Authenticate Against Radius Server Assertion
The Authenticate Against Radius Server assertion is used to authenticate credentials against a RADIUS (Remote Authentication Dial In User Service) Server.
gateway90
The
Authenticate Against Radius Server
assertion is used to authenticate credentials against a RADIUS (Remote Authentication Dial In User Service) Server.This assertion only provides authentication—authorization and accounting against the RADIUS server is not supported.
To learn about selecting the target message for this assertion, see Selecting a Target Message.
Be sure to precede this assertion with a username/password credential source.
Example:
The following simple policy fragment authenticates a user's HTTP Basic Credentials against the Radius server:
Context Variables Created by This Assertion
The Authenticate Against Radius Server assertion sets the following context variables.
Note:
The default <prefix>
is "radius" and can be changed in the assertion properties.Context variable | Description |
<prefix> .<AttributeName> | Retrieves the Radius attribute value returned by the Radius server. Example: ${radius.User-Name} will return the user's name. |
<prefix> .reasonCode | Returns a success/fail reason code from the table below. A reason code is not returned if the authentication failed due to invalid credentials. |
Code | Name | Description |
0 | Success | Authenticated against the Radius server successfully |
-1 | Radius Server Error | Any Radius server error (view the audit events for the failure reason) |
-2 | Radius Server Timeout | Radius server timed out. This code will be returned when the Radius server is unresponsive or if an invalid IP address is specified. |
-3 | Unknown Host | Unknown Radius server host. This code will be returned when the Radius server cannot be found or if an invalid hostname was specified. |
-4 | Secret Not Found | Secret key cannot be found from the stored password |
-5 | Configuration Error | The "Auth Port" or "Timeout" fields contain a context variable that did not resolve to a numeric value |
-6 | Challenge | Additional information required from the user (for example, PIN or token). |
Authenticating Against a RSA SecurID Server
When working in a SecureID environment, the Authenticate Against Radius Server assertion sends an Access-Request, to which the RSA server responds with an Access-Challenge*, which includes a number of attributes (for example, Reply-Message and State). These attributes are accessible in the Gateway as <prefix>.<AttributeName> context variables (see above). You must construct a policy that decodes and answers these challenges, and then return the State attribute** that was received in the previous challenge. This is done by populating the "Attributes" panel in the assertion properties. The Radius server tracks responses to Access-Challenges using the State attribute.
Examples of challenges used in authentication modes:
- New PIN Mode: The user is prompted to enter a new pin.
- Next Token Mode: The user is prompted to enter the next token.
*An Access-Challenge is packet data: http://en.wikipedia.org/wiki/RADIUS#Attribute_value_pairs
You need to know the name of the "<AttributeName>" variables returned by the Radius server in order to process them properly. These attribute names may differ depending on the use case and the Radius server being used. Common attributes include:
<prefix>.reasonCode
, <prefix>.Reply-Message
, and <prefix>.State
.Using the Assertion
- Do one of the following:
- To add the assertion to the Policy Development window, see Adding an Assertion.
- To change the configuration of an existing assertion, proceed to step 2 below.
- When adding the assertion, theAuthenticate Against Radius Server Propertiesautomatically appears; when modifying the assertion, right-clickin the policy window and choose<target>Authenticate Against Radius ServerAuthenticate Against Radius Server Propertiesor double-click the assertion in the policy window. The properties dialog appears.
- Configure the properties as follows:Authenticate Against Radius Server settingsSettingDescriptionHostEnter the Radius Server host name. You may reference context variables.SecretChoose the stored secret to use from the drop-down list.Note: Only stored passwords may be used here —you cannot type in the secret. To define a stored password, click [Manage Passwords]. For more information, see Manage Stored Passwords.Auth PortEnter the Radius Server authorization port number. You may reference context variables.The default port is:1812TimeoutEnter the Radius Server authorization timeout value. You may reference context variables.The default timeout is:5secondsAuthenticatorChoose the authentication protocol to use from the drop-down list.AttributesOptionally add Radius attributes for the access request.For a list of the Radius attributes, see http://freeradius.org/rfc/attributes.html. Note that the attributesUser-NameandUser-Passwordare overridden by the user credentials.To add an attribute:
- Click [Add].
- Enter aNameandValuefor the attribute. You may reference context variables for the Value, but not the Name.
- Click [OK].
To modify an attribute:- Select the attribute and then click [Edit].
- Modify the Value. You may reference context variables for the Value, but not the Name.
- Click[OK].
To remove an attribute:- Select the attribute to remove.
- Click [Delete]. The attribute is removed.
Radius Variable PrefixEnter a prefix that will be added to the context variables created by this assertion. This prefix will ensure uniqueness and will prevent the variables from overwriting each other when multiple instances of this assertion appear in a policy.Context variables are not supported for the prefix. If a variable is specified, the assertion will strip away the enclosing characters and use the variable name itself as the prefix. For example, specifying the variable "${abc}" will result in "abc" as the variable prefix. - Click [OK] when done.