Using the RADIUS groups in VPM


Article ID: 167115


Updated On:


ProxySG Software - SGOS


You would like to write policy using the RADIUS group object

You need the dictionary file for BlueCoat ProxySG

How does one use the BlueCoat custom attribute in windows IAS / linux freeRADIUS


The ProxySG appliance allows you to build policy based on RADIUS groups.

One way to do this would be to simply use a standard RADIUS attribute such as Filter-ID, and manually map these to groups via CPL policy on the ProxySG appliance. However, this will not work if you are using VPM to write your policy.

To use visual policy manager (VPM) and RADIUS groups is outlined in the BlueCoat SGOS Administration Guide:

"Create a RADIUS realm group by using the custom Blue Coat attribute, which can appear multiple times within a RADIUS response. It can be used to assign a user to one or more groups. Values that are found in this attribute can be used for comparison with the group condition in CPL and the group object in VPM. The group name is a string with a length from 1-247 characters. The Blue Coat Vendor ID is 14501, and the Blue-Coat-Group attribute has a Vendor Type of 1."

The VPM will only work with the custom Blue Coat attribute. The important details are marked in bold above. Take note of this information to build a custom attribute.

The custom attribute has been tested with both FreeRADIUS and windows IAS; both should work fine.


- Define dictionary file : nano /usr/share/freeradius/dictionary.bluecoat

- Enter the following into the file:

#               $Id$
# vendor id = 14501

VENDOR          BlueCoat                        14501

#       These attributes contain the access-level value.

#vendor type = 1
ATTRIBUTE       Blue-Coat-Group                         1     string

END-VENDOR      BlueCoat

- edit /usr/share/freeradius/dictionary
- after $INCLUDE, add line:
$INCLUDE dictionary.bluecoat

- modify /etc/freeradius/users
# /etc/freeradius/users

Service-Type := Login-User,
Blue-Coat-Group := “xxx”
DEFAULT Auth-Type := Reject

- make sure to replace the “xxx” with the proper group you would like returned.
- make sure to use safe characters.  Hyphens should not be used in group names.
- use the Test feature in Configuration>Authentication>RADIUS>RADIUS Servers to confirm the group that is sent.
- use a pcap on port 1812 to see the accept or reject status from the server. If accept, identify what is sent to the proxy so it can be mapped in policy.  If reject, check authentication details and RADIUS configuration.

- restart free radius /etc/init.d/freeradius restart

For microsoft IAS:

- Open IAS manger
- Create a Remote Access Policy, and modify as necessary
- Edit Profile > Advanced
- Click the Add button
- Select Vendor Specific
- Enter vendor code : 14501
    “yes it conforms”
- Configure attribute
vendor-assigned attribute number : 1

The following screenshot illustrates this process: