Our scenario is we have network devices that we do DUO authentication for administrative access to the devices. This is generally accomplished via RADIUS by way of the DUO Authentication Proxy (DAP).
The simplest configuration is to configure DAP with a LDAP for primary authentication and a series of radius clients for our various devices.
This works great except for those devices that require the indication of an access level/role by way of a RADIUS-provided attribute (such as ‘priv=15’ or ‘role=sysadmin’). I can accomplish this when doing attribute pass-thru with RADIUS as the primary authentication but then I need to setup (in our Windows environment) NPS for RADIUS which is basically yet another proxy not unlike DAP itself. This creates another point of failure just to facilitate inserting the attribute required by network devices to assign the appropriate access.
What I perceive as being ideal is the ability to have DAP insert/inject these attributes directly by way of some additional attribute for each device/group of RADIUS clients (like an ‘insert_attribute_1’ and ‘insert_attribute_2’ corresponding to a ‘radius_ip_1’ and ‘radius_ip_2’ so each client/group can receive the response independently of others as each device requires).
Since there could be multiple attributes required, the value could perhaps be a delimited list (eg.
insert_attribute=cisco-avpair= ”shell:priv-lvl=15“, cisco-avpair= ”shell:role=sysadmin“ ). I don’t have a complete understanding of all the possible options/variations on a RADIUS attribute so I’m not sure if this solution would work for all possible uses but I’m hoping smarter people could fill in gaps with relative ease.
Is there another way to accomplish getting these attributes communicated to RADIUS clients when using LDAP as the primary authentication that I’m missing?