A RADIUS profile is a collection of attributes that are exchanged between the RADIUS client and server during authentication. These attributes are used to validate the request and to set parameters for the user's session. RSA SecurID Access provides the attributes in dictionary files with the RADIUS server.
RSA SecurID Access provides one profile named Default RADIUS Profile, which is stored on the Cloud Authentication Service. A profile is not required for RADIUS authentication and you can choose not to configure it.
Return List Attributes
The RADIUS server sends return list attributes to the RADIUS client in the Access-Accept message after a user is authenticated. Return list attributes carry the session parameters, such as a VLAN assignment or an IP address assignment, that the RADIUS client needs to connect the user.
Return list attributes must use attribute names from the provided dictionary files. You can set static attribute values when configuring the RADIUS profile, but dynamic values for LDAP or Active Directory attributes are not supported.
If you want an attribute value in the user request to be returned to the client in the RADIUS response, leave the return list value blank and select the Echo checkbox for the attribute.
Checklist Attributes
The RADIUS client sends checklist attributes in the authentication request to the RADIUS server. The server checks that each checklist attribute in the RADIUS profile is present in the request with a matching value. If a checklist attribute is missing from the request, or its value does not match, the request is rejected. If you want the server to accept requests in which an attribute is missing, select the Optional for user request processing checkbox for that attribute.
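The following is an added example, not code from RSA SecurID Access, that models the profile processing described in the three passages above: checklist attributes that must match (with the Optional flag covering a missing attribute), static return list values, and Echo entries copied from the request. The profile, the attribute values and the requests are constructed for illustration; the example assumes the user's credentials were already verified, and it assumes that an Optional attribute which is present with a non-matching value is still rejected (Optional only excuses absence).

```python
"""Added example: RADIUS profile evaluation (checklist, then return list).
Assumes authentication of the user already succeeded."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class ChecklistItem:
    name: str
    values: Tuple[str, ...]   # multi-value attribute: any listed value matches
    optional: bool = False    # "Optional for user request processing"


@dataclass(frozen=True)
class ReturnItem:
    name: str
    value: str = ""           # static value set in the profile
    echo: bool = False        # value left blank, Echo selected: copy from request


@dataclass
class Profile:
    checklist: List[ChecklistItem] = field(default_factory=list)
    return_list: List[ReturnItem] = field(default_factory=list)


def evaluate(profile, request):
    """request maps attribute name -> list of values from the Access-Request
    (a list because an attribute may occur more than once).
    Returns ("Access-Accept", ordered return list) or ("Access-Reject", reason)."""
    for item in profile.checklist:
        present = request.get(item.name, [])
        if not present:
            if item.optional:
                continue          # Optional: absence is tolerated
            return "Access-Reject", f"missing checklist attribute {item.name}"
        if not any(v in item.values for v in present):
            # assumption: a present but non-matching value is rejected even if Optional
            return "Access-Reject", f"{item.name} {present} not permitted by profile"
    reply = []
    for item in profile.return_list:
        if item.echo:
            # Echo: return every value the request carried; nothing if absent
            reply.extend((item.name, v) for v in request.get(item.name, []))
        else:
            reply.append((item.name, item.value))
    return "Access-Accept", reply


# Constructed profile (hypothetical values): callers may come from either
# number; NAS-Identifier is checked only when present; the response pins an
# address, a timeout, and echoes Class back to the client.
PROFILE = Profile(
    checklist=[
        ChecklistItem("Calling-Station-Id", ("5551234", "5555678")),
        ChecklistItem("NAS-Identifier", ("vpn-gw-1",), optional=True),
    ],
    return_list=[
        ReturnItem("Framed-IP-Address", "10.20.0.5"),
        ReturnItem("Session-Timeout", "28800"),
        ReturnItem("Class", echo=True),
    ],
)

# Constructed requests: a matching one, one from an unlisted number, one with
# no number at all, and one whose optional attribute is present but wrong.
REQUESTS = {
    "ok": {"User-Name": ["alice"], "Calling-Station-Id": ["5555678"], "Class": ["grp=staff"]},
    "wrong_number": {"User-Name": ["alice"], "Calling-Station-Id": ["5559999"]},
    "no_number": {"User-Name": ["alice"], "NAS-Identifier": ["vpn-gw-1"]},
    "bad_nas": {"User-Name": ["alice"], "Calling-Station-Id": ["5551234"], "NAS-Identifier": ["rogue"]},
}


def run_samples():
    """Evaluate every constructed request against the constructed profile."""
    return {name: evaluate(PROFILE, req) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, result)
```

Note that the echoed Class value is simply absent from the response when the request did not carry it; the profile's other return list entries are still sent in the order the profile lists them.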
Single- and Multiple-Value Attributes
Single-value attributes appear only once in the checklist or return list. Multiple-value attributes may appear several times, and every listed value is valid. For example, a checklist can include several telephone numbers for the attribute Calling-Station-Id. Because all of those numbers are valid, a user dialing in to your network can call from any of the listed numbers and authenticate successfully.
If an attribute appears more than once in the return list, each value is included in the response. For example, to enable both IP and IPX header compression for a user, the Framed-Compression attribute must appear twice in the return list: once with the value VJ-TCP-IP-header-compression and once with the value IPX-header-compression.
Ordered Multiple-Value Attributes in Return Lists
When you define certain multiple-value return list attributes in a profile, it is important to properly order the values that appear in a RADIUS response more than once. For example, the Reply-Message attribute allows text messages to be sent back to the user for display. The RADIUS response handles a multiline message by including this attribute multiple times in the return list, with each message line in proper sequence, as specified in the profile.
You can re-order attribute values by first deleting them from the attribute and then re-adding them in the correct order.
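The following is an added example, not code from RSA SecurID Access or its dictionary files, showing what the multi-value and ordered return list attributes discussed above look like on the wire. RADIUS attributes are RFC 2865 type/length/value triplets, and an attribute that appears twice in the return list is simply emitted twice, in the order the profile lists it; the decoder below keeps that order, so a multi-line Reply-Message comes back in sequence. The type codes and Framed-Compression values are the standard RFC 2865 ones; the message text and the sample request are constructed.

```python
"""Added example: multi-value and ordered RADIUS attributes on the wire."""
import struct

# Standard dictionary type codes from RFC 2865.
FRAMED_COMPRESSION = 13  # integer
REPLY_MESSAGE = 18       # text
CALLING_STATION_ID = 31  # text

# Named values for Framed-Compression (RFC 2865, section 5.13).
FRAMED_COMPRESSION_VALUES = {
    "None": 0,
    "VJ-TCP-IP-header-compression": 1,
    "IPX-header-compression": 2,
    "Stac-LZS": 3,
}


def encode_avp(attr_type, data):
    """One attribute: 1-byte type, 1-byte length (header included), value."""
    if not 0 <= len(data) <= 253:
        raise ValueError("a RADIUS attribute value must fit in 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def encode_attributes(items):
    """items: ordered (type, value) pairs; str -> UTF-8, int -> 4-byte big-endian.
    List order becomes wire order, which is the only ordering a response has."""
    out = bytearray()
    for attr_type, value in items:
        data = struct.pack("!I", value) if isinstance(value, int) else value.encode()
        out += encode_avp(attr_type, data)
    return bytes(out)


def decode_attributes(buf):
    """Walk the attribute section and return (type, raw value) pairs in wire order.
    A length below 2 would never advance the cursor, so it is rejected instead
    of looped on; a length running past the buffer is a truncated packet."""
    avps, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError(f"bad attribute length {length} at offset {i}")
        avps.append((attr_type, bytes(buf[i + 2:i + length])))
        i += length
    return avps


def values_of(avps, attr_type):
    """Every occurrence of one attribute, in order (multi-value attributes)."""
    return [v for t, v in avps if t == attr_type]


def rejects(buf):
    """True if the decoder refuses the buffer as malformed."""
    try:
        decode_attributes(buf)
    except ValueError:
        return True
    return False


# Constructed return list mirroring the text: Framed-Compression twice and a
# three-line Reply-Message, in the order the profile lists them.
RETURN_LIST = [
    (FRAMED_COMPRESSION, FRAMED_COMPRESSION_VALUES["VJ-TCP-IP-header-compression"]),
    (FRAMED_COMPRESSION, FRAMED_COMPRESSION_VALUES["IPX-header-compression"]),
    (REPLY_MESSAGE, "Welcome to the corporate VPN."),
    (REPLY_MESSAGE, "Your session expires in 8 hours."),
    (REPLY_MESSAGE, "Report problems to the help desk."),
]

# Constructed request carrying two Calling-Station-Id values.
REQUEST = [(CALLING_STATION_ID, "5551234"), (CALLING_STATION_ID, "5555678")]


def reply_message_lines(buf):
    return [v.decode() for v in values_of(decode_attributes(buf), REPLY_MESSAGE)]


def framed_compression_values(buf):
    return [struct.unpack("!I", v)[0]
            for v in values_of(decode_attributes(buf), FRAMED_COMPRESSION)]


def calling_station_ids(buf):
    return [v.decode() for v in values_of(decode_attributes(buf), CALLING_STATION_ID)]


if __name__ == "__main__":
    wire = encode_attributes(RETURN_LIST)
    print(wire.hex())
    print(reply_message_lines(wire))
```

Because ordering exists only as wire order, re-ordering values in the profile (deleting and re-adding them, as described above) is what changes the sequence the client sees; nothing in the packet marks a line as first or last.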
RADIUS Dictionary Files
RSA SecurID Access provides all attributes in dictionary files stored on the identity router. These dictionaries support most major brands of RADIUS client devices. The files include:
- Standard RADIUS attributes.
- Vendor-specific dictionaries containing over 4000 attributes and 5000 named values.
Note: If you want to use a new or specialized RADIUS client device that has its own dictionary file containing client-specific attributes, contact RSA Customer Support.
When adding attributes to a RADIUS profile, you can search for specific attributes.