RADIUS Profiles

A RADIUS profile is a named collection of attributes that specify session requirements for users authenticating using RADIUS. When you create or update a profile, you can add, remove, or modify attributes and their values within checklists and return lists.

Profiles support easy administration of groups of users. An administrator creates a profile with a checklist and a return list of attributes suitable for a specific group of users, and then assigns the profile to relevant user identities defined within Authentication Manager. Available checklist and return list attributes appear in the Security Console in the drop-down list on the management pages for creating and updating profiles.

Profiles are synchronized across all RSA RADIUS servers in the deployment. The profile names reside on Authentication Manager so that they can be centrally managed from the Security Console. RSA RADIUS, when shipped, contains no profiles. You create profiles using the Security Console.

RADIUS Attributes

RSA RADIUS provides flexibility in controlling system behavior during authentication through the use of multiple-value attributes. Multiple-value attributes may appear several times in the checklist or return list. Any one of the values is valid.

For example, you can set up a checklist to include multiple telephone numbers for the attribute Calling-Station-ID. Because all of the telephone numbers are valid, a user trying to dial in to your network can call from any of the designated telephone numbers and still authenticate successfully.

If an attribute appears more than once in the return list, each value of the attribute is sent as part of the response packet. For example, to enable both IP and IPX header compression for a user, the Framed-Compression attribute must appear twice in the return list: once with the value VJ-TCP-IP-header-compression and once with the value IPX-header-compression.

Multiple-value return list attributes are also orderable, which means that the attribute can appear more than once in a RADIUS response, and the order in which the attributes appear is important. For example, the Reply-Message attribute allows text messages to be sent back to the user for display. A multiline message is sent by including this attribute multiple times in the return list, with each line of the message in its proper sequence.

Although you can specify an order for more than one value for the same attribute, RADIUS does not maintain the order for different types of attributes. The RADIUS authentication response from the server may return different attributes in a random order. Make sure your RADIUS clients are not relying on the order in which attributes are returned.

RADIUS Checklist

The RADIUS checklist is the set of attributes that must be sent from a RADIUS client to a RADIUS server as part of an authentication request. If a required attribute is not present, the request is rejected. For example, the checklist attribute NAS-IP-Address specifies the IP address of the RADIUS client that the user is allowed to use. If this attribute is not in the access request, the request is rejected.

The RADIUS server examines authentication requests from RADIUS clients to confirm that attributes and values defined in a profile as checklist attributes are contained in the authentication request.

By default, a RADIUS client sends all available attributes and values with authentication requests. If a RADIUS client is configured to not send some attribute and that attribute is defined as a checklist attribute, the authentication request fails. See the RADIUS client device documentation for procedures on how to configure a RADIUS client.

You can assign an attribute to the checklist by adding the attribute to a RADIUS profile and then assigning the profile to a user or agent.

RADIUS Return List

The RADIUS return list is the set of attributes that a RADIUS server returns to a RADIUS client when a user is authenticated. Return list attributes provide additional parameters, such as VLAN assignment or IP address assignment, that the RADIUS client needs to connect the user. When authentication succeeds, RADIUS sends return list attributes to the RADIUS client along with the Access-Accept message for use in setting session parameters for that user.

You can add an attribute to the return list in two ways:

Note: The purpose and use of specific attributes is described in the documentation for particular RADIUS client devices and is outside the scope of this topic.

Default Profile

RSA RADIUS supports a default profile. When a RADIUS user authenticates and has no assigned profile, the user receives the attributes and values that are defined in the default profile, if one is specified.

There is no default RADIUS profile specified during installation. Administrators must create the default profile and specify it as the default. Once you have added one or more RADIUS profiles to Authentication Manager, you can specify the default profile on the System Settings page in the Security Console.

Administrators can add, remove, or modify attributes and their values within checklists and return lists for the default profile in the same manner as for regular profiles.

For more information on setting a default RADIUS profile, see Configure RADIUS Settings.

Dictionary Files to Customize Attributes

RSA RADIUS provides standard RADIUS attributes defined in dictionary files provided with the server. These standard attributes are sufficient to support most major brands of RADIUS client devices. If you purchase a new or specialized RADIUS client device, that device may also have its own dictionary file that contains client-specific attributes. You can install that dictionary file on each of the RADIUS servers so that new or changed RADIUS client attributes are available for inclusion in profiles.

In some rare cases, attribute names in RADIUS may differ from attribute names used by a particular RADIUS client. The Operations Console allows administrators to modify attributes defined in dictionary files.

Add a RADIUS Profile

You can add a profile to create a collection of checklist and return list attributes that you want to assign to users, user aliases, trusted users, or agents.

Before you begin

At least one RADIUS client must exist in the deployment before you can create a RADIUS profile.

Procedure

  1. In the Security Console, click RADIUS > RADIUS Profiles > Add New.

  2. In the Profile Name field, enter a unique name that identifies the purpose for this profile, for example, SALES.

    After you save the profile, you can change its name by editing the profile.

  3. In the Notes field, enter any notes for this profile, for example, Use this profile for all employees in Sales.

  4. In Return List Attributes, do one of the following:

    • If you want to add an attribute, select each return list attribute, enter its corresponding value for this profile, and click Add.

      You can add an attribute more than one time. Multiple-value attributes may appear several times in the checklist or return list. Any one of the values is valid. For more information about the attributes and their values, see the RADIUS client documentation.

    • If you want to remove an attribute, select the attribute from the list box, and click Remove.

    • If you want to update an attribute, select the attribute from the list, enter the updated value in the field, and click Update. If an attribute appears more than once in the return list, click Up or Down to specify the necessary order for the attribute and its value.

    • If you do not want to specify a particular value, but want to make sure that the attribute value in the RADIUS request is echoed to the client in the RADIUS response, select Echo for the attribute.

  5. In Checklist Attributes, do one of the following:

    • If you want to add an attribute, select each checklist attribute, enter its corresponding value for this profile, and click Add.

      You can add an attribute more than one time. Multiple-value attributes may appear several times in the checklist or return list. Any one of the values is valid. For more information about the attributes and their values, see the RADIUS client documentation.

    • If you want to remove an attribute, select the attribute from the list box, and click Remove.

    • If a RADIUS client does not send one of these attributes (for example, Port-Limit) and you select Default for that attribute, the RADIUS server still processes the authentication request. If the RADIUS client does not send the attribute and you do not select Default for it, the RADIUS server rejects the authentication request.

  6. Click Save.
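The checklist and return list semantics described above (any one of several checklist values is valid, Default lets an absent attribute pass, every return list value is sent in its configured order, and Echo copies the request value into the response) can be modelled in a few lines. This is an added illustration, not RSA RADIUS code; the attribute values and the SALES profile are constructed for the example, and the request is a plain dictionary of attribute name to the list of values the RADIUS client sent.

```python
from dataclasses import dataclass

@dataclass
class ChecklistAttr:
    name: str
    values: list            # multiple values: any one of them is valid
    default: bool = False   # Default selected: an absent attribute does not reject

@dataclass
class ReturnAttr:
    name: str
    value: str = ""
    echo: bool = False      # Echo selected: copy the request's value(s) instead

def check_request(checklist, request):
    """request maps attribute name -> list of values the RADIUS client sent."""
    for attr in checklist:
        sent = request.get(attr.name, [])
        if not sent:
            if attr.default:
                continue
            return False, f"missing checklist attribute {attr.name}"
        if not any(v in attr.values for v in sent):
            return False, f"{attr.name}={sent} not in {attr.values}"
    return True, "ok"

def build_response(return_list, request):
    """Return-list attributes as ordered (name, value) pairs for the Access-Accept."""
    out = []
    for attr in return_list:
        if attr.echo:
            out.extend((attr.name, v) for v in request.get(attr.name, []))
        else:
            out.append((attr.name, attr.value))
    return out

def authenticate(checklist, return_list, request):
    ok, reason = check_request(checklist, request)   # rejected requests carry no return list
    attrs = build_response(return_list, request) if ok else []
    return {"code": "Access-Accept" if ok else "Access-Reject", "reason": reason, "attributes": attrs}

# Constructed sample profile, named after the SALES example in the procedure above.
SALES_CHECKLIST = [ChecklistAttr("Calling-Station-ID", ["5551001", "5551002"]),
                   ChecklistAttr("NAS-IP-Address", ["192.0.2.10"]),
                   ChecklistAttr("Port-Limit", ["1"], default=True)]
SALES_RETURN_LIST = [ReturnAttr("Framed-Compression", "VJ-TCP-IP-header-compression"),
                     ReturnAttr("Framed-Compression", "IPX-header-compression"),
                     ReturnAttr("Reply-Message", "Welcome to Sales"),
                     ReturnAttr("Reply-Message", "Session limited to 8 hours"),
                     ReturnAttr("Framed-IP-Address", echo=True)]
```

A request that omits Port-Limit still passes because Default is selected for it, whereas omitting NAS-IP-Address or calling from a number outside the list is rejected before any return list attributes are built.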

After you finish

  • (Optional) Specify the Default RADIUS Profile. By default, RSA RADIUS does not contain a default RADIUS profile. You must be a Super Admin to specify the default profile.

  • Assign RADIUS profiles to users, user aliases, trusted users, and authentication agents associated with RADIUS clients. For more information, see RADIUS Profile Associations.

Manage RADIUS Profiles

You can edit, delete, and view the details of RADIUS profiles.

Procedure

  1. In the Security Console, click RADIUS > RADIUS Profiles > Manage Existing.

    A list of RADIUS profiles displays.

  2. Do the following:

    Task: Edit a RADIUS profile

    Edit a RADIUS profile if you need to change the checklist or return list attributes or values. For example, you might need to edit the default value of an attribute to reflect a configuration change on a RADIUS client. If any attributes are unknown, verify that the device providing the attribute is part of the RADIUS Client list.

    1. Click the profile that you want to edit.

    2. From the context menu, click Edit.

    3. On the View or Edit RADIUS Profile Properties page, make any necessary changes to the profile. For more information, see Add a RADIUS Profile.

    4. Click Save.

      RSA Authentication Manager replication notifies the RADIUS servers on replica instances about this updated profile.

    Task: Delete a RADIUS profile

    Delete a RADIUS profile to permanently remove the RADIUS profile from RSA Authentication Manager.

    Note: Do not delete a profile that is assigned to a user. If you delete an active profile, Authentication Manager removes the attributes defined in the profile from the user's settings, possibly resulting in authentication failures.

    1. Click the profile that you want to delete.

    2. From the context menu, click Delete.

      RSA Authentication Manager replication notifies the RADIUS servers on replica instances about this deleted profile.

    Task: View a RADIUS profile

    You can view the properties of a RADIUS profile.

    1. Click the profile that you want to view.

    2. From the context menu, click View.

    The RADIUS profile displays the following information:

    • The name of the profile

    • Notes that you specified about the profile when you added the profile

    • The attributes and values in the return list and checklist