bluecoat proxy ssg 300-25 administration access using ISE

Hi experts,

 

My customer needs to migrate from ACS to ISE. This will be for administration access of their devices. They have non-Cisco devices and 1 of them is a Bluecoat proxy. I have tried to configure it the way I think it will work but unfortunately no luck. So far, below is what I have done:

 

1. Added the Bluecoat vendor ID (14501) to the ISE dictionary.

2. Added an attribute for admin access. Admin access ID = 2.

3. Added an attribute for read-only access. Read only = 1.

4. Created a device profile for Bluecoat, using the newly added RADIUS attribute.

5. Created a policy with the result of "administrative" for admin access and "login" for read-only access.

 

During testing, authentication is successful but it doesn't go through to the proxy GUI access. The device re-prompts with the username and password window.

 

Has anybody tried this setup? Or maybe someone can point me to a good document. Thanks in advance.

 

regards,

chris 

6 REPLIES 6

Re: bluecoat proxy ssg 300-25 administration access using ISE

Hi Chris,

Add Bluecoat Proxy under Radius Vendor in ISE Dictionary with vendor id 14501

Under dictionary attributes, add 2 new attributes with:

Attribute Name : Blue-Coat-Authorization

Data Type: UINT32

Direction: Both

ID: 2

Another attribute with Attribute Name: Blue-Coat-Group

Data Type: UINT32

Direction: Both

ID: 1

 

Under Authorization profile, use network device profile as Bluecoat, then in Advanced attributes call the above 2 attributes as:

Blue-Coat-Authorization = 2
Blue-Coat-Group = 2 

-Aravind
Beginner

Re: bluecoat proxy ssg 300-25 administration access using ISE

Hi,

 

Thanks for the reply. I have tried what you have suggested but sorry to say that it doesn't work. I'm talking to Cisco TAC about it. Thanks.

 

regards,

Chris

Beginner

Re: bluecoat proxy ssg 300-25 administration access using ISE

I see that there has not been anything posted as to a resolution on this. I have tried the same process and found it to not work as expected.

 

Can someone who has been able to verify a working configuration please respond?

 

Thank you,

Cisco Employee

Re: bluecoat proxy ssg 300-25 administration access using ISE

Hello :)

 

On the authorization profile, how did you create it and what was the response from ISE? Kindly note I don't have a verified test.

 

However, it will help you here to have the profile as per this:

VENDOR BlueCoat 14501
 
BEGIN-VENDOR BlueCoat
 
ATTRIBUTE Blue-Coat-Group 1 string
# Accepts multiple groups as comma-separated list.
 
ATTRIBUTE Blue-Coat-Authorization 2 integer
 
VALUE Blue-Coat-Authorization No-Access 0
VALUE Blue-Coat-Authorization Read-Only-Access 1
VALUE Blue-Coat-Authorization Read-Write-Access 2
 

END-VENDOR BlueCoat

 

In some of the answers I am seeing a response for group with an integer, which is not correct since in group we should send the group name.

 

Based on your explanation you are only pushing read-only or read-write, which is identified as an integer:

1 for read

2 for read write

 

Can you please double-check the dictionary,

then make sure your authorization profile is pushing something like this:

 

 

Access Type = ACCESS_ACCEPT
Blue-Coat-Authorization = 2 

 

 

Let me know how it goes.

 

Wishes,

 
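The dictionary posted above defines Blue-Coat-Group as a string and Blue-Coat-Authorization as an integer. The following is an added example, not part of the thread and not Cisco or Blue Coat code: it decodes Blue Coat vendor-specific attributes from the attribute portion of an Access-Accept so the types ISE actually sends can be checked against that dictionary. It assumes the standard RFC 2865 vendor-specific layout; the group name "admins" and both sample byte strings are constructed.

```python
import struct

BLUECOAT_VENDOR_ID = 14501  # vendor id quoted in the thread
AUTHZ = {0: "No-Access", 1: "Read-Only-Access", 2: "Read-Write-Access"}

def encode_vsa(vendor_type, value):
    """Build one Vendor-Specific attribute (RADIUS type 26) for Blue Coat."""
    sub = bytes([vendor_type, 2 + len(value)]) + value
    body = struct.pack("!I", BLUECOAT_VENDOR_ID) + sub
    return bytes([26, 2 + len(body)]) + body

def interpret(v_type, data):
    """Decode one sub-attribute the way the posted dictionary defines it."""
    if v_type == 2:  # Blue-Coat-Authorization: integer
        if len(data) != 4:
            return ("Blue-Coat-Authorization", data.hex(), "expected 4-byte integer")
        n = struct.unpack("!I", data)[0]
        return ("Blue-Coat-Authorization", AUTHZ.get(n, str(n)), "ok")
    if v_type == 1:  # Blue-Coat-Group: string (group name)
        text = data.decode("ascii", "replace")
        if text and text.isprintable():
            return ("Blue-Coat-Group", text, "ok")
        return ("Blue-Coat-Group", data.hex(), "not text: sent as integer?")
    return ("unknown-%d" % v_type, data.hex(), "not in dictionary")

def decode_bluecoat(attrs):
    """Walk a RADIUS attribute blob and return decoded Blue Coat VSAs."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        a_type, value = attrs[i], attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
        if a_type != 26 or len(value) < 6:
            continue  # not a vendor-specific attribute
        if struct.unpack("!I", value[:4])[0] != BLUECOAT_VENDOR_ID:
            continue  # another vendor's VSA
        j = 4
        while j < len(value):
            if j + 2 > len(value) or value[j + 1] < 2 or j + value[j + 1] > len(value):
                raise ValueError("malformed sub-attribute at offset %d" % j)
            out.append(interpret(value[j], value[j + 2:j + value[j + 1]]))
            j += value[j + 1]
    return out

# Constructed samples: the attribute portion of two Access-Accept packets.
GROUP_AS_UINT32 = encode_vsa(2, struct.pack("!I", 2)) + encode_vsa(1, struct.pack("!I", 2))
GROUP_AS_STRING = encode_vsa(2, struct.pack("!I", 2)) + encode_vsa(1, b"admins")
```

Calling `decode_bluecoat()` on the attribute bytes taken from a packet capture of the ISE response shows whether the group arrives as text or as a 4-byte integer.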

Beginner

Re: bluecoat proxy ssg 300-25 administration access using ISE

Hi,

For Bluecoat admin access "result":

Under "Advanced attributes settings" choose:

Radius:Service-Type = Administrative

 

This will give attribute details as:

access type = ACCESS_ACCEPT

service-type = 5

 

For Bluecoat read-only access "result":

Under "Advanced attributes settings" choose:

Radius:Service-Type = Login

 

This will give attribute details as:

access type = ACCESS_ACCEPT

service-type = 1

 

I believe on the Bluecoat side you also need to do some configuration; unfortunately I can't remember what and where it should be configured.

 

Hope this helps.

 

Beginner

Re: bluecoat proxy ssg 300-25 administration access using ISE

P.S. That's using the built-in IETF RADIUS attributes.