Cisco WSA: What is RADIUS CLASS attribute?

Hello!

I am trying to use a Cisco ISE RADIUS server as the external authentication server for the WSA. I would like to assign roles to groups of users, but I do not understand the meaning of the RADIUS CLASS attribute. What should I write in this area?

Thank you

Stephane Walker

The CLASS attribute is generic, you can put anything in it. So you get to decide what you use.

On your RADIUS box, for the users or the group it applies to, set it to something like "WSAAdmin" for admins, "WSARO" for read-only users...

Then, when you config the WSA, you set them correctly he...

But you can really use any string you want; they just need to match the appropriate way.

HTH,

Ken

Tags: Cisco Security
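
The matching described in the answer above, as an added example (not code from the thread or from Cisco): a RADIUS client reads the Class attribute (type 25) from an Access-Accept and maps it to a role by exact string match. The role names, shared secret and packets are constructed for illustration, and the Response Authenticator check (RFC 2865) goes beyond what the thread covers.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
ATTR_CLASS = 25     # Class attribute: opaque octets chosen by the server

# Assumed mapping: the strings from the answer above, hypothetical role names.
ROLE_MAP = {b"WSAAdmin": "admin", b"WSARO": "read-only"}


def response_auth(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_accept(ident, class_values, request_auth, secret):
    """Construct a sample Access-Accept carrying only Class attributes."""
    attrs = b"".join(struct.pack("!BB", ATTR_CLASS, 2 + len(v)) + v
                     for v in class_values)
    auth = response_auth(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def parse_attributes(attrs):
    """Yield (type, value) pairs, rejecting truncated or zero-length TLVs."""
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        yield attrs[i], attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]


def role_from_accept(packet, request_auth, secret):
    """Return the mapped role, or None when no Class value matches (deny)."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = response_auth(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator (shared secret mismatch?)")
    for atype, value in parse_attributes(attrs):
        if atype == ATTR_CLASS and value in ROLE_MAP:   # exact, case-sensitive
            return ROLE_MAP[value]
    return None


if __name__ == "__main__":
    req_auth, secret = bytes(range(16)), b"constructed-secret"   # constructed
    for values in ([b"WSARO"], [b"staff", b"WSAAdmin"], [b"wsaadmin"]):
        pkt = build_accept(1, values, req_auth, secret)
        print(values, "->", role_from_accept(pkt, req_auth, secret))
```

A Class value that differs only in case maps to no role, so the string on the RADIUS server and the string on the appliance have to be identical.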

Similar Questions

  • What VPN Cisco IOS VPN and RADIUS client?

    Hello community,

    My company is trying to set up remote-user VPN for all of our external collaborators with the help of our existing Cisco router and a RADIUS server in Active Directory.

    I did all the AAA config on the router and set up the RADIUS, but I do not know which Cisco remote client to buy and how to set it up.

    Can anyone who knows this setup or uses it please help me, so we don't lose our money (and my boss's time!)?

    Thanks in advance.

    Paul

    Paul,

    AnyConnect lets you connect using IKEv2/IPsec and SSLVPN to an IOS headend.

    There are countless examples of configuration.

    Alternatively, some third-party IKEv1/IPsec clients exist and are able to connect; however, those are not supported by Cisco TAC. You can check the feature called ezvpn.

    M.

  • Cisco ACS 4.2 + RADIUS + HP procurve switches

    Hello!

    We have a mixed network environment with Cisco / HP hardware.

    We are currently assessing Cisco ACS 4.2 to manage access to network equipment.

    Cisco equipment works very well, but we have problems with RADIUS and the procurve switches (Ganymede works very well).

    I googled around and it seems that you need to create a new '(VSA, Vendor) vendor-specific attributes' for procurve switches and the IETF radius settings according to the variables on the right which must match the HP equipment.

    Problem is that I can't find this information online.

    Has anyone managed to solve this problem?

    Would really appreciate help!

    Thank you

    BR

    Generally, you should download the VSA for ACS. You must get the HP ini file. Once you have it, you need to create a VSA and transfer it to ACS.

    Because we need to add a vendor-specific attribute in the ACS, we must first create a file 'accountActions.csv' using the format specified in "RDBMS Synchronization Import Definitions". Once we are ready with the file, we must do an RDBMS Synchronization of the ACS (SE) and then go to Reports and Activity > RDBMS Synchronization and make sure that the synchronization has been done without error. Once this is done, you must restart the ACS SE. Then we can create a new AAA client and use the new RADIUS (xxxx), and the attributes that we added can be made visible from Interface Configuration > select the newly added RADIUS VSA attribute.

    RDBMS Synchronization:

    http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacsapp/CSAPP40/ugse40/sad.htm#wp756877

    RDBMS Synchronization Import Definitions:

    http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacsapp/CSAPP40/ugse40/AG.htm

    Kind regards

    ~ JG

  • Cisco WSA: Is it possible to use the web proxy in transparent mode without WCCP router?

    Hello!

    I would like to use Cisco WSA as a web proxy in a transparent manner (without any configuration of client web browsers), but I do not have a WCCP router. So, is it possible?

    If so, how?

    Thank you

    Stephane Walker

    Hi, Stéphane

    The only alternative to WCCP is PBR (policy-based routing). With a simple configuration on the router, you can redirect traffic defined as interesting by an access list to the WSA. On the WSA you must configure transparent mode (security-> Web Proxy Services-> the settings of-> Mode Proxy: Transparent). You should also make sure the proxy listens on port 80 and the HTTPS proxy is enabled (on port 443) if you want to redirect HTTPS traffic as well.

    Cisco router configuration example

    !
    access-list 110 permit tcp any any eq www
    !
    route-map proxy-redirect permit 10
     match ip address 110
     set ip next-hop xxx.xxx.xxx.xxx
    !
    interface ethernet0/1
     ip policy route-map proxy-redirect
    !

    xxx.xxx.xxx.xxx is the IP address of the proxy in this case, and access-list 110 defines web traffic (HTTP, TCP/80) as interesting.

    The biggest drawback of this solution is the lack of troubleshooting. If the proxy goes down for some reason, the router will keep redirecting traffic, causing the cutoff of internet access.

    Cisco routers out material should also have an option to configure policy-based routing.

    / Artur

    PS. It is not possible to place the WSA inline between the clients and the internet.

  • Can someone tell me what jar contain class weblogic.jws.WLJmsTransport

    Hi all

    Can someone tell me what jar contain class weblogic.jws.WLJmsTransport

    Thanks in advance.

    Hello

    You can find that in 'weblogic.jar', 'wls-api.jar' and 'wseeclient.jar', which are located in the subdirectory

    Path:
    wlserver_10.3/server/lib/

    Also, you can take a look at the link that shows you how to find any CLASS within your system files below.

    Topic: Finding Classes using SCANNER JAR
    http://middlewaremagic.com/WebLogic/?page_id=241#comment-3621

    Kind regards

    Véronique Mody

  • custom object class attributes do not deploy in oID by IOM

    Hello

    I connected the IOM with oID provisioning of users is also underway. I had one class of structure customized with certain attributes in OID.

    In the form, in the form of usr OID Designer, I did field UD_OID_USR_Custom

    In the search for .config OId I mentioned this custom class and class attributes [in custom code to decode target attribute name]

    In the process recognised form of OID mapping I traced this domain name.

    Also, in recon resource mapping object also, I mentioned this attribute.

    But while creating user until the form attribute value process is filling and not the provisioning who attribute it to the OID.

    Please tell me where I went to mapping steps in definition, Lookup.OID.configuration, form designer, wrong process Resource or correct objects.

    Thank you

    Recon form process mapping of the OID I traced this domain name

    Did you before Provisioning Lookup AttrName.Prov.Map.OID attributes?

    Have you followed each step:

    http://download.Oracle.com/docs/CD/E11223_01/doc.904/e10436/extnd_func.htm#CACICHDH

  • [Cisco ACS] 11036 the RADIUS Message Authenticator attribute is invalid

    Hello

    I have a lot of Cisco APs connected to 2 Cisco WLCs.

    On each WLC, I configured a primary and a secondary RADIUS server.

    RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)

    ACS primary and secondary configurations are synchronized.

    There is no problem between primary rules WLC and Cisco ACS (primary and secondary).

    When the secondary WLC queries the primary Cisco ACS, I get this error: "11036 the RADIUS Message Authenticator attribute is not valid."

    The secondary WLC then automatically contacts the secondary Cisco ACS and it works fine.

    Cisco ACS description for this error: "this can be reason of mismatched shared Secrets."

    The two Cisco ACS are synchronized, so I should have the same error on them...

    Why does the primary ACS generate this error?

    Thanks for your help,

    Patrick

    Patrick: The shared secret mismatch could be on the WLC side, not on the ACS side.

    Make sure that the shared secret of the primary RADIUS server is configured correctly on the secondary WLC.

    HTH

    Amjad

    Rating of useful answers is more useful to say "thank you".

  • Cisco 2611 router and RADIUS

    Greetings. First of all, let me start by saying that I am a fool, I know I am a fool and I apologize for wasting everyone's time. In fact, I do RTFM, RTFMs a lot, and I've yet to find a resolution.

    Secondly, I am setting up a RADIUS server in my test network. I installed Yopougon RADIUS on a Windows 2000 System. I have the following Setup on my Cisco 2611 router:

    With the help of 2297 off 29688 bytes

    !

    ! 17:20:27 PDT configuration was last modified Tuesday, May 20, 2008

    ! NVRAM config update at 17:20:29 PDT Tuesday, May 20, 2008

    !

    version 12.1

    no single-slot-reload-enable service

    horodateurs service debug datetime localtime show-timezone msec

    Log service timestamps datetime localtime show-timezone msec

    encryption password service

    !

    host Tester name

    !

    logging buffered debugging 10000

    AAA new-model

    RADIUS AAA server group RadiusServers

    ACCT-port of the server 172.26.0.2 auth-port 1812 1813

    !

    Group AAA authentication login default local RadiusServers

    AAA authentication login local localauth

    AAA authentication ppp default if necessary to group local RADIUS

    AAA authorization exec default local radius group

    RADIUS AAA authorization network default local group

    AAA accounting delay start

    start-stop radius group AAA accounting exec by default

    start-stop radius group AAA accounting network default

    AAA process 6

    Select the secret xxx

    !

    test username password xxx

    !

    clock timezone PST - 8

    clock summer-time recurring PDT

    IP subnet zero

    no ip domain-lookup

    !

    no ip bootp Server

    !

    interface Loopback0

    the IP 192.168.0.1 255.255.255.0

    !

    interface Ethernet0/0

    Description for the main network

    address IP X.X.X.X 255.255.255.128

    no ip redirection

    no ip unreachable

    no ip proxy-arp

    NAT outside IP

    full-duplex

    No cdp enable

    !

    interface Ethernet0/1

    Description of network internal

    IP 172.26.0.1 255.255.255.0

    no ip redirection

    no ip unreachable

    no ip proxy-arp

    IP nat inside

    load-interval 30

    full-duplex

    No cdp enable

    !

    IP nat pool test X.X.X.X-X.X.X.X netmask 255.255.255.128

    IP nat inside source list 3 pool overload test

    IP nat inside destination list 3 pool test

    IP classless

    IP route 0.0.0.0 0.0.0.0 X.X.X.X

    no ip address of the http server

    !

    radius of the source interface Ethernet0/1 IP

    access-list 3 permit 172.26.0.0 0.0.0.255

    not run cdp

    public RO 15 SNMP-server community

    secret key of acct-port 1812 auth-172.26.0.2 - RADIUS server host port 1813

    RADIUS server retransmit 3

    key secret RADIUS server

    !

    Line con 0

    password xxx

    Synchronous recording

    line to 0

    line vty 0 4

    access-class 10

    1234567890 7 password

    Synchronous recording

    !

    NTP-period clock 17208108

    Server NTP 192.43.244.18

    end

    My RADIUS server is in place and responds to queries, but my router does not seem to be forwarding authentication requests to it. In fact, when I connect to the router using HyperTerminal, it times out, and I find myself authenticating locally.

    I don't really like if my Cisco equipment authenticates with the RADIUS server, but I have to get set up to authenticate my users so that I can follow their time online. What did I miss in my router configuration, such that it does not forward user authentication requests to the RADIUS server?

    Thanks for any assistance you may be able to provide.

    If you explore the authentication Proxy and it works, it could make you forget the PPPoE fast enough.

    If you decide to pursue PPPoE, the following link is probably where you will find most of the information on the configuration of Cisco PPPoE:

    http://www.Cisco.com/en/us/Tech/tk175/tk819/tsd_technology_support_protocol_home.html

    "Providers" of Cisco forums could provide some guidance if PPPoE is achievable with your platform and environment?

  • Cisco ISE and Meraki RADIUS

    I am very new to Cisco ISE and Meraki. I am trying to get the RADIUS configuration working for wireless authentication. When I do a test from the Meraki to ISE, it passes.

    When I try to connect from my laptop, I look at the RADIUS logs and it passes; however, it does not match the right policy. I keep hitting the default policy. I have my Meraki policy above the default policy in the defined policy set. I have attached what my policy set looks like.

    Devices does not really matter. Here is what I see when I create a device group (where you add the access point to this group), and then create the condition:

    And here is where I create the policy set condition, and you should be able to select the Meraki access points:

    This will give you a condition similar to what I posted above. This is perhaps why you aren't hitting it: the condition for this policy set is not matching.

  • [Cisco AnyConnect] Certificate on RADIUS authentication

    Hello

    I use certificate authentication and LDAP authorization and it works fine.

    Now, I want to centralize authentication and authorization on the RADIUS server (Cisco ACS in my case).

    In the connection profile, we have 3 authentication methods:

    • AAA: I can choose RADIUS server group or LDAP--> the user is prompted to enter the username/password credentials
    • Certificate: I can't choose AAA server...--> user group will have to provide the certificate
    • Both: I choose the RADIUS or LDAP--> the user is prompted for username/password credentials and the user must provide the certificate

    If I choose the certificate authentication method, I can't delegate the authentication and authorization to the RADIUS server.

    Is there a solution to delegate the authentication of the certificate to the RADIUS?

    I have different authorization rules for each VPN connection profile.

    Can the ASA send the VPN connection profile to the RADIUS? (in a RADIUS attribute...)

    Thanks for your help,

    Patrick

    Patrick,

    The essential point in deployments using WLC is that the supplicant on the client can talk EAP (including EAP-TLS), so the AAA server can authenticate the certificate.

    In the case of AnyConnect, or the old IPsec client, there is no way to send the full cert to the AAA server (not implemented/redundant from the point of view of the client, or not in the standard).

    IOS also gives you a possibility to make calls for authorization of PKI:

    http://www.Cisco.com/en/us/docs/iOS-XML/iOS/sec_conn_pki/configuration/15-2mt/sec-cfg-auth-Rev-cert.html

    AFAIR there is no similar mechanism on the ASA.

    M.

  • TabArrayTabControl façade object - what is this class?

    I am trying to determine the status on the controls in a tab control.  I can access the tab successfully by digging through the references for the Group and all the objects on the Panel, but the class that is returned is "TabArrayTabControl" (class, ID 55).  When I try to access pages on this control by using the refnum and "to a more specific class" this class is not available as an option, and if I use "TabControl" the VI fails (error 1055 occurred at the more class specific in FAÇADE FIND CONTROLS.vi Possible reason (s): LabVIEW: object reference is not valid.).  I tried to 'replace' the control with a simple "tab", and the problem persists.

    (1) what is the distinction between a "TabControl" and a "TabArrayTabControl".
    (2) how to fix the problem?

    Thank you

    Gavin Braithwaite wrote:

    Sorry, just to complete:

    I tried to access specific controls within the tabs and without knowing exactly what they are, or which page of the tab, they were on (it's a long story!).   So as far as I can see, the way to do is to generate a refnum at the façade of a VI and then use this refnum for control of the "allObjs" tab to find the tab control.  However, as I read elsewhere I then had to use "for a specific class' in conjunction with a class tabcontrol to give a refnum I could use to access the individual tab pages.  It does not work (now that I corrected my error in my previous post), but I'm still at a loss to explain what a class of TabArrayTabControl is...

    I can't answer that Q hand. Since you're at foot of a trail, I tread, I offer this nugget for your comment. In this nugget that I try to offer some advice on the use of control references, including the great challenge of how do you manage the tables if you do not know the data types.

    Don't worry if the tail of this nugget gets hairy. The last part is more of a demonstration of what can be done, but you probably don't want to.

    Have fun!

    Ben

  • Could someone explain to me what is InformationCardSigninHelper class?

    I am running Win 7 64, IE 9 - class InformationCardSigninHelper is WE Add.  But what is its role?

    Thank you

    Christine

    It is a function/process of Internet Explorer. If IE is installed, it will be present. I have it too.

    Normally a hidden file, it is not uninstalled/removed/deleted

    You might be better to ask here a blow by blow account of what he done...

    http://social.technet.Microsoft.com/forums/en-us/ieitprocurrentver/threads

  • 1 box of Cisco Content Management Appliance come Cisco and Cisco WSA RSES.

    Hi all

    I have a question about Cisco Content Management Appliance, could you please help me check the answer.

    My client asked me if they could use one management box to manage both WSA and ESA devices.

    For example, I have 1 box C380 ESA and 1 box WSA S380. Can I use 1 box M380 to manage both of them?

    Thanks for your help.

    Vinh Phan.

    Hello Vinh,

    Yes, you can manage the ESA and the WSA with the same box M380.

    Source:

    http://www.Cisco.com/c/en/us/products/security/content-security-management-appliance/index.html

    "The ADM of Cisco simplifies administration by publishing from a single to multiple email security appliances and web configurations Cisco management console"

    Thank you for evaluating useful messages!

  • Custom icon in the icon of the CSS class attribute

    Hello world

    Apex version: 5.0.1

    Universal theme

    Oracle version: 11 GR 2

    I created a custom page, sign in as the picture below. In the icon attribute set spinner fa temporarily CSS classes, instead I need to put a custom, icon that I made icon. I don't know where to add the new icon? I've added an icon in the shared components > files to workspace static but I can not reference an Image of workspace of the class CSS of the icon attribute.


    Can someone tell me where and how to create a new icon for use with the attribute of CSS icon classes?

    Thank you

    The CSS styling behind the Icon CSS Classes property is set up specifically to handle Font Awesome icons. Rather than trying to override these to host your custom image, it's easier not to specify an icon CSS class and to use a simple CSS rule to set your picture as a background on the login header area:

    .t-Login-header {
      background: url(&WORKSPACE_IMAGES.logo_GUATEFAC.ico) top center no-repeat;
    }

    This can be applied in the login page's Inline CSS property, or as a custom CSS rule in Theme Roller.

    Also note that even if the property is called "Icon CSS Classes", the ICO file format is not normally used and in fact may not be returned by all browsers. (Font Awesome 'icons' are in fact vector font glyphs.) In this case you would be advised to use a version of your logo with superior image quality, in PNG format.

  • What name is this attribute?

    Please look at the following pic.

    What is the name of the attribute at the point of the arrow?

    Thank you

    Tatsuya

    I think it would be:

    Effect ("alpha levels"). Enabled

    Dan
