Adding a Palo Alto RADIUS dictionary to RSA RADIUS for RSA Authentication Manager 8.x
Originally Published: 2015-09-11
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
Resolution
Procedure for adding the Palo Alto RADIUS dictionary file
IMPORTANT: These steps must be performed on every RSA Authentication Manager instance in the deployment and included in any disaster recovery plan, as it is a custom update to RSA RADIUS.
- Unpack the paloalto.zip file that is attached to this article. This file contains a paloalto.dct, an updated vendor.ini, and updated dictiona.dcm.
- Copy the Palo Alto RADIUS dictionary file called paloalto.dct, the updated vendor.ini, and dictiona.dcm into /opt/rsa/am/radius.
- Move the RADIUS binary dictionary file (/opt/rsa/am/radius/saved-dcts.bin):
mv /opt/rsa/am/radius/saved-dcts.bin /opt/rsa/am/radius/saved-dcts.bin.OLD
- Restart the RSA RADIUS service at the command line:
rsaadmin@am84p:~> /opt/rsa/am/server/rsaserv restart radius Stopping RSA RADIUS Server: * RSA RADIUS Server [SHUTDOWN] Starting RSA Administration Server with Operations Console: Starting RSA Database Server: *- RSA Database Server [RUNNING] * RSA Administration Server with Operations Console [RUNNING] Starting RSA RADIUS Server Operations Console: * RSA RADIUS Server Operations Console [RUNNING] Starting RSA Runtime Server: RSA Runtime Server [RUNNING] Starting RSA RADIUS Server: * RSA RADIUS Server [RUNNING] rsaadmin@am84p:~>
- Check that the changes took effect by looking at the RADIUS log file in /opt/rsa/am/radius folder. The file is named with the current date stamp in the format of yyyymmdd.log. For example,
... ... ... 03/31/2020 13:12:07 Saved dictionary file /opt/rsa/am/radius/saved-dcts.bin does not exist 03/31/2020 13:12:07 Opening saved dictionary file 03/31/2020 13:12:07 Successfully initialized saved-dcts.bin file 03/31/2020 13:12:07 Starting dictionary file processing ... 03/31/2020 13:12:10 Writing dictionary info to saved dictionary 03/31/2020 13:12:10 Successfully wrote dictionary information to saved-dcts.bin 03/31/2020 13:12:10 Closing saved dictionary file 03/31/2020 13:12:10 Successfully created and closed saved-dcts.bin 03/31/2020 13:12:10 Concluded dictionary file processing ... ... ... ...
- Add a new RADIUS client (RADIUS > RADIUS Client > Add New) in the Security Console and select Palo Alto Networks for the Make/Model selection
- Add a new RADIUS Profile where the Palo Alto RADIUS attributes can be added to the Return List Attributes section of the RADIUS Profile:
NOTE: Ensure you are in a new Security Console session, else you may be looking at cached, old data and not see the Palo Alto RADIUS attributes.
- Assign the RADIUS profile to a user account using Authentication Settings and perform a RADIUS authentication test.
Notes
