Enthusiast

Prime Infrastructure AAA with ISE

Hello,

 

I have configured Authc and Authz policies as follows:

 

Authc:

If Radius-NAS-Port-Type EQUALS Virtual, then Default Network Access and use AD

Authz:

If Radius-NAS-Port-Type EQUALS Virtual

   AND AD Specific User Group

   then Authz Profile Permissions (Cisco av-pair = NCS:role0=Root and NCS:virtual-domain0=ROOT-DOMAIN)

 

I am able to authenticate successfully and the Authorisation permission is applied and I can see this from the Authentication logs, but after that it seems ISE goes back to the Default Authentication policy of Deny Access.

Please could anyone explain this failure, as the Prime Admin guide doesn't have the proper configuration steps.

  


10 Replies
Cisco Employee

Are you saying that you are initially able to login as an administrator to Prime but then any subsequent authentications fail?

Enthusiast

No. What I am saying is that I successfully authenticate and the authorisation policy + profile above is applied. But this fails despite the fact that it's just a Cisco-av-pair, as shown above.

I can see from Operations > Authentication that Authentication is successful and Auth profile applied.

After this, I see a failure, and when I check the details, the message is Authentication > Default policy, subject not found in ID store.

Cisco Employee

I am not sure I fully understand the exact flow and the problem. Can you post screenshots of the following:

1. Prime radius and AAA configurations

2. ISE Policy Configuration 

3. Authentication screen of the failed/pass authentication

Enthusiast

Please see attached

Enthusiast

I should've updated long ago. I removed the NAS-Port-Type=Virtual and replaced it with the NDG created for Prime, i.e. Device:DeviceType=Prime.

 

For Authentication, I left the Radius=Virtual in the policy.
 

Beginner

Hi,

Does anybody have a solution to this issue? I am having the same problem: it's as though a second request is sent to ISE which only matches the Default policy, which in my case is deny access.

 

Thanks

Beginner (Accepted Solution)

For my authorization profile result in ISE for PI, I use the following:

 

Access Type = ACCESS_ACCEPT
cisco-av-pair = NCS:virtual-domain0=ROOT-DOMAIN
cisco-av-pair = NCS:role0=Root
 

Now you would obviously need to change this if you have multiple virtual domains in PI. It looks similar to what you are using.

 

My successful login is shown below (however I don't see the Virtual port type):

 

Source Timestamp: 2015-03-03 10:23:56.123
Received Timestamp: 2015-03-03 10:23:56.123
Policy Server: MYISESERVER
Event: 5200 Authentication succeeded
Failure Reason:
Resolution:
Root cause:
Username: mycoolusername
User Type:
Endpoint Id:
Endpoint Profile:
IP Address:
Identity Store: MYADIDENTITYSTORE
Identity Group:
Audit Session Id:
Authentication Method: PAP_ASCII
Authentication Protocol: PAP_ASCII
Service Type:
Network Device: PISERVERNAME
Device Type: Network Management
Location: Corporate Office
NAS IP Address: PI-IP-ADDRESS
NAS Port Id:
NAS Port Type:
Authorization Profile: Cisco-Prime-Infrastructure
Posture Status: NotApplicable
Security Group:
Response Time: 19

 

 

Try taking out the port type=virtual in your authorization profile config. I only see the port type=virtual in the authentication.

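As an added example (not from this thread, not Cisco's code, and not how ISE is implemented), here is the exchange the replies above are talking about, built with only the Python standard library: Prime Infrastructure, acting as the RADIUS NAS, sends an Access-Request that carries the user's PAP password and NAS-Port-Type = Virtual (RFC 2865 value 5), and ISE answers with an Access-Accept whose authorization profile result travels as cisco-av-pair Vendor-Specific attributes (vendor 9, sub-type 1). The shared secret, username, password and NAS address are constructed values. NAS-Port-Type is a request-only attribute in RFC 2865, so it is never part of what ISE returns, which is why it has no place in the authorization profile result; the av-pair parser also handles the multi-domain case (role1, virtual-domain1, ...) that the reply mentions.

```python
# Added example, not from the thread: the PI (NAS) <-> ISE RADIUS exchange, stdlib only.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC, NAS_PORT_TYPE = 1, 2, 4, 26, 61
NAS_PORT_TYPE_VIRTUAL = 5          # RFC 2865 value; what PI sends for a web login
VENDOR_CISCO, CISCO_AVPAIR = 9, 1  # cisco-av-pair = Vendor-Specific, vendor 9, sub-type 1
SECRET = b"example-shared-secret"  # constructed PI <-> ISE shared secret (assumption)


def _attr(atype, value):
    """One RADIUS attribute TLV: type (1 byte), length incl. header (1 byte), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _cisco_avpair(text):
    """Vendor-Specific (26) attribute carrying one cisco-av-pair string."""
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + _attr(CISCO_AVPAIR, text.encode()))


def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    plain = password.encode()
    plain += b"\0" * (-len(plain) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(plain), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(plain[i:i + 16], key))
        hidden += prev
    return hidden


def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide: what the server does before checking the password."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\0").decode()


def parse_attributes(packet):
    """Yield (type, value) for every attribute after the 20-byte RADIUS header."""
    body, i = packet[20:], 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        yield atype, body[i + 2:i + alen]
        i += alen


def build_access_request(username, password, nas_ip, ident=1, authenticator=None, secret=SECRET):
    """What PI sends: User-Name, hidden User-Password, NAS-IP-Address, NAS-Port-Type=Virtual."""
    auth = os.urandom(16) if authenticator is None else authenticator
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, pap_hide(password, secret, auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def build_access_accept(request, avpairs, secret=SECRET):
    """What ISE returns for the matched profile: the av-pairs, signed with
    Response Authenticator = MD5(header + RequestAuthenticator + attrs + secret)."""
    attrs = b"".join(_cisco_avpair(p) for p in avpairs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(request, response, secret=SECRET):
    """NAS-side check: identifier matches and the Response Authenticator is valid."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(response[4:20], expected)


def nas_port_type(packet):
    """NAS-Port-Type value if present (only ever in the request), else None."""
    for atype, value in parse_attributes(packet):
        if atype == NAS_PORT_TYPE:
            return struct.unpack("!I", value)[0]
    return None


def cisco_avpairs(packet):
    """Every cisco-av-pair string carried in Vendor-Specific attributes."""
    pairs = []
    for atype, value in parse_attributes(packet):
        if atype != VENDOR_SPECIFIC or struct.unpack("!I", value[:4])[0] != VENDOR_CISCO:
            continue
        sub, j = value[4:], 0
        while j < len(sub):
            stype, slen = sub[j], sub[j + 1]
            if stype == CISCO_AVPAIR:
                pairs.append(sub[j + 2:j + slen].decode())
            j += slen
    return pairs


def ncs_permissions(avpairs):
    """Group NCS:<name><index>=<value> by name, ordered by index, so role0/role1 and
    virtual-domain0/virtual-domain1 (the multi-domain case) come out as lists."""
    grouped = {}
    for pair in avpairs:
        if not pair.startswith("NCS:"):
            continue
        key, _, value = pair[4:].partition("=")
        name = key.rstrip("0123456789")
        grouped.setdefault(name, {})[int(key[len(name):] or 0)] = value
    return {name: [by_idx[i] for i in sorted(by_idx)] for name, by_idx in grouped.items()}


if __name__ == "__main__":
    req = build_access_request("mycoolusername", "example-password", "192.0.2.10", ident=7)
    acc = build_access_accept(req, ["NCS:virtual-domain0=ROOT-DOMAIN", "NCS:role0=Root"])
    print("request NAS-Port-Type:", nas_port_type(req), "(5 = Virtual)")
    print("accept NAS-Port-Type:", nas_port_type(acc), "(never present in an Accept)")
    print("accept valid:", verify_response(req, acc), ncs_permissions(cisco_avpairs(acc)))
```

Run it as-is to see the request carry NAS-Port-Type 5 while the Accept carries only the two av-pairs; change the list passed to build_access_accept to role0/role1 and virtual-domain0/virtual-domain1 to see how a multi-domain profile is grouped.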

Beginner

Thanks, Seth. I'll try that.

Taking out the port-type=virtual in the authorization profile sorted things out for Alan and me. Thanks for taking the time to answer, Seth.

 

(We're still using role0=Admin, though, as appropriate for the permissions setup we're using)

Beginner

Hello,

I am experiencing the same problem.

Where do I remove port type=virtual?

In my authorization profile I have:

Access Type = ACCESS_ACCEPT
cisco-av-pair = NCS:role0=Root

Thanks

Marco