A RADIUS profile is a named collection of attributes that specify session requirements for users authenticating using RADIUS. When you create or update a profile, you can add, remove, or modify attributes and their values within checklists and return lists.
Profiles support easy administration of groups of users. An administrator creates a profile with a checklist and a return list of attributes suitable for a specific group of users, and then assigns the profile to relevant user identities defined within Authentication Manager. Available checklist and return list attributes appear in the Security Console in the drop-down list on the management pages for creating and updating profiles.
Profiles are synchronized across all RSA RADIUS servers in the deployment. The profile names reside on Authentication Manager so that they can be centrally managed from the Security Console. RSA RADIUS, when shipped, contains no profiles. You create profiles using the Security Console.
RSA RADIUS provides more flexibility in controlling system behavior during authentication through the use of single-value and multiple-value attributes and orderable multiple-value attributes.
Single-Value and Multiple-Value Attributes
Attributes can be single-value or multiple-value. Single-value attributes appear only once in the checklist or return list.Multiple-value attributes may appear several times. If an attribute appears more than once in the checklist, this means that any one of the values is valid. For example, you can set up a checklist to include multiple telephone numbers for the attribute Calling-Station-ID. Because all of the telephone numbers are valid, a user trying to dial in to your network can call from any of the designated telephone numbers and still authenticate successfully.
If an attribute appears more than once in the return list, each value of the attribute is sent as part of the response packet. For example, to enable both IP and IPX header compression for a user, the Framed-Compression attribute must appear twice in the return list: once with the value VJ-TCP-IP-header-compression and once with the value IPX-header-compression.
Orderable Multiple-Value Attributes
Certain multiple-value return list attributes are also orderable, which means that the attribute can appear more than once in a RADIUS response, and the order in which the attributes appear is important. For example, the Reply-Message attribute allows text messages to be sent back to the user for display. A multiline message is sent by including this attribute multiple times in the return list, with each line of the message in its proper sequence.
The RADIUS checklist is the set of attributes that must be sent from a RADIUS client to a RADIUS server as part of an authentication request. If a required attribute is not present, the request is rejected. For example, the checklist attribute, NAS-IP-Address, specifies the IP address of a RADIUS client that the user is allowed to use. If this attribute is not in the access request, the request is rejected.
The RADIUS server examines authentication requests from RADIUS clients to confirm that attributes and values defined in a profile as checklist attributes are contained in the authentication request.
By default, a RADIUS client sends all available attributes and values with authentication requests. If a RADIUS client is configured to not send some attribute and that attribute is defined as a checklist attribute, the authentication request fails. See the RADIUS client device documentation for procedures on how to configure a RADIUS client.
You can assign an attribute to the checklist by adding the attribute to a RADIUS profile and then assigning the profile to a user or agent.
The RADIUS return list is the set of attributes that a RADIUS server returns to a RADIUS client when a user is authenticated. Return list attributes provide additional parameters, such as VLAN assignment or IP address assignment, that the RADIUS client needs to connect the user. When authentication succeeds, RADIUS sends return list attributes to the RADIUS client along with the Access-Accept message for use in setting session parameters for that user.
You can add an attribute to the return list in two ways:
RSA RADIUS supports a default profile. When a RADIUS user authenticates and has no assigned profile, the user receives the attributes and values that are defined in the default profile, if one is specified.
There is no default RADIUS profile specified during installation. Administrators must create the default profile and specify it as the default. Once you have added one or more RADIUS profiles to Authentication Manager, you can specify the default profile on the System Settings page in the Security Console. However, you can also specify a default profile in the securid.ini RADIUS configuration file. The default profile specified in Authentication Manager always overrides any default profile specified in the securid.ini file.
Administrators can add, remove, or modify attributes and their values within checklists and return lists for the default profile in the same manner as for regular profiles.
RSA RADIUS provides standard RADIUS attributes defined in dictionary files provided with the server. These standard attributes are sufficient to support most major brands of RADIUS client devices. If you purchase a new or specialized RADIUS client device, that device may also have its own dictionary file that contains client-specific attributes. You can install that dictionary file on each of the RADIUS servers so that new or changed RADIUS client attributes are available for inclusion in profiles.
In some rare cases, attribute names in RADIUS may differ from attribute names used by a particular RADIUS client. The Operations Console allows administrators to modify attributes defined in dictionary files.