Prime Infrastructure AAA with ISE

grabonlee (Level 4)

Hello,

 

I have configured Authc and Authz policies as follows:

 

Authc:

If Radius-NAS-Port-Type EQUALS Virtual, then Default Network Access and use AD

Authz:

If Radius-NAS-Port-Type EQUALS Virtual

   AND AD Specific User Group

   then Authz Profile Permissions (Cisco av-pair = NCS:role0=Root and NCS:virtual-domain0=ROOT-DOMAIN)

 

I am able to authenticate successfully and the Authorisation permission is applied and I can see this from the Authentication logs, but after that it seems ISE goes back to the Default Authentication policy of Deny Access.

Please could anyone explain why this fails, as the Prime Admin guide doesn't have the proper configuration steps.

  

Accepted Solution

Seth Bjorn (Level 1)

For my authorization profile result in ISE for PI, I use the following:

 

Access Type = ACCESS_ACCEPT
cisco-av-pair = NCS:virtual-domain0=ROOT-DOMAIN
cisco-av-pair = NCS:role0=Root
 

Now you would obviously need to change this if you have multiple virtual domains in PI. It looks similar to what you are using.

 

My successful login is shown below (however I don't see the Virtual port type):

 

Source Timestamp: 2015-03-03 10:23:56.123
Received Timestamp: 2015-03-03 10:23:56.123
Policy Server: MYISESERVER
Event: 5200 Authentication succeeded
Failure Reason:
Resolution:
Root cause:
Username: mycoolusername
User Type:
Endpoint Id:
Endpoint Profile:
IP Address:
Identity Store: MYADIDENTITYSTORE
Identity Group:
Audit Session Id:
Authentication Method: PAP_ASCII
Authentication Protocol: PAP_ASCII
Service Type:
Network Device: PISERVERNAME
Device Type: Network Management
Location: Corporate Office
NAS IP Address: PI-IP-ADDRESS
NAS Port Id:
NAS Port Type:
Authorization Profile: Cisco-Prime-Infrastructure
Posture Status: NotApplicable
Security Group:
Response Time: 19

 

 

Try taking out the port type=virtual in your authorization profile config. I only see the port type=virtual in the authentication.

10 Replies

nspasov (Cisco Employee)

Are you saying that you are initially able to login as an administrator to Prime but then any subsequent authentications fail?

No. What I am saying is that I successfully authenticate and the authorisation policy+profile above is applied. But this fails despite the fact it's just a Cisco-av-pair as shown above. 

I can see from Operations > Authentication that Authentication is successful and Auth profile applied.

After this, I see fail and when I check the details, the message is Authentication > Default policy, subject not found in ID store.

I am not sure I fully understand the exact flow and the problem. Can you post screenshots of the following:

1. Prime radius and AAA configurations

2. ISE Policy Configuration 

3. Authentication screen of the failed/pass authentication

Please see attached

I should've updated long ago. I removed the NAS-Port-Type=Virtual condition and replaced it with the NDG created for Prime, i.e. Device:DeviceType=Prime.

 

For Authentication, I left the Radius=Virtual condition in the policy.
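Seth's accepted answer and the fix above both come down to the same point: an authorization rule that requires NAS-Port-Type=Virtual falls through to the Default (Deny Access) rule for any request that does not carry that attribute, while keying on the Prime network device group does not. The following toy model of that rule matching is an added example, not Cisco or ISE code; the rule names, AD group, user name and request contents are constructed, and it assumes, as the empty "NAS Port Type" field in the posted log suggests, that one of Prime's RADIUS requests arrives without NAS-Port-Type=Virtual.

```python
# Added example (not Cisco code): toy model of ISE authorization rule matching
# for the Prime Infrastructure case in this thread. Assumption: one of Prime's
# RADIUS requests arrives without NAS-Port-Type=Virtual.

PRIME_AV_PAIRS = ["NCS:role0=Root", "NCS:virtual-domain0=ROOT-DOMAIN"]
DEFAULT_DENY = ("DenyAccess", [])  # ISE's Default authorization rule in the OP's setup


def authorize(request, rules):
    """Return (profile, av_pairs) for the first rule whose conditions all match.

    rules: ordered list of (name, conditions, result); a condition is an
    (attribute, expected) pair checked against the request dict.
    """
    for _name, conditions, result in rules:
        if all(request.get(attr) == expected for attr, expected in conditions):
            return result
    return DEFAULT_DENY


def ncs_attributes(av_pairs):
    """Split NCS:key=value av-pairs into the role/domain map Prime consumes."""
    out = {}
    for pair in av_pairs:
        if pair.startswith("NCS:") and "=" in pair:
            key, value = pair[4:].split("=", 1)
            out[key] = value
    return out


# Original poster's rule: NAS-Port-Type=Virtual AND the AD group (constructed names).
ORIGINAL_RULES = [("Prime-Admins",
                   [("Radius-NAS-Port-Type", "Virtual"), ("AD-Group", "PrimeAdmins")],
                   ("Prime-Admin", PRIME_AV_PAIRS))]
# Fix from the thread: match on the Prime network device group instead.
FIXED_RULES = [("Prime-Admins",
                [("Device:DeviceType", "Prime"), ("AD-Group", "PrimeAdmins")],
                ("Prime-Admin", PRIME_AV_PAIRS))]

# Constructed requests: the first carries the Virtual port type, the second does not.
FIRST_REQUEST = {"User-Name": "alice", "Radius-NAS-Port-Type": "Virtual",
                 "Device:DeviceType": "Prime", "AD-Group": "PrimeAdmins"}
SECOND_REQUEST = {"User-Name": "alice", "Device:DeviceType": "Prime",
                  "AD-Group": "PrimeAdmins"}

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        for req in (FIRST_REQUEST, SECOND_REQUEST):
            profile, pairs = authorize(req, rules)
            print(f"{label:8} {profile:12} {ncs_attributes(pairs)}")
```

With the original rule set the second request lands on DenyAccess, which is the "Default policy" failure the thread describes; with the device-group condition both requests receive the Prime av-pairs.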
 

ALAN MURRAY (Level 1)

Hi,

Does anybody have a solution to this issue? I am having the same problem - it's as though a second request is sent to ISE which only matches up to the Default policy which, in my case, is deny access.

 

Thanks


Thanks, Seth. I'll try that.

Taking out the port-type=virtual in the authorization profile sorted things out for Alan and me. Thanks for taking the time to answer, Seth.

 

(We're still using role0=Admin, though, as appropriate for the permissions setup we're using)

Marco Aresu (Level 1)

Hello,

I am expecting the same problem.

Where will I remove port type=virtual?

In my authorization profile I have:

Access Type = ACCESS_ACCEPT
cisco-av-pair = NCS:role0=Root

Thanks

Marco
