bluecoat proxy ssg 300-25 administration access using ISE

Meuserid1979
Level 1

Hi experts,

 

My customer needs to migrate from ACS to ISE. This will be for administration access of their devices. They have non-Cisco devices and 1 of them is a Bluecoat proxy. I have tried to configure it the way I think it will work, but unfortunately no luck. So far, below is what I have done:

1. Added Bluecoat vendor ID (14501) to the ISE dictionary
2. Added an attribute for admin access. Admin access ID = 2
3. Added an attribute for read-only access. Read only = 1
4. Created a device profile for Bluecoat, using the newly added RADIUS attribute
5. Created a policy with the result of "administrative" for admin access, and "login" for read-only access.

During testing, authentication is successful but doesn't go through to proxy GUI access. The device is re-prompting with the username and password window.

Has anybody tried this setup? Or maybe can point me to a good document? Thanks in advance.

 

regards,

chris 

6 Replies

Hi Chris,

Add Bluecoat Proxy under Radius Vendor in ISE Dictionary with vendor id 14501

Under dictionary attributes, add 2 new attributes with:

Attribute Name : Blue-Coat-Authorization

Data Type: UINT32

Direction: Both

ID: 2

Another attribute with Attribute Name: Blue-Coat-Group

Data Type: UINT32

Direction: Both

ID: 1

 

Under Authorization profile, use the network device profile Bluecoat, then in Advanced Attributes call the above 2 attributes as:

Blue-Coat-Authorization = 2
Blue-Coat-Group = 2 

-Aravind

Hi,

 

Thanks for the reply. I have tried what you have suggested, but sorry to say that it doesn't work. I'm talking to Cisco TAC about it. Thanks.

 

regards,

Chris

I see that there has not been anything posted as to a resolution on this. I have tried the same process and found it to not work as expected.

 

Can someone that has been able to verify a working configuration please respond.

 

Thank you,

yalbikaw
Cisco Employee

Hello :)

 

On the authorization profile, how did you create it and what was the response from ISE? Kindly note I don't have a verified test;

however, I will help you here to have the profile as per this:

VENDOR BlueCoat 14501

BEGIN-VENDOR BlueCoat

ATTRIBUTE Blue-Coat-Group 1 string
# Accepts multiple groups as comma-separated list.

ATTRIBUTE Blue-Coat-Authorization 2 integer

VALUE Blue-Coat-Authorization No-Access 0
VALUE Blue-Coat-Authorization Read-Only-Access 1
VALUE Blue-Coat-Authorization Read-Write-Access 2

END-VENDOR BlueCoat

 

In some of the answers I am seeing a response for the group with an integer, which is not correct, since in the group we should send the group name.

Based on your explanation, you are only pushing read-only or read-write, which is identified as an integer:

1 for read

2 for read write

Can you please double-check the dictionary,

then make sure your authorization profile is pushing something like this:

 

 

Access Type = ACCESS_ACCEPT
Blue-Coat-Authorization = 2 

 

 

Let me know how it goes.

 

Wishes,
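
Added example (not part of any reply in this thread): a Python sketch that encodes and decodes the Blue Coat vendor-specific attributes from the dictionary above, so the attributes of a captured Access-Accept can be checked for the integer Blue-Coat-Authorization and a text Blue-Coat-Group. It assumes the standard RFC 2865 Vendor-Specific layout (one-byte vendor type and length); `encode_vsa`, `decode_bluecoat` and the sample bytes are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26        # RFC 2865 attribute type for vendor-specific attributes
BLUECOAT_VENDOR_ID = 14501  # vendor ID given in the thread
# Sub-attribute numbers and data types, taken from the dictionary posted above.
BLUECOAT_ATTRS = {1: ("Blue-Coat-Group", "string"),
                  2: ("Blue-Coat-Authorization", "integer")}
AUTHZ_VALUES = {0: "No-Access", 1: "Read-Only-Access", 2: "Read-Write-Access"}


def encode_vsa(vendor_type, value):
    """Build one Vendor-Specific attribute holding a single Blue Coat sub-attribute."""
    kind = BLUECOAT_ATTRS[vendor_type][1]
    data = struct.pack("!I", value) if kind == "integer" else value.encode()
    sub = bytes([vendor_type, len(data) + 2]) + data
    body = struct.pack("!I", BLUECOAT_VENDOR_ID) + sub
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


def decode_bluecoat(attrs):
    """Walk a RADIUS attribute list; return (Blue Coat attributes found, problems)."""
    found, problems, i = {}, [], 0
    while i + 2 <= len(attrs):
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            problems.append(f"malformed attribute at offset {i}")
            break
        value, i = attrs[i + 2:i + a_len], i + a_len
        if a_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != BLUECOAT_VENDOR_ID:
            continue
        sub = value[4:]
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            v_type, data, sub = sub[0], sub[2:sub[1]], sub[sub[1]:]
            name, kind = BLUECOAT_ATTRS.get(v_type, (f"unknown-{v_type}", "string"))
            text = data.decode("utf-8", "replace")
            if kind == "integer" and len(data) == 4:
                number = struct.unpack("!I", data)[0]
                found[name] = AUTHZ_VALUES.get(number, number)
            elif kind == "integer":
                problems.append(f"{name}: expected a 4-byte integer, got {len(data)} bytes")
            elif text.isprintable():
                found[name] = text
            else:
                problems.append(f"{name}: value is not a text group name")
    return found, problems

# Constructed sample: a Reply-Message followed by the two Blue Coat attributes.
SAMPLE = bytes([18, 4]) + b"ok" + encode_vsa(2, 2) + encode_vsa(1, "admins")
```

To check real traffic, pass the attribute bytes of the Access-Accept (everything after the 20-byte RADIUS header) from a capture taken between ISE and the proxy.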

 

Hi,

for bluecoat admin access "result":

under "Advanced attributes settings" choose:

Radius:Service-Type = Administrative

 

this will give attribute details as:

access type = ACCESS_ACCEPT

service-type = 5

 

for bluecoat read-only access "result":

under "Advanced attributes settings" choose:

Radius:Service-Type = Login

 

this will give attribute details as:

access type = ACCESS_ACCEPT

service-type = 1

 

I believe on the Bluecoat side you also need to do some configuration; unfortunately I can't remember what and where it should be configured.

 

Hope this helps.

 

P.S. That is using the built-in IETF RADIUS attributes.