04-21-2014 12:31 PM
Hello,
I want to give a client access to an S370 WSA quarantine, and I am using an ACS 4.1 for external authentication; that would be used for administrators and for the client access (non-administration access).
I have created a user role in the WSA that has access to the quarantine I want, but I need the user to be in the ACS. I created the user in ACS, but my question is: what should I configure or change in the ACS in order for the WSA to recognize the user with the specific role I created and not as an administrator role?
Thanks for your help!
Sergio
04-22-2014 12:05 AM
Hi,
This can be done by configuring the Radius Class attribute on the ACS and mapping it with the user roles on the WSA.
"To map RADIUS users to different Web Security appliance user role types, you assign a role type, such as Administrator and Operator, to a RADIUS CLASS attribute. Mapping different role types lets you specify the authorization level for each RADIUS user."
Please go to Page 26-12 of the WSA user guide http://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa7-5/user_guide/WSA_7-5-0_UserGuide.pdf for more information under the section "Using External Authentication".
Regards,
Kush
04-22-2014 03:48 PM
Thanks kushsriva!
The document was for the WSA, but it was useful anyway. The Class attribute in RADIUS uses number 25, and in the Cisco ACS it is indicated like this:
ou=definedclass
In the ESA I had to make a modification ("Map externally authenticated users to multiple local roles").
Thanks again kushsriva!!
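The Class-attribute-to-role mapping described in the answer and in Sergio's follow-up (RADIUS attribute 25 carrying `ou=definedclass`), as an added Python example that is not from the thread, from Cisco ACS or from the WSA/ESA code: it parses a constructed RADIUS Access-Accept, extracts the Class attributes and resolves the appliance role from a mapping table. The role names, the second Class value and the packet builder are assumptions made for the example; the point a defender wants is that a Class value with no mapping yields no role rather than silently falling back to Administrator.

```python
import struct
from typing import List, Optional, Tuple

# Assumed mapping: RADIUS Class value -> appliance role. "ou=definedclass" is the
# value quoted in the thread; the role names and "ou=wsa-admins" are placeholders.
ROLE_MAP = {
    "ou=definedclass": "QuarantineReadOnly",  # custom role created for the client
    "ou=wsa-admins": "Administrator",          # hypothetical value for full admin
}

RADIUS_USER_NAME = 1   # IETF attribute type numbers
RADIUS_CLASS = 25
ACCESS_ACCEPT = 2


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute TLVs that follow the 20-byte RADIUS header."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:   # reject truncated or oversized TLVs
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def role_for(packet: bytes) -> Optional[str]:
    """Return the role mapped from the first recognised Class attribute, else None.
    None means the user authenticated but holds no authorised role; the appliance
    should refuse the login instead of applying a default role."""
    for atype, value in parse_attributes(packet):
        if atype == RADIUS_CLASS:
            role = ROLE_MAP.get(value.decode("ascii", "replace"))
            if role:
                return role
    return None


def build_accept(user: str, class_values: List[str]) -> bytes:
    """Constructed Access-Accept for offline testing (authenticator zeroed, unsigned)."""
    body = bytes([RADIUS_USER_NAME, 2 + len(user)]) + user.encode()
    for cv in class_values:
        body += bytes([RADIUS_CLASS, 2 + len(cv)]) + cv.encode()
    header = struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(body)) + bytes(16)
    return header + body
```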