000023097 - Adding a vendor-specific attribute dictionary to RSA RADIUS

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000023097
Applies To: VSA
RSA Authentication Manager 6.1
RSA Authentication Manager 7.1
RSA SecurID Appliance 3.0
RSA RADIUS 6.1.2
Microsoft Windows
Issue: Adding a vendor-specific attribute dictionary to RSA RADIUS
How to add vendor-specific attributes to RSA RADIUS
Resolution

To configure an RSA RADIUS server with a new custom dictionary for vendor-specific attributes, follow these steps:

1) Create a custom dictionary in the radius/service directory and add an appropriate MACRO line and the Vendor-Specific Attributes (VSA). The dictionary file must have a '.dct' file extension.
For example, the following text defines the Juniper vendor-specific attributes in a dictionary called Juniper.dct:

################################################################################
#
# This dictionary contains Juniper Vendor Specific Attributes
#
# (See README.DCT for more details on the format of this file)
################################################################################

# Use the Radius specification attributes
#
@radius.dct

#
# Juniper specific parameters
#
MACRO Juniper-VSA(t,s) 26 [vid=2636 type1=%t% len1=+2 data=%s%]

ATTRIBUTE Juniper-Local-User-Name Juniper-VSA(1, string) r
ATTRIBUTE Juniper-Allow-Commands Juniper-VSA(2, string) r
ATTRIBUTE Juniper-Deny-Commands Juniper-VSA(3, string) r
ATTRIBUTE Juniper-Allow-Configuration Juniper-VSA(4, string) r
ATTRIBUTE Juniper-Deny-Configuration Juniper-VSA(5, string) r

2) Add an entry for the new dictionary to the radius/service/vendor.ini file.
For example:

vendor-product = Juniper
dictionary = Juniper
ignore-ports = no
port-number-usage = per-port-type
help-id = 2000

3) For this example you would add the following line to the radius/service/dictiona.dcm file:

@juniper.dct

4) Stop the RSA RADIUS server from the RSA Authentication Manager Control Panel > Start & Stop RSA Auth Mgr Services > Stop RADIUS button (where "Start and Stop RADIUS server together with authentication engine" is not checked).

5) Rename radius/service/saved-dcts.bin to a new filename, e.g. saved-dcts.bin.OLD

6) Start the RSA RADIUS server from the RSA Authentication Manager Control Panel > Start & Stop RSA Auth Mgr Services > Start RADIUS button.
* A new saved-dcts.bin file is created when the RSA RADIUS server starts.
During startup of the RSA RADIUS server, the following information is written to the RSA RADIUS log:



  

02/06/2008 15:30:56 Saved dictionary file C:\PROGRA~1\RSASEC~2\RSARAD~1\Service\saved-dcts.bin does not exist
02/06/2008 15:30:56 Opening saved dictionary file
02/06/2008 15:30:56 Successfully initialized saved-dcts.bin file
02/06/2008 15:30:56 Starting dictionary file processing ...
02/06/2008 15:31:03 Writing dictionary info to saved dictionary
02/06/2008 15:31:03 Successfully wrote dictionary information to saved-dcts.bin
02/06/2008 15:31:03 Closing saved dictionary file
02/06/2008 15:31:03 Successfully created and closed saved-dcts.bin

7) An administrator can now create a RADIUS client that uses the new RADIUS dictionary, and the vendor-specific attributes will be available in the Return List Attributes list when creating a RADIUS profile.
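
The MACRO line in step 1 fixes how each return-list attribute is packed on the wire: RADIUS attribute 26, vendor ID 2636, a one-byte vendor type, a one-byte length equal to the data length plus 2, then the string. The Python below is an added example, not RSA code; its function names are hypothetical, it reads only the MACRO and ATTRIBUTE lines shown in step 1, and it can be used to check an attribute taken from a packet capture against the dictionary.

```python
import re
import struct

# Dictionary text copied from step 1 of the article (Juniper.dct, comments omitted).
JUNIPER_DCT = """\
MACRO Juniper-VSA(t,s) 26 [vid=2636 type1=%t% len1=+2 data=%s%]
ATTRIBUTE Juniper-Local-User-Name Juniper-VSA(1, string) r
ATTRIBUTE Juniper-Allow-Commands Juniper-VSA(2, string) r
ATTRIBUTE Juniper-Deny-Commands Juniper-VSA(3, string) r
ATTRIBUTE Juniper-Allow-Configuration Juniper-VSA(4, string) r
ATTRIBUTE Juniper-Deny-Configuration Juniper-VSA(5, string) r
"""

def load_dictionary(text):
    """Return (radius_type, vendor_id, {attribute name: vendor type})."""
    macro = re.search(r"^MACRO\s+(\S+)\(t,s\)\s+(\d+)\s+\[vid=(\d+)\b", text, re.M)
    if not macro:
        raise ValueError("no MACRO line found")
    name, radius_type, vendor_id = macro.group(1), int(macro.group(2)), int(macro.group(3))
    attr_re = re.compile(r"^ATTRIBUTE\s+(\S+)\s+%s\((\d+),\s*string\)" % re.escape(name), re.M)
    attrs = {m.group(1): int(m.group(2)) for m in attr_re.finditer(text)}
    return radius_type, vendor_id, attrs

def encode_vsa(attr_name, value, text=JUNIPER_DCT):
    """Build the on-the-wire bytes for one string VSA."""
    radius_type, vendor_id, attrs = load_dictionary(text)
    data = value.encode("utf-8")
    if len(data) > 247:  # 255 - 2 (type, length) - 4 (vendor id) - 2 (type1, len1)
        raise ValueError("value too long for a single VSA")
    sub = struct.pack("!BB", attrs[attr_name], len(data) + 2) + data  # type1, len1=+2, data
    return struct.pack("!BBI", radius_type, len(sub) + 6, vendor_id) + sub

def decode_vsa(raw, text=JUNIPER_DCT):
    """Parse one VSA and map it back to its dictionary name; reject bad lengths."""
    radius_type, vendor_id, attrs = load_dictionary(text)
    if len(raw) < 8:
        raise ValueError("truncated VSA")
    rtype, rlen, vid, type1, len1 = struct.unpack("!BBIBB", raw[:8])
    if rtype != radius_type or vid != vendor_id:
        raise ValueError("not a VSA for this dictionary")
    if rlen != len(raw) or len1 != rlen - 6:
        raise ValueError("inconsistent length fields")
    names = {v: k for k, v in attrs.items()}
    if type1 not in names:
        raise ValueError("vendor type %d not in dictionary" % type1)
    return names[type1], raw[8:].decode("utf-8")
```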


 


Available documentation: RSA RADIUS Server 6.1 Administrator's Guide and RSA Authentication Manager 7.1 RADIUS Reference Guide

Notes

In the above example the files are shown in a radius/service folder. On the RSA SecurID appliance this folder is /usr/local/RSASecurity/RSAAuthenticationManager/radius

Legacy Article ID: a38618
