RADIUS Groups

From Swivel Knowledgebase Wiki





Overview

RADIUS Groups.

PINsafe can include group information within the RADIUS response for a successful authentication. This can be used by the VPN to allocate different access rights to different user groups.

Different VPNs require this information in different formats. PINsafe supports a number of formats, and new formats can be added if required, with some development work.

Note that the response will reflect the membership of the groups defined on PINsafe rather than group names within the repository.

Prerequisites

PINsafe 3.6


How To

On the PINsafe RADIUS->NAS screen set RADIUS groups to Yes.

If you set a RADIUS keyword, only group names that contain that keyword will be returned in the RADIUS response. If this is left blank then all groups may be passed back, depending on the Vendor setting.

If a RADIUS authentication is successful then the RADIUS response will include the groups that the user is a member of in the format specified by the Vendor setting.

Vendor Settings

Cisco

The list of groups the user is a member of is returned in the RADIUS CLASS attribute (Attribute 25). It is returned in the format "OU=group1;group2"

Fortinet

Only one group is passed back, so use of the Group keyword is required to ensure the correct group is returned.

The group is passed back using a Vendor Specific Attribute List (12356).

The attributes in this list are: 1, the group; 2, the source IP address of the request; 3, "root".

Watchguard

Only one group is passed back, so use of the Group keyword is required to ensure the correct group is returned.

The group the user is a member of is returned in the RADIUS Filter-Id attribute (Attribute 11).

It is returned in the format "OU=group1;group2"
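The following is an added example, written in Python rather than PINsafe's Java vendor code, showing what the keyword filter from the How To section and the three vendor formats above actually put on the wire: it applies the keyword rule to a constructed list of PINsafe group names, encodes the result as a Cisco CLASS attribute, a Watchguard Filter-Id attribute or a Fortinet Vendor-Specific attribute (vendor id 12356, sub-attributes 1, 2 and 3), and decodes the bytes back so the output can be checked. The group names, keyword and client IP are constructed sample values; that the first matching group is the one sent for the single-group vendors, and that the Fortinet source IP travels as a 4-byte ipaddr, are assumptions.

```python
"""Added example (Python, not PINsafe's Java vendor code): build the RADIUS
group attributes in the three vendor formats the page describes and decode
them back. Group names, keyword and client IP are constructed sample values."""
import socket
import struct

# RFC 2865 attribute types used by the vendor formats on this page
ATTR_FILTER_ID = 11
ATTR_CLASS = 25
ATTR_VENDOR_SPECIFIC = 26
FORTINET_VENDOR_ID = 12356        # vendor id as given on the page

GROUPS = ["VPN-Users", "VPN-Admins", "Helpdesk"]   # constructed PINsafe group names


def filter_groups(groups, keyword):
    """PINsafe 'RADIUS keyword' rule: a blank keyword keeps every group,
    otherwise only group names containing the keyword are returned."""
    if not keyword:
        return list(groups)
    return [g for g in groups if keyword in g]


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value. Length counts
    the two header bytes, so a value may be at most 253 bytes (RFC 2865)."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id, sub_attrs):
    """Encode a Vendor-Specific attribute (26): Vendor-Id(4) then vendor
    sub-attributes in the same Type/Length/Value layout."""
    body = b"".join(attribute(t, v) for t, v in sub_attrs)
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + body)


def cisco_groups(groups, keyword=""):
    """Cisco: every matching group in CLASS (25) as 'OU=group1;group2'."""
    matched = filter_groups(groups, keyword)
    if not matched:
        return b""
    return attribute(ATTR_CLASS, ("OU=" + ";".join(matched)).encode())


def watchguard_group(groups, keyword=""):
    """Watchguard: one group in Filter-Id (11) with the 'OU=' prefix.
    Assumption: the first matching group is the one sent, which is why the
    page says the keyword is needed to narrow the list to one."""
    matched = filter_groups(groups, keyword)
    if not matched:
        return b""
    return attribute(ATTR_FILTER_ID, ("OU=" + matched[0]).encode())


def fortinet_group(groups, keyword, client_ip):
    """Fortinet: one group in a VSA with vendor id 12356; sub-attribute 1 is
    the group, 2 the source IP of the request, 3 the string 'root'.
    Assumptions: first matching group, and the IP in 4-byte ipaddr form."""
    matched = filter_groups(groups, keyword)
    if not matched:
        return b""
    return vsa(FORTINET_VENDOR_ID, [
        (1, matched[0].encode()),
        (2, socket.inet_aton(client_ip)),
        (3, b"root"),
    ])


def _tlvs(data):
    """Yield (type, value) pairs from a run of Type/Length/Value attributes,
    rejecting lengths under 2 or lengths that would run past the buffer."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % pos)
        t, ln = struct.unpack_from("!BB", data, pos)
        if ln < 2 or pos + ln > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (ln, pos))
        yield t, data[pos + 2:pos + ln]
        pos += ln


def decode_attributes(data):
    """Decode attributes; a VSA becomes (26, vendor_id, [(sub_type, value)...])
    so a reviewer can check what a vendor class actually put on the wire."""
    out = []
    for t, value in _tlvs(data):
        if t == ATTR_VENDOR_SPECIFIC:
            if len(value) < 4:
                raise ValueError("VSA shorter than its Vendor-Id field")
            vendor_id = struct.unpack("!I", value[:4])[0]
            out.append((t, vendor_id, list(_tlvs(value[4:]))))
        else:
            out.append((t, value))
    return out


if __name__ == "__main__":
    for name, raw in [("cisco", cisco_groups(GROUPS, "VPN")),
                      ("watchguard", watchguard_group(GROUPS, "Help")),
                      ("fortinet", fortinet_group(GROUPS, "Admin", "192.0.2.10"))]:
        print(name, raw.hex(), decode_attributes(raw))
```

One practical caveat the encoder makes visible: a single RADIUS attribute value cannot exceed 253 bytes, so a user who belongs to many long-named PINsafe groups will overflow the Cisco CLASS attribute unless the RADIUS keyword is used to trim the list; the `attribute` function raises rather than emitting a truncated value.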


Creating new Vendor Classes

Support for additional vendors can be achieved by creating new "vendor classes".

To create such a custom class, create a class in the com.swiveltechnologies.pinsafe.server.radius.vendor package that extends the AbstractVendor class and implements the Vendor interface.

For example

package com.swiveltechnologies.pinsafe.server.radius.vendor;

import java.util.List;

import com.swiveltechnologies.pinsafe.server.user.PINsafeUser;
import com.theorem.radserver3.Attribute;
import com.theorem.radserver3.AttributeList;
import com.theorem.radserver3.AuthInfo;

public class ExampleVendor extends AbstractVendor implements Vendor {

    // The constructor name must match the class name (the original read Cisco()).
    public ExampleVendor() {
        super();
    }

    // getVendorAttributeList(PINsafeUser, String, AuthInfo) is implemented here;
    // see the method shown under "The interface has the method" below.
}


Refer to http://www.axlradius.com/ for information on the RADIUS classes used.

The AbstractVendor class has a method in it that returns all the groups the user is a member of.

The interface has the method

    public AttributeList getVendorAttributeList(PINsafeUser user, String filter, AuthInfo ai) 

It is this method that the Vendor Class must implement.

For example

public AttributeList getVendorAttributeList(PINsafeUser user, String filter, AuthInfo ai) {
    String param = "";
    AttributeList aList = new AttributeList();
    // AbstractVendor supplies the user's groups, already narrowed by the RADIUS keyword filter
    List<String> group = getFilteredGroupList(user, filter);
    if (group.size() > 0) {
        // Join the group names with ';' (this simple example leaves a trailing ';';
        // the shipped Cisco class uses the "OU=group1;group2" form)
        for (int c = 0; c < group.size(); c++) {
            param = param.concat(group.get(c)) + ";";
        }
        // Return the list in the RADIUS CLASS attribute (Attribute 25)
        aList.addAttribute(Attribute.Class, param);
        return aList;
    } else {
        // No matching groups: nothing is added to the RADIUS response
        return null;
    }
}

Once the new class has been created it needs to be registered on PINsafe.

To do this, copy the class to the appropriate path, then edit the vendor.properties file under WEB-INF\classes and add the name, class pair as required:

null=com.swiveltechnologies.pinsafe.server.radius.vendor.Null
cisco=com.swiveltechnologies.pinsafe.server.radius.vendor.Cisco
fortinet=com.swiveltechnologies.pinsafe.server.radius.vendor.Fortinet
watchguard=com.swiveltechnologies.pinsafe.server.radius.vendor.Watchguard
example=com.swiveltechnologies.pinsafe.server.radius.vendor.ExampleVendor

You need to restart Tomcat for the changes to take effect.
