000037580 - RSA SecurID Access identity router couldn't return Active Directory groups to RADIUS client

Document created by RSA Customer Support Employee on Jun 14, 2019
Version 1

Article Content

Article Number: 000037580
Applies To
RSA Product Set: SecurID Access
RSA Product/Service Type: Identity Router
RSA Version/Condition: 12.0, 12.2, 12.5
Issue
  • The identity router (IDR) cannot return the virtualGroups value to a RADIUS client as a return-list attribute added in the RADIUS profile when the attribute name is Group.
  • The IDR logs may show the attribute being returned successfully, yet the RADIUS client receives nothing. For example, in /var/log/symplified/cxf.log the HR Active Directory group is present in the response, but a RADIUS test client such as NTRadPing never receives it:

[idradmin@idr1 ~]$ cat /var/log/symplified/cxf.log
ID: 10
Address: https://127.0.0.1/radiusj/radius/v1/authenticate/user
Encoding: UTF-8
Http-Method: POST
Content-Type: application/json; charset=utf-8
Headers: {Accept=[*/*], Content-Length=[309], content-type=[application/json; charset=utf-8], host=[127.0.0.1], user-agent=[libcurl-agent/1.0]}
Payload: {"User-Name":{"type":"string","value":["HRUser"]},"User-Password":{"type":"string","value":["********"]},"NAS-IP-Address":{"type":"ipaddr","value":["192.168.20.100"]},"Event-Timestamp":{"type":"date","value":["Apr 30 2019 20:30:22 UTC"]},"RSA_INTERNAL_SOURCE_IP":{"type":"ipaddr","value":["192.168.20.100"]}}
--------------------------------------
2019-04-30 20:30:23 INFO  LoggingOutInterceptor:274 - Outbound Message
---------------------------
ID: 10
Response-Code: 200
Content-Type: application/json;charset=UTF-8
Headers: {Content-Type=[application/json;charset=UTF-8], Date=[Tue, 30 Apr 2019 20:30:23 GMT]}
Payload: {"control:Response-Packet-Type":"Access-Accept","reply:Reply-Message":"Authentication succeeded","reply:ASA-Banner2":["HRUser@example.com"],"reply:Group":["HR"],"reply:ASA-Banner1":["test"]}
--------------------------------------
Cause

Group is a FreeRADIUS internal attribute. FreeRADIUS uses such attributes only inside the server, for its own verification and validation; they are never encoded into the reply packet. Internal attributes carry numbers above 255, and the RADIUS attribute Type field is a single octet, so there is no way to put them on the wire.

That is why the virtualGroups value appears in cxf.log as part of the response produced by the FreeRADIUS Java module, while the same value never arrives at the RADIUS client (as NTRadPing shows).

For the complete list, review the FreeRADIUS internal dictionary (dictionary.freeradius.internal) in the FreeRADIUS GitHub repository.

Resolution
A future release will not allow these internal attributes to be selected when defining a RADIUS profile.
Workaround
Map virtualGroups to an attribute that is not a FreeRADIUS internal attribute instead of Group; the AD groups are then returned successfully. Choose an attribute the RADIUS client actually understands (the example below uses the Cisco vendor-specific attribute ASA-WebVPN-Storage-Objects), and confirm on the client, not only in cxf.log, that the value arrives.

An example from the cxf.log:
ID: 21
Address: https://127.0.0.1/radiusj/radius/v1/authenticate/user
Encoding: UTF-8
Http-Method: POST
Content-Type: application/json; charset=utf-8
Headers: {Accept=[*/*], Content-Length=[309], content-type=[application/json; charset=utf-8], host=[127.0.0.1], user-agent=[libcurl-agent/1.0]}
Payload: {"User-Name":{"type":"string","value":["HRUser"]},"User-Password":{"type":"string","value":["********"]},"NAS-IP-Address":{"type":"ipaddr","value":["192.168.20.100"]},"Event-Timestamp":{"type":"date","value":["May 14 2019 12:40:09 UTC"]},"RSA_INTERNAL_SOURCE_IP":{"type":"ipaddr","value":["192.168.20.100"]}}
--------------------------------------
2019-05-14 12:40:10 INFO  LoggingOutInterceptor:274 - Outbound Message
--------------------------
ID: 21
Response-Code: 200
Content-Type: application/json;charset=UTF-8
Headers: {Content-Type=[application/json;charset=UTF-8], Date=[Tue, 14 May 2019 12:40:10 GMT]}
Payload: {"control:Response-Packet-Type":"Access-Accept","reply:Reply-Message":"Authentication succeeded","reply:ASA-Banner2":["HRUser@example.com"],"reply:ASA-WebVPN-Storage-Objects":["HR"],"reply:ASA-Banner1":["test"]}
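The following Python script is an added example, not RSA's or FreeRADIUS's code. It takes the two response payloads logged above (the failing Group mapping and the ASA-WebVPN-Storage-Objects workaround), splits the reply: attributes into those that have a wire encoding and those FreeRADIUS drops, and then builds the Access-Accept packet a client such as NTRadPing would actually parse, so the difference between "present in cxf.log" and "received by the client" becomes visible. The dictionary is a constructed subset: standard numbers are from RFC 2865, Group = 1005 is taken from dictionary.freeradius.internal, and the Cisco ASA vendor-specific numbers are placeholders that must be checked against dictionary.cisco.asa. The request authenticator (all zeros) and shared secret are constructed as well.

```python
"""Why a reply: attribute can show up in cxf.log and still never reach the
RADIUS client: FreeRADIUS internal attributes have no wire encoding."""
import hashlib
import json
import struct

# Constructed inputs: the two response payloads from the cxf.log excerpts
# above (Group mapping, then the ASA-WebVPN-Storage-Objects workaround).
FAILING_REPLY = ('{"control:Response-Packet-Type":"Access-Accept",'
                 '"reply:Reply-Message":"Authentication succeeded",'
                 '"reply:ASA-Banner2":["HRUser@example.com"],'
                 '"reply:Group":["HR"],"reply:ASA-Banner1":["test"]}')
WORKAROUND_REPLY = ('{"control:Response-Packet-Type":"Access-Accept",'
                    '"reply:Reply-Message":"Authentication succeeded",'
                    '"reply:ASA-Banner2":["HRUser@example.com"],'
                    '"reply:ASA-WebVPN-Storage-Objects":["HR"],'
                    '"reply:ASA-Banner1":["test"]}')

# Constructed dictionary subset: name -> (vendor id, attribute number).
# Vendor 0 is a standard attribute (RFC 2865 numbers).  Group = 1005 comes
# from dictionary.freeradius.internal.  The Cisco (vendor 9) ASA numbers
# are placeholders for this example; check dictionary.cisco.asa.
VENDOR_SPECIFIC = 26
CISCO = 9
DICTIONARY = {
    "Reply-Message": (0, 18),
    "Group": (0, 1005),
    "ASA-Banner1": (CISCO, 15),
    "ASA-Banner2": (CISCO, 36),
    "ASA-WebVPN-Storage-Objects": (CISCO, 223),
}


def parse_reply(payload):
    """reply: items of a logged response as name -> list of values.
    control: items steer the server and are never sent to the client."""
    attrs = {}
    for key, value in json.loads(payload).items():
        prefix, _, name = key.partition(":")
        if prefix == "reply":
            attrs[name] = value if isinstance(value, list) else [value]
    return attrs


def classify(attrs, dictionary=DICTIONARY):
    """Split reply attributes into encodable and dropped.  The RADIUS Type
    field is one octet (RFC 2865 section 5), so a non-vendor attribute
    numbered above 255 (every FreeRADIUS internal attribute) has no wire
    form; names missing from the dictionary are dropped as well."""
    wire, dropped = {}, {}
    for name, values in attrs.items():
        vendor, number = dictionary.get(name, (None, None))
        if vendor is None or (vendor == 0 and number > 255):
            dropped[name] = values
        else:
            wire[name] = values
    return wire, dropped


def encode_attribute(name, value, dictionary=DICTIONARY):
    """TLV-encode one string attribute; vendor attributes are wrapped in
    Vendor-Specific (26) with a 4-byte Vendor-Id and inner type/length."""
    vendor, number = dictionary[name]
    data = value.encode()
    if len(data) > 247:  # 253 max value, minus 6 bytes of VSA overhead
        raise ValueError(f"{name}: value too long for one attribute")
    tlv = struct.pack("!BB", number, 2 + len(data)) + data
    if vendor == 0:
        return tlv
    body = struct.pack("!I", vendor) + tlv
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(identifier, request_authenticator, attrs, secret,
                        dictionary=DICTIONARY):
    """Encode an Access-Accept (code 2) as a server does: pack only the
    encodable attributes, then set the Response Authenticator to
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    wire, _ = classify(attrs, dictionary)
    body = b"".join(encode_attribute(n, v, dictionary)
                    for n, values in wire.items() for v in values)
    header = struct.pack("!BBH", 2, identifier, 20 + len(body))
    auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + auth + body


def decode_attribute_names(packet, dictionary=DICTIONARY):
    """What a client such as NTRadPing sees: walk the attributes after the
    20-byte header and map each (vendor, number) back to a name."""
    by_number = {v: k for k, v in dictionary.items()}
    seen, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        data = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            vendor, vtype, vlen = struct.unpack("!IBB", data[:6])
            name = by_number.get((vendor, vtype), f"Vendor-{vendor}-{vtype}")
            seen.append((name, data[6:4 + vlen].decode()))
        else:
            seen.append((by_number.get((0, atype), f"Attr-{atype}"), data.decode()))
        pos += alen
    return seen


if __name__ == "__main__":
    for payload in (FAILING_REPLY, WORKAROUND_REPLY):
        attrs = parse_reply(payload)
        packet = build_access_accept(10, bytes(16), attrs, b"testing123")
        print("dropped:", sorted(classify(attrs)[1]),
              "client sees:", decode_attribute_names(packet))
```

Running the script shows Group in the dropped set for the first payload and absent from the decoded packet, while the workaround payload decodes to the HR value under ASA-WebVPN-Storage-Objects. The same split applies to any other name from dictionary.freeradius.internal chosen in a RADIUS profile; the client-side decode, not the server log, is the check that matters.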
