How to map a RADIUS attribute to a value that equals a user group for access control
Originally Published: 2013-12-23
Article Number
000045320
Applies To

RSA Product Set: SecurID 
RSA Product/Service Type: Authentication Manager 
RSA Version/Condition: 8.7 and higher

Issue
  • How do I map a RADIUS attribute to a value that equals a user group for access control or authorization?
  • Cisco ACS and other access control system devices map Active Directory (AD) user groups to access groups on Cisco devices. How can I switch this to Authentication Manager authentication instead of AD?

This solution maps a RADIUS attribute to a value that equals the user's group and returns it in a RADIUS profile assigned to the RADIUS client. Note that this is not a dynamic link to an AD group through the identity source: we are not mapping to AD, we are simply re-creating the groups we know exist there and assigning users to those profiles, so that the group attribute is returned to the RADIUS client for every user who logs in on that client. The example below uses the existing standard RADIUS attribute 25, Class.

Cause

Group information can be returned to a RADIUS client in one of two ways:

  • Map to an AD group. Years ago Frank Miller mapped user attributes to AD groups. The problem was that when RSA does the group lookup, it returns the first AD group found as the RADIUS attribute, which may be functionally useless, because you cannot require that an AD user belong to only a single group. Apparently Cisco ASA may have a way to parse through group information; see Retrieving Active Directory.doc. Some Cisco devices may be able to interpret this; see KB a6348.
  • Map a RADIUS attribute to a value that equals the user's group and return it in a RADIUS profile assigned to the RADIUS client. This is the more practical option and is the approach used in the Resolution below. Note that this is not a dynamic link to an AD group through the identity source: we are not mapping to AD, we are simply re-creating the groups we know exist there and assigning users to those profiles, so that the group attribute is returned to the RADIUS client for every user who logs in on that client. The example uses the existing standard RADIUS attribute 25, Class. See KBa63480-RADIUSProfileReturnsToUserGroup.pdf.

Resolution

To configure a standard RADIUS attribute to pass group information, for example the Class attribute (25), follow the steps below:

  1. Enable this attribute for a RADIUS profile. Go to Security Console > RADIUS > RADIUS Profiles > New.
    [Screenshot: RADIUS Profile > New]
  2. Give the profile a name.
  3. Scroll down and assign a value to the Class attribute (#25), e.g. one of the group names such as Admin, Security or Regular User, then click [Add] so that the Return List Attributes shows the value
          "Class [M]: Admin:NoEcho"
     This is entered as the literal string to be returned by RSA RADIUS to the RADIUS client (the ACS device).
    [Screenshot: RADIUS Return List Attributes]
  4. After creating one RADIUS profile for each of the groups that you need (for example, Admin, Security, Regular User), assign users to their appropriate RADIUS profile or group:
    • Go to RADIUS > RADIUS Profiles > Manage Existing.
    • From the drop-down for the profile, click Associated Users.
      [Screenshot: RADIUS Profile > Associated Users]
      This brings up a list of users currently associated with the profile. To add new users, use the Search option in the left navigation pane, then click Assign to More Users.

    • Users assigned to another RADIUS profile, for example one named Regular, could send back the value (group) RegularUser, or whatever string value your RADIUS client expects in order to set regular privilege levels as opposed to administrator privilege levels.
      The assumption is that the RADIUS client can use this value to assign access control levels. Other users assigned to different RADIUS profiles return their appropriate values, which should equal their group.

      See the Notes below about disabling the vendor Class attribute, as it may interfere with the Class attribute returned from this RADIUS profile for the associated users.
Notes

By default, Steel-Belted RADIUS sends its own vendor Class attribute. To prevent the vendor Class attribute from being sent, you need to edit the vendor.ini file in the Operations Console > Deployment Configuration > RADIUS Servers > Manage Server Files.
[Screenshot: RADIUS files under the Operations Console]
   Edit vendor.ini, scroll all the way to the bottom and put send-class-attribute = no on the last line of the file:
send-class-attribute = no
You will need to stop and restart RADIUS for this change to take effect. You can do this from the Operations Console.
   If you have replicas, make the same edit on each replica, followed by a stop and start of RADIUS.

A test with NTRadPing will verify that the group attribute is returned.
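As an added example (not part of this article or of RSA's software), the following shows how a RADIUS client could verify an Access-Accept and read back the Class (attribute 25) value that a profile returns, which is what the NTRadPing check above confirms by hand. The privilege levels, the shared secret and the packet contents are constructed for the example; the handling of a second Class attribute reflects the vendor Class attribute discussed in the Notes.

```python
import hashlib
import struct

ACCESS_ACCEPT = 2
ATTR_CLASS = 25  # standard RADIUS attribute "Class" (RFC 2865, section 5.25)

# Assumed client-side policy: Class value -> privilege level. The group names
# are the profiles from the article; the numeric levels are an assumption.
GROUP_PRIVILEGE = {b"Admin": 15, b"Security": 7, b"RegularUser": 1}

def parse_attributes(payload):
    """Split the attribute section of a RADIUS packet into (type, value) pairs."""
    attrs, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs

def verify_response(packet, request_authenticator, secret):
    """Check the Response Authenticator (RFC 2865, section 3) before trusting attributes."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return expected == packet[4:20]

def group_from_accept(packet, request_authenticator, secret):
    """Return (class_values, privilege) for a verified Access-Accept; privilege is
    None unless exactly one Class is present (the Notes warn the server's own
    vendor Class attribute can ride along and confuse a client)."""
    if not verify_response(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch: discard packet")
    if packet[0] != ACCESS_ACCEPT:
        return [], None
    classes = [v for t, v in parse_attributes(packet[20:]) if t == ATTR_CLASS]
    if len(classes) != 1:
        return classes, None
    return classes, GROUP_PRIVILEGE.get(classes[0])

def build_accept(ident, request_authenticator, secret, attrs):
    """Build a constructed Access-Accept for offline testing (stands in for the server)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + auth + body
```

With send-class-attribute left at its default, a reply can carry two Class attributes, and the function above deliberately refuses to pick one; after the vendor.ini change only the profile's value remains.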