Sophos UTM optional settings

Some vendors support returning group information in the RADIUS response using vendor specific attributes. The following procedure describes how to use vendor specific attributes to return group information in a RADIUS response.

The vendors listed in step below are only a subset of the vendors that can possibly take advantage of including groups in RADIUS response. If your vendor can take advantage of groups in the RADIUS response and is not listed:

Determine the unique vendor code or ID.
Vendor ID identifies the vendor the content is targeted for and is entered as vendor specific ID.
For example Cisco refers to this value RADIUS Vendor ID, Citrix uses Vendor code.
Determine the vendor specific code associated with group policy. The vendor specific group code identifies to the vendor that this field contains group name values and is entered as Attribute ID. .
For example, for Cisco uses value 25 to indicate Group-Policy.

To configure the app to send RADIUS Group information in vendor specific attributes:

Note

This is an Early Access feature. To enable it, contact Okta Support.

In Okta, navigate to Applications > Applications.
Open the application by clicking its name.
Tip
You can narrow the set of applications displayed using the Search field.
Select the Sign on tab.
Scroll to the Advanced RADIUS Settings section and click Edit.

In the GROUPS RESPONSE section:

Check include groups in RADIUS response.

In the RADIUS attributes sub section, specify the following:

Field	Value	Comment
RADIUS attribute	26-Vendor specific	Must be 26-Vendor specific.
vendor specific ID	Enter one of : Cisco - ASA-Group-Policy (3076) Citrix-Group-Names (3845) Fortinet-Group-Name(12356) PaloAlto-User-Group(25461)	Enter the associated numeric vendor id. For example, for Cisco enter 3076. Unlisted - The unique vendor code or ID. For example Cisco refers to this value RADIUS Vendor ID, Citrix uses Vendor code.
Attribute ID	Cisco - ASA-Group-Policy (25) Citrix-Group-Names (16) Fortinet-Group-Name(1) PaloAlto-User-Group(5)	Enter the associated numeric attribute id. For example, for Cisco enter 25. Unlisted - The unique vendor specific code associated with group policy. For example, for Cisco uses value 25 to indicate Group-Policy.

Field

Value

Comment

RADIUS attribute

26-Vendor specific

Must be 26-Vendor specific.

vendor specific ID

Enter one of :
Cisco - ASA-Group-Policy (3076)

Citrix-Group-Names (3845)

Fortinet-Group-Name(12356)

PaloAlto-User-Group(25461)

Enter the associated numeric vendor id.
For example, for Cisco enter 3076.

Unlisted - The unique vendor code or ID. For example Cisco refers to this value RADIUS Vendor ID, Citrix uses Vendor code.

Attribute ID

Cisco - ASA-Group-Policy (25)

Citrix-Group-Names (16)

Fortinet-Group-Name(1)

PaloAlto-User-Group(5)

Enter the associated numeric attribute id. For example, for Cisco enter 25.

Unlisted - The unique vendor specific code associated with group policy. For example, for Cisco uses value 25 to indicate Group-Policy.

Important

Vendor specific ID and Attribute ID are string fields.

Caution

The maximum group membership value length is 247 bytes. In situations where length of group memberships or where any group names length exceeds the maximum size truncation will occur and partial values returned.
In such situations Okta suggests configuring the response as a set of Repeated Attributes as opposed to a single delimited list.

Click Save.

Next steps

Test the Sophos UTM integration