03-27-2017 06:42 AM - edited 03-11-2019 12:34 AM
Hi,
I would like to log in to a NetScaler appliance using ISE as a RADIUS server to authenticate administrators. (ISE already uses Active Directory as an external identity source.) I do get authenticated, but only with read-only access to the NetScaler, which tells me RADIUS group extraction isn't happening. I'm pretty sure it's the AV pairs on the ISE box that aren't correct. I read on a blog that these are the values to use, but I'm not sure about the syntax.
Vendor Code: 3845
Attribute number: 25
Attribute value: ad_group_to_be_extracted
In my authorization profile, I've tried:
Vendor specific (attribute 26) = 3845
Class (attribute 25) = ad_group_to_be_extracted
Vendor specific (attribute 26) = 3845:25=ad_group_to_be_extracted
Any ideas?
09-29-2020 03:59 AM
Hi,
I was able to solve my issue. I created a RADIUS dictionary entry for vendor Citrix.
## ISE-Menu (for dictionary):
via Workcenter - Dictionaries - System - Radius - Radius Vendors = Add
or
via Policy - Dictionaries - System - Radius - Radius Vendors = Add
## Dictionary entry which I created:
Dictionary Name: Citrix
Description: Dictionary for Vendor Citrix (manually added)
Vendor ID: 3845
Vendor Attribute Type Field Length: 1
Vendor Attribute Size Field Length: 1
Dictionary Attributes:
Attribute Name: radGroupName (manually chosen name)
Description: manually defined attribute
Data Type: STRING
Direction: BOTH (do not know)
ID: 0 (not changed to other value)
## Creating a new authorization profile (under Policy - Results - Authorization - Authorization Profiles):
In the section "Advanced Attributes Settings" you can now select the dictionary "Citrix" in the first menu structure and also the attribute "radGroupName" you have configured (do not go under Radius - Vendor specific attribute anymore).
I still had problems when I tried to modify a profile which I created earlier with the Vendor specific attribute configuration
(error message: 15019 Could not find selected Authorization Profiles).
So I deleted this old authorization profile first (maybe you have to remove it from the policy set before) and created a completely new profile.
I also added "Service-Type : NAS-Prompt" but I could imagine that this would not be needed.
Regards Chris
## Similar article with some screenshots for Checkpoint Firewalls:
http://mdtnets.blogspot.com/2016/07/checkpoint-gaia-radius-authentication.html
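Added example, not part of the original posts and not Cisco or Citrix code: a small Python check for what the dictionary entry above should produce on the wire, useful when comparing against the attribute bytes of an Access-Accept from a packet capture (everything after the 20-byte RADIUS header). It assumes the RFC 2865 Vendor-Specific layout with 1-byte type and length sub-fields (matching the field lengths of 1 in the dictionary) and vendor attribute ID 0; the function names and the sample bytes are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26      # RADIUS attribute type for VSAs (RFC 2865)
CITRIX_VENDOR_ID = 3845   # Vendor ID used in the thread

def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute with 1-byte type/length sub-fields."""
    data = value.encode("utf-8")
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def parse_attributes(blob):
    """Yield (type, value) for each top-level attribute; reject bad lengths."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        yield atype, blob[i + 2:i + alen]
        i += alen

def extract_vsa_strings(blob, vendor_id, vendor_type):
    """Return string values of sub-attributes matching vendor_id/vendor_type."""
    found = []
    for atype, value in parse_attributes(blob):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue
        j = 4
        while j + 2 <= len(value):
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("bad sub-attribute length")
            if vtype == vendor_type:
                found.append(value[j + 2:j + vlen].decode("utf-8"))
            j += vlen
    return found

# Constructed sample: a plain Class (25) attribute, then the Citrix VSA.
GROUP = "ad_group_to_be_extracted"
CLASS_ATTR = bytes([25, 2 + len(GROUP)]) + GROUP.encode("utf-8")
SAMPLE = CLASS_ATTR + encode_vsa(CITRIX_VENDOR_ID, 0, GROUP)
```

A standard Class (25) attribute carrying the same string is a different attribute on the wire from a type 26 attribute with vendor 3845, so `extract_vsa_strings` returns nothing for it.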
09-28-2020 10:52 PM
Hi,
Has anybody found the reason why Cisco ISE does not like this configuration? Is there any syntax issue?
Regards,
Chris