Planning RADIUS Proxy Services

You can use RADIUS proxy to outsource the management of dial-in hardware to an Internet Service Provider (ISP) while you continue to manage the users in your NDS tree. This gives you the flexibility to manage dial-in users without investing in dial-in hardware or taking on the burden of managing it.

Using RADIUS proxy, a remote user (such as jane@acme.com) dials in to an ISP network. The user's access request (user ID and password) is forwarded to a RADIUS proxy server on the ISP network. The ISP RADIUS proxy server forwards the access request to your company's RADIUS server (such as acme.com). The RADIUS server then checks the information in the access request and either accepts or rejects the request. If the RADIUS server accepts the request, it returns configuration information specifying the type of connection service (such as PPP or Telnet) to deliver to the user.

This concept is shown in Figure 3.

Figure 3: RADIUS Proxy

The RADIUS server can act as both a conventional RADIUS server and a RADIUS proxy server at the same time. To set up a RADIUS proxy, you must add a domain to the Dial Access System object's domain list. The domain name you assign is the target domain the user must use to be directed to that proxy for authentication. The RADIUS server supports usernames specified as either an NDS distinguished name or a common name. For access requests whose username carries no domain, you can configure search domains that are checked to determine whether valid authentication information is available. The search domains consist of configured domains that do not authenticate by NDS context. Domains are defined as one of the following types:

NDS Context---Any Novell RADIUS Services Server
NDS Context---Specific Novell RADIUS Services Server
Generic Proxy
Search Domain Server

This section contains the following tasks:

Setting Up a RADIUS Authentication Proxy to Authenticate Remote Users by NDS Context to Any RADIUS Server
Setting Up a RADIUS Authentication Proxy to Authenticate Remote Users by NDS Context to a Specific RADIUS Server
Setting Up a RADIUS Authentication Proxy as an ISP to Forward Requests to a Corporate RADIUS Server
Setting Up a RADIUS Authentication Proxy to Authenticate Usernames to a Search Domain

Setting Up a RADIUS Authentication Proxy to Authenticate Remote Users by NDS Context to Any RADIUS Server

A user logs in as jane@acme.com. You want this user to authenticate using the local NDS tree and search for the user from the [Root] context of the NDS tree and any context below [Root]. You don't care which RADIUS server handles the authentication. If the user cannot be authenticated in the NDS tree, you want the server to send the authentication request to all the search domains for the Dial Access System object. Configure the Dial Access System object as follows:

Domain Name: acme.com
Domain Type: NDS Context---Any Novell RADIUS Services Server
NDS Context Name: [Root]
Look for user in any lookup context under this context: checked
Use search domains if user not found: checked

Refer to the context-sensitive help for information about specific configuration procedures.


Setting Up a RADIUS Authentication Proxy to Authenticate Remote Users by NDS Context to a Specific RADIUS Server

A user logs in as jane@sales.acme.com. You want this user to authenticate using the local NDS tree, but you want to search for the user only in the sales.acme context. You also want a specific RADIUS server that is within the same partition of the NDS tree as the sales context to handle the authentication to reduce network latency for the login. The IP address for the RADIUS server is 1.2.3.4 and the secret is 12345678998765432100. You need the accounting to be logged locally on the RADIUS server. Configure the Dial Access System object as follows:

Domain Name: sales.acme.com
Domain Type: NDS Context---Specific Novell RADIUS Services Server
NDS Context Name: sales.acme
Look for user in this context only: checked
Primary Address: 1.2.3.4 Port: 1645
Secret: 12345678998765432100
Log at proxy server: checked

Refer to the context-sensitive help for information about specific configuration procedures.


Setting Up a RADIUS Authentication Proxy as an ISP to Forward Requests to a Corporate RADIUS Server

You manage an ISP. Acme Corporation user joe dials in with the username joe@acme.com, and you need to forward the authentication request to the corporation's RADIUS server at IP address 1.2.3.4, port 1645, with a RADIUS secret of 12345678998765432100. You also need to forward accounting to the Acme Corporation RADIUS accounting server at IP address 1.2.4.5, port 1646, with a RADIUS secret of 98765432112345678900 and a retry limit of 24 hours. Configure the Dial Access System object as follows:

Domain Name: acme.com
Domain Type: Generic Proxy
Primary Address: 1.2.3.4 Port: 1645
Secret: 12345678998765432100
Forward to domain: checked
Use alternate addresses/secret: checked
Primary Address: 1.2.4.5 Port: 1646
Secret: 98765432112345678900

Refer to the context-sensitive help for information about specific configuration procedures.


Setting Up a RADIUS Authentication Proxy to Authenticate Usernames to a Search Domain

Acme Corporation has a legacy RADIUS server. You want to migrate your remote access to NMAS and Novell RADIUS Services; however, you want to do it gradually, moving one department a month from the legacy system to NMAS and Novell RADIUS Services. You want your users to authenticate to the RADIUS server, and you want this server to search the legacy RADIUS server if the user does not exist in NDS.

To allow users to authenticate, you can set up a search domain on the NMAS RADIUS server. The legacy RADIUS server, RAD1, is at IP address 1.2.3.4, port 1645, with a secret of 09876543211234567890. You also want accounting to be logged at the legacy proxy server. Configure the Dial Access System object on the NMAS RADIUS server as follows:

Domain Name: RAD1
Domain Type: Search Domain Server
Primary Address: 1.2.3.4
Port: 1645
Secret: 09876543211234567890
Accounting Log at proxy server: checked

Refer to the ConsoleOne online help for information about specific configuration procedures.
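As an added example (not Novell's code), the routing decision the four scenarios above describe, modelled in Python: the Dial Access System domain list becomes a table and route_request applies the domain type and checkboxes to an incoming username. The function names, the two domain tables and the NDS_TREE stand-in are constructed for illustration; the addresses and secrets are the sample values used in this section.

```python
from dataclasses import dataclass
@dataclass
class Domain:                         # one entry of the Dial Access System domain list
    dtype: str                        # nds_any | nds_specific | generic_proxy | search
    context: str = ""                 # NDS Context Name (nds_* types only)
    this_context_only: bool = False   # "Look for user in this context only"
    use_search_domains: bool = False  # "Use search domains if user not found"
    auth: tuple = None                # (Primary Address, Port, Secret) for forwarding
    acct: tuple = None                # alternate address/secret used for accounting

# Corporate server's domain list, from this section's scenarios (keys lowercased).
CORP_DOMAINS = {
    "acme.com": Domain("nds_any", context="[Root]", use_search_domains=True),
    "sales.acme.com": Domain("nds_specific", context="sales.acme", this_context_only=True,
                             auth=("1.2.3.4", 1645, "12345678998765432100")),
    "rad1": Domain("search", auth=("1.2.3.4", 1645, "09876543211234567890")),
}
# ISP server's domain list: acme.com traffic is forwarded to the corporate servers.
ISP_DOMAINS = {
    "acme.com": Domain("generic_proxy", auth=("1.2.3.4", 1645, "12345678998765432100"),
                       acct=("1.2.4.5", 1646, "98765432112345678900")),
}
# Constructed stand-in for the NDS tree: common name -> context holding the User object.
NDS_TREE = {"jane": "sales.acme", "bob": "eng.acme"}

def nds_lookup(name, dom):            # is the user in dom.context (or beneath it, if allowed)?
    ctx = NDS_TREE.get(name, "")      # "" when no such User object exists
    if dom.context == "[Root]":       # every context lies beneath [Root]
        return ctx != ""
    beneath = ctx.endswith("." + dom.context) and not dom.this_context_only
    return ctx == dom.context or beneath

def route_request(username, domains, accounting=False):
    """('local',), ('forward', addr, port) or ('reject', why) for one request."""
    name, _, realm = username.partition("@")     # realm is "" for a bare username
    dom = domains.get(realm.lower()) if realm else None
    if realm and dom is None:
        return ("reject", "unknown domain")
    if dom is not None and dom.dtype in ("generic_proxy", "search"):
        # forwarded as-is; the proxy re-signs it with this hop's own shared secret
        return ("forward",) + (dom.acct if accounting and dom.acct else dom.auth)[:2]
    if dom is not None:                          # nds_any or nds_specific
        if nds_lookup(name, dom):
            return ("local",) if dom.dtype == "nds_any" else ("forward",) + dom.auth[:2]
        if not dom.use_search_domains:
            return ("reject", "user not in context")
    for d in domains.values():                   # search domains, tried in list order
        if d.dtype == "search":
            return ("forward", d.auth[0], d.auth[1])
    return ("reject", "no search domain")
```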