000011715 - Adding a new RADIUS dictionary to RSA RADIUS - Fortinet

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000011715
Applies To: RSA RADIUS 6.1; RSA RADIUS 7.1; RSA Authentication Manager 8.0; vendor specific attribute; VSA; RADIUS dictionary; RADIUS; Fortinet; Fortigate
Issue: Adding a new RADIUS dictionary to RSA RADIUS - Fortinet
A third-party device requires a vendor specific attribute to be returned in a RADIUS profile return list.
Resolution

Contact the vendor of the third-party device or software to find out which attributes must be returned in the RADIUS profile. If the vendor specific attributes do not already exist, this information can be used to create a new RADIUS dictionary. The following example adds a new vendor specific attribute dictionary to RSA RADIUS for a Fortinet device.

Vendor: Fortinet
Description: Fortinet ACL specific attributes being returned in an RSA RADIUS profile

Steps:

1. The default RSA RADIUS folders for RSA RADIUS 6.1 are:

i) on a supported Microsoft Windows platform: C:\Program Files\RSA Security\RSA RADIUS\Service
ii) on a supported UNIX platform: /opt/rsa/radius

The default RSA RADIUS folders for RSA RADIUS 7.1 are:

i) on a supported Microsoft Windows platform: C:\Program Files\RSA Security\RSA Authentication Manager\radius\Service
ii) on a supported UNIX platform: /usr/local/RSASecurity/RSAAuthenticationManager/radius

The default RSA RADIUS folder for RSA Authentication Manager 8.0 is:

i) /opt/rsa/am/radius

2. Create a RADIUS dictionary file named after the vendor in the RSA RADIUS folder, e.g. fortinet.dct

3. For this example we are going to add attributes to the new RADIUS dictionary, e.g.

@radius.dct
MACRO              FORTINET-VSA(type,syntax)   26   [vid=12356 type1=%type% len1=+2 data=%syntax%]
ATTRIBUTE          Fortinet-Group-Name                                   FORTINET-VSA(1,    string) r
ATTRIBUTE          Fortinet-Client-IP-Address                            FORTINET-VSA(2,    ipaddr) r
ATTRIBUTE          Fortinet-Vdom-Name                                    FORTINET-VSA(3,    string) r

NOTE: Refer to the readme.dct in the RADIUS folder for detailed information on the dictionary format.

4. Update a file called vendor.ini and add a new section for the new vendor, e.g.

vendor-product       = Fortinet
dictionary           = fortinet
ignore-ports         = no
port-number-usage    = per-port-type
help-id              = 2000

NOTE: It is recommended to add the new vendor in alphabetic order, as this maintains order in the pull-down list of the RADIUS graphical user interface.

5. Update a file called dictiona.dcm and add the dictionary filename to the vendor specific list (in alphabetic order), e.g.

@fortinet.dct

6. Stop and start the RSA RADIUS service.

Examine the RADIUS log file (formatted yyyymmdd.log - e.g. 20110829) found in the radius folder for any error messages concerning the new RADIUS dictionary (e.g. fortinet.dct). You are likely to see an update to the dictionary information after adding the new RADIUS dictionary, e.g.

...
08/29/2011 09:51:03 Number of dictionaries in saved file does not match number in directory
08/29/2011 09:51:03 Opening saved dictionary file
08/29/2011 09:51:03 Successfully initialized saved-dcts.bin file
08/29/2011 09:51:03 Starting dictionary file processing ...
08/29/2011 09:51:10 Writing dictionary info to saved dictionary
08/29/2011 09:51:11 Successfully wrote dictionary information to saved-dcts.bin
08/29/2011 09:51:11 Closing saved dictionary file
08/29/2011 09:51:11 Successfully created and closed saved-dcts.bin
08/29/2011 09:51:11 Concluded dictionary file processing ...
...

7. When configuring the RADIUS clients there will be a new Make/model type called "Fortinet" which will allow Fortinet vendor specific attributes to be selected for the Return List of Attributes.

Contact RSA Customer Support if you still experience a technical issue adding a vendor specific RADIUS dictionary to RSA RADIUS 6.1 or RSA RADIUS 7.1.
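
What the MACRO line in step 3 puts on the wire, as an added example that is not part of the original article and is not RSA or Fortinet code. It reads `26 [vid=12356 type1=%type% len1=+2 data=%syntax%]` as the RFC 2865 Vendor-Specific layout; that reading, the function names and the sample values are assumptions. The output can be compared with the bytes seen in a packet capture of an Access-Accept.

```python
import ipaddress
import struct

VENDOR_SPECIFIC = 26   # outer RADIUS attribute type from the MACRO line
FORTINET_VID = 12356   # vid= value from the MACRO line
# Vendor types and syntaxes copied from the three ATTRIBUTE lines in step 3.
FORTINET_ATTRS = {
    1: ("Fortinet-Group-Name", "string"),
    2: ("Fortinet-Client-IP-Address", "ipaddr"),
    3: ("Fortinet-Vdom-Name", "string"),
}


def encode_vsa(vendor_type, value):
    """Build one Vendor-Specific attribute holding a single Fortinet sub-attribute."""
    name, syntax = FORTINET_ATTRS[vendor_type]
    if syntax == "ipaddr":
        data = ipaddress.IPv4Address(value).packed
    else:
        data = value.encode("utf-8")
    # type1 = one-byte vendor type; len1=+2 = one-byte length of data plus 2.
    sub = bytes([vendor_type, len(data) + 2]) + data
    total = 2 + 4 + len(sub)  # outer type and length, 4-byte vendor id, sub-attribute
    if total > 255:
        raise ValueError(f"{name} value does not fit in one RADIUS attribute")
    return bytes([VENDOR_SPECIFIC, total]) + struct.pack("!I", FORTINET_VID) + sub


def decode_vsa(attr):
    """Return (name, value) for one attribute, or raise ValueError if malformed."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    (vid,) = struct.unpack("!I", attr[2:6])
    if vid != FORTINET_VID:
        raise ValueError(f"unexpected vendor id {vid}")
    vendor_type, vendor_len, data = attr[6], attr[7], attr[8:]
    if vendor_type not in FORTINET_ATTRS or vendor_len != len(data) + 2:
        raise ValueError("unknown vendor type or inconsistent sub-attribute length")
    name, syntax = FORTINET_ATTRS[vendor_type]
    if syntax == "ipaddr":
        return name, str(ipaddress.IPv4Address(data))  # rejects anything but 4 bytes
    return name, data.decode("utf-8")


# Constructed sample values, not taken from a real deployment.
GROUP_VSA = encode_vsa(1, "vpn-admins")
CLIENT_IP_VSA = encode_vsa(2, "192.0.2.10")

if __name__ == "__main__":
    for raw in (GROUP_VSA, CLIENT_IP_VSA):
        print(raw.hex(), decode_vsa(raw))
```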

Legacy Article ID: a55704
