Integrate WSA 7.5 with ACS 5.2

hector.ricapa
Level 1

Hello All,

I would like to assign Roles to users using external authentication via Radius (ACS 5.2). The Ironport user guide documentation says that I have to map a Radius Class to a Role, but I don't know what attribute to add or modify in ACS 5.2 in order to make it work.

Thanks in advance.

3 Replies

Erik Kaiser
Cisco Employee

Hi Hector,

I will have to investigate this further to provide you with an answer.

Sincerely,

Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator

OK Erik, thanks a lot.

Ahmad Murad
Level 1

Hello Hector,

You need to use Radius Class 25 Attributes to map the username to the role you need.

I have tested it and it is working fine.

On the ACS, you need to add the WSA as an AAA Radius client and then create an authorization profile, and on Radius Attributes, you need to create attributes with the Value "username" that will be used to log in.

Also you need to complete the policy element configuration for the WSA.

On the WSA, you need to configure it like the following:

On the Group-Mapping, the RADIUS CLASS attribute is the same as "username" configured on the ACS with the Class 25 attributes.

Ex: "test", or "cisco" and then map it to the role (Administrator, Operator, ....)

Then log in to the device using the username/password. If you need to check that it is working, try the Guest role for testing purposes; the Reporting page will appear only with this role.

If you have any questions, let me know.

Thanks.

Ahmad.
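
The mapping described in the answer above, shown as an added example that is not from the thread or from Cisco: a RADIUS client checks the Access-Accept's Response Authenticator, reads the Class attribute (type 25, RFC 2865) and maps its value to a role. The shared secret, the `guest-users` Class value and the role table are constructed for illustration, and returning no role when nothing matches is this example's choice, not documented WSA behaviour.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code (RFC 2865)
ATTR_CLASS = 25    # Class attribute type (RFC 2865)

# Hypothetical Group-Mapping table: Class value -> role (values constructed).
CLASS_TO_ROLE = {"test": "Administrator", "cisco": "Operator", "guest-users": "Guest"}


def build_accept(ident, request_auth, secret, attrs):
    """Build a constructed Access-Accept, standing in for the ACS reply."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def parse_attributes(body):
    """Return [(type, value), ...] from the attribute TLVs; reject malformed ones."""
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((body[pos], body[pos + 2:pos + body[pos + 1]]))
        pos += body[pos + 1]
    return attrs


def role_from_accept(packet, request_auth, secret):
    """Return the role mapped from Class, or None if no role may be granted."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        return None
    body = packet[20:length]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # reply was not produced by a holder of the shared secret
    for atype, value in parse_attributes(body):
        role = CLASS_TO_ROLE.get(value.decode("utf-8", "replace"))
        if atype == ATTR_CLASS and role:
            return role
    return None  # authenticated reply, but no mapped Class value: grant nothing
```
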