Security Management

 View Only

IMPORTANT MODERATION NOTICE

This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.



  • 1.  Integrate NSM/NSMXpress with Cisco ACS for RADIUS Authentication

    Posted 10-20-2009 08:06

    Does anyone know how to do this? It seems fairly simple on the NSM side to create a RADIUS server with PSK, etc.  However, integrating this into the Cisco ACS appears to not be so easy.

     

    Has anyone done this before? or can point me to an article on how to do this?  Any info is appreciated.

     

    Thanks.


    #nsmxpress
    #cisco
    #RADIUS
    #dictionary
    #NSM
    #ACS


  • 2.  RE: Integrate NSM/NSMXpress with Cisco ACS for RADIUS Authentication

    Posted 10-28-2009 02:07
    Hi berky, do you have experience in configuring cisco ACS Server? We used ACS for authentication of our NSMxpress for several months, before migrating to freeradius. Using Cisco ACS works perfectly. You have only to create the system with PSK in your ACS Database with Using Radius (IETF). bye Markus


  • 3.  RE: Integrate NSM/NSMXpress with Cisco ACS for RADIUS Authentication

    Posted 10-28-2009 05:28

    hello,

     

    does that mean that you had duplicate accounts? one in ACS and one in NSM for every user? If so, that is not our preferred option.  I want it to grab the users from ACS so we dont' have duplicate account management.  This is for an enterprise with hundreds of users.

     

    I know how to create the NSM as a 'client' in the ACS, but like I mentioned, it's the usernames that are the issue, which is why I thought it required adding the dictionary files.

     

    Thanks for the help.



  • 4.  RE: Integrate NSM/NSMXpress with Cisco ACS for RADIUS Authentication

    Posted 11-05-2009 06:01

    Did you checked the nsm admin guide?

    http://www.juniper.net/techpubs/software/management/security-manager/nsm2009_1/nsm-admin-guide.pdf

     

    You are not required to define RADIUS users in the local NSM database. The AUTH
    Handler looks at the local database to find the user, and then, if no match is found,
    to the RADIUS server. You can also define the role assignment for each user directly
    from the RADIUS server.

     

    RADIUS authentication is well explained in the admin guide. the needed dicionary file (netscreen.dct) is available in the NSM. If you installed NSM using the default options, you can find the dictionary in the following location:
    /usr/netscreen/GuiSvr/utils/netscreen.dct

     

    best regards

    Thorsten

    If this worked for you please flag my post as an "Accepted Solution" so others can benefit.
    A kudo would be cool if you think I earned it.

     



  • 5.  RE: Integrate NSM/NSMXpress with Cisco ACS for RADIUS Authentication
    Best Answer

    Posted 03-25-2010 06:26
      |   view attached

    Well, I finally figured this out.  Attached is the csv file (rename it to csv) you need to import into Cisco ACS to create a custom vendor (I named it "Juniper-Netscreen" because 'Juniper' is a predefined vendor and I couldn't figure out how to edit that one.

     

    Steps:

     

    1) Import attached file using the "System Configuration -> RDBMS Synchronization" feature.

        - for the SE appliance, just import using the ftp function it gives you
        - for the Windows software, you have to create an ODBC resource [administrative tools -> Data Sources (ODBC) -> System DSN tab -> add Microsoft text driver (*.txt, *.csv)] from the windows desktop.  Name the file "accountActions.csv" and place it in the directory: "C:\Program Files\CiscoSecure ACS v4.1\CSDBSync\Databases\CSV".  Then 'synchronize' inside the ACS GUI.

        - Check the RDBMS logs for any errors.  If successful, it will auto-push the changes during the ACS DB replication action, so you only have to do this to the ACS Master.

     

    2) Set a network device to use "RADIUS (Juniper-Netscreen)" for authentication.

     

    3) Turn on the options to show under user and group.  Interface Configuration -> RADIUS (Juniper-Netscreen) -> check boxes as necessary.

     

    4) set user's or group's domain and role as required.

     

    below is some testing I did with various users and subdomains.  I'm not going to reformat it, so take it as you will.

     

    ---------------------------------

    ===================

     

     

    Must import accountactions.csv into RDBMS configuration and replicate DB.
    Must configure at least a single device to use "RADIUS (Juniper-Netscreen)" in order to enable/edit the VSA's for users


    NSM ACS info:

    login user global:    username
    login user sub-domain:    domain/username


    For sub-domains, each domain requires separate RADIUS server configuration

    Generic building of domain and role:

    domain defines where user 'exists'; if sub-domain, user must login as defined above
        - user in subdomain does nothing to restrict access
    domain global:            global
    domain sub:            global.<sub-domain>

    role defines 2 things:
        1 - before the colon: what user has access to (useful if giving user multiple roles with access to different sub-domains)
        2 - after the colon: location of the defined role

    (1) - this is the key to what the user can view
    global access:            global:
    sub-domain access:        global.<sub-domain>:

    (2) - pre-defined roles ONLY exist in global
    role global predefine:        :<predefined role>
    role global custom:        :global.<custom role>
    role sub custom:        :global.<sub-domain>.<custom role>


    The only reason to define custom roles in a sub-domain would be for easier management of many sub-domains, or if a global role of the same name requires different permissions than a sub-domain role (ie. 2 roles of same name with different permissions based on domain)


    ---------------------------------------------------------------------

    [01]<tested>
    global user, global access, pre-defined global role:

    domain:        global
    role:        global:<predefined role>


    [02]<tested>
    global user, global access, custom global role:

    domain:        global
    role:        global:global.<custom role>


    [03]<tested>
    global user, global access, custom sub-domain role:

    *** INVALID permission set ***
    domain:        global
    role:        global:global.sub-domain.<custom role>
    ******************************


    [04]<tested>
    global user, sub-domain access, pre-defined global role:

    domain:        global
    role:        global.<sub-domain>:<predefined role>


    [05]<tested>
    global user, sub-domain access, custom global role:

    domain:        global
    role:        global.<sub-domain>:global.<custom role>


    [06]<tested>
    global user, sub-domain access, custom sub-domain role:

    domain:        global
    role:        global.<sub-domain>:global.<sub-domain>.<custom role>


    [07]<tested> (can still view everything; no different than global user w/same access)
    sub-domain user, global access, pre-defined global role:

    domain:        global.sub-domain
    role:        global:<predefined role name>


    [08]<tested>
    sub-domain user, global access, custom global role:

    domain:        global.sub-domain
    role:        global:global.<custom role>


    [09]<tested>
    sub-domain user, global access, custom sub-domain role:

    *** INVALID permission set ***
    domain:        global.sub-domain
    role:        global:global.sub-domain.<custom role>
    ******************************

    [10]<tested>
    sub-domain user, sub-domain access, pre-defined global role:

    domain:        global.sub-domain
    role:        global.sub-domain:<predefined role>


    [11]<tested>
    sub-domain user, sub-domain access, custom global role:

    domain:        global.sub-domain
    role:        global.sub-domain:global.<custom role>


    [12]<tested>
    sub-domain user, sub-domain access, custom sub-domain role:

    domain:        global.sub-domain
    role:        global.sub-domain:global.sub-domain.<custom role>

     

     

     

    Combo's are possible and work:  just set 1 role per 'line' in the text box for the role

     

    acs user r/w to sub 1, ro to sub 2:
    user settings overrides group, but this is possible.  Specific subdomain priveleges override global privs.
    requires multiple roles defined in ACS

    acs group r/w, acs user ro:
    user setting always overrides group

    acs group ro, acs user r/w:
    user setting always overrides group

     

     

    ==============

    ------------------------

     

    hopefully someone else finds this info useful

    Attachment(s)



  • 6.  RE: Integrate NSM/NSMXpress with Cisco ACS for RADIUS Authentication

    Posted 04-22-2011 06:14

    Thanks for the efforts Berky.

    My logs has a few parse errors, but still went through and worked like a champ.

    for those that are very new, I'm running 2011.1.  go to tools -> manage admins and domains -> current domain detail tab -> global - set authenticate to remote  and auth server to your ACS box.