RADIUS Profiles

A RADIUS profile is a named collection of attributes that specify session requirements for users who authenticate through RADIUS. When you create or update a profile, you can add, remove, or modify attributes and their values within its checklist and return list.

Profiles support easy administration of groups of users. An administrator creates a profile with a checklist and a return list of attributes suitable for a specific group of users, and then assigns the profile to relevant user identities defined within Authentication Manager. Available checklist and return list attributes appear in the Security Console in the drop-down list on the management pages for creating and updating profiles.

Profiles are synchronized across all RSA RADIUS servers in the deployment. The profile names reside on Authentication Manager so that they can be centrally managed from the Security Console. RSA RADIUS, when shipped, contains no profiles. You create profiles using the Security Console.

RADIUS Attributes

RSA RADIUS provides flexibility in controlling system behavior during authentication through multiple-value attributes. A multiple-value attribute may appear several times in the checklist or return list. In the checklist, a request matches the attribute if it carries any one of the listed values.

For example, you can set up a checklist to include multiple telephone numbers for the attribute Calling-Station-ID. Because all of the telephone numbers are valid, a user trying to dial in to your network can call from any of the designated telephone numbers and still authenticate successfully.

If an attribute appears more than once in the return list, each value of the attribute is sent as part of the response packet. For example, to enable both IP and IPX header compression for a user, the Framed-Compression attribute must appear twice in the return list: once with the value VJ-TCP-IP-header-compression and once with the value IPX-header-compression.

Multiple-value return list attributes are also orderable, which means that the attribute can appear more than once in a RADIUS response, and the order in which the attributes appear is important. For example, the Reply-Message attribute allows text messages to be sent back to the user for display. A multiline message is sent by including this attribute multiple times in the return list, with each line of the message in its proper sequence.

Although you can specify an order for more than one value for the same attribute, RADIUS does not maintain the order for different types of attributes. The RADIUS authentication response from the server may return different attributes in a random order. Make sure your RADIUS clients are not relying on the order in which attributes are returned.

RADIUS Checklist

The RADIUS checklist is the set of attributes that must be sent from a RADIUS client to a RADIUS server as part of an authentication request. If a required attribute is not present, the request is rejected. For example, the checklist attribute NAS-IP-Address specifies the IP address of a RADIUS client that the user is allowed to use. If this attribute is not in the access request, the request is rejected.

The RADIUS server examines authentication requests from RADIUS clients to confirm that attributes and values defined in a profile as checklist attributes are contained in the authentication request.

By default, a RADIUS client sends all available attributes and values with authentication requests. If a RADIUS client is configured not to send some attribute and that attribute is defined as a checklist attribute, the authentication request fails. See the RADIUS client device documentation for procedures on how to configure a RADIUS client.

You can assign an attribute to the checklist by adding the attribute to a RADIUS profile and then assigning the profile to a user or agent.

RADIUS Return List

The RADIUS return list is the set of attributes that a RADIUS server returns to a RADIUS client when a user is authenticated. Return list attributes provide additional parameters, such as VLAN assignment or IP address assignment, that the RADIUS client needs to connect the user. When authentication succeeds, RADIUS sends return list attributes to the RADIUS client along with the Access-Accept message for use in setting session parameters for that user.

You can add an attribute to the return list in two ways:

  • Add the attribute to the return list in a profile and assign the profile to a user or agent. For more information, see RADIUS Profiles and RADIUS Profile Associations.

  • Assign a user attribute, either a standard user attribute or a custom user attribute, to a user directly. For more information, see RADIUS User Attributes.

Note: The purpose and use of specific attributes is described in the documentation for particular RADIUS client devices and is outside the scope of this guide.
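The checklist and return list behavior described in the preceding sections, modelled as an added example (not RSA's code): a profile whose checklist requires NAS-IP-Address and accepts either of two Calling-Station-Id values, and whose return list carries Framed-Compression twice and an ordered two-line Reply-Message. All attribute values and the request contents are constructed for illustration.

```python
from collections import defaultdict

# Constructed profile: checklist and return list as ordered (attribute, value)
# pairs. A checklist attribute listed more than once means "any one of these
# values is acceptable"; a return list attribute listed more than once is sent
# once per value, in the order given.
PROFILE = {
    "checklist": [
        ("NAS-IP-Address", "192.0.2.10"),
        ("Calling-Station-Id", "5551001"),
        ("Calling-Station-Id", "5551002"),
    ],
    "return_list": [
        ("Framed-Compression", "VJ-TCP-IP-header-compression"),
        ("Framed-Compression", "IPX-header-compression"),
        ("Reply-Message", "Welcome."),
        ("Reply-Message", "Session limited to 8 hours."),
    ],
}

def checklist_passes(checklist, request):
    """True only when every checklist attribute is present in the
    Access-Request and carries one of the values allowed for it."""
    allowed = defaultdict(set)
    for name, value in checklist:
        allowed[name].add(value)
    for name, values in allowed.items():
        sent = request.get(name)          # missing attribute -> None -> reject
        if sent is None or sent not in values:
            return False
    return True

def build_response(profile, request):
    """Model the server decision: a checklist failure yields Access-Reject;
    success yields Access-Accept plus the return list in profile order."""
    if not checklist_passes(profile["checklist"], request):
        return ("Access-Reject", [])
    return ("Access-Accept", list(profile["return_list"]))

# Constructed Access-Request contents (attribute -> value as a NAS sends them).
REQ_OK = {"User-Name": "alice", "NAS-IP-Address": "192.0.2.10",
          "Calling-Station-Id": "5551002"}
REQ_WRONG_PHONE = {"User-Name": "alice", "NAS-IP-Address": "192.0.2.10",
                   "Calling-Station-Id": "5559999"}
REQ_MISSING_NAS = {"User-Name": "alice", "Calling-Station-Id": "5551001"}

if __name__ == "__main__":
    for req in (REQ_OK, REQ_WRONG_PHONE, REQ_MISSING_NAS):
        print(build_response(PROFILE, req))
```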

Default Profile

RSA RADIUS supports a default profile. When a RADIUS user authenticates and has no assigned profile, the user receives the attributes and values that are defined in the default profile, if one is specified.

There is no default RADIUS profile specified during installation. Administrators must create the default profile and specify it as the default. Once you have added one or more RADIUS profiles to Authentication Manager, you can specify the default profile on the System Settings page in the Security Console.

Administrators can add, remove, or modify attributes and their values within checklists and return lists for the default profile in the same manner as for regular profiles.

For more information on setting a default RADIUS profile, see Configure RADIUS Settings.

Dictionary Files to Customize Attributes

RSA RADIUS provides standard RADIUS attributes defined in dictionary files provided with the server. These standard attributes are sufficient to support most major brands of RADIUS client devices. If you purchase a new or specialized RADIUS client device, that device may also have its own dictionary file that contains client-specific attributes. You can install that dictionary file on each of the RADIUS servers so that new or changed RADIUS client attributes are available for inclusion in profiles.

In some rare cases, attribute names in RADIUS may differ from attribute names used by a particular RADIUS client. The Operations Console allows administrators to modify attributes defined in dictionary files.