Article Number
000030957
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
When an attribute is configured in Security Console under Identity > Users > Authentication Settings > RADIUS > RADIUS User Attributes, you may notice the attribute sent by RSA Authentication Manager to RADIUS client has both an attribute ID and an attribute name appended to the value.
For example:
On the other hand, if you set a RADIUS profile in RADIUS > RADIUS Profiles, then link it with a user or agent, the attribute sent by RSA Authentication Manager to RADIUS client contains just the value. For example, if you select Filter-ID[M] for Attribute and set policy_GRP_I as the value, the attribute contained in RADIUS response message is:
Filter-ID=policy_GRP_
The issue is that the attribute format of attribute_id+attribute_name+attribute_value may not be accepted by RADIUS clients.
Task
You can change the configuration in the Security Console to determine how the RADIUS attribute(s) are returned. The configuration specifies whether just the attribute value is returned, or the Attribute Name + ID + Value.
Resolution
For RSA Authentication Manager 7.1, see steps provided in the Notes section, below.
For Authentication Manager 8.x:
- Login to the Security Console.
- Navigate to Setup > System Settings > RADIUS.
- Check the option to Send user´s RADIUS attributes to the RADIUS server upon successful authentication.
- You can then set the RADIUS Attribute Format. Select one of three options. Use the above example for reference, where 11 - Filter-ID is Attribute and policy_GRP_1 is set as value.
- Send attribute ID, attribute name, and attribute value
Filter-ID=ATTR11_Filter-ID=policy_GRP_1
- Send attribute name and attribute value
Filter-ID=Filter-ID=policy_GRP_1
- Send attribute value only
Filter-ID=policy_GRP_1
- Click Save when done.
