10.20 RADIUS Options

In this policy, you can define rules using regular expressions to accomplish the following actions:

  • Select an appropriate chain for authenticating users to the RADIUS client

  • Authenticate users to a specific event when multiple RADIUS events are available

  • Display associated user groups in the authentication response after a successful authentication to the RADIUS client

  • Select a particular chain based on the information that the user specifies on the RADIUS client

    For example, if a user specifies username&chain-short-name (bob&OTP), then select the chain with the LDAP and SMS OTP methods. If the user specifies only the username (bob), then select the chain with the LDAP and Smartphone methods.

    NOTE: The chain short name is defined using regular expressions in either the Chain Selection rule or the Event Selection rule.

  • Define a specific authentication chain for a RADIUS client when there are multiple RADIUS clients mapped to the same RADIUS event

You can define the following rules in this policy: Input Rule, Event Selection Rule, Chain Selection Rule, and Result Specification Rule.

To understand how to configure the RADIUS Options policy with these rules, see the sample scenarios at the end of this section.

10.20.1 Input Rule

Configure this rule to obtain the user name or the chain short name from user-specified details in the RADIUS client. The details obtained from the RADIUS client are sent to the RADIUS server for validating users. To enable the RADIUS client to select a specific chain for authenticating a user based on the obtained chain short name, use this rule along with the Chain selection rule.

To configure the input rule, perform the following steps:

  1. Navigate to Policies > RADIUS Options.

  2. Click Add in the Input rules section.

  3. Specify the following details based on your requirement:

    • Target-Input-Attribute: Specify the attribute or variable that carries the user-specified data to the RADIUS server in the Access-Request packet.

    • Source-Input-Attribute: Specify the attribute that stores the user-specified details.

    • Regular expression: Specify the condition (pattern) used to obtain the user-specified details.

    • Result specification: Specify the value to store in the target attribute, typically a capture group reference such as {1} or {2}.

    • Comment: If any.

  4. Click OK.

Examples

Example 1: You can define the input rule as follows to obtain the chain short name from the user-specified <username>&<chain-short-name> entered in the Username field while logging in to the RADIUS client:

Target-Input-Attribute: chain_name

Source-Input-Attribute: User-Name

Regular expression: (.+)&(.+)

Result specification: {2} (extracts the chain short name from User-Name and stores it in the chain_name variable)

After you configure, the rule looks as follows:

chain_name / User-Name / (.+)&(.+) / {2}

Example 2: You can define the following input rules to split the user-specified password into the password and a six-digit OTP:

  • Rule 1: To extract the password (everything except the last six characters) and set it in the variable User-Password:

    Target-Input-Attribute: User-Password

    Source-Input-Attribute: User-Password

    Regular expression: (.*)(.{6})

    Result specification: {1}

  • Rule 2: To extract the six-digit OTP (the last six characters) from the password and set it in the variable User-OTP:

    Target-Input-Attribute: User-OTP

    Source-Input-Attribute: User-Password

    Regular expression: (.*)(.{6})

    Result specification: {2}

After you configure, the rules are displayed as follows:

User-Password / User-Password / (.*)(.{6}) / {1}

User-OTP / User-Password / (.*)(.{6}) / {2}

10.20.2 Event Selection Rule

Configure this rule to map the requests from the RADIUS client to a specific RADIUS event based on the input attribute and condition (regular expression).

To configure the Event selection rule, perform the following steps:

  1. Navigate to Policies > RADIUS Options.

  2. Click Add in the Event selection section.

  3. Specify the following details based on your requirement:

    • Input-Attribute

    • Regular expression

    • Result specification

    • Comment

  4. Click OK.

Examples

Example 1: An administrator configures an event RADIUS Server2 with OpenVPN as RADIUS client, and the value of NAS ID is 12345.

To map all requests containing 12345 as NAS ID to RADIUS Server2, define the following event selection rule:

Input-Attribute: NAS-Identifier

Regular expression: ^12345$

Result specification: RADIUS Server2

After you configure, the rule looks as follows:

NAS-Identifier / ^12345$ / RADIUS Server2

Example 2: There are two RADIUS events and two RADIUS clients as follows:

RADIUS Events      RADIUS Clients
RADIUS Server      172.16.0.1
RADIUS Server2     192.168.0.1

To map all requests from 172.16.0.1 to RADIUS Server event and 192.168.0.1 to RADIUS Server2 respectively, define the following event selection rules:

Rule 1:

  Input-Attribute: Packet-Src-IP-Address

  Regular expression: 172.16.0.1

  Result specification: RADIUS Server

Rule 2:

  Input-Attribute: Packet-Src-IP-Address

  Regular expression: 192.168.0.1

  Result specification: RADIUS Server2

After you configure, rules are displayed as follows:

Packet-Src-IP-Address / 172.16.0.1 / RADIUS Server

Packet-Src-IP-Address / 192.168.0.1 / RADIUS Server2

10.20.3 Chain Selection Rule

Configure this rule to select a specific chain for authenticating users to the RADIUS client. A chain is selected based on the input attribute and condition (regular expression).

To configure the Chain selection rule, perform the following steps:

  1. Navigate to Policies > RADIUS Options.

  2. Click Add in the Chain selection section.

  3. Specify the following details based on your requirement:

    • Input-Attribute

    • Regular expression

    • Result specification

    • Comment

  4. Click OK.

For example, a RADIUS event has two RADIUS clients and two chains defined.

To select a specific chain from multiple chains based on the NAS ID of the RADIUS client, define the following chain selection rules:

Rule 1:

  Input-Attribute: NAS-Identifier

  Regular expression: ^12345$

  Result specification: LDAP + SMS

Rule 2:

  Input-Attribute: NAS-Identifier

  Regular expression: ^openvpn$

  Result specification: LDAP + Smartphone

After you configure, the rules look as follows:

NAS-Identifier / ^12345$ / LDAP + SMS

NAS-Identifier / ^openvpn$ / LDAP + Smartphone

10.20.4 Result Specification Rule

Configure this rule to display relevant details of a user on the RADIUS client after authentication. The details can be the group name of the user, the tenant name, the phone number, the e-mail address, and so on.

To view the list of supported attributes, see Used Attributes.

To configure the Result specification rule, perform the following steps:

  1. Navigate to Policies > RADIUS Options.

  2. Click Add in the Result specification section.

  3. Specify the following details:

    • Return-Attribute

    • User attribute

    • Regular expression

    • Result specification

    • Comment

  4. Click OK.

For example:

To display only the group names of the authenticated user on the RADIUS client, define the result specification rule as follows:

Return-Attribute: Filter-Id

User attribute: groups

Regular expression: .*?CN=(.*?)(,|$)

Result specification: {1}

After you configure, the rule looks as follows:

Filter-Id / groups / .*?CN=(.*?)(,|$) / {1}

To display the group name of the authenticated user on the RADIUS client in the format CN=<group name>, define the result specification rule as follows:

Return-Attribute: Filter-Id

User attribute: groups

Regular expression: .*?(CN=.*?)(,|$)

Result specification: {1}

After you configure, the rule looks as follows:

Filter-Id / groups / .*?(CN=.*?)(,|$) / {1}

To display the tenant name of the authenticated user on the RADIUS client, define the result specification rule as follows:

Return-Attribute: User-Name

User attribute: tenant_user_name

After you configure, the rule looks as follows:

User-Name / tenant_user_name

The following table describes the supported user attributes.

Attribute       Description
name            Use this attribute to display the name of the user
sid_hex         Use this attribute to display the user SID (AD only) in hexadecimal format
repo_name       Use this attribute to display the repository name
tenant_name     Use this attribute to display the tenant name
groups          Use this attribute to display the groups of the user
dn              Use this attribute to display the distinguished name of the user
cn              Use this attribute to display the common name of the user
email           Use this attribute to display the email address of the user
mobile_phone    Use this attribute to display the mobile phone number of the user
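The four rule types above (Input, Event selection, Chain selection, Result specification) can be modelled as a small regex pipeline. The following Python is an added illustration written for this page, not Advanced Authentication's own code; the request attributes, the user record, the assumption that every input rule reads the original request, and the first-match-wins evaluation order are all assumptions. It also shows why an unanchored address pattern such as 172.16.0.1 should be written ^172\.16\.0\.1$.

```python
import re

# Constructed sample data (not a capture): request attributes and the user's record.
REQUEST = {"User-Name": "bob&OTP", "User-Password": "Secr3t!482913",
           "NAS-Identifier": "12345", "Packet-Src-IP-Address": "172.16.0.10"}
USER = {"groups": ["CN=VPN Users,OU=Groups,DC=example,DC=com",
                   "CN=Admins,DC=example,DC=com"]}

def expand(template, m):
    """Replace {n} references in a result specification with capture group n."""
    return re.sub(r"\{(\d+)\}", lambda g: m.group(int(g.group(1))), template)

def input_rule(attrs, target, source, regex, result):
    """Input rule: match the source attribute and store the expanded result
    in the target variable. Assumed: every rule reads the original request."""
    m = re.search(regex, attrs.get(source, ""))
    return {target: expand(result, m)} if m else {}

def select(attrs, rules):
    """Event/chain selection: the first rule whose regex matches wins."""
    for attr, regex, result in rules:
        if re.search(regex, attrs.get(attr, "")):
            return result
    return None

def result_spec(user, user_attr, regex, result):
    """Result specification: one return value per matching attribute element."""
    values = user.get(user_attr, [])
    values = values if isinstance(values, list) else [values]
    return [expand(result, m) for v in values if (m := re.search(regex, v))]

def run_policy(attrs=REQUEST, user=USER):
    derived = dict(attrs)
    for rule in [("chain_name", "User-Name", r"(.+)&(.+)", "{2}"),
                 ("User-OTP", "User-Password", r"(.*)(.{6})", "{2}"),
                 ("User-Password", "User-Password", r"(.*)(.{6})", "{1}")]:
        derived.update(input_rule(attrs, *rule))
    # Caveat: unanchored "172.16.0.1" also matches 172.16.0.10 (dot = any char); escape and anchor it.
    loose = select(derived, [("Packet-Src-IP-Address", r"172.16.0.1", "RADIUS Server")])
    strict = select(derived, [("Packet-Src-IP-Address", r"^172\.16\.0\.1$", "RADIUS Server")])
    # The extracted chain short name takes precedence; NAS-Identifier is the fallback.
    chain = select(derived, [("chain_name", r"^OTP$", "LDAP + SMS"),
                             ("NAS-Identifier", r"^12345$", "LDAP + Smartphone")])
    groups = result_spec(user, "groups", r".*?CN=(.*?)(,|$)", "{1}")
    return {"chain_name": derived.get("chain_name"), "User-OTP": derived.get("User-OTP"),
            "User-Password": derived.get("User-Password"), "loose_event": loose,
            "strict_event": strict, "chain": chain, "Filter-Id": groups}

if __name__ == "__main__":
    print(run_policy())
```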

Scenario 1: Selecting an Authentication Chain based on NAS ID and Display Groups of the Authenticated User

An organization has configured the default RADIUS Server event with the following authentication chains and RADIUS clients:

  • Authentication chains:

    • LDAP + SMS

    • LDAP + Smartphone

    • LDAP + HOTP

  • RADIUS clients:

    • Client 1: 10.0.0.1 with NAS ID 12345id

    • Client 2: 10.0.0.2 with NAS ID 0789id

Now, the administrator wants to achieve the following tasks as per the RADIUS authentication requirement:

  • Select a chain based on NAS ID

    • If the NAS ID is 12345id, select LDAP + Smartphone

    • If the NAS ID is 0789id, select LDAP + SMS

  • Display user associated group names after authentication

For this requirement, you can configure the RADIUS policy with Input, Chain selection, and Result specification rules.

Configuration Steps:

  1. Click Policies > RADIUS Options on the Administration portal.

  2. Add Input, Chain selection, and Result specification rules as follows:

    Input rules:

    1. Click Add in Input rules.

    2. Specify the following details:

      • Target-Input-Attribute: User-Name

      • Source-Input-Attribute: User-Name

      • Regular expression: (.+)&(.+)

      • Result specification: {1}

      • Comment: To retrieve the user name

    3. Click OK.

    Chain selection

    Rule 1:

    1. Click Add in Chain selection.

    2. Specify the following details:

      • Input-Attribute: NAS-Identifier

      • Regular expression: ^12345id$

      • Result specification: LDAP + Smartphone

      • Comment: To select a chain

    3. Click OK.

    Rule 2:

    1. Click Add in Chain selection.

    2. Specify the following details:

      • Input-Attribute: NAS-Identifier

      • Regular expression: ^0789id$

      • Result specification: LDAP + SMS

      • Comment: To select a chain

    3. Click OK.

    Result specification

    1. Click Add in Result specification.

    2. Specify the following details:

      • Return-Attribute: Filter-Id

      • User attribute: groups

      • Regular expression: .*?CN=(.*?)(,|$)

      • Result specification: {1}

      • Comment: To display only group name of an authenticated user

    3. Click OK.

    After you implement these RADIUS rules, the following are possible scenarios:

    • A user initiates authentication from RADIUS Client 1 (NAS ID: 12345id): the LDAP + Smartphone chain is selected for authentication, and the group names of the user are displayed on RADIUS Client 1 after successful authentication.

    • A user initiates authentication from RADIUS Client 2 (NAS ID: 0789id): the LDAP + SMS chain is selected for authentication, and the group names of the user are displayed on RADIUS Client 2 after successful authentication.

Scenario 2: Mapping RADIUS Requests to a Specific RADIUS Server Event based on NAS ID and Display Email Address of the Authenticated User

An organization has configured two RADIUS Server events with the following details:

Event Name        Chains Assigned to Event          IP Address of RADIUS Client   RADIUS Client Name   NAS ID
RADIUS Server     LDAP + SMS, LDAP + HOTP           10.0.1.1                      openvpn1             abc123
RADIUS Server 1   LDAP + Smartphone, LDAP + TOTP    10.0.1.2                      openvpn2             xyz456

Now, the administrator wants to achieve the following tasks as per the RADIUS authentication requirement:

  • Send requests from a RADIUS client to a specific RADIUS Server event based on the NAS ID:

    • If the NAS ID is abc123, map requests to the RADIUS Server event

    • If the NAS ID is xyz456, map requests to the RADIUS Server 1 event

  • Display the email address of users after authentication

For this requirement, you can configure the RADIUS policy with the Input rule, Event selection rule, and Result specification rule.

Configuration Steps:

  1. Click Policies > RADIUS Options on the Administration portal.

  2. Add Input, Event selection, and Result specification rules as follows:

    Input rule:

    1. Click Add in Input rules.

    2. Specify following details:

      • Target-Input-Attribute: chain_short_name

      • Source-Input-Attribute: User-Name

      • Regular expression: (.+)&(.+)

      • Result specification: {2}

      • Comment: To retrieve text after the & symbol

    3. Click OK.

    Event selection

    Rule 1:

    1. Click Add in Event selection.

    2. Specify following details:

      • Input-Attribute: NAS-Identifier

      • Regular expression: ^abc123$

      • Result specification: RADIUS Server

      • Comment: To select an event

    3. Click OK.

    Rule 2:

    1. Click Add in Event selection.

    2. Specify following details:

      • Input-Attribute: NAS-Identifier

      • Regular expression: ^xyz456$

      • Result specification: RADIUS Server 1

      • Comment: To select an event

    3. Click OK.

    Chain selection

    Rule 1:

    1. Click Add in Chain selection.

    2. Specify following details:

      • Input-Attribute: chain_short_name

      • Regular expression: ^HOTP$

      • Result specification: LDAP + HOTP

      • Comment: To select chain

    3. Click OK.

    Rule 2:

    1. Click Add in Chain selection.

    2. Specify following details in the respective fields:

      • Input-Attribute: NAS-Identifier

      • Regular expression: ^TOTP$

      • Result specification: LDAP + TOTP

      • Comment: To select a chain

    3. Click OK.

    Result specification

    1. Click Add in Result specification.

    2. Specify following details:

      • Return-Attribute: Filter-Id

      • User attribute: email

      • Regular expression: .

      • Result specification: email address is {email}

      • Comment: To display email address of authenticated user

    3. Click OK.

After you implement these RADIUS rules, the following are possible scenarios:

  • A user initiates authentication from openvpn1 (NAS ID: abc123): the request is sent to the RADIUS Server event, and the email address of the user is displayed on the openvpn1 RADIUS client after successful authentication.

  • A user initiates authentication from openvpn2 (NAS ID: xyz456): the request is sent to the RADIUS Server 1 event, and the email address of the user is displayed on the openvpn2 RADIUS client after successful authentication.

10.20.5 Adding Clients

You can add the details of one or more RADIUS clients in the Clients section. The defined input, event selection, chain selection, and result specification rules are applied to these RADIUS clients.

To add a RADIUS Client, perform the following steps:

  1. Click Add.

  2. Specify the IP address of the RADIUS Client in IP Address.

  3. Specify the RADIUS Client name in Name.

  4. Specify the RADIUS Client secret and confirm the secret.

  5. Ensure that the RADIUS Client is set to ON.

  6. Click next to the RADIUS Client to save the details.

The Clients section lists all the clients of different RADIUS Events. You can map all requests from a specific client to the required RADIUS event by defining the Event selection rule. For more information on how to create an event selection rule, see Event Selection Rule.