You can use RADIUS proxy to outsource the management of dial-in hardware to an Internet Service Provider (ISP) while you manage the users in your eDirectory tree. This benefit provides you with the flexibility to manage dial-in users without the investment in dial-in hardware or the burden of managing the hardware.
Using RADIUS proxy, a remote user (such as jane@acme.com) dials in to an ISP network. The user's access request (user ID and password) is forwarded to a RADIUS proxy server on the ISP network. The ISP RADIUS proxy server forwards the access request to your company's RADIUS server (such as acme.com). The RADIUS server then checks the information in the access request and either accepts or rejects the request. If the RADIUS server accepts the request, it returns configuration information specifying the type of connection service (such as PPP or Telnet) to deliver to the user.
Authentication Services can act as both a conventional RADIUS server and a RADIUS proxy server at the same time. To set up a RADIUS proxy, you must add a domain to the Dial Access System object's domain list. The domain name you assign is the target domain the user must use to be directed to that proxy for authentication. The RADIUS server supports usernames specified as either an eDirectory distinguished name or a common name. For access requests that have a username without a domain, you can configure search domains that can be checked to determine if valid authentication information is available. The search domains consist of configured domains that do not authenticate by eDirectory context. Domains are defined as one of the following types:
This domain type configures an authentication domain for the Dial Access System object that will look up users by NDS or eDirectory context. The authentication request can be processed by any Novell BorderManager 3.7 Authentication Services server in the eDirectory tree. For this domain type, you specify the eDirectory context and define whether to look for the user in that context and any context under it, or look for the user only in the specified context. If the user is not found, you can set the option to look up the user in any defined search domains.
This domain type also configures an authentication domain for the Dial Access System object that will look up users by NDS or eDirectory context. However, this domain type will forward the authentication request to a specific Novell BorderManager 3.7 Authentication Services server in the eDirectory tree where the user belongs to reduce network latency. For this domain type, you specify the eDirectory context and define whether to look for the user in that context and any context under it, or look for the user only in the specified context. The search domain option is not available. To define the target server, specify the IP address, port, and RADIUS secret of the server. To define how accounting packets are handled, specify whether to log accounting locally on the server or forward accounting packets to an accounting server on a remote domain.
This domain type configures a simple domain proxy. Authentication requests will be forwarded to the designated RADIUS server. If the server expects to see only the common username, set the option to remove the target domain name the user logged in with. To target the server, specify the IP address, port, and RADIUS secret for the server. To define how accounting packets are handled, specify whether to log accounting locally on the server or forward accounting packets to an accounting server on a remote domain.
This domain type configures a search domain. Search domains are searched when a user logs in with a common username (no target), or when a user with a target domain is not found in a specified eDirectory context and usage of a search domain is allowed for that domain. If the server expects to see only the common username, set the option to remove the target domain name the user logged in with. To target the server, specify the IP address, port, and RADIUS secret for the server. To define how accounting packets are handled, specify whether to log accounting locally on the server or forward accounting packets to an accounting server on a remote domain.
This domain type configures a domain that targets an external authentication server (such as a Security Dynamics ACE/Server). If the server expects to see only the common username, set the option to remove the target domain name the user logged in with. To target the server, specify the IP address, port, and RADIUS secret for the server. You can create External Identity objects for third-party tokens administered by an External Authentication Service object and assign NDS or eDirectory users to an External Identity object.
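The routing rules in the five domain types above, written out as an added example (this is illustrative code, not Novell BorderManager code). The domain kinds, option names, the eDirectory tree, and every address and secret below are assumed for the example; the `CORP` and `ISP` lists mirror the scenarios later in this section, with `local`, `local_server`, `proxy`, `search` and `external` standing for the five domain types in the order they are described.

```python
"""Routing of a RADIUS Access-Request by target domain (constructed example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed eDirectory tree: lower-cased DN -> context the object lives in.
TREE = {
    "jane.acme": "acme",
    "jane.sales.acme": "sales.acme",
    "olivia.sales.acme": "sales.acme",
}


@dataclass
class Domain:
    name: str                          # target domain the user types after '@'
    kind: str                          # local | local_server | proxy | search | external
    context: str = "[root]"            # eDirectory context (local kinds only)
    subtree: bool = True               # search the context and everything under it
    use_search_domains: bool = False   # 'local' only: fall back to search domains
    strip_domain: bool = False         # forwarded kinds: send only the common name
    server: Optional[Tuple[str, int, str]] = None  # (ip, port, secret) when forwarded


def split_login(login: str):
    """'jane@acme.com' -> ('jane', 'acme.com'); no '@' means no target domain."""
    if "@" not in login:
        return login, None
    user, _, target = login.rpartition("@")
    return user, target.lower()


def _in_context(ctx: str, context: str, subtree: bool) -> bool:
    if context == "[root]":
        return subtree or ctx == ""    # objects directly under [Root] have an empty context
    return ctx == context or (subtree and ctx.endswith("." + context))


def find_user(name: str, context: str, subtree: bool) -> Optional[str]:
    """Look the user up in the constructed TREE.  A name containing '.' is taken
    as a distinguished name, anything else as a common name."""
    name, context = name.lower(), context.lower()
    if "." in name:
        return name if name in TREE and _in_context(TREE[name], context, subtree) else None
    for dn, ctx in TREE.items():
        if dn.split(".", 1)[0] == name and _in_context(ctx, context, subtree):
            return dn
    return None


def forward_to_search(user: str, login: str, domains) -> dict:
    """Every configured search domain gets the request, in configured order."""
    targets = [(d.name, user if d.strip_domain else login, d.server)
               for d in domains if d.kind == "search"]
    if not targets:
        return {"action": "reject", "reason": "no search domains configured"}
    return {"action": "forward", "kind": "search", "targets": targets}


def route(login: str, domains) -> dict:
    """Decide what the Dial Access System does with an Access-Request for `login`."""
    user, target = split_login(login)
    if target is None:                       # common name only: search domains
        return forward_to_search(user, login, domains)
    dom = next((d for d in domains if d.name == target), None)
    if dom is None:
        return {"action": "reject", "reason": f"unknown domain {target}"}
    if dom.kind in ("local", "local_server"):
        dn = find_user(user, dom.context, dom.subtree)
        if dn:
            # server is None for 'local': any Authentication Services server may answer
            return {"action": "authenticate", "dn": dn, "server": dom.server}
        if dom.kind == "local" and dom.use_search_domains:
            return forward_to_search(user, login, domains)
        return {"action": "reject", "reason": f"{user} not found in {dom.context}"}
    # proxy / search / external: hand the request to the configured server
    return {"action": "forward", "kind": dom.kind,
            "user": user if dom.strip_domain else login, "server": dom.server}


# Corporate (acme) configuration, mirroring the scenarios in this section.
CORP = [
    Domain("acme.com", "local", context="[root]", subtree=True, use_search_domains=True),
    Domain("sales.acme.com", "local_server", context="sales.acme", subtree=False,
           server=("1.2.3.4", 1645, "12345678998765432100")),
    Domain("ace", "external", strip_domain=True,
           server=("1.2.3.4", 1645, "09876543211234567890")),
    Domain("rad1", "search", strip_domain=True,
           server=("1.2.3.4", 1645, "09876543211234567890")),
]
# ISP configuration: everything for acme.com is proxied to the corporate server.
ISP = [Domain("acme.com", "proxy", server=("1.2.3.4", 1645, "12345678998765432100"))]

if __name__ == "__main__":
    for login in ("jane@acme.com", "bob@acme.com", "jane@sales.acme.com",
                  "Olivia.Sales.Acme@ace", "joe"):
        print(login, "->", route(login, CORP))
    print("joe@acme.com (ISP) ->", route("joe@acme.com", ISP))
```

Two behaviours worth noticing: a user with a target domain that matches no configured domain is rejected outright rather than searched, and the `local_server` kind never falls through to search domains, so a typo in the context it points at silently turns into rejections for every user of that domain.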
Refer to the NetWare Administrator online help for information about specific configuration procedures.
This section contains the following tasks:
A user logs in as jane@acme.com. You want this user to authenticate using the local NDS or eDirectory tree and search for the user from the [Root] context of the NDS or eDirectory tree and any context below [Root]. You don't care which RADIUS server handles the authentication. If the user cannot be authenticated in the NDS or eDirectory tree, you want the server to send the authentication request to all the search domains for the Dial Access System object. Configure the Dial Access System object as follows:
A user logs in as jane@sales.acme.com. You want this user to authenticate using the local NDS or eDirectory tree, but you want to search for the user only in the sales.acme context. You also want a specific RADIUS server that is within the same partition of the NDS or eDirectory tree as the sales context to handle the authentication to reduce network latency for the login. The IP address for the RADIUS server is 1.2.3.4 and the secret is 12345678998765432100. You need the accounting to be logged locally on the RADIUS server. Configure the Dial Access System object as follows:
You manage an ISP. Acme Corporation user joe dials in with the username joe@acme.com, and you need to forward the authentication request to the corporation's RADIUS server at IP address 1.2.3.4, port 1645, with a RADIUS secret of 12345678998765432100. You also need to forward accounting to the Acme Corporation RADIUS accounting server at IP address 1.2.4.5, port 1646, with a RADIUS secret of 98765432112345678900 and a retry limit of 24 hours. Configure the Dial Access System object as follows:
Your corporation has a Security Dynamics ACE/Server external server that supports token authentication. Your sales force uses this token implementation extensively and you need to preserve your investment in this hardware. You want to use the token authentication capabilities of this server, but would like to manage the users in eDirectory with Novell BorderManager 3.7 Authentication Services. Salesperson Olivia Olsen logs in as Olivia.Sales.Acme. You want to remove the domain name on this login and create a domain, ace, to forward the request to the external authentication server at IP address 1.2.3.4, port 1645, with a RADIUS secret of 09876543211234567890. To implement this example, you must create an External Authentication Service object and an External Identity object.
Configure the External Authentication Service object as follows:
Assign the User object to the External Identity Object as follows:
Your implementation is exactly the same as in the previous configuration; however, you want to eliminate the need to manage user accounts on the token server. Instead of using usernames on your external authentication server, you have assigned the serial number of the token as the login name. The serial number and login name for the token used by salesperson Olivia Olsen is 12345. You still want Olivia to log in as Olivia.Sales.Acme. However, you want eDirectory to substitute 12345 as Olivia's other name. To implement this configuration, you must configure the User object Olivia as follows:
Configure the External Authentication Service object as follows:
Acme Corporation has a legacy RADIUS server. You want to migrate your remote access to Novell BorderManager 3.7 Authentication Services; however, you want to do it gradually, moving one department a month from the legacy system to Novell BorderManager 3.7. You want your users to authenticate to the Novell BorderManager 3.7 RADIUS server and you want this server to search the legacy RADIUS server if the user does not exist in eDirectory.
To allow users to authenticate, you can set up a search domain on the Novell BorderManager 3.7 Authentication Services RADIUS server. The legacy RADIUS server, RAD1, is at IP address 1.2.3.4, port 1645, with a secret of 09876543211234567890. You also want accounting to be logged at the legacy proxy server. Configure the Dial Access System object on the Novell BorderManager 3.7 Authentication Services RADIUS server as follows:
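The proxy step itself, as an added example that is not part of the original page or of BorderManager: when the ISP proxy in the joe@acme.com scenario forwards an Access-Request, the User-Password attribute the NAS hid with the ISP's shared secret has to be revealed and hidden again with the secret shared with the corporate server (RFC 2865 section 5.2), or the corporate server recovers garbage and rejects the user. The packet layout is the standard RADIUS one; the secrets, the Request Authenticator and the Proxy-State value are constructed, and keeping the NAS's Request Authenticator on the forwarded packet is a design choice of this example.

```python
"""RADIUS proxy forwarding with User-Password re-hiding (constructed example)."""
import hashlib
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, PROXY_STATE = 1, 2, 33


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: c1 = p1 XOR MD5(S + RA), c_n = p_n XOR MD5(S + c_{n-1}).
    The password is NUL-padded to a multiple of 16 bytes (at least one block)."""
    if len(req_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = bytearray(), req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += c
        prev = c                      # chaining uses the *hidden* block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password.  Note there is no integrity check: a wrong
    secret yields garbage, not an error (trailing NULs are padding and removed)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Attributes are Type(1) Length(1, includes header) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs


def build_packet(code: int, ident: int, req_auth: bytes, attrs) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body


def parse_packet(pkt: bytes):
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return code, ident, pkt[4:20], parse_attrs(pkt[20:])


def proxy_forward(pkt: bytes, nas_secret: bytes, remote_secret: bytes,
                  strip_domain: bool = False, proxy_state: bytes = b"isp-proxy:1") -> bytes:
    """Re-hide User-Password under the remote secret, optionally strip the target
    domain from User-Name (the 'remove the target domain name' option), and
    append a Proxy-State so the reply can be matched on the way back."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("only Access-Request is proxied in this example")
    out = []
    for t, v in attrs:
        if t == USER_PASSWORD:
            v = hide_password(reveal_password(v, nas_secret, req_auth), remote_secret, req_auth)
        elif t == USER_NAME and strip_domain and b"@" in v:
            v = v.rsplit(b"@", 1)[0]
        out.append((t, v))
    out.append((PROXY_STATE, proxy_state))
    return build_packet(code, ident, req_auth, out)


if __name__ == "__main__":
    ra = bytes(range(16))                      # constructed Request Authenticator
    nas_pkt = build_packet(ACCESS_REQUEST, 7, ra, [
        (USER_NAME, b"joe@acme.com"),
        (USER_PASSWORD, hide_password(b"s3cret-pw!", b"isp-nas-secret", ra)),
    ])
    fwd = proxy_forward(nas_pkt, b"isp-nas-secret", b"12345678998765432100")
    print(parse_packet(fwd))
```

The re-hiding is the reason the proxy must hold the corporate secret in the clear and must be trusted with every password passing through it. Nothing in this exchange detects a mismatched secret on either hop; pairing the request with a Message-Authenticator attribute (RFC 2869) is what lets the receiving server reject a forwarded packet that was hidden under the wrong secret instead of failing the user silently.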