SunScreen 3.1 Administration Guide

FTP Proxy Service With RADIUS User Authentication

The following information is used in this example:

To simplify administration, the Proxy User name and the Authorized User name may use the same name as the Backend User name.

To Set Up the Service
  1. Follow the steps in the section above, "Configuring RADIUS Authentication for SunScreen."

  2. Configure the FTP Proxy Service:

    1. Create a Proxy user group, for example, ftp-grp.

    2. Add pre-defined users radius and securid to ftp-grp.


      # ssadm edit <Policy>
      > proxyuser add ftp-grp GROUP
      > proxyuser addmember ftp-grp radius
      > proxyuser addmember ftp-grp securid
      

    3. For each user that will be using the FTP Proxy:

      • Create a record in the Authorized User database.

      • Create a record in the Proxy User database.

      • Add the user as a member of ftp-grp:


        # ssadm edit <Policy>
        > authuser add au1 PASSWORD=\{ au1_pw \}
        > proxyuser add pu1 auth_user_name=au1 \
        backend_user_name=BkEndUsrName
        > proxyuser addmember ftp-grp pu1
        

      This example assumes the C shell: the backslash (\) before each brace escapes the special characters { and }. For the Bourne shell, the backslash is not necessary.

      Since there are typically many users to administer, this can be done through a script.

    4. Add a rule to allow the FTP proxy for the proxy user group, ftp-grp.


      # ssadm edit <Policy>
      edit > Add Rule ftp USER ftp-grp ALLOW PROXY_FTP \
      FTP_GET FTP_CHDIR
      edit > save
      # ssadm activate <Policy>
      

  3. Test the FTP Proxy with RADIUS authentication:


    # ftp EFS_Screen_name
    Username @Hostname: radius_user@ftp_server
    Password: radius_user_pw@password_at_ftp_server
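
As step 2.3 notes, per-user records are usually created through a script. The following is an added example, not part of the SunScreen guide: it turns a user list into the three editor commands shown in that step and rejects entries whose fields could carry extra words into the command text. The colon-separated input format, the function names and the password character restriction are assumptions of this example.

```shell
#!/bin/sh
# Added example: emit the step 2.3 commands for each user in a list.
# Assumed input, one user per line: auth_user:proxy_user:backend_user:password
GROUP=ftp-grp   # proxy user group from step 2.1

# Accept only names made of [A-Za-z0-9_.-] so an entry cannot carry
# whitespace or extra words into the generated command text.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Reads the list on stdin, writes commands on stdout.
# Returns non-zero if any entry was rejected.
gen_user_cmds() {
    rc=0
    while IFS=: read -r au pu be pw; do
        case "$au" in ''|'#'*) continue ;; esac      # blank line or comment
        if ! valid_name "$au" || ! valid_name "$pu" || ! valid_name "$be"; then
            echo "rejected entry: invalid name" >&2
            rc=1; continue
        fi
        # Example restriction: no spaces, braces or quotes in the password,
        # since it is written inside PASSWORD={ ... }.
        case "$pw" in
            ''|*[!A-Za-z0-9_.,@%+=-]*)
                echo "rejected $au: unsupported password characters" >&2
                rc=1; continue ;;
        esac
        printf 'authuser add %s PASSWORD={ %s }\n' "$au" "$pw"
        printf 'proxyuser add %s auth_user_name=%s backend_user_name=%s\n' \
            "$pu" "$au" "$be"
        printf 'proxyuser addmember %s %s\n' "$GROUP" "$pu"
    done
    return $rc
}

# Constructed sample list; the second entry is rejected.
umask 077   # any file the output is redirected to contains passwords
gen_user_cmds <<'EOF' || echo "some entries were rejected" >&2
au1:pu1:BkEndUsrName:au1_pw
au2:pu2 save:be2:pw2
EOF
```

The output is the command text from step 2.3 without the C shell backslashes; review it before entering it in the `ssadm edit <Policy>` session.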