Using AAA for WAAS

Mar 12th, 2009

We are trying to integrate WAAS with Cisco ACS server for AAA functionality. Authentication works fine provided we create the user and map the respective roles locally in the WAAS CM. Otherwise the user is not allowed to log in to the home page itself.

We need to know whether it is possible to use the authorization from ACS without creating the user & roles locally in WAAS.

Because it is added work to create all the users in WAAS also.

Please clarify.

Regards,

Guru

gururajan Fri, 03/13/2009 - 02:35

I got the solution. Just wanted to update here,

In WAAS, Authorization privileges apply to console and Telnet connection attempts, secure FTP (SFTP) sessions, and Secure Shell (SSH, Version 1 and Version 2) sessions.

For Web GUI access, we must create users and map roles locally in WAAS. No other GO.

Regards,

Guru

dstolt Fri, 03/13/2009 - 11:26

Guru,

Create users in the GUI with blank passwords and assign them to the roles you want them to have. Then the users will use external authorization to access the GUI.

See if that helps,

Dan

tj.mitchell Mon, 04/06/2009 - 07:00

You can have TACACS authenticate a user without the user being added locally on the box. The next idea is to what group to put that user in, this can be accomplished as well without having to create users in WAAS. Your last post on finding the enable login on all the devices and such. But there is also a way to map a user to a particular group that has access to only certain devices or can only report or what have you without creating each user on the box itself. This is possible, a little cumbersome at first to get it set up, but once set up it can be done fairly quickly.

gururajan Mon, 04/06/2009 - 21:43

Thanks for your reply.

Can you provide me the configuration steps for doing this?

Thanks again,

Guru

tj.mitchell Tue, 04/07/2009 - 07:08

Let me see what I can do, it's a process. Basically, you can create the group on the WAE like you typically would, then assign the permissions to the group.

Now, once complete, go to your TACACS server, under TACACS services there should be a tab for advanced configuration options. Then, once you show that, show customized TACACS attributes, check that off.

Then, define a group in TACACS and input the custom WAAS Group attributes: Check off Shell (exec)

Check off custom attributes - put the following string in -- waas_rbac_groups=<>

Submit/Restart

Then either define a new user or assign a user to the new group created.

Test, should work fine.

g-hopkinson Mon, 06/15/2009 - 04:00

Hi,

Does anyone know a solution for assigning roles within ACE using Radius?

Thanks

Gary
