Solaris Bandwidth Manager 1.5 Administration Guide

Overview

The RADIUS server provided with Sun Directory Services 3.1 is an authentication and authorization information server for a Network Access Server (NAS). A NAS is a device that provides an access point to the network for remote users connecting using SLIP, PPP or any other remote access protocol. The NAS transmits the information provided in the connection request from the remote user to the RADIUS server. The RADIUS server checks this information against the entry for the remote user in the directory. It then returns to the NAS an authorization or denial for the remote user connection. It can also provide the appropriate connection parameters for the remote user connection.


Note -

A NAS is also often referred to as a Remote Access Server (RAS) or as a RADIUS client.


Figure 6-4 summarizes the way in which RADIUS operates with Solaris Bandwidth Manager.

Figure 6-4 RADIUS Operation with Solaris Bandwidth Manager

The user is an entity requesting access to network resources. In the directory database, a user is identified by a unique uid attribute. This and all other attributes describing a remote user are defined in the remoteUser object class.

The NAS is the device to which remote users connect. The NAS queries the RADIUS server for authentication status, user profiles, and authorizations. In the directory database, each NAS is identified by a unique ipHostNumber attribute. This and all other attributes describing a RADIUS client are defined in the nas object class.

The RADIUS server authenticates the NAS, then checks the remote user's identity and authorization in the directory database. It returns the user's status and configuration information to the NAS. If the RADIUS server cannot authenticate the NAS, it ignores the request -- there is no connection rejection.
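The silent-ignore behavior described above, as an added Python sketch that is not code from Sun Directory Services. The packet layout, User-Password hiding and Response Authenticator follow RFC 2865; the dictionaries standing in for the directory, the addresses, the secret and the function names are constructed for illustration.

```python
import hashlib
import struct

# Constructed sample directory data (not from the guide).
NAS_SECRETS = {"192.0.2.10": b"constructed-secret"}   # nas entries, keyed by ipHostNumber
USER_PASSWORDS = {"alice": b"constructed-password"}   # remoteUser entries, keyed by uid

def _xor_blocks(data, secret, req_auth, hiding):
    """RFC 2865 section 5.2: XOR 16-byte blocks with MD5(secret + previous ciphertext)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = mixed if hiding else block   # always chain on the ciphertext block
        out += mixed
    return out

def build_access_request(ident, req_auth, uid, password, secret):
    """NAS side: Access-Request (code 1) with User-Name (1) and User-Password (2)."""
    padded = password + b"\x00" * (-len(password) % 16)
    attrs = b""
    for attr_type, value in ((1, uid), (2, _xor_blocks(padded, secret, req_auth, True))):
        attrs += bytes([attr_type, len(value) + 2]) + value
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def handle_access_request(src_ip, packet):
    """Server side: returns None to ignore silently, otherwise the reply packet."""
    secret = NAS_SECRETS.get(src_ip)
    if secret is None or len(packet) < 20:
        return None                      # unknown NAS: no reply at all, not a reject
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or not 20 <= length <= len(packet):
        return None
    req_auth, attrs, pos = packet[4:20], {}, 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return None                  # malformed attribute: drop the packet
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    uid = attrs.get(1, b"").decode("utf-8", "replace")
    password = _xor_blocks(attrs.get(2, b""), secret, req_auth, False).rstrip(b"\x00")
    accepted = USER_PASSWORDS.get(uid) == password
    header = struct.pack("!BBH", 2 if accepted else 3, ident, 20)  # Accept / Reject
    # Response Authenticator = MD5(code + id + length + request authenticator + secret)
    return header + hashlib.md5(header + req_auth + secret).digest()
```

Because an unknown NAS gets no reply, a mistyped NAS address in the directory appears on the NAS as a timeout rather than as a rejection.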

Once the authentication process is complete, the NAS sends accounting information on the remote connection to the RADIUS server. This is logged dynamically in the user's directory entry. The information logged is contained in the dynamicIPaddress, dynamicSessionId, dynamicSessionCounter, and dynamicAddressBinding attributes.

This information is then replicated to the Solaris Bandwidth Manager configuration using a Replication Event.

An exchange of information between Solaris Bandwidth Manager and Sun Directory Services then takes place, in which the Solaris Bandwidth Manager configuration is updated with the dynamic information. The filters and classes that are created are named using the relevant uid and sessionId names. If the action LSaction has the attribute queueName, no class is created.


Note -

When interoperating with Solaris Bandwidth Manager, dynamic accounting is used. Refer to the documentation delivered with Sun Directory Services for information on other approaches.