Cisco Prime Infrastructure 2.1 GUI authentication via RADIUS server (Cisco ISE 1.2 integrated with AD)

Hi,

I want to access the Cisco PI 2.1 GUI using my AD credentials, so on PI I've enabled RADIUS AAA Mode and added RADIUS servers (two ISE nodes in our case). On ISE I added PI as a RADIUS client and configured the same keys. Next, on ISE I created the authorization profile PRIME_ADMIN_ACCESS with only attribute settings defined:

My authentication and authorization rules relating to that case are as in the following screenshots:

So when I open the GUI of PI and enter my AD credentials to log in, I have no success and I receive the following message:

Looking in ISE's Authentication section, I can see the following:

The time difference between these two authentications/authorizations is just 25 msecs, and clicking on each of them reveals the following:

So at first I can authenticate and authorize (the authorization profile has the necessary attributes defined for PI management access (NCS:role0=Root, NCS:virtual-domain0=ROOT-DOMAIN)) and after 25 msecs I am getting a failure. So what could be the cause of such things, and how can I successfully log in to the PI GUI, authenticating via ISE using AD credentials?

johncaston_2
Level 1

Hi Shahin,

I think the problem is the "Default - Internal Users" in your Authentication rule; it's likely hitting that after you've already successfully been authenticated, and then it will fail.

Attached is my rule - if the condition is met, the default action is to check AD.

Hope that helps

Cheers,

John