
Configuring Steel-Belted RADIUS Proxy to Send Group Attributes
Copyright © 2010 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in
retrieval system, or transmitted, in any form or by any means electronic, mechanical, photocopying, recording or
otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the
licence terms or you otherwise have the prior permission in writing of the copyright owner.
Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited. All other product and company names
are trademarks or registered trademarks of their respective owners.
Document version 3.2
Published December 2010
Table of Contents
About this Document
Configuring the Steel-Belted RADIUS Proxy
Using the Sophos Compliance Agent
About this Document
This document describes how to configure Steel-Belted RADIUS to pull group information from a remote directory
server and forward that information to Sophos NAC Advanced. This ensures that the group can be given a Sophos
compliance policy without the Sophos Compliance Application Server having a direct connection to Active Directory
or LDAP. When Sophos NAC Advanced is used as a RADIUS proxy for the group mapping functionality, the
RADIUS Enforcer is no longer responsible for looking up the group in Active Directory (via its GroupMapper
component). Instead, the remote RADIUS server returns the Sophos VSA #20 (EF-GroupResponse) to let the
Compliance Application Server know which group to apply to the user's request.
This document requires you to have already configured Internet Authentication Service (IAS) or Network Policy
Server to use Sophos NAC Advanced as a RADIUS proxy, as described in the Post-Installation Requirements in
the Sophos NAC Advanced Installation Guide. This document also assumes that Steel-Belted RADIUS is already
installed and set up on the server and is running on ports 1812, 1813, 1645 and 1646 (the default ports for
Steel-Belted RADIUS). If it is not set up or running on these ports, you must modify these instructions to
accommodate the changes.
If you plan to use Steel-Belted RADIUS to connect to an Active Directory Domain Controller to pull user/group
information, make sure the Steel-Belted RADIUS server is on the domain or is in a trusted domain for the
account/group information it will be pulling from. Also, ensure that you use an account that is a member of the
Domain Users Group so that you will have access to pull user/group information from Active Directory.
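
To check that an Access-Accept actually carries the group attribute described above, the following added example (not part of the original Sophos document) walks the RADIUS attribute list defined in RFC 2865 and extracts vendor type 20. VENDOR_ID is a placeholder for the enterprise number in your dictionary, the sample packet and group name are constructed, and treating the value as text is an assumption.

```python
import struct

ACCESS_ACCEPT = 2        # RADIUS packet code (RFC 2865)
VENDOR_SPECIFIC = 26     # RADIUS attribute type for VSAs (RFC 2865)
EF_GROUP_RESPONSE = 20   # vendor type named in this document
VENDOR_ID = 99999        # PLACEHOLDER enterprise number; take the real one from your dictionary

def build_vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute in the RFC 2865 recommended layout."""
    body = struct.pack("!I", vendor_id) + bytes([vendor_type, len(value) + 2]) + value
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

def build_packet(code, identifier, attributes):
    """Assemble a RADIUS packet with a zeroed authenticator (sample data only)."""
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + bytes(16) + attributes

def group_responses(packet, vendor_id=VENDOR_ID):
    """Return the EF-GroupResponse values carried in an Access-Accept ([] if none)."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    if code != ACCESS_ACCEPT:
        return []          # the group is only applied on a successful authentication
    groups, pos = [], 20
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        a_type, value = packet[pos], packet[pos + 2:pos + a_len]
        pos += a_len
        if (a_type != VENDOR_SPECIFIC or len(value) < 4
                or int.from_bytes(value[:4], "big") != vendor_id):
            continue       # not a VSA, or a VSA from another vendor
        sub, i = value[4:], 0
        while i < len(sub):
            v_len = sub[i + 1] if i + 2 <= len(sub) else 0
            if v_len < 2 or i + v_len > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            if sub[i] == EF_GROUP_RESPONSE:
                # Assumption: the group name is sent as text
                groups.append(sub[i + 2:i + v_len].decode("utf-8", "replace"))
            i += v_len
    return groups

# Constructed sample: Reply-Message (type 18) followed by the group VSA
SAMPLE = build_packet(ACCESS_ACCEPT, 1, bytes([18, 4]) + b"ok"
                      + build_vsa(VENDOR_ID, EF_GROUP_RESPONSE, b"NAC-Contractors"))
```

An empty list for an Access-Accept means the remote server authenticated the user but did not return the group attribute, so no group-specific policy can be matched from it.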
Configuring the Steel-Belted RADIUS Proxy
1. Go to http://localhost:1812, and click the Launch link to start Steel-Belted RADIUS.