13.29.4 Result Specification Rule

Configure this rule to display relevant details of a user in the RADIUS client after authentication. Details can be group name of the user, tenant name, phone number, e-mail address and so on.

To view the list of supported attributes, see Used Attributes.

To configure the Result specification rule, perform the following steps:

Navigate to Policies > RADIUS Options.
Click Add in the Result specification section.
Specify the following details:
- Return-Attribute
- User attribute
- Regular expression
- Result specification
- Comment
Click OK.

For example:

To display only group names of authenticated user on the RADIUS client define the result specification rule as follows:

Return-Attribute: Filter-Id

User attribute: groups

Regular expression: .*?CN=(.*?)(,|$)

Result specification: {1}

After you configure, the rules look as follows:

Filter-Id / groups / .*?CN=(.*?)(,|$) / {1}

To display the group name of authenticated user on the RADIUS client in the format CN= group name, define the result specification rule as follows:

Return-Attribute: Filter-Id

User attribute: groups

Regular expression: .*?(CN=.*?)(,|$)

Result specification: {1}

After you configure, the rules look as follows:

Filter-Id / groups / .*?(CN=.*?)(,|$) / {1}

To display the tenant name of authenticated user on the RADIUS client define the result specification rule as follows:

Return-Attribute: User-Name

User attribute: tenant_user_name

After you configure, the rules look as follows:

User-Name / tenant_user_name

Following table describes the supported user attributes.

Attributes	Description
name	Use this attribute to display name of the user
sid_hex	Use this attribute to display user SID (AD only) in hexadecimal format
repo_name	Use this attribute to display repository name
tenant_name	Use this attribute to display a tenant name
groups	Use this attribute to display group of the user
dn	Use this attribute to display distinguished name of the user
cn	Use this attribute to display common name of the user
email	Use this attribute to display email address of the user
mobile_phone	Use this attribute to display mobile phone of the user

Scenario 1: Selecting an Authentication Chain based on NAS ID and Display Groups of the Authenticated User

An organization has configured the default RADIUS Server event with the following authentication chains and RADIUS clients:

Authentication chains:
- LDAP + SMS
- LDAP + Smartphone
- LDAP + HOTP
RADIUS clients:
- Client 1: 10.0.0.1 with NAS ID 12345id
- Client 2: 10.0.0.2 with NAS ID 0789id

Now, the administrator wants to achieve the following tasks as per the RADIUS authentication requirement:

Select a chain based on NAS ID
- If the NAS ID is 12345id, select LDAP + Smartphone
- If the NAD ID is 0789id, select LDAP + SMS
Display user associated group names after authentication

For this requirement, you can configure the RADIUS policy with Input, Chain selection, and Result specification rules.

Configuration Steps:

Click Policies > RADIUS Options on the Administration portal.

Add Input, Chain selection, and Result specification rules as follows:

Rule	Procedure
Input rules	Click Add in Input rules. Specify the following details: Target-Input-Attribute: User-Name Source-Input-Attribute: User-Name Regular expression: (.+)&(.+) Result specification: {1} Comment: To retrieve the user name Click OK.
Chain selection	Rule 1: Click Add in Chain selection. Specify the following details: Input-Attribute: NAS-Identifier Regular expression: ^12345id$ Result specification: LDAP + Smartphone Comment: To select a chain Click OK. Rule 2: Click Add in Chain selection. Specify the following details: Input-Attribute: NAS-Identifier Regular expression: ^0789id$ Result specification: LDAP + SMS Comment: To select a chain Click OK.
Result specification	Click Add in Result specification. Specify the following details: Return-Attribute: Filter-Id User attribute: groups Regular expression: .?CN=(.?)(,\|$) Result specification: {1} Comment: To display only group name of an authenticated user Click OK.

Rule

Procedure

Input rules

Click Add in Input rules.
Specify the following details:
- Target-Input-Attribute: User-Name
- Source-Input-Attribute: User-Name
- Regular expression: (.+)&(.+)
- Result specification: {1}
- Comment: To retrieve the user name
Click OK.

Chain selection

Rule 1:

Click Add in Chain selection.
Specify the following details:
- Input-Attribute: NAS-Identifier
- Regular expression: ^12345id$
- Result specification: LDAP + Smartphone
- Comment: To select a chain
Click OK.

Rule 2:

Click Add in Chain selection.
Specify the following details:
- Input-Attribute: NAS-Identifier
- Regular expression: ^0789id$
- Result specification: LDAP + SMS
- Comment: To select a chain
Click OK.

Result specification

Click Add in Result specification.
Specify the following details:
- Return-Attribute: Filter-Id
- User attribute: groups
- Regular expression: .*?CN=(.*?)(,|$)
- Result specification: {1}
- Comment: To display only group name of an authenticated user
Click OK.

After you implement this RADIUS rules, the following are possible scenarios:

Scenario	Chain Selected for Authentication	Result
A user initiates authentication from RADIUS Client 1 (NAS ID: 12345id)	LDAP + Smartphone	Group names of the user is displayed on the RADIUS Client 1 after successful authentication.
A user initiates authentication from RADIUS Client 2 (NAS ID: 0789id)	LDAP + SMS	Group names of the user is displayed on the RADIUS Client 2 after successful authentication.

Scenario 2: Mapping RADIUS requests to a Specific RADIUS Server Event based on NAS ID and Display Email Address of the Authenticated User

An organization has configured two RADIUS Server events with the following details:

Event Name	Chains Assigned to Event	IP Address of RADIUS Client	RADIUS Client Name	NAS ID
RADIUS Server	LDAP + SMS LDAP + HOTP	10.0.1.1	openvpn1	abc123
RADIUS Server 1	LDAP + Smartphone LDAP + TOTP	10.0.1.2	openvpn2	xyz456

Now, the administrator wants to achieve the following tasks as per the RADIUS authentication requirement:

Send request from a RADIUS client to a specific RADIUS Server event based on the chain short name:
- If the NAS ID is abc123, map requests to RADIUS Server event
- If the NAS ID is xyz456, map requests to RADIUS Server 1 event
Display email address of users after authentication

For this requirement, you can configure the RADIUS policy with the Input rule, Event selection rule, and Result specification rule.

Configuration Steps:

Click Policies > RADIUS Options on the Administration portal.

Add Input, Event selection and Result specification rules as follows:

Rule	Procedure
Input rule	Click Add in Input rules. Specify following details: Target-Input-Attribute: chain_short_name Source-Input-Attribute: User-Name Regular expression: (.+)&(.+) Result specification: {2} Comment: To retrieve text after the & symbol Click OK.
Event selection	Rule 1: Click Add in Event selection. Specify following details: Input-Attribute: NAS-Identifier Regular expression: ^abc123$ Result specification: RADIUS Server Comment: To select an event Click OK. Rule 2: Click Add in Event selection. Specify following details: Input-Attribute: NAS-Identifier Regular expression: ^xyz456$ Result specification: RADIUS Server 1 Comment: To select an event Click OK.
Chain selection	Rule 1: Click Add in Chain selection. Specify following details: Input-Attribute: chain_short_name Regular expression: ^HOTP$ Result specification: LDAP + HOTP Comment: To select chain Click OK. Rule 2: Click Add in Chain selection. Specify following details in the respective fields: Input-Attribute: NAS-Identifier Regular expression: ^TOTP$ Result specification: LDAP + TOTP Comment: To select a chain Click OK.
Result specification	Click Add in Result specification. Specify following details: Return-Attribute: Filter-Id User attribute: email Regular expression: . Result specification: email address is {email} Comment: To display email address of authenticated user Click OK.

After you implement this RADIUS rules, the following are possible scenarios:

Scenario	Request Sent to the Event	Result
A user initiates authentication from openvpn1 (NAS ID: abc123)	RADIUS Server	Email address of the user is displayed on the openvpn1 RADIUS client after successful authentication.
A user initiates authentication from openvpn2 (NAS ID: xyz456)	RADIUS Server 1	Email address of the user is displayed on the openvpn2 RADIUS client after successful authentication.