Friday, February 1, 2013

Logging into a Cisco Prime Network Control System set up with RADIUS authentication with Windows NPS server throws the error: “No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server”

Problem

You attempt to log into a Cisco Prime Network Control System after setting it up with AAA RADIUS authentication against a Windows NPS (Network Policy Server) but receive the following error when you log in with an Active Directory account:

No authorization information found for Remote Authenticated User.
Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server


Solution

It took me a while to figure this error out because the documentation and forum posts I found with responses weren't too clear on what I was missing, even though I had copied all of the RADIUS Custom Attributes into my policy configured on the NPS.  After spending a few hours to finally discover that I was missing 1 line in the Cisco-AV-Pair attribute values, I thought it would be helpful to blog the configuration.

Navigate to Administrator –> AAA:


Click on the User Groups item on the left, then the Task List for the group you want to grant permissions to.  For the purpose of this example, we'll use the Admin group.

You'll first need to copy all of the RADIUS Custom Attributes into your policy on the NPS server.

The above configuration isn't complete: if you try to log into the Cisco NCS at this point, you will receive the message shown at the beginning of this post.  The configuration that fixes this issue is found by clicking the "here" link in the line located at the bottom:

To add custom attributes related to Virtual Domains, please click here.


Note that the additional line should be copied and pasted into the attributes as well.

Logging into your NCS with Active Directory accounts authenticated via NPS should now work.
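A small lint for the failure described in this post, as an added example (not from the original post or from Cisco): it checks a pasted list of Cisco-AV-Pair values for the missing virtual-domain line. The `NCS:role0=` / `NCS:task0=` / `NCS:virtual-domain0=` syntax, the set of required kinds, the contiguous-index rule and the sample values are assumptions; compare them with what your own Task List page shows.

```python
import re

# Assumed attribute syntax, one value per line in the NPS policy:
#   NCS:role0=Admin, NCS:task0=..., NCS:virtual-domain0=ROOT-DOMAIN
AVPAIR = re.compile(r"^NCS:(role|task|virtual-domain)(\d+)=(.+)$")


def lint_avpairs(values, required=("role", "task", "virtual-domain")):
    """Return a list of problems found in a list of Cisco-AV-Pair strings."""
    problems = []
    seen = {}  # kind -> {index: value}
    for raw in values:
        line = raw.strip()
        if not line:
            continue
        m = AVPAIR.match(line)
        if not m:
            problems.append(f"unrecognised value: {line!r}")
            continue
        kind, idx = m.group(1), int(m.group(2))
        if idx in seen.setdefault(kind, {}):
            problems.append(f"duplicate index: NCS:{kind}{idx}")
        seen[kind][idx] = m.group(3).strip()
    # The case from this post: role and tasks pasted, virtual domain left out.
    for kind in required:
        if kind not in seen:
            problems.append(f"missing NCS:{kind}N line")
    # Assumption: indices run 0..n-1, so a hole means a line was lost in the paste.
    for kind, entries in seen.items():
        holes = sorted(set(range(max(entries) + 1)) - set(entries))
        if holes:
            problems.append(f"gap in NCS:{kind} indices: {holes}")
    return problems


# Constructed samples; the task names are placeholders, not real NCS task names.
BEFORE = ["NCS:role0=Admin", "NCS:task0=Example Task A", "NCS:task1=Example Task B"]
AFTER = BEFORE + ["NCS:virtual-domain0=ROOT-DOMAIN"]

if __name__ == "__main__":
    for name, values in (("before", BEFORE), ("after", AFTER)):
        print(name, lint_avpairs(values) or "ok")
```
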

11 comments:

Anonymous said...

Blah Blah Blah you are a real piece of work.

Anonymous said...

Worked like a charm! Thanks!

JP said...

Saved my day, thanks!

Anonymous said...

Wish I found your post faster, thank you VERY much!

Anonymous said...

Only the first 2 lines are mandatory in Prime 2.0.

Anonymous said...

Thanks, this worked for TACACS too!

Anonymous said...

Thanks so much!!!

Anonymous said...

Thanks! Fixed TACACS for me also.

Roel Bobis said...

Where do I find the best radius manager billing system because other radius billing system but it's not good for me.

Anonymous said...

You rock! Thanks so much. Docs from Cisco weren't clear.

Anonymous said...

Also see this post http://www.wificert.org/cisco-prime-ad-login/