How to setup Cisco ACS for Management Center

Article ID: 169400

Products

Management Center

Issue/Introduction

Note: Steps may vary depending on the version and vendor being used. This is only an example guide and should be used as such. Normally the Vendor ID and groups are contained in the vendor dictionary file, which should be used; if it is not available, you can use the following as a guide.

Create Bluecoat in Vendor Specific Dictionary

  • Click on ‘System Administration – Configuration – Dictionaries – RADIUS – RADIUS VSA’ and select Create
    • Name: Bluecoat
    • Vendor ID: 14501
    • Click Submit

  • In the left hand column select ‘System Administration – Configuration – Dictionaries – RADIUS – RADIUS VSA – Bluecoat’ and select Create
    • Attribute: Blue-Coat-Group
    • Vendor Attribute ID: 1
    • Include attribute in log: checked
    • Attribute Type: string
    • Click submit

  • In the left hand column select ‘System Administration – Configuration – Dictionaries – RADIUS – RADIUS VSA – Bluecoat’ and select Create
    • Attribute: Blue-Coat-Authorization
    • Vendor Attribute ID: 2
    • Include attribute in log: checked
    • Attribute Type: Unsigned integer 32
    • Click Submit

  • Add an Authorization Profile by clicking ‘Policy Elements – Authorization and Permissions – Network Access – Authorization Profiles – Create’
    • Name: MC-Auth-Profile (whatever name you would like to give here)
    • (RADIUS Attributes tab) Dictionary Type: RADIUS-Bluecoat
    • Attribute Type: String
    • Attribute Value: Static (this may vary)
    • Type ‘MCGroup’ for the value; this is the group we will create later on and assign to the user. This may vary depending on the environment. If multiple groups are needed you can separate them with a comma, for example "MCGroup,MCGroup1"
    • Click the Add button to add this attribute

  • Add another Attribute with Dictionary Type: RADIUS-Bluecoat
    • RADIUS Attribute: Blue-Coat-Authorization
    • Attribute Type: Unsigned Integer 32
    • Attribute Value: Static
    • Type 2 in the box below
    • Click Add to add this attribute
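The two attributes above travel to Management Center inside the RADIUS Vendor-Specific attribute (type 26) of the Access-Accept, with Vendor ID 14501 and the vendor attribute IDs 1 (Blue-Coat-Group, string) and 2 (Blue-Coat-Authorization, unsigned integer 32) defined earlier. The following Python is an added example, not part of the article or of Cisco ACS or Management Center: it encodes the attributes exactly as MC-Auth-Profile is configured to send them and decodes a constructed attribute list, which is useful when checking a packet capture of the Access-Accept to confirm the group names actually sent. Everything except the RFC 2865 Vendor-Specific layout and the IDs from the article (vendor 14501, sub-attributes 1 and 2) is a constructed sample.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26        # RFC 2865 section 5.26, attribute type
RADIUS_REPLY_MESSAGE = 18          # an ordinary attribute, used below as noise
BLUECOAT_VENDOR_ID = 14501         # Vendor ID from the article
ATTR_BLUE_COAT_GROUP = 1           # Vendor Attribute ID 1, string
ATTR_BLUE_COAT_AUTHORIZATION = 2   # Vendor Attribute ID 2, unsigned integer 32


def encode_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute: type 26, length, vendor id, then
    a single vendor sub-attribute (type, length, data)."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode("utf-8")
    sub_attr = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + sub_attr
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def encode_mc_auth_profile(groups, authorization=2):
    """Attributes MC-Auth-Profile sends: comma-separated group list and the
    authorization value (2, as configured in the article)."""
    return (encode_vsa(BLUECOAT_VENDOR_ID, ATTR_BLUE_COAT_GROUP, ",".join(groups))
            + encode_vsa(BLUECOAT_VENDOR_ID, ATTR_BLUE_COAT_AUTHORIZATION, authorization))


def decode_bluecoat_attributes(blob):
    """Walk a RADIUS attribute list and return the Blue Coat VSAs found.
    Other attributes and other vendors' VSAs are skipped; malformed lengths
    raise instead of being read past the buffer."""
    found = {}
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = blob[i], blob[i + 1]
        if attr_len < 2 or i + attr_len > len(blob):
            raise ValueError("malformed attribute length")
        payload = blob[i + 2:i + attr_len]
        if attr_type == RADIUS_VENDOR_SPECIFIC and len(payload) >= 6:
            vendor_id = struct.unpack("!I", payload[:4])[0]
            if vendor_id == BLUECOAT_VENDOR_ID:
                j = 4
                while j + 2 <= len(payload):
                    vtype, vlen = payload[j], payload[j + 1]
                    if vlen < 2 or j + vlen > len(payload):
                        raise ValueError("malformed vendor sub-attribute")
                    vdata = payload[j + 2:j + vlen]
                    if vtype == ATTR_BLUE_COAT_GROUP:
                        found["Blue-Coat-Group"] = vdata.decode("utf-8").split(",")
                    elif vtype == ATTR_BLUE_COAT_AUTHORIZATION:
                        if len(vdata) != 4:
                            raise ValueError("Blue-Coat-Authorization must be 4 bytes")
                        found["Blue-Coat-Authorization"] = struct.unpack("!I", vdata)[0]
                    j += vlen
        i += attr_len
    return found


# Constructed sample of an Access-Accept attribute list: a Reply-Message and a
# VSA from another vendor (vendor id 9) surround the two Blue Coat attributes.
SAMPLE_ACCESS_ACCEPT_ATTRS = (
    struct.pack("!BB", RADIUS_REPLY_MESSAGE, 2 + 7) + b"Welcome"
    + encode_vsa(9, 1, "unrelated")
    + encode_mc_auth_profile(["MCGroup", "MCGroup1"])
)

if __name__ == "__main__":
    print(decode_bluecoat_attributes(SAMPLE_ACCESS_ACCEPT_ATTRS))
```

When a login works on ACS but the user lands in MC without permissions, decoding the captured Access-Accept this way shows whether the Blue-Coat-Group string is present and spelled exactly like the group created on the MC side.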


Add a Network Device

  • Click on ‘Network Resources – Network Device Groups – Device Type’ then click create
    • Name: MC (can be anything)
    • Click submit

Add Network Device Location

  • Click on ‘Network Resources – Network Device Groups – Location’ then click create
    • Name: WTL (can be anything)
    • Click submit

Add Network Devices and AAA Clients

  • Click on ‘Network Resources – Network Devices and AAA Clients’ then click create
    • Name: MC-Clients (can be anything)
    • Location: Select the location created in earlier step
    • Device Type: Select the device created in earlier step
    • IP Address: type in the ip address of the MC
    • Click on Radius
    • Enter in a Shared Secret.  (for example secret)
    • Click submit

Add Identity Group

  • Click on ‘Users and Identity Stores – Identity Groups’ and click Create
    • Name: MCGroup
    • Click Submit

Add Internal Users

  • Click on ‘Users and Identity Stores – Internal Identity Stores – Users’ and click Create
    • Name: User01
    • Identity Group: MCGroup
    • Type in the password and confirm the password
    • Click Submit

Add Access Policies

  • Click on ‘Access Policies – Access Services’ and click Create
    • Name: MC-Access-Policy
    • User Selected Service Type: Network Access
    • Make sure Identity, Group Mapping and Authorization are all selected
    • Click Next
    • Make sure ‘Process Host Lookup’ is selected
    • Make sure ‘Allow PAP/ASCII’ is selected
    • Click Finish
    • Click Yes when it asks “Access Service created successfully. Would you like to modify the Service Selection policy to activate this service?”
    • Continue to Service Selection Rules

Service Selection Rules

  • Click on the ‘Customize’ button on the bottom right
    • Add ‘NDG: Device Type’ to the selected section and move it to the top
    • Click Ok

  • Click on Create
    • Name: Rule-MC
    • Status: Enabled
    • Check ‘NDG: Device Type’ and select MC
    • Service: MC-Access-Policy
    • Click Ok

  • Once created, move this rule to the top using the Up arrow
  • Click Save Changes
  • Click on ‘Access Policies – Access Services – MC-Access-Policy’ and select Identity
    • Select “Rule based result selection”
    • Click Ok
  • Click on the Customize button on the bottom right
    • Select “NDG: Device Type” and add it to the right
    • Remove Compound Condition from the right
    • Click Ok
  • Click Create
    • Name: Rule-Identity
    • Status: Enabled
    • Select “NDG:Device Type” under conditions and select MC as the device
    • Identity Source: Internal Users
    • Click Ok

  • Click on ‘Access Policies – Access Services – MC-Access-Policy’ and select Group Mapping
    • Select “Rule based result selection”
    • Click Ok
  • Click on the Customize button on the bottom right
    • Select “System:UserName” and move it to the right
    • Move “Compound Condition” to the left
    • Click Ok
  • Click Create
    • Name:Rule-MC-Group
    • Status: Enabled
    • Check “System:UserName” eq User01
    • Identity Group: MCGroup
    • Click Ok and Save changes

  • Click on ‘Access Policies – Access Services – MC-Access-Policy’ and select Authorization
    • Click Customize
    • Remove Compound Condition by moving it to the left
    • Add Identity Group by moving it to the right
    • Click Ok
  • Click Create
    • Name: Rule-Authorization
    • Status: Enabled
    • Check ‘Identity Group’ and select MCGroup
    • Authorization Profile: MC-Auth-Profile
    • Click Ok and Save Changes


After this, in MC make sure you add the group "MCGroup" under Groups and give it the proper permissions. Note that the group name in MC and the value sent in Blue-Coat-Group have to match exactly or this will not work.
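To see how the rules configured above fit together, here is an added Python model of the four-stage chain (Service Selection, Identity, Group Mapping, Authorization) for MC-Access-Policy, followed by the MC-side group lookup. It is an illustration written for this article, not Cisco ACS's rule engine or Management Center's code: the rule and profile names are the ones from the steps above, while the simplified matching logic, the plaintext password comparison, the treatment of an unmatched Authorization stage as a reject, and the sample user password are assumptions made for the model. It also generalizes slightly by reporting the failure mode the note above warns about, a group name that ACS sends but MC does not define.

```python
from dataclasses import dataclass

# Rule tables mirrored from the article: (rule name, conditions, result).
# First matching rule wins, the way the rules were ordered in the steps.
SERVICE_SELECTION = [
    ("Rule-MC", {"device_type": "MC"}, "MC-Access-Policy"),
]
IDENTITY_RULES = {
    "MC-Access-Policy": [("Rule-Identity", {"device_type": "MC"}, "Internal Users")],
}
GROUP_MAPPING_RULES = {
    "MC-Access-Policy": [("Rule-MC-Group", {"username": "User01"}, "MCGroup")],
}
AUTHORIZATION_RULES = {
    "MC-Access-Policy": [("Rule-Authorization", {"identity_group": "MCGroup"}, "MC-Auth-Profile")],
}
AUTHORIZATION_PROFILES = {
    "MC-Auth-Profile": {"Blue-Coat-Group": "MCGroup", "Blue-Coat-Authorization": 2},
}
# Internal Identity Store (constructed sample; the password value is an assumption
# and the comparison below is a stand-in for ACS's real credential check).
INTERNAL_USERS = {"User01": "example-password"}
# Groups defined on the Management Center side. Names must match exactly.
MC_GROUPS = {"MCGroup"}


@dataclass
class Request:
    device_type: str   # NDG: Device Type of the AAA client entry (MC)
    username: str
    password: str


def first_match(rules, facts):
    """Return (rule name, result) of the first rule whose conditions all hold."""
    for name, conditions, result in rules:
        if all(facts.get(key) == value for key, value in conditions.items()):
            return name, result
    return None, None


def evaluate(req, mc_groups=MC_GROUPS):
    """Run a request through the modelled ACS chain, then check the MC side."""
    trace = []
    facts = {"device_type": req.device_type, "username": req.username}

    rule, service = first_match(SERVICE_SELECTION, facts)
    if service is None:
        return {"result": "REJECT", "reason": "no Service Selection rule matched", "trace": trace}
    trace.append((rule, service))

    rule, store = first_match(IDENTITY_RULES[service], facts)
    if store != "Internal Users" or INTERNAL_USERS.get(req.username) != req.password:
        return {"result": "REJECT", "reason": "authentication failed", "trace": trace}
    trace.append((rule, store))

    rule, group = first_match(GROUP_MAPPING_RULES[service], facts)
    trace.append((rule, group))
    facts["identity_group"] = group   # None when no mapping rule matched

    rule, profile = first_match(AUTHORIZATION_RULES[service], facts)
    if profile is None:   # model assumption: treat an unmatched stage as deny
        return {"result": "REJECT", "reason": "no Authorization rule matched", "trace": trace}
    trace.append((rule, profile))

    attrs = AUTHORIZATION_PROFILES[profile]
    unknown = [g for g in attrs["Blue-Coat-Group"].split(",") if g not in mc_groups]
    if unknown:
        return {"result": "ACCEPT_BUT_NO_MC_ROLE", "reason": f"MC has no group named {unknown}",
                "attributes": attrs, "trace": trace}
    return {"result": "ACCEPT", "attributes": attrs, "trace": trace}


if __name__ == "__main__":
    print(evaluate(Request("MC", "User01", "example-password")))
    print(evaluate(Request("MC", "User01", "example-password"), mc_groups={"mcgroup"}))
```

The last call shows the case the note describes: ACS accepts the login and sends Blue-Coat-Group "MCGroup", but the MC side only defines "mcgroup", so the user gets no permissions.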