The RADIUS server provided with Sun Directory Services 3.1 offers an authentication service for remote users. For full information on the RADIUS server, refer to the documentation delivered with Sun Directory Services 3.1.
The RADIUS server provided with Sun Directory Services 3.1 is an authentication and authorization information server for a Network Access Server (NAS). A NAS is a device that provides an access point to the network for remote users connecting using SLIP, PPP or any other remote access protocol. The NAS transmits the information provided in the connection request from the remote user to the RADIUS server. The RADIUS server checks this information against the entry for the remote user in the directory. It then returns to the NAS an authorization or denial for the remote user connection. It can also provide the appropriate connection parameters for the remote user connection.
A NAS is also often referred to as a Remote Access Server (RAS) or as a RADIUS client.
Figure 6-4 summarizes the way in which RADIUS operates with Solaris Bandwidth Manager.
The user is an entity requesting access to network resources. In the directory database, a user is identified by a unique uid attribute. This and all other attributes describing a remote user are defined in the remoteUser object class.
The NAS is the device to which remote users connect. The NAS queries the RADIUS server for authentication status, user profiles, and authorizations. In the directory database, each NAS is identified by a unique ipHostNumber attribute. This and all other attributes describing a RADIUS client are defined in the nas object class.
The RADIUS server authenticates the NAS, then checks the remote user's identity and authorization in the directory database. It returns the user's status and configuration information to the NAS. If the RADIUS server cannot authenticate the NAS, it ignores the request -- there is no connection rejection.
Once the authentication process is complete, the NAS sends accounting information on the remote connection to the RADIUS server. This is logged dynamically in the user's directory entry. The information logged is contained in the dynamicIPaddress, dynamicSessionId, dynamicSessionCounter, and dynamicAddressBinding attributes.
This information is then replicated to the Solaris Bandwidth Manager configuration using a Replication Event.
An exchange of information between Solaris Bandwidth Manager and Sun Directory Services then takes place, in which the Solaris Bandwidth Manager configuration is updated with the dynamic information. The filters and classes that are created are named using the relevant uid and sessionId values. If the LSaction has a queueName attribute, no class is created; the filter is attached to the existing class named by queueName.
When interoperating with Solaris Bandwidth Manager, dynamic accounting is used. Refer to the documentation delivered with Sun Directory Services for information on other approaches.
To be able to use the RADIUS protocol, you must carry out configuration on Solaris Bandwidth Manager, and on Sun Directory Services. Refer to the documentation delivered with Sun Directory Services for configuration instructions and schema information.
Edit the /opt/SUNWconn/ba/html/beans/QRasPolicy.html file, so that Solaris Bandwidth Manager can reply to replication events.
Enable dynamic accounting for the RADIUS server.
In the database, create the necessary entries for NAS devices and remote users. For each user, in addition to an object class of type remoteUser, you must create an object class of type policyAux. The policyAux object class must have the same Distinguished Name (DN) as the remoteUser object class. This is because the remoteUser object class cannot contain a policyRef attribute. The policyRef attribute must point to a valid policy.
Set a replication schedule for the replication of information between the directory and the policy agents. Set replication to immediate, so that whenever modifications are made to entries that are within the scope of the replica, they are automatically pushed to the policy agent.
Replicate the subtree containing remote user entries. If you do not want to replicate all attributes in the remote user entries, make sure that you include at least the following attributes: dynamicIPaddress, dynamicSessionID, dynamicSessionCounter.
Ensure that Replication Events contain a Replication Password. This is the password you set when installing the Solaris Bandwidth Manager packages, and is defined in the /etc/opt/SUNWconn/ba/agent.properties file. You will be prompted for this when configuring the DN of the administrator of the remote system. The DN itself is ignored.
The policyRef attribute contained in the policyAux object class for a user must point to an entry of type Policy. That policy can do one of the following:
Create a filter containing the IP address of the newly connected user.
Create a class and a filter containing the IP address of the newly connected user.
A service provider offers three classes of service: Standard, StandardPlus and Premium. Each has a different level of guaranteed bandwidth. Administrative and other incidental traffic is handled by the root class:
Class Name | Guaranteed Bandwidth
---|---
Premium | 50%
StandardPlus | 30%
Standard | 10%
User Fred Smith has a subscription to the Premium class.
On receiving traffic from Fred Smith, the policyRef attribute in the policyAux class is checked. It points to the policy "Premium". The "Premium" policy contains an LSaction "ActionPremiumClass" with the attribute queueName "Premium".
A filter is created containing Fred Smith's IP address and is added to the Premium class. Traffic from Fred Smith is then filtered into the Premium class. The filter name is the UID of Fred Smith's user entry in the directory, plus the sessionID.
It would also be possible to add conditions to the policy, specifying a service, for example.
A service provider offers three classes of service: Standard, StandardPlus and Premium. Each has a different level of guaranteed bandwidth. Administrative and other incidental traffic is handled by the root class. From time to time, however, the service's administrators need to send high priority messages to each other. To do so, they send email from an account called admin-urgent. Doing so creates a class with a priority of 1 and a guaranteed bandwidth of 10%, so that these messages are dealt with immediately.
Jane Brown needs to send an urgent message to the other administrators. To do so, she logs in as admin-urgent. On receiving traffic from admin-urgent, the policyRef attribute of the policyAux class is checked. It points to the policy Urgent. The Urgent policy contains an LSaction with the attributes ceilingRate, guaranteedRate, and queuePriority. The absence of the queueName attribute tells the Solaris Bandwidth Manager software to create a class called urgent with the specified maximum and guaranteed bandwidth and priority. A filter is then created containing the IP address from which the admin-urgent message was sent. The filter's name is composed of the UID and sessionID.
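The two walkthroughs above (the Premium filter and the Urgent class) follow one rule: look up the user's policyRef, then either attach a filter to the class named by the LSaction's queueName or, when queueName is absent, create a class from ceilingRate, guaranteedRate and queuePriority before attaching the filter. The following is an added Python model of that decision, not code from Solaris Bandwidth Manager or Sun Directory Services; the attribute names come from this page, while the data classes, the function, the uid/session/IP values and the Urgent ceilingRate are constructed assumptions (the class created in the no-queueName case is named with the uid + sessionId rule stated earlier on the page).

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Hypothetical in-memory model of the directory entries described on this page.
# Attribute names are the page's; the Python structure and sample values are constructed.

@dataclass
class LSaction:
    queueName: Optional[str] = None      # present: filter into this existing class
    ceilingRate: Optional[int] = None    # absent queueName: a class is built from these
    guaranteedRate: Optional[int] = None
    queuePriority: Optional[int] = None

@dataclass
class RemoteUser:
    uid: str
    policyRef: str            # from the policyAux entry sharing the user's DN
    dynamicIPaddress: str     # logged by dynamic accounting once the NAS connects
    dynamicSessionId: str

@dataclass
class BandwidthConfig:
    classes: Dict[str, dict] = field(default_factory=dict)
    filters: Dict[str, dict] = field(default_factory=dict)

def apply_replication_event(cfg: BandwidthConfig, user: RemoteUser,
                            policies: Dict[str, LSaction]) -> str:
    """Update the configuration for one replicated user entry; return the class
    the new filter was attached to."""
    if user.policyRef not in policies:
        raise KeyError(f"policyRef {user.policyRef!r} does not point to a valid policy")
    act = policies[user.policyRef]
    name = user.uid + user.dynamicSessionId          # filter (and class) name: uid + sessionId
    if act.queueName is not None:
        target = act.queueName                       # existing class: no class is created
    else:
        if None in (act.ceilingRate, act.guaranteedRate, act.queuePriority):
            raise ValueError("LSaction without queueName needs ceilingRate, "
                             "guaranteedRate and queuePriority")
        target = name
        cfg.classes[target] = {"ceilingRate": act.ceilingRate,
                               "guaranteedRate": act.guaranteedRate,
                               "queuePriority": act.queuePriority}
    cfg.filters[name] = {"ip": user.dynamicIPaddress, "class": target}
    return target

# Constructed sample data mirroring the page's two walkthroughs.
POLICIES = {"Premium": LSaction(queueName="Premium"),
            "Urgent": LSaction(ceilingRate=100, guaranteedRate=10, queuePriority=1)}
FRED = RemoteUser("fsmith", "Premium", "192.0.2.10", "0001")
JANE = RemoteUser("admin-urgent", "Urgent", "192.0.2.20", "0042")
```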