Setting Up Users and Groups for Container and Group Administration

Perform the following tasks to modify the NDS objects in your NDS tree to manage dial access services with Novell RADIUS Services:


Setting Up Organization and Organizational Unit Container Objects

You can specify common dial access properties for all users in Organization or Organizational Unit container objects. The Dial Access Service page of an Organization or Organizational Unit allows you to

For example, if your organization has several departments that want to allow remote users to access your corporate network, you could use BorderManager(TM) Authentication Services to manage users who authenticate with the RADIUS protocol. Each department could specify rights to applications, file and print services, and dial-in configuration information. However, multiple departments could be managed by the same network administrator without the requirement to maintain multiple databases.

Specifying dial access properties in the Dial Access Service page for an Organization or Organizational Unit container object has the following benefits:

The dial access properties that you define for an Organization or Organizational Unit container object apply to every user in the selected container object (but not to users in Organizational Units that are at a lower level in the NDS tree). Refer to the ConsoleOne online help for information about specific configuration procedures.

You can override the dial access properties of an Organization container object or Organizational Unit container object by modifying the Dial Access Services page of a User object. This allows you to specify unique dial access properties for any User object in your NDS tree.


Enabling Dial Access Services For Users in a Container Object

To enable users in an Organization or Organizational Unit container object for dial access services, complete the following steps:

  1. Start ConsoleOne.

  2. Double-click an Organization or Organizational Unit container object.

  3. Click the Dial Access Services tab > Enable dial access.

Refer to the context-sensitive help for more information.


Setting Up Group Objects

You can grant rights to use one or more specified Dial Access System objects to members of a Group object. Group-based administration leverages the access control list (ACL) capability of NDS to enforce user dial-in access restrictions. For example, separate Dial Access System objects could be created for firewall and dial-in access servers. Then a Firewall Group object and a Dial-In Users Group object could be created with access privileges to the firewall Dial Access System object and the dial-in Dial Access System object, respectively. By making a user a member of one or both groups, access to these resources is granted selectively based on group membership. By creating multiple Dial Access System objects, group-based administration can also restrict high-speed connections to selected users only while allowing low-speed connections for all users.

Restricting access based on assignment to a geographical region is another use for group-based administration. Dial Access System objects could be created for each geographical region that a set of users is allowed to access. Groups such as West Coast, Midwest, and East Coast could be created with users in those regions added as members. Certain users, such as sales staff, could be included in more than one geographical group to allow access to different locations.

Each Dial Access System object must have sufficient rights to any User object that can be authenticated. This can be done for multiple users at once by adding the parent container object to which the users belong to the user list of the Dial Access System object.

Likewise, the Group object must have sufficient rights to the Dial Access System object used for authentication. This can be done by assigning the Group object to the user list of the Dial Access System object.

Both of these procedures are done in the Login Policy Object's Rules tab.
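The following is an added example, not Novell code and not an NDS API: a small Python model of the rules described in this section, covering both the container-level dial access properties (applied only to users directly in the container, with a per-User override) and the two rights requirements for group-based access to a Dial Access System object. Object names and the `enabled`/`max_speed` property keys are constructed for illustration.

```python
# Added example: a model of the dial-access rights rules described above.
# Not Novell code; it does not talk to NDS. Names and property keys are constructed.
from dataclasses import dataclass, field


@dataclass
class Container:              # Organization or Organizational Unit
    dn: str
    dial_access: dict = field(default_factory=dict)   # Dial Access Service page


@dataclass
class User:
    dn: str
    container: Container                              # parent container (direct only)
    groups: set = field(default_factory=set)          # DNs of Group objects
    dial_access: dict = field(default_factory=dict)   # User-level override page


@dataclass
class DialAccessSystem:
    name: str
    user_list: set = field(default_factory=set)       # container and group DNs on the Rules tab


def effective_dial_access(user: User) -> dict:
    """Container properties apply only to users directly in that container
    (no inheritance to lower-level OUs); the User object's own page overrides."""
    return {**user.container.dial_access, **user.dial_access}


def may_authenticate(user: User, das: DialAccessSystem) -> bool:
    """Both rights must hold: the DAS reaches the user through the user's parent
    container on its user list, and one of the user's groups is on that list."""
    if not effective_dial_access(user).get("enabled", False):
        return False
    das_reaches_user = user.container.dn in das.user_list
    group_reaches_das = bool(user.groups & das.user_list)
    return das_reaches_user and group_reaches_das


# Constructed sample tree: an Organization with a lower-level OU.
acme = Container("o=acme", {"enabled": True, "max_speed": "56k"})
sales = Container("ou=sales.o=acme")                  # no properties of its own
firewall_das = DialAccessSystem("firewall", {"o=acme", "cn=firewall.o=acme"})
alice = User("cn=alice.o=acme", acme, {"cn=firewall.o=acme"})
bob = User("cn=bob.ou=sales.o=acme", sales, {"cn=firewall.o=acme"}, {"enabled": True})
carol = User("cn=carol.o=acme", acme)                 # enabled by container, in no group
```

Bob is enabled by his own User page but is refused because `ou=sales.o=acme` is not on the Dial Access System's user list; Carol is refused because no group grants her rights to it.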