Shashank Rajvanshi

Multiple RADIUS Profiles Provide Policy-Driven Granular Control

Blog Post created by Shashank Rajvanshi Employee on Mar 25, 2019

The Cloud Authentication Service now supports multiple RADIUS profiles. Previously, you had to use the same Default RADIUS Profile for all the RADIUS clients. This new, policy-drive capability gives you the flexibility to assign a custom RADIUS profile to a target user population.  You can also provide custom return list attributes, such as VLAN assignments or IP address assignments, to RADIUS client devices, which are used to connect the target user population. The RADIUS server also sends the RADIUS client the Access-Accept message to set session parameters for that user. You can set static attribute values or use dynamic values for LDAP or Active Directory attributes to provide granular control.

 

Multiple RADIUS profiles follow these basic rules

 

 

  1. The RADIUS client can uses only one access policy. This access policy is associated with one or more identity sources and can be used by multiple RADIUS clients.
  2. Each RADIUS client can have multiple custom RADIUS profiles and a list of checklist attributes.
  3. Each access policy has one or more rule sets. These rule sets can be configured to target a smaller user population based on user attributes. For example, a rule set can target only users who have the “manager” title and can control access to specific applications.  
  4. One RADIUS profile can be associated with only one rule set and vice a versa. The rule set must be in an access policy used by the RADIUS client. You can configure return list attributes for the target population tied to this rule set to provide granular control by the RADIUS client device.
  5. You can create multiple custom RADIUS profiles associated with different RADIUS clients which use the same policy.
  6. When RADIUS profile is not created for few rule sets or RADIUS Profile for few rule sets is not associated to this RADIUS client, then for those rule sets (set of users) in this RADIUS Client default RADIUS profile will be used. Default profile can have only static attribute values as part of their return list attributes, if configured.

 

  

 

 

You can create RADIUS profiles as part of the RADIUS client workflow. You can now add checklist attributes when you configure the RADIUS client, whereas in earlier versions, checklist attributes were part of the Default RADIUS Profile. After you configure the RADIUS client, click the RADIUS Profiles on the left Window pan, as shown below, to go to the RADIUS Profile configuration.

 

 

 

 

   On the RADIUS Profile configuration page, you can choose to create a new custom profile. If you do not create one,       Default RADIUS Profile will be associated with this RADIUS client. You can configure return list attributes for this             Default RADIUS Profile, but remember that Default RADIUS Profile is same across all the RADIUS clients. You cannot    delete a Default RADIUS Profile, but this profile will not apply to RADIUS clients that are associated with at least one    custom RADIUS profile. To see the Default RADIUS Profile, select Show default profile. By default this option is       unselected.

 

 

 

Click New Profile to see the custom RADIUS Profile page. This page allows you to add static and dynamic return list attributes from the identity source. After you specify the attributes and rule set, you can associate this RADIUS profile to the client or just save it to make it available to other RADIUS clients. Remember that one rule set can be assigned to only one RADIUS profile. If no rule sets are available, you must create one in the access policy associated with the RADIUS client that this profile is associated with.  

 

You can also choose to disassociate or delete an associated RADIUS profile. If you want to remove a profile from the RADIUS client, click  Disassociate. You can always re-associate this profile with the RADIUS client by clicking Associate. If you delete a profile, the profile will be removed from all RADIUS clients that use it.

 

You can create multiple RADIUS profiles for each RADIUS client and leverage stronger, policy-based, granular control for end-users/privileged users who access RADIUS-protected applications. We will continue to bring additional features and enhancements in future releases of the Cloud Authentication Service. Please feel free to reach out to us with any additional comments and feature requests.

 

Multiple RADIUS Profiles Demo Link

Outcomes