Sun Directory Services 3.1 Administration Guide

Restricting Access through a Specified NAS

You may want to ensure that remote users always connect to a specific NAS. For example, if you want to control communications costs, you can ensure they connect to the NAS that is geographically closest to them.

  1. In the Dynamic section of the USERS table, add a BaseDN and FILTER token to the configuration with the suffix _nasname, and assign temporary values, using the following format:

    BASEDN_nasname= search_base
    FILTER_nasname= (&(Objectclass=remoteUser)(uid=$UserID))

    where:

    • nasname is the name of the NAS (value of the cn attribute in the directory entry for the NAS)

    • search_base is the naming context that holds the directory entries for the remote users to whom you are granting access through the NAS

  2. Restart the dsradiusd daemon so that the new configuration file is taken into account.

    # /opt/SUNWconn/ldap/sbin/dsradius stop
    # /opt/SUNWconn/ldap/sbin/dsradius start

    For example, your Base DN for remote users is l=France, o=XYZ, c=US, and you have remote users located in Paris, Lyon, and Toulouse who can connect to the network through a local NAS at each site. The NAS names are ParisNAS, LyonNAS, and ToulouseNAS respectively. You want to ensure that remote users always connect through the nearest NAS to save on communication costs.

    You would change the radius.mapping file to include:

    BaseDN= l=France, o=xyz, c=us
    BaseDN_ParisNAS= l=Paris, l=France, o=xyz, c=us
    BaseDN_LyonNAS= l=Lyon, l=France, o=xyz, c=us
    BaseDN_ToulouseNAS= l=Toulouse, l=France, o=xyz, c=us
    FILTER=(&(Objectclass=remoteUser)(uid=$UserID))

    When the RADIUS server receives a request from ParisNAS, it checks that the remote user belongs to the naming context l=Paris, l=France, o=XYZ, c=US.
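    The following is an added illustration, not code from Sun Directory Services: a small Python model of how the per-NAS BaseDN tokens in radius.mapping narrow the LDAP search base, using the sample mapping above as constructed input. The case-insensitive token lookup, the fallback to the global BaseDN for a NAS with no token of its own, and the RFC 4515 escaping of the substituted $UserID value are assumptions made for the example.

```python
# Added example (not Sun Directory Services code): model of per-NAS BaseDN selection.

# Constructed sample radius.mapping fragment, copied from the guide's example.
MAPPING = """
BaseDN= l=France, o=xyz, c=us
BaseDN_ParisNAS= l=Paris, l=France, o=xyz, c=us
BaseDN_LyonNAS= l=Lyon, l=France, o=xyz, c=us
BaseDN_ToulouseNAS= l=Toulouse, l=France, o=xyz, c=us
FILTER=(&(Objectclass=remoteUser)(uid=$UserID))
"""

def parse_mapping(text):
    """Parse 'TOKEN= value' lines into a dict; tokens are upper-cased (assumption)."""
    tokens = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        tokens[key.strip().upper()] = value.strip()
    return tokens

def normalize_dn(dn):
    """Lower-case and strip spaces around RDN separators so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def escape_filter_value(value):
    """Escape an assertion value (RFC 4515) so a user ID cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def search_params(tokens, nas_name, user_id):
    """Return (base_dn, filter) used for a request from nas_name.
    A BaseDN_<nas>/FILTER_<nas> token overrides the global BaseDN/FILTER."""
    suffix = "_" + nas_name.upper()
    base = tokens.get("BASEDN" + suffix, tokens.get("BASEDN"))
    flt = tokens.get("FILTER" + suffix, tokens.get("FILTER"))
    return normalize_dn(base), flt.replace("$UserID", escape_filter_value(user_id))

def in_naming_context(entry_dn, base_dn):
    """True if entry_dn lies under base_dn (subtree scope), i.e. the user is found."""
    e, b = normalize_dn(entry_dn), normalize_dn(base_dn)
    return e == b or e.endswith("," + b)

def allowed(tokens, nas_name, user_id, entry_dn):
    """Simulate the check: the user's entry must sit in the NAS's naming context."""
    base, _ = search_params(tokens, nas_name, user_id)
    return in_naming_context(entry_dn, base)
```

A user whose entry is under l=Paris is found for a request from ParisNAS but not from LyonNAS, while a NAS with no BaseDN_nasname token falls back to the whole l=France subtree.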