000034398 - How to map the value of a Microsoft Active Directory object to a RADIUS user attribute definition to be associated to a RADIUS user attribute on RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Nov 30, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000034398
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Manager
RSA Version/Condition: 8.1 SP1 and higher
 
Issue: A RADIUS client requires a RADIUS profile to be returned that contains the value of an Active Directory object.
 
Resolution: Here is a procedure to map the value of a Microsoft Active Directory object (or user attribute) to a RADIUS user attribute definition, which in turn can be associated with a RADIUS user attribute linked to a user ID.
In this example the object (or user attribute) info is used and given the value TEST-MARK. Only the attributes/objects found in the user properties can be mapped in this way. The memberOf object is in the user properties; however, it returns only the distinguished name (DN) of the group, not its common name (CN). You may need to use another object or set up a custom object in the user properties.

Updating the value of an attribute in ADSI Edit


ADSI Edit is used to update the value of an attribute for a user. In this example, the user is named Brodie Chen, the attribute used is info and it is given the value TEST-MARK.

An external identity source for the Active Directory is configured to map user and group information into the Authentication Manager. Review the online help for the procedure for adding an external identity source via the Operations Console.

Once the external identity source is created, it will need to be linked to the system. Again, the steps to complete this task are in the online help.

Add a new identity attribute definition


  1. In the Security Console, navigate to Identity > Identity Attribute Definitions > Add New.
  2. Fill out the Attribute Name.
  3. Set the Data Type to String.
  4. Under Identity Source Mapping, where the name of the identity source is displayed, enter the attribute name. In this example the attribute name is info. Note that dynaglide is the name given to the external identity source configured for this example.
  5. Click Save.

 

Add a new RADIUS user attribute definition via the Security Console


  1. In the Security Console navigate to RADIUS > RADIUS User Attribute Definition.
  2. Enter a Number (64 – 255); here 117 is used.
  3. Enter an Attribute Name.
  4. Select Yes for Map to an Identity Attribute.
  5. Select the Identity Attribute created previously from the drop-down list.
  6. Click Save.


Update the RADIUS dictionary so it reflects the Attribute Name


  1. Log on to the Authentication Manager command line with the rsaadmin account.
  2. Navigate to /opt/rsa/am/radius.
  3. Open the radius.dct file in a text editor, such as vi.
  4. Add the new attribute name to the bottom of the file, as shown in the example below.
  5. When done, press Esc then type :wq! to save and close the file.
  6. Restart the RADIUS services for the changes to take effect.
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter OS password>
Last login: Wed Nov 30 20:16:23 2016 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am81p:~> cd /opt/rsa/am/radius
rsaadmin@am81p:/opt/rsa/am/radius> vi radius.dct
################################################################################
# radius.dct - the baseline Radius dictionary implementation for STRUCTURED
#              vendor specific attributes
#
# Notes:
#     NRHH = Not Required to Honor the Hint (applies to request attributes).
#            This language (the expansion of NRHH) is taken directly from the
#            RADIUS spec.
#
# (See README.DCT for more details on the format of this file)
#
#
# updated 06/18/1998   KPW/DJM
# updated 01/24/2000   KPW
# updated 07/30/2001   ECA
################################################################################
ATTRIBUTE Digest-Entity-Body-Hash   111         string      c
ATTRIBUTE Digest-CNonce             112         string      c
ATTRIBUTE Digest-Nonce-Count        113         string      c
ATTRIBUTE Digest-Username           114         string      c
################################################################################
# radius.dct - the baseline Radius dictionary implementation for STRUCTURED
#              vendor specific attributes
################################################################################
#added by Mark Bell
ATTRIBUTE groupname                 117         string      r
:wq!
rsaadmin@am81p:/opt/rsa/am/radius> cd ../server
rsaadmin@am81p:/opt/rsa/am/server> ./rsaserv restart radius
rsaadmin@am81p:/opt/rsa/am/server>
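The dictionary edit above is done by hand in vi and the server is restarted straight afterwards, so a typo, a number outside 64 – 255, or a number that collides with an attribute already in radius.dct is only discovered when RADIUS fails or returns the wrong attribute. The following added Python example (not part of this article or of RSA's software) parses ATTRIBUTE lines in the format shown above, checks a proposed definition against what is already defined, and appends it in the same layout. The excerpt in EXISTING_DCT is constructed from the lines quoted in the session, not the real file, and the "r" flag is simply the one the article's own entry uses.

```python
import re
from typing import List, Optional, Tuple

# Constructed excerpt in the radius.dct layout quoted in the article; not the real file.
EXISTING_DCT = """\
################################################################################
# radius.dct - the baseline Radius dictionary implementation for STRUCTURED
#              vendor specific attributes
################################################################################
ATTRIBUTE Digest-Entity-Body-Hash   111         string      c
ATTRIBUTE Digest-CNonce             112         string      c
ATTRIBUTE Digest-Nonce-Count        113         string      c
ATTRIBUTE Digest-Username           114         string      c
"""

Entry = Tuple[str, int, str, str]  # (name, number, data type, flags)

# ATTRIBUTE <name> <number> <type> [flags]; other dictionary keywords are ignored here.
_ATTR_RE = re.compile(r"^ATTRIBUTE\s+(\S+)\s+(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_dct(text: str) -> List[Entry]:
    """Collect every ATTRIBUTE line, skipping blank lines and '#' comments."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ATTR_RE.match(line)
        if m:
            entries.append((m.group(1), int(m.group(2)), m.group(3), m.group(4) or ""))
    return entries


def find_attribute(text: str, number: int) -> Optional[Entry]:
    """Return the entry defined for a given attribute number, or None."""
    for entry in parse_dct(text):
        if entry[1] == number:
            return entry
    return None


def check_new_attribute(text: str, name: str, number: int) -> List[str]:
    """Pre-flight checks before appending a definition; an empty list means safe to add."""
    problems: List[str] = []
    # The Security Console only accepts 64 - 255 for a RADIUS user attribute number.
    if not 64 <= number <= 255:
        problems.append(f"number {number} is outside the 64-255 range")
    for ename, enum, _etype, _flags in parse_dct(text):
        if enum == number:
            problems.append(f"number {number} is already used by {ename}")
        if ename.lower() == name.lower():
            problems.append(f"name {name!r} is already defined as number {enum}")
    return problems


def render_attribute_line(name: str, number: int, data_type: str = "string",
                          flags: str = "r") -> str:
    """Format one ATTRIBUTE line aligned like the entries shown in the article."""
    return f"ATTRIBUTE {name:<27}{number:<12}{data_type:<12}{flags}"


def append_attribute(text: str, name: str, number: int, author: str) -> str:
    """Return the dictionary text with the new definition appended, refusing unsafe ones.

    The Security Console definition (number and name) must match what is added here,
    so the same values are used for both.
    """
    problems = check_new_attribute(text, name, number)
    if problems:
        raise ValueError("; ".join(problems))
    if not text.endswith("\n"):
        text += "\n"
    return text + f"#added by {author}\n" + render_attribute_line(name, number) + "\n"


if __name__ == "__main__":
    updated = append_attribute(EXISTING_DCT, "groupname", 117, "Mark Bell")
    print(updated)
    print("problems for 112:", check_new_attribute(EXISTING_DCT, "groupname", 112))
```

Run the checks against a copy of the real file before editing it; once the line has been appended, find_attribute on the updated text confirms the number resolves to the name the Security Console expects.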

  
Assign the attribute to a user


  1. In the Security Console select Identity > Users > Manage Existing.
  2. Enter search criteria to show the user ID in the search results.
  3. Click on the user ID and select Authentication Settings.
  4. Scroll to the section on RADIUS.
  5. For RADIUS User Attributes, select the new attribute (in this case, 117 - groupname) from the pull-down list and click Add.
  6. Click Save.

Testing the new attribute


Use a RADIUS test client, such as NTRadPing to test.  With NTRadPing a RADIUS client and an associated RSA agent need to be created.
  1. In the Security Console navigate to RADIUS > RADIUS Client > Add New.
  2. Enter a client name.
  3. Enter an IP address.
  4. Enter a shared secret.
  5. Click Save & Create Associated RSA Agent.
  6. The authentication agent form is pre-filled so click Save then click Yes, Save Agent.
To test with NTRadPing:
  1. Launch the interface.
  2. Enter the FQDN or IP address of the Authentication Manager server.
  3. Enter the RADIUS port number, typically 1645 or 1812.
  4. In the RADIUS Secret Key text box, enter the shared secret created above.
  5. Enter the user name.
  6. Enter the user's passcode, tokencode or fixed passcode, depending on the authentication method used.  Note that NTRadPing does not handle tokens in New PIN Mode by default and extra steps are needed.
  7. Do not check CHAP and leave the request type as Authentication Request.
  8. The RADIUS authentication test shows the attribute returned in the attribute dump.

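NTRadPing's attribute dump is a decoded view of the Access-Accept packet the Authentication Manager returns. The following added Python example (not part of this article or of NTRadPing) does the same decoding by hand for a constructed Access-Accept carrying attribute 117, and first verifies the Response Authenticator from RFC 2865 (MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the shared secret) so that a returned attribute value is only trusted when it came from a server holding the shared secret. The request authenticator, secret and user name "bchen" are constructed values; attribute 1 (User-Name) is the standard RFC 2865 attribute and 117 is the number this article assigns to groupname.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

ACCESS_ACCEPT = 2

# Attribute numbers to names: 1 is the RFC 2865 User-Name, 117 is the article's groupname.
DICTIONARY = {1: "User-Name", 117: "groupname"}

# Constructed test values; a real client generates a fresh random Request Authenticator.
REQUEST_AUTH = bytes(range(16))
SECRET = b"constructed-shared-secret"


def build_access_accept(ident: int, request_auth: bytes, secret: bytes,
                        attrs: List[Tuple[int, bytes]]) -> bytes:
    """Assemble an Access-Accept the way a server would, including its Response Authenticator."""
    body = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long for one RADIUS AVP")
        body += struct.pack("BB", attr_type, len(value) + 2) + value  # Type, Length, Value
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the packet's Response Authenticator matches the RFC 2865 formula."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> Dict[str, List[str]]:
    """Walk the Type/Length/Value list after the 20-byte header into name -> values."""
    attrs: Dict[str, List[str]] = {}
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + attr_len]
        name = DICTIONARY.get(attr_type, f"Attr-{attr_type}")
        attrs.setdefault(name, []).append(value.decode("utf-8", "replace"))
        pos += attr_len
    return attrs


def attribute_dump(packet: bytes, request_auth: bytes, secret: bytes) -> Dict[str, List[str]]:
    """Decode the attributes only after the packet has been authenticated."""
    if not verify_response_authenticator(packet, request_auth, secret):
        raise ValueError("Response Authenticator check failed; attributes not trusted")
    return parse_attributes(packet)


if __name__ == "__main__":
    pkt = build_access_accept(7, REQUEST_AUTH, SECRET,
                              [(1, b"bchen"), (117, b"TEST-MARK")])
    print(attribute_dump(pkt, REQUEST_AUTH, SECRET))
```

The dump for the constructed packet shows groupname carrying TEST-MARK, the value set on the info attribute in ADSI Edit earlier; flipping any byte of the packet, or checking it with a different secret, fails verification before any attribute is read.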