Mapping roles to authorization attributes
Users who do not have a NetProfiler account must have both their authentication information (login name, password) and their authorization information (user role indicated by the value of the Class attribute or the Cascade-User-Role attribute) specified on the RADIUS server. The values of the RADIUS authorization attributes must be mapped to their corresponding user roles on NetProfiler.
Ensure that you know which authorization attributes the RADIUS administrator is using and what values may be assigned to them. The authorization attribute/value pairs must use either the Class attribute or the Cascade-User-Role attribute. The values assigned to these attributes (for example, admin, operator, monitor) are free form. However, the values on the RADIUS server and the values on NetProfiler must match for the user to be logged on.
To map the NetProfiler user roles to RADIUS authorization attributes:
1. Click Edit in the Roles-Attributes Mapping section of the RADIUS tab of the Configuration > Account Management > Remote Authentication page.
2. For the first NetProfiler user role, click Add new attribute to display an edit box.
3. Select the RADIUS authorization attribute (Class or Cascade-User-Role).
4. Enter the attribute value that is required for a RADIUS-authorized user to be logged on in this user role.
5. If applicable, click Add new attribute to add another mapping.
6. Continue with the next NetProfiler user role that is to be authorized by RADIUS.
7. For a Restricted role, specify the attribute/value pair necessary for limiting data resolution to automatic and specify the traffic filter attribute.
8. When the RADIUS authorization attributes have been mapped to their corresponding NetProfiler user roles and permissions, click Save.
9. If desired, click Test User to open a page on which you can specify a user name and password to be tested. When you click Run on this page, NetProfiler attempts to log the user in using RADIUS authentication and reports the test results.
A user who does not have a NetProfiler account logs in by entering the login name and password that are specified on the RADIUS server. NetProfiler sends this information to the RADIUS server in an authentication and authorization request.
If the RADIUS server can authenticate the user’s login name and password, it sends a "request accepted" code back to NetProfiler, along with the authorization attribute-value pair. The authorization value is a string that the RADIUS administrator assigns to the Class attribute or the Cascade-User-Role attribute. The NetProfiler administrator must assign this same attribute-value pair to the role that is to be remotely authorized.
When NetProfiler finds a match between the authorization attribute value sent by the server and the NetProfiler value for the attribute, it logs the user on to NetProfiler and authorizes the matching user role. If no match is found, then the login attempt fails.
When NetProfiler logs the user on, it automatically creates an account for the user. However, subsequent logins by the RADIUS user do not create multiple NetProfiler accounts for the user.
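The matching rule described above can be modeled offline to check a planned mapping against the values the RADIUS administrator assigns. The following is an added example, not NetProfiler code: the role names, attribute values, and function names are constructed for illustration, and it assumes the comparison is an exact, case-sensitive string match.

```python
# Added example: a model of the attribute-to-role match, not NetProfiler code.
from collections import defaultdict

ATTRIBUTES = {"Class", "Cascade-User-Role"}  # the two attributes the page allows

# Constructed sample mapping: NetProfiler role -> [(attribute, value), ...]
ROLE_MAP = {
    "Administrator": [("Class", "admin")],
    "Operator": [("Class", "operator"), ("Cascade-User-Role", "operator")],
    "Monitor": [("Cascade-User-Role", "monitor")],
}

def resolve_role(role_map, accept_attrs):
    """Return the role whose mapped pair appears among the attributes sent
    with the accept response, or None, which means the login fails.
    Assumption: values are compared as exact strings."""
    for role, pairs in role_map.items():
        for pair in pairs:
            if pair in accept_attrs:
                return role
    return None

def audit(role_map, server_pairs):
    """Compare the pairs assigned on the RADIUS server with the mapping and
    report problems that would block or blur authorization."""
    findings = []
    owners = defaultdict(set)
    for role, pairs in role_map.items():
        for attr, value in pairs:
            if attr not in ATTRIBUTES:
                findings.append(("bad-attribute", attr, value))
            owners[(attr, value)].add(role)
    # The same pair mapped to two roles leaves the granted role unclear.
    for pair, roles in owners.items():
        if len(roles) > 1:
            findings.append(("ambiguous", *pair))
    # Server values that match no role: those users cannot log on.
    normalized = {(a, v.strip().lower()) for a, v in owners}
    for attr, value in server_pairs:
        if (attr, value) in owners:
            continue
        near = (attr, value.strip().lower()) in normalized
        findings.append(("near-miss" if near else "unmapped", attr, value))
    return findings
```

A "near-miss" finding marks a server value that differs from a mapped value only by case or surrounding whitespace, a common result of free-form values being typed separately on each side.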
Vendor-specific RADIUS attributes
Traffic filter on a RADIUS server