Configuring Authorization

Authorization can be completed at the time of initial authentication based on AD/LDAP group membership or RADIUS attributes included in the authentication request. Authorization can also be facilitated by RADIUS CoA after authentication has been completed, based on other criteria such as node group, noncompliance with a policy, or a change in status.

Configure Initial Authorization

Genian ZTNA provides the ability to specify an attribute for a device when it connects to the network. This can be used for assigning a VLAN, ACL or other attribute based on an attribute of the node authenticating, such as User-Name. Additionally, this feature can be used to selectively deny authentication requests.

  1. Go to Policy in the top panel.
  2. Go to Policy > RADIUS Policy in the left panel.
  3. Click Tasks > Create.
  4. For General, input Name, Priority, and activation Status.
  5. For Conditions, select Attribute.
  6. Select Operator and Value.
  7. Click Add button.
  8. For Policy, choose to ACCEPT or REJECT authentication requests that match the attribute conditions.
    • If ACCEPT, Select Additional Attributes to apply to the Node / User.
  9. Click Add button.
  10. Click Create button.

Note

You can use RADIUS attributes such as User-Name, Calling-Station-Id, Called-Station-Id, Framed-IP-Address, NAS-IP-Address, NAS-Port, Service-Type, Filter-Id, Login-IP-Host, Class, Vendor-Specific, NAS-Port-Type, Connect-Info, NAS-Port-ID, Aruba-User-Role, and Aruba-Essid-Name.

Attention

RADIUS client devices must support RFC 2868 and the IEEE 802.1X standard for client authentication.

Enable CoA (Change of Authorization)

If a device changes status after being authenticated to the network, such as violating a configured policy, the network access for the device can be restricted or denied using various RADIUS attributes. This is provided through the CoA standard (Change of Authorization, RFC 5176, Dynamic Authorization Extensions to RADIUS).

The CoA will disconnect the device from the network, at which point the device will attempt to reconnect. The RADIUS server will then return the desired attributes.

  1. Go to Policy in the top panel.
  2. Go to Policy > Enforcement Policy in the left panel.
  3. Click the name of the enforcement policy that should disconnect the session.
  4. Go to Enforcement Options > RADIUS Control.
  5. For RADIUS CoA, select On.
  6. For CoA Commands, select Terminate Session for a standard attribute or select another Vendor Specific Attribute (VSA).
  7. For Vendor-Specific-Attribute, enter the VSA value (for example, NAS-Filter-Rule = 'permit in tcp from any to any 23').
  8. Click Update button.
  9. Click Apply in the top right.
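To show what the Terminate Session command above puts on the wire, here is an added Python example (not Genian's code) that builds an RFC 5176 Disconnect-Request identifying a session by User-Name, Acct-Session-Id, Calling-Station-Id and NAS-IP-Address, and verifies the authenticator of the Disconnect-ACK or Disconnect-NAK the NAS returns. The shared secret, NAS address and session values are constructed, and the response builder simulates the NAS side so the exchange runs offline.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and the RFC 2865/2866 attribute types that identify a session.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 4, 31, 44

# Constructed sample values; a real deployment uses the NAS's configured shared secret.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_ATTRS = [
    (USER_NAME, b"alice"),
    (ACCT_SESSION_ID, b"0000A1B2"),
    (CALLING_STATION_ID, b"00-11-22-33-44-55"),
    (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),  # 4-octet IPv4 address
]

def encode_attrs(attrs):
    """TLV-encode (type, value) pairs; one AVP carries at most 253 value bytes."""
    out = b""
    for typ, val in attrs:
        if len(val) > 253:
            raise ValueError("attribute value too long for a single AVP")
        out += struct.pack("!BB", typ, len(val) + 2) + val
    return out

def build_disconnect_request(identifier, attrs, secret):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body

def build_response(code, request, secret, attrs=()):
    """Simulated NAS reply: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)  # a NAK may carry Error-Cause (type 101)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body

def verify_response(response, request, secret):
    """Return the code of a well-formed ACK/NAK matching this request, else None."""
    if len(response) < 20 or len(request) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK) or identifier != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None

if __name__ == "__main__":
    req = build_disconnect_request(7, SAMPLE_ATTRS, SAMPLE_SECRET)
    print(req.hex(), verify_response(build_response(DISCONNECT_ACK, req, SAMPLE_SECRET), req, SAMPLE_SECRET))
```

A reply that fails verification (wrong secret, mismatched Identifier, or a length that does not match the packet) is dropped as None rather than treated as confirmation that the session was terminated.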