Occasional Contributor II

Policy Manager TACACS authorization for Prime (CiscoWorks) LMS

Our organization has both Prime Infrastructure (for wireless) as well as Prime (CiscoWorks) LMS for all of our routing/switching equipment. Prime Infrastructure has an easy method to download a TACACS or RADIUS task list that I was able to add into Policy Manager to map a user into a defined role in the tool. I am not able to find this same task list with the CiscoWorks LMS tool.

I have asked Cisco and they have not been able to assist me with this, and I was wondering if anyone in the community has a working example of what the enforcement profile syntax would look like from the service attributes perspective.

Joseph Slawinski :: Mobility Architect
CCNP, ACMP, ACCP, CWNA
Frequent Contributor II

Re: Policy Manager TACACS authorization for Prime (CiscoWorks) LMS

I am not at work right now, but we are using ClearPass RADIUS to authenticate Cisco Prime users using the Cisco Prime roles.

Is there any specific reason you wish to use TACACS?


Bruce Osborne - Wireless Engineer
ACCP, ACMP
Frequent Contributor II

Re: Policy Manager TACACS authorization for Prime (CiscoWorks) LMS

When using RADIUS, the Cisco Prime roles control the access details. The CPPM Enforcement Profile is quite simple. You need to return, at a minimum, 2 attributes.

For example,

Radius:Cisco Cisco-AVPair = NCS:role0=Admin

Radius:Cisco Cisco-AVPair = NCS:virtual-domain0=ROOT-DOMAIN

This is for a Prime Admin user, of course.

You can see the role information by going to:

Administration / Users / Users, Roles, & AAA / User Groups and click on the Task List link beside the desired role.  The top line is the role information needed. Note that this page says

  "If the size of the RADIUS attributes on your AAA server is more than 4096 bytes, Please copy ONLY role attributes,PI will retrieve the associated TASKS"

This is the key to simplify this. I believe TACACS would need to send all the Custom Attributes.

There is a Cisco authentication document online, focussed on Cisco ACS. Contact me off-list if you want a link. I hesitate to post a competitor's link on this forum. 


Bruce Osborne - Wireless Engineer
ACCP, ACMP
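
The attribute set described in the reply above, as an added example that is not part of the original thread and not Cisco or Aruba code: it lints a list of Cisco-AVPair values before they are entered in a ClearPass enforcement profile and falls back to role and virtual-domain entries when the list exceeds the 4096-byte limit quoted from the Task List page. Assumptions: the `NCS:taskN=` entry form, the duplicate-index rule, and measuring size as the summed byte length of the values; the sample task names are constructed.

```python
import re

MAX_ATTR_BYTES = 4096  # limit quoted from the Prime Task List page in the post
# Value format from the post: NCS:<kind><index>=<value>. The "task" kind is an
# assumption about the exported list; the post itself shows only the other two.
AVPAIR = re.compile(r"^NCS:(role|task|virtual-domain)(\d+)=(.+)$")
REQUIRED = ("role", "virtual-domain")

def parse(values):
    """Group Cisco-AVPair values by kind, rejecting malformed or duplicate entries."""
    parsed = {"role": {}, "task": {}, "virtual-domain": {}}
    for raw in values:
        value = raw.strip()
        m = AVPAIR.match(value)
        if not m:
            raise ValueError(f"not an NCS AV pair: {raw!r}")
        kind, index = m.group(1), int(m.group(2))
        if index in parsed[kind]:  # lint rule chosen for this example
            raise ValueError(f"duplicate {kind}{index}")
        parsed[kind][index] = value
    return parsed

def build_profile(values, limit=MAX_ATTR_BYTES):
    """Return the Cisco-AVPair values to enter in the enforcement profile."""
    parsed = parse(values)
    for kind in REQUIRED:
        if not parsed[kind]:
            raise ValueError(f"missing required {kind} attribute")
    full = [v.strip() for v in values]
    # Assumption: size is approximated as the summed byte length of the values.
    if sum(len(v.encode("utf-8")) for v in full) <= limit:
        return full
    # Over the limit: keep only role and virtual-domain entries, in index order.
    return [parsed[k][i] for k in REQUIRED for i in sorted(parsed[k])]

# Constructed sample input (task names are made up for the example).
SAMPLE_SMALL = ["NCS:role0=Admin", "NCS:virtual-domain0=ROOT-DOMAIN"]
SAMPLE_LARGE = SAMPLE_SMALL + [f"NCS:task{i}=Constructed Task {i}" for i in range(300)]

if __name__ == "__main__":
    for name, sample in (("small", SAMPLE_SMALL), ("large", SAMPLE_LARGE)):
        kept = build_profile(sample)
        print(f"{name}: {len(sample)} values in, {len(kept)} kept")
```
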
Occasional Contributor II

Re: Policy Manager TACACS authorization for Prime (CiscoWorks) LMS

I am not having an issue with Prime. I have successfully ported the custom task list from Prime into the service attributes in ClearPass.

My issue is with CiscoWorks LMS.  There is no task list option for this tool and no concept of root-domain.  With that being said, I was hoping someone had experience setting up LMS in ClearPass.

Joseph Slawinski :: Mobility Architect
CCNP, ACMP, ACCP, CWNA
New Contributor

Re: Policy Manager TACACS authorization for Prime (CiscoWorks) LMS

Hi Joseph,

May I ask if you were ever able to have TACACS authorization done for LMS in ClearPassPM?

I'm trying to do the same thing now so was curious if you did figure it out and how I can find the attributes.

thank you!

Nicole
