. **

Scott Fella · ‎07-15-2014

Take a look at this:

http://technologyordie.com/windows-nps-radius-authentication-of-cisco-prime-infrastructure

Scott

-Scott
*** Please rate helpful posts ***

belessing · ‎07-16-2014

Thank you very much for the input. This detailed instruction is great, it points out the configuration differences between NCS and Prime Infrastructure. We had several issues...

- in case of CHAP between NPS and Prime you need "store reversed password" checked in NPS user checkbox

- shared secret between NPS and Prime should be identical

- be aware of typos in NPS attribute fields! (ROOT-DMOAIN....)

It works now! Have a nice day,

Benjamin