Thursday, March 3, 2011

Configuring RADIUS VSA on ACS 5.2 for APC Authentication

If Cisco ACS is configured to do plain RADIUS authentication for APC UPS devices (no vendor attributes returned in the Access-Accept), the RADIUS user gets only Read-Only privileges on the APC user interface.

To get Admin privileges for RADIUS users, the APC Vendor Specific Attributes (VSAs) have to be defined on Cisco ACS and returned in the Access-Accept. Following are the Vendor Specific Attributes for APC devices (they can be obtained online, or from a RADIUS VSA dictionary file). The vendor ID 318 is APC's IANA enterprise number; APC-Service-Type is vendor attribute 1 and takes one of three integer values.

VENDOR APC 318

ATTRIBUTE APC-Service-Type 1 integer APC

VALUE APC-Service-Type Admin 1
VALUE APC-Service-Type Device 2
VALUE APC-Service-Type ReadOnly 3

To define the VSA in Cisco ACS 5.2, go to System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA, click Create, enter Name: APC and Vendor ID: 318, and click Submit. Then go to System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA > APC (or, from the Vendor Specific Dictionary page, check the box next to APC and click Show Vendor Attributes), click Create and enter the following values: Attribute: APC-Service-Type, Vendor Attribute ID: 1, Direction: BOTH, Multiple Allowed: True, Attribute Type: Unsigned Integer 32. Click Submit.

Go to Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles, click Create and, under the General tab, enter a name for the profile (say RADIUS_AUTH). Under the RADIUS Attributes tab, select RADIUS-APC from the Dictionary Type drop-down list, select APC-Service-Type as the RADIUS Attribute, set Attribute Value to Static with value 1 (Admin; per the dictionary above, 2 would give Device and 3 Read-Only access), click Add ^ to add the attribute to the list, and then click Submit.

To add the APC device to Cisco ACS 5.2, go to Network Resources > Network Device Groups > Device Type and click Create to create a new group for APC devices with the Name: APC Devices. Then go to Network Resources > Network Devices and AAA Clients, click Create, and on the create page enter the host name of the APC device in the Name field, choose Device Type: APC Devices, and enter the IP of the APC device in the IP field. Check the RADIUS check box and enter the shared secret (the same secret configured in the RADIUS settings of the APC device; a mismatch makes the APC reject the server's reply even though the request reaches ACS).

To add a user to the ACS, go to Users and Identity Stores > Identity Groups, click Create and add a group with the Name: APC User under All Groups. Then go to Users and Identity Stores > Internal Identity Stores > Users and create a user under the APC User identity group.

Now we need to tie the created user and device to the RADIUS authorization profile by creating a policy. To do that, go to Access Policies > Access Services, click Create, enter the Name: RADIUS Admin, select User Selected Service Type and choose Network Access from the drop-down list. Under Policy Structure select Identity and Authorization, then click Next. On the Allowed Protocols page select Allow PAP/ASCII (the APC management card's RADIUS client authenticates with PAP, so this must be enabled) and click Finish.

Go to Access Policies > Access Services > RADIUS Admin > Identity, select the Single result selection radio button, select Internal Users as the Identity Source and click Save Changes. Go to Access Policies > Access Services > RADIUS Admin > Authorization, click Customize (lower right of the screen), choose Identity Group as the Condition and Authorization Profiles as the Result, and click OK. Click Create to create a Network Access Authorization Policy. Under Conditions, select Identity Group as APC User (created under Users and Identity Stores above) and under Results select RADIUS_AUTH (or whatever name you gave the profile under Policy Elements above), then click OK.

The final step is to go to Access Policies > Access Services > Service Selection Rules and click Customize. Select Device Type and Protocol as the Conditions and click OK to save. Now go to Access Policies > Access Services > Service Selection Rules and click Create... to create a new Service Selection Policy. Under Conditions set Device Type to APC Devices and Protocol to RADIUS, and under Results set Service to RADIUS Admin. Click OK to save the service policy. With this user you should now be able to log in to the APC UI with Administrator privileges.
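What the authorization profile above actually puts on the wire, as an added example that is not part of the original post: a small Python script that encodes the APC-Service-Type VSA exactly as RFC 2865 lays it out (attribute 26, Vendor-Id 318, vendor type 1, 4-byte unsigned integer), wraps it in an Access-Accept with the RFC 2865 Response Authenticator, and decodes the attribute list back out. The identifier, request authenticator and shared secret are constructed sample values, not taken from a real ACS/APC exchange. It is useful when the ACS log shows a pass but the APC card still behaves unexpectedly: decode the Access-Accept from a packet capture between ACS and the card, and if no VSA with Vendor-Id 318 is present the card gets the read-only behaviour described at the top of the post. The encoder also handles string-valued VSAs, so the same code covers the Riverbed Local-User attribute mentioned in the comments below.

```python
import hashlib
import hmac
import struct

# Constants from the APC dictionary above (vendor 318, APC-Service-Type = 1).
APC_VENDOR_ID = 318
APC_SERVICE_TYPE = 1
APC_SERVICE_TYPE_VALUES = {1: "Admin", 2: "Device", 3: "ReadOnly"}

VENDOR_SPECIFIC = 26   # RFC 2865 attribute type for Vendor-Specific
ACCESS_ACCEPT = 2      # RFC 2865 packet code
HEADER_LEN = 20        # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute.

    Wire layout: Type=26, Length, Vendor-Id (4 bytes), then one sub-attribute
    Vendor-Type (1), Vendor-Length (1), Value.  Integers are sent as 4-byte
    big-endian values, which is what ACS's "Unsigned Integer 32" type produces;
    strings are sent as raw UTF-8 bytes.
    """
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode("utf-8")
    vendor_len = 2 + len(value)
    total_len = 6 + vendor_len
    if total_len > 255:
        raise ValueError("VSA value too long for a single attribute")
    return struct.pack("!BBIBB", VENDOR_SPECIFIC, total_len, vendor_id,
                       vendor_type, vendor_len) + value


def decode_attributes(data):
    """Parse a RADIUS attribute list into (type, vendor_id, vendor_type, value) tuples.

    Non-vendor attributes carry None for vendor_id/vendor_type.  Malformed
    lengths raise instead of being silently skipped.
    """
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("bad attribute length %d" % attr_len)
        body = data[pos + 2:pos + attr_len]
        if attr_type == VENDOR_SPECIFIC:
            if len(body) < 6:
                raise ValueError("VSA too short")
            vendor_id = struct.unpack("!I", body[:4])[0]
            sub = 4
            while sub < len(body):            # one VSA may carry several sub-attributes
                if len(body) - sub < 2:
                    raise ValueError("truncated sub-attribute")
                vtype, vlen = body[sub], body[sub + 1]
                if vlen < 2 or sub + vlen > len(body):
                    raise ValueError("bad sub-attribute length %d" % vlen)
                attrs.append((attr_type, vendor_id, vtype, body[sub + 2:sub + vlen]))
                sub += vlen
        else:
            attrs.append((attr_type, None, None, body))
        pos += attr_len
    return attrs


def apc_service_type(attrs):
    """Return the APC access level name granted by a decoded attribute list, or None."""
    for attr_type, vendor_id, vtype, value in attrs:
        if (attr_type == VENDOR_SPECIFIC and vendor_id == APC_VENDOR_ID
                and vtype == APC_SERVICE_TYPE and len(value) == 4):
            return APC_SERVICE_TYPE_VALUES.get(struct.unpack("!I", value)[0])
    return None


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Build an Access-Accept.  Response Authenticator per RFC 2865 is
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, HEADER_LEN + len(attributes))
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response_authenticator(packet, request_authenticator, secret):
    """Check a server reply against the request's authenticator and the shared secret,
    the same check the APC card performs before trusting the reply."""
    header, resp_auth, attributes = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    if len(packet) < HEADER_LEN or struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    # Constructed sample values, not from a real ACS/APC exchange.
    req_auth = bytes(range(16))
    secret = b"constructed-shared-secret"
    vsa = encode_vsa(APC_VENDOR_ID, APC_SERVICE_TYPE, 1)     # value 1 = Admin
    reply = build_access_accept(7, req_auth, secret, vsa)
    print(reply.hex())
    print("authenticator ok:", verify_response_authenticator(reply, req_auth, secret))
    print("APC-Service-Type:", apc_service_type(decode_attributes(reply[HEADER_LEN:])))
```

To compare with a real capture, feed the bytes after the 20-byte header of the Access-Accept to decode_attributes and look for a tuple whose vendor_id is 318; a reply whose authenticator fails verify_response_authenticator with the secret you entered on the APC is the shared-secret mismatch case, which the APC reports as a failed login even though ACS logs a pass.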

This might look very complicated, but it's actually like solving a math problem. ACS 5.X is very flexible in creating policies. The above steps can be used for configuring RADIUS VSAs for other devices as well; only the vendor ID, attribute ID and value change.

3 comments:

Unknown said...

aaah.. Thanks man! Haven't been doing ACS for a long time and was struggling with this, but for Riverbed devices on ACS 5.2. Worked very well, thank you!

Here is some info on it:
[User Defined Vendor]

Name=Riverbed Technology
IETF Code=17163

VSA 1=Local-User

[Local-User]
Type=STRING
Profile=OUT

On the authorization profile attribute you specify "admin" as the string value.

//gunnar

Unknown said...

Hi, I chanced upon your blog looking for ACS 5.2 with APC UPS information. I followed the steps stated in your blog but I have some problems getting it to work.

When I log in to the UPS via the RADIUS account, it gives me a credential error and fails my authentication. But my ACS log shows that the authentication has passed. I was wondering if you know of such issues with ACS 5.2 and APC UPS.

Anonymous said...

Was there ever a solution for ccie2323? Having the same issue.