We would like to enable radius authorization to the WAAS Central Manager GUI. We are having some problems doing this. Also this is only documented for TACACS and not for Radius.
We've seen the waas_rbac_groups attribute that can be delivered via Tacacs, can this attribute also travel in the radius attributes? We've already tried: shell:waas_rbac_groups on a Cisco-AV-Pair but that doesn't do it.
There should be a way; knowing that TACACS is very rare these days.
Please help us
I received a message from Cisco TAC about this case and he said that it's not possible to use radius to authenticate in WAAS.
They are mistaken....
I can get RADIUS authentication working with my WAAS devices using a Windows 2008 NPS. The thing you have to do is on the WAAS appliance issue the sshd allow-non-admin-users command. Then you can authenticate using Radius login and password at the user prompt level as a normal user. The problem is passing the privilege level 15, or whatever it is on WAAS, with the right Radius attributes from the NPS server. The standard Cisco AV-PAIR "shell:priv-lvl=15" does not work, so you cannot automatically log in with the enable prompt. However, you can force the enable authentication to local and then use a local enable password and gain access.....if that makes sense.
If radius is not possible then why the heck do they have all the configuration built into the WAAS Central Manager GUI, and a doc that somewhat explains how to configure it, but leave out the radius server side settings?
Try the attribute "Radius:Service-Type=Administrative" instead of the Cisco AV-PAIR.
We use ISE 1.4 as Radius Server and with this attribute also CLI privilege 15 access works well
Thanks for the info from both of you. Do you use radius on both the physical WAAS devices i.e. for CLI and on the WAAS Central manager? I had read there was similar issues with the central manager using radius.
Yes, Radius for both, they use the same Radius attributes - if you need, I can tell you the exact settings on CM and WAAS devices. But it definitely works.
That would be great...if not too much trouble. It's always good to have a working example! Plus I'm new to the WAAS, as I just inherited a network that has about 4 and a couple of virtuals.
I'm also using Windows NPS as my radius server currently.
Sure thing, it's actually quite straight forward:
- Configure Radius servers on your central manager/waas
- Configure it to use Radius as the first Authentication method
- Configure your radius so it accepts the request and gives back the attribute Radius:Service-Type = Administrative
No local users needed on central manager or waas itself.
I have exactly the same config but after logging in to CM I receive this message:
"Your account does not have privileges to access any of the Central Manager pages. Please check with your administrator about provisioned roles and domains."
Edit: just saw that you're not the guy who responded first, so which Radius server are you using? Can you confirm that Radius will send "access accept" and "service-type = 6"?
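To check the two things asked about here (an Access-Accept, and Service-Type = 6, which RFC 2865 names Administrative-User) against the three-step procedure posted above, here is a small Python script I am adding to this thread; it is not from any of the posters, from Cisco, or from any RADIUS server. It builds a RADIUS Access-Accept the way a server would, and decodes one the way you would when reading a packet capture of the reply the WAAS receives: it verifies the Response Authenticator against the shared secret and reports whether Service-Type = Administrative-User (6) is present. The shared secret, packet identifier and Request Authenticator are constructed sample values; everything WAAS-specific (that this attribute is what WAAS wants) comes only from the thread.

```python
# Added example, not from the thread: encode and decode a RADIUS Access-Accept
# carrying Service-Type = Administrative-User (6). Layout per RFC 2865.
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6             # RFC 2865 section 5.6, Service-Type attribute
SERVICE_TYPE_LOGIN_USER = 1
SERVICE_TYPE_ADMINISTRATIVE = 6   # "Administrative-User", what ISE/NPS label Administrative

# Constructed sample values; a real NAS picks a random Request Authenticator per request.
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"constructed-shared-secret"


def encode_attr(attr_type, value):
    """One attribute as Type (1 byte), Length (1 byte, includes header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_accept(identifier, request_auth, secret, attrs):
    """Access-Accept; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def parse_attrs(packet):
    """Return {attribute type: [raw values]} for the attributes after the 20-byte header."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("packet length field does not match packet size")
    attrs = {}
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + length])
        pos += length
    return attrs


def verify_response(packet, request_auth, secret):
    """True when the Response Authenticator was computed with this secret for this request."""
    header, response_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(response_auth, expected)


def grants_administrative(packet):
    """True when the reply is an Access-Accept carrying Service-Type = Administrative-User (6)."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT:
        return False
    for value in parse_attrs(packet).get(ATTR_SERVICE_TYPE, []):
        if len(value) == 4 and struct.unpack("!I", value)[0] == SERVICE_TYPE_ADMINISTRATIVE:
            return True
    return False


def sample_reply(service_type=SERVICE_TYPE_ADMINISTRATIVE):
    """A constructed Access-Accept with a single Service-Type attribute (identifier 0x2A is arbitrary)."""
    attrs = [encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", service_type))]
    return build_access_accept(0x2A, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, attrs)


if __name__ == "__main__":
    reply = sample_reply()
    print("Access-Accept bytes:", reply.hex())
    print("authenticator valid:", verify_response(reply, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
    print("Service-Type = Administrative-User:", grants_administrative(reply))
```

When reading a real capture, feed the raw UDP payload of the reply to `grants_administrative` and the payload of the matching request (same identifier) to `verify_response`; a reply that passes the first check but carries Service-Type = Login-User (1) is the case where the CLI login works but nothing elevates.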
Same problem as well and can't get the individual WAAS to authenticate with Radius. I was able to disable "allow only admins to ssh" to this device which got me the login prompt but will not elevate to enable. What the heck are the WAAS Radius attributes??? Can't find any combo that works!!
I opened a TAC case with Cisco and below were the final results:
Issue with Radius Authorization for WAAS CM GUI. Radius server is using ISE.
Authentication to WAAS CM GUI is successful, but with error message "Your account does not have privileges to access any of the Central Manager pages. Please check with your administrator about provisioned roles and domains."
On ISE authorization profile the attribute setting is configured:
Radius:Service-Type = Administrative
With this attribute setting, authentication and authorization to WAAS CM using CLI are successful. But using GUI, only authentication is successful.
WAAS will use local authorization and will not consider what the Radius is returning. This is expected behaviour and dynamic assignment to different roles via Radius is not supported at this stage.
What we did as a workaround: we have to create the same user in the WAAS local database as we have in AD (same username, password doesn't matter), then we assign that local user to the admin group in WAAS authorization. So now when we log in to WAAS, it passes username and password to ISE to authenticate, ISE will check it with AD and send ACCEPT to WAAS, then WAAS considers that username as a local user and authorizes using the local database.
If you try this, and try to create a user in the local database the same as in AD, it will give you an error while creating the user; that is due to cache - when we try an AD account, it caches the username and doesn't allow creating the same username in the local database. Workaround -> the WAAS caches the remote users for 60 days by default and that is what prevented you from adding these users. We changed the setting to the minimum value (1 day), waited for 25 hours, then tried to add your usernames to CM and verified that it was working.
So end result: authentication from ISE, authorization local, but at least you can use AD credentials.