11-20-2012 11:47 PM
Hello,
Could someone point me to some docs explaining how to integrate an IronPort appliance with Cisco ACS server 5.1 for admin access, operator access and viewer access, and authentication logs (if possible)?
Appreciated.
Thanks
11-21-2012 03:04 AM
Hi,
Which IronPort appliance are you talking about?
The WSA, annoyingly, doesn't support multiple levels.
The SMA (management appliance) does, however: you need to create roles and then assign them to attribute 25 on the RADIUS server.
To set them up in the SMA:
System Administration -> Users
External Authentication -> Edit External Authentication
Select RADIUS and set that up: IP addresses, shared secret, and so on.
Then add roles in the group mapping.
Hope this helps.
Thanks
Chris
11-21-2012 05:18 AM
Hi, I appreciate your feedback:
Product: Cisco IronPort S370 Web Security Appliance
Model: S370
The option below allows adding different users with different roles:
Group Mapping: (screenshot not preserved)
The problem is that in ACS, under Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles, there is no Dictionary Type that matches the IronPort.
I hope to find the advice at your end.
thanks
11-21-2012 08:09 AM
Chris,
WSA 7.5 and higher has roles...
11-21-2012 08:12 AM
Cool, another reason to upgrade.
Cheers
11-21-2012 08:14 AM
Alex,
I'm not overly familiar with ACS, but I tried this on Juniper SBR. It didn't work there because of a bug in SBR...
You want to edit the users and add an attribute called "CLASS" with a value. Let's say that value for admins is WSAAdmin. It would look something like this:
Ken
11-25-2012 07:33 AM
Hi Alex,
You need to use the RADIUS Class (attribute 25) to map the username to the role you need.
I have tested it and it is working fine.
On the ACS, you need to add the WSA as an AAA RADIUS client and then create an authorization profile with RADIUS attributes; you need to create attributes whose value is the "username" that will be used to log in.
Also you need to complete the policy element configuration for the WSA.
On the WSA, you need to configure it like the following:
In the Group Mapping, the RADIUS CLASS attribute is the same as the "username" configured on the ACS in the Class 25 attribute.
Ex: "test" or "cisco", and then map it to the role (Administrator, Operator, ...).
Then log in to the device using the username/password. If you need to check that it is working, try the Guest role for testing purposes; the Reporting page will appear only with this role.
If you have any question, let me know.