Advanced Configuration of RADIUS Searches
Through the Admin Console, you can perform a basic configuration of the naming contexts that the RADIUS server will search for user and NAS information. You can manually edit the radius.mapping file to:
-
Provide temporary access to a remote user whose entry is not in the naming context normally searched for users
-
Associate remote users with a particular NAS, and grant access through that NAS only
-
Combine the options above to provide temporary access through a specified NAS
-
Manage remote users connecting from a virtual domain
The naming contexts searched by the RADIUS server are specified in the /etc/opt/SUNWconn/ldap/current/mapping/radius.mapping file. In the Dynamic section of the USERS table, the following lines define access for remote users:
BaseDN= l=Paris, o=xyz, c=us FILTER=(&(Objectclass=remoteUser)(uid=$UserID))
In this example, the RADIUS server searches for the user ID passed in the request from the NAS in the naming context l=Paris, o=XYZ, c=US among all entries with an object class of remoteUser.
Providing Temporary Access
Without changing your basic configuration, you can allow temporary access to a remote user whose entry is in a different naming context.
-
In the Dynamic section of the USERS table, add a BaseDN and FILTER token to the configuration with the prefix TMP_ , and assign temporary values, using the following format:
TMP_BASEDN = new_search_baseTMP_Filter = (&(Objectclass=remoteUser)(uid=$UserID)(uid=userid))
where:
-
new_search_base is the naming context that holds the remoteUser entry for the person to whom you are granting temporary access. If this naming context is stored on a different server, ensure that a referral is defined between the two servers
-
userid is the actual userid of the remote user. This ensures that you grant access to that user alone, and not to all the entries with the object class remoteUser in the new search base
-
-
Restart the dsradiusd daemon so that the new configuration file is taken into account.
# /opt/SUNWconn/ldap/sbin/dsradius stop # /opt/SUNWconn/ldap/sbin/dsradius start
For example, if your Base DN for remote users is l=Paris, o=XYZ, c=US, and you want to provide temporary access to the remote user Felipe Gonzalez located in Madrid, you would change the local radius.mapping file to include:
BaseDN= l=Paris, o=xyz, c=us TMP_BaseDN= l=Madrid, o=xyz, c=us FILTER=(&(Objectclass=remoteUser)(uid=$UserID)) TMP_Filter=(&(Objectclass=remoteUser)(uid=$UserID)(uid=fgonzalez))
This example assumes that a referral exists between the local directory server and the directory server holding the naming context l=Madrid, o=XYZ, c=US.
If you want to temporarily extend permission to all remote users within the XYZ corporation, you would use the following temporary base DN token:
TMP_BaseDN= o=xyz, c=us
This example assumes that there is a default referral from the server that holds the l=Paris, o=XYZ, c=US data store to the server that holds the o=XYZ, c=US data store. It also assumes that the o=XYZ, c=US data store contains referral entries to all data stores held on other servers.
Restricting Access through a Specified NAS
You may want to ensure that remote users always connect to a specific NAS. For example, if you want to control communications costs, you can ensure they connect to the NAS that is geographically closest to them.
-
In the Dynamic section of the USERS table, add a BaseDN and FILTER token to the configuration with the suffix _nasname, and assign temporary values, using the following format:
BASEDN_nasname= search_baseFilter_ nasname= (&(Objectclass=remoteUser)(uid=$UserID))
where:
-
nasname is the name of the NAS (value of the cn attribute in the directory entry for the NAS)
-
search_base is the naming context that holds the directory entries for the remote users to whom you are granting access through the NAS
-
-
Restart the dsradiusd daemon so that the new configuration file is taken into account.
# /opt/SUNWconn/ldap/sbin/dsradius stop # /opt/SUNWconn/ldap/sbin/dsradius start
For example, your Base DN for remote users is l=France, o=XYZ, c=US, and you have remote users located in Paris, Lyon, and Toulouse who can connect to the network through a local NAS at each site. The NAS names are ParisNAS, LyonNAS, and ToulouseNAS respectively. You want to ensure that remote users always connect through the nearest NAS to save on communication costs.
You would change the radius.mapping file to include:
BaseDN= l=France, o=xyz, c=us BaseDN_ParisNAS= l=Paris, l=France, o=xyz, c=us BaseDN_LyonNAS= l=Lyon, l=France, o=xyz, c=us BaseDN_ToulouseNAS= l=Toulouse, l=France, o=xyz, c=us FILTER=(&(Objectclass=remoteUser)(uid=$UserID))
When the RADIUS server receives a request from ParisNAS, it checks that the remote user belongs to the naming context l=Paris, l=France, o=XYZ, c=US.
Combining Temporary Access and NAS Restriction
You can combine temporary access permission and restrict access to a particular NAS by combining the TMP_ prefix and _nasname suffix on the BaseDN or the FILTER tokens.
For example, if you want to grant Felipe Gonzalez from Madrid remote access to the Paris NAS just for the duration of a business trip to Paris, you would modify the radius.mapping file to include the following lines in the Dynamic section of the USERS table:
BaseDN= l=France, o=xyz, c=us TMP_BaseDN= l=Madrid, o=xyz, c=us FILTER=(&(Objectclass=remoteUser)(uid=$UserID)) TMP_Filter_ParisNAS=(&(Objectclass=remoteUser)(uid=$UserID)(uid=fgonzalez))
In this example, the _nasname suffix is added to the temporary filter rather than to the temporary base DN. The reason is that you may want to grant other people from the Madrid office access through a different NAS from the Paris NAS. In this case, the temporary base DN remains valid, you just need to create the temporary filter with the appropriate _nasname suffix.
Managing Virtual Domains
You can manage remote user connections from users who belong to a virtual domain, that is, a domain that you manage on behalf of another organization.
For example, if ABC corporation decided to use ISP corporation to manage their internet mail service, ABC would be assigned a domain name such as abc.com, and a pool of IP addresses. ISP corporation manages user information, and remote user connections for ABC corporation. When an employee from ABC corporation connects to request remote access, the connection parameters are the user login and the user password.
For example, John Smith logs in with the following parameters:
-
Login: jsmith@abc.com
-
Password: secret
The RADIUS server of ISP corporation needs to separate the user ID from the domain information. The beginning of the USERS table and the variables defined in the Dynamic section are shown below:
Table: USERS Common: BaseDN= o=isp, c=us Dynamic userID=>$myID@$virtualDomainT || $myID FILTER=(&(Objectclass=remoteUser)(uid=$myID))
In this configuration example, the username variable accepts two alternative expressions so that it can handle equally well remote users who have a domain name appended to their user ID, and those who do not.
The domain name must be checked during the authentication procedure, therefore the directory entry of John Smith includes these attributes:
-
uid: jsmith
-
userPassword: * (protected)
-
authSuffixName: @abc.com
-
grpCheckInfo: userPassword, authSuffixName
Processing Order for RADIUS Search Parameters
During a search, the RADIUS server handles the BaseDN and FILTER tokens in the following manner: it first performs an ordinary search, then, if this search fails, it performs a search on temporary tokens.
The ordinary search starts from the most restrictive to the most general:
-
FILTER_nasname
-
FILTER
-
BaseDN_nasname
-
BaseDN
If the ordinary search fails, the temporary search is handled in the same way:
-
TMP_FILTER_nasname
-
TMP_FILTER
-
TMP_BaseDN_nasname
-
TMP_BaseDN
- © 2010, Oracle Corporation and/or its affiliates