Add AAA server (Cisco ISE) to Prime:
The rights that are assigned to the user via AAA can be found under:
Open the task list and copy its contents; they will be used as part of the AAA policy on Cisco ISE. The attributes grant access to the respective menus in Cisco Prime and can be used with RADIUS or TACACS+. TACACS+ is the recommended device administration method.
Important – the virtual domain is a mandatory requirement in the AAA policy. Also copy the virtual domain string.
Define how Cisco Prime will process user logins: it will use TACACS+ first, and if that fails, the fallback option will be "local".
Add Cisco Prime to the AAA server
TACACS policy
Copy and paste the text from the Cisco Prime root access task list, along with the virtual domain attribute. This policy will give the user root access.
This policy will give the user Help Desk access
Log in as a user from the engineering group:
Log in as a help desk user:
The fin1 user login failed due to "no authorization information". A look at the ISE TACACS logs should indicate the problem.
The TACACS+ authorization attributes are the ones that were extracted from Cisco Prime, but the virtual-domain attribute is missing from them.
Once the virtual domain is added to the policy, the user is able to log in:
Fin1 logged in with minimum access
Verify that the authorization policy returned the virtual-domain ROOT
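A pre-flight check for the failure above, as an added example (not from the original post or from Cisco): it lints the attribute text copied from the Prime task list before it goes into the ISE TACACS profile and flags a missing virtual domain. The `<name><index>=<value>` line shape, the optional `NCS:` prefix and the sample role/task values are assumptions, and `lint_profile` is a hypothetical helper.

```python
import re

# Assumed attribute shape: "<kind><index>=<value>", e.g. "role0=Root",
# optionally prefixed with "NCS:" (assumed form when copied for RADIUS).
ATTR_RE = re.compile(r"^(?:NCS:)?(role|task|virtual-domain)(\d+)=(.+)$")

# Constructed sample: a help desk profile pasted without the virtual domain.
SAMPLE_MISSING = """\
role0=HelpDesk
task0=Example Task A
task1=Example Task B
"""
# Same profile with the virtual domain string copied from Prime appended.
SAMPLE_FIXED = SAMPLE_MISSING + "virtual-domain0=ROOT-DOMAIN\n"


def lint_profile(text):
    """Return (attrs, problems) for a pasted attribute list."""
    attrs = {"role": {}, "task": {}, "virtual-domain": {}}
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = ATTR_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: unrecognised attribute {line!r}")
            continue
        kind, idx, value = m.group(1), int(m.group(2)), m.group(3).strip()
        if idx in attrs[kind]:
            problems.append(f"line {lineno}: duplicate {kind}{idx}")
        attrs[kind][idx] = value
    # The failure shown in this post: roles/tasks present, virtual domain absent.
    if not attrs["virtual-domain"]:
        problems.append("missing virtual-domain attribute: login will fail authorization")
    if not attrs["role"] and not attrs["task"]:
        problems.append("no role or task attributes found")
    return attrs, problems


if __name__ == "__main__":
    for name, text in (("missing", SAMPLE_MISSING), ("fixed", SAMPLE_FIXED)):
        _, problems = lint_profile(text)
        print(name, "->", problems or "OK")
```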
Instead of assigning the default ROOT-DOMAIN, additional virtual domains can be created:
… fin1 – virtual profile….