- In a text editor such as Notepad++, create a file with the required attributes from the vendor dictionary file and save it as a .dct file:
ATTRIBUTE NCPS-Ip-PoolNr 261 integer r
ATTRIBUTE NCPS-Timeout 264 integer r
- Log in to the primary Authentication Manager Operations Console, then:
- Select Deployment Configuration > RADIUS Server.
- Click on the context arrow next to the primary server name and choose Manage server files.
- Click on the Dictionary Files tab.
- Click the Add New button.
- Click Choose File and browse to the NCP.dct file created in step 1.
- Click Submit.
- Verify the content of the .dct by clicking on the Dictionary Files tab. Scroll to the ncp.dct and from the context arrow, choose Edit.
- Click Save & Restart RADIUS server.
- Click on the Configuration Files tab.
- Click on the context arrow next to the dictiona.dcm file and choose Edit.
- In the dictiona.dcm file, add the ncp.dct file name. The recommendation is that files be listed in alphabetical order. Since the file we are adding is called ncp.dct, the example below shows it listed after nautica.dct and before netblazr.dct.
- Click Save & Restart RADIUS Server.
- Again on the Configuration Files tab, select vendor.ini and choose Edit.
- In the vendor.ini file, scroll down to the point where the new entry will be in alphabetical order (in the example below, the new text goes between Microsoft RRAS for Windows NT and Netscreen Technologies), then add the following text:
vendor-product = NCP-VPN
dictionary = NCPS
ignore-ports = no
port-number-usage = per-port-type
help-id = 2000
- When done, click Save & Restart RADIUS Server.
- Make sure that the RADIUS server status is synchronized.
Before continuing, repeat step 2 through step 8 for every replica in the deployment.
Adding a RADIUS client
- Log in to the Security Console and select RADIUS > RADIUS Clients > Add New.
- Create the RADIUS client:
- Name the client device.
- Set the IP address type and use the IP address of the NCP server.
- For the Make/Model, select NCP-VPN, since that was what was added to the vendor.ini.
- Enter the RADIUS shared secret that was configured on the NCP server.
- Click Save & Create Associated RSA Agent when done.
- On the Add New Authentication Agent page, complete the fields for Authentication Agent Basics and Authentication Agent attributes.
- Click Save when done.
Adding a RADIUS profile
- Select RADIUS > RADIUS Profile > Add New.
- The attributes are shown, as in the image below, in the drop-down menu of the return list attributes:
- Configure the RADIUS profile with the desired check list and/or return list attributes.
- Click Save.
Assigning the RADIUS profile to an agent or user
- Navigate to RADIUS > RADIUS Profiles > Manage Existing.
- Click on the context arrow and select Associated Users or Associated Agents.
- Depending on the selection click on Assign to More Users or Assign to More Agents.
- Place a check next to the user(s) or agent(s) and click Assign Profile.
Test RADIUS authentication with NTRadPing
NTRadPing is a free RADIUS test utility. For information on how to install and use it, please see 000014905 - Performing RADIUS authentication tests with NTRadPing to RSA Authentication Manager.
To perform the authentication test using NTRadPing, the attribute must be defined in the dictionary file of the utility. If not defined, the following warning will be seen:
To skip the warning the attributes must be defined in the raddict.dat file for NTRadPing as shown below.
- First extract the files as explained in 000014905 - Performing RADIUS authentication tests with NTRadPing to RSA Authentication Manager.
- Edit the raddict.dat with a text editor to add the attributes as shown:
ATTRIBUTE NCPS-Ip-PoolNr 246 integer
ATTRIBUTE NCPS-Timeout 227 integer
- Launch NTRadPing.
- From the Security Console, navigate to Reporting > Real Time Activity Monitors > Authentication Activity Monitor and click Start Monitor.
- Following the steps in 000014905 - Performing RADIUS authentication tests with NTRadPing to RSA Authentication Manager, enter the RADIUS server and port, the RADIUS secret key, a user ID and passcode.
- Click Send to see the text results. A successful authentication will show as Access-Accept. Access-Reject is a failed authentication and Access-Challenge is a message showing the passcode used has an issue and is either in New PIN Mode or Next Tokencode Mode.
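The three results named in the last step are RADIUS reply codes, and a reply can only be trusted if its Response Authenticator verifies against the shared secret entered for the RADIUS client. The following is an added example, not code from RSA or NTRadPing: it builds an Access-Request as defined in RFC 2865, then verifies and classifies a reply. The user ID, passcode, secret, Reply-Message text and the `sign_reply` fixture are constructed for illustration.

```python
import hashlib, hmac, struct

# Reply codes the article names (RFC 2865 numbering).
CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def hide_password(passcode: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2 (MD5 keystream XOR)."""
    blocks = max(1, -(-len(passcode) // 16))
    padded = passcode.ljust(16 * blocks, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_request(ident, user, passcode, secret, req_auth):
    """Access-Request (code 1) with User-Name (1) and User-Password (2)."""
    hidden = hide_password(passcode, secret, req_auth)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def sign_reply(code, ident, attrs, secret, req_auth):
    """Constructed test fixture: what a server holding `secret` would send."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def parse_reply(reply, ident, secret, req_auth):
    """Return (result name, [(type, value)]); raise ValueError if unverifiable."""
    if len(reply) < 20:
        raise ValueError("short packet")
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or rid != ident:
        raise ValueError("length or identifier mismatch")
    want = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(want, reply[4:20]):
        raise ValueError("bad Response Authenticator: shared secret mismatch")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or reply[pos + 1] < 2 or pos + reply[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((reply[pos], reply[pos + 2:pos + reply[pos + 1]]))
        pos += reply[pos + 1]
    return CODES.get(code, f"code {code}"), attrs

if __name__ == "__main__":
    ra = bytes(range(16))  # constructed; use os.urandom(16) for real requests
    req = build_request(7, b"jdoe", b"12345678", b"constructed-secret", ra)
    reply = sign_reply(11, 7, bytes([18, 15]) + b"Enter new PIN", b"constructed-secret", ra)
    print(len(req), parse_reply(reply, 7, b"constructed-secret", ra))
```

A reply that fails the authenticator check usually means the secret on the RADIUS client entry and the secret on the device differ, which is worth ruling out before investigating the user's token.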