Cisco Support Community
How to use user-roles in Ironport WSA (7.6) using ACS 4.1?

Hello,

I want to give a client access to a S370 WSA quarantine and I am using an ACS 4.1 for external authentication; that would be used for administrators and for the client access (non-administration access).

I have created a user-role in the WSA that has access to the quarantine I want, but I need the user to be in the ACS. I created the user in ACS but my question is, what should I configure or change in the ACS in order for the WSA to recognize the user with the specific role I created and not like an administrator role.

Thanks for your help!

Sergio


Accepted Solutions
Hi,

This can be done by configuring the RADIUS Class attribute on the ACS and mapping it with the user roles on the WSA.

"To map RADIUS users to different Web Security appliance user role types, you assign a role type, such as Administrator and Operator, to a RADIUS CLASS attribute. Mapping different role types lets you specify the authorization level for each RADIUS user."

Please go to Page 26-12 of the WSA user guide http://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa7-5/user_guide/WSA_7-5-0_UserGuide.pdf for more information under the section "Using External Authentication".

Regards,

Kush

Thanks kushsriva!

The document was for the WSA but it was useful anyway. The Class attribute in RADIUS uses number 25 and in the Cisco ACS is indicated like this:

ou=definedclass

In the ESA I had to make a modification ("Map externally authenticated users to multiple local roles").

Thanks again kushsriva!!
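As an added illustration of the mechanism discussed in this thread (not code from Cisco, the WSA, or any poster), here is a small Python model of what the appliance side does with an Access-Accept: walk the RADIUS attribute list, pull out the Class attribute (type 25), and look its value up in a role table. The role names and the second Class value are assumptions for illustration; the page only shows "ou=definedclass". The lookup fails closed, so a user whose Class value has no mapping gets no role rather than falling through to Administrator.

```python
import struct
from typing import List, Optional, Tuple

# RADIUS attribute type for Class (RFC 2865, section 5.25).
CLASS_ATTR_TYPE = 25

# Assumed mapping from the Class value configured on ACS to a WSA role.
# Only "ou=definedclass" appears on the page; the rest is illustrative.
ROLE_MAP = {
    b"ou=definedclass": "Operator",       # the quarantine-only role from the thread
    b"ou=wsaadmins": "Administrator",     # constructed example value
}


def build_attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type (1 byte), length (1 byte), value."""
    return struct.pack("BB", atype, len(value) + 2) + value


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute TLV list and reject truncated or malformed entries."""
    attrs = []
    offset = 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[offset], data[offset + 1]
        if alen < 2 or offset + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[offset + 2 : offset + alen]))
        offset += alen
    return attrs


def role_for_access_accept(attr_bytes: bytes) -> Optional[str]:
    """Return the WSA role mapped to the first Class attribute, or None.

    None means "no role": a missing or unmapped Class must not grant
    Administrator by default.
    """
    for atype, value in parse_attributes(attr_bytes):
        if atype == CLASS_ATTR_TYPE:
            return ROLE_MAP.get(value)
    return None


# Constructed Access-Accept attribute block: User-Name (type 1) plus Class (25).
SAMPLE_ACCEPT = build_attr(1, b"sergio") + build_attr(CLASS_ATTR_TYPE, b"ou=definedclass")
```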
