Implement FreeRadius with Management Center

Article ID: 171192

Products

Symantec Products

Issue/Introduction

You can use FreeRadius as the authentication and authorization realm for admin users on the Management Center (MC).

Environment

Symantec Management Center and FreeRadius running on a Debian system.

Resolution

There are many publicly available guides for FreeRadius installation. As an example, you can follow the steps here to install the FreeRadius service on Debian. Once the installation is complete, the important files are stored at:


/etc/freeradius/radiusd.conf
Contains the RADIUS service configuration.


/etc/freeradius/users
Contains the RADIUS user configuration. The MC recognizes two attributes: Blue-Coat-Group and Blue-Coat-Authorization. Both must be defined for each user in the users file, as in the example below:

bob Cleartext-Password:="secure_password"
    Reply-Message = "Hello, %{User-Name}",
    Blue-Coat-Group = "Administrators",
    Blue-Coat-Authorization = "2"


The first attribute is set to the string "Administrators", which is a default group defined on the MC. You can change this, but the string must match on both sides. Since this is a UNIX-based service, the strings are case sensitive. If you want a user who can only run reports, define a group on the MC called Monitor, add the appropriate rights on the MC under the Roles settings, and create a user on FreeRadius as below:

John Cleartext-Password:="securepassword"
    Reply-Message = "Hello, %{User-Name}",
    Blue-Coat-Group = "Monitor",
    Blue-Coat-Authorization = "2"


The second attribute cannot be changed on the MC. It is there by default, and it is also in the VCP file that you can download from Symantec's download portal: https://support.symantec.com.

NOTE: If you do not define the Blue-Coat-Authorization attribute, the user will be able to log in (authenticate) but won't be able to do anything (no authorization).

/etc/freeradius/clients.conf
Contains the clients configuration. In RADIUS, clients are the devices that authenticate the user against the RADIUS server. In this case it is the MC. The clients can be defined as below:

client SymantecMC {
    ipaddr = 1.1.1.1
    secret = radiussecret
}


NOTE: This KB is written for FreeRadius, but the concept of the two attributes applies to other RADIUS realms such as Cisco ACS.
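
The two rules given above for /etc/freeradius/users (both Blue-Coat attributes present, and the group string matching the MC group exactly, including case) can be checked before a change is deployed. The following Python script is an added example, not part of the original KB or of any Symantec tooling; the sample entries, the MC_GROUPS set and the function names are constructed for illustration.

```python
import re

# Constructed sample in the users-file layout shown above; "john" has both problems.
SAMPLE_USERS = '''\
bob Cleartext-Password:="secure_password"
    Reply-Message = "Hello, %{User-Name}",
    Blue-Coat-Group = "Administrators",
    Blue-Coat-Authorization = "2"

john Cleartext-Password:="securepassword"
    Blue-Coat-Group = "monitor"
'''
MC_GROUPS = {"Administrators", "Monitor"}  # assumed: group names defined on the MC
REQUIRED = ("Blue-Coat-Group", "Blue-Coat-Authorization")
REPLY_ITEM = re.compile(r'^\s+([\w-]+)\s*[:+]?=\s*"?(.*?)"?\s*,?\s*$')


def parse_users(text):
    """Return {user: {reply_attribute: value}} from users-file text."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # an unindented line starts a new user entry
            current = line.split()[0]
            users[current] = {}
        elif current is not None and (m := REPLY_ITEM.match(line)):
            users[current][m.group(1)] = m.group(2)
    return users


def audit(text, mc_groups):
    """Return (user, problem) pairs for entries that break the two-attribute rule."""
    findings = []
    for user, attrs in parse_users(text).items():
        findings += [(user, f"missing {name}") for name in REQUIRED if name not in attrs]
        group = attrs.get("Blue-Coat-Group")
        if group is not None and group not in mc_groups:  # exact, case-sensitive match
            near = [g for g in mc_groups if g.lower() == group.lower()]
            why = f"differs only in case from {near[0]!r}" if near else "is not defined on the MC"
            findings.append((user, f"group {group!r} {why}"))
    return findings


if __name__ == "__main__":
    for user, problem in audit(SAMPLE_USERS, MC_GROUPS):
        print(f"{user}: {problem}")
```

To audit a live configuration, pass the contents of /etc/freeradius/users and the set of group names actually defined on the MC to audit().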