Configuring Cisco Secure ACS v5.5 to use RADIUS for Orchestrator Authentication


This document outlines the procedure for configuring Cisco Secure Access Control System to provide RADIUS services for Orchestrator authentication. This procedure for configuring RADIUS references the ACS server's internal user datastore. All names and descriptions created by the user are denoted in cyan.

Advanced users who are familiar with the ACS RADIUS configuration tasks and only need to know the Orchestrator attributes for admin and monitor can refer to the following table:

Role      Dictionary Type   Attribute       Type          Value
admin     Radius Cisco      cisco-av-pair   string        LOGIN:priv-lvl 7
admin     Radius IETF       Service Type    Enumeration   NAS prompt
monitor   Radius Cisco      cisco-av-pair   string        LOGIN:priv-lvl 0
monitor   Radius IETF       Service Type    Enumeration   NAS prompt

SUMMARY OF TASKS

1  Add Orchestrator information to Cisco's Secure Access Control System
2  Create Identity Groups for Orchestrator's "admin" and "monitor" users
3  Create ACS internal users for the Orchestrator
4  Define attributes for admin and monitor users for Orchestrator
5  Create access services that define policy structure and allowed protocols for admin and monitor
6  Create access rules for the services
7  Create a Service Selection Rule to parse traffic hitting the RADIUS server for appropriate action
8  Configure the Orchestrator for RADIUS authentication with Cisco Secure ACS

Rev A - March 2016

1  Add Orchestrator information to Cisco's Secure Access Control System

a  After logging into the Cisco Secure ACS, navigate to Network Resources > Network Devices and AAA Clients.
b  Click Create.
c  Complete the following fields:
     Name: Orchestrator
     Description: adding Orchestrator to ACS
     IP: [Orchestrator IP address]
     RADIUS: [select]
     Shared Secret: [Orchestrator's shared secret]
   Click Submit. The result displays in the Network Devices table.

2  Create Identity Groups for Orchestrator's "admin" and "monitor" users

a  Navigate to Users and Identity Stores > Identity Groups, and at the bottom of the page, click Create.
   To create the group for "admin", complete the following fields:
     Name: orchestrator-admin-group
     Description: Orchestrator administrator group
b  Click Submit. The new group displays under All Groups.
c  Click Create.
d  Again, navigate to Users and Identity Stores > Identity Groups, and at the bottom of the page, click Create.
   To create the group for "monitor", complete the following fields:
     Name: orchestrator-monitor-group
     Description: Orchestrator monitor group
   Click Submit. The new group displays under All Groups.

3  Create ACS internal users for the Orchestrator

a  Navigate to Users and Identity Stores > Internal Identity Stores > Users, and at the bottom of the page, click Create.
b  To create an admin-level user for Orchestrator, complete the following fields:
     Name: orchadmin
     Description: Orchestrator administrator
     Identity Group: [select] All Groups: orchestrator-admin-group
     Password Type: Internal Users
     Password / Confirm Password: [create one]
c  Click Submit. The new user name appears in the Internal Users list.
d  Click Create. To create a monitor-level user for Orchestrator, complete the following fields:
     Name: orchmonitor
     Description: Orchestrator monitor
     Identity Group: [select] All Groups: orchestrator-monitor-group
     Password Type: Internal Users
     Password / Confirm Password: [create one]
e  Click Submit. The new user name appears in the Internal Users list.

4  Define attributes for admin and monitor users for Orchestrator

a  To create an admin profile, navigate to Policy Elements > Authorizations and Permissions > Network Access > Authorization Profiles, and at the bottom of the page, click Create.
b  In the General tab, complete the following:
     Name: RADIUS admin profile
     Description: authorization profile for admin
c  Click the RADIUS Attributes tab and complete the following:
     Dictionary Type: RADIUS-Cisco
     RADIUS Attribute: cisco-av-pair
     Attribute Type: String
     Attribute Value: Static, [enter this] LOGIN:priv-lvl 7
d  Click Add. The entry appears in the Manually Entered table. Now, we'll add a second attribute.
e  In the RADIUS Attributes tab, complete the following:
     Dictionary Type: RADIUS-IETF
     RADIUS Attribute: Service-Type
     Attribute Type: Enumeration
     Attribute Value: Static, NAS Prompt
f  Click Add. The entry appears in the Manually Entered table.
g  Click Submit. The RADIUS admin profile appears in the Authorization Profiles list. Now, we'll create the monitor profile.
h  Click Create. In the General tab, complete the following:
     Name: RADIUS monitor profile
     Description: authorization profile for monitor
i  Click the RADIUS Attributes tab and complete the following. Notice that for the monitor, the level equals zero.
     Dictionary Type: RADIUS-Cisco
     RADIUS Attribute: cisco-av-pair
     Attribute Type: String
     Attribute Value: Static, [enter this] LOGIN:priv-lvl 0
j  Click Add. The entry appears in the Manually Entered table. Now, we'll add the second attribute.
k  In the RADIUS Attributes tab, complete the following:
     Dictionary Type: RADIUS-IETF
     RADIUS Attribute: Service-Type
     Attribute Type: Enumeration
     Attribute Value: Static, NAS Prompt
l  Click Add. The entry appears in the Manually Entered table.
m  Click Submit. The RADIUS monitor profile appears in the Authorization Profiles list.
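As an added example (not part of this guide and not Orchestrator or ACS code), the following Python check resolves the attributes carried in a RADIUS Access-Accept to one of the two roles defined by the profiles above, and fails closed on anything outside the attribute table, which is the review a practitioner would run against a captured reply before trusting the profiles. The attribute keys follow the names this guide uses, and all sample replies are constructed, not captured from ACS.

```python
import re

# Role mapping copied from the attribute table in this guide: the Cisco
# cisco-av-pair "LOGIN:priv-lvl N" decides the role, and Service-Type must
# be NAS Prompt (RFC 2865 enumeration value 7) for both roles.
PRIV_LVL_TO_ROLE = {7: "admin", 0: "monitor"}
NAS_PROMPT = {"NAS Prompt", "NAS-Prompt", 7}
AV_PAIR_RE = re.compile(r"^LOGIN:priv-lvl\s+(\d+)$")


def role_from_accept(attrs):
    """Map the attributes of a RADIUS Access-Accept to an Orchestrator role.

    attrs: dict of attribute name -> list of values, keyed by the names
    this guide uses ("cisco-av-pair", "Service-Type"). Returns "admin",
    "monitor", or None when the reply does not match either profile
    (missing, unexpected or conflicting attributes all fail closed).
    """
    service_types = attrs.get("Service-Type", [])
    if len(service_types) != 1 or service_types[0] not in NAS_PROMPT:
        return None
    levels = set()
    for pair in attrs.get("cisco-av-pair", []):
        m = AV_PAIR_RE.match(pair.strip())
        if m:
            levels.add(int(m.group(1)))
    if len(levels) != 1:          # no priv-lvl, or two different ones
        return None
    return PRIV_LVL_TO_ROLE.get(levels.pop())


# Constructed sample replies (not captured from ACS) for the two profiles
# defined in step 4, plus two misconfigurations worth catching in a review.
ADMIN_ACCEPT = {"cisco-av-pair": ["LOGIN:priv-lvl 7"], "Service-Type": ["NAS Prompt"]}
MONITOR_ACCEPT = {"cisco-av-pair": ["LOGIN:priv-lvl 0"], "Service-Type": [7]}
WRONG_SERVICE_TYPE = {"cisco-av-pair": ["LOGIN:priv-lvl 7"], "Service-Type": ["Login"]}
TYPO_IN_PAIR = {"cisco-av-pair": ["LOGIN:priv_lvl 7"], "Service-Type": ["NAS Prompt"]}


def review_profiles():
    # Role each constructed reply resolves to; None means "would be rejected".
    return {
        "admin": role_from_accept(ADMIN_ACCEPT),
        "monitor": role_from_accept(MONITOR_ACCEPT),
        "wrong_service_type": role_from_accept(WRONG_SERVICE_TYPE),
        "typo_in_pair": role_from_accept(TYPO_IN_PAIR),
    }


if __name__ == "__main__":
    for name, role in review_profiles().items():
        print(f"{name}: {role}")
```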

5  Create access services that define policy structure and allowed protocols for admin and monitor

a  Navigate to Access Policies > Access Services, and click Create.
b  When Step 1 - General appears, complete the following:
     Name: Orch-admin services
     Description: Orchestrator admin services for administrator
     User Selected Service Type: Network Access
     Policy Structure: Identity, Authorization
   Click Next. When Step 2 - Allowed Protocols appears, select the following:
     Process Host Lookup: [deselect]
     Authentication Protocols: Allow PAP/ASCII, Allow CHAP
c  Click Finish. When asked if you'd like to activate this service, click Yes. Notice that Orch-admin services is now listed under Access Policies in the navigation panel.

6  Create access rules for the services

These specify the conditions users must meet for access to Orchestrator.

a  Navigate to Access Policies > Access Services > Orch-admin services > Identity, and click Select.
b  Select Internal Users, and click Save Changes.
c  Navigate to Access Policies > Access Services > Orch-admin services > Authorization, and click Customize. The Customize Conditions window appears.
d  Select and move Compound Condition from the Selected column to the Customize Conditions column.
e  Select and move Identity Group to the Selected column.
f  Click OK. The result displays in the Conditions column.
g  Click Create. A dialog box appears.
h  Select the Identity Group checkbox, and click Select. The Network Device Groups list appears.
i  Select orchestrator-admin-group and click OK. The Rule-1 dialog returns.
j  Below the Authorization Profiles field, click Select. The Authorization Profiles dialog appears.
k  Select RADIUS admin profile and click OK. The input window returns.
l  Click OK. The Network Access Authorization Policy returns, with Rule-1 included.
m  At the bottom of the page, click Save Changes.
n  Now you'll add Rule-2 to include the RADIUS monitor profile. At the bottom of the page, click Create. The Rule-2 dialog box appears. Select the Identity Group checkbox, and click Select. The Network Device Groups list appears. Select orchestrator-monitor-group and click OK. The Rule-2 dialog returns. Below the Authorization Profiles field, click Select. The Authorization Profiles dialog appears. Select RADIUS monitor profile and click OK. The input window returns. Click OK. The Network Access Authorization Policy returns, with Rule-2 included.
o  Click Save Changes.

7  Create a Service Selection Rule to parse traffic hitting the RADIUS server for appropriate action

a  Navigate to Access Policies > Access Services: Service Selection Rules, and click Create. A dialog appears for creating a new rule.
b  Complete the following: Select the Protocol checkbox, and select match and Radius. From the drop-down list in the Service field, select Orch-admin services. Click OK. The Service Selection Policy page appears, displaying the new rule at the bottom of the list.
c  Select the new rule, and click the caret to move the rule up to the appropriate priority.
d  Click Save Changes.

You have now finished configuring Cisco Secure ACS to use RADIUS for authenticating Orchestrator users.

8  Configure the Orchestrator for RADIUS authentication with Cisco Secure ACS

a  After logging into the Orchestrator as admin, navigate to Orchestrator Administration > Authentication. The Remote Authentication dialog box appears.
b  Select RADIUS, and complete the following:
     Authentication Order: Remote first
     Server IP: [Cisco Secure ACS IP address]
     Server Port: 1812
     Server Secret Key: [Orchestrator's shared secret]
c  Click Save.
d  Log out of Orchestrator.
e  On the welcome page, log in as orchadmin, the identity you created in the RADIUS server.

Orchestrator is now authenticating users via the RADIUS server.
