RADIUS User Attributes

Document created by RSA Information Design and Development on Jun 13, 2017Last modified by RSA Information Design and Development on Jun 13, 2017
Version 2Show Document
  • View in full screen mode

RSA RADIUS supports standard and custom RADIUS attributes.

  • Standard. Attributes with fixed names and assigned ID numbers specified by the RADIUS protocol. For more information, see the RADIUS client device documentation.

  • Custom. Attributes defined by a RADIUS client manufacturer that are not included in the RADIUS protocol. If you want to use these custom attributes, you define them through the Security Console, and then assign them to a user or trusted user. The user alias of a user is also assigned these custom attributes. For more information, see Edit a Custom RADIUS User Attribute Definition.

If you have attributes that you want to assign to more than one user, user alias, trusted user, or agent, you can create a profile with the attributes and assign the profile to the object.

If you want to assign specific standard or custom attributes to only one user or trusted user, you can assign these RADIUS attributes to a user or trusted user outside of a RADIUS profile. RADIUS attributes that you assign to a user or trusted user outside of a profile are called RADIUS user attributes. When you can assign RADIUS user attributes to a user, any user alias of the user is also assigned the attributes. You cannot assign user attributes to an agent. RSA Authentication Manager automatically assigns the attribute with its value to user aliases associated with the user object.

You can define a RADIUS user attribute in two ways:

  • Without an actual value

    When this attribute is assigned to a user, the administrator can enter the value appropriate for that user. For example, if the RADIUS user attribute is Callback Number, the administrator enters the user’s callback phone number when he or she applies the attribute to the user. (RADIUS can use a callback number to ensure that a user is calling from a specific phone number). RADIUS user attributes override profile attributes with the same name.

  • Mapped to data stored in an identity source

    In this case, the attribute returns information that is already stored in an identity source, such as an LDAP corporate identity database, avoiding the need to maintain attribute values in multiple places.

The RADIUS server sends RADIUS user attributes along with the profile return list attributes to a RADIUS client. These assigned RADIUS user attributes override attributes assigned to the user or trusted user through profiles.

You can also map a RADIUS user attribute definition to an identity source attribute. The RADIUS server applies the value of the identity source attribute to the RADIUS user attribute definition. For example, you can map the RADIUS Callback-ID attribute to the Phone Number attribute in the LDAP corporate database. If you do not map a RADIUS user attribute definition to an identity source attribute, when you assign the RADIUS attribute to the user or trusted user, you must enter the attribute value.

User Attribute Assignment Example

The following figure shows the relationship of profile return list attributes and RADIUS user attributes when user Alice authenticates using RADIUS. Alice is assigned RADIUS user attributes a and b (attribute c is assigned to someone else). When Alice authenticates successfully, she gets all of the profile attributes and RADIUS user attributes a and b. The value for RADIUS user attribute b is taken from an LDAP identity store.