000024843 - Trying to pass user extension data from RSA ACE/Server through RADIUS and the extension key is included with the data

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000024843
Applies To: RSA Authentication Manager 6.0
RSA ACE/Server RADIUS
User Extension Data can be passed from the ACE/Server to a requesting client using RADIUS attributes. User Extension Data for each user is accessible through the Administration Tool --> User --> Edit User --> Edit User Extension Data button. Two fields are necessary to add User Extension Data: the 'Key' field and the 'Data' field. In the example below, the key is "memberof" and the data is "Ace":

- The next step is to configure a profile under Administration Tool --> Profile --> Add Profile --> Name: TESTPROFILE

- Choose an attribute such as Filter-Id (the attribute must be a class attribute and have a value type selection of "User Extension key prefix")

- From the 'Available Attributes' selection box, select "Class"

- From the Pull Down selection box "Value Type" select "User Extension key prefix"

- In the "Value:" text box, type "memberof". This points to the User Extension key memberof that we added under Edit User

NOTE: You can have more than one key specified in the User Extension Data for the user, and you can pass multiple keys per profile

- The RADIUS profile is also selected under the Administration Tool --> User --> Edit User --> Assign Profile button

- The final step is to run the command /ace/prog/rwconfig . Under Profiles --> Make sure that Enable User Profiles is enabled. Make sure that User Profile Settings --> Profile Extensions is also enabled.

- Lastly, you must stop and start the ACE/Server RADIUS for these changes to take effect. The RADIUS can be stopped and started independently of the ACE/Server as follows:

On UNIX:

    sdradius stop
    sdradius start

On Windows NT:

Navigate to Start Menu --> Settings --> Control Panel --> Services --> ACE/Server Radius, right-click and select stop, wait until the service has stopped, then select start

On Windows 2000:

Navigate to Start Menu --> Control Panel --> Administrative Tools --> Services
Issue: Trying to pass user extension data from RSA ACE/Server through RADIUS and the extension key is included with the data
In this instance, the RADIUS attribute and value passed would look like the following:

    attr: name=Filter-Id value=memberof=Ace

The desired output would not include the key, "memberof":

    attr: name=Filter-Id value=Ace

Resolution: This issue is resolved in a hot fix for RSA Authentication Manager 6.0. Contact RSA Security Customer Support to obtain hot fix ID17126. RSA Authentication Manager 6.1 will have functionality such that this is configurable.
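To confirm from the RADIUS client side whether the server still prefixes the extension key to the value (for example before and after applying the hot fix), the check below parses a raw RADIUS packet and flags any Filter-Id whose value begins with a configured extension key. It is an added example, not RSA code; the function names and the sample packets are constructed for illustration, and it does not validate the response authenticator.

```python
import struct

FILTER_ID = 11   # RADIUS attribute type for Filter-Id (RFC 2865)
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)

def parse_attributes(packet: bytes):
    """Yield (type, value) for each attribute in a raw RADIUS packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def check_filter_ids(packet: bytes, extension_keys):
    """Return [(value, leaked_key or None)] for every Filter-Id attribute."""
    results = []
    for atype, raw in parse_attributes(packet):
        if atype != FILTER_ID:
            continue
        value = raw.decode("utf-8", "replace")
        key, sep, _data = value.partition("=")
        leaked = key if sep and key in extension_keys else None
        results.append((value, leaked))
    return results

def build_accept(filter_id: str) -> bytes:
    """Constructed sample: Access-Accept (code 2), zeroed authenticator."""
    attr = bytes([FILTER_ID, 2 + len(filter_id)]) + filter_id.encode()
    header = struct.pack("!BBH", 2, 1, HEADER_LEN + len(attr))
    return header + bytes(16) + attr

if __name__ == "__main__":
    # "memberof" is the extension key used in this article.
    for sample in ("memberof=Ace", "Ace"):
        print(check_filter_ids(build_accept(sample), {"memberof"}))
```

Feed `check_filter_ids` the payload bytes of a captured Access-Accept and the set of keys defined under Edit User Extension Data; a non-`None` second element means the key is still being sent with the data.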
Legacy Article ID: a26281
