
ISE v1.2 RADIUS - Authentication of access to a Riverbed Steelhead

Ian Cowley
Level 1

VENDOR RBT 17163

ATTRIBUTE Local-User 1 string RBT

TACACS+ docs

TACACS+ (Shell Profile)

Attribute(s): service ; local-user-name

Value(s): rbt-exec ; <username>

Usage: In order to grant the user read-only access, the <username> value must be set to monitor. In order to grant the user read-write access, the <username> value must be set to admin. If you have another account defined in addition to admin and monitor, configure that name to be returned.

Example – Add Attributes to a Shell Profile (for read-only access)

Attribute          Requirement   Attribute Value
service            Mandatory     rbt-exec
local-user-name    Mandatory     monitor

Example – Add Attributes to a Shell Profile (for read-write access)

Attribute          Requirement   Attribute Value
service            Mandatory     rbt-exec
local-user-name    Mandatory

I have successfully achieved getting the profile to identify the unit and to apply the correct Result.

But my 'Result' is clearly incorrectly defined.

The dictionary attribute value for Riverbed 17163

local-user-name 1 STRING BOTH  NO

I'm sure this is wrong!

Access Type = ACCESS_ACCEPT

local-user-name = shell:local-username=admin

Service-Type = 1

From the authentication log it would appear it doesn't send this at all to the device.

Regards

Ian Cowley

7 Replies

mojocoops
Level 1

Hi Ian,

Did you ever resolve this issue?

I am trying to get the same working on ISE 1.1.2 (soon upgrading to 1.2.1).

I have the Authorization Profile configured to send the local-user=admin attribute (at the recommendation of Riverbed support), but this is not sent by ISE according to packet captures.

Sending Access Accept gives full access to Steelhead web GUI.

I think the attribute ID configured in the dictionary entry could be wrong (I currently have ID as 1).

Thanks,

Stephen.

Attributes Details
Service Template         false
Access Type                 ACCESS_ACCEPT
Radius:Service-Type   Administrative(6)
Riverbed:Local-User    admin

Local user Dictionary Attribute ID is also '1'

The AuthProfile sends this if user is in correct AD group and device is Riverbed.

Seems to work.  RiOS 8.5.2 through 8.6.0

IanC

Thanks Ian.

I've changed my authorization profile to have Radius:Service-Type as Administrative(6), still works.

Packet capture shows ISE sending AVP type 6 as Shell-User.

Riverbed user logs don't show anything pertaining to role being admin, apart from CLI login:

user stephencooper.adm: CLI launched for user stephencooper.adm and rbm admin

I tried creating an authorization profile for monitor, same settings but set local-user to monitor and Service-Type to NAS-Prompt (only going on Cisco WLC access example).  This causes ISE to send AVP type 6 as Exec-user, and same entry in user logs for CLI login.  I get full access to the web GUI.

Could you please advise how you confirmed role access upon login, and also provide your config for monitor access?

Thank you!

Stephen.

Stephen

Let me check...

I might not have been as thorough as you!

IanC

OK, it works... though perhaps not as granularly as I'd like.

2 Authorization Rules; both identify the Riverbed device; VTY, PAP, Riverbed Device Group.

and either AD Group for Admins, or Service Desk (in my case).

The Permissions responses [Policy - Results - Authorization - Authorization Profiles] are:

Riverbed Admins:

Radius:Service-Type = Administrative

Riverbed:Local-User = admin       [Policy - Policy Elements - Dictionary - System - Radius - RADIUS Vendors - Riverbed (17163) - Dictionary Attributes - Local-User 1 STRING BOTH ]

[result of this is Service Type =6, Local-User=admin]

Riverbed Monitor

Radius:Service-Type = Administrative

Riverbed:Local-User = monitor     

[result of this is Service Type =6, Local-User=monitor]

It greys out the Configuration - Network and Optimization pages

Hope this helps

IanC

Thanks Ian, that has helped me figure out my issue.

I had admin and monitor as allowed values in the VSA setting, so it was sending a 1 or a 2 as the index for these allowed values which obviously the Steelhead didn't recognise.

I removed these and manually entered admin and monitor for Local-User in the Authorization Profiles and have confirmed it is now working.

Regards,

Stephen.
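The encoding behind Stephen's fix, as an added example that is not from the thread, ISE or Riverbed: it builds RFC 2865 attributes, pulls the Riverbed VSA (vendor 17163, Local-User type 1) out of an Access-Accept attribute list, and reports whether the value is a Steelhead role name or an enumerated index the device cannot use. The two sample attribute lists are constructed, not captures from the thread.

```python
import struct

# Values from the thread: Riverbed vendor ID, its "Local-User" VSA (type 1, string),
# the standard Service-Type attribute, and the built-in Steelhead account names.
RIVERBED_VENDOR_ID = 17163
RIVERBED_LOCAL_USER = 1
SERVICE_TYPE = 6
STEELHEAD_ROLES = {"admin", "monitor"}

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RFC 2865 attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific (type 26) attribute carrying one vendor sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return attr(26, struct.pack("!I", vendor_id) + sub)

def parse_attrs(blob: bytes) -> list:
    """Walk an attribute list; VSAs are expanded to (26, vendor_id, vendor_type, value)."""
    i, out = 0, []
    while i < len(blob):
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        val = blob[i + 2:i + length]
        if t == 26:
            vendor, j = struct.unpack("!I", val[:4])[0], 4
            while j < len(val):
                vt, vl = val[j], val[j + 1]
                out.append((26, vendor, vt, val[j + 2:j + vl]))
                j += vl
        else:
            out.append((t, val))
        i += length
    return out

def steelhead_role(blob: bytes):
    """Return (role, reason): the role a Steelhead can take from the Access-Accept, or None."""
    for a in parse_attrs(blob):
        if a[0] == 26 and a[1:3] == (RIVERBED_VENDOR_ID, RIVERBED_LOCAL_USER):
            role = a[3].decode("ascii", "replace")
            if role in STEELHEAD_ROLES:
                return role, "ok"
            return None, "Local-User %r is not a role name (enum index instead of string?)" % a[3]
    return None, "no Riverbed Local-User VSA sent (the original symptom in the thread)"

# Constructed samples: a correct read-only Access-Accept (Service-Type=Administrative,
# Local-User="monitor"), and Stephen's mistake, the allowed-value index 2 sent as an integer.
GOOD_MONITOR = attr(SERVICE_TYPE, struct.pack("!I", 6)) + vsa(RIVERBED_VENDOR_ID, RIVERBED_LOCAL_USER, b"monitor")
BAD_INDEX = attr(SERVICE_TYPE, struct.pack("!I", 6)) + vsa(RIVERBED_VENDOR_ID, RIVERBED_LOCAL_USER, struct.pack("!I", 2))
```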

Hello everyone,

I have the same problem and I don't understand how to remove the index 1 and 2 manually.

I tried several settings and I always have admin access.

Only monitor doesn't work for me.

What does "VSA settings" mean?

 

Kind Regards,

Jacob