RADIUS Filter-ID to segregate the access users authentication
i have a Sonicwall firewall with local users defined in the internal firewall database that will use the vpn to access the network, the goal is to move users on the AM to add the 2FA.
It has been interfaced the AM with the Sonicwall firewall via RADIUS and the token authentication part works correctly, since the users are defined on the radius server (AM) and not on the firewall, Sonicwall is unable to punctually check the local network objects from the firewall. The user himself can log in.
Is there a way to segregate the access users authentication (i suppose with Radius parameters) so that the users are not allowed to get access to all resources?
In the firewall documentation it seems that this parameter must be set otherwise the group to which the acl of the network is to be set does not return, and then you have to use the everyone group (which, however, does not help to make access distinctions):
“Use RADIUS Filter-ID attribute on RADIUS server – To apply a configured Filter-ID attribute from
the RADIUS server. The attribute must provide the user group to which the user belongs.
NOTE: If the Use SonicWall vendor-specific attribute on Radius server or Use RADIUS Filter-ID
attribute on RADIUS server options are selected, the RADIUS server must be properly configured
to return these attributes to the SonicWall appliance when a user is authenticated. The RADIUS
server should return aero (0) or more instances of the selected attribute, each giving the name of a
user group to which the user belongs. ”
I think something should be set in Rsa-level attributes to be associated with the user (?) or profiles to return the group to which it belongs, and then it must exist in correspondence on the firewall.
Do you have any suggestions?
Thanks a lot.