NDS user Authorization with a Radius-aware Network Access Server
Novell Cool Solutions: Tip
By Jan Persson
Posted: 22 Feb 2002
Version: BMAS 3.5
This tip was part of a solution from a Novell Consulting engagement where BMAS 3.5 integrated with a Cisco Network Access Solution.
Using Radius to authenticate users is a common solution for many Network Access Server implementations. Using the same technology to provide authorization for NDS users is another option available with BorderManager Authentication Services.
The Radius protocol carries authentication, authorization and configuration information between a Network Access Server (NAS) and an authentication server. Requests and responses carried by the protocol are expressed in terms of Radius attributes such as User name, Service type, and so on. These attributes provide the information needed by a Radius server to authenticate users and to establish authorized network service for them.
With BMAS 3.5 and a Remote Access Server (RAS), the access control can be configured in NDS and passed as Radius attributes to the RAS. In this case study a Cisco 3600 RAS was used. However, the same solution should work with any Radius-aware RAS/Firewall solution that supports the appropriate Radius attributes.
Cisco's Radius implementation has its own vendor-specific Radius attribute, Cisco-AV-Pair. The Cisco-AV-Pair attribute can, for example, pass values for the hosts and protocols needed in the access list together with the generic Radius attributes. Radius attributes are configured in the Dial Access Profile in NDS. The attribute can also be applied to users, groups or containers in NDS.
Cisco AV-Pair Syntax:
Protocol : attribute sep value *
From Cisco's description of the commands used to configure Radius:
"Protocol" is a value of the Cisco "protocol" attribute for a particular type of authorization. "Attribute" and "value" are an appropriate attribute/value (AV) pair defined in the Cisco TACACS+ specification, and "sep" is "=" for mandatory attributes and "*" for optional attributes. This allows the full set of features available for TACACS+ authorization to also be used for RADIUS.
cisco-avpair = "ip:inacl#1=deny ip any 10.10.10.10"
In this example the access list inacl#1 denies any host or network IP access to the host 10.10.10.10. The access list can, as previously described, be applied to any NDS user, group or container.
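The following is an added example, not part of the original tip or of any Novell or Cisco code: a small parser for the "protocol : attribute sep value" format described above, which distinguishes mandatory ("=") from optional ("*") pairs and rebuilds the ordered per-user access list from the ip:inacl#N pairs a Radius server would return. The regular expression and the rule that entries are ordered by their #N ordinal are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Matches one Cisco-AV-Pair string: protocol ":" attribute sep value,
# where sep is "=" (mandatory) or "*" (optional). Constructed for this
# example; it is not an official Cisco or Novell grammar.
AVPAIR_RE = re.compile(
    r'^(?P<protocol>[A-Za-z0-9_-]+):(?P<attribute>[^=*]+)(?P<sep>[=*])(?P<value>.*)$'
)


@dataclass
class AVPair:
    protocol: str    # e.g. "ip"
    attribute: str   # e.g. "inacl#1"
    mandatory: bool  # True for "=", False for "*"
    value: str       # e.g. "deny ip any 10.10.10.10"


def parse_avpair(text: str) -> AVPair:
    """Parse one Cisco-AV-Pair value such as 'ip:inacl#1=deny ip any 10.10.10.10'."""
    m = AVPAIR_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a valid Cisco-AV-Pair: {text!r}")
    return AVPair(m['protocol'], m['attribute'].strip(), m['sep'] == '=', m['value'].strip())


def build_acl(avpairs, direction='inacl'):
    """Assemble the per-user access list carried in ip:inacl#N (or ip:outacl#N) pairs.

    Entries are returned sorted by their #N ordinal, which this example treats
    as the sequence in which the NAS applies them (an assumption of the example).
    Pairs for other protocols or attributes are ignored.
    """
    entries = []
    for raw in avpairs:
        pair = parse_avpair(raw)
        if pair.protocol != 'ip':
            continue
        m = re.fullmatch(rf'{direction}#(\d+)', pair.attribute)
        if m:
            entries.append((int(m.group(1)), pair.value))
    return [value for _, value in sorted(entries)]


# Constructed sample of what a Dial Access Profile might return for one user.
SAMPLE_AVPAIRS = [
    'ip:inacl#2=permit ip any any',
    'ip:inacl#1=deny ip any 10.10.10.10',
    'ip:addr-pool*dialin-pool',   # optional attribute, not part of the ACL
]
```

Running build_acl(SAMPLE_AVPAIRS) yields the deny-then-permit list in ordinal order, with the optional addr-pool pair left out.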
The value of this solution is that access control is configured per NDS user, and the Radius authorization is also held in NDS, giving a single point of administration for access control.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com