cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1004
Views
5
Helpful
2
Replies

¿How to use user-roles in Ironport WSA (7.6) using ACS 4.1?

slizarraga
Beginner
Beginner

Hello,

I want to give a client access to a S370 WSA quarantine and I am using an ACS 4.1 for external authentication; that would be used for administrators and for the client access (non-administration access).

I have created a user-role in the WSA that has access to the quarantine I want, but I need the user to be in the ACS. I created the user in ACS but my question is, what should I configure or change in the ACS in order for the WSA to recognize the user with the specific role I created and not like an administrator role.

Thanks for your help!

Sergio

1 Accepted Solution

Accepted Solutions

kushsriva
Beginner
Beginner

Hi,

 

This can be done by configuring the Radius Class attribute on the ACS and mapping it with the user roles on the WSA.

 

"To map RADIUS users to different Web Security appliance user role types, you assign a role type, such
as Administrator and Operator, to a RADIUS CLASS attribute. Mapping different role types lets you
specify the authorization level for each RADIUS user."

 

Please go to Page 26-12 of the WSA user guide http://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa7-5/user_guide/WSA_7-5-0_UserGuide.pdf for more information under the section "Using External Authentication".

 

 

Regards,

Kush

View solution in original post

2 Replies 2

kushsriva
Beginner
Beginner

Hi,

 

This can be done by configuring the Radius Class attribute on the ACS and mapping it with the user roles on the WSA.

 

"To map RADIUS users to different Web Security appliance user role types, you assign a role type, such
as Administrator and Operator, to a RADIUS CLASS attribute. Mapping different role types lets you
specify the authorization level for each RADIUS user."

 

Please go to Page 26-12 of the WSA user guide http://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa7-5/user_guide/WSA_7-5-0_UserGuide.pdf for more information under the section "Using External Authentication".

 

 

Regards,

Kush

Thanks kushsriva !

The document was for the WSA but it was usefull anyway. The class attribute in Radius uses number 25  and in the Cisco ACS is indicated like this:

ou=definedclass

In the ESA I had to make a modification ("Map externally authenticated users to multiple local roles".

Thanks again kushsriva!!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: