04-28-2016 07:20 AM
Our organization has both Prime Infrastructure (for wireless) as well as Prime (CiscoWorks) LMS for all of our routing/switching equipment. Prime Infrastructure has an easy method to download a TACACS or RADIUS task list that I was able to add into Policy Manager to map a user into a defined role in the tool. I am not able to find this same task list with the CiscoWorks LMS tool.
I have asked Cisco and they have not been able to assist me with this, and I was wondering if anyone in the community has a working example of what the enforcement profile syntax would look like from the service attributes perspective.
CCNP, ACMP, ACCP, CWNA
05-02-2016 05:02 PM
I am not at work right now, but we are using ClearPass RADIUS to authenticate Cisco Prime users using the Cisco Prime roles.
Is there any specific reason you wish to use TACACS?
05-03-2016 05:20 AM
When using RADIUS, the Cisco Prime roles control the access details. The CPPM Enforcement Profile is quite simple. You need to return, at a minimum, 2 attributes.
Radius:Cisco Cisco-AVPair = NCS:role0=Admin
Radius:Cisco Cisco-AVPair = NCS:virtual-domain0=ROOT-DOMAIN
This is for a Prime Admin user, of course.
You can see the role information by going to:
Administration / Users / Users, Roles, & AAA / User Groups and click on the Task List link beside the desired role. The top line is the role information needed. Note that this page says
"If the size of the RADIUS attributes on your AAA server is more than 4096 bytes, Please copy ONLY role attributes,PI will retrieve the associated TASKS"
This is the key to simplify this. I believe TACACS would need to send all the Custom Attributes.
There is a Cisco authentication document online, focussed on Cisco ACS. Contact me off-list if you want a link. I hesitate to post a competitor's link on this forum.
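As an added example (not part of the original posts, and not Aruba or Cisco code), a small Python check for enforcement-profile lines written the way the reply above writes them: it confirms the attribute name is Cisco-AVPair, that NCS:role0 and NCS:virtual-domain0 are both present, and that the payload stays within the 4096-byte limit quoted from Prime. The NCS:taskN= form for task entries, the byte-count method and all function names are assumptions.

```python
import re

MAX_ATTR_BYTES = 4096  # limit quoted on the Prime Task List page
LINE_RE = re.compile(r"^Radius:Cisco\s+(\S.*?)\s*=\s*(NCS:.+)$")
# Assumption: task entries use the form NCS:taskN=...; the thread does not show one.
PAIR_RE = re.compile(r"^NCS:(role|virtual-domain|task)(\d+)=(.+)$")

def parse(lines):
    """Split profile lines into (kind, index, value, raw_pair) plus findings."""
    entries, findings = [], []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            findings.append(f"not a Radius:Cisco line: {line!r}")
            continue
        name, pair = m.groups()
        if name != "Cisco-AVPair":
            findings.append(f"attribute name {name!r} should be 'Cisco-AVPair'")
        p = PAIR_RE.match(pair)
        if not p:
            findings.append(f"unrecognised AV pair: {pair!r}")
            continue
        entries.append((p.group(1), int(p.group(2)), p.group(3), pair))
    return entries, findings

def check_profile(lines):
    """Return findings for an enforcement profile; an empty list means it passes."""
    entries, findings = parse(lines)
    for kind in ("role", "virtual-domain"):
        if not any(k == kind and i == 0 for k, i, _, _ in entries):
            findings.append(f"missing NCS:{kind}0")
    # Assumption: size is the sum of the UTF-8 lengths of the AV-pair values.
    size = sum(len(pair.encode("utf-8")) for *_, pair in entries)
    if size > MAX_ATTR_BYTES:
        findings.append(f"{size} bytes exceeds {MAX_ATTR_BYTES}: return role attributes only")
    return findings

def minimal_profile(lines):
    """Keep only the role and virtual-domain lines, dropping task entries."""
    entries, _ = parse(lines)
    return [f"Radius:Cisco Cisco-AVPair = {pair}"
            for kind, _, _, pair in entries if kind != "task"]

# Constructed sample: a two-line profile whose second attribute name is mistyped.
SAMPLE = [
    "Radius:Cisco Cisco-AVPair = NCS:role0=Admin",
    "Radius:Cisco Cisco AVPair = NCS:virtual-domain0=ROOT-DOMAIN",
]
```

Running `check_profile` on a pasted task list before saving the profile shows whether it needs trimming; `minimal_profile` produces the role-only form that the Prime page recommends for oversized lists.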
05-03-2016 05:50 AM
I am not having an issue with Prime. I have successfully ported the custom task list from Prime into the service attributes in ClearPass.
My issue is with CiscoWorks LMS. There is no task list option for this tool and no concept of root-domain. With that being said, I was hoping someone had experience setting up LMS in ClearPass.
CCNP, ACMP, ACCP, CWNA
4 weeks ago
May I ask if you were ever able to have TACACS authorization done for LMS in ClearPassPM?
I'm trying to do the same thing now so was curious if you did figure it out and how I can find the attributes.