Adding a Palo Alto RADIUS dictionary to RSA RADIUS for RSA Authentication Manager 8.x
Originally Published: 2015-09-11
Article Number
000062109
Applies To
RSA Product Set:  SecurID
RSA Product/Service Type:  Authentication Manager
RSA Version/Condition:  8.x
Issue
A Palo Alto device requires that vendor-specific attributes be returned in the return list of a RADIUS profile.
Resolution
RSA RADIUS resides in /opt/rsa/am/radius on the appliance hosting RSA Authentication Manager 8.x and contains the RADIUS configuration files and RADIUS dictionary (.dct) files.

Procedure for adding the Palo Alto RADIUS dictionary file

IMPORTANT: These steps must be performed on every RSA Authentication Manager instance in the deployment and included in any disaster recovery plan, as it is a custom update to RSA RADIUS.

  1. Unpack the paloalto.zip file that is attached to this article. This file contains a paloalto.dct, an updated vendor.ini, and updated dictiona.dcm.
  2. Copy the Palo Alto RADIUS dictionary file called paloalto.dct, the updated vendor.ini, and dictiona.dcm into /opt/rsa/am/radius.
  3. Move the RADIUS binary dictionary file (/opt/rsa/am/radius/saved-dcts.bin):
mv /opt/rsa/am/radius/saved-dcts.bin /opt/rsa/am/radius/saved-dcts.bin.OLD
  4. Restart the RSA RADIUS service at the command line:
rsaadmin@am84p:~> /opt/rsa/am/server/rsaserv restart radius
Stopping RSA RADIUS Server: *
RSA RADIUS Server                                          [SHUTDOWN]
Starting RSA Administration Server with Operations Console:
Starting RSA Database Server: *- RSA Database Server                                        [RUNNING]                             *
RSA Administration Server with Operations Console          [RUNNING]
Starting RSA RADIUS Server Operations Console: *
RSA RADIUS Server Operations Console                       [RUNNING]
Starting RSA Runtime Server:
RSA Runtime Server                                         [RUNNING]
Starting RSA RADIUS Server: *
RSA RADIUS Server                                          [RUNNING]
rsaadmin@am84p:~>
  5. Check that the changes took effect by looking at the RADIUS log file in the /opt/rsa/am/radius folder. The file is named with the current date stamp in the format yyyymmdd.log. For example,
...
...
...
03/31/2020 13:12:07 Saved dictionary file /opt/rsa/am/radius/saved-dcts.bin does not exist
03/31/2020 13:12:07 Opening saved dictionary file
03/31/2020 13:12:07 Successfully initialized saved-dcts.bin file
03/31/2020 13:12:07 Starting dictionary file processing ...
03/31/2020 13:12:10 Writing dictionary info to saved dictionary
03/31/2020 13:12:10 Successfully wrote dictionary information to saved-dcts.bin
03/31/2020 13:12:10 Closing saved dictionary file
03/31/2020 13:12:10 Successfully created and closed saved-dcts.bin
03/31/2020 13:12:10 Concluded dictionary file processing ...
...
...
...
  6. Add a new RADIUS client (RADIUS > RADIUS Client > Add New) in the Security Console and select Palo Alto Networks for the Make/Model selection.
  7. Add a new RADIUS Profile where the Palo Alto RADIUS attributes can be added to the Return List Attributes section of the RADIUS Profile:
NOTE: Ensure you are in a new Security Console session; otherwise you may be looking at cached, old data and not see the Palo Alto RADIUS attributes.
  8. Assign the RADIUS profile to a user account using Authentication Settings and perform a RADIUS authentication test.
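The log check in step 5 is easy to get wrong by eye when the yyyymmdd.log file is large, so here is an added example (not part of the RSA article) that parses the log format shown above and confirms that a complete saved-dcts.bin rebuild happened after the restart. The sample log text, the function names and the cutoff time are all constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample of a yyyymmdd.log excerpt after "rsaserv restart radius"
# (the message lines mirror those quoted in the article; not a real capture).
SAMPLE_LOG = """\
03/31/2020 13:12:07 Saved dictionary file /opt/rsa/am/radius/saved-dcts.bin does not exist
03/31/2020 13:12:07 Opening saved dictionary file
03/31/2020 13:12:07 Successfully initialized saved-dcts.bin file
03/31/2020 13:12:07 Starting dictionary file processing ...
03/31/2020 13:12:10 Writing dictionary info to saved dictionary
03/31/2020 13:12:10 Successfully wrote dictionary information to saved-dcts.bin
03/31/2020 13:12:10 Closing saved dictionary file
03/31/2020 13:12:10 Successfully created and closed saved-dcts.bin
03/31/2020 13:12:10 Concluded dictionary file processing ...
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (.*)$")

# Messages that must appear, in this order, after the restart for the
# rebuild to count. The first one proves the old saved-dcts.bin was
# really moved aside in step 3; without it the binary cache is reused
# and the new paloalto.dct is never compiled in.
REQUIRED_SEQUENCE = [
    "saved-dcts.bin does not exist",
    "Starting dictionary file processing",
    "Successfully wrote dictionary information to saved-dcts.bin",
    "Concluded dictionary file processing",
]


def parse_log(text):
    """Yield (timestamp, message) pairs; lines not in the log format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), TIME_FMT), m.group(2)


def dictionary_rebuilt(text, since):
    """True if every REQUIRED_SEQUENCE message appears, in order, at or after `since`.

    `since` is the restart time as a string in the log's own format,
    e.g. "03/31/2020 13:12:00" (hypothetical value)."""
    cutoff = datetime.strptime(since, TIME_FMT)
    pos = 0
    for ts, msg in parse_log(text):
        if ts >= cutoff and REQUIRED_SEQUENCE[pos] in msg:
            pos += 1
            if pos == len(REQUIRED_SEQUENCE):
                return True
    return False
```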
Notes
To perform a RADIUS authentication test, an administrator could use NTRadPing.