In this policy, you can define rules using regular expressions to accomplish the following actions:
Select an appropriate chain for authenticating users to the RADIUS client
Authenticate users to a specific event when multiple RADIUS events are available
Display associated user groups in the authentication response after a successful authentication to the RADIUS client
Select a particular chain based on the information that the user specifies on the RADIUS client
For example, if a user specifies username&chain-short-name (bob&OTP), select the chain with the LDAP and SMS OTP methods. If the user specifies only the username (bob), select the chain with the LDAP and Smartphone methods.
NOTE: The chain short name is defined using the regular expression in either the Chain Selection or the Event Selection rule.
Define a specific authentication chain for a RADIUS client when there are multiple RADIUS clients mapped to the same RADIUS event
You can define the following rules in this policy:
To understand how to configure RADIUS options policy with rules, use the following sample scenarios:
Configure this rule to obtain the user name or the chain short name from user-specified details in the RADIUS client. The details obtained from the RADIUS client are sent to the RADIUS server for validating users. To enable the RADIUS client to select a specific chain for authenticating a user based on the obtained chain short name, use this rule along with the Chain selection rule.
To configure the input rule, perform the following steps:
Navigate to Policies > RADIUS Options.
Click Add in the Input rules section.
Specify the following details based on your requirement:
Target-Input-Attribute: Specify the attribute or variable that carries the user specified data to the RADIUS server in the Access-Request packet.
Source-Input-Attribute: Specify the attribute that stores the user-specified details.
Regular expression: Specify the condition to obtain user-specified details.
Result specification
Comment: If any.
Click OK.
Example 1: You can define the input rule as follows to obtain the chain short name from a user-specified <username>&<short-chain-name> entered in the Username field while logging in to the RADIUS client:
Target-Input-Attribute: chain_name
Source-Input-Attribute: User-Name
Regular expression: (.+)&(.+)
Result specification: Extract chain from User-Name and put into "chain_name" variable
After you configure, the rule looks as follows:
chain_name / User-Name / (.+)&(.+) / {2}
Example 2: You can define the following input rules to achieve the following:
Rule 1: To extract the password part and set it in the User-Password variable:
Target-Input-Attribute: User-Password
Source-Input-Attribute: User-Password
Regular expression: (.*)(.{6})
Result specification: {1}
Rule 2: To extract the six-digit OTP from the password and set it in the User-OTP variable:
Target-Input-Attribute: User-OTP
Source-Input-Attribute: User-Password
Regular expression: (.*)(.{6})
Result specification: {2}
After you configure, the rules are displayed as follows:
User-Password / User-Password / (.*)(.{6}) / {1}
User-OTP / User-Password / (.*)(.{6}) / {2}
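The following is an added example, not code from the product or the original page, that evaluates Input rules the way the two examples above describe them: each rule has a target attribute, a source attribute, a regular expression and a Result specification whose {n} placeholders are replaced by capture group n. The rule engine, the attribute names as dictionary keys and the evaluation order are assumptions of this example; in particular, it matches every rule against the original request rather than the output of earlier rules, because that is the only order in which Rule 2 of Example 2 can still see the full User-Password after Rule 1 has shortened it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class InputRule:
    """One Input rule: Target-Input-Attribute / Source-Input-Attribute /
    Regular expression / Result specification (e.g. "{2}" = capture group 2)."""
    target: str
    source: str
    regex: str
    result: str


def expand_groups(spec: str, match: "re.Match") -> str:
    """Replace every {n} in the Result specification with capture group n."""
    return re.sub(r"\{(\d+)\}", lambda g: match.group(int(g.group(1))) or "", spec)


def apply_input_rules(attrs: Dict[str, str], rules: List[InputRule]) -> Dict[str, str]:
    """Apply Input rules to the attributes of one Access-Request.

    Assumption of this example: every rule is matched against a snapshot of the
    original request, not against the output of earlier rules. A rule whose
    regex does not match leaves its target attribute untouched.
    """
    original = dict(attrs)
    out = dict(attrs)
    for rule in rules:
        value = original.get(rule.source)
        if value is None:
            continue
        match = re.match(rule.regex, value)  # assumption: matched from the start of the value
        if match is None:
            continue
        out[rule.target] = expand_groups(rule.result, match)
    return out


# Example 1 from the page: chain short name from "<username>&<short-chain-name>".
CHAIN_NAME_RULE = InputRule("chain_name", "User-Name", r"(.+)&(.+)", "{2}")

# Example 2 from the page: split the password field into password and a six-character OTP.
PASSWORD_OTP_RULES = [
    InputRule("User-Password", "User-Password", r"(.*)(.{6})", "{1}"),
    InputRule("User-OTP", "User-Password", r"(.*)(.{6})", "{2}"),
]


def demo() -> Dict[str, str]:
    # Constructed sample request: user "bob" asks for chain "OTP" and appends a six-digit OTP.
    request = {"User-Name": "bob&OTP", "User-Password": "secret123456"}
    return apply_input_rules(request, [CHAIN_NAME_RULE] + PASSWORD_OTP_RULES)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name} = {value!r}")
```

Two behaviours of the page's own patterns are worth knowing before deploying them: `(.*)(.{6})` matches any six trailing characters, not only digits, so a stricter `(.*)(\d{6})` is the pattern to use when the OTP is numeric; and a User-Password shorter than six characters does not match at all, so User-OTP is never set and User-Password is passed through unchanged, which the chain then has to reject on its own.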
Configure this rule to map the requests from the RADIUS client to a specific RADIUS event based on the input attribute and condition (regular expression).
To configure the Event selection rule, perform the following steps:
Navigate to Policies > RADIUS Options.
Click Add in the Event selection section.
Specify the following details based on your requirement:
Input-Attribute
Regular expression
Result specification
Comment
Click OK.
Example 1: An administrator configures an event RADIUS Server2 with OpenVPN as RADIUS client, and the value of NAS ID is 12345.
To map all requests containing 12345 as NAS ID to RADIUS Server2, define the following event selection rule:
Input-Attribute: NAS-Identifier
Regular expression: ^12345$
Result specification: RADIUS Server2
After you configure, the rule looks as follows:
NAS-Identifier / ^12345$ / RADIUS Server2
Example 2: There are two RADIUS events and two RADIUS clients as follows:

| RADIUS Events | RADIUS Clients |
|---|---|
| RADIUS Server | 172.16.0.1 |
| RADIUS Server2 | 192.168.0.1 |

To map all requests from 172.16.0.1 to RADIUS Server event and 192.168.0.1 to RADIUS Server2 respectively, define the following event selection rules:

| Rule 1 | Rule 2 |
|---|---|
| Input-Attribute: Packet-Src-IP-Address | Input-Attribute: Packet-Src-IP-Address |
| Regular expression: 172.16.0.1 | Regular expression: 192.168.0.1 |
| Result specification: RADIUS Server | Result specification: RADIUS Server2 |

After you configure, the rules are displayed as follows:
Packet-Src-IP-Address / 172.16.0.1 / RADIUS Server
Packet-Src-IP-Address / 192.168.0.1 / RADIUS Server2
Configure this rule to select a specific chain for authenticating users to the RADIUS client. A chain is selected based on the input attribute and condition (regular expression).
To configure the Chain selection rule, perform the following steps:
Navigate to Policies > RADIUS Options.
Click Add in the Chain selection section.
Specify the following details based on your requirement:
Input-Attribute
Regular expression
Result specification
Comment
Click OK.
For example, a RADIUS event has two RADIUS clients and two chains defined.
To select a specific chain from multiple chains based on the NAS ID of the RADIUS client, define the following chain selection rules:

| Rule 1 | Rule 2 |
|---|---|
| Input-Attribute: NAS-Identifier | Input-Attribute: NAS-Identifier |
| Regular expression: ^12345$ | Regular expression: ^openvpn$ |
| Result specification: LDAP + SMS | Result specification: LDAP + Smartphone |

After you configure, the rules look as follows:
NAS-Identifier / ^12345$ / LDAP + SMS
NAS-Identifier / ^openvpn$ / LDAP + Smartphone
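Event selection and Chain selection rules have the same shape (Input-Attribute, regular expression, Result specification), so one added example, which is not code from the product or the original page, serves both passages above. The first-match-wins ordering and the use of an unanchored search are assumptions made here, not behaviour the page documents. It also shows why the Event selection Example 2 rules deserve a second look from a defender's side: `172.16.0.1` written as a regex has unescaped dots and no anchors, so it also matches a client at 172.16.0.10, which would route that client's requests to an event, and possibly a chain, that was never meant for it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SelectionRule:
    """An Event selection or Chain selection rule:
    Input-Attribute / Regular expression / Result specification."""
    attribute: str
    regex: str
    result: str


def select(attrs: Dict[str, str], rules: List[SelectionRule]) -> Optional[str]:
    """Return the Result specification of the first rule whose regex matches
    the named request attribute, or None when no rule matches.

    Assumptions of this example (the page does not state them): rules are
    evaluated top to bottom, the first match wins, and the regex is searched
    anywhere in the value unless the rule anchors it with ^ and $.
    """
    for rule in rules:
        value = attrs.get(rule.attribute)
        if value is not None and re.search(rule.regex, value) is not None:
            return rule.result
    return None


# Event selection rules exactly as written in the page's Example 2.
EVENT_RULES_AS_WRITTEN = [
    SelectionRule("Packet-Src-IP-Address", r"172.16.0.1", "RADIUS Server"),
    SelectionRule("Packet-Src-IP-Address", r"192.168.0.1", "RADIUS Server2"),
]

# Same intent with the dots escaped and the pattern anchored, so that only
# the exact address matches.
EVENT_RULES_EXACT = [
    SelectionRule("Packet-Src-IP-Address", r"^172\.16\.0\.1$", "RADIUS Server"),
    SelectionRule("Packet-Src-IP-Address", r"^192\.168\.0\.1$", "RADIUS Server2"),
]

# Chain selection rules from the page, keyed on NAS-Identifier.
CHAIN_RULES = [
    SelectionRule("NAS-Identifier", r"^12345$", "LDAP + SMS"),
    SelectionRule("NAS-Identifier", r"^openvpn$", "LDAP + Smartphone"),
]


def route(request: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Pick the event and the chain for one request using the exact-match event rules."""
    return {
        "event": select(request, EVENT_RULES_EXACT),
        "chain": select(request, CHAIN_RULES),
    }


if __name__ == "__main__":
    # Constructed sample: a client whose source address shares a prefix with 172.16.0.1.
    lookalike = {"Packet-Src-IP-Address": "172.16.0.10", "NAS-Identifier": "openvpn"}
    print("as written:", select(lookalike, EVENT_RULES_AS_WRITTEN))  # RADIUS Server (over-match)
    print("exact:     ", route(lookalike))                              # event None
```

The chain rules on the page are already anchored (`^12345$`, `^openvpn$`), which is the form to copy for the address rules as well; a rule that matches nothing is easier to notice in testing than one that silently sends a client to the wrong event.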
Configure this rule to display relevant details of a user in the RADIUS client after authentication. Details can be group name of the user, tenant name, phone number, e-mail address and so on.
To view the list of supported attributes, see Used Attributes.
To configure the Result specification rule, perform the following steps:
Navigate to Policies > RADIUS Options.
Click Add in the Result specification section.
Specify the following details:
Return-Attribute
User attribute
Regular expression
Result specification
Comment
Click OK.
For example:
To display only the group names of the authenticated user on the RADIUS client, define the result specification rule as follows:
Return-Attribute: Filter-Id
User attribute: groups
Regular expression: .*?CN=(.*?)(,|$)
Result specification: {1}
After you configure, the rule looks as follows:
Filter-Id / groups / .*?CN=(.*?)(,|$) / {1}
To display the group name of the authenticated user on the RADIUS client in the format CN=group name, define the result specification rule as follows:
Return-Attribute: Filter-Id
User attribute: groups
Regular expression: .*?(CN=.*?)(,|$)
Result specification: {1}
After you configure, the rule looks as follows:
Filter-Id / groups / .*?(CN=.*?)(,|$) / {1}
To display the tenant name of the authenticated user on the RADIUS client, define the result specification rule as follows:
Return-Attribute: User-Name
User attribute: tenant_user_name
After you configure, the rule looks as follows:
User-Name / tenant_user_name
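The three Result specification examples above extract a value from a user attribute and return it to the RADIUS client in the authentication response. The following added example, which is not code from the product or the original page, runs those same rules over a constructed user record; the attribute names as dictionary keys, the handling of a multi-valued `groups` attribute (one reply attribute per matching group DN) and the treatment of an empty regular expression as "copy the value unchanged" are assumptions of this example, not documented product behaviour.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class ResultRule:
    """A Result specification rule: Return-Attribute / User attribute /
    Regular expression / Result specification."""
    return_attribute: str
    user_attribute: str
    regex: str = ""         # empty: return the user attribute unchanged (the tenant_user_name example)
    result: str = "{0}"     # {0} = whole match, {n} = capture group n


def expand_groups(spec: str, match: "re.Match") -> str:
    """Replace every {n} in the Result specification with capture group n."""
    return re.sub(r"\{(\d+)\}", lambda g: match.group(int(g.group(1))) or "", spec)


def build_reply_attributes(user: Dict[str, Union[str, List[str]]],
                           rules: List[ResultRule]) -> List[Tuple[str, str]]:
    """Return the (attribute, value) pairs to add to the authentication response.

    A user attribute may be a single string or a list of strings (groups is a
    list of DNs). One reply attribute is emitted per list element that matches,
    so a user in two groups gets two Filter-Id values. Elements that do not
    match the regex are skipped rather than returned unchanged.
    """
    reply: List[Tuple[str, str]] = []
    for rule in rules:
        raw = user.get(rule.user_attribute)
        if raw is None:
            continue
        values = raw if isinstance(raw, list) else [raw]
        for value in values:
            if not rule.regex:
                reply.append((rule.return_attribute, value))
                continue
            match = re.search(rule.regex, value)
            if match is not None:
                reply.append((rule.return_attribute, expand_groups(rule.result, match)))
    return reply


# The page's three examples.
GROUP_NAME_RULE = ResultRule("Filter-Id", "groups", r".*?CN=(.*?)(,|$)", "{1}")
GROUP_CN_RULE = ResultRule("Filter-Id", "groups", r".*?(CN=.*?)(,|$)", "{1}")
TENANT_USER_RULE = ResultRule("User-Name", "tenant_user_name")

# Constructed sample user record (group DNs and the tenant user name are made up).
SAMPLE_USER: Dict[str, Union[str, List[str]]] = {
    "groups": [
        "CN=VPN Users,OU=Groups,DC=example,DC=com",
        "CN=Admins,OU=Groups,DC=example,DC=com",
    ],
    "tenant_user_name": "bob",
}


if __name__ == "__main__":
    for rule in (GROUP_NAME_RULE, GROUP_CN_RULE, TENANT_USER_RULE):
        print(build_reply_attributes(SAMPLE_USER, [rule]))
```

Because the RADIUS client typically uses Filter-Id for its own authorization decisions, it is worth checking the extracted values against a few real group DNs before going live: the `(,|$)` terminator stops at the first comma, so a CN that itself contains an escaped comma would be returned truncated.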
The following table describes the supported user attributes.

| Attributes | Description |
|---|---|
| name | Use this attribute to display the name of the user |
| sid_hex | Use this attribute to display the user SID (AD only) in hexadecimal format |
| repo_name | Use this attribute to display the repository name |
| tenant_name | Use this attribute to display a tenant name |
| groups | Use this attribute to display the groups of the user |
| dn | Use this attribute to display the distinguished name of the user |
| cn | Use this attribute to display the common name of the user |
| | Use this attribute to display the email address of the user |
| mobile_phone | Use this attribute to display the mobile phone of the user |

An organization has configured the default RADIUS Server event with the following authentication chains and RADIUS clients:
Authentication chains:
LDAP + SMS
LDAP + Smartphone
LDAP + HOTP
RADIUS clients:
Client 1: 10.0.0.1 with NAS ID 12345id
Client 2: 10.0.0.2 with NAS ID 0789id
Now, the administrator wants to achieve the following tasks as per the RADIUS authentication requirement:
Select a chain based on NAS ID
If the NAS ID is 12345id, select LDAP + Smartphone
If the NAS ID is 0789id, select LDAP + SMS
Display user associated group names after authentication
For this requirement, you can configure the RADIUS policy with Input, Chain selection, and Result specification rules.
Configuration Steps:
Click Policies > RADIUS Options on the Administration portal.
Add Input, Chain selection, and Result specification rules as follows:

| Rule | Procedure |
|---|---|
| Input rules | |
| Chain selection | Rule 1: <br> Rule 2: |
| Result specification | |

After you implement these RADIUS rules, the following are possible scenarios:

| Scenario | Chain Selected for Authentication | Result |
|---|---|---|
| A user initiates authentication from RADIUS Client 1 (NAS ID: 12345id) | LDAP + Smartphone | The group names of the user are displayed on RADIUS Client 1 after successful authentication. |
| A user initiates authentication from RADIUS Client 2 (NAS ID: 0789id) | LDAP + SMS | The group names of the user are displayed on RADIUS Client 2 after successful authentication. |

An organization has configured two RADIUS Server events with the following details:

| Event Name | Chains Assigned to Event | IP Address of RADIUS Client | RADIUS Client Name | NAS ID |
|---|---|---|---|---|
| RADIUS Server | | 10.0.1.1 | openvpn1 | abc123 |
| RADIUS Server 1 | | 10.0.1.2 | openvpn2 | xyz456 |

Now, the administrator wants to achieve the following tasks as per the RADIUS authentication requirement:
Send requests from a RADIUS client to a specific RADIUS Server event based on the chain short name:
If the NAS ID is abc123, map requests to RADIUS Server event
If the NAS ID is xyz456, map requests to RADIUS Server 1 event
Display email address of users after authentication
For this requirement, you can configure the RADIUS policy with the Input rule, Event selection rule, and Result specification rule.
Configuration Steps:
Click Policies > RADIUS Options on the Administration portal.
Add Input, Event selection, and Result specification rules as follows:

| Rule | Procedure |
|---|---|
| Input rule | |
| Event selection | Rule 1: <br> Rule 2: |
| Chain selection | Rule 1: <br> Rule 2: |
| Result specification | |

After you implement these RADIUS rules, the following are possible scenarios:

| Scenario | Request Sent to the Event | Result |
|---|---|---|
| A user initiates authentication from openvpn1 (NAS ID: abc123) | RADIUS Server | The email address of the user is displayed on the openvpn1 RADIUS client after successful authentication. |
| A user initiates authentication from openvpn2 (NAS ID: xyz456) | RADIUS Server 1 | The email address of the user is displayed on the openvpn2 RADIUS client after successful authentication. |

You can add the details of one or more RADIUS clients in the Clients section. The defined input, event selection, chain selection, and result specification rules are applied to these RADIUS clients.
To add a RADIUS Client, perform the following steps:
Click Add.
Specify the IP address of the RADIUS Client in IP Address.
Specify the RADIUS Client name in Name.
Specify the RADIUS Client secret and confirm the secret.
Ensure that the RADIUS Client is set to ON.
Click next to the RADIUS Client to save the details.
The Clients section lists all the clients of different RADIUS Events. You can map all requests from a specific client to the required RADIUS event by defining the Event selection rule. For more information on how to create an event selection rule, see Event Selection Rule.