How to list all users with radius attribute?
I need to export all users with a configured radius attribute on the RSA Authentication Manager (ver 8.1 SP1).
The management console does not contain such a report where I can filter on radius attributes.
If anyone has a solution this would be great.
Thanks in advance
I haven't tested this in 8.1, only in 8.3, but you can try this SQL query. You can use this KB Article on how to access the database if you haven't done it before: https://community.rsa.com/docs/DOC-45361 Please try it in a Dev AM first.
This is the query I've used to list UserID, and their corresponding Radius Profile Name:
SELECT DISTINCT ipd.loginuid, arp.profile_name
FROM rsa_rep.ims_principal_group ipg
JOIN rsa_rep.ims_principal_data ipd ON ipd.id = ipg.principal_id
JOIN rsa_rep.am_principal amp ON amp.id = ipd.id
JOIN rsa_rep.am_radius_profiles arp ON arp.id = amp.radius_profile_id
WHERE arp.profile_name IS NOT NULL;
188.8.131.52.0 has a report built-in to show radius profiles assigned to a user.
The SQL query shows radius profiles assigned, and SQL is needed on early versions of 8.x.
However, it is possible for users to have radius attributes independent of radius profiles.
This query will show those attributes not tied into a radius profile:
am_principal_attr_values.principal_id = ims_principal_data.id AND
am_attr_definitions.id = am_principal_attr_values.attr_definition_id;
This shows that user zaz (internal database) has a class attribute of Domain Admin that will get sent.
Users marbles and ltate are external AD users who have a mapped attribute grprad; the value is empty and filled at runtime when the system looks up what it is mapped to in AD.
User ed (internal) has a mapped class attribute as well. It is mapped to an internal attribute and also empty as the mapping occurs at runtime, since it references a separate database object value that can be changed at any time, without needing to change the attribute mapping.
Here is another example,
I added a mapped Framed-IP-Address attribute to ZAZ, an unmapped callback number, and mapped Framed-IP-Address to ed.
I know this was a while back - we're using AM 8.4 and the solutions listed in this thread seem to be exactly what we need. However, the read only DB user doesn't allow access to all the tables in the queries (Access Denied). Is there a supported method to extend the read only rights to cover the additional tables we need?
Yes, there is a way. Please follow the steps below:
1. SSH on the primary server
2. /opt/rsa/am/utils/rsautil manage-secrets -a get com.rsa.db.dba.password
3. /opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba
4. enter the password fetched in step 2
5. In my case the read-only user is <rouser>. All you need to do is run the SQL commands below and change the userid if it doesn't match:
GRANT SELECT ON ALL TABLES IN SCHEMA public TO rouser;
GRANT SELECT ON ALL TABLES IN SCHEMA rsa_logrep TO rouser;
GRANT SELECT ON ALL TABLES IN SCHEMA rsa_norep TO rouser;
GRANT SELECT ON ALL TABLES IN SCHEMA rsa_rep TO rouser;
GRANT SELECT ON ALL TABLES IN SCHEMA rsa_rep_cover TO rouser;
GRANT SELECT ON ALL TABLES IN SCHEMA rsa_rep_util TO rouser;
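
A narrower alternative to the schema-wide grants above, as an added example that is not part of the original replies: it gives the read-only account SELECT on only the tables named in this thread's queries, then audits what the account can read. The account name rouser is taken from the reply above, and placing the two attribute tables in the rsa_rep schema is an assumption, since the thread does not state their schema.

```sql
-- Added example (PostgreSQL); run as rsa_dba in the psql session opened in step 3.
-- "rouser" is the read-only account name from the reply above; change it to match yours.

-- Grant read access only to the tables the radius profile query references.
GRANT SELECT ON
    rsa_rep.ims_principal_group,
    rsa_rep.ims_principal_data,
    rsa_rep.am_principal,
    rsa_rep.am_radius_profiles
TO rouser;

-- Tables referenced by the attribute query.
-- Assumption: they also live in rsa_rep (the thread does not give their schema).
GRANT SELECT ON
    rsa_rep.am_principal_attr_values,
    rsa_rep.am_attr_definitions
TO rouser;

-- Audit: list every table the account can read, so the result can be
-- compared against the list above and reviewed after upgrades.
SELECT table_schema, table_name
FROM information_schema.role_table_grants
WHERE grantee = 'rouser'
  AND privilege_type = 'SELECT'
ORDER BY table_schema, table_name;

-- Spot check one table; returns true when the grant is in place.
SELECT has_table_privilege('rouser', 'rsa_rep.am_radius_profiles', 'SELECT');
```

If a later query fails with an access error, add only the table it names to the grant list and rerun the audit query.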