Configuring Cisco Secure ACS v5.5 to use RADIUS for Orchestrator Authentication
This document outlines the procedure for configuring Cisco Secure Access Control System to provide RADIUS
services for Orchestrator authentication.

This procedure for configuring RADIUS references the ACS server’s internal user datastore.

All names and descriptions created by the user are denoted in cyan.

Advanced users who are familiar with the ACS RADIUS configuration tasks and only need to know the
Orchestrator attributes for admin and monitor can refer to the following table:

             Dictionary Type   Attribute        Type          Value
  admin      Radius Cisco      cisco-av-pair    string        LOGIN:priv-lvl=7
             Radius IETF       Service-Type     Enumeration   NAS Prompt
  monitor    Radius Cisco      cisco-av-pair    string        LOGIN:priv-lvl=0
             Radius IETF       Service-Type     Enumeration   NAS Prompt
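The table above is the whole authorization contract between ACS and the Orchestrator: the Access-Accept carries a Cisco vendor-specific cisco-av-pair holding the privilege level and an IETF Service-Type of NAS Prompt. The following is an added example, not code from the guide and not Orchestrator's or ACS's own implementation. It encodes such an Access-Accept the way a RADIUS server would (RFC 2865 framing, vendor ID 9 / sub-type 1 for cisco-av-pair), then consumes it the way a careful RADIUS client should: verify the Response Authenticator against the shared secret first, parse the attributes defensively, and only then map priv-lvl 7 to admin and priv-lvl 0 to monitor. The shared secret, the Request Authenticator and the fail-closed role mapping are constructed assumptions; only the attribute values come from the table.

```python
import hashlib
import hmac
import struct

# RFC 2865 wire constants; vendor ID 9 / sub-type 1 is Cisco's cisco-av-pair.
# None of these numbers appear in the guide itself.
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_NAS_PROMPT = 7
CISCO_VENDOR_ID = 9
CISCO_AVPAIR_SUBTYPE = 1

# From the guide's table: priv-lvl 7 is admin, 0 is monitor. How Orchestrator
# applies this internally is not documented; failing closed on anything else
# is this example's assumption.
PRIV_LVL_TO_ROLE = {7: "admin", 0: "monitor"}

def encode_attr(attr_type, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return bytes([attr_type, 2 + len(value)]) + value

def encode_service_type(service_type):
    return encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", service_type))

def encode_cisco_avpair(avpair):
    """cisco-av-pair string wrapped in Vendor-Specific (type 26, vendor 9, sub-type 1)."""
    sub = bytes([CISCO_AVPAIR_SUBTYPE, 2 + len(avpair)]) + avpair.encode("ascii")
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def build_access_accept(identifier, request_authenticator, secret, attrs):
    """Server side. Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret),
    which binds the reply to the request and to the shared secret."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body

def verify_response(packet, request_authenticator, secret):
    """Client side: recompute the Response Authenticator before trusting any attribute."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def iter_tlvs(data):
    """Yield (type, value) from Type-Length-Value triples; reject truncated ones."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        yield data[pos], data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]

def role_from_accept(packet, request_authenticator, secret):
    """Return 'admin', 'monitor' or None (fail closed) for an Access-Accept."""
    if not verify_response(packet, request_authenticator, secret):
        return None
    service_type = priv_lvl = None
    for t, v in iter_tlvs(packet[20:]):
        if t == ATTR_SERVICE_TYPE and len(v) == 4:
            service_type = struct.unpack("!I", v)[0]
        elif t == ATTR_VENDOR_SPECIFIC and len(v) > 4 and v[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            for sub_t, sub_v in iter_tlvs(v[4:]):
                text = sub_v.decode("ascii", "replace")
                if sub_t == CISCO_AVPAIR_SUBTYPE and text.startswith("LOGIN:priv-lvl="):
                    try:
                        priv_lvl = int(text.split("=", 1)[1])
                    except ValueError:
                        return None
    if service_type != SERVICE_TYPE_NAS_PROMPT:
        return None
    return PRIV_LVL_TO_ROLE.get(priv_lvl)

def demo_accept():
    """Constructed exchange: admin accept, monitor accept, and two replies that must be rejected."""
    secret = b"constructed-shared-secret"  # constructed placeholder, not a real secret
    req_auth = bytes(range(16))             # constructed Request Authenticator
    admin = build_access_accept(1, req_auth, secret, [
        encode_cisco_avpair("LOGIN:priv-lvl=7"), encode_service_type(SERVICE_TYPE_NAS_PROMPT)])
    monitor = build_access_accept(2, req_auth, secret, [
        encode_cisco_avpair("LOGIN:priv-lvl=0"), encode_service_type(SERVICE_TYPE_NAS_PROMPT)])
    # Raise the monitor's priv-lvl in transit: the Response Authenticator no longer
    # matches, so a correct client discards the reply instead of granting admin.
    tampered = bytearray(monitor)
    tampered[monitor.index(b"priv-lvl=0") + len(b"priv-lvl=")] = ord("7")
    return {
        "admin": role_from_accept(admin, req_auth, secret),
        "monitor": role_from_accept(monitor, req_auth, secret),
        "tampered": role_from_accept(bytes(tampered), req_auth, secret),
        "wrong_secret": role_from_accept(admin, req_auth, b"some-other-secret"),
    }
```

Run `demo_accept()` to see the four outcomes. The point of the tampered and wrong-secret cases is that the Response Authenticator is the only thing standing between an on-path host and a priv-lvl change, and it is keyed solely by the shared secret from Task 1 and Task 8, which is why that secret deserves the same care as a password.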
SUMMARY OF TASKS

1  Add Orchestrator information to Cisco’s Secure Access Control System
2  Create Identity Groups for Orchestrator’s “admin” and “monitor” users
3  Create ACS internal users for the Orchestrator
4  Define attributes for admin and monitor users for Orchestrator
5  Create access services that define policy structure and allowed protocols for admin and monitor
6  Create access rules for the services
7  Create a Service Selection Rule to parse traffic hitting the RADIUS server for appropriate action
8  Configure the Orchestrator for RADIUS authentication with Cisco Secure ACS
Rev A - March 2016

1  Add Orchestrator information to Cisco’s Secure Access Control System

a. After logging into the Cisco Secure ACS, navigate to Network Resources > Network Devices and AAA Clients.
b. Click Create.
c. Complete the following fields:
     Name:           Orchestrator
     Description:    adding Orchestrator to ACS
     IP:             [Orchestrator IP address]
     RADIUS:         [select]
     Shared Secret:  [Orchestrator’s shared secret]
   Click Submit. The result displays in the Network Devices table.
2  Create Identity Groups for Orchestrator’s “admin” and “monitor” users

a. Navigate to Users and Identity Stores > Identity Groups, and at the bottom of the page, click Create.
   To create the group for “admin”, complete the following fields:
     Name:         orchestrator-admin-group
     Description:  Orchestrator administrator group
b. Click Submit. The new group displays under All Groups.
c. Click Create.
d. Again, navigate to Users and Identity Stores > Identity Groups, and at the bottom of the page, click Create.
e. To create the group for “monitor”, complete the following fields:
     Name:         orchestrator-monitor-group
     Description:  Orchestrator monitor group
   Click Submit. The new group displays under All Groups.
3  Create ACS internal users for the Orchestrator

a. Navigate to Users and Identity Stores > Internal Identity Stores > Users, and at the bottom of the page,
   click Create.
b. To create an admin-level user for Orchestrator, complete the following fields:
     Name:                         orchadmin
     Description:                  Orchestrator administrator
     Identity Group:               [select] All Groups: orchestrator-admin-group
     Password Type:                Internal Users
     Password / Confirm Password:  [create one]
c. Click Submit. The new user name appears in the Internal Users list.
d. Click Create. To create a monitor-level user for Orchestrator, complete the following fields:
     Name:                         orchmonitor
     Description:                  Orchestrator monitor
     Identity Group:               [select] All Groups: orchestrator-monitor-group
     Password Type:                Internal Users
     Password / Confirm Password:  [create one]
e. Click Submit. The new user name appears in the Internal Users list.
4  Define attributes for admin and monitor users for Orchestrator

a. To create an admin profile, navigate to Policy Elements > Authorizations and Permissions > Network
   Access > Authorization Profiles, and at the bottom of the page, click Create.
b. In the General tab, complete the following:
     Name:         RADIUS admin profile
     Description:  authorization profile for admin
c. Click the RADIUS Attributes tab and complete the following:
     Dictionary Type:   RADIUS-Cisco
     RADIUS Attribute:  cisco-av-pair
     Attribute Type:    String
     Attribute Value:   Static
                        [enter this] LOGIN:priv-lvl=7
d. Click Add ^. The entry appears in the Manually Entered table.
   Now, we’ll add a second attribute.
e. In the RADIUS Attributes tab, complete the following:
     Dictionary Type:   RADIUS-IETF
     RADIUS Attribute:  Service-Type
     Attribute Type:    Enumeration
     Attribute Value:   Static
                        NAS Prompt
f. Click Add ^. The entry appears in the Manually Entered table.
g. Click Submit. The RADIUS admin profile appears in the Authorization Profiles list.
   Now, we’ll create the monitor profile.
h. Click Create. In the General tab, complete the following:
     Name:         RADIUS monitor profile
     Description:  authorization profile for monitor
i. Click the RADIUS Attributes tab and complete the following. Notice that for the monitor, the level equals zero.
     Dictionary Type:   RADIUS-Cisco
     RADIUS Attribute:  cisco-av-pair
     Attribute Type:    String
     Attribute Value:   Static
                        [enter this] LOGIN:priv-lvl=0
j. Click Add ^. The entry appears in the Manually Entered table.
   Now, we’ll add the second attribute.
k. In the RADIUS Attributes tab, complete the following:
     Dictionary Type:   RADIUS-IETF
     RADIUS Attribute:  Service-Type
     Attribute Type:    Enumeration
     Attribute Value:   Static
                        NAS Prompt
l. Click Add ^. The entry appears in the Manually Entered table.
m. Click Submit. The RADIUS monitor profile appears in the Authorization Profiles list.
5  Create access services that define policy structure and allowed protocols for admin and monitor

a. Navigate to Access Policies > Access Services, and click Create.
b. When Step 1 - General appears, complete the following:
     Name:                        Orch-admin services
     Description:                 Orchestrator admin services for administrator
     User Selected Service Type:  Network Access
     Policy Structure:            Identity
                                  Authorization
   Click Next. When Step 2 - Allowed Protocols appears, select the following:
     Process Host Lookup:       [deselect]
     Authentication Protocols:  Allow PAP/ASCII
                                Allow CHAP
c. Click Finish. When asked if you’d like to activate this service, click Yes.
   Notice that Orch-admin services is now listed under Access Policies in the navigation panel.
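Step 2 - Allowed Protocols enables PAP/ASCII and CHAP, and it helps to see what each one puts on the wire and what the ACS side has to do to check it. The following is an added example, not code from the guide or from ACS or Orchestrator: the client-side encoding of both protocols per RFC 2865 (PAP hides the User-Password by XOR against MD5 blocks keyed with the shared secret and Request Authenticator; CHAP sends Ident plus MD5(Ident || password || challenge)) next to the matching server-side check. The secret, password and Request Authenticator are constructed values; the function names are this example's own.

```python
import hashlib
import hmac

def hide_pap_password(password, secret, request_authenticator):
    """Client side, RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block
    with MD5(secret || previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out, prev = out + cipher, cipher
    return out

def reveal_pap_password(hidden, secret, request_authenticator):
    """Server side: reverse the hiding; only a holder of the shared secret can."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # padding is zero bytes per the RFC

def chap_response(ident, password, challenge):
    """Client side, RFC 2865 section 5.3: CHAP-Password = Ident || MD5(Ident || pw || challenge).
    The challenge is CHAP-Challenge if sent, otherwise the Request Authenticator."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def verify_chap(chap_password, stored_password, challenge):
    """Server side: can only recompute the digest if it holds the clear-text password."""
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], stored_password, challenge)
    return hmac.compare_digest(expected, chap_password)

def demo_pap_chap():
    """Constructed values throughout; nothing here is a real credential."""
    secret = b"constructed-shared-secret"
    req_auth = bytes.fromhex("00112233445566778899aabbccddeeff")
    password = b"correct horse"
    hidden = hide_pap_password(password, secret, req_auth)
    challenge = req_auth  # no CHAP-Challenge attribute, so the Request Authenticator is used
    response = chap_response(0x2A, password, challenge)
    return {
        "hidden_len": len(hidden),
        "pap_roundtrip": reveal_pap_password(hidden, secret, req_auth) == password,
        "pap_wrong_secret": reveal_pap_password(hidden, b"other-secret", req_auth) == password,
        "chap_ok": verify_chap(response, password, challenge),
        "chap_wrong_pw": verify_chap(response, b"not the password", challenge),
    }
```

Two consequences follow directly from the code. With PAP, the confidentiality of every Orchestrator login rests on the shared secret entered in Task 1 and Task 8 and on the MD5 construction around it, so the secret should be long and random and the UDP path between Orchestrator and ACS should be a trusted management network. With CHAP, the server must be able to recompute the digest from the clear-text password, so CHAP does not reduce what the identity store has to protect.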
6  Create access rules for the services

These specify the conditions users must meet for access to Orchestrator.

a. Navigate to Access Policies > Access Services > Orch-admin services > Identity, and click Select.
b. Select Internal Users, and click Save Changes.
c. Navigate to Access Policies > Access Services > Orch-admin services > Authorization, and click Customize.
   The Customize Conditions window appears.
d. Select and move Compound Condition from the Selected column to the Customize Conditions column.
e. Select and move Identity Group to the Selected column.
f. Click OK. The result displays in the Conditions column.
g. Click Create. A dialog box appears.
h. Select the Identity Group checkbox, and click Select. The Network Device Groups list appears.
i. Select orchestrator-admin-group and click OK. The Rule-1 dialog returns.
j. Below the Authorization Profiles field, click Select. The Authorization Profiles dialog appears.
k. Select RADIUS admin profile and click OK. The input window returns.
l. Click OK. The Network Access Authorization Policy returns, with Rule-1 included.
m. At the bottom of the page, click Save Changes.
n. Now you’ll add Rule-2 to include the RADIUS monitor profile.
   - At the bottom of the page, click Create. The Rule-2 dialog box appears.
   - Select the Identity Group checkbox, and click Select. The Network Device Groups list appears.
   - Select orchestrator-monitor-group and click OK. The Rule-2 dialog returns.
   - Below the Authorization Profiles field, click Select. The Authorization Profiles dialog appears.
   - Select RADIUS monitor profile and click OK. The input window returns.
   - Click OK. The Network Access Authorization Policy returns, with Rule-2 included.
o. Click Save Changes.
7  Create a Service Selection Rule to parse traffic hitting the RADIUS server for appropriate action

a. Navigate to Access Policies > Access Services: Service Selection Rules, and click Create.
   A dialog appears for creating a new rule.
b. Complete the following:
   - Select the Protocol checkbox, and select match and Radius.
   - From the drop-down list in the Service field, select Orch-admin services.
   - Click OK.
   The Service Selection Policy page appears, displaying the new rule at the bottom of the list.
c. Select the new rule, and click the caret to move the rule up to the appropriate priority.
d. Click Save Changes.

You have now finished configuring Cisco Secure ACS to use RADIUS for authenticating Orchestrator users.
8  Configure the Orchestrator for RADIUS authentication with Cisco Secure ACS

a. After logging into the Orchestrator as admin, navigate to Orchestrator Administration > Authentication.
   The Remote Authentication dialog box appears.
b. Select RADIUS, and complete the following:
     Authentication Order:  Remote first
     Server IP:             [Cisco Secure ACS IP address]
     Server Port:           1812
     Server Secret Key:     [Orchestrator’s shared secret]
c. Click Save.
d. Log out of Orchestrator.
e. On the welcome page, log in as orchadmin, the identity you created in the RADIUS server.

Orchestrator is now authenticating users via the RADIUS server.