RADIUS attributes for users or groups
You can apply RADIUS attributes to users or groups. RADIUS attributes that are set for a user take precedence over attributes that are set for the groups to which the user belongs. The RADIUS attributes for both users and groups are the same.
When RADIUS attributes are set for a group, they are returned for each member of the group when that member authenticates.
To define user-based RADIUS attributes, use either the SafeNet FreeRADIUS Agent or Microsoft NPS. Both the FreeRADIUS Agent and Microsoft NPS are capable of returning RADIUS attributes that are defined in STA to the RADIUS client.
By default, RADIUS return attributes are defined for all auth nodes, or they can be restricted to selected auth nodes (excluding shared auth nodes) by using the Restrict To Auth Nodes check box.
When authenticating with a RADIUS token, STA also passes to the RADIUS client the RADIUS attributes that it received from an external RADIUS server. This is beneficial for authentication requests that may go to a third-party authentication service and then return through STA. It is also useful for migrations where an external RADIUS server continues to authenticate users that are not yet migrated to STA. With this feature, the RADIUS client can receive the same external attributes during the migration phase as before migration (without STA).
Also, refer to Block RADIUS authentication.
STA returns the attributes received from the external server after the attributes that are configured in STA. If the same attribute is configured in the external server and in STA but with different values, the RADIUS client decides how to interpret it. Avoid conflicting attribute definitions in STA and the external RADIUS server.
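The ordering and conflict rule described above, as an added example (not Thales or STA code): it models the reply as STA-configured attributes followed by external ones, and reports attributes defined on both sides with different values. All attribute values are constructed, and applying user-over-group precedence per attribute name is an assumption about how STA resolves precedence.

```python
# Added example: audit STA-configured vs. external RADIUS return attributes.
# Attributes are (name, value) pairs; all sample values are constructed.

def effective_sta_attributes(user_attrs, group_attrs):
    """User attributes take precedence over group attributes.
    Assumption: precedence is applied per attribute name."""
    user_names = {name for name, _ in user_attrs}
    inherited = [(n, v) for n, v in group_attrs if n not in user_names]
    return list(user_attrs) + inherited

def build_reply(user_attrs, group_attrs, external_attrs):
    """STA-configured attributes first, then those from the external server."""
    return effective_sta_attributes(user_attrs, group_attrs) + list(external_attrs)

def find_conflicts(user_attrs, group_attrs, external_attrs):
    """Attributes present in both STA and the external server with different
    values. The RADIUS client decides how to interpret these, so flag them."""
    sta = {}
    for name, value in effective_sta_attributes(user_attrs, group_attrs):
        sta.setdefault(name, set()).add(value)
    conflicts = {}
    for name, value in external_attrs:
        if name in sta and value not in sta[name]:
            entry = conflicts.setdefault(
                name, {"sta": sorted(sta[name]), "external": []})
            entry["external"].append(value)
    return conflicts

# Constructed sample data using standard RADIUS attribute names.
USER = [("Filter-Id", "vpn-admins")]
GROUP = [("Filter-Id", "vpn-users"), ("Session-Timeout", "3600")]
EXTERNAL = [("Session-Timeout", "28800"), ("Class", "legacy-pool")]

if __name__ == "__main__":
    for name, value in build_reply(USER, GROUP, EXTERNAL):
        print(f"{name} = {value}")
    for name, sides in find_conflicts(USER, GROUP, EXTERNAL).items():
        print(f"CONFLICT {name}: STA={sides['sta']} external={sides['external']}")
```

Running the audit before and during a migration shows which attributes the RADIUS client would receive twice with different values.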
Set RADIUS attributes for a user
- On the STA Token Management console, search for a user on the Assignment tab.
- Select the user.
- Select RADIUS Attributes (user).
- Select Add.
  The options and input values vary according to your selections. Consult your network equipment vendor’s documentation for guidance on which attributes to use.
- Select Add.
- Repeat as necessary to add more attributes.
Set RADIUS attributes for groups
- On the STA Token Management console, select Groups > RADIUS Attribute (Group).
- Select the group, and then select New.
  The options and input values vary according to your selections. Consult your network equipment vendor’s documentation for guidance on which attributes to use.
- Select Add.
- Repeat as necessary to add more attributes.
View RADIUS attributes for a group
- On the STA Token Management console, select Groups > RADIUS Attribute (Group).
- Select the group, and then select Search.
  The attributes that are assigned to the group are listed.
- To modify an attribute, select Edit, change the settings, and then select Save.
- To remove the group attribute, select Remove and then select Remove to confirm.