AAA, NAC, Guest Access & BYOD

Problem:

Cisco Prime TACACS+ login error "No authorization information found for Remote Authenticated User"

• We can see that the Web UI access granted in the Access Tracker ( i.e Authentication succeeded with no error or alerts in the CPPM Access Tracker )
• But we can notice that still get the same error message on the Cisco Prime website when we try to login

The Cisco Prime needs to receive TACACS+ attributes from the AAA server to grant access and assign privileges and tasks to the user.

• Collect the TACACS+ attributes from the Virtual Domain configuration in the CISCO Prime. In the menu options navigate to Administration Users Virtual Domains. At the upper right corner, you have the option to "Export Custom Attributes".

• Collect the list of TACACS+ Attributes from the Cisco Prime User Group  ( Navigate to Administration / Users / Users, Role & AAA / User Groups. Click the "Task List" option next to the User Group to get the attributes )

TACACS+ Attributes from the Cisco Prime User Group :

role0=Admin
task0=Mesh Reports
task1=Discovery Schedule Privilege
task2=Saved Reports List
task3=Monitor Menu Access
task4=Device WorkCenter
task5=Inventory Menu Access
task6=Add Device Access
task7=Config Audit Dashboard
task8=Custom NetFlow Reports
task9=Apic Controller Read Access
task10=Configuration Templates Read Access
task11=Alarm Policies Edit Access
task12=High Availability Configuration
task13=View Job
task14=Incidents Alarms Events Access
task15=TAC Case Management Tool
task16=Configure Autonomous Access Point Templates
task17=Import Policy Update
task18=PnP Profile Read-Write Access
task19=SSO Server AAA Mode
task20=Alarm Browser Access
task21=Client Location
task22=Configure WIPS Profiles
task23=System Settings
task24=Appliance
task25=Credential Profile Add_Edit Access
task26=Users and Groups
task27=Edit Device Access
task28=Wireless FRAConfiguration Groups Access
task29=Monitor Ethernet Switches
task30=Remove Clients
task31=Unsanitized Device Config Export
task32=Monitor Mobility Devices
task33=Auto Provisioning
task34=Wireless Configuration Groups Access
task35=View Compute Devices
task36=Configure Third Party Controllers and Access Point
task37=Monitor Chokepoints
task38=Application Server Management Access
task39=Home Menu Access
task40=Run Reports List
task41=Configure Config Groups
task42=Performance Dashboard Access
task43=Apic Global PnP Read Access
task44=Swim Upgrade Analysis
task45=Advanced search access
task46=View Alerts and Events
task47=Swim Collection
task48=License Check
task49=Configure Templates
task50=Monitor Security
task51=Service Health Access
task52=Site Visibility Access
task53=Device View configuration Access
task54=Approve Job
task55=Discovery CRUD Privilege
task56=RADIUS Servers
task57=Monitor Spectrum Experts
task58=Email Notification
task59=Alarm Stat Panel Access
task60=System Jobs Tab Access
task61=Apic Global PnP Write Access
task62=Maps Read Write
task63=Administrative privileges under Manage and Monitor Servers page
task64=Export Groups
task65=Maps Menu Access
task66=Monitor Tags
task67=System Monitoring Dashboard
task68=Monitor Interferers
task69=Device Bulk Import Access
task70=View Audit Logs Access
task71=Configure Guest Users
task72=Configure Menu Access
task73=Configure Controllers
task74=Configure Switch Location Configuration Templates
task75=Mobility Service Management
task76=WIPS Service
task77=Configure Mobility Devices
task78=Swim Info Update
task79=Help Menu Access
task80=Scheduled Tasks and Data Collection
task81=Monitoring Policies
task82=Pick and Unpick Alerts
task83=Rogue Location
task84=Delete Device Access
task85=Search Access
task86=Swim Recommondation
task87=Track Clients
task88=Voice Audit Report
task89=SSO Servers
task90=Delete and Clear Alerts
task91=Pause Job
task92=Admin Dashboard Access
task93=Network Topology Edit
task94=Configure ACS View Servers
task95=Application and Services Access
task96=Edit Job
task97=Device Reports
task98=Logging
task99=Configure ISE Servers
task100=CleanAir Reports
task101=OnlineHelp
task102=Compliance Audit PAS Access
task103=Raw NetFlow Reports
task104=Credential Profile View Access
task105=View CAS Notifications Only
task106=Delete Group Members
task107=Custom Trap Event
task108=System Monitoring Reports
task109=Audit Trails
task110=Compliance Audit Fix Access
task111=Custom Syslog Event
task112=Ack and Unack Security Index Issues
task113=Software Updates UBF Upload
task114=Configure Access Points
task115=Maps Read Only
task116=Cancel Job
task117=TrustSec Readiness Assessment
task118=Delete Groups
task119=Automated Feedback
task120=Scheduled Configuration Tasks
task121=Voice Diagnostics
task122=Product Feedback
task123=View Alert Condition
task124=Configure Ethernet Switches
task125=PfR Monitoring Access
task126=Performance Reports
task127=Manage and Monitor Servers Page Access
task128=PnP Preferences Read-Write Access
task129=Device Detail UDF
task130=Delete Job
task131=Schedule Job
task132=Configure Spectrum Experts
task133=Add Group Members
task134=Lync Monitoring Access
task135=Network Summary Reports
task136=Reports Menu Access
task137=Design Configuration Template Access
task138=Import Groups
task139=Custom Composite Report
task140=Security Reports
task141=Identify Unknown Users
task142=Tools Menu Access
task143=Design Endpoint Site Association Access
task144=Export Audit Logs Access
task145=Alarm Policies
task146=Health Monitor Details
task147=Guest Reports
task148=Apic Controller Write Access
task149=Credential Profile Delete Access
task150=Compliance Reports
task151=Services Menu Access
task152=Compliance Audit Profile Access
task153=Discovery View Privilege
task154=Device Config Backup Job Edit Access
task155=Planning Mode
task156=Export Device Access
task157=Virtual Elements Tab Access
task158=Config Archive Read-Write Task
task159=Modify Groups
task160=Configure Lightweight Access Point Templates
task161=Monitor Access Points
task162=User Preferences
task163=Monitor Clients
task164=License Center/Smart License
task165=Disable Clients
task166=Monitor WiFi TDOA Receivers
task167=Ack and Unack Alerts
task168=Deploy Configuring Access
task169=Data Collection Management Access
task170=Identity Search Engine
task171=Report Launch Pad
task172=Report Run History
task173=Configure Choke Points
task174=Administration Menu Access
task175=Context Aware Reports
task176=Allow report/dashlet use for users with only NBI Read access
task177=Global SSID Groups
task178=Configure WiFi TDOA Receivers
task179=Swim Preference Save
task180=RRM Dashboard
task181=Client Reports
task182=Autonomous AP Reports
task183=PnP Deploy History Read-Write Access
task184=Global Variable Access
task185=Configure Ethernet Switch Ports
task186=PnP Profile Deploy Read-Write Access
task187=Wireless Dashboard Access
task188=Add Groups
task189=Migration Templates
task190=Run Job
task191=Virtual Domains List
task192=Packet Capture Access
task193=TACACS+ Servers
task194=Monitor Controllers
task195=Troubleshoot
task196=Swim Delete
task197=Monitor Media Streams
task198=Compliance Audit Policy Access
task199=View Security Index Issues
task200=Virtual Domain Management
task201=Manage Protocol
task202=Add Software Image Management Servers
task203=Network Topology
task204=MSAP Reports

• The User Group Root contains 204 tasks and roles which need to be added to the Enforcement Profile in ClearPass
• Adding all the attributes to the Enforcement Profiles assigns the correct authorization for the administrator users in Cisco Prime.
• Create a new enforcement profile with the all the TACACS+ attributes from the Cisco Prime "User Group" and the "Virtual Domain configuration" in the CISCO Prime

• Map the above enforcement profile to be returned to the TACACS+ user and you can notice successful WEB UI login