Configure Roles in External Authentication Servers

This section describes how to set up RADIUS, TACACS+, and LDAP servers to work with GigaVUE nodes, including how to include a local user mapping attribute that the GigaVUE node can use to assign roles to an externally-authenticated user. Refer to the following sections for details:

Grant Roles with External Authentication Servers
Configure Cisco ACS: RADIUS Authentication
Configure Cisco ACS: TACACS+ Authentication
Configure LDAP Authentication

Configure Cisco ACS: RADIUS Authentication

Use the following steps to configure Cisco ACS 5.x (RADIUS) to grant extra roles to externally authenticated users on the GigaVUE H Series node.

Enable Extra Roles for RADIUS on the GigaVUE Node

1. Go to Settings > Authentication > RADIUS > Default Settings to enable the GigaVUE H Series node to accept extra roles in the response from the AAA server.

Note: The extra role must match a role already configured on the GigaVUE H Series node/cluster.

Example of Assigning the Class Attribute in RADIUS Authorization Profile (ACS 5.x)

2. Navigate to Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles and click Create to add a new authorization profile.
3. Give the profile a name and description and click on the RADIUS Attributes tab.
4. Leave Dictionary Type set to RADIUS-IETF and click the Select button adjacent to the RADIUS Attribute field.
5. Select the Class attribute from the dialog that appears and click OK.
6. Leave the Attribute Type and Attribute Value fields at their default value (String and Static, respectively).
7. Supply the local user mapping and optional roles, as shown in the following figure:

8. Click the Add button to add this attribute to the authorization profile.
9. Assign this authorization profile to a group and populate it with GigaVUE users.

Figure 1: Supplying the Class Field for RADIUS (ACS 5.x) shows these settings in a CiscoSecure ACS 5.x authorization profile.

Figure 14 Supplying the Class Field for RADIUS (ACS 5.x)

Configure Cisco ACS: TACACS+ Authentication

Use the following steps to configure Cisco ACS 5.x (TACACS+) to grant extra roles to externally authenticated users on the GigaVUE H Series node.

Enable Extra Roles for TACACS+ on the GigaVUE H Series Node

1. Go to Settings > Authentication > TACACS > Default Settings to enable the GigaVUE H Series node to accept extra roles in the response from the AAA server.

Note: The extra role must match a role already configured on the GigaVUE node/cluster.

Example of Assigning local-user-name in a Shell Profile (ACS 5.x)

2. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles and click Create to add a new shell profile.
3. Give the profile a name and description in the General tab.
4. Click on the Custom Attributes tab.
5. Set the Attribute field to local-user-name.
6. Leave the Requirement and Attribute Value fields at their default value (Mandatory and Static, respectively).
7. Supply the local user mapping and optional roles, as shown in the following figure:

8. Click Add to add this attribute to the shell profile.
9. Click Submit to finalize this shell profile.
10. Create Service Selection rules that will assign this shell profile to desired GigaVUE users.

Configure LDAP Authentication

Use the following steps to configure an LDAP server (for example, Apache Directory Server) to grant extra roles to externally authenticated users on the GigaVUE H Series node.

1. Enable Extra Roles for LDAP on the GigaVUE H Series.

To enable the GigaVUE H Series node to accept extra roles in the response from the AAA server:

a. Select Settings > Authentication > LDAP.
b. Click Default Settings.
c. Set the Extra Roles field to Yes.

Note: The extra role must match a role already configured on the GigaVUE node or cluster.

2. Assign the local user mapping with the employeeType attribute

To supply the local user mapping and optional roles for an LDAP-authenticated user, add an employeeType attribute to the user's inetOrgPerson object.

The attribute format is as follows:

       <mapping_local_user>[:role-<mapping_local_role_1> [role-<mapping_local_role_2>[...]]]

Figure 2: Adding the employeeType Attribute shows an example.

Figure 15 Adding the employeeType Attribute
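The mapping string shown above carries the same value whether it is sent in the RADIUS Class attribute, the TACACS+ local-user-name attribute, or the LDAP employeeType attribute, and each Note above requires every extra role to match a role already configured on the node. The following validator is an added example (not Gigamon's code, and not a model of how the node itself parses the value) that an administrator can run against an attribute value before deploying a profile, so that a mistyped role or a non-existent local account is caught in advance. The role set, the local account names and the characters allowed in a role name are constructed assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample of roles configured on the node/cluster and of local
# accounts; replace with the node's actual role and user lists (assumption).
CONFIGURED_ROLES = {"admin", "monitor", "operator"}
LOCAL_USERS = {"admin", "monitor", "gigauser"}

# Each role token must be 'role-<name>'; the allowed name characters are an
# assumption, chosen to reject stray spaces and punctuation.
_ROLE_TOKEN = re.compile(r"^role-([A-Za-z0-9_.-]+)$")


def parse_mapping(attr: str) -> Tuple[str, List[str]]:
    """Split '<local_user>[:role-<r1> [role-<r2> ...]]' into (user, [roles]).

    Raises ValueError for an empty user or a token that is not 'role-<name>'.
    """
    user, sep, rest = attr.strip().partition(":")
    if not user:
        raise ValueError("empty local user mapping")
    roles: List[str] = []
    if sep:  # anything after the colon is a space-separated list of role tokens
        for token in rest.split():
            match = _ROLE_TOKEN.match(token)
            if match is None:
                raise ValueError(f"malformed role token: {token!r}")
            roles.append(match.group(1))
    return user, roles


def validate_mapping(attr: str, local_users=LOCAL_USERS,
                     configured_roles=CONFIGURED_ROLES) -> List[str]:
    """Return the problems found; an empty list means the value is safe to deploy."""
    try:
        user, roles = parse_mapping(attr)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if user not in local_users:
        problems.append(f"local user {user!r} does not exist on the node")
    for role in roles:
        if role not in configured_roles:
            problems.append(f"role {role!r} is not configured on the node/cluster")
    return problems


if __name__ == "__main__":
    # Constructed attribute values: one valid, one with a role typo, one malformed.
    for value in ("gigauser:role-monitor role-operator", "admin:role-montior", "admin:monitor"):
        print(f"{value!r}: {validate_mapping(value) or 'OK'}")
```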