user-manage radius-attribute-id define-as security-group

Function

The user-manage radius-attribute-id define-as security-group command specifies which RADIUS attribute in a RADIUS accounting packet is used as a security group.

The undo user-manage radius-attribute-id define-as security-group command cancels this setting.

Format

user-manage radius-attribute-id [ vendor-specific ] radius-attribute-id define-as security-group [ delimiter delimiter ]

undo user-manage radius-attribute-id define-as security-group

Parameters

Parameter: vendor-specific

Description: Uses the extended RADIUS attribute as the security group.

A RADIUS accounting packet contains 256 attribute fields, and the attribute ID ranges from 0 to 255. The attribute whose ID is 26 is an extended attribute, which is defined by the vendor. Other attributes are standard attributes.

Value: -

Parameter: radius-attribute-id radius-attribute-id

Description: Specifies the ID of the RADIUS attribute used as the security group.

The FW uses the parsed attribute as the user's security group.

  • If the command contains vendor-specific, the value indicates the sub-attribute ID of the extended attribute. For example, if the value is 40, the FW parses sub-attribute 40 of attribute 26 and uses this sub-attribute as the user's security group.
  • If the command does not contain vendor-specific, the value indicates the ID of a standard attribute (except attribute 26). For example, if the value is 40, the FW parses attribute 40 and uses this attribute as the user's security group.

Value: The value is an integer ranging from 0 to 255.

Parameter: delimiter delimiter

Description: Specifies the separator of the security group.

If the attribute parsed by the FW contains the specified separator, the user belongs to multiple security groups. For example, if the parsed attribute is a,b and the configured separator is a comma (,), the user belongs to both security groups a and b. If no separator is configured, the user belongs to security group a,b.

Value: The value is a string of 1 character. It cannot be a space, question mark (?), or Chinese character.

Views

RADIUS SSO view

Default Level

2: Configuration level

Usage Guidelines

In RADIUS SSO scenarios, if you need to use the RADIUS attribute as a security group and control policies based on the security group, run the user-manage radius-attribute-id define-as security-group command.

After this command is run, the FW parses the RADIUS attribute in a RADIUS accounting packet and uses the attribute as the user's security group.

Ensure that the security group named by the parsed attribute exists on the FW. Otherwise, the parsed security group will not be recorded in the online user table.

Example

# Specify RADIUS attribute 23 as a security group and set the separator to a comma (,).

<sysname> system-view
[sysname] user-manage single-sign-on radius
[sysname-sso-radius] user-manage radius-attribute-id 23 define-as security-group delimiter ,
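
The parsing described under Parameters, as an added Python example (not Huawei code) for checking which security groups a given setting would yield from a captured accounting packet. It assumes the RFC 2865 attribute and vendor-specific layouts, ignores the vendor ID, and takes the first matching attribute; the function names and the sample packet are constructed for illustration.

```python
import struct

def iter_attributes(packet: bytes):
    """Yield (type, value) for each attribute TLV after the 20-byte RADIUS header."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    yield from _tlvs(packet[20:length])

def _tlvs(buf: bytes):
    """Walk type(1) / length(1) / value records; length covers the 2-byte header."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute")
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def security_groups(packet, attr_id, vendor_specific=False, delimiter=None):
    """Return the group names the configured attribute would yield for this packet."""
    for atype, value in iter_attributes(packet):
        if vendor_specific and atype == 26:
            # Attribute 26 value: 4-byte vendor ID (ignored here), then sub-attribute TLVs.
            found = [v for t, v in _tlvs(value[4:]) if t == attr_id]
        elif not vendor_specific and atype == attr_id and atype != 26:
            found = [value]
        else:
            found = []
        if found:  # assumption: the first matching attribute wins
            text = found[0].decode("utf-8", errors="replace")
            return text.split(delimiter) if delimiter else [text]
    return []

def _tlv(t: int, v: bytes) -> bytes:
    return bytes([t, len(v) + 2]) + v

# Constructed sample Accounting-Request (code 4); vendor ID 99999 is a placeholder.
_ATTRS = (_tlv(1, b"alice") + _tlv(23, b"a,b")
          + _tlv(26, struct.pack("!I", 99999) + _tlv(40, b"ops;vpn")))
SAMPLE = struct.pack("!BBH", 4, 1, 20 + len(_ATTRS)) + bytes(16) + _ATTRS

if __name__ == "__main__":
    print(security_groups(SAMPLE, 23, delimiter=","))                        # ['a', 'b']
    print(security_groups(SAMPLE, 23))                                       # ['a,b']
    print(security_groups(SAMPLE, 40, vendor_specific=True, delimiter=";"))  # ['ops', 'vpn']
```
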
Copyright © Huawei Technologies Co., Ltd.