A RADIUS profile defines return list attributes which the RADIUS server sends to the RADIUS client for setting session parameters. You can configure custom profiles that specify an access policy rule set to determine which users can authenticate through the clients associated with the profile. A default profile is automatically associated with all RADIUS clients, and applies when an authentication attempt does not match the rule set for any other configured profile.
You can associate multiple profiles with a single client, or the same profile with multiple clients, but clients can only be associated with profiles that use rule sets from the access policy configured for the client. For information on return list attributes, see Attributes for RADIUS Clients and Profiles for the Cloud Authentication Service.
Note: RADIUS authentication is possible if you choose not to configure attributes for the default profile. In that case, the profile will have no impact on authentication.
Before you begin
You must be a Super Admin for the Cloud Administration Console.
In the Cloud Administration Console, click Authentication Clients > RADIUS.
Add a RADIUS Client for the Cloud Authentication Service, or click the name of an existing RADIUS client.
Click the RADIUS Profiles tab.
If you want to configure the default profile, select Show default profile, and skip to step 6. Otherwise, click New Profile.
In the Enter profile name field, enter a unique name to identify this profile.
- (Optional) To define return list attributes that the RADIUS server sends to the RADIUS client device after successful authentication, do the following:
Click ADD in the Return List Attributes table.
In the Attribute Name field, begin typing the attribute name to see valid attributes from the RADIUS dictionary file and select one from the drop-down list.
If you want to leave the attribute value blank and ensure that the value from the user request is returned to the client in the RADIUS response, select the Echo checkbox.
If you did not select Echo, specify the attribute value in the Value field. Click ADD if you need to specify additional values. To specify a value from an identity source attribute, begin typing the identity source attribute name, then select the value from the drop-down list. For an identity source attribute to appear in this list, you must select the Policy checkbox for the attribute on the Identity Source > User Attributes page. The order of specified values is important for certain attributes. The return list in the RADIUS server response displays the values in the order you specify.
Note: You can select only one identity source attribute per RADIUS attribute. You must enter attribute values using the correct data type. The field hint indicates the data type.
Repeat steps a to e for each return list attribute you want to add.
In the Rule Set drop-down menu, select a rule set to determine which users can authenticate through any RADIUS client associated with this profile. Rule sets are not applicable for the default profile.
Do one of the following:
- To assign this profile to the RADIUS client you selected in step 2, click Associate. Associating applies the profile's rule set and return list attributes to the client. The default profile is automatically associated with all RADIUS clients.
- To unassign this profile from the RADIUS client you selected in step 2, click Dissociate. Dissociating the profile unassigns it from the selected client but maintains the profile, so that it can be assigned to other RADIUS clients.
- To permanently remove this profile (for example, it is no longer needed), click Delete.
Click Publish Changes to apply the configured settings.
Note: A separate rule set is required for each profile you add. Two profiles cannot share the same rule set. A profile can only use rule sets from the access policy configured for its associated RADIUS clients. All clients associated with a profile must use the same access policy.