ISE v1.2 RADIUS - Authentication of access to a Riverbed Steelhead

VENDOR RBT 17163

ATTRIBUTE Local-User 1 string RBT

TACACS+ docs

TACACS+ (Shell Profile)

Attribute(s): service ; local-user-name

Value(s): rbt-exec ; <username>

Usage: In order to grant the user read-only access, the <username> value must be set to monitor. In order to grant the user read-write access, the <username> value must be set to admin. If you have another account defined in addition to admin and monitor, configure that name to be returned.

Example – Add Attributes to a Shell Profile (for read-only access)

Attribute          Requirement   Attribute Value
service            Mandatory     rbt-exec
local-user-name    Mandatory     monitor

Example – Add Attributes to a Shell Profile (for read-write access)

Attribute          Requirement   Attribute Value
service            Mandatory     rbt-exec
local-user-name    Mandatory

I have successfully achieved getting the profile to identify the unit and to apply the correct Result.

But my 'Result' is clearly incorrectly defined.

The dictionary attribute value for Riverbed 17163

local-user-name 1 STRING BOTH  NO

I'm sure this is wrong!

Access Type = ACCESS_ACCEPT

local-user-name = shell:local-username=admin

Service-Type = 1

From the authentication log it would appear it doesn't send this at all to the device.

Regards

Ian Cowley

Hi Ian,

Did you ever resolve this issue?

I am trying to get the same working on ISE 1.1.2 (soon upgrading to 1.2.1).

I have the Authorization Profile configured to send local-user=admin attribute (at recommendation of Riverbed support) but this is not sent by ISE according to packet captures.  

Sending Access Accept gives full access to Steelhead web GUI.

I think the attribute ID configured in the dictionary entry could be wrong (I currently have ID as 1).

Thanks,

Stephen.

Attributes Details
Service Template         false
Access Type                 ACCESS_ACCEPT
Radius:Service-Type   Administrative(6)
Riverbed:Local-User    admin

Local user Dictionary Attribute ID is also '1'

 

The AuthProfile sends this if user is in correct AD group and device is Riverbed.

Seems to work.  RiOS 8.5.2 through 8.6.0

 

IanC

Thanks Ian.

I've changed my authorization profile to have Radius:Service-Type as Administrative(6), still works.

Packet capture shows ISE sending AVP type 6 as Shell-User.

Riverbed user logs don't show anything pertaining to role being admin, apart from CLI login:

user stephencooper.adm: CLI launched for user stephencooper.adm and rbm admin

I tried creating an authorization profile for monitor, same settings but set local-user to monitor and Service-Type to NAS-Prompt (only going on Cisco WLC access example).  This causes ISE to send AVP type 6 as Exec-user, and same entry in user logs for CLI login.  I get full access to the web GUI.

Could you please advise how you confirmed role access upon login, and also provide your config for monitor access?

Thank you!

Stephen.

Stephen

Let me check...

I might not have been as thorough as you!

IanC

OK it works... though perhaps not as granularly as I'd like.

2 Authorization Rules; both identify the Riverbed device; VTY, PAP, Riverbed Device Group.

and either AD Group for Admins, or Service Desk (in my case).

The Permissions responses [Policy - Results - Authorization - Authorization Profiles] are:

Riverbed Admins:

Radius:Service-Type = Administrative

Riverbed:Local-User = admin       [Policy - Policy Elements - Dictionary - System - Radius - RADIUS Vendors - Riverbed (17163) - Dictionary Attributes - Local-User 1 STRING BOTH ]

[result of this is Service Type =6, Local-User=admin]

Riverbed Monitor:

Radius:Service-Type = Administrative

Riverbed:Local-User = monitor

[result of this is Service Type =6, Local-User=monitor]

 

It greys out the Configuration - Network and Optimization pages

 

Hope this helps

 

IanC

Thanks Ian, that has helped me figure out my issue.

I had admin and monitor as allowed values in the VSA setting, so it was sending a 1 or a 2 as the index for these allowed values which obviously the Steelhead didn't recognise.

I removed these and manually entered admin and monitor for Local-User in the Authorization Profiles and have confirmed it is now working.

Regards,

Stephen.
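The root cause Stephen describes (the Steelhead expects the literal string "admin" or "monitor" in the Riverbed Local-User vendor attribute, and an ISE dictionary with enumerated allowed values made ISE emit an index instead) is easy to see on the wire once you decode the RFC 2865 Vendor-Specific attribute (type 26) yourself. The following script is an added example for this thread, not code from the posters, Cisco or Riverbed. It uses only values that appear above (vendor ID 17163, sub-attribute 1 = Local-User, Service-Type 6 = Administrative); the assumption that an enumerated value is sent as a 4-byte big-endian integer is mine, made to illustrate why a number rather than a name would not match a local account on the device. It builds the attribute list ISE would put in an Access-Accept, then parses it back the way a NAS would, so you can check a capture against what the Steelhead actually needs.

```python
import struct

# RADIUS attribute numbers from RFC 2865 and the Riverbed dictionary quoted in the thread.
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_ADMINISTRATIVE = 6        # Radius:Service-Type = Administrative(6)
RIVERBED_VENDOR_ID = 17163             # VENDOR RBT 17163
RIVERBED_LOCAL_USER = 1                # ATTRIBUTE Local-User 1 string RBT


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute in Type/Length/Value form (length covers the header)."""
    if 2 + len(value) > 255:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id, vendor_type, value):
    """Encode a Vendor-Specific attribute carrying one vendor sub-attribute.

    A str is sent as its ASCII bytes (the 'string' type the Steelhead expects).
    An int models ISE emitting the index of an enumerated allowed value; the
    4-byte big-endian layout is an assumption for illustration only.
    """
    if isinstance(value, str):
        raw = value.encode("ascii")
    elif isinstance(value, int):
        raw = struct.pack("!I", value)
    else:
        raw = bytes(value)
    sub = struct.pack("!BB", vendor_type, 2 + len(raw)) + raw
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def parse_attrs(blob):
    """Walk a RADIUS attribute list and yield (type, raw_value) pairs."""
    off = 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", blob[off:off + 2])
        if alen < 2 or off + alen > len(blob):
            raise ValueError("malformed attribute length")
        yield atype, blob[off + 2:off + alen]
        off += alen


def parse_vsa(raw):
    """Split a Vendor-Specific value into (vendor_id, [(vendor_type, raw_value), ...])."""
    if len(raw) < 6:
        raise ValueError("Vendor-Specific value too short")
    vendor_id = struct.unpack("!I", raw[:4])[0]
    subs = []
    off = 4
    while off < len(raw):
        vtype, vlen = struct.unpack("!BB", raw[off:off + 2])
        if vlen < 2 or off + vlen > len(raw):
            raise ValueError("malformed vendor sub-attribute")
        subs.append((vtype, raw[off + 2:off + vlen]))
        off += vlen
    return vendor_id, subs


def summarize_access_accept(blob):
    """Report what a Steelhead would see: the Service-Type and the Riverbed Local-User.

    Local-User is returned as a str only when it is printable ASCII, i.e. a
    name the device could match against a local account; anything else
    (such as an integer index) is reported as None.
    """
    result = {"Service-Type": None, "Local-User": None}
    for atype, raw in parse_attrs(blob):
        if atype == ATTR_SERVICE_TYPE and len(raw) == 4:
            result["Service-Type"] = struct.unpack("!I", raw)[0]
        elif atype == ATTR_VENDOR_SPECIFIC:
            vendor_id, subs = parse_vsa(raw)
            if vendor_id != RIVERBED_VENDOR_ID:
                continue
            for vtype, sub_raw in subs:
                if vtype == RIVERBED_LOCAL_USER:
                    if sub_raw and all(32 <= b < 127 for b in sub_raw):
                        result["Local-User"] = sub_raw.decode("ascii")
    return result


def build_profile(local_user):
    """Constructed Access-Accept attribute list matching Ian's working profile."""
    return (encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))
            + encode_vsa(RIVERBED_VENDOR_ID, RIVERBED_LOCAL_USER, local_user))


if __name__ == "__main__":
    for value in ("admin", "monitor", 1):
        blob = build_profile(value)
        print(value, blob.hex(), summarize_access_accept(blob))
```

Running it shows the "admin" profile as 06 06 00 00 00 06 followed by 1a 0d 00 00 43 0b 01 07 61 64 6d 69 6e, which decodes back to Service-Type 6 and Local-User "admin"; the enumerated-index variant decodes to a Local-User of None because the sub-attribute holds a number, not a user name. Comparing the hex of a real capture against this layout is a quick way to confirm which of the two ISE is actually sending.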
