03-22-2013 04:37 AM - edited 03-10-2019 08:13 PM
ACS Gurus,
We have a requirement to install Juniper CTPs at a customer site with it authenticating to our Cisco ACS via RADIUS. I'm a little unsure on how the accountsActions file is to be created based on what I have from Juniper in regards to the custom VSAs. I am able to authenticate successfully but it requires a different attribute to be sent back from the ACS to allow a user to launch CTPView. Below is the information I received from Juniper and any help or support would be greatly appreciated.
ATTRIBUTE Juniper-CTP-Group Juniper-VSA(21, integer) r
VALUE Juniper-CTP-Group Read_Only 1
VALUE Juniper-CTP-Group Admin 2
VALUE Juniper-CTP-Group Privileged_Admin 3
VALUE Juniper-CTP-Group Auditor 4
ATTRIBUTE Juniper-CTPView-APP-Group Juniper-VSA(22, integer) r
VALUE Juniper-CTPView-APP-Group Net_View 1
VALUE Juniper-CTPView-APP-Group Net_Admin 2
VALUE Juniper-CTPView-APP-Group Global_Admin 3
ATTRIBUTE Juniper-CTPView-OS-Group Juniper-VSA(23, integer) r
VALUE Juniper-CTPView-OS-Group Web_Manager 1
VALUE Juniper-CTPView-OS-Group System_Admin 2
VALUE Juniper-CTPView-OS-Group Auditor 3
03-22-2013 10:26 AM
When you choose the protocol under the Juniper device you added to the ACS, choose RADIUS-Juniper if it is available. (I don't remember if it is listed.) If it is available and chosen, then the Juniper attributes will appear under the group or user config, where you can enable them.
Otherwise, you need to add the custom VSAs as per this link:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/A_CSUtil.html#wp365540
HTH
Amjad
Sent from Cisco Technical Support iPad App
03-22-2013 10:42 AM
I found those attributes that can be used by default when choosing RADIUS-Juniper:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/A_RADAtr.html#wp148509
Your attributes do not seem to be listed so you may need to follow the link I provided earlier.
Regards,
Amjad
Sent from Cisco Technical Support iPad App
03-22-2013 10:48 AM
Thanks for the response. That is where I'm at now and trying to dig through the documentation and right syntax for the .csv file which is a bit painful. I'm just not sure how to add the additional Juniper attributes to the Juniper group that already exists on the ACS server. I've tried a couple different ways and the RDBMS always kicks it back with an error.
03-23-2013 01:09 AM
To add a vendor-specific attribute (VSA), set VN = "26" and use V2 and V3 as follows:
V2 = IETF vendor ID
V3 = VSA attribute ID
For example, to add the Cisco IOS/PIX RADIUS cisco-av-pair attribute with a value of "addr-pool=pool1":
V2 = "9"
V3 = "1"
V1 = "addr-pool=pool1"
RADIUS attribute values can be one of the following:
INTEGER
TIME
IP ADDRESS
STRING
source:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/user/ag.htm
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"
03-23-2013 01:42 AM
Jeff:
We value it when you rate useful posts.
So, with your case:
VN="26"
V1="Juniper-CTP-Group=1"
Note {put =1 if read only, put 1 if admin, put 3 if privileged admin or put 4 if auditor. Meaning of each number provided by your vendor as per your first post.}
V2="2636"
{This is the IETF vendor ID for Juniper.}
V3="21"
{This is the attribute number for Juniper-CTP-Group. Use attribute 22 if you are adding Juniper-CTPView-APP-Group or use attribute 23 if you are configuring Juniper-CTPView-OS-Group.}
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"
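Added illustration, not part of any poster's reply and not Cisco or Juniper code: the Python below parses the dictionary from the first post and builds or decodes the attribute-26 bytes (RFC 2865 Vendor-Specific layout, vendor ID 2636) that an Access-Accept would carry, so a packet capture can be checked against the intended group. It assumes each value travels as a 32-bit integer, as the dictionary's integer type indicates; the function names are hypothetical.

```python
import re
import struct
VENDOR_SPECIFIC = 26      # RADIUS attribute type for VSAs (VN in the thread)
JUNIPER_VENDOR_ID = 2636  # IETF vendor ID quoted in the thread (V2)
# Dictionary lines from the first post, typed with ASCII hyphens.
DICTIONARY = """
ATTRIBUTE Juniper-CTP-Group Juniper-VSA(21, integer) r
VALUE Juniper-CTP-Group Read_Only 1
VALUE Juniper-CTP-Group Admin 2
VALUE Juniper-CTP-Group Privileged_Admin 3
VALUE Juniper-CTP-Group Auditor 4
ATTRIBUTE Juniper-CTPView-APP-Group Juniper-VSA(22,integer) r
VALUE Juniper-CTPView-APP-Group Net_View 1
VALUE Juniper-CTPView-APP-Group Net_Admin 2
VALUE Juniper-CTPView-APP-Group Global_Admin 3
ATTRIBUTE Juniper-CTPView-OS-Group Juniper-VSA(23, integer) r
VALUE Juniper-CTPView-OS-Group Web_Manager 1
VALUE Juniper-CTPView-OS-Group System_Admin 2
VALUE Juniper-CTPView-OS-Group Auditor 3
"""

def parse_dictionary(text):
    """Return {attribute name: (VSA id, {value name: number})}."""
    attrs = {}
    for m in re.finditer(r"^ATTRIBUTE\s+(\S+)\s+Juniper-VSA\((\d+),\s*integer\)", text, re.M):
        attrs[m.group(1)] = (int(m.group(2)), {})
    for m in re.finditer(r"^VALUE\s+(\S+)\s+(\S+)\s+(\d+)", text, re.M):
        attrs[m.group(1)][1][m.group(2)] = int(m.group(3))
    return attrs

def encode_vsa(attrs, name, value_name):
    """Build the 12-byte attribute: type, length, vendor ID, then sub-attribute."""
    vsa_id, values = attrs[name]
    sub = struct.pack("!BBI", vsa_id, 6, values[value_name])  # id, length, 32-bit value
    body = struct.pack("!I", JUNIPER_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def decode_vsa(attrs, raw):
    """Map captured attribute bytes back to (attribute name, value name)."""
    if len(raw) != 12 or raw[0] != VENDOR_SPECIFIC or raw[1] != 12:
        raise ValueError("not a 12-byte Vendor-Specific attribute")
    vendor, vsa_id, sub_len, number = struct.unpack("!IBBI", raw[2:])
    if vendor != JUNIPER_VENDOR_ID or sub_len != 6:
        raise ValueError("not a Juniper integer VSA")
    for name, (attr_id, values) in attrs.items():
        for value_name, value in values.items():
            if attr_id == vsa_id and value == number:
                return name, value_name
    raise ValueError("VSA id or value not in the dictionary")
```

For Juniper-CTP-Group set to Admin, `encode_vsa(parse_dictionary(DICTIONARY), "Juniper-CTP-Group", "Admin").hex()` returns `1a0c00000a4c150600000002`.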
03-25-2013 07:20 AM
Amjad,
That is what I was using initially. However, when I add it via the RDBMS Sync I received an "Unknown Attribute Name" error. I'm assuming that I should be using the Action Code of 163, which also requires a username or group name (according to the errors when it syncs). Below is the output of the csv file. Do you see anything wrong or something that I'm missing or needs to be added?
SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status
15,7,jeffersw,,163,26,Juniper-CTP-Group=2,2636,21,25/09/2007 13:00,,,,0
16,6,jeffersw,,163,26,Juniper-CTPView-APP-Group=2,2636,22,25/09/2007 13:00,,,,0
17,5,jeffersw,,163,26,Juniper-CTPView-OS-Group=2,2636,23,25/09/2007 13:00,,,,0
18,0,,,355,,,,,25/09/2007 13:00,,,,0
03-27-2013 09:55 AM
FYI,
I was able to correct this issue by importing a UDV with the attributes needed.