How to use user-roles in IronPort WSA (7.6) using ACS 4.1?

slizarraga
Level 1

Hello,

I want to give a client access to an S370 WSA quarantine and I am using an ACS 4.1 for external authentication; that would be used for administrators and for the client access (non-administration access).

I have created a user-role in the WSA that has access to the quarantine I want, but I need the user to be in the ACS. I created the user in ACS, but my question is: what should I configure or change in the ACS in order for the WSA to recognize the user with the specific role I created and not as an administrator role?

Thanks for your help!

Sergio

Accepted Solutions

kushsriva
Level 1

Hi,

This can be done by configuring the RADIUS Class attribute on the ACS and mapping it with the user roles on the WSA.

"To map RADIUS users to different Web Security appliance user role types, you assign a role type, such as Administrator and Operator, to a RADIUS CLASS attribute. Mapping different role types lets you specify the authorization level for each RADIUS user."

Please go to Page 26-12 of the WSA user guide http://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa7-5/user_guide/WSA_7-5-0_UserGuide.pdf for more information under the section "Using External Authentication".

Regards,

Kush

Thanks kushsriva !

The document was for the WSA but it was useful anyway. The class attribute in Radius uses number 25 and in the Cisco ACS it is indicated like this:

ou=definedclass

In the ESA I had to make a modification ("Map externally authenticated users to multiple local roles").

Thanks again kushsriva!!
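
The Class-to-role mapping discussed in the accepted solution and the follow-up reply, as an added example that is not part of the original thread and is not Cisco's code: it verifies a RADIUS Access-Accept, extracts attribute 25 (Class), and resolves a local role, returning no role at all when the Class is missing or unmapped instead of falling back to an administrator. The role name `QuarantineViewer`, the `ou=wsa-admins` value, the shared secret and the `ROLE_MAP` table are assumptions made for the example.

```python
import hashlib, hmac, struct

ACCESS_ACCEPT, CLASS = 2, 25          # RFC 2865 packet code and Class attribute type
# Hypothetical mapping for this example; "QuarantineViewer" and "ou=wsa-admins" are constructed.
ROLE_MAP = {"ou=definedclass": "QuarantineViewer", "ou=wsa-admins": "Administrator"}

def build_accept(ident, request_auth, secret, attrs):
    """Build a constructed Access-Accept so the example runs offline."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body

def classes_from_accept(packet, request_auth, secret):
    """Return every Class value from a verified Access-Accept; raise ValueError otherwise."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    packet = packet[:length]           # octets past Length are padding
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator")
    values, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attr_type, attr_len = body[i], body[i + 1]
        if attr_type == CLASS:
            values.append(body[i + 2:i + attr_len].decode("utf-8", "replace"))
        i += attr_len
    return values

def resolve_role(class_values):
    """Fail closed: a missing, unmapped or ambiguous Class yields no role at all."""
    roles = {ROLE_MAP[v] for v in class_values if v in ROLE_MAP}
    return roles.pop() if len(roles) == 1 else None

if __name__ == "__main__":
    secret, req_auth = b"constructed-secret", bytes(range(16))   # constructed values
    pkt = build_accept(7, req_auth, secret, [(18, b"welcome"), (CLASS, b"ou=definedclass")])
    print(resolve_role(classes_from_accept(pkt, req_auth, secret)))
```
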
