Adding vendor-specific RADIUS attributes (BlueCoat ProxySG)

Building on one of my previous posts (look here), I now wanted to integrate a bluecoat ProxySg more tightly into RADIUS. One of the Proxy features is to be able to build policy based on RADIUS groups. The easier method to do this would be to simply use a standard RADIUS attribute such as Filter-ID, and manually map these to groups via CPL policy in the BlueCoat itself. But I never like the easy way😉

The actual proper way to use visual policy manager and RADIUS groups is outlined vaguely in the BlueCoat admin guide:

Create a RADIUS realm group by using the custom Blue Coat attribute, which can
appear multiple times within a RADIUS response. It can be used to assign a user
to one or more groups. Values that are found in this attribute can be used for
comparison with the group condition in CPL and the group object in VPM. The
group name is a string with a length from 1-247 characters. The Blue Coat Vendor
ID is 14501, and the Blue-Coat-Group attribute has a Vendor Type of 1.

The VPM will only work with this custom Blue Coat attribute apparently. I marked the important line in bold above. We need this information to build a custom dictionary file for our FreeRADIUS server. I tested this with both FreeRADIUS and windows IAS, both work fine.

For FreeRADIUS:

  • Define dicitionary file : nano /usr/share/freeradius/dictionary.bluecoat
  • Enter the following into the file:

#
#       Unofficial bluecoat dictionary
#       By David Vassallo

  1.                $Id$
  2. vendor id = 14501

VENDOR          BlueCoat                        14501

  1.        These attributes contain the access-level value.
  2. BEGIN-VENDOR    BlueCoat

#vendor type = 1
ATTRIBUTE       Blue-Coat-Group                         1     string

END-VENDOR      BlueCoat

  • edit /usr/share/freeradius/dictionary
  • after $INCLUDE dictionary.nokia, add line:

$INCLUDE dictionary.bluecoat

  • modify /etc/freeradius/users

  1. /etc/freeradius/users

DEFAULT LDAP-Group == RADIUS_Users
Service-Type := Login-User,
Blue-Coat-Group := “xxx”
DEFAULT Auth-Type := Reject

  • make sure to replace the “xxx” with the proper group you would like returned.
  • restart free radius /etc/init.d/freeradius restart

For microsoft IAS:

  • open IAS manger
  • create remote access policy, and modify as necessary
  • edit profile > advanced
  • Click the add button
  • Select “vendor specific”
  • enter vendor code : 14501

“yes it conforms”

  • configure attribute

vendor-assigned attribute number : 1

Here’s a one-screen screenshot of the above process. Note it may appear “half there” or cut… just click on the picture to see it full screen in its entirety radius_custom

Edit : This article has been adapted and published to BlueCoat knowledge base, document ID: KB4019