Re: Service definition example for Cisco Prime NCS


Michel Pedersen

Jan 4, 2013, 8:19:26 AM
to event-driv...@googlegroups.com
Hi Juergen,

at the moment it's disabled because I ran into problems with it after upgrading to Cisco Prime Infrastructure 1.2 which I unfortunately haven't had the time to sort out yet.

If you're still interested though I can send you what configuration I have. Do you have tacacs up and running or do you need the whole configuration including the AD bits?

regards
Michel


On Fri, Jan 4, 2013 at 1:23 PM, juergen <ccie...@gmail.com> wrote:
Hello Michel,

could you be so kind and provide your config?
I'm beginning to test with NCS and AD and it would be easier for me to start with a working config.

Best Regards!

On Tuesday, August 7, 2012 at 13:47:29 UTC+2, Michel wrote:
First of all I would like to say thank you for a great product! After trying some other free tacacs servers we've found this one to be the best and most versatile of them especially with regards to Active Directory integration.

For those who might be interested I would like to share a simple service definition for using tac_plus with a Cisco Prime NCS server (formerly Cisco WCS).
In our configuration we have done the service definition under a group but it can also be done directly for a user. Authentication is done via Active Directory.
Tacacs configuration in Cisco Prime NCS is done using PAP as the authentication type with all other settings standard. The task definitions listed below in my example are for a super-user with full access to everything (virtual domains can be added successively below the currently listed two). For other task definitions you can get these from your Cisco Prime NCS server by going to Administration -> AAA -> User Groups and then exporting the task list for the wanted usergroup (you'll need to edit this to add " " to the task names and "set " at the start of the line).

If anyone needs to see the full tac_plus config with AD auth and everything I can provide this (after sanitizing it for sensitive information/IPs).

service = NCS {
   default protocol = permit
   set role = All
   set role0 = Admin
   set role1 = "Config Managers"
   set role2 = "Super Users"
   set role3 = "System Monitoring"
   set task0="View Alerts and Events"
   set task1="Device Reports"
   set task2="RADIUS Servers"
   set task3="Network Summary Reports"
   set task4="Configure ACS View Servers"
   set task5="Run Reports List"
   set task6="View CAS Notifications Only"
   set task7="Administration Menu Access"
   set task8="Monitor Clients"
   set task9="Monitor Media Streams"
   set task10="Configure Guest Users"
   set task11="Configure Lightweight Access Point Templates"
   set task12="Monitor Chokepoints"
   set task13="Maps Read Write"
   set task14="Configure Access Points"
   set task15="Virtual Domains List"
   set task16="Users and Groups"
   set task17="Migration Templates"
   set task18="Saved Reports List"
   set task19="Monitor Spectrum Experts"
   set task20="Configure Autonomous Access Point Templates"
   set task21="Audit Trails"
   set task22="Client Location"
   set task23="Monitor Access Points"
   set task24="CleanAir Reports"
   set task25="Configure Ethernet Switches"
   set task26="Configure Ethernet Switch Ports"
   set task27="TACACS+ Servers"
   set task28="Autonomous AP Reports"
   set task29="Mobility Service Management"
   set task30="Performance Reports"
   set task31="Help Menu Access"
   set task32="Configure Controllers"
   set task33="MSAP Reports"
   set task34="Monitor Tags"
   set task35="Scheduled Tasks and Data Collection"
   set task36="Search Access"
   set task37="Scheduled Configuration Tasks"
   set task38="Configure WIPS Profiles"
   set task39="Client Reports"
   set task40="Services Menu Access"
   set task41="Configure Templates"
   set task42="System Settings"
   set task43="Report Launch Pad"
   set task44="Remove Clients"
   set task45="Configure Config Groups"
   set task46="Alarm Browser Access"
   set task47="Mesh Reports"
   set task48="High Availability Configuration"
   set task49="License Center"
   set task50="Lobby Ambassador Defaults Configuration"
   set task51="Monitor Controllers"
   set task52="Monitor Security"
   set task53="Monitor Menu Access"
   set task54="Track Clients"
   set task55="Monitor Interferers"
   set task56="Configure Switch Location Configuration Templates"
   set task57="Configure WiFi TDOA Receivers"
   set task58="TAC Case Attachment Tool"
   set task59="Voice Audit Report"
   set task60="Global SSID Groups"
   set task61="Report Run History"
   set task62="Compliance Reports"
   set task63="Maps Read Only"
   set task64="Disable Clients"
   set task65="WIPS Service"
   set task66="Security Reports"
   set task67="Configure Spectrum Experts"
   set task68="Appliance"
   set task69="View Security Index Issues"
   set task70="Home Menu Access"
   set task71="ContextAware Reports"
   set task72="Monitor WiFi TDOA Receivers"
   set task73="Health Monitor Details"
   set task74="User Preferences"
   set task75="Guest Reports"
   set task76="Logging"
   set task77="Automated Feedback"
   set task78="Identity Search Engine"
   set task79="Delete and Clear Alerts"
   set task80="Email Notification"
   set task81="License Check"
   set task82="Rogue Location"
   set task83="Identify Unknown Users"
   set task84="Reports Menu Access"
   set task85="Tools Menu Access"
   set task86="Config Audit Dashboard"
   set task87="Configure ISE Servers"
   set task88="Virtual Domain Management"
   set task89="Monitor Ethernet Switches"
   set task90="Configure Choke Points"
   set task91="RRM Dashboard"
   set task92="Planning Mode"
   set task93="Configure Menu Access"
   set task94="Ack and Unack Security Index Issues"
   set task95="Pick and Unpick Alerts"
   set task96="Ack and Unack Alerts"
   set task97="Auto Provisioning"
   set virtual-domain0=ROOT-DOMAIN
   set virtual-domain1=Virtual-Domain1
   }

-Michel


juergen test

Jan 4, 2013, 9:26:03 AM
to event-driv...@googlegroups.com

Hi Michel,
It would be great to get the whole config with AD.
Regards
Juergen

Michel Pedersen

Jan 7, 2013, 1:23:50 AM
to event-driv...@googlegroups.com
Hi Juergen,

here is a sanitized copy of my configuration. As you'll see I've split it up into separate parts to make it easier to read. The main config is the tac_plus.cfg which refers to the other files using the "include" statement.

With our current setup we define the users locally (username and access) instead of using a group in AD (the reason for this being better control since the network team does not have administrative rights to AD in our organization) so we only do the password authentication using AD. This can easily be changed though and there are some good examples on the website for this.

The NCS part I believe should be working for NCS (currently not working for Prime Infrastructure). The rights and virtual domains you need to put in there you'll need to get from NCS but these values can all be exported (under Administration -> AAA -> User groups there is a button for each group to export the policy. You'll need to edit it slightly but compare what you export with what I've got and you should be fine).

Good luck! :-)

regards
Michel



tac_config.zip
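
The export-and-edit step described in both of Michel's posts (quote the values, put "set " at the start of each line), as an added example that is not part of the thread or of tac_plus. It assumes the exported list holds one indexed name=value pair per line, which the thread does not show; the function name and the index check are hypothetical additions.

```python
import re

# Assumption: the exported list has one indexed "name=value" pair per line,
# e.g. task0=View Alerts and Events (the thread does not show the raw export).
LINE_RE = re.compile(r'^(role|task|virtual-domain)(\d+)\s*=\s*(.*)$')

# Constructed sample input using names that appear in the thread.
SAMPLE_EXPORT = """\
role0=Admin
role1=Config Managers
task0=View Alerts and Events
task1=Device Reports
virtual-domain0=ROOT-DOMAIN
"""

def export_to_service(export_text, service="NCS"):
    """Hypothetical helper: build a tac_plus service block from an export."""
    seen = {}  # attribute family -> indexes encountered
    out = [f"service = {service} {{", "   default protocol = permit"]
    for lineno, raw in enumerate(export_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # Anchored at line start: only the attribute name gets the "set "
        # prefix, the value text is never rewritten.
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unexpected content {line!r}")
        family, index, value = m.group(1), int(m.group(2)), m.group(3).strip()
        # Drop quotes the line may already carry, refuse embedded ones.
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if not value or '"' in value:
            raise ValueError(f"line {lineno}: empty or unquotable value")
        seen.setdefault(family, []).append(index)
        out.append(f'   set {family}{index}="{value}"')
    # Added sanity check (not a documented requirement): a gap or repeat in
    # the numbering usually means a line was lost or duplicated while editing.
    for family, indexes in seen.items():
        if sorted(indexes) != list(range(len(indexes))):
            raise ValueError(f"{family} indexes have a gap or a repeat")
    out.append("   }")
    return "\n".join(out)

if __name__ == "__main__":
    print(export_to_service(SAMPLE_EXPORT))
```

Exporting a narrower user group and converting it the same way yields a service block that grants only that group's tasks, rather than the full super-user list.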

juergen

Jan 7, 2013, 4:20:15 AM
to event-driv...@googlegroups.com
Michel,

thank you very much!

Regards
Juergen