RADIUS Extension Guide: Introducing RADIUS


Chapter 1 Introducing RADIUS

This chapter contains background information about the RADIUS protocol and about the RADIUS server provided with Solaris Extensions for Netscape Directory Server 4.11. For configuration information, refer to Chapter 2, "Initializing and Configuring RADIUS." For information on installing the RADIUS server, refer to the Solaris Extensions Installation Guide.

This chapter contains the following sections:

RADIUS Authentication
RADIUS Accounting
RADIUS Architecture
Components Providing RADIUS Service

RADIUS Authentication
The Remote Access Dialup User Service (RADIUS) protocol improves network security by providing a mechanism for authenticating remote users connecting to the network. It does this by carrying authentication, authorization and configuration information between a Network Access Server (NAS) and a RADIUS server.

A NAS, also known as a Remote Access Server (RAS), is a device that provides an access point to a network for remote users connecting through remote access protocols such as telnet, ftp or PPP.

Figure 1.1 Network Access Server.

The configuration shown in Figure 1.1 relies only on the security mechanisms provided by the connection protocol in use, for example PPP, to prevent unauthorized access to the network. With RADIUS, you keep a single source of authentication information in a directory and use it to authenticate all remote users, so the security mechanism is the same regardless of the connection protocol.


RADIUS Accounting
You can also use the RADIUS server to collect information about remote user connections, and keep statistics on a per-user basis.

A NAS can send accounting information about remote user connections to the RADIUS server. This information is logged separately for each NAS, in a log file called detail. The detail file is stored in a log directory called /var/opt/SUNWconn/ldap/radacct/nasname, where nasname is the value of the common name (cn) attribute in the directory entry for the NAS.

If the RADIUS server is unable to authenticate the NAS, accounting information is nonetheless logged, although it is marked as unverified in the nasname/detail file.

All the accounting information provided by the NAS is logged in the detail file.

Some accounting information can also be stored dynamically in the remote user's directory entry: it is added when the user connects, and deleted when the user disconnects.

To configure the RADIUS server to log dynamic accounting information, refer to "Configuring Dynamic Accounting".


RADIUS Architecture
Figure 1.2 shows the authentication architecture when RADIUS is in use.

Figure 1.2 RADIUS Authentication Architecture

A user is any entity requesting access to network resources. Each user is identified by a unique uid in the LDAP directory database.

The NAS, also referred to as the RADIUS client, is the device to which remote users connect. The client queries the RADIUS server for authentication status, user profiles and authorizations. In the directory database, each client is identified by a unique ipHostNumber. The ipHostNumber attribute, and all other attributes describing a RADIUS client, are defined in the nas object class.

The RADIUS server authenticates the NAS, then checks the remote user's identity and authorization in the directory database. It returns the user's status (connection authorized or refused) and configuration information to the NAS.

If the RADIUS server is unable to authenticate the NAS, the request from the NAS is ignored. The RADIUS server does not respond, not even with a connection rejection.
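The two behaviours described above and in "RADIUS Accounting" (a request from a NAS the server cannot authenticate is silently ignored, and an accounting record from such a NAS is logged but marked unverified) both rest on the shared secret that the RADIUS protocol (RFC 2865 and RFC 2866) establishes between each NAS and the server. The following Python script is an added example written for this guide; it is not part of dsradiusd or its sources, and the secrets, user name, password, session identifier and request authenticator in it are constructed values. It builds an Access-Request whose User-Password is hidden with the shared secret and shows that only the secret stored for that NAS recovers the password, which is why a mismatched secret yields a failed password check rather than a detectable protocol error. It then computes and verifies the Request Authenticator of an Accounting-Request, which is the check that lets a server decide whether an accounting record is verified, and the Response Authenticator that lets the NAS check a reply. The server cannot verify the authenticator of an Access-Request itself (it is a random value), so in practice it identifies the NAS by its source address, the ipHostNumber held in the directory, and relies on the password check.

```python
"""RADIUS packet handling per RFC 2865/2866 (constructed example, not dsradiusd code)."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
USER_NAME, USER_PASSWORD, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 2, 40, 44
ZERO_AUTH = b"\x00" * 16

def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def decode_attrs(data):
    """Parse TLVs, rejecting a length below 2 or one that runs past the buffer."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", data[i:i + 2])
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs

def header(code, ident, attrs_bytes):
    return struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))  # Code, ID, Length

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    """Server side of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def access_request(ident, request_auth, secret, username, password):
    """NAS -> server. request_auth is random in practice and cannot be verified by the server."""
    attrs = encode_attrs([(USER_NAME, username),
                          (USER_PASSWORD, hide_password(password, secret, request_auth))])
    return header(ACCESS_REQUEST, ident, attrs) + request_auth + attrs

def accounting_request(ident, secret, attrs):
    """RFC 2866 3: Request Authenticator = MD5(header + 16 zero bytes + attrs + secret)."""
    a = encode_attrs(attrs)
    auth = hashlib.md5(header(ACCOUNTING_REQUEST, ident, a) + ZERO_AUTH + a + secret).digest()
    return header(ACCOUNTING_REQUEST, ident, a) + auth + a

def accounting_request_verified(packet, secret):
    """True when the Request Authenticator proves the sender knows this NAS's secret."""
    if (len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST
            or struct.unpack("!H", packet[2:4])[0] != len(packet)):
        return False
    expected = hashlib.md5(packet[:4] + ZERO_AUTH + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)

def response(code, request, secret, attrs=()):
    """Server -> NAS. Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    a = encode_attrs(attrs)
    auth = hashlib.md5(header(code, request[1], a) + request[4:20] + a + secret).digest()
    return header(code, request[1], a) + auth + a

def response_verified(reply, request, secret):
    """NAS-side check that the reply matches its request and came from a server holding the secret."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[1] == request[1] and hmac.compare_digest(reply[4:20], expected)

def demo():
    secret, wrong_secret = b"nas1-secret", b"not-this-nas-secret"  # constructed values
    req_auth = bytes(range(16))  # constructed; a real NAS sends 16 random bytes
    req = access_request(7, req_auth, secret, b"jdoe", b"hunter2")
    hidden = dict(decode_attrs(req[20:]))[USER_PASSWORD]
    accept = response(ACCESS_ACCEPT, req, secret)
    acct = accounting_request(8, secret, [(ACCT_STATUS_TYPE, b"\x00\x00\x00\x01"),  # Start
                                          (ACCT_SESSION_ID, b"0001")])
    return {
        "password_with_right_secret": reveal_password(hidden, secret, req_auth),
        "password_with_wrong_secret": reveal_password(hidden, wrong_secret, req_auth),
        "accept_verified_by_nas": response_verified(accept, req, secret),
        "accounting_verified": accounting_request_verified(acct, secret),
        "accounting_verified_wrong_secret": accounting_request_verified(acct, wrong_secret),
    }
```

Calling demo() returns the five results: the password is recovered only with the NAS's own secret, the Access-Accept passes the NAS-side check, and the Accounting-Request verifies with the right secret and fails with any other, which is the condition under which a record would be written to the detail file as unverified. The attribute decoder deliberately rejects lengths that fall below the 2-byte minimum or run past the datagram, since a server that trusts the length field of an untrusted UDP packet is a common source of parsing faults.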


Components Providing RADIUS Service
This section describes the components supplied with Solaris Extensions for Netscape Directory Server 4.11 to provide the RADIUS service.

RADIUS Daemon

The RADIUS daemon, dsradiusd, is the RADIUS server. It handles connection requests received from NAS devices. It connects to the directory server daemon, ns-slapd, to search for NAS and remote user information. It checks the information held in the directory against the information supplied in the connection request from the remote user. If the information supplied in the connection request is valid, it returns an accept-connection response that can include the connection parameters.

See "dsradiusd" for more information on the RADIUS server daemon.

RADIUS Configuration Files

The configuration of the RADIUS server is mainly stored in the dsradiusd.conf file. However, some configuration parameters are stored in the radius.mapping file.

See "Configuring RADIUS" for details on the configuration parameters.

RADIUS Schema Objects

RADIUS-specific object classes and attributes are required to support the RADIUS server, in particular to store information about NAS devices and remote users in the LDAP directory.

The RADIUS-specific LDAP attributes are mapped onto the RADIUS attributes that are actually used in the communications between the NAS and the RADIUS server. This mapping is defined in the radius.mapping file.

For information on RADIUS schema objects, see "RADIUS Schema".

RADIUS Console

The RADIUS Console is a graphical tool that offers a convenient way of performing RADIUS administration and configuration tasks. It is integrated into the Netscape management framework. An icon representing the RADIUS Console is listed under the Server Group subtree in the Netscape Console.

For information on starting the RADIUS Console, see "Configuring RADIUS".

PAM Module

You can use the pluggable authentication module (PAM) to offer authentication mechanisms such as Kerberos, RSA or smart cards on top of RADIUS. The PAM module is part of the Solaris operating system.

For general information on the PAM authentication modules and API, refer to the pam(3) man page. For information on configuring PAM authentication modules, refer to the pam.conf(4) man page.

For information on configuring the RADIUS server to operate with the PAM module, refer to "Configuring RADIUS to Use PAM".


Copyright © 1999 Sun Microsystems, Inc. Some preexisting portions Copyright © 1999 Netscape Communications Corporation