Setting up BorderManager Authentication Services on NetWare 6
Novell Cool Solutions: Feature
By Joe Harmon
Posted: 10 May 2002
Versions: Novell NetWare 6.0, Novell BorderManager Authentication Services 3.6
Creating Dial Access System and Dial Access Profile objects
(1) The first thing that we need to do is to create a Dial Access System object by right-clicking on the desired container, selecting CREATE, then selecting DIAL ACCESS SYSTEM from the list and clicking OK. In this example the Dial Access System object is being created under the Organization called WEB.
(2) You will now need to give the Dial Access System object a name. This is the same name that you will use when loading RADIUS. After putting in the name, click CREATE.
(3) You will then be prompted to set a password for the Dial Access System object. This is the same password that you will use to start RADIUS.
(4) After creating the Dial Access System (DAS) object, go back into NWAdmin and double-click on the object. This will bring up the properties for the DAS object.
(5) Next we will need to add the client. The client will represent the particular Dial Access box that you are using. Click on the CLIENTS tab and select the ADD button. You will need to supply the following information about your Dial Access Box.
Client Address - This is the address of your Dial Access Box.
Client Type - This is the recommended client to use. If you are planning on using the vendor specific client, then you will be on your own for the configuration.
Secret - This is the shared secret you have on your Dial Access Box. In order for communication to occur, the secret must be the same on both sides.
(6) Next you will need to select the USERNAME RESOLUTION tab. The suggested option is the USE LOOKUP CONTEXTS LIST TO RESOLVE USERNAMES option. Here you will need to add all of the contexts that contain users who want to use RADIUS. In this example we are adding the WEB container. After all of the containers are added, click OK.
(7) Now we will create a Dial Access Profile object. This object is used to specify the attributes that will be used with RADIUS. Right click on the same container where you created the DAS object. Select CREATE and then choose DIAL ACCESS PROFILE from the list. Then click OK.
(8) In this example we will give the Dial Access Profile (DAP) the name of DAP. After the name is put in click CREATE.
(9) If you chose the DEFINE ADDITIONAL PROPERTIES option before you clicked on CREATE then you will already have the properties dialog box open. If not then just double click on the DAP object.
(10) You will now need to select the ATTRIBUTES tab. Click on the ADD button to add attributes. There are only two generic attributes that are recommended by Novell. First we will add the Framed Protocol - PPP.
Framed Protocol - PPP
Service Type - Framed
** NOTE ** This dialog box is just asking for a description. You can just press the CANCEL button.
(11) Next we will add the Service Type - Framed attribute. Select the attribute from the Generic section and click OK.
**NOTE** This dialog box is just asking for a description. You can just press the CANCEL button.
(12) You should now see both attributes in the Dial Access Profile object. Click OK to finish.
(13) The next thing that we need to do is to enable RADIUS at the container level. This same procedure can be done at the user level if desired; the user-level settings override the container settings for that user. In this instance we will only configure the container settings, which enables RADIUS for every user within this container. We can access these settings by double-clicking on the desired container and then selecting the DIAL ACCESS SERVICES tab.
(14) Here we will make sure that DIAL ACCESS CONTROL is checked. Then you will want to click on the browse button and select the Dial Access System object that you created. Then click OK.
(15) You will then get the message that the DAS object does not have sufficient rights and that it will need to assign them. Choose YES.
(16) Next we will need to add the Dial Access Profile. This can be done by clicking on the ADD button and then selecting the DAP object. After you have selected the DAP object, click OK.
(17) You should now see both the DAS and the DAP object listed under the DIAL ACCESS SERVICES tab at the container level.
(18) Now we will load RADIUS at the server console.
(19) If you try to authenticate at this point you will notice that you get an Access Rejected, NDS error (-603). This is caused by NetWare 6 having created a Login Policy Object (LPO): RADIUS will try to use an LPO if one exists. In order to make it compatible we will need to run an attribute file.
(20) At the server console prompt type ADMATTRS and press Enter. You will then be prompted to log in with the admin username and password. You will then get the message, "Attributes created successfully."
(21) Now if you try to log in you will get the error, "Unable to locate authentication rule." This error occurs because no rule has been set up for RADIUS within the Login Policy Object (LPO). The next section will take us through setting up the LPO so that RADIUS can do basic NDS authentication.
Setting up the Login Policy Object
** IMPORTANT ** The Login Policy Object for RADIUS must be configured in NWADMIN. It cannot be configured within ConsoleOne for the BorderManager 3.6 product.
(1) In order for us to access the Login Policy Object (LPO) we will need to first install the snapins. In this example NWADMIN will be run from the server. When viewing the LPO object under the Security container it will show up as a white question-mark box. This means that we need to install the snapins for this product. This can be done by executing the SETUP.EXE found on the NetWare 6 SYS volume. The location for this file is SYS:/PUBLIC/BRDMGR/SNAPINS. Double-click on the SETUP.EXE file.
(2) You will first be presented with the Welcome screen. Before you click the NEXT button, make sure that you do not have NWAdmin running. Click NEXT.
(3) Now we will need to point the installation to the SYS:/PUBLIC/WIN32 directory. Then click OK.
** NOTE ** Again, the directory that is being selected is the WIN32 directory on the server, since NWADMIN will be run from the server for this example.
(4) The next screen will show that you have the proper path listed. Click NEXT to continue.
(5) Next you will see the copy file process.
(6) You will be prompted to view the README. Click YES or NO depending on whether or not you want to read the README.
(7) Next you will be presented with a dialog box asking if you want to launch NWAdmin. Click YES so that you can configure the LPO.
(8) Under the Security container (found at the root of the tree) you will find the Login Policy Object. Double-click on the LPO to view its properties.
(9) You are now presented with a message box explaining that you will need to define at least one rule within the LPO. Click OK to continue.
(10) Click on the RULES tab and then select the ADD button. You will then be presented with the Login Rule Configuration dialog box. Verify that the ENABLE option is checked. Then choose the OBJECT NAME option and browse out to select the Dial Access System object. Now select the METHODS tab and click on the ADD button.
(11) The next dialog box will be the CONFIGURE LOGIN METHOD dialog box. Make sure that the LOGIN METHOD ENABLED option is selected. Under the METHOD TYPES section, choose the NDS PASSWORD option. Under the METHOD ENFORCEMENT choose ACCEPTABLE or MANDATORY. In this example we will use ACCEPTABLE. Then click OK.
(12) When OK is clicked a message will pop up telling you that you need to populate the user list. This list must contain every user that is going to need access to RADIUS; containers and/or individual users can be specified.
(13) To do this select the USER LIST tab and click on the ADD button. Then once the container or user is selected click OK to add it to the list.
(14) You can continue to add users and containers if desired. When finished click OK to create the rule.
(15) Verify that your rule was created successfully. To do this, select the DAS object under the RULES tab and you should see NDS PASSWORD and ACCEPTABLE appear in the method and enforcement section of the dialog box. When finished click OK to continue.
(16) Once you click OK you will receive a message explaining that the LPO needs to create rights to the user(s) or container(s) that were selected. Click OK to continue.
(17) You will now need to do a RADSTOP at the server console.
** IMPORTANT ** Make sure everything unloads successfully. If you have BorderManager Proxy installed it will prompt you to unload it as well.
(18) Now load RADIUS at the server console and try to authenticate again. You should receive an Access Accept message.
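To see what the shared secret from step (5) and the Access Accept / Access Rejected messages above mean on the wire, here is an added Python example (not code from the original article or from Novell). It builds an RFC 2865 Access-Request with the User-Password obfuscation, simulates the server's reply carrying the two attributes configured in the Dial Access Profile (Service Type - Framed, Framed Protocol - PPP), and verifies the reply's Response Authenticator with the shared secret, which is how a client notices a secret mismatch. The username, password and secret values are constructed for the demo.

```python
import hashlib, struct

# RFC 2865 packet codes and the attribute numbers behind this page's DAP entries
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, FRAMED_PROTOCOL = 1, 2, 6, 7
SERVICE_TYPE_FRAMED, FRAMED_PROTOCOL_PPP = 2, 1   # "Service Type - Framed", "Framed Protocol - PPP"
INTEGER_ATTRS = {SERVICE_TYPE, FRAMED_PROTOCOL}

def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def build_access_request(ident: int, username: str, password: str, secret: bytes, authenticator: bytes) -> bytes:
    # Access-Request carrying User-Name and the obfuscated User-Password
    attrs = struct.pack("!BB", USER_NAME, 2 + len(username)) + username.encode()
    hidden = encrypt_password(password.encode(), secret, authenticator)
    attrs += struct.pack("!BB", USER_PASSWORD, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    # Constructed stand-in for the NetWare RADIUS server's reply (RFC 2865 s3 Response Authenticator)
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def parse_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> dict:
    # Reject any reply whose Response Authenticator was not computed with our shared secret
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    decoded, pos = {}, 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        value = attrs[pos + 2:pos + alen]
        decoded[atype] = struct.unpack("!I", value)[0] if atype in INTEGER_ATTRS else value
        pos += alen
    return {"code": code, "id": ident, "attrs": decoded}

def simulate_exchange(client_secret: bytes, server_secret: bytes) -> dict:
    # Constructed round trip: on Access-Accept the server returns the DAP attributes
    authenticator = bytes(range(16))          # fixed for the demo; use os.urandom(16) in practice
    request = build_access_request(7, "jdoe", "constructed-pw", client_secret, authenticator)
    profile = struct.pack("!BBI", SERVICE_TYPE, 6, SERVICE_TYPE_FRAMED) + struct.pack("!BBI", FRAMED_PROTOCOL, 6, FRAMED_PROTOCOL_PPP)
    return parse_response(build_reply(ACCESS_ACCEPT, request, server_secret, profile), authenticator, client_secret)
```

Running simulate_exchange with matching secrets returns code 2 (Access-Accept) and the two profile attributes; with mismatched secrets the reply is rejected before any attribute is trusted.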
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com