topic Thanks Ian, that has helped in Network Access Control

ISE v1.2 RADIUS - Authentication of access to a Riverbed Steelhead

Ian Cowley — Mon, 11 Mar 2019 04:26:12 GMT

VENDOR RBT 17163

ATTRIBUTE Local-User 1 string RBT

TACACS+ docs

TACACS+ (Shell Profile)

Attribute(s): service ; local-user-name

Value(s): rbt-exec ; <username>

Usage: In order to grant the user read-only access, the <username> value must be set to monitor. In order to grant the user read-write access, the <username> value must be set to admin. If you have another account defined in addition to admin and monitor, configure that name to be returned.

Example – Add Attributes to a Shell Profile (for read-only access)

Attribute Requirement Attribute Value

service Mandatory rbt-exec

local-user-name Mandatory monitor

Example – Add Attributes to a Shell Profile (for read-write access)

Attribute Requirement Attribute Value

service Mandatory rbt-exec

local-user-name Mandatory

I have successfully achieved getting the profile to identify the unit and to apply the correct Result.

But my 'Result' is clearly incorrectly defined.

The dictionary attribute value for Riverbed 17163

local-user-name 1 STRING BOTH NO

I'm sure this is wrong!

Access Type = ACCESS_ACCEPT

local-user-name = shell:local-username=admin

Service-Type = 1

From the authenttication log it would appear it doesn't send this at all to the device

Regards

Ian Cowley

Hi Ian,Did you ever resolve

mojocoops — Tue, 22 Jul 2014 00:47:14 GMT

Hi Ian,

Did you ever resolve this issue?

I am trying to get the same working on ISE 1.1.2 (soon upgrading to 1.2.1).

I have the Authorization Profile configured to send local-user=admin attribute (at recommendation of Riverbed support) but this is not sent by ISE according to packet captures.

Sending Access Accept gives full access to Steelhead web GUI.

I think the attribute ID configured in the dictionary entry could be wrong (I currently have ID as 1).

Thanks,

Stephen.

Attributes DetailsService

Ian Cowley — Tue, 22 Jul 2014 13:18:36 GMT

Attributes Details
Service Template         false
Access Type                 ACCESS_ACCEPT
Radius:Service-Type   Administrative(6)
Riverbed:Local-User    admin

Local user Dictionary Attribute ID is also '1'

The AuthProfile sends this if user is in correct AD group and device is Riverbed.

Seems to work. RiOS 8.5.2 through 8.6.0

IanC

Thanks Ian.I've changed my

mojocoops — Tue, 22 Jul 2014 22:26:40 GMT

Thanks Ian.

I've changed my authorization profile to have Radius:Service-Type as Administrative(6), still works.

Packet capture shows ISE sending AVP type 6 as Shell-User.

Riverbed user logs don't show anything pertaining to role being admin, apart from CLI login:

user stephencooper.adm: CLI launched for user stephencooper.adm and rbm admin

I tried creating an authorization profile for monitor, same settings but set local-user to monitor and Service-Type to NAS-Prompt (only going on Cisco WLC access example). This causes ISE to send AVP type 6 as Exec-user, and same entry in user logs for CLI login. I get full access to the web GUI.

Could you please advise how you confirmed role access upon login, and also provide your config for monitor access?

Thank you!

Stephen.

StephenLet me check...I might

Ian Cowley — Tue, 29 Jul 2014 14:53:39 GMT

Stephen

Let me check...

I might not have been as thorough as you!

IanC

OK it works..though perhaps

Ian Cowley — Tue, 29 Jul 2014 15:16:40 GMT

OK it works..though perhaps not as granularly as I'd like.

2 Authorization Rules; both identify the Riverbed device; VTY, PAP, Riverbed Device Group.

and either AD Group for Admins, or Service Desk (in my case).

The Permsisions responses [Policy - Results - Authorization - Authorization Profiles] are:

Riverbed Admins:

Radius:Service-Type = Administrative

Riverbed:Local-User = admin [Policy - Policy Elements - Dictionary - System - Radius - RADIUS Vendors - Riverbed (17163) - Dictionary Attrubutes - Local-User 1 STRING BOTH ]

[result of this is Service Type =6, Local-User=admin]

Riverbed Monitor

Radius:Service-Type = Administrative

Riverbed:Local-User = monitor

[result of this is Service Type =6, Local-User=monitor]

It greys out the Configuration - Network and Optimization pages

Hope this helps

IanC

Thanks Ian, that has helped

mojocoops — Tue, 29 Jul 2014 23:19:54 GMT

Thanks Ian, that has helped me figure out my issue.

I had admin and monitor as allowed values in the VSA setting, so it was sending a 1 or a 2 as the index for these allowed values which obviously the Steelhead didn't recognise.

I removed these and manually entered admin and monitor for Local-User in the Authorization Profiles and have confirmed it is now working.

Regards,

Stephen.

Re: Thanks Ian, that has helped

jacob.parker — Tue, 22 Oct 2019 10:20:16 GMT

Hello together,

i have the same problem and i don't unterstand how to remove the index 1 and 2 manually.

I try several settings and i always have admin access.

Only monitor don't work for me.

What means VSA settings?

Kind Regards,

Jacob