How to configure RADIUS to send back group membership to RADIUS clients

    Applies to:
  • Legacy SecureAuth IdP
Deployment model:
  • On Premises
  • SecureAuth IdP Version Affected:  All



    How to configure RADIUS to send back group membership in a RADIUS attribute.



    Sometimes it is required to send back group membership in the RADIUS response so the RADIUS client can apply different policies or VPN profiles.



    1. Open the SecureAuth RADIUS admin console.
    2. Click on the RADIUS Clients tab
    3. Click the relevant RADIUS Client
    4. In the Data Attribute Mapping section, click the + icon to add a mapping.
    5. Then map GroupList to Class:

    6. Now open the IdP admin console and click on the Data tab for the realm that RADIUS uses.
    7. Ensure that the "Groups" property is mapped to the AD attribute "memberOf" (assuming the data store is AD)
    Special considerations:
    Please note that this will return full distinguished names of the groups.  When the user is a member of many groups or the groups are deeply nested this can quickly lead to a large value  being returned.  This is particularly pertinent with RADIUS because the UDP packet size is constrained to 4KB. 
    If the RADIUS packet exceeds 4KB then the RADIUS client (e.g. VPN Server) will not see this as an Access-Accept and the authentication attempt will be rejected.

    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products

    0 out of 0 found this helpful



    Please sign in to leave a comment.