
SSL VPN and Radius Server Authentication

Regular Contributor

Hi Experts

I am not using AD/LDAP as authentication server. I have Radius server (Cisco ACS). I am using this radius server as authentication server.

When I use AD as authentication server then I can make role mapping rules based on groups name (fetched by group lookup and select group name) and give the access. But how can I do the same using radius server as authentication server?

Thanks

9 REPLIES
Respected Contributor

Re: SSL VPN and Radius Server Authentication

You cannot do group-based authorization with RADIUS. You can choose among the listed attributes only.
Regular Contributor

Re: SSL VPN and Radius Server Authentication

Assuming the Radius Server returns group information as part of the return attributes, then on the SA you need to create a Role mapping rule based on 'User Attribute' and from the drop-down select the attribute that will be returned by the Radius server.

See screenshot for sample config

Regular Contributor

Re: SSL VPN and Radius Server Authentication

Thank you very much for the reply. I would really appreciate it if you could tell me how I can check on the radius server what attribute it is returning. Is it the group name?

Respected Contributor

Re: SSL VPN and Radius Server Authentication

Check with your RADIUS admin. If he is not sure, you can also check what is being returned by looking at a tcpdump of a login with Wireshark (filter for radius).

Regular Contributor

Re: SSL VPN and Radius Server Authentication

Hi

The radius server is Cisco ACS. I checked the configuration on ACS. It is like:

[025] Class OU=ALDAR

So on the SSL VPN, which radius attribute should I use to map to a role?

Thanks

Regular Contributor

Re: SSL VPN and Radius Server Authentication

It's not clear if

1. your Radius return attribute is Class and the value is 'OU=ALDAR' (in that case you can select Class from the drop-down option)

(OR)

2. your Radius return attribute is Class OU and the value is ALDAR (in that case you will have to create a custom expression for role mapping, similar to userAttr.Class OU = 'ALDAR')

I think it should be #1; however, I can't say for sure based on the info in your post.
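The two interpretations above (and the earlier suggestion to inspect what the RADIUS server actually returns) can be checked against the raw Access-Accept attributes. The following is an added example, not code from this thread or from the SA product: it decodes the RADIUS attribute TLVs of a constructed Access-Accept, then evaluates role-mapping rules in both forms (whole Class value, or a key inside the Class value). The attribute bytes, user name and role names are constructed for illustration.

```python
"""Decode RADIUS attribute TLVs and evaluate role-mapping rules on Class."""
import struct

CLASS = 25                         # RADIUS attribute type for Class (RFC 2865)
ATTR_NAMES = {1: "User-Name", 11: "Filter-Id", CLASS: "Class"}

def encode_attr(attr_type, value):
    """Build one RADIUS attribute: 1-byte type, 1-byte total length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attrs(data):
    """Walk the attribute TLVs of an Access-Accept; return {name: [values]}."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = struct.unpack_from("!BB", data, pos)
        if length < 2 or pos + length > len(data):  # header alone is 2 octets
            raise ValueError("bad attribute length at offset %d" % pos)
        name = ATTR_NAMES.get(attr_type, "Attr-%d" % attr_type)
        value = data[pos + 2:pos + length].decode("latin-1")
        attrs.setdefault(name, []).append(value)
        pos += length
    return attrs

def map_role(attrs, rules):
    """Evaluate rules in order; first match wins, None if nothing matches.
    Rule form 1: ("Class", "OU=ALDAR", role) compares the whole Class value.
    Rule form 2: ("Class.OU", "ALDAR", role) reads Class as key=value pairs."""
    for attr, expected, role in rules:
        name, _, key = attr.partition(".")
        for value in attrs.get(name, []):
            if key:
                pairs = dict(p.split("=", 1) for p in value.split(",") if "=" in p)
                if pairs.get(key) == expected:
                    return role
            elif value == expected:
                return role
    return None

# Constructed sample attribute section (not a real capture): User-Name + Class.
SAMPLE = encode_attr(1, b"alice") + encode_attr(CLASS, b"OU=ALDAR")
RULES = [("Class", "OU=ALDAR", "Employees"),          # form 1
         ("Class.OU", "ALDAR", "Employees-by-OU")]    # form 2

if __name__ == "__main__":
    decoded = parse_attrs(SAMPLE)
    print(decoded)                     # what the server returned, per attribute
    print(map_role(decoded, RULES))    # role the first matching rule assigns
```

Pointing `parse_attrs` at the attribute bytes from a packet capture shows exactly which attribute name and value the server returns, which decides whether form 1 or form 2 applies.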

Respected Contributor

Re: SSL VPN and Radius Server Authentication

This should be something coming through on your policy trace as well that you can use to determine how the rule needs to be created.

Super Contributor

Re: SSL VPN and Radius Server Authentication

You want to specify your AD/LDAP server as your authorization server.

I do authentication against a Radius server which proxies authentications to a number of RSA ACE servers. I then use the user ID from that authentication to do a search on our AD as a LDAP server. So, in my realm definition, the Radius server is listed as the authentication server, and the LDAP as the authorization server.

Ken

Respected Contributor

Re: SSL VPN and Radius Server Authentication

Ken has the best/most efficient approach for doing this. Thank you, Ken!