Yeah even though it's in the R80.10 documentation I can't get it to work where it sets the access based on the RADIUS return value...

can you share more about your configuration? radius-server-object configuration etc.?

I'm using NPS Microsoft Server and I see it hitting my rules for authentication. I have the Vendor-Specific value set like this as noted in the documentation:

To use RADIUS groups, you must define a return attribute in the RADIUS user profile of the RADIUS server. This attribute is returned to the Security Gateway and contains the group name (for example, RAD_<group to which the RADIUS users belong>) to which the users belong.

Use these RADIUS attributes (refer to RFC 2865):

• For SecurePlatform - attribute "Class" (25)
• For other operating systems, including Gaia, Windows, and IPSO- attribute "Vendor-Specific" (26)

I have it set to 26 on my NPS, according to the document, but I just noticed in the GuiDBEdit the default is 25 for the radius_groups_attr setting. I'll udpate that and let you know how that works. Basically, I just followed that document.

I do have another issues though that I'd like you input. We have office mode setup, for example with 10.10.10.0/24, and when I authenticate I do get an address in that range on my endpoint but I want to be able to get to internal assets at that site that are not within that VPN range. So I need to get to 10.10.100.0/24, 10.10.120.0/24, etc. How do I accomplish this? When I do a route print after connecting to the CP VPN I only get a route for the office mode range.

This is separate from the RADIUS groups but I noticed that this wouldn't work even if the RADIUS groups worked...

I appreciate your willingness to help! 

Regarding the attributes: have you accounting enabled on your radius server objects?

[edit] and btw. did you enable "add_radius_groups" in AdvancedConfiguration of Global Properties?

Regarding the office mode setup: how does your encryption domain look like?

Yes, I followed the guidance and we even put on WireShark on the NPS server to see the recieved and return values being sent correctly back to CP but we were never able to see the correct setting of roles on the CP side. We even engaged CP support to take a look and the consensus was "this should work". We tried to play with the return values 25, 26, etc. for the NPS attribute class to no avail.

Encryption domain was the entire /24 we wanted to gain access.

We've abandoned this setup. If you have this working then I'd be interested in anything you could post for future site setups but at this moment we are not actively working on getting this to work. Thanks

Same concern we have, do you get any success till now ?? 
Refer the below Logs:- 
====
AVP: t=Class(25) l=46 val=89f1076200000137000102008dac98d30000000000000000…

I did get the VPN to work but abandoned setting the role based on the RADIUS group as I believe this feature does not work. Not even CP could get this to work. 

I did eventually get the routing figured out. Thanks for the input and for reaching out!

I'm certainly interested in your setup. Could you throw together some screenshots? What version/take are you on? I only had RADUIS setup at the time...I believe.

R77.30 Jumbo take 292. But i did that setup some time ago for a customer with older take.

from the guide: VPN for Remote Access Considerations 

To give access through RADIUS server groups:

1. In SmartDashboard, go to Manage > Server and OPSEC Applications.

   Servers and OPSEC Applications window opens.

2. Click New > RADIUS.

   The RADIUS Server Properties window opens.

3. Configure new server properties:
   1. Name the RADIUS Server object.
   2. Click New to create a new Host Object.

      Host Node window opens.

   3. Enter the Name and the IP Address of the new RADIUS Host object, and click OK.
   4. Select the Service - RADIUS (on port 1645) or NEW-RADIUS (on port 1812 service).

      Note - The default setting is RADIUS, however the RADIUS standards group recommends using NEW-RADIUS, because port 1645 can conflict with the datametrics service running on the same port.

   5. Enter the Shared Secret that you configured on the RADIUS server.
   6. Select the version - RADIUS Ver. 1.0 Compatible (RFC 2138 compliant) or RADIUS Ver. 2.0 Compatible (RFC 2865 compliant).
   7. Select the Priority, if you use more than one RADIUS Authentication server.
   8. Click OK.
   9. Click Close.
4. Create a generic* External User Profile:
   1. Go to Manage > Users and Administrators.

      Users and Administrators window opens.

   2. Go to New > External User Profile > Match all users.

      External User Profile Properties window opens.

   3. In the Authentication tab, select RADIUS as the Authentication Scheme.
   4. Select the created RADIUS server (not the node) from the drop-down list.
   5. Click OK.
   6. Click Close.
5. Define the RADIUS user groups
   1. Go to Manage > Users & Administrators.

      Users and Administrators window opens.

   2. Go to New > User Group.

      Group Properties window opens.

   3. Enter the name of the group in this format: RAD_<group to which the RADIUS users belong>. Make sure the group is empty.
   4. Click OK.
   5. Click Close.
6. Create the required Rule Base rules to allow access to RADIUS users.
7. Save the changes.
8. Close all SmartConsole windows.
9. On the Security Management Server, use GuiDBedit to change the value of the add_radius_groups attribute from false to true.
10. Save.
11. Close GuiDBedit.
12. Open SmartDashboard.
13. Install the policy.
14. On the RADIUS server, edit the RADIUS users to include a class RADIUS attribute on the users Return list that corresponds to the user group that they access.

Make sure you did step 9 in GuiDBedit otherwise the system will not look for RAD_group.

I kept using class 25. i see no reason to change it.

I would also recommand running Wireshark on the RADIUS server if possible and (enter the preshared key under preferences->protocol) and see if the RADIUS reply includes a class 25 attribute.

Hi all,

i am configure as the guide of you and after install policy on SMC but remote access vpn fail authen. Can you description step by step configure?

Thank you so much.

Duo uses an on premise proxy/connector to the cloud service. The RADIUS server is basically setup to the Duo proxy which forwards to the actual RADIUS server. If the response is successful then the proxy reaches out to the cloud for the MFA. If that is successful then the RADIUS response is released to the gateway. I would assume it would work similar for totally on-prem solutions like RSA, SafeNet, etc.

We have verified the updated instructions from CP for setting up this RADIUS connections with the CP groups does work. I appreciate the response from the original post from everyone that responded.

The only problem with MFA and this has quiet different behaviour from NPS radius server for example in the fact that you cannot make conditions based on AD groups. for instance, if you set RADIUS attributes (class 25 or any other attr) it's basically being sent back for all groups\users associated. Then we need to forward our RADIUS request through the MFA(cause we still need the OTP features from) to another RADIUS server(NPS, RSA etc)which will basically make the conditions based attributes received and AD groups.

Are you saying in general with NPS/RADIUS you can't set access for a user in an AD group or you are having a CP problem with using that response to set the access? I can say that we are setting CP permissions based on NPS/RADIUS response through MFA by following the most recent CP documentation utilizing Microsoft NPS, Duo, and CP. 

Hi,

I noticed that in the gateway properties - Authentication - Settings that you can switch from Legacy to RADIUS.  The issue we have is that I can make a group of our RADIUS servers, but 2 are used for Google Authentication and 2 are used for DUO.  They are seperate user names.   If I make one group with all 4 servers will it try one RADIUS server and keep going down the line to look for another user on a different RADIUS server if the user doesn't exist.  Or if it doesn't see the user on the first RADIUS server will it throw an error?

I'm betting it will throw an error, and I'm stuck with legacy - user defined which works but gets a POOR rating on the compliance blade since passwords can be used with legacy.