When you configure RADIUS clients and profiles in the Cloud Administration Console, you define sets of checklist and return list attributes that are exchanged between the RADIUS client and server during authentication. These attributes are used to validate requests and to set parameters for the user's session. RSA SecurID Access provides the attributes in dictionary files with the RADIUS server.
The RADIUS client device sends checklist attributes in the authentication request to the RADIUS server. The server confirms if the attributes in the request match those configured for the client in the Cloud Administration Console. If any values are missing, the request is rejected. If you want the server to accept requests with missing attributes, select the Optional for user request processing checkbox when configuring the client.
Return List Attributes
The RADIUS server sends the return list attributes defined in a RADIUS profile to the RADIUS client device after a user is authenticated. Return list attributes provide parameters, such as VLAN assignment or IP address assignment, that the RADIUS client needs to connect the user. The RADIUS server also sends the client the Access-Accept message to set session parameters for that user.
Return list attributes must use attribute names from the provided dictionary files. You can set static attribute values or use values from LDAP or Active Directory attributes.
If you want an attribute value in the user request to be returned to the client in the RADIUS response, leave the return list value blank and select the Echo checkbox for the attribute when configuring the profile.
Single- and Multiple-Value Attributes
Single-value attributes appear only once in the checklist or return list. Multiple-value attributes may appear several times, and all of the values are valid. For example, a checklist can include multiple telephone numbers for the attribute Calling-Station-ID. Because all of the telephone numbers are valid, a user trying to dial in to your network can call from any of the specified telephone numbers and authenticate successfully.
If an attribute appears more than once in the return list, each value is included in the response. For example, to enable both IP and IPX header compression for a user, the Framed-Compression attribute must appear twice in the return list: once with the value VJ-TCP-IP-header-compression and once with the value IPX-headercompression.
Ordered Multiple-Value Attributes in Return Lists
When you define certain multiple-value return list attributes in a profile, it is important to properly order the values that appear in a RADIUS response more than once. For example, the Reply-Message attribute allows text messages to be sent back to the user for display. The RADIUS response handles a multiline message by including this attribute multiple times in the return list, with each message line in proper sequence, as specified in the profile.
You can re-order attribute values by first deleting them from the attribute and then re-adding them in the correct order.
RADIUS Dictionary Files
RSA SecurID Access provides all attributes in dictionary files stored on the identity router. These dictionaries support most major brands of RADIUS client devices. The files include:
- Standard RADIUS attributes.
- Vendor-specific dictionaries containing over 4000 attributes and 5000 named values.
Note: If you want to use a new or specialized RADIUS client device that has its own dictionary file containing client-specific attributes, contact RSA Customer Support.
When adding attributes to a RADIUS client or profile, you can search for specific attributes.