Set up Cisco ACS for RADIUS authentication on the ProxyAV

Article ID: 168449

Products

ProxyAV Software - AVOS

Issue/Introduction

This document contains instructions for configuring RADIUS authentication in Cisco ACS 5.4 for a ProxyAV; the same configuration also applies to ProxySG.

Resolution


1. Log in as acsadmin

2. Add Bluecoat in Vendor Specific Dictionary
Click System Administration -> Configuration -> Dictionaries -> Protocols -> RADIUS -> RADIUS VSA -> Create

Enter Name: Bluecoat
Vendor ID: 14501
Click Submit

3. Modify Bluecoat in RADIUS Dictionaries
Click System Administration -> Configuration -> Dictionaries -> Protocols -> RADIUS -> RADIUS VSA -> Bluecoat -> Create

Enter Attribute: Blue-Coat-Group
Vendor Attribute ID: 1
Direction: BOTH
Multiple Allowed: False (check the Include attribute in log box)
Attribute Type: Unsigned Integer 32
Click Submit

Click Create
Enter Attribute: Blue-Coat-Authorization
Vendor Attribute ID: 2
Direction: BOTH
Multiple Allowed: False (check the Include attribute in log box)
Attribute Type: Unsigned Integer 32
Click Submit

4. Add Authorization Profiles
Click Policy Elements  -> Authorization and Permissions -> Network Access -> Authorization Profiles -> Create

In General tab, enter Name: ProxyAV Auth
In Radius Attributes tab,
Dictionary type: select RADIUS-Bluecoat from the drop down menu
RADIUS Attribute: click select -> select Blue-Coat-Group -> click OK
Attribute Type: Unsigned Integer 32
Attribute Value: Static
Value: 2
Click ADD

In Radius Attributes tab,
Dictionary type: select RADIUS-Bluecoat from the drop down menu
RADIUS Attribute: click select -> select Blue-Coat-Authorization -> click OK
Attribute Type: Unsigned Integer 32
Attribute Value: Static
Value: 2
Click ADD
Click Submit
 
Note:
Blue-Coat-Authorization value 0 means No-Access
Blue-Coat-Authorization value 1 means Read-Only-Access
Blue-Coat-Authorization value 2 means Read-Write-Access
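The two VSAs defined in steps 3 and 4 are carried in the Access-Accept as RFC 2865 Vendor-Specific (type 26) attributes under vendor ID 14501. The Python below is an added example, not Blue Coat or Cisco code: it encodes those attributes, parses them back out of a RADIUS attribute list, and maps Blue-Coat-Authorization to the access levels in the note above. The vendor ID, attribute numbers and value meanings come from this article; treating a missing or unrecognised value as No-Access is an assumption about how a cautious client should behave.

```python
import struct

# Dictionary values from the ACS steps above (Blue Coat vendor ID and VSA numbers).
BLUECOAT_VENDOR_ID = 14501
VSA_GROUP = 1              # Blue-Coat-Group
VSA_AUTHORIZATION = 2      # Blue-Coat-Authorization
ATTR_VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute type
# Meaning of Blue-Coat-Authorization values, as stated in the note above.
ACCESS_LEVELS = {0: "No-Access", 1: "Read-Only-Access", 2: "Read-Write-Access"}


def encode_bluecoat_vsa(vendor_type: int, value: int) -> bytes:
    """Encode one Blue Coat VSA (Unsigned Integer 32) as an RFC 2865 attribute:
    Type=26, Length, Vendor-Id(4), Vendor-Type(1), Vendor-Length(1), Value(4)."""
    payload = struct.pack("!IBBI", BLUECOAT_VENDOR_ID, vendor_type, 6, value)
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(payload)) + payload


def parse_bluecoat_vsas(attrs: bytes) -> dict:
    """Return {vendor_type: value} for Blue Coat VSAs in a RADIUS attribute list.
    Other vendors' VSAs are skipped; malformed lengths raise instead of being guessed."""
    found, pos = {}, 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute length")
        body = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(body) < 4:
            continue
        if struct.unpack("!I", body[:4])[0] != BLUECOAT_VENDOR_ID:
            continue  # another vendor's VSA, not part of this dictionary
        sub, spos = body[4:], 0
        while spos + 2 <= len(sub):
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen != 6 or spos + vlen > len(sub):  # only Unsigned Integer 32 is defined
                raise ValueError("malformed Blue Coat VSA")
            found[vtype] = struct.unpack("!I", sub[spos + 2:spos + 6])[0]
            spos += vlen
    return found


def access_level(attrs: bytes) -> str:
    """Map Blue-Coat-Authorization to an access level. Assumption: a missing or
    unknown value is treated as No-Access (deny by default)."""
    value = parse_bluecoat_vsas(attrs).get(VSA_AUTHORIZATION)
    return ACCESS_LEVELS.get(value, "No-Access")
```

Concatenating `encode_bluecoat_vsa(VSA_GROUP, 2)` and `encode_bluecoat_vsa(VSA_AUTHORIZATION, 2)` reproduces the attribute list the ProxyAV Auth profile above sends, and `access_level` on it returns Read-Write-Access.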


5. Add Network Device Type
Click Network Resources -> Network Device Groups -> Device Type -> Create

Enter Name: ProxyAV
Click Submit

6. Add Network Device Location
Click Network Resources -> Network Device Groups -> Location -> Create

Enter Name: Sunnyvale
Click Submit

7. Add Network Device
Click Network Resources -> Network Devices and AAA Clients -> Create

Enter Name: AV2400
Location: click Select -> select Sunnyvale -> click OK
Device Type: click Select -> select ProxyAV -> click OK
Select Single IP Address -> IP: enter the IP address of the ProxyAV (e.g. 10.78.51.135)
Check RADIUS under Authentication Options
Shared Secret: enter the shared secret (e.g. shared)
Click Submit

8. Add Identity Groups
Click Users and Identity Stores -> Identity Groups -> Create

Enter Name: ProxyAV Admin
Click Submit

9. Add Internal Users
Click Users and Identity Stores -> Internal Identity Stores -> Users -> Create

Enter Name: User1
Status: Enable
Identity Group: click Select -> select ProxyAV Admin -> click OK
Password Type: Internal Users
Password: testing123
Confirm Password: testing123
Click Submit

10. Add Access Policies
Click Access Policies -> Access Services -> Create

Enter Name: ProxyAV Access
Select User Selected Service Type: Network Access
In Policy Structure, check Identity and Authorization

Click Next
Check Process Host Lookup and Allow PAP/ASCII

Click Finish
Click Yes when prompted: "Access Service created successfully. Would you like to modify the Service Selection policy to activate this service?"

Click Customize

Select NDG: Device Type to add to the right column and move it to the top

Click OK

Click Create

Enter Name: Rule-ProxyAV
Status: Enable
Check NDG: Device Type: in -> select ProxyAV -> click OK
Service: ProxyAV Access

Click OK

Check Rule-ProxyAV and move it to the top of the list
Click Save Changes

Click Access Policies -> Access Services -> ProxyAV Access -> Identity

Select Rule based result selection

Click OK at the prompt: "You switched from single to rule-based result selection. Any settings saved in the single mode will be lost when you Submit. Click OK to continue."

Click Customize

Select NDG: Device Type -> add to the right column
Remove Compound Condition from the right column

Click OK -> Create

Enter Name: ProxyAV2400
Status: Enabled
Check NDG: Device Type: in -> select ProxyAV -> click OK
Identity Source: select Internal Users

Click OK -> Save Changes

Click Access Policies -> Access Services -> ProxyAV Access -> Authorization

Click Customize

Select Identity Group to add to the right column
Remove Compound Condition from the right column

Click OK -> Create

Enter Name: Rule-ProxyAV Admin
Status: Enabled
Check Identity Group: in -> select ProxyAV Admin -> click OK
Click Select from Authorization Profiles

Select ProxyAV Auth -> click OK

Click OK -> Save Changes

Click Access Policies -> Access Services

11. Modify ProxyAV RADIUS Authentication
Log in as the ProxyAV local admin
Open a web browser to the ProxyAV management interface (e.g. https://<IP Address of ProxyAV Web Portal>:8082) -> click Authentication
Check ProxyAV RADIUS Authentication
Server IP: <IP Address of Cisco ACS>
Port: 1812
Secret: shared (the same shared secret entered in step 7)
Click Save Changes -> LOGOUT

12. Test RADIUS Access on ProxyAV
Username: User1
Password: testing123