Solaris Bandwidth Manager 1.5 Administration Guide

Working with a RADIUS Server

The RADIUS server provided with Sun Directory Services 3.1 offers an authentication service for remote users. For full information on the RADIUS server, refer to the documentation delivered with Sun Directory Services 3.1.

Overview

The RADIUS server provided with Sun Directory Services 3.1 is an authentication and authorization information server for a Network Access Server (NAS). A NAS is a device that provides an access point to the network for remote users connecting using SLIP, PPP or any other remote access protocol. The NAS transmits the information provided in the connection request from the remote user to the RADIUS server. The RADIUS server checks this information against the entry for the remote user in the directory. It then returns to the NAS an authorization or denial for the remote user connection. It can also provide the appropriate connection parameters for the remote user connection.


Note -

A NAS is also often referred to as a Remote Access Server (RAS) or as a RADIUS client.


Figure 6-4 summarizes the way in which RADIUS operates with Solaris Bandwidth Manager.

Figure 6-4 RADIUS Operation with Solaris Bandwidth Manager

The user is an entity requesting access to network resources. In the directory database, a user is identified by a unique uid attribute. This and all other attributes describing a remote user are defined in the remoteUser object class.

The NAS is the device to which remote users connect. The NAS queries the RADIUS server for authentication status, user profiles, and authorizations. In the directory database, each NAS is identified by a unique ipHostNumber attribute. This and all other attributes describing a RADIUS client are defined in the nas object class.

The RADIUS server authenticates the NAS, then checks the remote user's identity and authorization in the directory database. It returns the user's status and configuration information to the NAS. If the RADIUS server cannot authenticate the NAS, it ignores the request -- there is no connection rejection.

Once the authentication process is complete, the NAS sends accounting information on the remote connection to the RADIUS server. This is logged dynamically in the user's directory entry. The information logged is contained in the dynamicIPaddress, dynamicSessionId, dynamicSessionCounter, and dynamicAddressBinding attributes.

This information is then replicated to the Solaris Bandwidth Manager configuration using a Replication Event.

An exchange of information between Solaris Bandwidth Manager and Sun Directory Services then takes place, in which the Solaris Bandwidth Manager configuration is updated with the dynamic information. The filters and classes that are created are named using the relevant uid and sessionId. If the LSaction has the queueName attribute, no class is created.


Note -

When interoperating with Solaris Bandwidth Manager, dynamic accounting is used. Refer to the documentation delivered with Sun Directory Services for information on other approaches.


Configuration

To be able to use the RADIUS protocol, you must carry out configuration on both Solaris Bandwidth Manager and Sun Directory Services. Refer to the documentation delivered with Sun Directory Services for configuration instructions and schema information.

On Solaris Bandwidth Manager:

On Sun Directory Services:

Policy Behavior

The policyRef attribute contained in the policyAux object class for a user must point to an entry of type Policy. This can do one of the following:

Creating a filter only

A service provider offers three classes of service: Standard, StandardPlus and Premium. Each has a different level of guaranteed bandwidth. Administrative and other incidental traffic is handled by the root class:

Class Name      Guaranteed Bandwidth
Premium         50%
StandardPlus    30%
Standard        10%

User Fred Smith has a subscription to the Premium class.

On receiving traffic from Fred Smith, the policyRef attribute in the policyAux class is checked. It points to the policy "Premium". The "Premium" policy contains an LSaction "ActionPremiumClass" with the attribute queueName "Premium".

A filter is created containing Fred Smith's IP address and is added to the Premium class. Traffic from Fred Smith is then filtered into the Premium class. The filter name is the UID of Fred Smith's user entry in the directory, plus the sessionID.

It would also be possible to add conditions to the policy, specifying a service, for example.

Creating a class and a filter

A service provider offers three classes of service: Standard, StandardPlus and Premium. Each has a different level of guaranteed bandwidth. Administrative and other incidental traffic is handled by the root class. From time to time, however, the service's administrators need to send high priority messages to each other. To do so, they send email from an account called admin-urgent. Doing so creates a class with a priority of 1 and a guaranteed bandwidth of 10%, so that these messages are dealt with immediately.

Jane Brown needs to send an urgent message to the other administrators. To do so, she logs in as admin-urgent. On receiving traffic from admin-urgent, the policyRef attribute of the policyAux class is checked. It points to the policy Urgent. The Urgent policy contains an LSaction with the attributes ceilingRate, guaranteedRate, and queuePriority. The absence of the queueName attribute tells the Solaris Bandwidth Manager software to create a class called urgent with the specified maximum and guaranteed bandwidth and priority. A filter is then created containing the IP address from which the admin-urgent message was sent. The filter's name is composed of the UID and sessionID.
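The two scenarios above (filter only, and class plus filter) follow one rule: the presence or absence of queueName on the policy's LSaction. The following is an added example, not code from the Solaris Bandwidth Manager product or this guide, that models that rule over constructed directory data; the dict layout, the uid values, the IP addresses and the Urgent ceilingRate are assumptions made for the example.

```python
# Added example (not from the Solaris Bandwidth Manager guide): models how a
# user's policyRef and its LSaction attributes map onto the filter and class
# the guide says are created for a RADIUS session. Entry and attribute names
# follow the guide; the dict layout and all sample values are assumptions.

def apply_policy(user, session, policies):
    """Return (filter, new_class_or_None) for one accounted RADIUS session.

    user:     directory entry holding uid and the policyAux policyRef
    session:  dynamic accounting data logged by the NAS (IP address, session id)
    policies: Policy entries keyed by name, each holding one LSaction
    """
    action = policies[user["policyRef"]]["LSaction"]
    # Filters and classes are named from the uid plus the sessionId.
    name = f'{user["uid"]}{session["dynamicSessionId"]}'
    if "queueName" in action:
        # queueName present: no class is created; the filter is added to
        # the existing class that queueName names.
        target_class, new_class = action["queueName"], None
    else:
        # queueName absent: create a class with the rates and priority taken
        # from the LSaction, then attach the filter to that new class.
        target_class = name
        new_class = {
            "name": name,
            "ceilingRate": action["ceilingRate"],
            "guaranteedRate": action["guaranteedRate"],
            "queuePriority": action["queuePriority"],
        }
    flt = {"name": name, "srcAddress": session["dynamicIPaddress"],
           "class": target_class}
    return flt, new_class


# Constructed sample data mirroring the guide's two scenarios.  The Urgent
# ceilingRate is a placeholder; the guide gives no value for it.
POLICIES = {
    "Premium": {"LSaction": {"queueName": "Premium"}},
    "Urgent": {"LSaction": {"ceilingRate": "100%", "guaranteedRate": "10%",
                            "queuePriority": 1}},
}
FRED = {"uid": "fsmith", "policyRef": "Premium"}
ADMIN = {"uid": "admin-urgent", "policyRef": "Urgent"}
FRED_SESSION = {"dynamicIPaddress": "192.0.2.10", "dynamicSessionId": "0001"}
ADMIN_SESSION = {"dynamicIPaddress": "192.0.2.20", "dynamicSessionId": "0002"}

if __name__ == "__main__":
    print(apply_policy(FRED, FRED_SESSION, POLICIES))   # filter only
    print(apply_policy(ADMIN, ADMIN_SESSION, POLICIES))  # class and filter
```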