Configuring BlueCoat ProxyAV 510 with ACS v5.x

Hi everyone,

I am trying to configure the ACS v5.x server to accept RADIUS authentication/authorization for BlueCoat ProxyAV 510s. Unfortunately, I can't seem to find any useful documentation for this.

I have created a BlueCoat VSA with an Attribute of 'Blue-Coat-Authorization' with a value of '2' (Admin Access) and Type of 'Unsigned Integer' but this does not seem to work. The ACS reports that authentication has succeeded but I cannot log in to the BlueCoat device and have to rely on local access.

Has anyone managed to get this working in the field? Help appreciated!

inayat

rodmunch999

Hi,

I am not sure if this is the same as a Blue Coat Proxy SG but I posted about this Blue Coat and ACS v4.x a while back under this thread:

https://supportforums.cisco.com/message/3356662#3356662 (This might help with the Blue Coat side)

If you want to convert it for v5.x then:

  • Under System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA create a VSA with a name of Blue-Coat and a Vendor Id of 14501
  • Under the new VSA create an attribute called Blue-Coat-Group and a Type of String
  • Now under Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles create a policy called something like Blue Coat Privileged.
  • In the Authorization policy add a manual attribute for Blue-Coat-Group and a string value of whatever group you created on the Proxy SG in the Visual Policy Manager.
  • Now you can create an Access Policy and assign the new Authorization Policy

Cheers

Dave

Hi Dave,

Thank you for the response. I did step 1 of your five bullet points. But for the second bullet point there is no place to define the attribute as a 'string' type on that screen. It asks for the Vendor Attribute ID. These are the various parameters the ACS seems to be looking for across a number of screens and my tentative answers are on the right.

Vendor Name:            Blue-Coat
Vendor ID:              14501
Vendor Attribute:       ?
Vendor Attribute ID:    ?
Vendor Attribute Type:  String
Vendor Attribute Value: ?

Do you know what answers I need to enter above? I am told by my firewall team that the help file on the Bluecoat says that the Vendor Attribute should be 'Blue-Coat-Authorization' and the value should be '2' (admin access). However, the help file says nothing about the Vendor ID, Vendor Attribute ID or Vendor Attribute Type.
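
Added example, not part of the original thread and not Cisco or Blue Coat code: how the dictionary fields listed above (Vendor ID, Vendor Attribute ID, Vendor Attribute Type, Value) are laid out inside a RADIUS Vendor-Specific attribute per RFC 2865 section 5.26, and how an Unsigned Integer `2` and a String `"2"` differ on the wire. The attribute IDs 1 and 2 and the group name `ProxyAdmins` are assumed placeholders; take the real attribute numbers from the vendor's RADIUS dictionary.

```python
import struct

VSA_TYPE = 26  # RADIUS Vendor-Specific attribute (RFC 2865, section 5.26)


def encode_vsa(vendor_id, attr_id, value):
    """Build one Vendor-Specific attribute carrying a single vendor sub-attribute."""
    if not 1 <= attr_id <= 255:
        raise ValueError("vendor attribute ID must fit in one byte")
    if isinstance(value, int):
        data = struct.pack("!I", value)   # Unsigned Integer: 4 bytes, big-endian
    else:
        data = value.encode("utf-8")      # String: raw bytes, no terminator
    sub = struct.pack("!BB", attr_id, len(data) + 2) + data
    total = 6 + len(sub)                  # type + length + 4-byte vendor ID
    if total > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BBI", VSA_TYPE, total, vendor_id) + sub


def decode_vsa(buf):
    """Return (vendor_id, [(attr_id, raw_value), ...]) or raise ValueError."""
    if len(buf) < 8:
        raise ValueError("too short for a Vendor-Specific attribute")
    atype, length, vendor_id = struct.unpack("!BBI", buf[:6])
    if atype != VSA_TYPE or length != len(buf):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    subs, pos = [], 6
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated sub-attribute header")
        attr_id, sub_len = buf[pos], buf[pos + 1]
        if sub_len < 2 or pos + sub_len > length:
            raise ValueError("bad sub-attribute length")
        subs.append((attr_id, buf[pos + 2:pos + sub_len]))
        pos += sub_len
    return vendor_id, subs


if __name__ == "__main__":
    GROUP_ATTR_ID = 1   # assumed placeholder, take the real ID from the vendor dictionary
    AUTHZ_ATTR_ID = 2   # assumed placeholder, as above
    for value in ("ProxyAdmins", 2, "2"):   # constructed sample values
        attr_id = GROUP_ATTR_ID if value == "ProxyAdmins" else AUTHZ_ATTR_ID
        wire = encode_vsa(14501, attr_id, value)
        print(repr(value), "->", wire.hex(), decode_vsa(wire))
```

Comparing the decoded bytes against a packet capture of the Access-Accept shows whether the server is sending the attribute number and type the device expects.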

Hi Inayat,

It might be different for a BC ProxyAV 510 than a BC Proxy SG.

Here are the screenshots of the setup for the Proxy SG.

Hi Dave,

Thank you for that - yes, I think the ProxyAV requires that the Blue-Coat-Authorization attribute be added - though I don't know if this is in addition to the Blue-Coat-Group attribute that you have defined or not. In any case, when I try and create the attribute I get the following error message:

I had deleted all traces of the previous BlueCoat attributes I had created as well as references to them in my policies but I still get this error message. Any ideas? Thank you for your help so far!

david.lung

Hi Sir,

At the end, how do you resolve this issue, please share
