Updated: November 16, 2015
This document describes how to configure group-role mapping using the RADIUS Class attribute on the Security Management Appliance (SMA).
Cisco recommends that you have a basic knowledge of SMA and RADIUS configuration.
The information in this document is based on these software and hardware versions:
AsyncOS 7.2.x and later
Security Management Appliance
Q. How do you configure group-role mapping using the RADIUS Class attribute on the Security Management Appliance?
A. RADIUS authentication on the SMA allows administrators to provide users with access to the web Graphical User Interface (GUI) of the SMA. In addition, it provides the ability to map different user groups, based on the RADIUS Class attribute, to different roles, such as Operator, on the SMA.
The steps to configure group-role based mapping using RADIUS on the SMA are as follows:
From the SMA GUI:
Navigate to System Administration > Users (under the Management Appliance tab).
Click Edit Global Setting under External Authentication.
Under Group Mapping, find the field "RADIUS CLASS Attribute".
Enter the corresponding value of "IETF Attribute type 25 - Class Attribute" from the RADIUS server.
Select the Role from the drop-down list.
Submit and commit.
The RADIUS server can be configured for many attributes based on user groups. Once a user is authenticated via RADIUS, the SMA can check the group attributes and assign different role mappings. The SMA matches the RADIUS Class attribute value configured on the RADIUS server (standard RADIUS attribute #25).
To configure the Class attribute on the RADIUS server, log in to the RADIUS server as Administrator.
Consider a RADIUS server where "IETF Attribute type 25 - Class Attribute" shows a value of 'Domain Admin' for users with administrator privilege.
On the SMA, under "RADIUS CLASS Attribute" type Domain Admin, and under Role type Administrator.
You may add multiple 'Group Mapping' rows by clicking 'Add Row'.
Note: The RADIUS server MUST have the same Class attribute value configured. The value is case-sensitive.
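The following Python sketch is an added example, not Cisco code and not the SMA's implementation. It shows where the Class attribute (type 25) sits in a RADIUS Access-Accept and why a value that differs only in case does not match a Group Mapping row. The packet builder, the function names, the 'Helpdesk' row and the first-match behaviour are assumptions made for illustration.

```python
import struct

CLASS = 25  # RFC 2865 attribute type 25 (Class)

# Constructed table mirroring Group Mapping rows; "Helpdesk" is a made-up value.
GROUP_MAPPING = {"Domain Admin": "Administrator", "Helpdesk": "Operator"}


def build_access_accept(identifier, attributes):
    """Build a constructed Access-Accept (code 2); the authenticator is zeroed."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    return struct.pack("!BBH16s", 2, identifier, 20 + len(body), b"\x00" * 16) + body


def class_values(packet):
    """Return every Class attribute value carried in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length, _auth = struct.unpack("!BBH16s", packet[:20])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    values, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        if attr_type == CLASS:
            values.append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return values


def role_for(packet, mapping=GROUP_MAPPING):
    """Exact, case-sensitive match of Class values against the mapping rows."""
    for raw in class_values(packet):
        role = mapping.get(raw.decode("utf-8", errors="replace"))
        if role is not None:
            return role  # assumption: the first matching row wins
    return None  # no row matched; the appliance's fallback is not modelled here


if __name__ == "__main__":
    for value in (b"Domain Admin", b"domain admin", b"Helpdesk"):
        pkt = build_access_accept(1, [(18, b"welcome"), (CLASS, value)])
        print(value, "->", role_for(pkt))
```

When a user authenticates but does not get the expected role, compare the Class value in a packet capture of the Access-Accept byte for byte with the value entered in the Group Mapping row.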