You have to provide the user role and allowed task list in cisco-av pairs in the Access-Accept message. Those attributes are used for authorization and for assigning privileges to users authenticated against external RADIUS. You can't authenticate a user with RADIUS and authorize based on the local task mapping to the user role on NCS; if authentication is configured against external RADIUS, then authorization is performed based on the attributes received in the response.
Please refer to the configuration details for NCS (same as PI):
I'm having the same issue and have a few questions/comments.
I can get root/admin access working via NPS/radius by just telling NPS to send PI the NCS:role0=Root (or Admin) and NCS:virtual-domain0=ROOT-DOMAIN radius attributes.
But I also have some users who I just want to give read-only access. I cannot seem to get this to work. At first I configured NPS to send PI the NCS:role0=Monitor Lite and NCS:virtual-domain0=ROOT_DOMAIN attributes. A user could log in, but would immediately get a "You do not have access to the page Monitoring Dashboards" error. Not to mention almost nothing shows in the menu. So I tried adding all of the individual tasks related to the "Monitor Lite" role into the radius policy:
NCS:role0=Monitor Lite
NCS:task0=Services Menu Access
NCS:task1=Alarm Stat Panel Access
NCS:task2=Automated Feedback
NCS:task3=Monitor Menu Access
NCS:task4=Theme Changer Access
NCS:task5=Maps Read Only
NCS:task6=Help Menu Access
NCS:task7=License Check
NCS:task8=Rogue Location
NCS:task9=Reports Menu Access
NCS:task10=Monitor Tags
NCS:task11=Alarm Browser Access
NCS:task12=Configure Menu Access
NCS:task13=Search Access
NCS:task14=Tools Menu Access
NCS:task15=Administration Menu Access
NCS:task16=Monitor Clients
NCS:task17=Home Menu Access
NCS:task18=Client Location
NCS:task19=OnlineHelp
NCS:task20=TAC Case Management Tool
but I'm not having any luck. The NPS radius logs always show success, but the read-only users always get the same error and almost nothing visible in the menus.
Has anyone successfully configured radius with something other than Admin or Root privileges?
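The attribute sets discussed in this thread can be sanity-checked before they go into a RADIUS policy. The following is an added example, not code from either poster or from Cisco: a small linter for `NCS:role<N>`, `NCS:task<N>` and `NCS:virtual-domain<N>` strings. The function names, the gap-free index rule and the operator-supplied `known_domains` set are assumptions of this example.

```python
import re
from collections import defaultdict

# Attribute shape seen in the thread: NCS:<kind><index>=<value>
AV_RE = re.compile(r"^NCS:(role|task|virtual-domain)(\d+)=(.+)$")

def parse_av_pairs(pairs):
    """Group cisco-av-pair strings by kind -> {index: value}; collect rejects."""
    groups, errors = defaultdict(dict), []
    for raw in pairs:
        m = AV_RE.match(raw.strip())
        if not m:
            errors.append(f"unparseable: {raw!r}")
            continue
        kind, idx, value = m.group(1), int(m.group(2)), m.group(3).strip()
        if idx in groups[kind]:
            errors.append(f"duplicate index: {kind}{idx}")
        groups[kind][idx] = value
    return groups, errors

def lint_av_pairs(pairs, known_domains):
    """Return a list of findings; an empty list means the set looks consistent."""
    groups, findings = parse_av_pairs(pairs)
    # Required kinds: role and task list (first reply) plus the virtual-domain
    # attribute used in the second post.
    for kind in ("role", "task", "virtual-domain"):
        idxs = sorted(groups.get(kind, {}))
        if not idxs:
            findings.append(f"missing: no {kind} attribute")
        elif idxs != list(range(len(idxs))):
            # Assumption: indices run 0..n-1 without gaps, as in the thread's lists.
            findings.append(f"index gap: {kind} indices {idxs}")
    for idx, name in sorted(groups.get("virtual-domain", {}).items()):
        if name not in known_domains:  # known_domains is supplied by the operator
            findings.append(f"unknown virtual domain: virtual-domain{idx}={name}")
    return findings

# Constructed sample policy (not taken from a real server).
SAMPLE = [
    "NCS:role0=Monitor Lite",
    "NCS:task0=Monitor Menu Access",
    "NCS:task2=Help Menu Access",          # gap: task1 is missing
    "NCS:virtual-domain0=ROOT_DOMAIN",     # spelling differs from known_domains
]

if __name__ == "__main__":
    for finding in lint_av_pairs(SAMPLE, known_domains={"ROOT-DOMAIN"}):
        print(finding)
```

Pass the virtual domain names exactly as they are defined on the server in `known_domains`; the check is a case-sensitive string comparison.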