Configure this rule to return selected details of the authenticated user to the RADIUS client after authentication. These details can be the user's group names, tenant name, phone number, e-mail address, and so on.
To view the list of supported attributes, see Used Attributes.
To configure the Result specification rule, perform the following steps:
Navigate to Policies > RADIUS Options.
Click Add in the Result specification section.
Specify the following details:
Return-Attribute
User attribute
Regular expression
Result specification
Comment
Click OK.
For example:
To display only the group names of the authenticated user on the RADIUS client, define the result specification rule as follows:
Return-Attribute: Filter-Id
User attribute: groups
Regular expression: .*?CN=(.*?)(,|$)
Result specification: {1}
After you configure it, the rule looks as follows:
Filter-Id / groups / .*?CN=(.*?)(,|$) / {1}
To display the group name of the authenticated user on the RADIUS client in the format CN=<group name>, define the result specification rule as follows:
Return-Attribute: Filter-Id
User attribute: groups
Regular expression: .*?(CN=.*?)(,|$)
Result specification: {1}
After you configure it, the rule looks as follows:
Filter-Id / groups / .*?(CN=.*?)(,|$) / {1}
To display the tenant name of the authenticated user on the RADIUS client, define the result specification rule as follows:
Return-Attribute: User-Name
User attribute: tenant_user_name
After you configure it, the rule looks as follows:
User-Name / tenant_user_name
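As an added illustration (not code from the product documentation), the following Python snippet applies the two Filter-Id rules above to a constructed list of group DNs, so you can see which value each regular expression returns before you commit a rule. It assumes that the regular expression is searched in each value of the user attribute and that {n} in the result specification is replaced by capture group n; the product's exact matching semantics are not stated on this page.

```python
import re

# Constructed sample values, as an LDAP repository might return them
SAMPLE_GROUPS = [
    "CN=VPN Users,OU=Groups,DC=example,DC=com",
    "CN=Admins,OU=Groups,DC=example,DC=com",
    "CN=Solo",                          # no trailing DN components
    "OU=NoGroup,DC=example,DC=com",     # no CN= component at all
]

RULE_GROUP_NAME_ONLY = r".*?CN=(.*?)(,|$)"   # yields "VPN Users"
RULE_GROUP_WITH_CN = r".*?(CN=.*?)(,|$)"     # yields "CN=VPN Users"


def apply_result_rule(value, regex, result_spec):
    """Apply one Result specification rule to one attribute value.

    Assumed semantics (hypothetical, not stated on the page): an empty
    regular expression returns the value unchanged; otherwise the regex
    is searched in the value and every {n} in result_spec is replaced
    by capture group n. A value the regex does not match yields None.
    """
    if not regex:
        return value
    match = re.search(regex, value)
    if match is None:
        return None
    return re.sub(r"\{(\d+)\}",
                  lambda p: match.group(int(p.group(1))) or "",
                  result_spec)


def filter_id_values(groups, regex, result_spec="{1}"):
    """Return the Filter-Id values a multi-valued groups attribute
    produces, skipping values the regular expression does not match."""
    results = []
    for group_dn in groups:
        rendered = apply_result_rule(group_dn, regex, result_spec)
        if rendered is not None:
            results.append(rendered)
    return results


if __name__ == "__main__":
    print(filter_id_values(SAMPLE_GROUPS, RULE_GROUP_NAME_ONLY))
    print(filter_id_values(SAMPLE_GROUPS, RULE_GROUP_WITH_CN))
```

Note that a group value without a CN= component produces no Filter-Id value at all, so check the group DNs your repository returns before relying on the rule for access decisions on the RADIUS client.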
The following table describes the supported user attributes.

| Attribute | Description |
|---|---|
| name | Use this attribute to display the name of the user |
| sid_hex | Use this attribute to display the user SID (AD only) in hexadecimal format |
| repo_name | Use this attribute to display the repository name |
| tenant_name | Use this attribute to display the tenant name |
| groups | Use this attribute to display the groups of the user |
| dn | Use this attribute to display the distinguished name of the user |
| cn | Use this attribute to display the common name of the user |
| | Use this attribute to display the email address of the user |
| mobile_phone | Use this attribute to display the mobile phone of the user |
An organization has configured the default RADIUS Server event with the following authentication chains and RADIUS clients:
Authentication chains:
LDAP + SMS
LDAP + Smartphone
LDAP + HOTP
RADIUS clients:
Client 1: 10.0.0.1 with NAS ID 12345id
Client 2: 10.0.0.2 with NAS ID 0789id
Now, the administrator wants to achieve the following tasks as per the RADIUS authentication requirement:
Select a chain based on NAS ID
If the NAS ID is 12345id, select LDAP + Smartphone
If the NAS ID is 0789id, select LDAP + SMS
Display user associated group names after authentication
For this requirement, you can configure the RADIUS policy with Input, Chain selection, and Result specification rules.
Configuration Steps:
Click Policies > RADIUS Options on the Administration portal.
Add Input, Chain selection, and Result specification rules as follows:
| Rule | Procedure |
|---|---|
| Input rules | |
| Chain selection | Rule 1: / Rule 2: |
| Result specification | |
After you implement these RADIUS rules, the following scenarios are possible:

| Scenario | Chain Selected for Authentication | Result |
|---|---|---|
| A user initiates authentication from RADIUS Client 1 (NAS ID: 12345id) | LDAP + Smartphone | The group names of the user are displayed on RADIUS Client 1 after successful authentication. |
| A user initiates authentication from RADIUS Client 2 (NAS ID: 0789id) | LDAP + SMS | The group names of the user are displayed on RADIUS Client 2 after successful authentication. |
An organization has configured two RADIUS Server events with the following details:
| Event Name | Chains Assigned to Event | IP Address of RADIUS Client | RADIUS Client Name | NAS ID |
|---|---|---|---|---|
| RADIUS Server | | 10.0.1.1 | openvpn1 | abc123 |
| RADIUS Server 1 | | 10.0.1.2 | openvpn2 | xyz456 |
Now, the administrator wants to achieve the following tasks as per the RADIUS authentication requirement:
Send requests from a RADIUS client to a specific RADIUS Server event based on the chain short name:
If the NAS ID is abc123, map requests to the RADIUS Server event
If the NAS ID is xyz456, map requests to the RADIUS Server 1 event
Display the email address of users after authentication
For this requirement, you can configure the RADIUS policy with the Input rule, Event selection rule, and Result specification rule.
Configuration Steps:
Click Policies > RADIUS Options on the Administration portal.
Add Input, Event selection and Result specification rules as follows:
| Rule | Procedure |
|---|---|
| Input rule | |
| Event selection | Rule 1: / Rule 2: |
| Chain selection | Rule 1: / Rule 2: |
| Result specification | |
After you implement these RADIUS rules, the following scenarios are possible:

| Scenario | Request Sent to the Event | Result |
|---|---|---|
| A user initiates authentication from openvpn1 (NAS ID: abc123) | RADIUS Server | The email address of the user is displayed on the openvpn1 RADIUS client after successful authentication. |
| A user initiates authentication from openvpn2 (NAS ID: xyz456) | RADIUS Server 1 | The email address of the user is displayed on the openvpn2 RADIUS client after successful authentication. |