000031215 - Adding a Palo Alto RADIUS dictionary to RSA RADIUS for RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Mar 31, 2020. Last modified by RSA Customer Support Employee on Mar 31, 2020.
Version 3

Article Content

Article Number: 000031215
Applies To:
RSA Product Set:  SecurID
RSA Product/Service Type:  Authentication Manager
RSA Version/Condition:  8.x
Issue: A Palo Alto device requires that vendor-specific attributes are returned in the return list of a RADIUS profile.
Resolution: RSA RADIUS resides in /opt/rsa/am/radius on the appliance hosting RSA Authentication Manager 8.x and contains the RADIUS configuration files and the RADIUS dictionary (.dct) files.

Procedure for adding the Palo Alto RADIUS dictionary file

IMPORTANT: These steps must be performed on every RSA Authentication Manager instance in the deployment and included in any disaster recovery plan, as it is a custom update to RSA RADIUS.

  1. Unpack the paloalto.zip file that is attached to this article. It contains a paloalto.dct, an updated vendor.ini, and an updated dictiona.dcm.
  2. Copy the Palo Alto RADIUS dictionary file paloalto.dct, the updated vendor.ini, and the updated dictiona.dcm into /opt/rsa/am/radius.
  3. Move the RADIUS binary dictionary file (/opt/rsa/am/radius/saved-dcts.bin) aside so that it is rebuilt from the updated dictionaries on the next restart:

mv /opt/rsa/am/radius/saved-dcts.bin /opt/rsa/am/radius/saved-dcts.bin.OLD

  4. Restart the RSA RADIUS service at the command line:

rsaadmin@am84p:~> /opt/rsa/am/server/rsaserv restart radius
Stopping RSA RADIUS Server: *
RSA RADIUS Server                                          [SHUTDOWN]
Starting RSA Administration Server with Operations Console:
Starting RSA Database Server: *- RSA Database Server                                        [RUNNING]                             *
RSA Administration Server with Operations Console          [RUNNING]
Starting RSA RADIUS Server Operations Console: *
RSA RADIUS Server Operations Console                       [RUNNING]
Starting RSA Runtime Server:
RSA Runtime Server                                         [RUNNING]
Starting RSA RADIUS Server: *
RSA RADIUS Server                                          [RUNNING]

  5. Check that the changes took effect by looking at the RADIUS log file in the /opt/rsa/am/radius folder. The file is named with the current date stamp in the format yyyymmdd.log. For example:

03/31/2020 13:12:07 Saved dictionary file /opt/rsa/am/radius/saved-dcts.bin does not exist
03/31/2020 13:12:07 Opening saved dictionary file
03/31/2020 13:12:07 Successfully initialized saved-dcts.bin file
03/31/2020 13:12:07 Starting dictionary file processing ...
03/31/2020 13:12:10 Writing dictionary info to saved dictionary
03/31/2020 13:12:10 Successfully wrote dictionary information to saved-dcts.bin
03/31/2020 13:12:10 Closing saved dictionary file
03/31/2020 13:12:10 Successfully created and closed saved-dcts.bin
03/31/2020 13:12:10 Concluded dictionary file processing ...

  6. Add a new RADIUS client (RADIUS > RADIUS Client > Add New) in the Security Console and select Palo Alto Networks for the Make/Model selection.

  7. Add a new RADIUS Profile where the Palo Alto RADIUS attributes can be added to the Return List Attributes section of the RADIUS Profile:

NOTE: Ensure you are in a new Security Console session; otherwise you may be looking at cached, old data and not see the Palo Alto RADIUS attributes.

  8. Assign the RADIUS profile to a user account using Authentication Settings and perform a RADIUS authentication test.

Notes
To perform a RADIUS authentication test, an administrator could use NTRadPing.
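The command-line part of the procedure above (steps 2 to 5), written as an added POSIX shell script that is not part of this article and not RSA's own tooling. It copies the three unpacked files into the RADIUS directory, sets saved-dcts.bin aside, restarts only the RADIUS service, and then checks the dated log for the rebuild message. The /opt/rsa/am/radius and rsaserv paths are the ones the article gives; the unpack directory, the --apply switch, the extra .OLD copies of vendor.ini and dictiona.dcm, and the check that the installed vendor.ini names Palo Alto are assumptions of this example.

```shell
#!/bin/sh
# Added example, not RSA's own tooling: scripted form of the steps in this
# article. Paths for the RADIUS directory and rsaserv come from the article;
# the unpack directory, the --apply switch and the extra .OLD copies of
# vendor.ini and dictiona.dcm are assumptions of this example.
set -u

RADIUS_DIR="${RADIUS_DIR:-/opt/rsa/am/radius}"
RSASERV="${RSASERV:-/opt/rsa/am/server/rsaserv}"

# Steps 2 and 3: copy the three unpacked files into the RADIUS directory and
# set the binary dictionary cache aside so it is rebuilt on the next start.
# Usage: install_palo_alto_dictionary <unpack_dir> <radius_dir>
install_palo_alto_dictionary() {
    unpack_dir="$1"
    radius_dir="$2"
    for f in paloalto.dct vendor.ini dictiona.dcm; do
        if [ ! -f "$unpack_dir/$f" ]; then
            echo "missing $unpack_dir/$f (unpack paloalto.zip first)" >&2
            return 1
        fi
    done
    # Keep the stock vendor.ini and dictiona.dcm (assumption: the article
    # overwrites them without a copy; a copy makes rollback simple).
    for f in vendor.ini dictiona.dcm; do
        if [ -f "$radius_dir/$f" ]; then
            cp -p "$radius_dir/$f" "$radius_dir/$f.OLD" || return 1
        fi
    done
    for f in paloalto.dct vendor.ini dictiona.dcm; do
        cp "$unpack_dir/$f" "$radius_dir/$f" || return 1
    done
    # Step 3 as in the article: mv saved-dcts.bin saved-dcts.bin.OLD
    if [ -f "$radius_dir/saved-dcts.bin" ]; then
        mv "$radius_dir/saved-dcts.bin" "$radius_dir/saved-dcts.bin.OLD" || return 1
    fi
    return 0
}

# Step 4: restart only the RADIUS service.
restart_radius() {
    "$RSASERV" restart radius
}

# Step 5: confirm the rebuild from the dated log (yyyymmdd.log) and from the
# presence of a fresh saved-dcts.bin. Returns 0 when the log line
# "Successfully wrote dictionary information to saved-dcts.bin" is present.
# Usage: verify_dictionary_rebuild <radius_dir> [yyyymmdd]
verify_dictionary_rebuild() {
    radius_dir="$1"
    day="${2:-$(date +%Y%m%d)}"
    log="$radius_dir/$day.log"
    if [ ! -f "$log" ]; then
        echo "no RADIUS log $log" >&2
        return 1
    fi
    grep -q 'Successfully wrote dictionary information to saved-dcts.bin' "$log" || return 1
    [ -f "$radius_dir/saved-dcts.bin" ] || return 1
    # Assumption: the updated vendor.ini names the Palo Alto vendor, so a
    # stale vendor.ini is caught here rather than later in the console.
    grep -qi 'palo *alto' "$radius_dir/vendor.ini"
}

if [ "${1:-}" = "--apply" ]; then
    unpack_dir="${2:-/tmp/paloalto}"      # assumed location of the unpacked zip
    install_palo_alto_dictionary "$unpack_dir" "$RADIUS_DIR" || exit 1
    restart_radius || exit 1
    if verify_dictionary_rebuild "$RADIUS_DIR"; then
        echo "Palo Alto dictionary loaded on $(hostname); repeat on every instance"
    else
        echo "rebuild not confirmed; inspect $RADIUS_DIR/$(date +%Y%m%d).log" >&2
        exit 1
    fi
fi
```

Run it as rsaadmin on each Authentication Manager instance after unpacking paloalto.zip, for example `sh install_paloalto_dict.sh --apply /tmp/paloalto` (script name and unpack path are placeholders); without `--apply` it only defines the functions, so the copy and verification steps can be exercised against a scratch directory first.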