Setting Up Remote Authentication
A RADIUS or TACACS+ authentication server needs information about an AppResponse 11 before it can successfully respond to an authentication request. A summary of the required information and an example configuration for RADIUS and TACACS+ servers is provided below. These instructions assume you have an existing authentication server to which you are adding an AppResponse 11. For information on setting up an authentication server, please see the documentation that came with the authentication server.
RADIUS Server Information
Modify or create a vendor file
Add and save an AppResponse 11 attribute to the Riverbed RADIUS vendor file:
The Riverbed RADIUS vendor ID is 17163.
Add the attribute 'Riverbed-Roles-List' with attribute number 10 and type 'string' to the file.
Here is an example showing this change added to a FreeRADIUS authentication server:
/usr/share/freeradius/dictionary.riverbed
# -*- text -*-
VENDOR          Riverbed                        17163
BEGIN-VENDOR    Riverbed
ATTRIBUTE       Riverbed-Local-User             1       string
ATTRIBUTE       Riverbed-Roles-List             10      string
END-VENDOR      Riverbed
The example above also shows Riverbed-Local-User, the attribute used by Riverbed SteelHead.
A vendor ID can only be used in a single file. If there is an existing file using the Riverbed vendor ID, add the AppResponse 11 attribute to that existing file and save the change.
Add available roles (optional)
The authorization (roles) for a remote user can be specified by the RADIUS server using a Vendor Specific Attribute (VSA). If the VSA is not returned by the remote server, then the default role configured on AppResponse 11 is assigned. If the VSA is present, but empty, or if no default roles are configured on AppResponse 11, no roles are assigned to the user.
The VSA value is a comma-separated list of role names (case sensitive). Valid values match the roles created in AppResponse 11. For more information, see “Roles” on page 79.
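The following is an added example, not Riverbed or FreeRADIUS code. It builds the RADIUS Vendor-Specific Attribute (type 26, RFC 2865 section 5.26) that carries Riverbed-Roles-List with the vendor ID and attribute number given above, decodes it back out of an Access-Accept attribute blob, and applies the three rules just described: VSA absent means the appliance default roles apply, VSA present but empty means no roles, and role names are matched case-sensitively without any trimming. The role name "Analyst" and the sample Reply-Message are constructed for the example.

```python
"""Encode/decode the Riverbed-Roles-List VSA and apply the role-assignment rules
described on this page. Added example; not Riverbed or FreeRADIUS code."""
import struct

RIVERBED_VENDOR_ID = 17163   # vendor ID from the dictionary file on this page
RIVERBED_ROLES_LIST = 10     # attribute number of Riverbed-Roles-List (string)
VENDOR_SPECIFIC = 26         # RADIUS attribute type for Vendor-Specific (RFC 2865)


def encode_roles_vsa(roles):
    """Encode role names as one Vendor-Specific attribute laid out as
    type(1) length(1) vendor-id(4) vendor-type(1) vendor-length(1) value."""
    value = ",".join(roles).encode("utf-8")
    vendor_part = struct.pack("!BB", RIVERBED_ROLES_LIST, 2 + len(value)) + value
    body = struct.pack("!I", RIVERBED_VENDOR_ID) + vendor_part
    if 2 + len(body) > 255:
        # a RADIUS attribute length is a single byte
        raise ValueError("roles list too long for one attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_attributes(data):
    """Yield (type, value) for each top-level attribute in a RADIUS attribute
    blob, rejecting truncated or inconsistent lengths rather than guessing."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", data[pos:pos + 2])
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def find_roles_list(data):
    """Return the Riverbed-Roles-List string, or None if no such VSA is present."""
    for atype, value in iter_attributes(data):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != RIVERBED_VENDOR_ID:
            continue                      # another vendor's VSA, not ours
        vtype, vlen = struct.unpack("!BB", value[4:6])
        if vtype == RIVERBED_ROLES_LIST and vlen >= 2 and 4 + vlen <= len(value):
            return value[6:4 + vlen].decode("utf-8")
    return None


def resolve_roles(data, default_roles):
    """Role assignment as the page describes it for RADIUS."""
    raw = find_roles_list(data)
    if raw is None:
        return list(default_roles)        # VSA absent: appliance default applies
    # Names are case-sensitive and must match roles defined on the appliance,
    # so nothing is trimmed or normalised; an empty value yields no roles.
    return [name for name in raw.split(",") if name]


# Constructed sample: a Reply-Message (type 18, "hello") followed by the VSA.
# "Analyst" is a made-up role name; "System Administrator" is from this page.
SAMPLE_REPLY = b"\x12\x07hello" + encode_roles_vsa(["System Administrator", "Analyst"])

if __name__ == "__main__":
    print(resolve_roles(SAMPLE_REPLY, ["Analyst"]))            # both roles
    print(resolve_roles(encode_roles_vsa([]), ["Analyst"]))    # VSA present but empty
    print(resolve_roles(b"", ["Analyst"]))                     # VSA absent: default
```

The length checks in `iter_attributes` and `find_roles_list` matter on the receiving side: an attribute whose declared length runs past the packet, or a vendor-length that runs past the enclosing attribute, is rejected instead of being read out of bounds.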
TACACS+ Server Information
Add available roles (optional)
The authorization (roles) for a remote user can be specified by the TACACS+ server using the Vendor Specific Attribute (VSA) "riverbed-roles-list", added under the "system" service.
An example of a defined role appears below.
user = tacplus {
    login = cleartext "tacplus"
    service = system {
        riverbed-roles-list = "System Administrator"
    }
}
Restricted packet access (optional)
User access to packet data can be controlled at a fine-grained level through the TACACS+ VSA "riverbed-hg-pkt-filter", which restricts packet access for specific users to only those packets originating from IP addresses in specific host groups. If the "riverbed-hg-pkt-filter" entry is absent from the TACACS+ configuration file, no host-group-based access control is applied.
SAML IDP Information
The SAML IDP needs to provide two pieces of information to AppResponse 11 during the login process: a username and one or more roles associated with that user.
Field      Default SAML Attribute   Description
Username   NameID                   The username string to be entered in the AR11 login screen. If this string is not specified, it will default to the Email address of the user, and this will be seen by AR11 as a new user.
Roles      memberOf                 Comma-separated, case-sensitive string of roles defined in AR11.
If the Username attribute is missing, the SAML assertion is considered invalid and the login attempt will be denied. If the roles attribute is missing, the user will be granted no roles, but still allowed to log in.
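The following is an added example, not Riverbed code, showing how the two fields in the table above are pulled out of a SAML assertion and how the acceptance rules just stated apply: a missing username makes the assertion invalid and the login is denied, while a missing roles attribute yields a valid login with no roles. The attribute names default to NameID and memberOf as in the table; the assertions are constructed, unsigned samples, and the example assumes (it is not stated on this page) that the SAML library has already verified the assertion's signature before this mapping runs.

```python
"""Map a SAML assertion to the username and roles AppResponse 11 expects,
following the rules on this page. Added example; not Riverbed code."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def _attribute_value(root, name):
    """First AttributeValue of the Attribute named `name`, or None if absent."""
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == name:
            val = attr.find("saml:AttributeValue", SAML_NS)
            return (val.text or "") if val is not None else ""
    return None


def map_assertion(xml_text, username_attr="NameID", roles_attr="memberOf"):
    """Return (username, roles). Raises ValueError when no username is present.
    Assumption: signature verification happened before this is called; nothing
    here checks it, so never feed an unverified assertion to this function."""
    root = ET.fromstring(xml_text)
    if username_attr == "NameID":
        node = root.find("saml:Subject/saml:NameID", SAML_NS)
        username = (node.text or "").strip() if node is not None else ""
    else:
        username = (_attribute_value(root, username_attr) or "").strip()
    if not username:
        raise ValueError("SAML assertion invalid: username missing")
    raw_roles = _attribute_value(root, roles_attr)
    # Comma-separated and case-sensitive; names must match roles defined in AR11,
    # so they are split but not normalised. Missing attribute -> no roles.
    roles = [r for r in raw_roles.split(",") if r] if raw_roles else []
    return username, roles


def login_decision(xml_text):
    """(accepted, username, roles) as the appliance would decide it."""
    try:
        username, roles = map_assertion(xml_text)
    except ValueError:
        return (False, None, [])
    return (True, username, roles)


# Constructed sample assertions (minimal and unsigned; not real IdP output).
# "Analyst" is a made-up role name; "System Administrator" is from this page.
FULL = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>System Administrator,Analyst</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
NO_ROLES = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject>
</saml:Assertion>"""
NO_USER = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>Analyst</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for sample in (FULL, NO_ROLES, NO_USER):
        print(login_decision(sample))
```

When checking an IdP configuration, the NO_ROLES case is the one to watch: the login succeeds, so a mis-named roles attribute on the IdP side shows up as users who can log in but see nothing, not as a failed login.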
AppResponse 11 has one default user, admin, with the predefined role of System Administrator.