Symantec Access Management

  • 1.  How to do Radius authentication scheme

    Posted Dec 18, 2015 06:21 PM

    Normally, we use a forms-based authentication scheme (FCC).  We have a new requirement where we might need to use RADIUS as the authentication scheme.  It's not clear from the CA doc exactly what I have to do to ask the user for credentials (user ID and password) and then pass them to the RADIUS server via the authentication scheme.  Also, if RADIUS is doing the authentication, does that mean the user directory configured for the policy domain is bypassed? What about authorization... does SiteMinder still do that the normal way using the user directory configured for the policy domain?  What about SSO... will the RADIUS authentication scheme still generate an SMSESSION cookie, and will it still work with my other apps that use the traditional forms-based auth scheme?



  • 2.  Re: How to do Radius authentication scheme

    Posted Dec 21, 2015 10:09 PM

    The CA SSO (SiteMinder) Policy Servers can act as a RADIUS Server, as a RADIUS client, or as both RADIUS Server and RADIUS client simultaneously.

     

    As a RADIUS Server, the Policy Server accepts RADIUS protocol requests from external RADIUS clients, typically network access servers (NAS), and returns RADIUS protocol responses.  As a RADIUS Server, the Policy Server can only perform Authentication, return RADIUS responses and acknowledge client RADIUS accounting requests.  As a RADIUS Server, the Policy Server does not perform authorization except what is implicit in the type and values of the RADIUS responses returned. 

     

    As a RADIUS client, the Policy Server accepts user credentials and makes an authentication request using the RADIUS protocol to an external RADIUS Server.  The RADIUS Server performs authentication and returns a RADIUS response such as RADIUS Accept or Reject.  In this RADIUS client configuration, the Policy Server delegates the test of credentials portion of authentication to the configured RADIUS Server and uses the RADIUS Server response type--Accept or Reject--to determine if the user credentials are valid.  The Policy Server ignores any RADIUS response attributes returned in the RADIUS Server's response.  After a successful RADIUS authentication, the Policy Server will search for the user in the configured User Directories and, if found, will perform the remaining Policy Server authentication process and create a typical "SiteMinder" user "session" based on the user identity and directory.  This requires the user login name or identity to be found in a configured Policy Server User Directory, but the Policy Server will not check the password against that directory.  If the request to the Policy Server was an Agent API Login request from a Web Agent, the Agent can build an SMSESSION cookie from the Policy Server response.  Once the session exists, the Policy Server can complete typical authorization.

     

    Your questions suggest that you want the Policy Server to act as RADIUS client and authenticate against an external RADIUS server.  To configure this for basic user name and password, configure a realm with the RADIUS Server Authentication Scheme.  In that scheme, configure the IP address, port and secret for the RADIUS Server.  This scheme accepts username and password and will produce a Basic challenge (HTTP 401 challenge) in a browser.  This authentication scheme does not work with an HTML form.

     

    The XAUTH RADIUS Solution Module may be required if you need forms-based RADIUS authentication.  XAUTH RADIUS integration with the Policy Server may provide additional capabilities as well.



  • 3.  Re: How to do Radius authentication scheme

    Posted Jan 29, 2019 09:14 AM

    Hi burja14,

     

    Thanks, this was well explained. I have a very similar situation, and my question: after I get a basic user name/password pop-up (well, actually, authentication fails for me with the error "user not authenticated by policy server"), will I be redirected to a second page to get the RADIUS code? I am using the same setup for MFA.

    1. I have created a realm configured with RADIUS auth.

     

    And could you please explain the steps? Should I create an HTML form-based auth scheme and redirect to the RADIUS auth scheme?

     

    Any help would be great from CA communities.



  • 4.  Re: How to do Radius authentication scheme

    Posted Feb 04, 2019 08:02 AM

    HubertDennis

     

    Could you please ponder some ideas and points to achieve this?



  • 5.  Re: How to do Radius authentication scheme

    Posted Feb 04, 2019 08:18 AM

    RADIUS within SSO only supports PAP; if CHAP (Challenge/Response) is needed, then only the XauthRADIUS module supports it.



  • 6.  Re: How to do Radius authentication scheme

    Posted Feb 07, 2019 05:24 AM

    But I am using the Policy Server as RADIUS client, so that the initial challenge happens from the Policy Server and the second authentication happens from the RADIUS Server. Would it still matter?



  • 7.  Re: How to do Radius authentication scheme

    Posted Feb 07, 2019 07:32 AM

    The OOTB module for SSO only allows to transmit all the data on the authentication to the Radius server. What you are describing is Challenge/Response where the initial authentication happens and forwards to Radius server which requires prompting for more information.



  • 8.  Re: How to do Radius authentication scheme

    Posted Feb 12, 2019 05:18 AM

    Thanks Sidney,

     

    more information like?



  • 9.  Re: How to do Radius authentication scheme

    Posted Feb 12, 2019 07:02 AM

    That will depend on your configuration. A good read on the RFC can be found at RFC 1994 - PPP Challenge Handshake Authentication Protocol (CHAP). Practically, if you are trying this with SiteMinder then you will need to look at a trial of XauthRADIUS Authentication in order to be able to test your configuration. PAP requires that you submit UserID/Password/Token_Value all in the initial post while CHAP would allow you to perform it in steps (UserID/Password, receive an additional challenge for and provide token response).
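
The single-request PAP flow discussed in this thread, as an added example that is not part of any post and is not CA/Broadcom code: the client hides the password (with any token value appended) under the shared secret as RFC 2865 specifies, and can only act on Accept or Reject, so an Access-Challenge ends the login. All function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
DECISION = {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", ACCESS_CHALLENGE: "reject-challenge"}

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: same keystream, chained on the hidden blocks."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes):
    """Client side: return (packet, request_authenticator) for one PAP login."""
    req_auth = os.urandom(16)
    hidden = hide_password(password, secret, req_auth)
    attrs = bytes([1, len(user) + 2]) + user + bytes([2, len(hidden) + 2]) + hidden  # User-Name, User-Password
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def build_response(code: int, ident: int, req_auth: bytes, secret: bytes) -> bytes:
    """Server side: attribute-less reply carrying the Response Authenticator."""
    header = struct.pack("!BBH", code, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()

def classify_response(packet: bytes, ident: int, req_auth: bytes, secret: bytes) -> str:
    """Client side: authenticate the reply, then decide. A PAP-only client cannot answer a challenge."""
    length = int.from_bytes(packet[2:4], "big")
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:length] + secret).digest()
    if len(packet) < 20 or packet[1] != ident or not hmac.compare_digest(packet[4:20], expected):
        return "drop"  # malformed, mismatched, or not signed with our shared secret
    return DECISION.get(packet[0], "drop")
```

The hiding step is only as strong as the shared secret configured on both sides, and the user name travels in the clear.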



  • 10.  Re: How to do Radius authentication scheme

    Posted Feb 28, 2019 06:16 AM

    Hi Sid_Mautte, Chris_Hackett

     

    How do I get the Xauth RADIUS Solution Module? Will this module be from CA or is it from RADIUS? And does this have a separate license?

     

    Please provide some details on this.

     

    Regards,

    Joseph Christie



  • 11.  Re: How to do Radius authentication scheme

    Posted Feb 28, 2019 06:34 AM

    You would need to reach out to your CA/Broadcom sales representative.