Cisco Prime Infrastructure 2.1 GUI authentication via RADIUS server (Cisco ISE 1.2 integrated with AD)
Hi,
I want to access Cisco PI 2.1 GUI using my AD credentials, so on PI I've enabled RADIUS AAA Mode and added RADIUS servers (two ISE nodes in our case). On ISE I added PI as RADIUS client and configured the same keys. Next, on ISE I created authorization profile PRIME_ADMIN_ACCESS with only attribute settings defined:
My authentication and authorization rules relating to that case are as in the following screenshots:
So when I open the PI GUI and enter my AD credentials to log in, I have no success and I receive the following message:
Looking in ISE's Authentication section I can see the following:
The time difference between these two authentications/authorizations is just 25 msecs, and clicking on each of them reveals the following:
So at first I can authenticate and authorize (the authorization profile has the necessary attributes defined for PI management access (NCS:role0=Root, NCS:virtual-domain0=ROOT-DOMAIN)) and after 25 msecs I get a failure. So what could be the cause of this, and how can I successfully log in to the PI GUI authenticating via ISE using AD credentials?
Hi,
-- Please Go to Administration > Logging > set the Message level to TRACE > Click save
-- Then try to add the ISE.
-- Once it fails, collect the logs from Administration > Logging >
check the "ncs-0-0.log" & search the file for "ERROR" & paste the results here. This will give us exact reason.
- Ashok
Please rate the post or mark as correct answer as it will help others looking for similar information
Similar Messages
-
Is cisco prime infrastructure support / can be run as syslog server?
Dear All,
is cisco prime infrastructure support / can be run as syslog server?
and,
where i can see network topology diagram, using cisco prime infrastructure?
many thanks,
Jerri
Hello. Cisco Prime LMS will be replaced by Cisco Prime Infrastructure in the near future.
In the current release of Cisco Prime Infrastructure you can't use topology diagrams. This feature is in roadmap.
About syslog, you can send syslogs to Cisco Prime Infrastructure, but I don't recommend using it as syslog server. Please see this link for more information https://supportforums.cisco.com/thread/2179520
Please rate if this helps -
Cisco Prime Infrastructure 2.0 import image via WAN link failed.
Cisco Prime Infrastructure 2.0 behind NAT that can copy image on device to Cisco Prime infra but can not deploy from Cisco Prime Infra import image from device. How to solve the problem, please?
Have you downloaded and applied the latest Device Pack updates?
PI enhanced ASA support after the initial 2.0 release and the Device Packs incorporate that change.
The README file for Device Packs explains how to install them. (A bug currently does not allow the direct download in PI so you need to follow the method for installation from local storage after you manually download. Here is a link to the download location. -
Cisco Prime Infrastructure 1.3, Mail Configuration
Hi,
I have a Cisco Prime Infrastructure 1.3 and I want to set up the mail. When I test it, I get this error:
Failed to send mail to primary SMTP server. Failed to send mail to secondary SMTP server. Please make sure that you save mail configuration by hitting 'Save' button.
I have the IP address, and the username and password. Do I need to create a new mailbox for the Prime? Because by default the "From" field appears with
[email protected]
Thanks!! -
Cisco Prime Infrastructure Scheduled Configuration Archive not executing
We have a deployment of Cisco Prime Infrastructure 1.3 (1.3.0.20).
Configuration Archive is a feature that collects and archives the device configurations i.e. cisco switches.
You have an option to schedule this to run, say daily, weekly etc. Once scheduled you can see it in the "Jobs Dashboard" with the "next start time" of what you configured. I have a situation whereby at the time it is supposed to start, it doesn't, however it flags the job as a "success". No new device configurations are archived and the "next start time" remains the same. It's almost like it is failing to execute, but some other process under the hood thinks that it has been executed correctly?
Any ideas or experience that could help here would be appreciated!
Some extra info that has just come to my attention. At one point we were running (we're actually still running) CiscoWorks with LMS3.2 and Cisco NCS 1.x. I merged these two things together into Cisco Prime Infrastructure (upgraded the licensing to get 450 lifecycle licenses to cover the APs + all of the devices coming from LMS3.2). I followed all of the documented procedures to upgrade the NCS appliance to Prime Infrastructure. But when I type "show application" from the CLI of the NCS appliance (now the Prime Infrastructure appliance) I see this:
HQ-NCS1/admin# show application
NCS Cisco Prime Network Control System
Is that normal? Maybe this is my problem. Should this output list "Cisco Prime Infrastructure" instead of (or in addition to) Cisco Prime Network Control System? When I log in to the GUI it shows "Cisco Prime Infrastructure" and the GUI has changed considerably (menus are different) so I'm assuming that the application upgrades I launched from the CLI to go to Prime Infrastructure worked fine. -
Hi,
I have a Cisco Prime Infrastructure 1.3 deployment with Catalyst 2960S switches. Switches are running IOS 15.0(2) SE2. All switches have SNMPv2 configured, and all appears to be fine. I'm migrating one switch to SNMPv3, and PI has reachability to the switch, but PI doesn't receive traps from the switch, and neither does it poll CPU and memory information (all displays 0.00%).
Somebody have a sample configuration of SNMPv3 with Cisco Prime (Infrastructure or LMS)? I cannot find a Cisco official (or unofficial) document related to this version, usually all mention SNMPv2.
Thank you.
Eduardo
Hi Eduardo:
SNMPv3 is indeed supported for general administration. There's a bug with SWIM using SNMPv3 (CSCud92758), but you should be fine for just monitoring. Have you deleted the switch, waited until Prime Infrastructure told you it was gone, then readded it as SNMPv3 natively? Bug CSCug78869 keeps things from working well when changing SNMP versions.
If you don't have the new Update-1 patch for Prime Infrastructure 1.3.0.20 (filename PI_1.3.0.20_Update_1-12.tar.gz) installed, I'd suggest you get it. While it's not going to specifically address this issue, there are a lot of really good fixes in it.
Release Notes for Update 1 for Cisco Prime Infrastructure 1.3.0.20 -
Cisco Prime Infrastructure 1.2 - Remote FTP Repository Sizing Guide
Can anyone provide a link to a sizing guide for remote FTP repository for backing up Cisco Prime Infrastructure 1.2 to a remote FTP server?
A personal observation: In PI 1.1, with the small ova we were running around 300 AP's and I had noticeable slowness and issues. At that time, TAC mentioned that I should go with the medium as it was a known problem. Now, despite being on 1.2 and a lot of the issues resolved (and now new ones), if faced with the need to start over and I could spare the hardware, I would still go with the medium. My personal opinion is that Cisco VM's require way too much. On the other hand, knowing that it's relying on a built in Oracle DB, which from my experience with virtual servers, databases in VM = bad, it's understandable. Not everyone agrees with this point from vm gurus to db geniuses, and I'm not a professional vm guy, just play one on tv, but personally I shove as much hardware as I can afford from my host at it if it's a db in a vm. This comes from being in an enterprise with multiple oracle db's in multiple vm environments. My 2cents.
-
Upgrade NCS 1.1.1.24 to Cisco Prime Infrastructure 1.2
Having a problem installing the ncs_patch-1.1.1.24-upgrade-pi_1.2.tar.gz patch file on a virtual NCS before upgrading it to Cisco Prime Infrastructure 1.2.
I've followed the Cisco Prime Infrastructure 1.2 Quick Start Guide and did not have the same success as described in the document (see below):
gmsncs/admin# dir disk:defaultRepo/
Directory of disk:defaultRepo/
508376482 Sep 13 2012 05:38:25 backup-20120913-0530.tar.gpg
853768584 Sep 20 2012 05:40:17 backup-20120920-0530.tar.gpg
127019 Sep 26 2012 16:40:58 ncs_patch-1.1.1.24-upgrade-pi_1.2.tar.gz
Usage for disk: filesystem
1544204288 bytes total used
27185573888 bytes free
30293413888 bytes available
gmsncs/admin# patch install disk:defaultRepo/ncs_patch-1.1.1.24-upgrade-pi_1.2.tar.gz defaultRepo
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Generating configuration...
Saved the ADE-OS running configuration to startup successfully
Initiating Application Patch installation...
% Local file not found
Anybody experience with this procedure.
Thank You
--- Update ---
Skipped Step 4 and followed Step 5 in the Quick Start Guide, however now I receive a different error:
gmsncs/admin# dir disk:/defaultRepo
Directory of disk:/defaultRepo
926193986 Sep 26 2012 17:48:12 GRDbackup-120926-1736.tar.gpg
508376482 Sep 13 2012 05:38:25 backup-20120913-0530.tar.gpg
853768584 Sep 20 2012 05:40:17 backup-20120920-0530.tar.gpg
127019 Sep 26 2012 16:40:58 ncs_patch-1.1.1.24-upgrade-pi_1.2.tar.gz
Usage for disk: filesystem
2471309312 bytes total used
26258468864 bytes free
30293413888 bytes available
gmncs/admin# patch install GRDbackup-120926-1736.tar.gpg defaultRepo
Save the current ADE-OS running configuration? (yes/no) [yes] ? yes
Generating configuration...
Saved the ADE-OS running configuration to startup successfully
Initiating Application Patch installation...
% Manifest file not found in the bundle
gmsncs/admin#
Hi, Thank you again for your help, but I am still stuck. I have gathered the outputs from ncs start and a ncs status afterwards. Currently I am not able to access the web-UI of NCS..
deberncs01/admin# ncs start
Starting Network Control System...
This may take a few minutes...
Dependency Check Failed: Matlab is not running.
Dependency Check Failed: Ftp is not running.
Dependency Check Failed: Tftp is not running.
Failure during Network Control System startup. Check launchout.log for details.
start
deberncs01/admin#
deberncs01/admin#
deberncs01/admin#
deberncs01/admin#
deberncs01/admin#
deberncs01/admin# ncs stat
Health Monitor is running, with an error.
failed to start NCS on startup Health Monitor
Reporting Server is Starting
Ftp Server is Failure
Database server is stopped
Tftp Server is running
Matlab Server is running
NMS Server is stopped.
SAM Daemon is not running ...
DA Daemon is not running ...
Syslog Daemon is not running ...
status
deberncs01/admin#
Anyone got a clue on that? and where can I find that launchout.log on NCS? Thank you -
Cisco Prime network and cisco prime infrastructure
Hi,
What is the difference between Cisco Prime Network and Cisco Prime infrastructure.
Please advise.
I assume you are asking about Cisco Prime LAN Management System (LMS) vs. Cisco Prime Infrastructure (PI).
LMS is currently the leading Cisco offering for wired infrastructure management. It is the evolution of the earlier CiscoWorks LMS, CiscoWorks RWAN CiscoWorks 2000, CWSI, VLAN Director, original CiscoWorks classic etc. products going back almost 20 years.
PI is the equivalent Cisco offering for wireless LANs and is the successor to NCS and WCS products.
The overlap and confusion comes from the fact that Cisco is positioning PI as the overall wireless and wired management platform and gradually introducing wired network management features to make it equal (and eventually exceed) LMS's capabilities.
There is a comparison table here that shows the current differences. A major new release of PI (2.0) is due out shortly which will close many (but not all) of the gaps on that table. -
Cisco Prime Infrastructure release 2.1 configuration archiving on CISCO WiSM2
Hi all,
Just wondering Cisco Prime Infrastructure release 2-1 support configuration archiving on CISCO WiSM2?
CISCO release 2.0 mentioned that it doesn't support configuration archiving for WiSM2 but release 2.1 doesn't mention anything on it.
Please assist.
No, it is not supported even for PI 2.1
-
What are the features supported in Cisco Prime Infrastructure for WLAN for autonomous AP's?
What are the features supported in Cisco Prime Infrastructure for WLAN for autonomous AP’s?
• PI provides visibility for autonomous clients within the same list view as lightweight and wired clients (client list page).
• Rogue AP detection for autonomous AP's is not supported (it's supported in CUWN).
• Alarms/events for client authentication issues (e.g. authentication failure) are displayed in PI.
• Config management for autonomous AP's is via CLI template. Config comparison and archiving functionality in PI leverages these same features that were brought in from LMS, so need to defer to others in terms of whether this is a cross-platform feature in PI or is only supported on a subset of platforms. Config comparison/archive is supported in CUWN.
PI supports both infrastructure (e.g. AP Tx Power and Channel, busiest AP, AP utilization, etc.) and client (e.g. client count, client sessions, etc.) reports, and there are extensive reports for CUWN -
User Name and Password for Cisco Prime Infrastructure 2.1
Hi all:
I am stuck at the login page of Cisco Prime Infrastructure 2.1.
I have tried using the user name root and its password (when log in with root at Vsphere Client) and also the login user name "before" get into the appliance infrastructure, all cannot work.
Anybody knows what is the default username or password or any way to set the username and password for this Cisco Prime Infrastructure 2.1 website?
Thanks!
tangsuan
Hi Tangsuan,
Following is the documented procedure for password recovery..
In order to modify the GUI root user password, you will need to login to the NCS CLI
as an admin user, and enter the command
"ncs password root password <new password>" (without the quotes)
This should set the web interface root user password :
http://www.cisco.com/en/US/docs/wireless/ncs/1.1/configuration/guide/manag.html#wp1268889
If you have lost your CLI password, try the default logging that is,
CLI user is admin and not root, so please try logging in as admin with
the password that was set during setup. If that does not work, you need
the install disk that came with the appliance to recover that password.
Follow these steps:
Recovering a Lost Admin Password
If you lose or forget the admin password for NCS appliance, follow these steps.
Step 1 Reboot the NCS appliance with the ISO DVD inserted. The Cisco Prime Network Control
System Welcome screen appears:
ISOLINUX 3.11 2005-09-02 Copyright (C) 1994-2005 H. Peter Anvin
Welcome to Cisco Prime Network Control System
To boot from hard disk, press <Enter>.
Available boot options:
[1] Network Control System Installation (Keyboard/Monitor)
[2] Network Control System Installation (Serial Console)
[3] Recover administrator password. (Keyboard/Monitor)
[4] Recover administrator password. (Serial Console)
<Enter> Boot existing OS from Hard Disk.
Enter boot option and press <return>.
boot:
Step 2 Select the desired recovery option, 3 or 4, depending on how you
are connected to the appliance and then follow the prompts.
Thanks-
Afroz
***Ratings Encourages Contributors **** -
Cisco Prime Infrastructure 2.0 - no traps/info are pushed from devices
Good evening,
I have setup Cisco Prime Infrastructure 2.0 and, though I have added manually my 4 network cores as devices without any problem, I can't get a single trap or a single SNMP information to be pushed into my Cisco Prime Infra.
Here is my SNMP config on my core :
snmp-server user *edited* *edited* v3
snmp-server group *edited* v3 noauth notify *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF.FFFFFFFF0F
snmp-server community *edited* RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps flowmon
snmp-server enable traps transceiver all
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps rf
snmp-server enable traps memory
snmp-server enable traps cpu_threshold
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps flex-links status
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps ether-oam
snmp-server enable traps aaa_server
snmp-server enable traps flash insertion removal
snmp-server enable traps l2tc threshold sys-threshold
snmp-server enable traps power-ethernet police
snmp-server enable traps rep
snmp-server enable traps vswitch dual-active vsl
snmp-server enable traps udld link-fail-rpt status-change
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps dot1x auth-fail-vlan guest-vlan no-auth-fail-vlan no-guest-vlan
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps entity-diag boot-up-fail hm-test-recover hm-thresh-reached scheduled-test-fail
snmp-server enable traps port-security
snmp-server enable traps ethernet evc status create delete
snmp-server enable traps energywise
snmp-server enable traps ipsla
snmp-server enable traps vstack
snmp-server enable traps bfd
snmp-server enable traps bgp
snmp-server enable traps bulkstat collection transfer
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps isis
snmp-server enable traps msdp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps errdisable
snmp-server enable traps ethernet cfm alarm
snmp-server enable traps vlan-membership
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
snmp-server host *ip-address-edited* version 3 noauth *edited*
Basically all traps are enabled but absolutely nothing is showing up in my Prime Infra except that my 4 devices are "Reachable".
Here is a show snmp on the same device :
sh snmp
Chassis: *S/N Edited*
38554534 SNMP packets input
0 Bad SNMP version errors
14 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
38453185 Number of requested variables
0 Number of altered variables
17790703 Get-request PDUs
20583581 Get-next PDUs
0 Set-request PDUs
0 Input queue packet drops (Maximum queue size 1000)
38490708 SNMP packets output
0 Too big errors (Maximum packet size 1500)
0 No such name errors
0 Bad values errors
0 General errors
38371069 Response PDUs
13 Trap PDUs
SNMP global trap: enabled
SNMP agent enabled
SNMP logging: enabled
Logging to *edited*, 0/10, 13 sent, 0 dropped.
Can anyone point out what is wrong or missing in my configuration? I can't seem to single it out myself.
Thanks
Jeremy
Hi Jeremy,
SNMP traps are shown in the events and alerts section of PI.
SNMP config looks fine. Can you run the SNMP debug (debug snmp packets), check the logs and see if the device is actually sending the TRAPS to the PI server?
Thanks-
Afroz
[Do rate the useful post]
****Ratings Encourages Contributors **** -
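The SNMP settings posted in the thread above combine SNMPv3 at the noauth level with a read-only community string. As an added example (not code from the thread or from Cisco), this Python audit parses those kinds of `snmp-server` line and reports the security level of each; the sample configuration, its names, the 192.0.2.10 address and the severity labels are constructed for illustration.

```python
import re
from typing import NamedTuple

# Constructed sample modelled on the configuration posted in the thread.
# TRAPUSER, TRAPGROUP, TRAPVIEW, EXAMPLE-RO and 192.0.2.10 are placeholders.
SAMPLE_CONFIG = """\
snmp-server user TRAPUSER TRAPGROUP v3
snmp-server group TRAPGROUP v3 noauth notify TRAPVIEW
snmp-server community EXAMPLE-RO RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server host 192.0.2.10 version 3 noauth TRAPUSER
"""


class Finding(NamedTuple):
    severity: str  # "high", "medium" or "info": labels chosen for this example
    line: str
    reason: str


USER_RE = re.compile(r"^snmp-server user (\S+) (\S+) v3\b")
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b")
HOST_RE = re.compile(
    r"^snmp-server host (\S+)(?: (?:traps|informs))? version 3 (noauth|auth|priv) (\S+)"
)
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)? (RO|RW)\b\s*(\S*)", re.I
)

# SNMPv3 security levels weaker than "priv" (authPriv).
LEVEL_ISSUES = {
    "noauth": ("high", "noAuthNoPriv: messages are neither authenticated nor encrypted"),
    "auth": ("medium", "authNoPriv: messages are authenticated but not encrypted"),
}


def audit_snmp(config: str) -> list[Finding]:
    """Return findings for weak SNMP settings in IOS-style configuration text."""
    findings: list[Finding] = []
    users: set[str] = set()
    hosts: list[tuple[str, str]] = []  # (config line, user name)
    for raw in config.splitlines():
        line = raw.strip()
        if m := USER_RE.match(line):
            users.add(m.group(1))
        elif m := GROUP_RE.match(line):
            if m.group(2) in LEVEL_ISSUES:
                sev, why = LEVEL_ISSUES[m.group(2)]
                findings.append(Finding(sev, line, f"group {m.group(1)}: {why}"))
        elif m := HOST_RE.match(line):
            hosts.append((line, m.group(3)))
            if m.group(2) in LEVEL_ISSUES:
                sev, why = LEVEL_ISSUES[m.group(2)]
                findings.append(Finding(sev, line, f"trap host {m.group(1)}: {why}"))
        elif m := COMMUNITY_RE.match(line):
            access, acl = m.group(2).upper(), m.group(3)
            # Never echo the community string itself into a report.
            shown = f"snmp-server community <redacted> {access}" + (f" {acl}" if acl else "")
            why = f"SNMPv1/v2c community ({access}) is sent in clear text"
            if not acl:
                why += "; no access list restricts who may use it"
            findings.append(Finding("high" if access == "RW" else "medium", shown, why))
    for line, user in hosts:
        if user not in users:
            # IOS may omit "snmp-server user" lines from the running
            # configuration, so this is a prompt to check "show snmp user".
            findings.append(Finding("info", line, f"user {user} not defined in this text"))
    return findings


if __name__ == "__main__":
    for f in audit_snmp(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.line}\n    {f.reason}")
```

Raising the group and the trap host to `priv` and removing the community line clears every finding for the sample.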
Ciscoworks LMS 3.0 to Cisco Prime Infrastructure LMS 4.2
In order to complete the upgrade: the LMS 3.x runs on a physical server that ends with the upgrade (the server is going to be retired); the thing is that the Cisco Prime comes with a UCS and is going to run on a VM. The question here is: could the "Cisco Prime Infrastructure 1.1 - Maj Upg from LMS 2.x/3.x" media be run as a clean install, I mean with no LMS 3.x installed before? And could the "Prime Infrastructure LMS 4.2 - 1.5K Device Maj Upg Lic" be registered with no LMS 3.x license installed?
There are a couple of things to distinguish:
1. The product SKU you need to order to migrate from LMS 3 to LMS 4.2.
2. The license file that is installed on that new LMS server.
#1 is based on Cisco agreeing, usually through the partner or reseller you are working with, that you are entitled to order the upgrade SKU (vs. buy a complete new product). The upgrade SKUs are all listed in the ordering guide here.
L-PI12-1.5K-UP (note - NOT the 1.1 product description you noted in the original post) would be the SKU for a major upgrade from LMS 2.x/3.x to the current Prime Infrastructure 1.2 release at the 1500 device license level. That upgrade includes licenses for both PI 1.2 and Prime LMS 4.2. You may choose which to install - most LMS customers stick with LMS for now as PI 1.2 does not yet have full feature parity. Your managed devices should not exceed 1500 combined (in this case) but that combined number is not enforced technically by the product's license daemon.
Once you have purchased the product and have the media you can install it on any host that meets the installation prerequisites as far as OS, memory, disk etc. A clean installation of LMS does not check for or require a previous installation as far as technical checks.
#2 - Once you have installed the new LMS server (and optionally as a step near the end of installation), you need to add in the license file (*.lic file). That is obtained through the Cisco licensing portal (or via the TAC if you prefer) using the Product Activation Key (PAK) received with your product. -
UPS monitoring support with Cisco Prime Infrastructure 1.2
Dear Members,
Good day,
I am having a project implemented wherein I have the UPS power redundancy solution for our network devices.
Now can anyone guide whether the below is possible:
UPS units installed with SNMP cards be monitored via Cisco Prime Infrastructure 1.2 as our monitoring & management solution is Cisco Prime Infrastructure 1.2 ?
if yes
Can you guide if following action would be possible to export the below logs from UPS unit to our Cisco Prime Infrastructure 1.2
a) UPS fault status information
b) UPS operational status(input power available Y/N)
c) Battery fault status
d) Battery charging current
e) Battery charge level
f) Output current
Conclusion is we need to confirm whether it would be possible to achieve remote monitoring of these UPS units via our CPI 1.2
Thanks in Advance for your support & replies to this query.
Regards,
Muzammil N.
Prime Infrastructure 1.2 can manage non-Cisco devices in a limited fashion via SNMP query and trap processing. It cannot import logs and does not have a generic syslog server.
So if your devices have snmp read only support and can generate SNMP traps for the above you can add them to PI. Follow the manual add device procedure here.