
bluecoat proxy ssg 300-25 administration access using ISE

Level 1

Hi experts,


My customer needs to migrate from ACS to ISE. This will be for administration access of their devices. They have non-Cisco devices, and one of them is a Bluecoat proxy. I have tried to configure it the way I think it will work, but unfortunately no luck. So far, below is what I have done:


1. Added Bluecoat vendor ID (14501) on the ISE dictionary.

2. Added an attribute for admin access. Admin access ID = 2.

3. Added an attribute for read-only access. Read only = 1.

4. Created a device profile for Bluecoat, using the newly added RADIUS attribute.

5. Created a policy with the result of "administrative" for admin access and "login" for read-only access.


During testing, authentication is successful but it doesn't go through to the proxy GUI access. The device re-prompts with the username and password window.


Has anybody tried this setup? Or maybe someone can point me to a good document. Thanks in advance.





Hi Chris,

Add Bluecoat Proxy under Radius Vendor in ISE Dictionary with vendor id 14501

Under dictionary attributes, add 2 new attributes with:

Attribute Name : Blue-Coat-Authorization

Data Type: UINT32

Direction: Both

ID: 2

Another attribute with Attribute Name: Blue-Coat-Group

Data Type: UINT32

Direction: Both

ID: 1


Under Authorization profile, use network device profile as Bluecoat, then in Advance attribute call the above 2 attributes as:

Blue-Coat-Authorization = 2
Blue-Coat-Group = 2 




Thanks for the reply. I have tried what you have suggested, but sorry to say that it doesn't work. I'm talking to Cisco TAC about it. Thanks.




I see that there has not been anything posted as to a resolution on this. I have tried the same process and found it to not work as expected.


Can someone that has been able to verify a working configuration please respond.


Thank you,

Cisco Employee

Hello :)


On the authorization profile, how did you create it and what was the response from ISE? Kindly note I don't have a verified test.


However, it will help you here to have the profile as per this:

VENDOR BlueCoat 14501
ATTRIBUTE Blue-Coat-Group 1 string
# Accepts multiple groups as comma-separated list.
ATTRIBUTE Blue-Coat-Authorization 2 integer
VALUE Blue-Coat-Authorization No-Access 0
VALUE Blue-Coat-Authorization Read-Only-Access 1
VALUE Blue-Coat-Authorization Read-Write-Access 2



In some of the answers I am seeing a response for group with an integer, which is not correct, since in group we should send the group name.


Based on your explanation, you are only pushing read-only or read-write, which is identified as an integer:

1 for read

2 for read-write


Can you please double-check the dictionary,

then make sure your authorization profile is pushing something like this:



Blue-Coat-Authorization = 2 



let me know how it goes
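
The dictionary in the reply above, worked through at the byte level as an added example (not part of the original posts, and not Cisco or Blue Coat code). It encodes and decodes the two sub-attributes inside RADIUS attribute 26 and shows what a receiver using the string definition sees when Blue-Coat-Group is sent as UINT32 2; the group name "admins" and the function names are assumptions made for illustration.

```python
import struct

BLUECOAT_VENDOR_ID = 14501  # vendor id given in the thread
VSA_TYPE = 26               # RADIUS Vendor-Specific attribute (RFC 2865)
# Sub-attribute ids and data types as in the dictionary quoted above
DICTIONARY = {1: ("Blue-Coat-Group", "string"),
              2: ("Blue-Coat-Authorization", "integer")}
AUTHZ_VALUES = {0: "No-Access", 1: "Read-Only-Access", 2: "Read-Write-Access"}

def encode_vsa(sub_type, value):
    """Build one Vendor-Specific attribute holding a single sub-attribute."""
    if DICTIONARY[sub_type][1] == "integer":
        data = struct.pack("!I", value)       # 4 bytes, network byte order
    else:
        data = value.encode("utf-8")
    sub = bytes([sub_type, 2 + len(data)]) + data
    body = struct.pack("!I", BLUECOAT_VENDOR_ID) + sub
    return bytes([VSA_TYPE, 2 + len(body)]) + body

def decode_vsas(attrs):
    """Walk a RADIUS attribute list; return the Blue Coat sub-attributes."""
    out, i = [], 0
    while i + 2 <= len(attrs):
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError("malformed attribute length")
        body, i = attrs[i + 2:i + a_len], i + a_len
        if a_type != VSA_TYPE or len(body) < 6:
            continue                          # not a usable VSA
        if struct.unpack("!I", body[:4])[0] != BLUECOAT_VENDOR_ID:
            continue                          # another vendor's VSA
        j = 4
        while j + 2 <= len(body):
            s_type, s_len = body[j], body[j + 1]
            if s_len < 2 or j + s_len > len(body):
                raise ValueError("malformed sub-attribute length")
            data, j = body[j + 2:j + s_len], j + s_len
            name, kind = DICTIONARY.get(s_type, ("unknown-%d" % s_type, "string"))
            if kind == "integer":
                if len(data) != 4:
                    raise ValueError(name + " must be a 4-byte integer")
                n = struct.unpack("!I", data)[0]
                out.append((name, AUTHZ_VALUES.get(n, n)))
            else:
                out.append((name, data.decode("utf-8", "replace")))
    return out

# Constructed samples: a well-formed pair, then Blue-Coat-Group sent as UINT32 2
SAMPLE = encode_vsa(2, 2) + encode_vsa(1, "admins")
MISTYPED = bytes.fromhex("1a0c000038a5010600000002")
if __name__ == "__main__":
    print(decode_vsas(SAMPLE), decode_vsas(MISTYPED))
```

Comparing these bytes with the Access-Accept seen in a packet capture shows whether the dictionary data types on the RADIUS server match what is actually sent.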





for bluecoat admin access "result":

under "Advanced attributes settings" choose:

Radius:Service-Type = Administrative


this will give attribute details as:

access type = ACCESS_ACCEPT

service-type = 5


for bluecoat read-only access "result":

under "Advanced attributes settings" choose:

Radius:Service-Type = Login


this will give attribute details as:

access type = ACCESS_ACCEPT

service-type = 1


I believe on the Bluecoat side you also need to do some configuration; unfortunately I can't remember what and where it should be configured.


Hope this helps.


P.S. That's using the built-in IETF RADIUS attributes.