Authenticate Against Radius Server Assertion

The Authenticate Against Radius Server assertion is used to authenticate credentials against a RADIUS (Remote Authentication Dial In User Service) Server.
gateway90
The
Authenticate Against Radius Server
assertion is used to authenticate credentials against a RADIUS (Remote Authentication Dial In User Service) Server.
This assertion only provides authentication—authorization and accounting against the RADIUS server is not supported.
To learn about selecting the target message for this assertion, see Selecting a Target Message.
Be sure to precede this assertion with a username/password credential source.
Example:
The following simple policy fragment authenticates a user's HTTP Basic Credentials against the Radius server:
Radius_authentication_simple.png 
Context Variables Created by This Assertion
The Authenticate Against Radius Server assertion sets the following context variables.
Note:
The default
<prefix>
is "radius" and can be changed in the assertion properties.
Context variable
Description
<prefix>
.
<AttributeName>
Retrieves the Radius attribute value returned by the Radius server.
Example: ${radius.User-Name}
will return the user's name.
<prefix>
.
reasonCode
Returns a success/fail reason code from the table below.
A reason code is not returned if the authentication failed due to invalid credentials.
   
Code
Name
Description
0
Success
Authenticated against the Radius server successfully
-1
Radius Server Error
Any Radius server error (view the audit events for the failure reason)
-2
Radius Server Timeout
Radius server timed out. This code will be returned when the Radius server is unresponsive or if an invalid IP address is specified.
-3
Unknown Host
Unknown Radius server host. This code will be returned when the Radius server cannot be found or if an invalid hostname was specified.
-4
Secret Not Found
Secret key cannot be found from the stored password
-5
Configuration Error
The "Auth Port" or "Timeout" fields contain a context variable that did not resolve to a numeric value
-6
Challenge
Additional information required from the user (for example, PIN or token).
Authenticating Against a RSA SecurID Server
When working in a SecureID environment, the Authenticate Against Radius Server assertion sends an Access-Request, to which the RSA server responds with an Access-Challenge*, which includes a number of attributes (for example, Reply-Message and State). These attributes are accessible in the Gateway as <prefix>.<AttributeName> context variables (see above). You must construct a policy that decodes and answers these challenges, and then return the State attribute** that was received in the previous challenge. This is done by populating the  "Attributes" panel in the assertion properties. The Radius server tracks responses to Access-Challenges using the State attribute.
Examples of challenges used in authentication modes:
  • New PIN Mode: The user is prompted to enter a new pin.
  • Next Token Mode: The user is prompted to enter the next token.
You need to know the name of the "<AttributeName>" variables returned by the Radius server in order to process them properly. These attribute names may differ depending on the use case and the Radius server being used. Common attributes include:
<prefix>.reasonCode
,
<prefix>.Reply-Message
, and
<prefix>.State
.
Using the Assertion
  1. Do one of the following:
    • To add the assertion to the Policy Development window, see Adding an Assertion.
    • To change the configuration of an existing assertion, proceed to step 2 below.
  2. When adding the assertion, the
    Authenticate Against Radius Server Properties
    automatically appears; when modifying the assertion, right-click
    <target>
    Authenticate Against Radius Server
    in the policy window and choose
    Authenticate Against Radius Server Properties
    or double-click the assertion in the policy window. The properties dialog appears.
  3. Configure the properties as follows:Authenticate Against Radius Server settings
    Setting
    Description
    Host
    Enter the Radius Server host name. You may reference context variables.
    Secret
    Choose the stored secret to use from the drop-down list.
    Note: Only stored passwords may be used here —you cannot type in the secret. To define a stored password, click [
    Manage Passwords
    ]. For more information, see Manage Stored Passwords.
    Auth Port
    Enter the Radius Server authorization port number. You may reference context variables.
    The default port is:
    1812
    Timeout
    Enter the Radius Server authorization timeout value. You may reference context variables.
    The default timeout is:
    5
    seconds
    Authenticator
    Choose the authentication protocol to use from the drop-down list.
    Attributes
    Optionally add Radius attributes for the access request.
    For a list of the Radius attributes, see http://freeradius.org/rfc/attributes.html. Note that the attributes
    User-Name
    and
    User-Password
    are overridden by the user credentials.
     
    To add an attribute:
    1. Click [
      Add
      ].
    2. Enter a
      Name
      and
      Value
      for the attribute. You may reference context variables for the Value, but not the Name.
    3. Click [
      OK
      ].
    To modify an attribute:
    1. Select the attribute and then click [
      Edit
      ].
    2. Modify the Value. You may reference context variables for the Value, but not the Name.
    3. Click
      [OK
      ].
    To remove an attribute:
    1. Select the attribute to remove.
    2. Click [
      Delete
      ]. The attribute is removed.
    Radius Variable Prefix
    Enter a prefix that will be added to the context variables created by this assertion. This prefix will ensure uniqueness and will prevent the variables from overwriting each other when multiple instances of this assertion appear in a policy.
    Context variables are not supported for the prefix. If a variable is specified, the assertion will strip away the enclosing characters and use the variable name itself as the prefix. For example, specifying the variable "${abc}" will result in "abc" as the variable prefix.
  4. Click [
    OK
    ] when done.