RSA RADIUS resides in /opt/rsa/am/radius on the appliance hosting RSA Authentication Manager 8.x and contains the RADIUS configuration files and RADIUS dictionary (.dct) files.
Procedure for adding the Palo Alto RADIUS dictionary file
IMPORTANT: These steps must be performed on every RSA Authentication Manager instance in the deployment and included in any disaster recovery plan, because this is a custom update to RSA RADIUS.
- Unpack the paloalto.zip file that is attached to this article. This file contains paloalto.dct, an updated vendor.ini, and an updated dictiona.dcm.
- Copy the Palo Alto RADIUS dictionary file (paloalto.dct), the updated vendor.ini, and the updated dictiona.dcm into /opt/rsa/am/radius.
- Move the RADIUS binary dictionary file (/opt/rsa/am/radius/saved-dcts.bin) aside so that it is rebuilt when the service restarts:
mv /opt/rsa/am/radius/saved-dcts.bin /opt/rsa/am/radius/saved-dcts.bin.OLD
- Restart the RSA RADIUS service at the command line:
rsaadmin@am84p:~> /opt/rsa/am/server/rsaserv restart radius
Stopping RSA RADIUS Server: *
RSA RADIUS Server [SHUTDOWN]
Starting RSA Administration Server with Operations Console:
Starting RSA Database Server: *- RSA Database Server [RUNNING] *
RSA Administration Server with Operations Console [RUNNING]
Starting RSA RADIUS Server Operations Console: *
RSA RADIUS Server Operations Console [RUNNING]
Starting RSA Runtime Server:
RSA Runtime Server [RUNNING]
Starting RSA RADIUS Server: *
RSA RADIUS Server [RUNNING]
- Check that the changes took effect by looking at the RADIUS log file in the /opt/rsa/am/radius folder. The file is named with the current date stamp in the format yyyymmdd.log. For example:
03/31/2020 13:12:07 Saved dictionary file /opt/rsa/am/radius/saved-dcts.bin does not exist
03/31/2020 13:12:07 Opening saved dictionary file
03/31/2020 13:12:07 Successfully initialized saved-dcts.bin file
03/31/2020 13:12:07 Starting dictionary file processing ...
03/31/2020 13:12:10 Writing dictionary info to saved dictionary
03/31/2020 13:12:10 Successfully wrote dictionary information to saved-dcts.bin
03/31/2020 13:12:10 Closing saved dictionary file
03/31/2020 13:12:10 Successfully created and closed saved-dcts.bin
03/31/2020 13:12:10 Concluded dictionary file processing ...
- Add a new RADIUS client (RADIUS > RADIUS Client > Add New) in the Security Console and select Palo Alto Networks for the Make/Model selection.
- Add a new RADIUS Profile where the Palo Alto RADIUS attributes can be added to the Return List Attributes section of the RADIUS Profile:
NOTE: Ensure you are in a new Security Console session; otherwise you may be looking at old, cached data and not see the Palo Alto RADIUS attributes.
- Assign the RADIUS profile to a user account using Authentication Settings and perform a RADIUS authentication test.
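Because the procedure has to be repeated on every instance, the log check in the verification step can be scripted. The following is an added example, not RSA-supplied code: the function names are hypothetical, the matched message strings are copied from the log excerpt above, and the incomplete sample log is constructed.

```bash
#!/usr/bin/env bash
# Added example (not RSA-supplied): confirm from the RADIUS log that
# saved-dcts.bin was rebuilt after the restart.

# Path of today's RADIUS log, named yyyymmdd.log as described in the article.
todays_radius_log() {
    printf '/opt/rsa/am/radius/%s.log\n' "$(date +%Y%m%d)"
}

# check_dict_rebuild LOGFILE
#   0 = the most recent "does not exist" event was followed by a completed rebuild
#   1 = no rebuild seen, or it did not complete    2 = log file not readable
check_dict_rebuild() {
    [ -r "$1" ] || { echo "cannot read log: $1" >&2; return 2; }
    awk '
        /Saved dictionary file .*saved-dcts\.bin does not exist/ {
            missing = 1; created = 0; concluded = 0 }
        missing && /Successfully created and closed saved-dcts\.bin/ { created = 1 }
        created && /Concluded dictionary file processing/ { concluded = 1 }
        END { exit !(missing && created && concluded) }
    ' "$1"
}

# Key lines of the log excerpt shown in the article (a completed rebuild).
sample_rebuilt_log() {
    cat <<'EOF'
03/31/2020 13:12:07 Saved dictionary file /opt/rsa/am/radius/saved-dcts.bin does not exist
03/31/2020 13:12:07 Starting dictionary file processing ...
03/31/2020 13:12:10 Successfully wrote dictionary information to saved-dcts.bin
03/31/2020 13:12:10 Successfully created and closed saved-dcts.bin
03/31/2020 13:12:10 Concluded dictionary file processing ...
EOF
}

# Constructed sample: a restart whose log stops before the rebuild finishes.
sample_incomplete_log() {
    cat <<'EOF'
03/31/2020 13:12:07 Saved dictionary file /opt/rsa/am/radius/saved-dcts.bin does not exist
03/31/2020 13:12:07 Starting dictionary file processing ...
EOF
}

# Offline demonstration; on the appliance run: check_dict_rebuild "$(todays_radius_log)"
tmp=$(mktemp)
sample_rebuilt_log > "$tmp"
if check_dict_rebuild "$tmp"; then echo "rebuild confirmed"; else echo "rebuild NOT confirmed"; fi
rm -f "$tmp"
```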