IronPort and Cisco ACS5.1 AAA integration

alex-bank
Level 1

Hello,

Could someone point me to some docs explaining how to integrate an IronPort appliance with Cisco ACS server 5.1 for admin access, operator access and viewer access, and authentication logs (if possible)?

Appreciated.

Thanks

6 Replies

Chris Illsley
Level 3

Hi,

Which IronPort appliance are you talking about?

The WSA, annoyingly, doesn't support multiple levels.

For the SMA (the management appliance) it does; you need to create roles and then assign them to attribute 25 on the RADIUS server.

To set them up in the SMA:

System Administration -> Users

External Authentication -> Edit External Authentication

Select RADIUS and set that up: IP addresses, shared secret, ...

Then add roles in the group mapping.

Hope this helps.

Thanks

Chris

Hi, I appreciate your feedback:

Product: Cisco IronPort S370 Web Security Appliance

Model: S370

The option below allows adding different users with different roles:

Group Mapping:
RADIUS CLASS Attribute 

The problem is that in ACS, under

Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles

there is no

Dictionary Type:

that matches the IronPort.

I hope to find the advice at your end.

Thanks

Chris,

WSA 7.5 and higher has roles...

Cool, another reason to upgrade.

Cheers

Alex,

I'm not overly familiar with ACS, but I tried this on Juniper SBR.  It didn't work there because of a bug in SBR...

You want to edit the users and add an attribute called "CLASS" with a value. Let's say that value for admins is WSAAdmin. It would look something like this:

Ken

Ahmad Murad
Level 1

Hi Alex,

You need to use the RADIUS Class attribute (attribute 25) to map the username to the role you need.

I have tested it and it is working fine.

On the ACS, you need to add the WSA as a AAA RADIUS client and then create an authorization profile with RADIUS attributes; you need to create the attributes with the value ("username") that will be used to log in.

Also you need to complete the policy element configuration for the WSA.

On the WSA, you need to configure it like the following:

On the Group-Mapping, the RADIUS CLASS attribute is the same as "username" configured on the ACS with the Class 25 attributes.

E.g. "test" or "cisco", and then map it to the role (Administrator, Operator, ...).

Then log in to the device using the username/password. If you need to check that it is working, try the Guest role for testing purposes; the Reporting page will appear only with this role.

If you have any question, let me know.
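As an added example (not code from the thread, from Cisco, or from the WSA itself), the following Python shows what the appliance side of the CLASS mapping that Ken and Ahmad describe has to do with a RADIUS reply: build a constructed Access-Accept carrying attribute 25, verify its Response Authenticator against the shared secret before trusting anything in it, then look the CLASS value up in a Group Mapping table. The role names WSAAdmin/WSAOps/WSAGuest, the shared secret and the fixed request authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the thread); a real Request Authenticator is random.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
ACCESS_ACCEPT = 2
ATTR_CLASS = 25  # RFC 2865 Class attribute, the one the WSA Group Mapping reads
# Hypothetical mapping mirroring the WSA Group Mapping page: CLASS value -> role.
ROLE_MAP = {"WSAAdmin": "Administrator", "WSAOps": "Operator", "WSAGuest": "Guest"}

def build_access_accept(ident, attrs, secret=SHARED_SECRET, req_auth=REQUEST_AUTH):
    """Build an Access-Accept whose Response Authenticator follows RFC 2865 s.3."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + req_auth + body + secret).digest()
    return header + resp_auth + body

def verify_response(packet, secret=SHARED_SECRET, req_auth=REQUEST_AUTH):
    """True only if the Response Authenticator matches the shared secret: a reply
    from a host without the secret, or a CLASS altered in transit, fails here."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attributes(packet):
    """Return [(type, value), ...] from the TLV attribute list, rejecting bad lengths."""
    pos, out = 20, []
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, ln = packet[pos], packet[pos + 1]
        if ln < 2 or pos + ln > len(packet):
            raise ValueError("bad attribute length")
        out.append((t, packet[pos + 2:pos + ln]))
        pos += ln
    return out

def role_for_response(packet, role_map=ROLE_MAP, secret=SHARED_SECRET, req_auth=REQUEST_AUTH):
    """Mimic the Group Mapping: the first CLASS value with a mapping wins; an
    unverifiable reply, a non-Accept, or an unmapped CLASS yields no role."""
    if not verify_response(packet, secret, req_auth) or packet[0] != ACCESS_ACCEPT:
        return None
    for t, v in parse_attributes(packet):
        if t == ATTR_CLASS and v.decode("ascii", "replace") in role_map:
            return role_map[v.decode("ascii", "replace")]
    return None
```

The unmapped-CLASS case is the one to test first on a real appliance: a user whose CLASS value is absent from the Group Mapping must be refused rather than silently given a default role.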
