Using Windows Network Policy Server to authenticate Prime Infrastructure 1.2 admin access

dennis-lee
Level 1

Dear all,

How can I authenticate admin access to Prime Infrastructure 1.2 using AAA mode RADIUS with Windows Network Policy Server as the RADIUS server? I found some information on using ACS as the RADIUS server but cannot find how to do it for Windows NPS.

I tried to configure the NPS, but an error was displayed when logging in to PI using an account in the NPS server: "No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server"

Thanks for your help.

Dennis

Accepted Solution

schaef350
Level 1

Ok, I was able to resolve this over the weekend. The actual fix is a little complicated. You can find the full explanation here: http://technologyordie.com/windows-nps-radius-authentication-of-cisco-prime-infrastructure

The basics are that Prime (1.3 is the version I am using at this point) expects two AV pairs from RADIUS. They are as follows:

NCS:role0=Admin

NCS:virtual-domain0=ROOT-DOMAIN

"Admin" is the name of the group you would like your users to have access at and "ROOT-DOMAIN" is the name of the domain you would like them to have access to.

For TACACS+ I suspect the AV Pairs are going to be the same but I have not been able to test that.

- Be sure to rate all helpful posts
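
An added example, not part of the original post or of Cisco's or Microsoft's tooling: a Python check that parses the attribute section of a captured Access-Accept and reports which of the two AV pairs named above is missing. It assumes the pairs are delivered as Cisco-AVPair vendor-specific attributes (RADIUS type 26, vendor ID 9, vendor type 1), which the post does not spell out; the function names and sample bytes are constructed for illustration.

```python
import struct

CISCO_VENDOR_ID = 9        # IANA enterprise number for Cisco
CISCO_AVPAIR = 1           # vendor type 1 = cisco-av-pair (string), assumed carrier
VENDOR_SPECIFIC = 26       # RADIUS Vendor-Specific attribute (RFC 2865)

def encode_avpair(text):
    """Encode one AV pair string as a Vendor-Specific attribute."""
    value = text.encode("ascii")
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(value) + 2) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + vsa
    if len(body) + 2 > 255:
        raise ValueError("AV pair too long for one attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def cisco_avpairs(attrs):
    """Return the cisco-av-pair strings in a raw RADIUS attribute list."""
    found, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        data = attrs[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(data) >= 6:
            vendor = struct.unpack("!I", data[:4])[0]
            j = 4
            while vendor == CISCO_VENDOR_ID and j + 2 <= len(data):
                vtype, vlen = data[j], data[j + 1]
                if vlen < 2 or j + vlen > len(data):
                    raise ValueError("malformed sub-attribute")
                if vtype == CISCO_AVPAIR:
                    found.append(data[j + 2:j + vlen].decode("ascii", "replace"))
                j += vlen
        i += alen
    return found


def missing_prime_authz(attrs):
    """List which of the two AV pairs from the post are absent."""
    keys = {p.split("=", 1)[0] for p in cisco_avpairs(attrs) if "=" in p}
    return [k for k in ("NCS:role0", "NCS:virtual-domain0") if k not in keys]

# Constructed sample: a Reply-Message (type 18) followed by both AV pairs.
GOOD = (b"\x12\x04ok" + encode_avpair("NCS:role0=Admin")
        + encode_avpair("NCS:virtual-domain0=ROOT-DOMAIN"))
# Constructed failure case: the network policy returns only the role.
BAD = encode_avpair("NCS:role0=Admin")
```

Feed `cisco_avpairs` the attribute bytes that follow the 20-byte RADIUS header in a capture of the NPS reply; the output also shows exactly which role and virtual domain the policy grants, which is worth reviewing against least privilege.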

4 Replies

root_taker
Level 1

Had you ever found a resolution for this? I am fighting with the same thing right now...

Andre Toms
Level 1

I am running into a similar issue, but I'm trying to use tac_plus (TACACS+) on Linux instead of RADIUS. Like Adam, I'd like to know if you've solved the issue, as this could help me out as well.


Adam,

That's a nice writeup over on your blog. It would make a nice addition here on CSC as a Document in this forum.

Thanks for sharing the resolution.