Security

Does anyone know how to do this? It seems fairly simple on the NSM side to create a RADIUS server with PSK, etc.  However, integrating this into the Cisco ACS appears to not be so easy.

 

Has anyone done this before? or can point me to an article on how to do this?  Any info is appreciated.

 

Thanks.

#nsmxpress
#cisco
#RADIUS
#dictionary
#NSM
#ACS

Hi berky, do you have experience in configuring cisco ACS Server? We used ACS for authentication of our NSMxpress for several months, before migrating to freeradius. Using Cisco ACS works perfectly. You have only to create the system with PSK in your ACS Database with Using Radius (IETF). bye Markus

hello,

 

does that mean that you had duplicate accounts? one in ACS and one in NSM for every user? If so, that is not our preferred option.  I want it to grab the users from ACS so we dont' have duplicate account management.  This is for an enterprise with hundreds of users.

 

I know how to create the NSM as a 'client' in the ACS, but like I mentioned, it's the usernames that are the issue, which is why I thought it required adding the dictionary files.

 

Thanks for the help.

Did you checked the nsm admin guide?

http://www.juniper.net/techpubs/software/management/security-manager/nsm2009_1/nsm-admin-guide.pdf

 

You are not required to define RADIUS users in the local NSM database. The AUTH
Handler looks at the local database to find the user, and then, if no match is found,
to the RADIUS server. You can also define the role assignment for each user directly
from the RADIUS server.

 

RADIUS authentication is well explained in the admin guide. the needed dicionary file (netscreen.dct) is available in the NSM. If you installed NSM using the default options, you can find the dictionary in the following location:
/usr/netscreen/GuiSvr/utils/netscreen.dct

 

best regards

Thorsten

If this worked for you please flag my post as an "Accepted Solution" so others can benefit.
A kudo would be cool if you think I earned it.

 

Well, I finally figured this out.  Attached is the csv file (rename it to csv) you need to import into Cisco ACS to create a custom vendor (I named it "Juniper-Netscreen" because 'Juniper' is a predefined vendor and I couldn't figure out how to edit that one.

 

Steps:

 

1) Import attached file using the "System Configuration -> RDBMS Synchronization" feature.

    - for the SE appliance, just import using the ftp function it gives you
    - for the Windows software, you have to create an ODBC resource [administrative tools -> Data Sources (ODBC) -> System DSN tab -> add Microsoft text driver (*.txt, *.csv)] from the windows desktop.  Name the file "accountActions.csv" and place it in the directory: "C:\Program Files\CiscoSecure ACS v4.1\CSDBSync\Databases\CSV".  Then 'synchronize' inside the ACS GUI.

    - Check the RDBMS logs for any errors.  If successful, it will auto-push the changes during the ACS DB replication action, so you only have to do this to the ACS Master.

 

2) Set a network device to use "RADIUS (Juniper-Netscreen)" for authentication.

 

3) Turn on the options to show under user and group.  Interface Configuration -> RADIUS (Juniper-Netscreen) -> check boxes as necessary.

 

4) set user's or group's domain and role as required.

 

below is some testing I did with various users and subdomains.  I'm not going to reformat it, so take it as you will.

 

---------------------------------

===================

 

 

Must import accountactions.csv into RDBMS configuration and replicate DB.
Must configure at least a single device to use "RADIUS (Juniper-Netscreen)" in order to enable/edit the VSA's for users


NSM ACS info:

login user global:    username
login user sub-domain:    domain/username


For sub-domains, each domain requires separate RADIUS server configuration

Generic building of domain and role:

domain defines where user 'exists'; if sub-domain, user must login as defined above
    - user in subdomain does nothing to restrict access
domain global:            global
domain sub:            global.<sub-domain>

role defines 2 things:
    1 - before the colon: what user has access to (useful if giving user multiple roles with access to different sub-domains)
    2 - after the colon: location of the defined role

(1) - this is the key to what the user can view
global access:            global:
sub-domain access:        global.<sub-domain>:

(2) - pre-defined roles ONLY exist in global
role global predefine:        :<predefined role>
role global custom:        :global.<custom role>
role sub custom:        :global.<sub-domain>.<custom role>


The only reason to define custom roles in a sub-domain would be for easier management of many sub-domains, or if a global role of the same name requires different permissions than a sub-domain role (ie. 2 roles of same name with different permissions based on domain)


---------------------------------------------------------------------

[01]<tested>
global user, global access, pre-defined global role:

domain:        global
role:        global:<predefined role>


[02]<tested>
global user, global access, custom global role:

domain:        global
role:        global:global.<custom role>


[03]<tested>
global user, global access, custom sub-domain role:

*** INVALID permission set ***
domain:        global
role:        global:global.sub-domain.<custom role>
******************************


[04]<tested>
global user, sub-domain access, pre-defined global role:

domain:        global
role:        global.<sub-domain>:<predefined role>


[05]<tested>
global user, sub-domain access, custom global role:

domain:        global
role:        global.<sub-domain>:global.<custom role>


[06]<tested>
global user, sub-domain access, custom sub-domain role:

domain:        global
role:        global.<sub-domain>:global.<sub-domain>.<custom role>


[07]<tested> (can still view everything; no different than global user w/same access)
sub-domain user, global access, pre-defined global role:

domain:        global.sub-domain
role:        global:<predefined role name>


[08]<tested>
sub-domain user, global access, custom global role:

domain:        global.sub-domain
role:        global:global.<custom role>


[09]<tested>
sub-domain user, global access, custom sub-domain role:

*** INVALID permission set ***
domain:        global.sub-domain
role:        global:global.sub-domain.<custom role>
******************************

[10]<tested>
sub-domain user, sub-domain access, pre-defined global role:

domain:        global.sub-domain
role:        global.sub-domain:<predefined role>


[11]<tested>
sub-domain user, sub-domain access, custom global role:

domain:        global.sub-domain
role:        global.sub-domain:global.<custom role>


[12]<tested>
sub-domain user, sub-domain access, custom sub-domain role:

domain:        global.sub-domain
role:        global.sub-domain:global.sub-domain.<custom role>

 

 

 

Combo's are possible and work:  just set 1 role per 'line' in the text box for the role

 

acs user r/w to sub 1, ro to sub 2:
user settings overrides group, but this is possible.  Specific subdomain priveleges override global privs.
requires multiple roles defined in ACS

acs group r/w, acs user ro:
user setting always overrides group

acs group ro, acs user r/w:
user setting always overrides group

 

 

==============

------------------------

 

hopefully someone else finds this info useful

Thanks for the efforts Berky.

My logs has a few parse errors, but still went through and worked like a champ.

for those that are very new, I'm running 2011.1.  go to tools -> manage admins and domains -> current domain detail tab -> global - set authenticate to remote  and auth server to your ACS box.