Cisco Prime Infrastructure 2.1 GUI authentication via RADIUS server (Cisco ISE 1.2 integrated with AD)

Hi,
I want to access the Cisco PI 2.1 GUI using my AD credentials, so on PI I've enabled RADIUS AAA Mode and added RADIUS servers (two ISE nodes in our case). On ISE I added PI as a RADIUS client and configured the same keys. Next, on ISE I created an authorization profile PRIME_ADMIN_ACCESS with only attribute settings defined:
My authentication and authorization rules relating to that case are as in the following screenshots:
So when I open the PI GUI and enter my AD credentials to log in, I have no success and receive the following message:
Looking in ISE's Authentication section I can see the following:
The time difference between these two authentications/authorizations is just 25 msecs, and clicking on each of them reveals the following:
So at first I can authenticate and authorize (the authorization profile has the necessary attributes defined for PI management access (NCS:role0=Root, NCS:virtual-domain0=ROOT-DOMAIN)) and after 25 msecs I get a failure. So what could be the cause of this, and how can I successfully log in to the PI GUI authenticating via ISE using AD credentials?

Hi,
-- Please go to Administration > Logging > set the Message level to TRACE > click Save
-- Then try to add the ISE.
-- Once it fails, collect the logs from Administration > Logging > check the "ncs-0-0.log", search the file for "ERROR" and paste the results here. This will give us the exact reason.
- Ashok
Please rate the post or mark as correct answer as it will help others looking for similar information
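
A way to check the two things the question depends on (matching shared keys and the role/virtual-domain attributes) from a captured Access-Accept, as an added example that is not part of the thread. It assumes ISE delivers NCS:role0 and NCS:virtual-domain0 as Cisco-AVPair (vendor 9, sub-type 1); the packet, key and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type (RFC 2865)
CISCO_VENDOR_ID = 9    # Cisco's enterprise number
CISCO_AVPAIR = 1       # vendor sub-type carrying "name=value" text
ACCESS_ACCEPT = 2

# Pairs quoted in the post; assumed here to travel as Cisco-AVPair.
REQUIRED = {"NCS:role0": "Root", "NCS:virtual-domain0": "ROOT-DOMAIN"}


def encode_avpair(text):
    """Wrap one "name=value" string in a Vendor-Specific attribute."""
    data = text.encode()
    sub = bytes([CISCO_AVPAIR, len(data) + 2]) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


def build_accept(ident, request_auth, secret, avpairs):
    """Construct a sample Access-Accept the way a RADIUS server would."""
    attrs = b"".join(encode_avpair(p) for p in avpairs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def walk_tlv(buf):
    """Yield (type, value) for a run of type/length/value records."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]


def check_accept(packet, request_auth, secret):
    """Return a list of findings; an empty list means the reply looks right."""
    if len(packet) < 20:
        raise ValueError("packet shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs = packet[20:length]
    findings = []
    if code != ACCESS_ACCEPT:
        findings.append("not an Access-Accept (code %d)" % code)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        findings.append("response authenticator mismatch (shared key differs?)")
    pairs = {}
    for atype, value in walk_tlv(attrs):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        for stype, sval in walk_tlv(value[4:]):
            if stype == CISCO_AVPAIR:
                name, _, val = sval.decode(errors="replace").partition("=")
                pairs[name] = val
    for name, want in REQUIRED.items():
        if name not in pairs:
            findings.append("missing %s" % name)
        elif pairs[name] != want:
            findings.append("%s is %r, expected %r" % (name, pairs[name], want))
    return findings


# Constructed sample values, not taken from the thread.
SECRET = b"constructed-shared-key"
REQUEST_AUTH = bytes(range(16))
GOOD = build_accept(7, REQUEST_AUTH, SECRET,
                    ["NCS:role0=Root", "NCS:virtual-domain0=ROOT-DOMAIN"])

if __name__ == "__main__":
    print(check_accept(GOOD, REQUEST_AUTH, SECRET))
```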

Similar Messages

  • Does Cisco Prime Infrastructure support / can it be run as a syslog server?

    Dear All,
    Does Cisco Prime Infrastructure support / can it be run as a syslog server?
    And,
    where can I see a network topology diagram using Cisco Prime Infrastructure?
    many thanks,
    Jerri

    Hello. Cisco Prime LMS will be replaced by Cisco Prime Infrastructure in the near future.
    In the current release of Cisco Prime Infrastructure you can't use topology diagrams. This feature is on the roadmap.
    About syslog, you can send syslogs to Cisco Prime Infrastructure, but I don't recommend using it as a syslog server. Please see this link for more information: https://supportforums.cisco.com/thread/2179520
    Please rate if this helps

  • Cisco Prime Infrastructure 2.0 import image via WAN link failed.

    Cisco Prime Infrastructure 2.0 behind NAT that can copy image on device to Cisco Prime Infra but cannot deploy from Cisco Prime Infra import image from device. How to solve the problem, please?

    Have you downloaded and applied the latest Device Pack updates?
    PI enhanced ASA support after the initial 2.0 release and the Device Packs incorporate that change.
    The README file for Device Packs explains how to install them. (A bug currently does not allow the direct download in PI, so you need to follow the method for installation from local storage after you manually download.) Here is a link to the download location.

  • Cisco Prime Infrastructure 1.3, Mail Configuration

    Hi,
    I have a Cisco Prime Infrastructure 1.3 and I want to set up the mail. When I test it, I get this error:
    Failed to send mail to primary SMTP server. Failed to send mail to secondary SMTP server. Please make sure that you save mail configuration by hitting 'Save' button.
    I have the IP address, and the username and password. Do I need to create a new mailbox for the Prime? Because by default the "From" field appears with
    [email protected]
    Thanks!!

    Some extra info that has just come to my attention. At one point we were running (we're actually still running) CiscoWorks with LMS3.2 and Cisco NCS 1.x. I merged these two things together into Cisco Prime Infrastructure (upgraded the licensing to get 450 lifecycle licenses to cover the APs + all of the devices coming from LMS3.2). I followed all of the documented procedures to upgrade the NCS appliance to Prime Infrastructure. But when I type "show application" from the CLI of the NCS appliance (now the Prime Infrastructure appliance) I see this:
    HQ-NCS1/admin# show application
    NCS             Cisco Prime Network Control System
    Is that normal? Maybe this is my problem. Should this output list "Cisco Prime Infrastructure" instead of (or in addition to) Cisco Prime Network Control System? When I log in to the GUI it shows "Cisco Prime Infrastructure" and the GUI has changed considerably (menus are different), so I'm assuming that the application upgrades I launched from the CLI to go to Prime Infrastructure worked fine.

  • Cisco Prime Infrastructure Scheduled Configuration Archive not executing

    We have a deployment of Cisco Prime Infrastructure 1.3 (1.3.0.20).
    Configuration Archive is a feature that collects and archives the device configurations, i.e. Cisco switches.
    You have an option to schedule this to run, say daily, weekly etc. Once scheduled you can see it in the "Jobs Dashboard" with the "next start time" of what you configured. I have a situation whereby at the time it is supposed to start, it doesn't; however, it flags the job as a "success". No new device configurations are archived and the "next start time" remains the same. It's almost like it is failing to execute, but some other process under the hood thinks that it has been executed correctly?
    Any ideas or experience that could help here would be appreciated!


  • Cisco Prime Infrastructure 1.3 - SNMPv3 can't get CPU, memory info.

    Hi,
    I have a Cisco Prime Infrastructure 1.3 deployment with Catalyst 2960S switches. Switches are running IOS 15.0(2) SE2. All switches have SNMPv2 configured, and all appears to be fine. I'm migrating one switch to SNMPv3, and PI has reachability to the switch, but PI doesn't receive traps from the switch, nor does it poll CPU and memory information (all displays 0.00%).
    Does somebody have a sample configuration of SNMPv3 with Cisco Prime (Infrastructure or LMS)? I cannot find a Cisco official (or unofficial) document related to this version; usually all mention SNMPv2.
    Thank you.
    Eduardo

    Hi Eduardo:
    SNMPv3 is indeed supported for general administration. There's a bug with SWIM using SNMPv3 (CSCud92758), but you should be fine for just monitoring. Have you deleted the switch, waited until Prime Infrastructure told you it was gone, then re-added it as SNMPv3 natively? Bug CSCug78869 keeps things from working well when changing SNMP versions.
    If you don't have the new Update-1 patch for Prime Infrastructure 1.3.0.20 (filename PI_1.3.0.20_Update_1-12.tar.gz) installed, I'd suggest you get it. While it's not going to specifically address this issue, there are a lot of really good fixes in it.
    Release Notes for Update 1 for Cisco Prime Infrastructure 1.3.0.20

  • Cisco Prime Infrastructure 1.2 - Remote FTP repository Sizing Guide

    Can anyone provide a link to a sizing guide for remote FTP repository for backing up Cisco Prime Infrastructure 1.2 to a remote FTP server?

    A personal observation: in PI 1.1, with the small OVA we were running around 300 APs and I had noticeable slowness and issues. At that time, TAC mentioned that I should go with the medium as it was a known problem. Now, despite being on 1.2 and a lot of the issues resolved (and now new ones), if faced with the need to start over and I could spare the hardware, I would still go with the medium. My personal opinion is that Cisco VMs require way too much. On the other hand, knowing that it's relying on a built-in Oracle DB, which from my experience with virtual servers, databases in VM = bad, it's understandable. Not everyone agrees with this point, from VM gurus to DB geniuses, and I'm not a professional VM guy, just play one on TV, but personally I shove as much hardware as I can afford from my host at it if it's a DB in a VM. This comes from being in an enterprise with multiple Oracle DBs in multiple VM environments. My 2 cents.

  • Upgrade NCS 1.1.1.24 to Cisco Prime Infrastructure 1.2

    Having a problem installing the ncs_patch-1.1.1.24-upgrade-pi_1.2.tar.gz patch file on a virtual NCS before upgrading it to Cisco Prime Infrastructure 1.2.
    I've followed the Cisco Prime Infrastructure 1.2 Quick Start Guide and did not have the same success as described in the document (see below):
    gmsncs/admin# dir disk:defaultRepo/
    Directory of disk:defaultRepo/
      508376482 Sep 13 2012 05:38:25  backup-20120913-0530.tar.gpg
      853768584 Sep 20 2012 05:40:17  backup-20120920-0530.tar.gpg
         127019 Sep 26 2012 16:40:58  ncs_patch-1.1.1.24-upgrade-pi_1.2.tar.gz
               Usage for disk: filesystem
                     1544204288 bytes total used
                    27185573888 bytes free
                    30293413888 bytes available
    gmsncs/admin# patch install disk:defaultRepo/ncs_patch-1.1.1.24-upgrade-pi_1.2.tar.gz defaultRepo
    Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
    Generating configuration...
    Saved the ADE-OS running configuration to startup successfully
    Initiating Application Patch installation...
    % Local file not found
    Does anybody have experience with this procedure?
    Thank You
    --- Update ---
    Skipped Step 4 and followed Step 5 in the Quick Start Guide, however now I receive a different error:
    gmsncs/admin# dir disk:/defaultRepo
    Directory of disk:/defaultRepo
      926193986 Sep 26 2012 17:48:12  GRDbackup-120926-1736.tar.gpg
      508376482 Sep 13 2012 05:38:25  backup-20120913-0530.tar.gpg
      853768584 Sep 20 2012 05:40:17  backup-20120920-0530.tar.gpg
         127019 Sep 26 2012 16:40:58  ncs_patch-1.1.1.24-upgrade-pi_1.2.tar.gz
               Usage for disk: filesystem
                     2471309312 bytes total used
                    26258468864 bytes free
                    30293413888 bytes available
    gmncs/admin# patch install GRDbackup-120926-1736.tar.gpg defaultRepo
    Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
    Generating configuration...
    Saved the ADE-OS running configuration to startup successfully
    Initiating Application Patch installation...
    % Manifest file not found in the bundle
    gmsncs/admin#

    Hi, Thank you again for your help, but I am still stuck. I have gathered the outputs from ncs start and a ncs status afterwards. Currently I am not able to access the web-UI of NCS..
    deberncs01/admin# ncs start
    Starting Network Control System...
    This may take a few minutes...
    Dependency Check Failed: Matlab is not running.
    Dependency Check Failed: Ftp is not running.
    Dependency Check Failed: Tftp is not running.
    Failure during Network Control System startup.  Check launchout.log for details.
    start
    deberncs01/admin#
    deberncs01/admin#
    deberncs01/admin#
    deberncs01/admin#
    deberncs01/admin#
    deberncs01/admin# ncs stat
    Health Monitor is running, with an error.
    failed to start NCS on startup Health Monitor
    Reporting Server is Starting
    Ftp Server is Failure
    Database server is stopped
    Tftp Server is running
    Matlab Server is running
    NMS Server is stopped.
    SAM Daemon is not running ...
    DA Daemon is not running ...
    Syslog Daemon is not running ...
    status
    deberncs01/admin#
    Anyone got a clue on that? And where can I find that launchout.log on NCS? Thank you

  • Cisco Prime Network and Cisco Prime Infrastructure

    Hi,
    What is the difference between Cisco Prime Network and Cisco Prime Infrastructure?
    Please advise.

    I assume you are asking about Cisco Prime LAN Management System (LMS) vs. Cisco Prime Infrastructure (PI).
    LMS is currently the leading Cisco offering for wired infrastructure management. It is the evolution of the earlier CiscoWorks LMS, CiscoWorks RWAN, CiscoWorks 2000, CWSI, VLAN Director, original CiscoWorks classic etc. products going back almost 20 years.
    PI is the equivalent Cisco offering for wireless LANs and is the successor to NCS and WCS products.
    The overlap and confusion comes from the fact that Cisco is positioning PI as the overall wireless and wired management platform and gradually introducing wired network management features to make it equal (and eventually exceed) LMS's capabilities.
    There is a comparison table here that shows the current differences. A major new release of PI (2.0) is due out shortly which will close many (but not all) of the gaps on that table.

  • Cisco Prime Infrastructure release 2.1 configuration archiving on Cisco WiSM2

    Hi all,
    Just wondering, does Cisco Prime Infrastructure release 2.1 support configuration archiving on Cisco WiSM2?
    The Cisco release 2.0 mentioned that it doesn't support configuration archiving for WiSM2, but release 2.1 doesn't mention anything on it.
    Please assist.

    No, it is not supported even for PI 2.1.

  • What are the features supported in Cisco Prime Infrastructure for WLAN for autonomous APs?

    What are the features supported in Cisco Prime Infrastructure for WLAN for autonomous APs?

    • PI provides visibility for autonomous clients within the same list view as lightweight and wired clients (client list page).
    • Rogue AP detection for autonomous APs is not supported (it's supported in CUWN).
    • Alarms/events for client authentication issues (e.g. authentication failure) are displayed in PI.
    • Config management for autonomous APs is via CLI template. Config comparison and archiving functionality in PI leverages these same features that were brought in from LMS, so need to defer to others in terms of whether this is a cross-platform feature in PI or is only supported on a subset of platforms. Config comparison/archive is supported in CUWN. PI supports both infrastructure (e.g. AP Tx Power and Channel, busiest AP, AP utilization, etc.) and client (e.g. client count, client sessions, etc.) reports, and there are extensive reports for CUWN.

  • User Name and Password for Cisco Prime Infrastructure 2.1

    Hi all:
    I am stuck at the login page of Cisco Prime Infrastructure 2.1.
    I have tried using the user name root and its password (when logging in with root at the vSphere Client) and also the login user name "before" getting into the appliance infrastructure; none of them work.
    Does anybody know what the default username or password is, or any way to set the username and password for this Cisco Prime Infrastructure 2.1 website?
    Thanks!
    tangsuan

    Hi Tangsuan,
    Following is the documented procedure for password recovery.
    In order to modify the GUI root user password, you will need to log in to the NCS CLI
    as an admin user, and enter the command
    "ncs password root password <new password>" (without the quotes)
    This should set the web interface root user password:
    http://www.cisco.com/en/US/docs/wireless/ncs/1.1/configuration/guide/manag.html#wp1268889
    If you have lost your CLI password, try the default login, that is,
    the CLI user is admin and not root, so please try logging in as admin with
    the password that was set during setup. If that does not work, you need
    the install disk that came with the appliance to recover that password.
    Follow these steps:
    Recovering a Lost Admin Password
    If you lose or forget the admin password for NCS appliance, follow these steps.
    Step 1 Reboot the NCS appliance with the ISO DVD inserted. The Cisco Prime Network Control
    System Welcome screen appears:
    ISOLINUX 3.11 2005-09-02  Copyright (C) 1994-2005 H. Peter Anvin
                 Welcome to Cisco Prime Network Control System
    To boot from hard disk, press <Enter>.
    Available boot options:
       [1] Network Control System Installation (Keyboard/Monitor)
       [2] Network Control System Installation (Serial Console)
       [3] Recover administrator password. (Keyboard/Monitor)
       [4] Recover administrator password. (Serial Console)
    <Enter> Boot existing OS from Hard Disk.
    Enter boot option and press <return>.
    boot:
    Step 2 Select the desired recovery option, 3 or 4, depending on how you
    are connected to the appliance and then follow the prompts.
    Thanks-
    Afroz
    ***Ratings Encourages Contributors ****

  • Cisco Prime Infrastructure 2.0 - no traps/info are pushed from devices

    Good evening,
    I have set up Cisco Prime Infrastructure 2.0 and, though I have added manually my 4 network cores as devices without any problem, I can't get a single trap or a single SNMP information to be pushed into my Cisco Prime Infra.
    Here is my SNMP config on my core:
    snmp-server user *edited* *edited* v3
    snmp-server  group *edited* v3 noauth notify  *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
    snmp-server community *edited* RO
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps flowmon
    snmp-server enable traps transceiver all
    snmp-server enable traps call-home message-send-fail server-fail
    snmp-server enable traps tty
    snmp-server enable traps rf
    snmp-server enable traps memory
    snmp-server enable traps cpu_threshold
    snmp-server enable traps eigrp
    snmp-server enable traps ospf state-change
    snmp-server enable traps ospf errors
    snmp-server enable traps ospf retransmit
    snmp-server enable traps ospf lsa
    snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
    snmp-server enable traps ospf cisco-specific state-change shamlink interface
    snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
    snmp-server enable traps ospf cisco-specific errors
    snmp-server enable traps ospf cisco-specific retransmit
    snmp-server enable traps ospf cisco-specific lsa
    snmp-server enable traps flex-links status
    snmp-server enable traps fru-ctrl
    snmp-server enable traps entity
    snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
    snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
    snmp-server enable traps ether-oam
    snmp-server enable traps aaa_server
    snmp-server enable traps flash insertion removal
    snmp-server enable traps l2tc threshold sys-threshold
    snmp-server enable traps power-ethernet police
    snmp-server enable traps rep
    snmp-server enable traps vswitch dual-active vsl
    snmp-server enable traps udld link-fail-rpt status-change
    snmp-server enable traps vtp
    snmp-server enable traps vlancreate
    snmp-server enable traps vlandelete
    snmp-server enable traps auth-framework sec-violation
    snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
    snmp-server enable traps envmon fan shutdown supply temperature status
    snmp-server enable traps entity-diag boot-up-fail hm-test-recover hm-thresh-reached scheduled-test-fail
    snmp-server enable traps port-security
    snmp-server enable traps ethernet evc status create delete
    snmp-server enable traps energywise
    snmp-server enable traps ipsla
    snmp-server enable traps vstack
    snmp-server enable traps bfd
    snmp-server enable traps bgp
    snmp-server enable traps bulkstat collection transfer
    snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
    snmp-server enable traps config-copy
    snmp-server enable traps config
    snmp-server enable traps config-ctid
    snmp-server enable traps event-manager
    snmp-server enable traps hsrp
    snmp-server enable traps ipmulticast
    snmp-server enable traps isis
    snmp-server enable traps msdp
    snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
    snmp-server enable traps bridge newroot topologychange
    snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
    snmp-server enable traps syslog
    snmp-server enable traps isakmp policy add
    snmp-server enable traps isakmp policy delete
    snmp-server enable traps isakmp tunnel start
    snmp-server enable traps isakmp tunnel stop
    snmp-server enable traps ipsec cryptomap add
    snmp-server enable traps ipsec cryptomap delete
    snmp-server enable traps ipsec cryptomap attach
    snmp-server enable traps ipsec cryptomap detach
    snmp-server enable traps ipsec tunnel start
    snmp-server enable traps ipsec tunnel stop
    snmp-server enable traps ipsec too-many-sas
    snmp-server enable traps errdisable
    snmp-server enable traps ethernet cfm alarm
    snmp-server enable traps vlan-membership
    snmp-server enable traps mac-notification change move threshold
    snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
    snmp-server host *ip-address-edited* version 3 noauth *edited*
    Basically all traps are enabled but absolutely nothing is showing up in my Prime Infra except that my 4 devices are "Reachable".
    Here is a show snmp on the same device:
    sh snmp
    Chassis: *S/N Edited*
    38554534 SNMP packets input
        0 Bad SNMP version errors
        14 Unknown community name
        0 Illegal operation for community name supplied
        0 Encoding errors
        38453185 Number of requested variables
        0 Number of altered variables
        17790703 Get-request PDUs
        20583581 Get-next PDUs
        0 Set-request PDUs
        0 Input queue packet drops (Maximum queue size 1000)
    38490708 SNMP packets output
        0 Too big errors (Maximum packet size 1500)
        0 No such name errors
        0 Bad values errors
        0 General errors
        38371069 Response PDUs
        13 Trap PDUs
    SNMP global trap: enabled
    SNMP agent enabled
    SNMP logging: enabled
        Logging to *edited*, 0/10, 13 sent, 0 dropped.
    Can anyone point out what is wrong or missing in my configuration? I can't seem to single it out myself.
    Thanks
    Jeremy

    Hi Jeremy,
    SNMP traps are shown in the events and alerts section of PI.
    SNMP config looks fine. Can you run the SNMP debug (debug snmp packets), check the logs and see if the device is actually sending the traps to the PI server?
    Thanks-
    Afroz
    [Do rate the useful post]
    ****Ratings Encourages Contributors ****

  • CiscoWorks LMS 3.0 to Cisco Prime Infrastructure LMS 4.2

    In order to complete the upgrade: the LMS 3.x runs on a physical server that ends with the upgrade (the server is going to be retired); the thing is that the Cisco Prime comes with a UCS and is going to run on a VM. The question here is, could the "Cisco Prime Infrastructure 1.1 - Maj Upg from LMS 2.x/3.x" media be run as a clean install, I mean with no LMS 3.x installed before? And could the "Prime Infrastructure LMS 4.2 - 1.5K Device Maj Upg Lic" be registered with no license of LMS 3.x installed?

    There are a couple of things to distinguish:
    1. The product SKU you need to order to migrate from LMS 3 to LMS 4.2.
    2. The license file that is installed on that new LMS server.
    #1 is based on Cisco agreeing, usually through the partner or reseller you are working with, that you are entitled to order the upgrade SKU (vs. buy a complete new product). The upgrade SKUs are all listed in the ordering guide here.
    L-PI12-1.5K-UP (note - NOT the 1.1 product description you noted in the original post) would be the SKU for a major upgrade from LMS 2.x/3.x to the current Prime Infrastructure 1.2 release at the 1500 device license level. That upgrade includes licenses for both PI 1.2 and Prime LMS 4.2. You may choose which to install - most LMS customers stick with LMS for now as PI 1.2 does not yet have full feature parity. Your managed devices should not exceed 1500 combined (in this case) but that combined number is not enforced technically by the product's license daemon.
    Once you have purchased the product and have the media you can install it on any host that meets the installation prerequisites as far as OS, memory, disk etc. A clean installation of LMS does not check for or require a previous installation as far as technical checks.
    #2 - Once you have installed the new LMS server (optionally as a step near the end of installation), you need to add in the license file (*.lic file). That is obtained through the Cisco licensing portal (or via the TAC if you prefer) using the Product Activation Key (PAK) received with your product.

  • UPS monitoring support with Cisco Prime Infrastructure 1.2

    Dear Members,
    Good day,
    I am having a project implemented wherein I have the UPS power redundancy solution for our network devices.
    Now can anyone guide whether the below is possible:
    Can UPS units installed with SNMP cards be monitored via Cisco Prime Infrastructure 1.2, as our monitoring & management solution is Cisco Prime Infrastructure 1.2?
    If yes,
    can you guide whether it would be possible to export the below logs from the UPS unit to our Cisco Prime Infrastructure 1.2:
       a) UPS fault status information
       b) UPS operational status(input power available Y/N)
       c) Battery fault status
       d) Battery charging current
       e) Battery charge level
       f) Output current
    In conclusion, we need to confirm whether it would be possible to achieve remote monitoring of these UPS units via our CPI 1.2.
    Thanks in Advance for your support & replies to this query.
    Regards,
    Muzammil N.

    Prime Infrastructure 1.2 can manage non-Cisco devices in a limited fashion via SNMP query and trap processing. It cannot import logs and does not have a generic syslog server.
    So if your devices have SNMP read-only support and can generate SNMP traps for the above, you can add them to PI. Follow the manual add device procedure here.
