04-06-2015 05:44 AM - edited 03-10-2019 10:36 PM
Hi,
I want to access the Cisco PI 2.1 GUI using my AD credentials, so on PI I've enabled RADIUS AAA Mode and added RADIUS servers (two ISE nodes in our case). On ISE I added PI as a RADIUS client and configured the same keys. Next, on ISE I created an authorization profile PRIME_ADMIN_ACCESS with only attribute settings defined:
My authentication and authorization rules relating to that case are as in the following screenshots:
So when I open the GUI of PI and enter my AD credentials to log in, I have no success and I receive the following message:
Looking in ISE's Authentication section I can see the following:
The time difference between these two authentications/authorizations is just 25 msecs, and clicking on each of them reveals the following:
So at first I can authenticate and authorize (the authorization profile has the necessary attributes defined for PI management access (NCS:role0=Root, NCS:virtual-domain0=ROOT-DOMAIN)) and after 25 msecs I am getting a failure. So what could be the cause of this, and how can I successfully log in to the PI GUI, authenticating via ISE using AD credentials?
09-22-2015 02:33 PM
Hi Shahin,
I think the problem is the "Default - Internal Users" in your Authentication rule; it's likely hitting that after you've already successfully been authenticated and then it will fail.
Attached is my rule - if the condition is met, the default action is to check AD.
Hope that helps
Cheers,
John