Screen OS

  • 1.  Windows 2008 NPS (RADIUS) for Admin auth

    Posted 05-28-2010 13:31

    Is there any way to configure a Windows 2008 RADIUS server to pass back user privilege information for Admin account types?  I know this can be done for Auth and XAuth which is traffic flowing through the firewall.  I want to pass back to the firewall whether the user logging in to the device itself is a read-write or a read-only admin.  

    So far the only way I can get the configuration to work is to set the admin privileges on the firewall by selecting "External admin has read-only privilege" or "External admin has read-write privilege".  

    This means I have to choose which set of users will externally authenticate via RADIUS and set the other group of users up locally.  Is this correct?  Is there another way to handle this requirement?


    Setup:

    SSG-550M ScreenOS 6.2.0r5

    Windows 2008 R2 64-bit



  • 2.  RE: Windows 2008 NPS (RADIUS) for Admin auth
    Best Answer

    Posted 05-28-2010 13:47

    Yes, you can designate admin privileges of read or read-write through RADIUS. What you do is create two Windows groups, one for each of the two conditions. Then you set up your policy condition check in W2K8 to be based on group. Then add a vendor specific attribute to be returned. Vendor code for ScreenOS is 3224 and the attribute is "1" with an attribute value of "2" for read-write and "4" for read-only.


    Doing this somewhat from memory as I am out of the office. I have this setup so try it and let me know if you have any other questions.
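    The attribute described in the answer above is a standard RADIUS Vendor-Specific Attribute (RFC 2865 attribute type 26) carrying vendor code 3224 and vendor sub-attribute 1. The following is an added example, not code from the thread or from Juniper: it encodes that VSA the way an NPS server would place it in an Access-Accept, and decodes it the way a device-side check would, mapping value 2 to read-write and 4 to read-only as the answer states. It assumes the value is carried as a 4-byte big-endian RADIUS integer (the RFC 2865 convention); the sample Reply-Message and the byte layout are constructed here for illustration.

```python
import struct
from typing import Iterator, Tuple

# Values from the thread: vendor code 3224 (NetScreen/ScreenOS), vendor
# sub-attribute 1, value 2 = read-write admin, value 4 = read-only admin.
NETSCREEN_VENDOR_ID = 3224
NS_ADMIN_PRIVILEGE = 1
PRIVILEGE_NAMES = {2: "read-write", 4: "read-only"}

ATTR_REPLY_MESSAGE = 18     # RFC 2865 Reply-Message, used only as filler here
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific


def build_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode one RFC 2865 Vendor-Specific attribute (type 26).

    Layout: type(1) length(1) vendor_id(4) vendor_type(1) vendor_length(1) value.
    Both length fields count their own two header bytes.
    """
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_admin_privilege_vsa(privilege: int) -> bytes:
    """NPS-side view: the attribute returned for the admin's Windows group."""
    # Assumption: integer values use the 4-byte big-endian RADIUS encoding.
    return build_vsa(NETSCREEN_VENDOR_ID, NS_ADMIN_PRIVILEGE, struct.pack("!I", privilege))


def iter_attributes(payload: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the TLV attribute list of a RADIUS packet body, rejecting bad lengths."""
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length")
        yield atype, payload[pos + 2 : pos + alen]
        pos += alen


def iter_vsa(value: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Split a Vendor-Specific body into (vendor_id, vendor_type, data) triples."""
    if len(value) < 4:
        raise ValueError("VSA shorter than vendor id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    pos = 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("bad vendor sub-attribute length")
        yield vendor_id, vtype, value[pos + 2 : pos + vlen]
        pos += vlen


def admin_privilege_from_accept(payload: bytes) -> str:
    """Device-side view: the admin role the Access-Accept asks the firewall to apply.

    Returns "read-write", "read-only", "unknown(<n>)" for a value the thread
    does not define (e.g. the "1" the original poster tried), or "absent" when
    no NetScreen privilege VSA is present at all.
    """
    for atype, value in iter_attributes(payload):
        if atype != ATTR_VENDOR_SPECIFIC:
            continue
        for vendor_id, vtype, data in iter_vsa(value):
            if vendor_id == NETSCREEN_VENDOR_ID and vtype == NS_ADMIN_PRIVILEGE and len(data) == 4:
                level = struct.unpack("!I", data)[0]
                return PRIVILEGE_NAMES.get(level, f"unknown({level})")
    return "absent"


def sample_accept_body(privilege: int) -> bytes:
    """Constructed Access-Accept attribute list: a Reply-Message plus the VSA."""
    msg = b"welcome"
    reply = struct.pack("!BB", ATTR_REPLY_MESSAGE, 2 + len(msg)) + msg
    return reply + build_admin_privilege_vsa(privilege)


if __name__ == "__main__":
    for level in (2, 4, 1):
        print(level, "->", admin_privilege_from_accept(sample_accept_body(level)))
```

    The decoder deliberately returns "unknown" rather than guessing for values outside the two the answer lists, which is the failure mode the follow-up post ran into with value "1"; anything other than an explicit read-write grant should be treated as non-privileged.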



  • 3.  RE: Windows 2008 NPS (RADIUS) for Admin auth

    Posted 06-01-2010 09:51

    That was it, I was using attribute values of "1" and "4".


    Thanks



  • 4.  RE: Windows 2008 NPS (RADIUS) for Admin auth

    Posted 09-01-2011 23:11

    Hello!! I need the experts' help with an SSG 140.

    I need to authenticate a group of Windows users through an SSG firewall using RADIUS. How can I do it? This user group is not for admin access; it is to apply a web blocker profile.


    Thanks a lot for your help.


    Atte: kvillalobos