This document describes how to configure group-role mapping using Radius class attribute on Security Management Appliance (SMA)
Cisco recommends that you have a basic knowldge of SMA and Radius configuration.
The information in this document is based on these software and hardware versions:
AsyncOS 7.2.x and later
Security Management Appliance
Q. How to configure group-role mapping using Radius class attribute on Security Management Appliance?
A. Radius authentication on the SMA allows administrators to provide users with access to the Web Graphic User Interface (GUI) of the SMA. In addition, it provides the ability to map different user groups, based on the RADIUS class attribute, to different roles like Operator for the SMA.
Steps to configure group-role based mapping using Radius on SMA are as following:
From SMA GUI:
Navigate to the System Administration > Users (under Management Appliance tab)
Click the Edit Global Setting under External Authentication.
Under Group Mapping: field : “RADIUS CLASS Attribute”.
Enter Correspondence value of “IETF Attribute type 25 - Class Attribute” from Radius server.
Enter Role from the drop down bar.
Submit and commit.
The RADIUS server can be configured for many attributes based on user groups. Once a user is authenticated via Radius, the SMA can check the group attributes and assign different role mappings. SMA will match the Radius Attribute class value configured on the Radius Server (Standard RADIUS attribute #25).
To configure Class Attribute on radius server, you would need to login to radius server as Administrator.
Consider "IETF Attribute type 25 - Class Attribute" shows value of 'Domain Admin' for users with administrator privilege.
On radius server On SMA, Under "RADIUS CLASS Attribute” type Domain Admin and Under Role type Administrator
You may add multiple 'Group Mapping' rows by clicking 'Add Row'
Note: Radius server MUST have same class attribute value configured. The value is case-sensitive.