Configure Authorization Profiles
An Authorization profile allows adding attribute-based parameters to the authentication process in order to control user access based on the appropriate attributes transmitted to the network remote access point (VPN, firewall, router etc.).
It is a list of parameters (sets of attributes or attribute/value pairs) that determines user authentication policies. Authorization profiles apply to both generic and RADIUS channels.
ActivID AS checks Authorization profiles as users request access, and then it either checks data or sends data back to the Access Controller.
When a user attempts a connection, an Authorization Profile Selection Rule defined in the channel configuration specifies what data to check or send back to the Access Controller.
An Authorization Profile Selection Rule is selected based on the role and Authentication Policy to be used for the user (dynamic authentication) and the roles granted to the user.
Each rule specifies the following conditions to control access:
Each condition is independent, so the console does not check whether the selected Authentication Policy is eligible for the selected User Role:
- Authentication Policy only – the user must belong to an LDAP group enabled with the specified policy.
- User Role only – the user must be assigned the specified role. Users of each role should use different RADIUS IP addresses.
- Authentication Policy AND User Role – both conditions are applied in conjunction.
Check Before – Adds additional constraints on user access (restricts the role depending on defined static RADIUS values and/or LDAP user attributes). The success conditions are:
- The authentication request does not contain the Check Before attribute.
- If a static value is required, the value matches that of the Check Before attribute.
- If an LDAP value is required, the user LDAP value exists and the value matches that of the Check Before attribute.
There are also two automatic conditions:
- Check Before always succeeds (automatic success condition)
- Check Before always fails (automatic fail condition)
Check Before profiles can be generic or RADIUS-specific (to filter users based on LDAP attributes) by selecting the corresponding dictionary. Only the profiles configured with the same dictionary as selected in the Authorization Profile Selection Rule tab can be applied to the rule.
Send After – Specifies attribute name/value pairs to return to the service provider.
Send After profiles can be generic or RADIUS-specific by selecting the corresponding dictionary. Only the profiles configured with the same dictionary as selected in the Authorization Profile Selection Rule tab can be applied to the rule.
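The selection and Check Before logic described above, written out as an added Python model (a hypothetical illustration, not ActivID AS code; the `CheckBefore` fields, `rule_matches`, the attribute names and the sample request are assumptions). It makes one practical point visible: a request that does not carry the checked attribute succeeds, so the profile only constrains requests in which the access device actually sends that attribute.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class CheckBefore:
    """One Check Before profile entry (hypothetical model)."""
    attribute: str                        # attribute name from the selected dictionary
    static_value: Optional[str] = None    # required static value, if any
    ldap_attribute: Optional[str] = None  # LDAP user attribute that must match, if any
    automatic: Optional[bool] = None      # True = always succeeds, False = always fails

def rule_matches(rule: dict, policy: str, roles: set) -> bool:
    """Selection Rule: policy only, role only, or both (each condition independent)."""
    if "policy" in rule and rule["policy"] != policy:
        return False
    if "role" in rule and rule["role"] not in roles:
        return False
    return True

def evaluate_check_before(profile: CheckBefore, request_attrs: dict, ldap_user: dict) -> bool:
    """Return True when the Check Before profile permits the request."""
    if profile.automatic is not None:          # automatic success / fail conditions
        return profile.automatic
    if profile.attribute not in request_attrs:  # attribute absent from the request: success
        return True
    value = request_attrs[profile.attribute]
    if profile.static_value is not None and value != profile.static_value:
        return False                            # static value required and does not match
    if profile.ldap_attribute is not None:
        ldap_value = ldap_user.get(profile.ldap_attribute)
        if ldap_value is None or ldap_value != value:
            return False                        # LDAP value missing or does not match
    return True

# Constructed sample data: a RADIUS request and the LDAP entry of the requesting user.
SAMPLE_REQUEST = {"NAS-IP-Address": "10.0.0.1", "User-Name": "alice"}
SAMPLE_LDAP_USER = {"department": "finance", "allowedNas": "10.0.0.1"}

def demo() -> dict:
    """Evaluate a few profiles against the sample data (constructed values)."""
    return {
        "static_match": evaluate_check_before(CheckBefore("NAS-IP-Address", static_value="10.0.0.1"), SAMPLE_REQUEST, SAMPLE_LDAP_USER),
        "static_mismatch": evaluate_check_before(CheckBefore("NAS-IP-Address", static_value="10.0.0.2"), SAMPLE_REQUEST, SAMPLE_LDAP_USER),
        "attribute_absent": evaluate_check_before(CheckBefore("Called-Station-Id", static_value="x"), SAMPLE_REQUEST, SAMPLE_LDAP_USER),
        "ldap_match": evaluate_check_before(CheckBefore("NAS-IP-Address", ldap_attribute="allowedNas"), SAMPLE_REQUEST, SAMPLE_LDAP_USER),
        "ldap_missing": evaluate_check_before(CheckBefore("NAS-IP-Address", ldap_attribute="homeNas"), SAMPLE_REQUEST, SAMPLE_LDAP_USER),
        "always_fail": evaluate_check_before(CheckBefore("NAS-IP-Address", automatic=False), SAMPLE_REQUEST, SAMPLE_LDAP_USER),
    }
```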
You can create the Check Before and Send After profiles for an Authorization Profile Selection Rule when configuring a channel or independently as described in the following topics.