Set up RADIUS authentication to Director on Cisco ACS server

Article ID: 166894

Products

Director

Issue/Introduction

To set up RADIUS authentication to Director, you must configure the RADIUS server and the Director appliance. Refer to "Administering Director" in the Director Configuration and Management Guide for instructions on configuring the appliance.

This document contains instructions for configuring RADIUS authentication in Cisco ACS 4.x and 5.4.

Cisco ACS 4.x

  1. Create a Network Device group.
    1. Click the Network Configuration button.
      A list of existing Network Device groups displays.
    2. Click Add Entry, enter a name for the group, and enter the key (shared secret) that the Director appliances in this group will use.
  2. Create one AAA client for each Director appliance that uses the RADIUS protocol.
    1. In the Network Device Groups list, select the group you created in step 1.
    2. Under AAA Clients, click Add Entry.
    3. For AAA Client Hostname, specify a name. You can use the IP address as the name.
    4. For AAA Client IP Address, specify the IP address of the Director appliance.
    5. For Network Device Group, select the group you created in step 1.
    6. Select RADIUS (Bluecoat) as the protocol.
    7. Click Submit + Apply.
      If you click only Submit, you might be prompted to restart the ACS server; restart it (select System Configuration > Service Control).
  3. Create a group.
    1. Click Group Setup and select an unused group.
    2. Click Rename and enter a name such as "Director users".
    3. Select the group you created and click Edit Settings.
    4. Scroll down to Enable Options, click Max Privilege for any AAA client, and set it to level 15.
    5. In the drop-down list, select the Network Device group you created in step 1 and click Add Association to associate it with this user group.
  4. Create a user.
    1. Click User Setup.
    2. In the window, specify a username and click Add/Edit.
    3. Enter details for the user, including the following:
      • Real name
      • Description
      • Password - This must contain only alphanumeric characters and must not exceed 16 bytes in length. (You do not need a separate CHAP/MS-CHAP/ARAP password.)
    4. Assign the user to the group you created in step 3.
      Tip: You can add users to a group created for a specific purpose or to a generic group. In either case, the user group must be associated with the Device group for this AAA client.
    5. Leave all other options set to their defaults and scroll down to IETF RADIUS Attributes.
    6. Enable the Service-Type attribute and set it to Administrative (the value Director maps to privilege level 15).
    7. Click Submit.

Cisco ACS 5.4

Support for Cisco ACS 5.4 was introduced in SGME 6.1.15.1.
ACS Version Tested: 5.4.0.46.0a

  1. Create a Network Device group.
    1. Select Network Resources > Network Device Groups.
      A list of existing Network Device groups displays.
    2. Click Create and enter a name and description.
    3. Click Submit.
  2. Add Director as an AAA client.
    1. Select Network Resources > Network Devices and AAA Clients.
    2. Click Create.
    3. For Name, specify a name. You can use the IP address as the name.
    4. For IP Address, select Single IP Address and specify the IP address of the Director appliance in the field.
    5. Under Network Device Groups, for Device Type, select the group you created in step 1.
    6. For Authentication Options, select RADIUS and enter the key (shared secret).
    7. Click Submit.
  3. Create a group.
    1. Select Users and Identity Stores  > Identity Groups.
    2. Click Create.
    3. Enter a name and description for the group.
    4. Click Submit.  
  4. Create a user.
    1. Select Users and Identity Stores > Internal Identity Stores > Users.
    2. In the window, specify a username and click Create.
    3. Enter details for the user, including the following:
      • Real name
      • Description
      • Password - This must contain only alphanumeric characters and must not exceed 16 bytes in length. (You do not need a separate CHAP/MS-CHAP/ARAP or enable password.)
    4. Assign the user to the group you created in step 3.
      Tip: You can add users to a group created for a specific purpose or to a generic group. In either case, the user group must be associated with the Device group for this AAA client.
    5. Click Submit.
  5. Create an Authorization profile.
    1. Select Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles.
    2. Click Create and enter a Name and Description for the profile.
    3. Click the RADIUS Attributes tab and set Dictionary Type to RADIUS-IETF.
    4. Select Service-Type as the RADIUS attribute.
    5. Select the Enum Name (value) for Service-Type that corresponds to the privilege level the user should have on Director. Service-Type values 1 (Login), 6 (Administrative), 7 (NAS Prompt) and 9 (Callback NAS Prompt) map to Director privilege levels 1, 15, 7 and 10 respectively; Administrative (6) is the usual choice for administrators.
       Note: Other enum values can be mapped to Director privilege levels on the Director CLI as follows:
      director (config) # radius-server response-stype <1-11> privilege <1,7,10,15>
  6. Create the access policy.
    1. Select Access Policies > Access Services.
    2. Click Create.
    3. For Name, enter "Radius access policy".
    4. For User Selected Service Type, select Network Access.
    5. Click Next.
    6. In Step 2 - Allowed Protocols, select Allow PAP/ASCII.
      Because the allowed protocol is PAP/ASCII, the user password crosses the network protected only by the RFC 2865 MD5-based hiding keyed with the shared secret: use a long, random shared secret and keep the RADIUS traffic on a management network.
    7. Click Finish.
    8. Select Access Policies > Access Services > Radius access policy > Identity.
    9. Select Single result selection.
    10. For Identity Source, select Internal Users.
    11. Click Submit.
    12. Select Access Policies > Access Services > Radius access policy > Authorization.
    13. Create an authorization rule with valid conditions and, as its result, select the Authorization profile that you created in step 5.
    14. Click Submit.
  7. Enable the access policy.
    1. Select Access Policies > Service Selection Rules.
    2. Select Rule based result selection and click Create.
    3. Enter a name for the rule.
    4. For Status, select Enabled.
    5. Under Conditions, select Protocol and select RADIUS.
    6. For Service, select Radius access policy (the access service created in step 6).
    7. Click OK.
      When the rule is enabled, the rules list displays it with a green icon.
  8. Reload the server or restart the ACS service.
    Note: Before testing, make sure the Service Selection Rule has valid conditions and that it selects the access service you created; otherwise Director's requests are never matched and no Access-Accept is returned.
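Both procedures above end with the same exchange: Director sends a PAP Access-Request, ACS answers with an Access-Accept carrying Service-Type, and Director maps that value to a privilege level (1, 6, 7, 9 to 1, 15, 7, 10). The following is an added example, not code from this article, from Blue Coat or from Cisco, that models that exchange offline in Python so the attribute mapping and the shared-secret check can be exercised without an ACS: it builds the Access-Request Director would send, stands in for ACS with a constructed user entry, and on the Director side verifies the Response Authenticator with the shared secret before trusting Service-Type. The user diradmin, the NAS address 192.0.2.10, the shared secret and the ACS stand-in are constructed assumptions; the wire format follows RFC 2865.

```python
"""Offline model of the Director <-> Cisco ACS RADIUS exchange (added example, not vendor code)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6

# Service-Type enum -> Director privilege level, as listed in the article:
# 1 Login -> 1, 6 Administrative -> 15, 7 NAS Prompt -> 7, 9 Callback NAS Prompt -> 10
SERVICE_TYPE_TO_PRIVILEGE = {1: 1, 6: 15, 7: 7, 9: 10}


def pap_hide(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide; this is what the server does before checking the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type-Length-Value encoding of a list of (type, value bytes)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse TLVs, rejecting lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """Director side: PAP/ASCII Access-Request with a random 16-byte Request Authenticator."""
    authenticator = authenticator or os.urandom(16)
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, pap_hide(password.encode(), secret, authenticator)),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body, authenticator


def acs_respond(request, secret, users, service_type):
    """Constructed stand-in for ACS: check the PAP password, return Service-Type on accept."""
    code, ident, _ = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], dict(decode_attrs(request[20:]))
    user = attrs[USER_NAME].decode()
    ok = code == ACCESS_REQUEST and users.get(user) == pap_reveal(attrs[USER_PASSWORD], secret, req_auth)
    body = encode_attrs([(SERVICE_TYPE, struct.pack("!I", service_type))]) if ok else b""
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def director_evaluate(response, request_authenticator, secret, expected_ident):
    """Director side: verify the Response Authenticator before trusting any attribute, then map Service-Type."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != expected_ident:
        raise ValueError("length or identifier mismatch")
    body = response[20:]
    expected = hashlib.md5(response[:4] + request_authenticator + body + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    if code != ACCESS_ACCEPT:
        return None
    service_type = next((struct.unpack("!I", v)[0] for t, v in decode_attrs(body)
                         if t == SERVICE_TYPE and len(v) == 4), None)
    return SERVICE_TYPE_TO_PRIVILEGE.get(service_type)  # None if unmapped or absent


def simulate(password="Pa55word", service_type=6, shared_secret=b"directorkey", reply_secret=None):
    """One in-memory exchange; reply_secret lets a caller fake a key mismatch between the two sides."""
    users = {"diradmin": b"Pa55word"}  # constructed internal identity store entry
    request, req_auth = build_access_request(0x2A, "diradmin", password, shared_secret, "192.0.2.10")
    response = acs_respond(request, reply_secret or shared_secret, users, service_type)
    return director_evaluate(response, req_auth, shared_secret, 0x2A)


if __name__ == "__main__":
    print("privilege level for Service-Type Administrative:", simulate())
```

A key typed differently on the two sides does not produce a clean Access-Reject: the Response Authenticator check fails and the reply is discarded, so from the client's point of view the server simply times out. That is the usual symptom to check for before revisiting the policy rules.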