You can use RADIUS proxy to outsource the management of dial-in hardware to an Internet Service Provider (ISP) while you continue to manage the users in your NDS tree. This gives you the flexibility to manage dial-in users without investing in dial-in hardware or taking on the burden of managing it.
Using RADIUS proxy, a remote user (such as jane@acme.com) dials in to an ISP network. The user's access request (user ID and password) is forwarded to a RADIUS proxy server on the ISP network. The ISP RADIUS proxy server forwards the access request to the RADIUS server for the user's domain (your company's server for acme.com in this example). The RADIUS server then checks the information in the access request and either accepts or rejects the request. If the RADIUS server accepts the request, it returns configuration information specifying the type of connection service (such as PPP or Telnet) to deliver to the user.
This concept is shown in Figure 3.
Figure 3: RADIUS Proxy
The RADIUS server can act as both a conventional RADIUS server and a RADIUS proxy server at the same time. To set up a RADIUS proxy, you must add a domain to the Dial Access System object's domain list. The domain name you assign is the target domain (the part of the username after the @ sign) that a user must log in with to be directed to that domain's authentication method. The RADIUS server supports usernames specified as either an NDS distinguished name or a common name. For access requests whose username carries no domain, you can configure search domains that are checked to determine whether valid authentication information is available. Search domains are configured domains that do not authenticate by NDS context. Domains are defined as one of the following types:
This domain type configures an authentication domain for the Dial Access System object that will look up users by NDS context. The authentication request can be processed by any Novell RADIUS Services server in the NDS tree. For this domain type, you specify the NDS context and define whether to look for the user in that context and any context under it, or look for the user only in the specified context. If the user is not found, you can set the option to look up the user in any defined search domains.
This domain type also configures an authentication domain for the Dial Access System object that will look up users by NDS context. However, this domain type forwards the authentication request to a specific Novell RADIUS Services server in the part of the NDS tree where the user object resides, which reduces network latency. For this domain type, you specify the NDS context and define whether to look for the user in that context and any context under it, or look for the user only in the specified context. The search domain option is not available. To define the target server, specify the IP address, port, and RADIUS secret of the server. To define how accounting packets are handled, specify whether to log accounting locally on the server or forward accounting packets to an accounting server on a remote domain.
This domain type configures a simple domain proxy. Authentication requests will be forwarded to the designated RADIUS server. If the server expects to see only the common username, set the option to remove the target domain name the user logged in with. To target the server, specify the IP address, port, and RADIUS secret for the server. To define how accounting packets are handled, specify whether to log accounting locally on the server or forward accounting packets to an accounting server on a remote domain.
This domain type configures a search domain. Search domains are searched when a user logs in with a common username (no target), or when a user with a target domain is not found in a specified NDS context and usage of a search domain is allowed for that domain. If the server expects to see only the common username, set the option to remove the target domain name the user logged in with. To target the server, specify the IP address, port, and RADIUS secret for the server. To define how accounting packets are handled, specify whether to log accounting locally on the server or forward accounting packets to an accounting server on a remote domain.
This section contains the following tasks:
A user logs in as jane@acme.com. You want this user to authenticate using the local NDS tree and search for the user from the [Root] context of the NDS tree and any context below [Root]. You don't care which RADIUS server handles the authentication. If the user cannot be authenticated in the NDS tree, you want the server to send the authentication request to all the search domains for the Dial Access System object. Configure the Dial Access System object as follows:
Refer to the context-sensitive help for information about specific configuration procedures.
A user logs in as jane@sales.acme.com. You want this user to authenticate using the local NDS tree, but you want to search for the user only in the sales.acme context. You also want a specific RADIUS server that is within the same partition of the NDS tree as the sales context to handle the authentication to reduce network latency for the login. The IP address for the RADIUS server is 1.2.3.4 and the secret is 12345678998765432100. You need the accounting to be logged locally on the RADIUS server. Configure the Dial Access System object as follows:
Refer to the context-sensitive help for information about specific configuration procedures.
You manage an ISP. Acme Corporation user joe dials in with the username joe@acme.com, and you need to forward the authentication request to the corporation's RADIUS server at IP address 1.2.3.4, port 1645, with a RADIUS secret of 12345678998765432100. You also need to forward accounting to the Acme Corporation RADIUS accounting server at IP address 1.2.4.5, port 1646, with a RADIUS secret of 98765432112345678900 and a retry limit of 24 hours. Configure the Dial Access System object as follows:
Refer to the context-sensitive help for information about specific configuration procedures.
Acme Corporation has a legacy RADIUS server. You want to migrate your remote access to NMAS and Novell RADIUS Services; however, you want to do it gradually, moving one department a month from the legacy system to NMAS and Novell RADIUS Services. You want your users to authenticate to the RADIUS server, and you want this server to search the legacy RADIUS server if the user does not exist in NDS.
To allow users to authenticate, you can set up a search domain on the NMAS RADIUS server. The legacy RADIUS server, RAD1, is at IP address 1.2.3.4, port 1645, with a secret of 09876543211234567890. You also want accounting to be logged at the legacy proxy server. Configure the Dial Access System object on the NMAS RADIUS server as follows:
Refer to the ConsoleOne online help for information about specific configuration procedures.
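As an added illustration (not Novell's code and not part of the original documentation), the following Python models how a Dial Access System object's domain list routes an access request by the domain in the username, covering the four domain types described above and the scenarios in the tasks: a local NDS lookup from [Root] with search-domain fallback, a targeted server for the sales.acme context, an ISP-side proxy, and a legacy search domain. The type names (nds, nds_target, proxy, search), the field names, and the user-to-context table standing in for the NDS tree are assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Domain:                          # one entry in the domain list (field names assumed)
    name: str                          # target domain the user logs in with, e.g. "acme.com"
    kind: str                          # "nds", "nds_target", "proxy" or "search"
    nds_context: str = "[Root]"        # NDS context to look in (nds and nds_target types)
    include_subtree: bool = True       # also look in every context below nds_context
    use_search_domains: bool = False   # nds type only: fall back to the search domains
    strip_domain: bool = False         # forward "joe" rather than "joe@acme.com"
    server: str = ""                   # "ip:port" of the RADIUS server to forward to

def split_user(username):
    """'jane@acme.com' -> ('jane', 'acme.com'); a plain common name has realm None."""
    user, sep, realm = username.rpartition("@")
    return (user, realm.lower()) if sep else (username, None)

def in_context(user_ctx, dom):
    """True if the user's NDS context is covered by the domain's context setting."""
    if dom.nds_context == "[Root]":
        return True
    return user_ctx == dom.nds_context or (
        dom.include_subtree and user_ctx.endswith("." + dom.nds_context))

def forward_name(user, realm, dom):    # username as sent on, honouring the remove-domain option
    return user if dom.strip_domain or realm is None else f"{user}@{realm}"

def route(username, domains, nds_users):
    """Decide how one access request is handled. nds_users maps a common name to
    its NDS context and stands in for the tree (constructed for this example)."""
    user, realm = split_user(username)
    searches = [d for d in domains if d.kind == "search"]
    def via_search():                  # try every search domain, in configured order
        if not searches:
            return {"action": "reject", "reason": "no search domains"}
        return {"action": "search",
                "targets": [(d.server, forward_name(user, realm, d)) for d in searches]}
    if realm is None:                  # common username: only the search domains apply
        return via_search()
    dom = next((d for d in domains if d.name == realm and d.kind != "search"), None)
    if dom is None:                    # no configured target domain (assumed: reject)
        return {"action": "reject", "reason": "unknown domain"}
    if dom.kind == "nds":              # any Novell RADIUS server looks the user up locally
        if user in nds_users and in_context(nds_users[user], dom):
            return {"action": "local", "context": nds_users[user]}
        return via_search() if dom.use_search_domains else {"action": "reject", "reason": "not in NDS"}
    # nds_target and proxy domains forward the request to one designated server
    return {"action": "forward", "server": dom.server, "username": forward_name(user, realm, dom)}
```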