Setup RADIUS Authentication Groups Between ProxySG And FreeRADIUS

Article ID: 166484


Products

ProxySG Software - SGOS

Issue/Introduction

FreeRADIUS

 

1. Download and install FreeRADIUS from http://freeradius.org/getting.html (Source code). The example below is based on the default installation directory/folder.

2. Edit the C:\FreeRADIUS.net\etc\raddb\dictionary file with WordPad and add the line:

$INCLUDE       ../share/freeradius/dictionary.bluecoat

Before:

$INCLUDE       ../share/freeradius/dictionary

After:

$INCLUDE       ../share/freeradius/dictionary
$INCLUDE       ../share/freeradius/dictionary.bluecoat

3. Save the file.

4. Place the dictionary.bluecoat file from the Attachment section in C:\FreeRADIUS.net\share\freeradius.

5. Edit C:\FreeRADIUS.net\etc\raddb\clients.conf with WordPad and create the following entry:

client 10.10.10.10 {
    secret    = secret64
    shortname = ProxySG64
}

Replace 10.10.10.10 with the IP address of your Edge SWG. Refer to the clients.conf in the Attachment section for an example.

 

6. Edit C:\FreeRADIUS.net\etc\raddb\users.conf with WordPad and create the following entries for testing purposes:

#admin1 is an Administrator only
admin1    User-Password == "pass1"
          Blue-Coat-Group += "BCadmin"

#admin2 is an Administrator and FTP user
admin2    User-Password == "pass2"
          Blue-Coat-Group += "BCadmin",
          Blue-Coat-Group += "FTP"

#ftpuser1 is an FTP user only
ftpuser1  User-Password == "ftppass1"
          Blue-Coat-Group += "FTP"

Refer to users.conf in the Attachment section for an example.

 

 

Edge SWG

 

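  1. Go to the SGAC -> Configuration -> Authentication -> Realms and Domains section and add a new RADIUS Realm.
  2. Use the following entry:

Realm name: My_RADIUS_Realm

Primary server host: 10.105.1.65

Secret: secret64

Confirm secret: secret64

Primary server host is the address of the FreeRADIUS server. The secret must match the secret set for this client in clients.conf.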

 

  3. Click Apply, then Save..., then Save Changes, then Close.
  4. Go to the Visual Policy Manager. Click Add a Layer, then Admin Authentication, then press Add.
  5. Provide the layer a name (or leave default) and press OK.
  6. Click on the column under Action and choose Set.
  7. Click Add a new object.
  8. Click Admin Authenticate, then select My_RADIUS_Realm under Realm. Then click Apply, then Set.
  9. Click Add Layer, then Admin Access, then Add. Provide the layer a name (or leave default), then press OK. An Admin Access Layer tab will be created.
  10. Click on the Deny column under Action and choose Allow Read/Write Access.
  11. Click on the column below Source and choose Set.
  12. Click Add new object, then Group. Enter “BCadmin” as the name of the group. Set My_RADIUS_Realm as the authentication realm.
  13. Click Apply, then Set, and you will see the following screen.
  14. Users with the Blue-Coat-Group attribute defined as “BCadmin” will have read/write administrative access to the Edge SWG.
  15. Click Add Layer, Web Authentication Layer, Add, OK. A Web Authentication Layer tab will be created.
  16. Click on the column below Action and choose Set. Click Add new object, then Authenticate.
  17. The screen below will be brought up. Click Apply and Set and you will get the following screen.
  18. Click Add Layer, then select Web Access Layer. The Web Access Layer tab will be created.
  19. Click on the column below Action and choose Allow.
  20. Click on the column below Source and choose Set.
  21. Click Add new object, then Group.
  22. Enter FTP as the name of the group and set the realm to My_RADIUS_Realm.
  23. Click Apply, then Set.
  24. Click on the column below Service and choose Set.
  25. Click Add new object, then Client Protocol.
  26. Choose FTP and All FTP.
  27. Click Apply, then Set, and you will be brought back to the main VPM screen.
  28. Click Apply Policy, then OK.

 




Resolution

This example shows how the Blue-Coat-Group RADIUS attribute can be used to group users together. Users admin1 and admin2 will be able to access the Management Console with their RADIUS account. Users admin2 and ftpuser1 will be able to use the Proxy for FTP.
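
To review the group assignments before they reach the proxy, the following Python script parses users-file entries in the format shown in step 6 and reports which access each user receives and who holds admin rights. It is an added example, not part of the original article or of FreeRADIUS or SGOS; the sample text, the POLICY mapping and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the three test entries from step 6 of the FreeRADIUS section.
USERS_CONF = '''\
#admin1 is an Administrator only
admin1    User-Password == "pass1"
          Blue-Coat-Group += "BCadmin"

#admin2 is an Administrator and FTP user
admin2    User-Password == "pass2"
          Blue-Coat-Group += "BCadmin",
          Blue-Coat-Group += "FTP"

#ftpuser1 is an FTP user only
ftpuser1  User-Password == "ftppass1"
          Blue-Coat-Group += "FTP"
'''

# Assumed mapping that mirrors the Admin Access and Web Access layers built in the VPM.
POLICY = {"BCadmin": "admin read/write", "FTP": "FTP through proxy"}
ITEM = re.compile(r'([\w-]+)\s*(\+=|==|:=|=)\s*"([^"]*)"')

def parse_groups(text):
    """Return {user: [Blue-Coat-Group reply values]} from users-file text."""
    groups, user = defaultdict(list), None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                       # skip blank lines and comments
        if not line[0].isspace():          # unindented line starts a new entry
            user = line.split(None, 1)[0]
            groups[user]                   # register users that have no group
            continue                       # first line holds check items only
        for attr, _op, value in ITEM.findall(line):
            if attr == "Blue-Coat-Group" and user:
                groups[user].append(value)
    return dict(groups)

def access_report(groups):
    """Map each user to the access granted; unknown groups grant nothing."""
    return {u: sorted(POLICY[g] for g in gs if g in POLICY) for u, gs in groups.items()}

def audit(groups):
    """Return (users with admin access, groups no policy layer references)."""
    admins = sorted(u for u, gs in groups.items() if "BCadmin" in gs)
    unmapped = sorted({g for gs in groups.values() for g in gs} - set(POLICY))
    return admins, unmapped

if __name__ == "__main__":
    print(access_report(parse_groups(USERS_CONF)), audit(parse_groups(USERS_CONF)))
```

A group name that appears in the users file but in no policy layer shows up in the second value returned by audit, which catches typos such as a misspelled group before a user is silently denied.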

Attachments

Attachments.zip