We have an SA 6500 in our environment for SSL-based portal pages and VPN usage and would like to better centralize our administrator authentication / authorization. Today we authenticate our administrators against Active Directory, but we would like to migrate to RADIUS and leverage Cisco's ACS system so that we can track login activity on all of our devices from a single pane of glass, and ideally we would like to centralize our authorization as well (e.g. return a value via RADIUS that tells the SA that the person who just logged in is a full admin, a read-only admin, etc.).
I have searched the forums and what admin guides I could come up with, but I haven't really found much if any information relating to how I could accomplish these goals. I'm sure the information is out there; I just haven't been able to find it, because all I get when searching for authentication / authorization for RADIUS are pages and pages of results for USER access (e.g. VPN users), not ADMIN access.
To boilerplate my questions:
1. Can an SA 6500 support remote administrator authentication using RADIUS?
1a. If so, do administrators need to be specified on-box, or does it support true remote authentication (e.g. users do not have to be defined on-box but will be allowed access provided that they authenticate properly against the remote datastore)?
2. Can an SA 6500 support remote administrator authorization using RADIUS, where RADIUS returns some kind of value to identify what role an administrator has (e.g. full admin, read-only admin, etc.)?
3. Can anyone provide links to guides or how-to's with any of this information?
Thanks in advance!
To respond to your questions:
1. Yes, the functionality for admin is the same as for user. You define an A/A server and then link it to the appropriate Admin realm, just as you would for a user realm.
1a. Admins, just like users, do NOT have to be defined on box. The functionality is the same.
2. Yes, standard role mapping rules apply.
3. Yes, use the user guide to accomplish your tasks.
The admin realm / roles functionality is the same as the user's. The one caveat would be that loss of the RADIUS server could lock you out. I would recommend either creating a back-door local realm / admin account or ensuring that you always have console access to the box so you can enable a "super-admin" session if needed.
Did you get anywhere with this?
I am trying to do your question 2: I'm trying to create a role mapping rule that uses a User attribute from the RADIUS server to push users into either the admin role or the read-only role.
The part I am struggling with is that I do not know what attribute to configure on the RADIUS server to push the attribute.
I'm using Cisco ACS 5.3.
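As an added example (not from this thread, from Juniper's SA documentation or from Cisco ACS): the code below decodes the attribute TLVs of a RADIUS reply and maps a returned Filter-Id value onto an admin role, which is the kind of evaluation a role-mapping rule on a user attribute performs, and it returns no role for an Access-Reject or for an accept that carries no mapped value. The choice of Filter-Id, the string values and the role names are constructed assumptions; whichever attribute you return from the ACS authorization profile is the one the rule has to reference.

```python
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_ACCEPT = 2
FILTER_ID = 11          # attribute type 11: Filter-Id (text)
HEADER_LEN = 20         # code(1) + identifier(1) + length(2) + authenticator(16)

# Constructed mapping (assumed values, not SA defaults): returned value -> admin role.
ROLE_MAP = {
    b"sa-admin-full": "Administrators",
    b"sa-admin-ro": "Read-Only Administrators",
}

def parse_radius(packet: bytes):
    """Return (code, {attr_type: [values]}) for one RADIUS packet, rejecting bad lengths."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs = {}
    pos = HEADER_LEN
    while pos < length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs

def map_admin_role(packet: bytes, attr_type: int = FILTER_ID):
    """Mimic a role-mapping rule on a user attribute: first matching value wins.
    None means no admin role (Access-Reject, or Accept with no mapped value).
    A real client must first verify the Response Authenticator with the shared
    secret; that check is omitted here."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return None
    for value in attrs.get(attr_type, []):
        if value in ROLE_MAP:
            return ROLE_MAP[value]
    return None

def build_reply(code: int, ident: int, attrs) -> bytes:
    """Build a constructed RADIUS reply with a zero authenticator (test data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + bytes(16) + body
```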