New Contributor
Posts: 3
Registered: ‎12-12-2014

Howto: Authenticate a Avocent ACS6000 via Clearpass and RADIUS - Feb15-MHC


This how-to configures RADIUS authentication on an Avocent ACS6000 console server running firmware v2.5.0.10 and integrates its authentication with ClearPass v6.4.4.70162 via RADIUS.

The Avocent device will be configured to grant admin access to the users who belong to a specific Active Directory group.

  1. ClearPass Configuration (v6.4.4.70162)

 

  • Enabling the RADIUS Avocent dictionary: not needed.

We do not need the Avocent ACS dictionary installed in ClearPass, because we will use a standard RADIUS IETF attribute (Filter-Id).

cp-av-integration-01.jpg

 

  • Add the Device to ClearPass:
    • Configuration > Network > Devices
    • Select "Add Devices"
      • Name = <Name you'd like>
      • RADIUS Shared Secret = <Your shared secret> & Verify = <Your shared secret again>
      • Vendor Name = <Blank> (the vendor "Avocent" is not included in the predefined list)
    • Select "Save"

cp-av-integration-02.jpg

 

  • Add the Device to a New Device Group:

Using device groups for everything in ClearPass is the best way to organize devices. This step is OPTIONAL.

  • Configuration > Network > Device groups
  • Select "Add Device Group"
    • Fill in the "Name" field. I'll be using "ACS AVOCENT" in this example
    • Select "List" under "Format"
    • Under "List", move the Avocent device (its IP address will be listed) from "Available Devices" to "Selected Devices"
  • Click "Save"

cp-av-integration-03.jpg

 

  • Create an AVOCENT Enforcement Profile:

 

  • Configuration > Enforcement > Profiles
  • Click "Add Enforcement Profile"
    • Select "RADIUS based enforcement" as the Template
    • Under "Profile" TAB provide a name, "AVOCENT RADIUS Admin" or similar
      • Make sure that "Accept" is set under "Action"; the Description field is optional

cp-av-integration-04.jpg

 

  • Under the Attributes TAB (THIS IS THE KEY; if you know what we are doing, this is the information you are looking for):
    • Type - "Radius:IETF" (we will use a standard IETF attribute)
    • Name - "Filter-Id"
    • Value - ":group_name=admin;"
    • Finally, click "Save"

VERY IMPORTANT STEP: The user group named "admin" exists by default on your Avocent devices. You could use a different user group name (for example "group-access-console-port-one"); in that case you must define that additional user group on the Avocent devices and assign the specific privileges to it. Whatever name you put after ":group_name=", it must match a group that exists on the ACS6000, and the value must keep the leading ":" and the trailing ";" exactly as shown, since that is the format the ACS6000 parses.

 

cp-av-integration-05.jpg

 

  • Create a AVOCENT Enforcement Policy:

 

  • Configuration > Enforcement > Policies
  • Click "Add Enforcement Policy"
    • Under "Enforcement" TAB, provide a name, "AVOCENT Login Enforcement Policy" or similar
      • Verify that "RADIUS" is the "Enforcement Type", as this parameter cannot be modified later (you would have to delete the policy and create a new one if you do not choose the right type)
      • Select "[Deny Access Profile]" for the "Default Profile"

cp-av-integration-06.jpg

 

  • Select "Rules" TAB and click "Add Rule"
    • Apply the previously defined profile under the condition used in your organization (typically membership of one AD group assigns the role). This is a sample with the AD group "NACSistTelecomunicaciones":
      • Type - Tips
      • Name - Role
      • Operator - EQUALS
      • Value - NACSistTelecomunicaciones
        • Enforcement Profiles > "Profile Names" > "PROF AVOCENT RADIUS Admin", ie the Enforcement Profile you defined previously
      • Click "Save" to Save the Rule
    • Click "Save" again to Save the whole Policy

cp-av-integration-07.jpg

 

VERY IMPORTANT STEP: You could define additional rules (repeating the rule creation steps) to associate the remaining Avocent user groups with other AD groups as convenient for you.

 

  • Create a AVOCENT Radius Login Service:

 

  • Configuration > Services
  • Click "Add Service"

 

  • Select the "Type" "RADIUS Enforcement ( Generic )", as this parameter cannot be modified later

 

  • Provide a name for the service, "AVOCENT ACS Login", the Description field is optional

 

  • Under "Service Rule" enter the following:

 

  • Type - Radius:IETF
  • Name - "NAS-IP-Address"
  • Operator - "BELONGS_TO_GROUP"
  • Value - "ACS AVOCENT"

VERY IMPORTANT NOTE: You could reach the same goal using the condition Connection:NAD-IP-Address "BELONGS_TO_GROUP" "ACS AVOCENT". The key here is that the Value matches the Device Group name you defined previously.

 

cp-av-integration-08.jpg

 

  • Under Authentication:
    • Authentication Methods - PAP
    • Authentication Sources - <your AD>

Note: With PAP the ACS6000 sends the user's password in the RADIUS User-Password attribute, whose only protection on the wire is the MD5-based obfuscation keyed by the shared secret. Use a long, random shared secret and keep the console server's RADIUS traffic on a protected management network.

cp-av-integration-09.jpg

 

  • Under "Enforcement" > "Enforcement Policy" select the enforcement policy that we created > "POL AVOCENT Login Enforcement Policy"
  • Click "Save"

cp-av-integration-10.jpg

 

  • Click the red dot to enable the Service (it becomes a green dot) and reorder the Services (using the "Reorder" button) according to your deployed Service Rules to avoid trouble.

cp-av-integration-11.jpg

 

With these steps we have finished the initial ClearPass configuration needed to integrate with the Avocent device. The configuration could be extended with more roles with different privileges to meet your organization's needs.

 

  2. Avocent Configuration (v2.5.0.10)

 

The configuration steps below will be done through the GUI.

We will also include the CLI commands, but they will simply be listed, assuming enough Avocent CLI knowledge (it is a bit tricky and not very well documented).

 

  1. Go to System > Security > Security Profile

Change the Security Profile to use "Port access controlled by authorizations assigned to user groups" (above the Serial Devices paragraph) and press "Save"

cp-av-integration-av-01.jpg

 

cd /system/security/security_profile

set port_access=port_access_per_user_group_authorization

 

  2. Configure the Authentication Type as RADIUS/LOCAL in the Appliance Authentication sheet under the Authentication folder

Note: The "Enable fallback to Local type for root user in appliance console port" is optional, but it is strongly recommended.

cp-av-integration-av-02.jpg

 

cd /authentication/appliance_authentication

set authentication_type=radius|local

set enable_fallback_to_local_type_for_root_user_in_appliance_console_port=yes

 

VERY IMPORTANT NOTE: You can reverse the change by setting the Authentication Type back to LOCAL in Appliance Authentication. It is better not to close the administration session until you have verified a RADIUS login works, especially if the device is located in a remote place ;)

 

  3. Configure Authentication Servers (again under the Authentication folder) to use your ClearPass servers as RADIUS servers, enter the necessary parameters, and then press "Save". In this example, the Authentication Server and the Accounting Server are the same machine.

Note: There is no need to enable the Service Type Attribute since the Group Authorization will be set.

 

cp-av-integration-av-03.jpg

 

cd /authentication/authentication_servers/radius

set first_authentication_server=10.210.5.2

set first_accounting_server=10.210.5.2

set second_authentication_server=10.210.5.3

set second_accounting_server=10.210.5.3

set secret=xxxxxxxx

set timeout=3

set retries=2

set enable_servicetype=no

 

  4. OPTIONAL: Create a new Authorization Group to control serial access and permissions. Note: In this example, we named the Authorization Group "RadiusAdmin". If you want ALL privileges directly, use the predefined "admin" user group instead.

 

cp-av-integration-av-04.jpg

 

cd /users/authorization/groups

set name=RadiusAdmin

 

It is possible to assign the particular privileges using the CLI, however it is a bit tricky and a bit time consuming.

 

 

Now the Avocent device is also configured and it is time to try your new config.

 

Please let me know if this how-to helps you.

 

Anyway, this is the first approach to this problem, which is very common in my organization. If people like it, the how-to improvements could be numerous: single sign-on to the remote device console will be the next one; I understand it could be very interesting. Please let me know your interest in possible how-to extensions (you could grant me Kudos, but it is only an idea ;)).
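The RADIUS exchange that the ClearPass and Avocent steps above set up, as an added Python example that is not part of the original post or of either vendor's code: the ACS6000 side builds an Access-Request with a PAP User-Password (RFC 2865 obfuscation keyed by the shared secret) and the NAS-IP-Address that the Service Rule matches on; a stand-in for ClearPass decodes the password, maps the user's AD group to the Avocent group and answers with an Access-Accept carrying Filter-Id ":group_name=admin;" and a Response Authenticator; the client verifies that authenticator and parses the group list the way the ACS6000 group authorization does. The user "mhc", its password, the directory and role tables, and the comma-separated multi-group Filter-Id form are constructed assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import struct

# RADIUS codes and IETF attribute numbers (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11
AVOCENT_PREFIX = ":group_name="  # Filter-Id form the ACS6000 expects: ":group_name=<group>;"

# Constructed stand-ins for "Authentication Sources = your AD" and the Tips:Role rule.
# User, password and mapping are invented for the demo, not taken from the page.
DIRECTORY = {"mhc": ("S3cret!ConsoleAccess", "NACSistTelecomunicaciones")}
ROLE_TO_ACS_GROUP = {"NACSistTelecomunicaciones": ["admin"]}


def pap_encode_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def pap_decode_password(encoded, secret, request_auth):
    """Inverse of pap_encode_password: what the RADIUS server does before checking AD."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, ln = struct.unpack("!BB", data[i:i + 2])
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs


def build_access_request(username, password, secret, nas_ip, ident=1):
    """ACS6000 side: PAP User-Password plus NAS-IP-Address, the attribute the ClearPass
    Service Rule 'NAS-IP-Address BELONGS_TO_GROUP' is matched against."""
    request_auth = secrets.token_bytes(16)
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, pap_encode_password(password.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_access_accept(request_auth, ident, secret, groups):
    """ClearPass side when the enforcement profile applies: Filter-Id ':group_name=<group>;'
    and Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs([(FILTER_ID, (AVOCENT_PREFIX + ",".join(groups) + ";").encode())])
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(packet, request_auth, secret):
    """Client-side check: a reply from a host without the shared secret fails here."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def avocent_groups(packet):
    """Extract the ACS group list from Filter-Id. The comma-separated multi-group form is
    an assumption; the page only shows the single-group ':group_name=admin;' value."""
    groups = []
    for t, v in decode_attrs(packet[20:]):
        s = v.decode("ascii", "replace")
        if t == FILTER_ID and s.startswith(AVOCENT_PREFIX) and s.endswith(";"):
            groups += [g for g in s[len(AVOCENT_PREFIX):-1].split(",") if g]
    return groups


def simulate_login(username, password, secret, nas_ip, server_secret=None):
    """Constructed end-to-end exchange. Returns the ACS group list on success, None on reject.
    server_secret models a shared-secret mismatch between the ACS and ClearPass."""
    server_secret = secret if server_secret is None else server_secret
    req = build_access_request(username, password, secret, nas_ip)
    ident, request_auth, attrs = req[1], req[4:20], dict(decode_attrs(req[20:]))
    user = attrs[USER_NAME].decode()
    pwd = pap_decode_password(attrs[USER_PASSWORD], server_secret, request_auth)
    expected_pwd, role = DIRECTORY.get(user, (None, None))
    if pwd != (expected_pwd or "").encode() or role not in ROLE_TO_ACS_GROUP:
        return None  # ClearPass would answer Access-Reject ([Deny Access Profile])
    accept = build_access_accept(request_auth, ident, server_secret, ROLE_TO_ACS_GROUP[role])
    if not verify_response(accept, request_auth, secret):
        return None  # the ACS discards a reply whose Response Authenticator does not check
    return avocent_groups(accept)


if __name__ == "__main__":
    print(simulate_login("mhc", "S3cret!ConsoleAccess", b"xxxxxxxx", "10.210.5.100"))
```

Two things the script makes visible that the GUI does not: a wrong shared secret on either side produces an authentication failure rather than an obvious "bad secret" error, because the server simply decodes the password to garbage, and a forged Access-Accept without the secret is rejected by the Response Authenticator check, which is the only integrity protection the ACS6000 has on the reply that carries its group assignment.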

 

 

New Contributor
Posts: 3
Registered: ‎12-12-2014

Re: Howto: Authenticate a Avocent ACS6000 via Clearpass and RADIUS - Feb15-MHC

There are two possibilities out there... The explanation is amazingly clear, or nobody is using the ACS6000... I do not know which is the right one...
Occasional Contributor I
Posts: 7
Registered: ‎02-04-2015

Re: Howto: Authenticate a Avocent ACS6000 via Clearpass and RADIUS - Feb15-MHC

Ok, I have followed all the steps. However, when I log in with my ClearPass-authenticated AD login, ClearPass shows the right enforcement profile being followed and the enforcement policy applied, and I connect. However, when accessing the Avocent GUI I have VERY few of the options available. Also, when accessing a terminal port via SSH using IPADDRESS:PORT I am NOT allowed access, nor do I see any entries in ClearPass reflecting the attempt.

New Contributor
Posts: 3
Registered: ‎12-12-2014

Re: Howto: Authenticate a Avocent ACS6000 via Clearpass and RADIUS - Feb15-MHC

Have you applied the last optional step, number 4?

Occasional Contributor I
Posts: 7
Registered: ‎02-04-2015

Re: Howto: Authenticate a Avocent ACS6000 via Clearpass and RADIUS - Feb15-MHC

The ID that I am using is a member of the ADMIN group, which appears to have serial access.