02-21-2014 10:41 AM - edited 03-10-2019 09:26 PM
VENDOR RBT 17163
ATTRIBUTE Local-User 1 string RBT
TACACS+ docs
TACACS+ (Shell Profile)
Attribute(s): service ; local-user-name
Value(s): rbt-exec ; <username>
Usage: In order to grant the user read-only access, the <username> value must be set to monitor. In order to grant the user read-write access, the <username> value must be set to admin. If you have another account defined in addition to admin and monitor, configure that name to be returned.
Example – Add Attributes to a Shell Profile (for read-only access)
Attribute Requirement Attribute Value
service Mandatory rbt-exec
local-user-name Mandatory monitor
Example – Add Attributes to a Shell Profile (for read-write access)
Attribute Requirement Attribute Value
service Mandatory rbt-exec
local-user-name Mandatory
I have successfully achieved getting the profile to identify the unit and to apply the correct Result.
But my 'Result' is clearly incorrectly defined.
The dictionary attribute value for Riverbed 17163
local-user-name 1 STRING BOTH NO
I'm sure this is wrong!
Access Type = ACCESS_ACCEPT
local-user-name = shell:local-username=admin
Service-Type = 1
From the authentication log it would appear it doesn't send this at all to the device.
Regards
Ian Cowley
07-21-2014 05:47 PM
Hi Ian,
Did you ever resolve this issue?
I am trying to get the same working on ISE 1.1.2 (soon upgrading to 1.2.1).
I have the Authorization Profile configured to send local-user=admin attribute (at recommendation of Riverbed support) but this is not sent by ISE according to packet captures.
Sending Access Accept gives full access to Steelhead web GUI.
I think the attribute ID configured in the dictionary entry could be wrong (I currently have ID as 1).
Thanks,
Stephen.
07-22-2014 06:18 AM
Attributes Details
Service Template false
Access Type ACCESS_ACCEPT
Radius:Service-Type Administrative(6)
Riverbed:Local-User admin
Local user Dictionary Attribute ID is also '1'
The AuthProfile sends this if user is in correct AD group and device is Riverbed.
Seems to work. RiOS 8.5.2 through 8.6.0
IanC
07-22-2014 03:26 PM
Thanks Ian.
I've changed my authorization profile to have Radius:Service-Type as Administrative(6), still works.
Packet capture shows ISE sending AVP type 6 as Shell-User.
Riverbed user logs don't show anything pertaining to role being admin, apart from CLI login:
user stephencooper.adm: CLI launched for user stephencooper.adm and rbm admin
I tried creating an authorization profile for monitor, same settings but set local-user to monitor and Service-Type to NAS-Prompt (only going on the Cisco WLC access example). This causes ISE to send AVP type 6 as Exec-user, and the same entry in the user logs for CLI login. I get full access to the web GUI.
Could you please advise how you confirmed role access upon login, and also provide your config for monitor access?
Thank you!
Stephen.
07-29-2014 07:53 AM
Stephen
Let me check...
I might not have been as thorough as you!
IanC
07-29-2014 08:16 AM
OK, it works, though perhaps not as granularly as I'd like.
2 Authorization Rules; both identify the Riverbed device; VTY, PAP, Riverbed Device Group.
and either AD Group for Admins, or Service Desk (in my case).
The Permissions responses [Policy - Results - Authorization - Authorization Profiles] are:
Riverbed Admins:
Radius:Service-Type = Administrative
Riverbed:Local-User = admin [Policy - Policy Elements - Dictionary - System - Radius - RADIUS Vendors - Riverbed (17163) - Dictionary Attributes - Local-User 1 STRING BOTH ]
[result of this is Service Type =6, Local-User=admin]
Riverbed Monitor
Radius:Service-Type = Administrative
Riverbed:Local-User = monitor
[result of this is Service Type =6, Local-User=monitor]
It greys out the Configuration - Network and Optimization pages
Hope this helps
IanC
07-29-2014 04:19 PM
Thanks Ian, that has helped me figure out my issue.
I had admin and monitor as allowed values in the VSA setting, so it was sending a 1 or a 2 as the index for these allowed values which obviously the Steelhead didn't recognise.
I removed these and manually entered admin and monitor for Local-User in the Authorization Profiles and have confirmed it is now working.
Regards,
Stephen.
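The fix Stephen describes comes down to what bytes ISE puts inside the Vendor-Specific attribute: the Steelhead expects Local-User (vendor 17163, vendor type 1) to carry the string "admin" or "monitor", and a dictionary entry with "allowed values" makes ISE send a 4-byte integer index instead. The following is an added example, not code from the thread or from Cisco or Riverbed: it builds an Access-Accept with Service-Type = Administrative(6) and the Riverbed Local-User VSA in both the working string form and the broken indexed form, computes the RFC 2865 Response Authenticator the Steelhead checks before trusting any attribute, and decodes the VSA the way a packet capture would show it. The shared secret, Request Authenticator and packet identifier are constructed values; the encoding rules are plain RFC 2865.

```python
"""Encode and decode the Riverbed Local-User VSA in a RADIUS Access-Accept.
Added example; the Riverbed values come from the dictionary quoted in the thread."""
import hashlib
import struct
from typing import Iterator, List, Optional, Tuple

RIVERBED_VENDOR_ID = 17163          # VENDOR RBT 17163
RIVERBED_LOCAL_USER_TYPE = 1        # ATTRIBUTE Local-User 1 string RBT
ACCEPTED_ROLES = ("admin", "monitor")  # the two built-in Steelhead accounts

CODE_ACCESS_ACCEPT = 2              # RFC 2865 packet code
ATTR_SERVICE_TYPE = 6               # RFC 2865 standard attribute types
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_ADMINISTRATIVE = 6     # "Administrative(6)" in the ISE profile


def attribute(attr_type: int, value: bytes) -> bytes:
    """RFC 2865 TLV: Type (1 byte), Length (1 byte, includes the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def riverbed_local_user(role: str) -> bytes:
    """Working encoding: Vendor-Specific(26) = Vendor-Id 17163, vendor type 1,
    vendor length, then the role as an ASCII string."""
    payload = role.encode("ascii")
    sub_tlv = struct.pack("!BB", RIVERBED_LOCAL_USER_TYPE, 2 + len(payload)) + payload
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", RIVERBED_VENDOR_ID) + sub_tlv)


def riverbed_local_user_as_index(index: int) -> bytes:
    """Broken encoding: an 'allowed values' dictionary entry makes the server send a
    4-byte integer index (1 = admin, 2 = monitor) where the Steelhead expects a string."""
    sub_tlv = struct.pack("!BBI", RIVERBED_LOCAL_USER_TYPE, 6, index)
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", RIVERBED_VENDOR_ID) + sub_tlv)


def access_accept(identifier: int, request_authenticator: bytes, secret: bytes,
                  attrs: List[bytes]) -> bytes:
    """Access-Accept with the RFC 2865 Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(body))
    response_authenticator = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_authenticator + body


def response_authenticator_valid(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """The check a NAS performs before honouring any attribute in the reply."""
    header, received, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return received == expected


def iter_attributes(packet: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def riverbed_role(packet: bytes) -> Optional[str]:
    """Return the role carried in the Riverbed Local-User VSA, or None when the VSA
    is absent or its value is not a string the Steelhead recognises."""
    for attr_type, value in iter_attributes(packet):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != RIVERBED_VENDOR_ID:
            continue
        vendor_type, vendor_len = value[4], value[5]
        if vendor_type != RIVERBED_LOCAL_USER_TYPE or vendor_len != len(value) - 4:
            continue
        role = value[6:].decode("ascii", errors="replace")
        return role if role in ACCEPTED_ROLES else None
    return None


if __name__ == "__main__":
    # Constructed sample values: a fake Request Authenticator and shared secret.
    req_auth = bytes(range(16))
    secret = b"example-secret"
    service_type = attribute(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))
    good = access_accept(7, req_auth, secret, [service_type, riverbed_local_user("monitor")])
    bad = access_accept(7, req_auth, secret, [service_type, riverbed_local_user_as_index(2)])
    print("string form  ->", riverbed_role(good))   # monitor
    print("indexed form ->", riverbed_role(bad))    # None: value is b'\x00\x00\x00\x02'
```

Looking at a capture of the working profile, the VSA value should be the literal bytes of "admin" or "monitor" after the 6-byte vendor header; a 4-byte value of 00 00 00 01 or 00 00 00 02 is the indexed form and the Steelhead falls back to whatever Access-Accept alone grants it, which is why the monitor profile still gave full access.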
10-22-2019 03:20 AM
Hello together,
I have the same problem and I don't understand how to remove the index 1 and 2 manually.
I have tried several settings and I always get admin access.
Only monitor doesn't work for me.
What does "VSA settings" mean?
Kind Regards,
Jacob