You can associate RADIUS profiles with users and agents in your deployment by assigning a profile to them. When you assign a profile to a user or agent, the RADIUS server uses the checklist and return list contained in the profile whenever the user or agent attempts a RADIUS authentication. Assigning a profile designates the checklist and return list contained in the profile as the set of attributes to be used when a RADIUS authentication attempt is made.
An administrator can assign or unassign a profile to the following:
User. An account managed by the system that is usually a person, but may be a computer or a web service.
User Alias. Allows users to authenticate with their RSA SecurID tokens, but using User IDs other than their own. For example, suppose you assign the alias “root” to certain administrators. The administrators can log on using the User ID “root” and their own tokens.
Trusted User. A user from a different, trusted RSA Authentication Manager deployment that can authenticate to Authentication Manager through your deployment.
Agent. A software application installed on a RADIUS client or server, which enables authentication with Authentication Manager on the network server.
You can specify a default RADIUS profile that Authentication Manager assigns to a user's network request, if the user and the agent (that the user sends the network request to) do not have an assigned RADIUS profile.
Users are defined within Authentication Manager and their association with the correct RSA SecurID token record is maintained there. On the RADIUS pages in the Security Console, an administrator can associate a User ID with a profile. This action applies the attributes of that profile to that user.
User aliases allow a user to have multiple roles if necessary. For example, user Alice has a user identity Alice_User and a user alias identity Alice_Admin. When Alice logs on as Alice_User, all of the attributes associated with users are applied to her because her user identity is associated with a profile set up for users. When Alice_Admin logs on, attributes more appropriate for administrators are applied to her because her user alias identity is associated with a profile set up for administrators, for example, she can access IP addresses needed to manage routers and VPN servers.
Within a trusted realm, users from another realm may attempt to access resources using RSA RADIUS. How RADIUS profiles are associated with these users depends on how these remote “trusted users” are defined in the local realm.
A trusted user identity may be defined in Authentication Manager in advance, with a RADIUS profile associated with that trusted user identity. That profile may be set up especially for trusted users giving them attributes appropriate for trusted users. When that trusted user’s access request succeeds, RADIUS returns the associated profile attributes to the RADIUS client device along with any assigned RADIUS user attributes.
If the trusted user identity is not set up in advance, the authentication agent on the RADIUS server creates a trusted user account dynamically in Authentication Manager. In turn, Authentication Manager forwards the authentication request to other trusted realms until a success or failure is returned. When the request is successful, Authentication Manager adds the trusted user’s home realm to the trusted user identity (to speed up future authentication requests) and returns a passcode accepted message to RADIUS.
If an agent profile is associated with the RADIUS client (the VPN server, wireless access point, or network access servers supporting dial-in modems) used by the trusted user, the trusted user receives the attributes of that profile. Otherwise, the user receives the default profile, if one is specified.
Assigning a profile to an authentication agent causes the attributes in the profile to be assigned to all users authenticating using that specific RADIUS client device.
For example, a remote user authenticating through a VPN server could have access to one set of resources while that same user authenticating over a wireless access point could access a reduced set of services. RSA RADIUS allows administrators to choose whether an agent profile takes precedence over a user profile. This avoids conflicts in the case where a profile for users and a profile for an agent could both be applied to a user. For instructions, see Configure RADIUS Settings.
To avoid conflicts in cases where a profile for users and a profile for an agent could both be applied to a user, for example, you assign a RADIUS profile to a user, and the user requests network access from a RADIUS client with an agent that has a different assigned profile. To prevent profile conflicts, specify the profile precedence.
The following figure shows how RADIUS applies profiles to users based on associations of profiles to users and agents (RADIUS clients).
Jim is not explicitly associated with a profile. He authenticates through VPN2 that does have an explicitly associated profile, so he gets the profile for VPN agents.
Liz_Admin is explicitly associated with the profile for Administrators. She is authenticating through a wireless access point that also has an explicitly associated profile. As both profiles could be applied to Liz Admin, the precedence mechanism determines which profile is applied.
Michelle does not have an associated profile. She is authenticating through VPN3 that also does not have an explicitly associated profile for agents. RADIUS applies the default profile because no other profile applies to Michelle.