Re: ACS v4.1 and Blue Coat ProxySG Radius Authentication not wor

rodmunch999 · ‎04-03-2011

Hi,

Has anyone out there managed to configure a BBlue Coat ProxySG device to authenticate with a ACS server using Radius? I am currently running v4.1 ACS and the Blue Coat device is a ProxySG Model 210.(running SGOS 6.1)

I have configured the Blue Coat device on the ACS for Radius(IETF) authentication. On the IETF Attributes I have set the Service Type to Administrative. However, when the Blue Coat tries to authenticate it fails with "ACS password invalid". I know the password is correct as the user can log onto other devices OK.

Should I be importing a specific VSA for this device and if so does anyone know what the VSA attributes should be? (I do not have access to the Blue Coat Support site at the moment)

Any advice would be greatly appreciated.

Cheers

Dave

Erick Delgado · ‎04-15-2011

Hello,

When you get a fail attempt like user password invalid is either because you password is incorrect or your shared secret key is incorrect, please notice that the key in use is the NDG key if you don’t have any the aaa client secret key will be use.

If the blue coat does not require special radius attributes and everything that it needs is the service type is no need to add a VSA, but if the device requires an additional attribute you may want to research for it.

Please check the secret keys on the blue coat and ACS side and let me know.

Erick Delgado

Cisco CSE

rodmunch999 · ‎05-12-2011

Thanks for the reply Erick,

We got it working in the end. The invalid password was due to the default timeout settings on the Blue Coat radius configuration.

The Blue Coat will authenticate using standard Radius (IETF) on the ACS. However to get this working you need configure a policy on the BC for each individual user that will connect. As this is not very practical a group policy needs to be made and a BlueCoat VSA imported to to the ACS via RDBMS.

Once imported the ACS was rebooted and then the devices on the ACS were configured to use Blue Coat (Radius) authentication. In the ACS group we now had a Radius Blue Coat attribute which could be configured with any string value.(This was given a name of fulladmin)

Then we created a group policy on the Blue Coat under "Admin Access Layer" with the same Blue Coat group name of fulladmin and it worked. We also tried a Read Only policy which worked as well.

I have also attached the VSA file I created if it helps anyone (I can't be responsible if it doesn't work though)

mustafa.papdheen · ‎10-10-2011

Hi,

I need your valuable advise to resolve authentication issue. My requirement is; bluecoat proxy SG should authenticate with Cisco Model 1113(4.2 software) once authenticated, user account created in Cisco ACS should be allowed to browse internet. We have configured proxy SG radius configuration, but we are getting "Your request could not be processed because of a configuration error: "The request timed out while trying to authenticate. The authentication server may be busy or offline." error

We verified the connectivity between proxy and Cisco ACS, everything is fine, port 1812 is allowed in firewall and CISCO ACS log says that password is incorrect. Secret code also verified

Please find the attached configuraiton.

mustafa.papdheen · ‎10-12-2011

Hi,

I am getting below error.

ACS Logs:

"Oct 12 10:31:10 CisACS_02_FailedAuth h9wcpa1g 1 0 Message-Type=Authen failed,User-Name=masir,NAS-IP-Address=10.10.10.10 ,Authen-Failure-Code=ACS password invalid,NAS-Port=masir,Group-Name=WLAN_GUEST_DB,"

Packet sniffer logs gives messages as below which means Cisco ACS rejecting the connection initiated by bluecoat proxy

Sniffer logs:

"Reply Message(18) Rejected"

Can anyone help me on this problem. Attached is the bluecoat proxy configuraiton.

Regards

Papdheen M

ACS v4.1 and Blue Coat ProxySG Radius Authentication not working