RADIUS Proxy Service

Configure the RADIUS (Remote Authentication Dial-In User Service) Proxy service for any kind of RADIUS request that needs to be proxied to another RADIUS server (that is, a proxy target). There are no default rules associated with this service type. You can add rules to handle any type of standard or vendor-specific RADIUS attributes. Typically, proxying is based on the realm or the domain of the user who is trying to access the network.

To configure a RADIUS Proxy service:

1. Navigate to Configuration > Services, then click the Add link.

The Add Services page opens.

2. From the Service tab, select RADIUS Proxy from the Type drop-down list.

The RADIUS Proxy service configuration dialog opens:

Figure 1  RADIUS Proxy Service Configuration Dialog

3. Specify the Service tab parameters as described in the following table:

Table 1: RADIUS Proxy Service Tab Parameters

| Parameter | Action/Description |
| --- | --- |
| Type | Select RADIUS Proxy. |
| Name | Enter the name of the service. |
| Description | Optionally, provide additional information that helps to identify the service. |
| Monitor Mode | Select this check box to monitor network access activity without enforcement. |
| More Options | Check these boxes to access the additional configuration tabs: Authorization; Audit End-hosts; Profile Endpoints. |
| Service Rule | |
| Matches | Select the match condition for this service: Matches ANY; Matches ALL of the following conditions. |
| Type | Select "Click to add" to select the service rule type. |
| Name | Select the name of the service rule from the drop-down list. |
| Operator | Select an appropriate operator from the list of operators for the data type of the attribute. |
| Value | Enter the value or select the value from the drop-down list. The value list depends on the Type and Operator selected. |

4. Click Next.

Roles Tab

Use the Roles tab to associate a role-mapping policy with this service.

Figure 2  RADIUS Proxy Roles Configuration Dialog

1. Specify the Roles tab parameters as described in the following table:

Table 2: RADIUS Proxy Service > Roles Tab Parameters

| Parameter | Action/Description |
| --- | --- |
| Role Mapping Policy | Select a role mapping policy from the drop-down list. Policy Manager ships a number of preconfigured roles. NOTE: A service can be configured without a role-mapping policy, but only one role-mapping policy can be configured for each service. For information on configuring role-mapping policies, see Configuring a Role and Role-Mapping Policy. |
| Role Mapping Policy Details | |
| Description | When you select a Role Mapping Policy, Policy Manager populates the Description field. |
| Default Role | When you select a Role Mapping Policy, Policy Manager populates the Default Role field. The Default Role is the role to which Policy Manager defaults when the role-mapping policy does not produce a match. |
| Rules Evaluation Algorithm | Shows the first matched rule. |

2. Click Next.

Proxy Targets Tab

In Policy Manager, a proxy target represents a RADIUS server (Policy Manager or a third party) that is the target of a proxied RADIUS request.

For example, when a branch office employee visits a main office and logs into the network, Policy Manager assigns the request to the first service in priority order that contains a service rule for RADIUS proxy services and appends the domain to the username.

Figure 3  Proxy Targets Configuration Dialog

1. Specify the Proxy Targets parameters as described in the following table:

Table 3: RADIUS Proxy Service > Proxy Targets Parameters

| Parameter | Action/Description |
| --- | --- |
| Proxying Scheme | Select one of the following proxying schemes. Load Balance: When you select Load Balance, requests can be dispatched to the proxy targets randomly and load balanced. Failover: In Failover mode, requests can be dispatched to the first proxy target in the ordered list of targets and subsequently to the other proxy targets if the prior requests failed. |
| Proxy Targets | From the Select to Add drop-down list, select one or more proxy targets. |
| RADIUS attributes to be removed from remote server (proxy target) reply | |
| Type | Select Radius: IETF. |
| Name | Select Class (25). |
| Accounting Requests | Note the configuration below when working with Policy Manager or a proxy target that sends back a Class attribute in Access-Accept. This is required for the Accounting Proxy to work properly. The Policy Manager Proxy/Proxy server should be configured to remove those Class attributes. To do so, select the Enable proxy for accounting requests check box and select the IETF:Class attribute from the drop-down list. |

2. Click Next.

The Enforcement tab opens.
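What removing Class (25) from a proxy target's reply involves on the wire, as an added Python example that is not Policy Manager code: the attribute is dropped, the Length field is rewritten, and the Response Authenticator is recomputed as RFC 2865 defines it, because it covers the attribute bytes. The function names, the sample packet and the shared secret are constructed for illustration, and replies carrying Message-Authenticator (80) are rejected rather than re-signed.

```python
import hashlib
import struct

CLASS = 25                  # IETF Class attribute, the type selected for removal
MESSAGE_AUTHENTICATOR = 80  # would need its own HMAC-MD5 recomputation

def parse_attributes(data):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        a_type, a_len = data[i], data[i + 1]
        if a_len < 2 or i + a_len > len(data):
            raise ValueError("invalid attribute length")
        attrs.append((a_type, data[i + 2:i + a_len]))
        i += a_len
    return attrs

def response_authenticator(code, ident, attr_bytes, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()

def strip_from_reply(packet, request_auth, secret, remove=(CLASS,)):
    """Remove the listed attribute types from a reply and re-sign it."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs = parse_attributes(packet[20:length])
    if any(t == MESSAGE_AUTHENTICATOR for t, _ in attrs):
        raise ValueError("Message-Authenticator present; not handled here")
    kept = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs if t not in remove)
    auth = response_authenticator(code, ident, kept, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(kept)) + auth + kept

def build_sample_accept(request_auth, secret):
    """Constructed Access-Accept (code 2): Reply-Message (18) plus two Class attributes."""
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in
                     [(18, b"welcome"), (CLASS, b"target-state-1"), (CLASS, b"x")])
    auth = response_authenticator(2, 7, attrs, request_auth, secret)
    return struct.pack("!BBH", 2, 7, 20 + len(attrs)) + auth + attrs

if __name__ == "__main__":
    req_auth, secret = bytes(range(16)), b"constructed-secret"
    out = strip_from_reply(build_sample_accept(req_auth, secret), req_auth, secret)
    print([t for t, _ in parse_attributes(out[20:])], len(out))
```

In a real deployment the secret and Request Authenticator used for re-signing are those of the NAS-facing hop, which differ from the ones shared with the proxy target; the sample reuses one pair only to stay short.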

Enforcement Tab

Use this tab to select an enforcement policy for a service.

Figure 4  Enforcement Configuration Dialog

1. Specify the Enforcement parameters as described in the following table:

Table 4: RADIUS Proxy Service > Enforcement Parameters

| Parameter | Action/Description |
| --- | --- |
| Use Cached Results | Select this check box to use cached roles and posture attributes from previous sessions. |
| Enforcement Policy | Select the preconfigured enforcement policy from the drop-down list. This is mandatory. If you do not have any preconfigured enforcement policies, click Add New Enforcement Policy to create a new enforcement policy. |
| Enforcement Policy Details | |
| Description | Displays additional information about the selected enforcement policy. |
| Default Profile | Displays a default profile applied by Policy Manager. |
| Rules Evaluation Algorithm | Shows the first matched rule. |

2. Click Save.