CCIE Enterprise Wireless (v1.0) – 4. Wireless Security and Identity Management – 4.1.a Device administration with TACACS+/RADIUS


Add AAA server (Cisco ISE) to Prime:



The rights that are assigned to the user via AAA can be found under:


Open the task list and copy its contents; they will be pasted into the AAA policy on Cisco ISE. The attributes grant access to the respective menus in Cisco Prime. They can be used with RADIUS or TACACS. TACACS is the recommended device admin method.


Important – the virtual domain is a mandatory requirement in the AAA policy. Also copy the virtual domain string.


Define how Cisco Prime will process user logins: it will use TACACS+ first, and if that fails, the fallback option will be "local".


Add Cisco Prime to the AAA server



TACACS policy

Copy and paste the text from Cisco Prime root access task list along with the virtual domain attribute. This policy will give the user root access.



This policy will give the user Help Desk access



Log in as a user from the engineering group:


Log in as a help desk user:

The fin1 user login failed due to "no authorization information". A look at the ISE TACACS logs should indicate the problem.



The TACACS+ authorization attributes are the ones that were extracted from Cisco Prime, but the virtual-domain attribute is missing from them.


Once the virtual domain is added to the policy, the user is able to log in:


Fin1 logged in with minimum access



Verify that the authorization policy returned the virtual-domain ROOT
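
The failed fin1 login above can be caught before the profile is saved in ISE. The following is an added example, not part of the original post or of Cisco's tooling: a small linter for the attribute list copied from Prime. The attribute syntax (`role0=`, `task0=`, `virtual-domain0=`, with an `NCS:` prefix in the RADIUS form), the function name `lint_prime_attributes`, and the sample role and task names are assumptions made for illustration.

```python
import re

# Assumed syntax (not shown on this page): Prime exports TACACS+ attributes as
# role0=..., task0=..., virtual-domain0=...; the RADIUS form adds an "NCS:" prefix.
ATTR_RE = re.compile(r"^(NCS:)?(role|task|virtual-domain)(\d+)=(\S.*)$")

def lint_prime_attributes(text, protocol="tacacs"):
    """Return a list of problems in an attribute list pasted into an ISE profile."""
    problems = []
    seen = {"role": set(), "task": set(), "virtual-domain": set()}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = ATTR_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: unrecognised attribute {line!r}")
            continue
        prefix, kind, idx = m.group(1), m.group(2), int(m.group(3))
        if bool(prefix) != (protocol == "radius"):
            problems.append(f"line {lineno}: wrong format for {protocol}")
        if idx in seen[kind]:
            problems.append(f"line {lineno}: duplicate {kind}{idx}")
        seen[kind].add(idx)
    # The page's failure mode: no virtual domain means no authorization.
    if not seen["virtual-domain"]:
        problems.append("missing mandatory virtual-domain attribute")
    for kind, idxs in seen.items():
        # A gap in numbering suggests lines were lost during copy and paste.
        gaps = sorted(set(range(max(idxs, default=-1) + 1)) - idxs)
        if gaps:
            problems.append(f"{kind}: missing index {gaps}")
    return problems

# Constructed samples; role and task names are placeholders, not Prime's real list.
HELPDESK_BROKEN = """\
role0=HelpDesk
task0=Example Task A
task2=Example Task C
"""
HELPDESK_FIXED = """\
role0=HelpDesk
task0=Example Task A
task1=Example Task B
task2=Example Task C
virtual-domain0=ROOT-DOMAIN
"""

if __name__ == "__main__":
    for name, sample in (("broken", HELPDESK_BROKEN), ("fixed", HELPDESK_FIXED)):
        print(name, lint_prime_attributes(sample) or "OK")
```
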


Instead of assigning the default ROOT-DOMAIN, additional virtual domains can be created:








… fin1 – virtual profile….
