Configure Roles in External Authentication Servers

This section describes how to set up RADIUS, TACACS+, and LDAP servers to work with GigaVUE nodes, including how to include a local user mapping attribute that the GigaVUE node can use to assign roles to an externally-authenticated user. Refer to the following sections for more details:

■   Grant Roles with External Authentication Servers
■   Configure Cisco ACS: RADIUS Authentication
■   Configure Cisco ISE: RADIUS Authentication
■   Configure Cisco ACS: TACACS+ Authentication
■   Configure Cisco ISE: TACACS Authentication
■   Configure LDAP Authentication

Configure Cisco ACS: RADIUS Authentication

Use the following steps to configure the Cisco Access Control System (ACS): RADIUS to grant extra roles to externally authenticated users on the GigaVUE H Series node.

Note:  The steps described below are based on CISCO ACS Version 5.x. The navigation path may vary depending on the CISCO ACS version that you use.

Enable Extra Roles for RADIUS on the GigaVUE Node

1.   Go to Settings > Authentication > RADIUS > Default Settings to enable the GigaVUE H Series node to accept extra roles in response from the AAA server.

Note:  The extra role must match a role already configured on the GigaVUE H Series node/cluster.

Example of Assigning the Class Attribute in RADIUS Authorization Profile (ACS 5.x)

In the Cisco Secure ACS screen:

  1. Navigate to Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles.
  2. Click Create to add a new authorization profile.
  3. Enter/select the following:

    4. Parameter

    Attribute
    Dictionary Type RADIUS-IETF

    RADIUS Attribute

    Class

    Attribute Type

    Default Value (string)

    Attribute Value

    Default Value (static)

    Local user mapping and optional roles

    Select the appropriate roles
  4. Click Add to add this attribute to the authorization profile.
  5. Assign this authorization profile to a group and populate it with GigaVUE users.

Configure Cisco ISE: RADIUS Authentication

To configure Cisco Identity Services Engine (ISE): RADIUS and to grant extra roles to externally authenticated users on the GigaVUE H Series node, perform the following:

Note:  The steps described below are based on CISCO ISE Version 5.x. The navigation path may vary depending on the CISCO ISE version that you use.

  1. Create the following two users in the GigaVUE H Series Node and configure the remote server using the following commands:
    2. CISCO ISE RADIUS Configuration

    Local user account configuration

     

    User 1 with admin auth profile

    		 
    username adminauthprofile password 7 $1$Nc/LLAfM$EwiU.qjNQHoqnWSaqQiNG0
       

    User 2 with read only auth profile 

    no username nonadminauthprofile disable
username nonadminauthprofile full-name ""
username nonadminauthprofile roles replace monitor

     

     

    AAA remote server configuration

    Assume the radius server host as 1.1.1.1. Add this radius-server to the GigaVUE-OS H series nodes list using the following commands:

    # radius-server host 1.1.1.1

    # radius-server host 1.1.1.1 key ********

    # radius-server extra-user-params roles enable

  2. Create the following Users in ISE database:

    • User 1 must be mapped to the admin auth profile.

    • User 2 must be mapped to the read only auth profile.

    3. Note:  Users can also be mapped from an Active Directory server.

  3. Add Gigamon device to the ISE:
  4. Enter the following:

    5. Parameter

    Attribute
    Shared Secret Key

    Configure the same shared secret key as what you have configured in Gigamon using the CLI command:

    #radius server host x.x.x.x key <xxxxxx>
    #radius server host 1.1.1.1 key ******

     

  5. Create two Authorization Policies, one for admin user and one for read-only user.
  6. Enter/select the Common Attribute Values in the ASA VPN. Do not enter Vendor specific radius attributes as they are not supported.

    Parameter

    Attribute

    Name

    Local user name

    If this is admin auth profile, then the username should be the same as configured in Gigamon, which is adminauthprofile.

    If this is the read-only auth profile, then the user name should be the same as configured in Gigamon, which is nonadminauthprofile.

    Access typeACCESS_ACCEPT

    ASA VPN

    Enabled

    Note:  You must enable this to provide common attribute values.

    Attribute Details

     

    Access Type

    ACCESS_ACCEPT

    class

    local-user-name=adminauthprofile

    Network Device profileCISCO / TAP

    local-user-name

    adminauthprofile

  7. Create a policy set that defines the authentication policy and the authorization policy. Policy pertains to conditions and actions.

  8. Define the attributes that match the policy, for example you can define the attribute as 'Device type' and match all the devices.
  9. Select the Allowed Protocols/Server Sequence as 'Default Network Access'.
  10. Once the conditions are defined and the allowed protocols are configured, click the View option to configure authentication policy and map the authorization policy.
    • For the authentication policy: Define the conditions appropriately for the RADIUS packets to hit the authentication policy. For example, use the IP address of eth0 interface of Gigamon as condition and as per this policy the authentication would be done against the ISE local users.
    • For the authorization policy: Define two rules and based on these rule conditions, the authorization policy created in the previous step will be triggered.
  11. If you enter the username as adminauthprofile while accessing the Gigamon devices via SSH/GUI, the admin auth profile is triggered. The corresponding attribute values defined in this authorization profile in the RADIUS response packet would be sent by the ISE. Based on these values, Gigamon would map this user to an user in its local database and hence the remote user gets authorized.
  12. If you enter the username as nonadminauthprofile while accessing the Gigamon devices, as this user belongs to the monitor group in ISE, the non admin auth profile is triggered and the corresponding attribute values in the radius response packet is sent by the ISE.

Configure Cisco ACS: TACACS+ Authentication

Use the following steps to configure Cisco ACS: TACACS+ to grant extra roles to externally authenticated users on the GigaVUE H Series node.

Note:  The steps described below are based on CISCO ACS Version 5.x. The navigation path may vary depending on the CISCO ACS version that you use.

Enable Extra Roles for TACACS+ on the GigaVUE H Series Node

1.   Go to Settings > Authentication > TACACS > Default Settings to enable the GigaVUE H Series node to accept extra roles in the response from the AAA server.

Note:  The extra role must match a role already configured on the GigaVUE node/cluster.

Example of Assign local-user-name to Shell Profile (ACS 5.x)

2. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles.
3. Click Create to add a new shell profile.
4. Enter/select the following:

Parameter

Attribute
General

Profile Name and Description

Custom Attributes

 

Attribute

local-user-name

Requirement

Default Value (Mandatory)

Attribute Value

Default Value (Static)

local user mapping and optional roles

 

5. Click Add to add this attribute to the shell profile.
6. Click Submit to finalize this shell profile.
7. Create Service Selection rules that will assign this shell profile to the desired GigaVUE users.

Configure Cisco ISE: TACACS Authentication

To configure Cisco ISE: TACACS and to grant extra roles to externally authenticated users on the GigaVUE H Series node, perform the following steps:

Note:  The steps described below are based on CISCO ISE Version 5.x. The navigation path may vary depending on the CISCO ISE version that you use.

  1. Create the following two users in the GigaVUE H Series Node and configure the remote server using the following commands:
    2. CISCO ISE RADIUS Configuration

    Local user account configuration

     
    User 1 with admin auth profile 
    username adminauthprofile password 7 $1$Nc/LLAfM$EwiU.qjNQHoqnWSaqQiNG0
       
    User 2 with non admin auth profile (that replaces the monitor role) 
    no username nonadminauthprofile disable
username nonadminauthprofile full-name ""
username nonadminauthprofile roles replace monitor

     

     

    AAA remote server configuration

    Assume tacacs server host as 1.1.1.1 and shared key as *******.

    tacacs-server host 1.1.1.1
 timeout 5 retransmit 3
    # tacacs-server host 1.1.1.1 key ********

    #tacacs-server extra-user-params roles enable
    # tacacs-server key ********
    tacacs-server retransmit 3
    tacacs-server service Gigamon
    tacacs-server timeout 5

    AAA Configuration

    		 
    aaa authentication login default tacacs+ local
    aaa authorization map default-user monitor
    aaa authorization map order remote-first
  2. Create the following users in ISE database:

    • User 1 must be mapped to Admin group

    • User 2 must be mapped to monitor group

  3. Add Network devices to ISE.
  4. Enter the following:

    5. Parameter

    Attribute
    Shared Secret Key

    Configure the same as what you have configured in Gigamon using the CLI command:

    tacacs-server host 1.1.1.1 key ********

  5. Create Shell profiles for each of the users.

  6. The shell profiles in TACACS is very similar to the Authorization profile in radius. Once the device is authenticated successfully, the custom attribute which is defined under the shell profile is sent to Gigamon in the TACACS response packets for the authorization to work. Similar to the RADIUS auth profile, the shell profile should have the exact username, defined as the value under Custom attributes (Attribute name: local-user-name).

    Note:  This username should match the ones you configured in the Gigamon local database)

  7. Create a policy set which pairs the authentication policy and the TACACS shell policy. Similar to the policy created in RADIUS section, create one for the TACACS authentication and authorization to work.
  8. Login to the device using the appropriate accounts / usernames.

Configure LDAP Authentication

Use the following steps to configure an LDAP server (for example, Apache Directory Server) to grant extra roles to externally authenticated users on the GigaVUE H Series node.

1.   Enable Extra Roles for LDAP on the GigaVUE H Series.

To enable the GigaVUE H Series node to accept extra roles in the response from the AAA server:

a. Select Settings > Authentication > LDAP.
b. Click Default Settings.
c. Set the Extra Roles field to Yes.

Note:  The extra role must match a role already configured on the GigaVUE node or cluster.

2. Assign local-user-name to Shell Profile (ACS 5.x).

To assign a local-user-name to Shell Profile (ACS 5.x), add an employeeType attribute to the InetOrgPerson user object.

The attribute format is as follows:

       <mapping_local_user>[:role-<mapping_local_role_1> [role-<mapping_local_role_2>[...]]]