Configure Roles in External Authentication Servers
This section describes how to set up RADIUS, TACACS+, and LDAP servers to work with GigaVUE nodes, including how to include a local user mapping attribute that the GigaVUE node can use to assign roles to an externally-authenticated user. Refer to the following sections for details:
- Grant Roles with External Authentication Servers
- Configure Cisco ACS: RADIUS Authentication
- Configure Cisco ISE: RADIUS Authentication
- Configure Cisco ACS: TACACS+ Authentication
- Configure Cisco ISE: TACACS Authentication
- Configure LDAP Authentication
Configure Cisco ACS: RADIUS Authentication
Use the following steps to configure the Cisco Access Control System (ACS): RADIUS to grant extra roles to externally authenticated users on the GigaVUE H Series node.
Note: The steps described below are based on Cisco ACS Version 5.x. The navigation path may vary depending on the Cisco ACS version that you use.
Enable Extra Roles for RADIUS on the GigaVUE Node
1. Go to Settings > Authentication > RADIUS > Default Settings to enable the GigaVUE H Series node to accept extra roles in the response from the AAA server.
Note: The extra role must match a role already configured on the GigaVUE H Series node/cluster.
Example of Assigning the Class Attribute in RADIUS Authorization Profile (ACS 5.x)
In the Cisco Secure ACS screen:
- Navigate to Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles.
- Click Create to add a new authorization profile.
- Enter/select the following:
Parameter | Attribute
Dictionary Type | RADIUS-IETF
RADIUS Attribute | Class
Attribute Type | Default Value (String)
Attribute Value | Default Value (Static): the local user mapping and optional roles (select the appropriate roles)
- Click Add to add this attribute to the authorization profile.
- Assign this authorization profile to a group and populate it with GigaVUE users.
Configure Cisco ISE: RADIUS Authentication
To configure Cisco Identity Services Engine (ISE): RADIUS and to grant extra roles to externally authenticated users on the GigaVUE H Series node, perform the following:
Note: The steps described below are based on Cisco ISE Version 5.x. The navigation path may vary depending on the Cisco ISE version that you use.
- Create the following two users on the GigaVUE H Series node and configure the remote server using the following commands (see the configuration listed below).
- Create the following users in the ISE database:
  - User 1 must be mapped to the admin auth profile.
  - User 2 must be mapped to the read-only auth profile.
- Add the Gigamon device to ISE and enter the following (see the Shared Secret Key parameter below).
- Create two Authorization Policies, one for the admin user and one for the read-only user.
- Enter/select the Common Attribute Values in the ASA VPN. Do not enter vendor-specific RADIUS attributes, as they are not supported.
Parameter | Attribute
Name | Local user name. For the admin auth profile, the user name must be the same as the one configured in Gigamon, which is adminauthprofile. For the read-only auth profile, the user name must be the same as the one configured in Gigamon, which is nonadminauthprofile.
Access Type | ACCESS_ACCEPT
ASA VPN | Enabled. Note: You must enable this to provide common attribute values.
Attribute Details | Access Type = ACCESS_ACCEPT; class = local-user-name=adminauthprofile
Network Device Profile | CISCO / TAP; local-user-name adminauthprofile
-
Create a policy set that defines the authentication policy and the authorization policy. Policy pertains to conditions and actions.
- Define the attributes that match the policy, for example you can define the attribute as 'Device type' and match all the devices.
- Select the Allowed Protocols/Server Sequence as 'Default Network Access'.
- Once the conditions are defined and the allowed protocols are configured, click the View option to configure authentication policy and map the authorization policy.
- For the authentication policy: Define the conditions appropriately for the RADIUS packets to hit the authentication policy. For example, use the IP address of eth0 interface of Gigamon as condition and as per this policy the authentication would be done against the ISE local users.
- For the authorization policy: Define two rules and based on these rule conditions, the authorization policy created in the previous step will be triggered.
- If you enter the username as adminauthprofile while accessing the Gigamon devices via SSH/GUI, the admin auth profile is triggered. The corresponding attribute values defined in this authorization profile in the RADIUS response packet would be sent by the ISE. Based on these values, Gigamon would map this user to an user in its local database and hence the remote user gets authorized.
- If you enter the username as nonadminauthprofile while accessing the Gigamon devices, as this user belongs to the monitor group in ISE, the non admin auth profile is triggered and the corresponding attribute values in the radius response packet is sent by the ISE.
CISCO ISE RADIUS Configuration
Local user account configuration
User 1 with admin auth profile:
username adminauthprofile password 7 $1$Nc/LLAfM$EwiU.qjNQHoqnWSaqQiNG0
User 2 with read-only auth profile:
no username nonadminauthprofile disable
username nonadminauthprofile full-name ""
username nonadminauthprofile roles replace monitor
AAA remote server configuration
Assume the RADIUS server host is 1.1.1.1. Add this RADIUS server to the GigaVUE-OS H Series node's server list using the following commands:
# radius-server host 1.1.1.1
# radius-server host 1.1.1.1 key ********
# ldap bind-password ********
# radius-server extra-user-params roles enable
Note: Users can also be mapped from an Active Directory server.
Parameter | Attribute
Shared Secret Key | Configure the same shared secret key as the one configured in Gigamon using the CLI command: # radius-server host x.x.x.x key <xxxxxx>, for example: # radius-server host 1.1.1.1 key ******
Configure Cisco ACS: TACACS+ Authentication
Use the following steps to configure Cisco ACS: TACACS+ to grant extra roles to externally authenticated users on the GigaVUE H Series node.
Note: The steps described below are based on Cisco ACS Version 5.x. The navigation path may vary depending on the Cisco ACS version that you use.
Enable Extra Roles for TACACS+ on the GigaVUE H Series Node
1. Go to Settings > Authentication > TACACS > Default Settings to enable the GigaVUE H Series node to accept extra roles in the response from the AAA server.
Note: The extra role must match a role already configured on the GigaVUE node/cluster.
Example of Assigning local-user-name to a Shell Profile (ACS 5.x)
2. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles.
3. Click Create to add a new shell profile.
4. Enter/select the following:
Parameter | Attribute
General | Profile Name and Description
Custom Attributes | Attribute: local-user-name; Requirement: Default Value (Mandatory); Attribute Value: Default Value (Static), the local user mapping and optional roles
5. Click Add to add this attribute to the shell profile.
6. Click Submit to finalize this shell profile.
7. Create Service Selection rules that will assign this shell profile to the desired GigaVUE users.
Configure Cisco ISE: TACACS Authentication
To configure Cisco ISE: TACACS and to grant extra roles to externally authenticated users on the GigaVUE H Series node, perform the following steps:
Note: The steps described below are based on Cisco ISE Version 5.x. The navigation path may vary depending on the Cisco ISE version that you use.
- Create the following two users on the GigaVUE H Series node and configure the remote server using the following commands (see the configuration listed below).
- Create the following users in the ISE database:
  - User 1 must be mapped to the Admin group.
  - User 2 must be mapped to the monitor group.
- Add Network devices to ISE and enter the following (see the Shared Secret Key parameter below).
- Create Shell profiles for each of the users. The shell profiles in TACACS+ are very similar to the Authorization profile in RADIUS. Once the device is authenticated successfully, the custom attribute defined under the shell profile is sent to Gigamon in the TACACS+ response packets for the authorization to work. As with the RADIUS auth profile, the shell profile should have the exact username defined as the value under Custom Attributes (Attribute name: local-user-name).
Note: This username should match the ones you configured in the Gigamon local database.
- Create a policy set that pairs the authentication policy and the TACACS+ shell policy. Similar to the policy created in the RADIUS section, create one for the TACACS+ authentication and authorization to work.
- Log in to the device using the appropriate accounts / usernames.
CISCO ISE TACACS Configuration
Local user account configuration
User 1 with admin auth profile:
username adminauthprofile password 7 $1$Nc/LLAfM$EwiU.qjNQHoqnWSaqQiNG0
User 2 with non admin auth profile (replaces its roles with monitor):
no username nonadminauthprofile disable
username nonadminauthprofile full-name ""
username nonadminauthprofile roles replace monitor
AAA remote server configuration
Assume the TACACS+ server host is 1.1.1.1 and the shared key is ********.
# tacacs-server host 1.1.1.1 timeout 5 retransmit 3
# tacacs-server host 1.1.1.1 key ********
# tacacs-server extra-user-params roles enable
# tacacs-server key ********
# tacacs-server retransmit 3
# tacacs-server service Gigamon
# tacacs-server timeout 5
AAA Configuration
aaa authentication login default tacacs+ local
aaa authorization map default-user monitor
aaa authorization map order remote-first
Parameter | Attribute
Shared Secret Key | Configure the same shared secret key as the one configured in Gigamon using the CLI command: tacacs-server host 1.1.1.1 key ********
Configure LDAP Authentication
Use the following steps to configure an LDAP server (for example, Apache Directory Server) to grant extra roles to externally authenticated users on the GigaVUE H Series node.
1. Enable Extra Roles for LDAP on the GigaVUE H Series.
To enable the GigaVUE H Series node to accept extra roles in the response from the AAA server:
a. Select Settings > Authentication > LDAP.
b. Click Default Settings.
c. Set the Extra Roles field to Yes.
Note: The extra role must match a role already configured on the GigaVUE node or cluster.
2. Assign local-user-name to Shell Profile (ACS 5.x).
To assign a local-user-name to Shell Profile (ACS 5.x), add an employeeType attribute to the InetOrgPerson user object.
The attribute format is as follows:
<mapping_local_user>[:role-<mapping_local_role_1> [role-<mapping_local_role_2>[...]]]
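As an added example (not GigaVUE-OS or Gigamon code), the following Python models how a node could interpret the mapping value it receives from any of the three backends: the RADIUS Class / TACACS+ local-user-name value from the earlier sections and the LDAP employeeType format above. It checks the mapped local user and each extra role against what is configured locally and falls back to the default user otherwise; parse_mapping, authorize, the remote-first fallback order and the constructed LOCAL_USERS/CONFIGURED_ROLES are assumptions, not documented node behaviour.

```python
# Added example, not GigaVUE-OS code. The grammar below is the page's LDAP
# employeeType format; the RADIUS Class / TACACS+ custom attribute carries the
# same mapping as "local-user-name=<value>". Assumed, not stated on the page:
# the role suffix applies to all three backends, an unknown extra role rejects
# the login, and "remote-first" tries the remote mapping before local accounts.
import re

CLASS_PREFIX = "local-user-name="
ROLE_RE = re.compile(r"^role-([A-Za-z0-9_-]+)$")

def parse_mapping(value):
    """Return (local_user, [extra_roles]) for a mapping attribute value."""
    value = value.strip()
    if value.startswith(CLASS_PREFIX):
        value = value[len(CLASS_PREFIX):]
    user, _, role_part = value.partition(":")
    if not user:
        raise ValueError("empty local user in mapping attribute")
    roles = []
    for token in role_part.split():
        m = ROLE_RE.match(token)
        if not m:
            raise ValueError("malformed role token: %r" % token)
        roles.append(m.group(1))
    return user, roles

def authorize(remote_user, attr_value, local_users, configured_roles,
              default_user="monitor", extra_roles_enabled=True):
    """Pick the effective local account and roles; local_users maps account
    name -> set of roles; extra_roles_enabled mirrors 'extra-user-params roles enable'."""
    if attr_value:
        user, extra = parse_mapping(attr_value)
        if user in local_users:
            unknown = sorted(r for r in extra if r not in configured_roles)
            if unknown:  # "The extra role must match a role already configured"
                raise PermissionError("unknown extra role(s): %s" % unknown)
            roles = set(local_users[user])
            if extra_roles_enabled:
                roles |= set(extra)
            return user, sorted(roles)
    if remote_user in local_users:  # no usable mapping: same-named local account
        return remote_user, sorted(local_users[remote_user])
    return default_user, sorted(local_users[default_user])  # default-user monitor

# Constructed node state using the page's example accounts.
LOCAL_USERS = {"adminauthprofile": {"admin"}, "nonadminauthprofile": {"monitor"},
               "monitor": {"monitor"}}
CONFIGURED_ROLES = {"admin", "monitor", "operator"}
```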