Contents
Alteon Configuration
1 Go to Vision settings
2 Go to General settings -> Authentication Protocols -> RADIUS settings
3 Go to User Management settings and set the authentication mode to RADIUS
Cisco ACS configuration
1 Log in as user xxx:xxx
2 Go to System Administration -> Configuration -> Dictionaries -> Protocol -> RADIUS -> RADIUS VSA -> Radware
3 Go to Network Resources
3.1 Define the location
3.2 Define the device type
3.3 Define the Network Devices and AAA Clients
3.4 Go to Users and Identity Stores -> Identity Groups
3.5 Go to Users and Identity Stores -> Internal Identity Stores -> Users
3.6 Go to Users and Identity Stores -> External Identity Stores -> LDAP
3.7 Go to RSA SecurID Token Servers for RSA integration
3.8 Go to Identity Store Sequences
4 Go to Policy Elements -> Authorization and Permissions -> Network Access -> Authorization Profiles
5 Go to Access Policies
5.1 Check the Service Selection Rules
5.2 Go to Default Network Access
5.3 Select Identity
5.4 Select Group Mapping
5.5 Go to Authorization
6 Configuration is done.
Alteon Configuration
1 Go to Vision settings

2 Go to General settings -> Authentication Protocols -> RADIUS settings

Set the primary server IP address, port and shared secret (which is radware in this setup).
The shared secret is the only key protecting the RADIUS exchange between Vision and ACS, so use a dictionary word like this only in a lab; in production use a long random secret, and make sure it matches the secret entered for the AAA client in ACS (step 3.3).
Leave the other parameters at their defaults.

3 Go to User Management settings and set the authentication mode to RADIUS

Cisco ACS configuration
1 Log in as xxx/xxx
2 Go to System Administration -> Configuration -> Dictionaries -> Protocol -> RADIUS -> RADIUS VSA -> Radware
Check that the Radware VSA dictionary is present; the Role and Scope attributes used in the authorization profiles (step 4) come from it.

3 Go to Network Resources
3.1 Define the location

3.2 Define the device type

3.3 Define the Network Devices and AAA Clients

Location is All Locations
Device Type is Radware-Vision
IP Address is the IP of the Vision management interface
Authentication Options is RADIUS (with the same shared secret as configured on Vision)
3.4 Go to Users and Identity Stores -> Identity Groups

Identity groups are defined for Vision-Admin, Vision-Real-Operator and VISION_VIEWONLY.
3.5 Go to Users and Identity Stores -> Internal Identity Stores -> Users
Define the locally authenticated users here.

3.6 Go to Users and Identity Stores -> External Identity Stores -> LDAP
LDAP integration

Choose the Globaltest, define the name, server connection, Directory Organization and Directory Groups



3.7 Go to RSA SecurID Token Servers for RSA integration

3.8 Go to Identity Store Sequences

The sequence authenticates the user against RSA and pulls the user's attributes from LDAP; if the user is not found there, it falls back to the internal users.
Here I tested the authentication sequence, checking RSA first and then the internal store, but for some reason it did not work.
4 Go to Policy Elements -> Authorization and Permissions -> Network Access -> Authorization Profiles
Here I defined 3 authorization profiles, each carrying the Radware Role and Scope attributes:

4.1 Radware-Vision-Administrator
Role : SYS_ADMIN
Scope: ALL

4.2 Radware-Real-Operator
Role: REAL_SERVER_OPERATOR
Scope: Perimeter

4.3 VISION_VIEWONLY
Role: VIEWER
Scope: ALL
We may need to add more authorization profiles with Role = REAL_SERVER_OPERATOR and Scope = [name of the logical group at Vision] for users who should only operate on that group.
5 Go to Access Policies
5.1 Check the Service Selection Rules

There are 2 rules, one for RADIUS and another for TACACS+. Requests from Vision are RADIUS, so we will always match Rule 1 and select the Default Network Access service.
5.2 Go to Default Network Access

There are 3 elements in the profile.
Identity: the identity source (store or sequence) in which ACS will look up the user name and password.
Group Mapping: ACS maps the authenticated user (for example by LDAP group) to a local Identity Group for authorization.
Authorization: the rules that decide how each local Identity Group is authorized.

Check that the allowed protocols include PAP, which is what Alteon Vision is configured to use. With PAP the user's password travels in the Access-Request protected only by the RADIUS shared secret, which is one more reason to choose a strong secret.
5.3 Select Identity
To define the rule that selects the identity source (where to look for the user name and password).

Rule 10 is the one we want:
if the device type matches Radware-Vision, we choose the identity source VisionUser, the identity store sequence from step 3.8, which means the user is looked up at RSA first and then in the local user table.

5.4 Select Group Mapping

I am using the Network Services guys as an example.

This kind of information comes from the LDAP:externalGroups attribute.
Define the mapping to the local identity group.

5.5 Go to Authorization
Define a rule
Users who belong to the local Identity Group Vision-Admin and come from a Radware-Vision device are authorized as Radware-Vision-Administrator.

Users coming from Radware-Vision who belong to Vision-Real-Operator are granted Radware-Real-Operator.

Users coming from Radware-Vision who belong to VISION_VIEWONLY are granted VISION_VIEWONLY.

Users coming from Radware-Vision who belong to Networks-Services (mapped from LDAP in step 5.4) are granted Radware-Real-Operator as well.
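The RADIUS exchange that the steps above set up, as an added example that is not part of the original notes and not Radware's or Cisco's code: it builds the PAP Access-Request Vision sends (step 5.2, protected by the shared secret from Alteon step 2), builds the Access-Accept ACS returns with Role and Scope carried as vendor-specific attributes (step 4), verifies the Response Authenticator on the client side, and shows what an on-path attacker who knows or guesses the shared secret recovers from a captured request. The Radware Vendor-Id (89) and the VSA numbers for Role (1) and Scope (2) are assumptions for illustration; the real values are in the Radware dictionary loaded in ACS. The user name, password and NAS address are constructed.

```python
import hashlib
import os
import struct

# "radware" is the shared secret the page uses. The Vendor-Id and the VSA numbers
# for Role and Scope are ASSUMPTIONS for illustration only; take the real values
# from the Radware RADIUS dictionary loaded in ACS, not from this script.
SECRET = b"radware"
RADWARE_VENDOR_ID = 89  # assumed
VSA_ROLE = 1            # assumed; carries SYS_ADMIN / REAL_SERVER_OPERATOR / VIEWER
VSA_SCOPE = 2           # assumed; carries ALL / Perimeter / a logical group name
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_VENDOR_SPECIFIC = 1, 2, 4, 26
CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT = 1, 2

def _pap_chain(data: bytes, secret: bytes, request_auth: bytes, encrypting: bool) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = data[i:i + 16]
        result = bytes(a ^ k for a, k in zip(block, keystream))
        out += result
        prev = result if encrypting else block  # the chain always runs over ciphertext
    return out

def encode_pap_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _pap_chain(password + b"\x00" * (-len(password) % 16), secret, request_auth, True)

def decode_pap_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _pap_chain(encoded, secret, request_auth, False).rstrip(b"\x00")

def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26): 4-byte Vendor-Id followed by a nested TLV."""
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + attr(vendor_type, value))

def parse_attrs(data: bytes):
    """Yield (type, value) pairs; stops on a malformed length instead of looping forever."""
    i = 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            break
        yield attr_type, data[i + 2:i + length]
        i += length

def build_access_request(username: str, password: str, nas_ip: str, secret: bytes,
                         ident: int = 1, request_auth: bytes = None) -> tuple:
    """The PAP Access-Request Vision sends; returns (packet, Request Authenticator)."""
    if request_auth is None:
        request_auth = os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username.encode())
    attrs += attr(ATTR_USER_PASSWORD, encode_pap_password(password.encode(), secret, request_auth))
    attrs += attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def build_access_accept(ident: int, request_auth: bytes, secret: bytes, role: str, scope: str) -> bytes:
    """The Access-Accept ACS returns when an authorization profile matches."""
    attrs = vsa(RADWARE_VENDOR_ID, VSA_ROLE, role.encode()) + vsa(RADWARE_VENDOR_ID, VSA_SCOPE, scope.encode())
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs

def verify_response(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check that the reply came from a server holding the shared secret."""
    header, response_auth, attrs = reply[:4], reply[4:20], reply[20:]
    return hashlib.md5(header + request_auth + attrs + secret).digest() == response_auth

def radware_vsas(reply: bytes, vendor_id: int = RADWARE_VENDOR_ID) -> dict:
    """The Role/Scope strings Vision would apply to the session."""
    names, found = {VSA_ROLE: "Role", VSA_SCOPE: "Scope"}, {}
    for attr_type, value in parse_attrs(reply[20:]):
        if attr_type == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == vendor_id:
            for vendor_type, vendor_value in parse_attrs(value[4:]):
                found[names.get(vendor_type, vendor_type)] = vendor_value.decode()
    return found

def sniffed_password(request: bytes, guessed_secret: bytes) -> str:
    """What an on-path attacker recovers from a captured Access-Request with a guessed secret."""
    for attr_type, value in parse_attrs(request[20:]):
        if attr_type == ATTR_USER_PASSWORD:
            return decode_pap_password(value, guessed_secret, request[4:20]).decode(errors="replace")
    return ""

if __name__ == "__main__":
    req, ra = build_access_request("vision-admin", "Tr0ub4dor&3", "10.0.0.5", SECRET, ident=7)
    acc = build_access_accept(7, ra, SECRET, "SYS_ADMIN", "ALL")
    print(verify_response(acc, ra, SECRET), radware_vsas(acc), sniffed_password(req, SECRET))
```

Two things worth noticing when running it: the Response Authenticator check fails as soon as one byte of the Accept (for example the Scope value) or the secret changes, which is what lets Vision trust the Role it receives; and the same secret that makes that check possible is all that stands between a captured Access-Request and the clear-text password, so a word like "radware" gives no real protection on the wire.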