You can create a group-based web mapping for different policies within SWG using RADIUS. When a user authenticates to SWG using RADIUS, SWG can query the RADIUS server to get the group to which the user belongs. Then, SWG can use that group information to apply a policy. In this example, the Windows 2008 AD group will be returned to SWG.
- Configure the RADIUS server to return the proper attribute:
  NOTE: Various RADIUS server configurations might have different syntax requirements. This example shows how to use the Windows 2008 Network Policy Server (NPS), which passes back the proper attribute.
  - Build a user group in Active Directory (AD) and put all users into this group. This group will be used in the RADIUS server for group mapping.
  - Add a new RADIUS client:
    - Open the NPS console, right-click RADIUS Clients, and select New RADIUS Client.
    - Type the client Name and Address, which are the SWG name and IP address.
    - Type the Shared secret, which is the agreed secret that you will also enter in SWG.
  - Add a new Network Policy:
    - Expand Policies, right-click Network Policies, and select New.
    - Type a Policy Name, and click Next.
    - Add a condition. For example, select User Groups and select the new user group that you added above as the condition that triggers this policy. Click Next.
    - Select Access granted, and then click Next.
    - Select Unencrypted authentication (PAP, SPAP) as the authentication method, and then click Next. You see a warning message asking whether to read the help about using unencrypted authentication.
    - Click No, and then click Next. There is no need to add other constraints.
    - On the Configure Settings screen, select RADIUS Attributes, Standard in the left panel.
    - Click Add and select Login-LAT-Group from the Attributes list.
    - Click Add and type the group name string. The string is the name of the user group you created above (Managers in this example). The Attribute number 36 is shown. This number is the standardized attribute number for Login-LAT-Group.
    - Click OK, then Close.
    - Click Next, then Finish.
- Configure SWG to use RADIUS for authentication and to query the RADIUS server for group information:
  - Add a new RADIUS authentication engine:
    - Log on to the SWG GUI. Navigate to Policy, Settings.
    - Expand Engines, right-click Authentication, and then click Add.
    - Type a name for this engine.
    - Under the section RADIUS Specific Parameters, click Add and type the IP address of the RADIUS server.
    - Locate Shared secret and click Change to enter the shared secret you created above.
    - Locate Value of attribute with groups, and type 36 (the standardized attribute number for Login-LAT-Group, as described above).
    - Click Save changes.
  - Test the authentication:
    - Open the Authentication Test section.
    - Type an AD user name and password. This user must belong to the user group you created in AD in step 1.
    - Click Authenticate User. The group should be returned under Authentication group attributes.
You can now build policy with this newly added RADIUS authentication engine and the group attributes it returns.
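The exchange behind the Authentication Test above, as an added example that is not SWG or NPS code: SWG sends a RADIUS Access-Request carrying the user name and a PAP User-Password; NPS answers with an Access-Accept whose attribute 36 (Login-LAT-Group) holds the group string. The example builds both packets per RFC 2865, verifies the Response Authenticator with the shared secret before trusting any attribute, and extracts every Login-LAT-Group value. It also shows why NPS labels PAP "unencrypted": the password is only XOR-masked with an MD5 keystream derived from the shared secret, so the SWG-to-NPS link still needs network-level protection. The shared secret, request authenticator, user name and password are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types from RFC 2865 (standard values)
CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_LOGIN_LAT_GROUP = 36   # the attribute NPS is configured to return above

# Constructed sample values; a real client uses the secret typed into NPS/SWG
# and 16 fresh random bytes as the Request Authenticator of every request.
DEMO_SECRET = b"example-shared-secret"
DEMO_REQUEST_AUTH = bytes(range(16))


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Walk the attribute area; reject truncated or zero-length TLVs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2 User-Password hiding: XOR with an MD5 keystream, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block          # each block is chained through the previous ciphertext block
    return out


def build_access_request(ident, username, password, secret, request_auth):
    """Access-Request as SWG would send it for a PAP authentication."""
    attrs = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
    ])
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_access_accept(ident, request_auth, secret, attrs):
    """Access-Accept as the RADIUS server sends it; the Response Authenticator
    is MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def groups_from_response(packet, ident, request_auth, secret):
    """Verify identifier and Response Authenticator, then return all Login-LAT-Group values."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, reply_ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    if reply_ident != ident:
        raise ValueError("reply identifier does not match the outstanding request")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or tampered reply")
    if code != CODE_ACCESS_ACCEPT:
        return []             # Access-Reject or Access-Challenge carry no group to map
    return [v.decode("utf-8", "replace")
            for t, v in decode_attrs(body) if t == ATTR_LOGIN_LAT_GROUP]


def demo():
    """Constructed round trip: the reply carries Login-LAT-Group 'Managers' as in the NPS policy."""
    req = build_access_request(7, b"alice", b"Passw0rd!", DEMO_SECRET, DEMO_REQUEST_AUTH)
    reply = build_access_accept(7, DEMO_REQUEST_AUTH, DEMO_SECRET,
                                [(ATTR_LOGIN_LAT_GROUP, b"Managers")])
    return req, reply, groups_from_response(reply, 7, DEMO_REQUEST_AUTH, DEMO_SECRET)


if __name__ == "__main__":
    print(demo()[2])
```

A reply whose Response Authenticator does not verify under the configured shared secret is exactly what the Authentication Test surfaces as a failure when the secret entered in SWG and in the NPS RADIUS client differ, so checking the authenticator before reading attribute 36 is the check to keep in any custom client.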