Generally, a realm is a group of users who share a common characteristic, such as being customers of the same Internet Service Provider (ISP). All users of a given realm are handled the same way: they are either proxied to a remote server or authenticated locally using a specified method, according to the authentication type assigned to the realm. While you can specify authentication types for individual users, a RADIUS configuration includes a default user entry that specifies the authentication type as Realm. This authentication type directs the server to use the realm information to determine where the user information is stored and how a request should be processed. The Local Realms screen allows you to configure realms for the RADIUS server(s) by adding a new realm to the server's authfile, or by modifying or deleting an existing realm in it.

Navigating the Local Realms Screen
The Local Realms screen offers the following actions; each is also available through an icon shown next to the corresponding entry:

- Selecting the New Local Realm link displays a form of realm attributes for defining a new entry.
- Selecting an existing realm displays a form of that realm's attributes for modification.
- The delete icon displays a confirmation screen before the corresponding entry is deleted.
- The users icon displays the Users screen, which is used to define the users in the realm. This icon only appears for realms defined with the File authentication type. The Users File screen is used for both the default users file and realm-specific users.
- The move up and move down icons move the corresponding entry up or down one position in the list.
- The help icon displays a context-sensitive HTML help screen.
IMPORTANT: The order of the entries matters, because the first entry that matches a request is used to authenticate the user and the server ignores the remaining entries. List the most specific entries first and the default entry last.
Creating or Modifying a Realm

When adding a new realm entry to the server configuration or modifying an existing entry, you supply values for the realm attributes through the form's fields.

- Name: A realm name to be mapped. This name does not have to be a DNS host name, although it is highly recommended that the realm name match a domain name so the user recognizes the user@realm syntax, which resembles their email address.
- Authentication Type: Identifies the type of authentication to be performed for this realm name.

Table 2-3 Authentication Types Listed in the Realm Attributes Screen

| Type | Definition |
|---|---|
| Allow | Always allow requests. |
| Deny | Reject all requests. |
| EAP | Uses the Extensible Authentication Protocol to perform authentication using profiles stored in a flat file. |
| File | Flat file lookup of user profiles. |
| Oracle | Oracle Authentication using an Oracle database. |
| Passwd | For checking the local Unix /etc/passwd file. |
| ProLDAP | Look up user profiles stored in an LDAP accessible directory service. This authentication type requires an extended entry. It cannot be specified by the Authentication-Type attribute in a user profile. |
| SecurID | RSA SecurID® identification and authentication. |
- DNS or Filename: Only required for the following authentication types. For the File authentication type, the parameter specifies the name of the file that contains the user profiles; localhost can be specified to use the local machine's security database. For SecurID authentication, it specifies the DNS name or the IP address of the SecurID server. This authentication type requires additional configuration on the SecurID server.
- Alias: An optional, parenthesized list of one or more aliases, delimited by commas. Each realm alias is equivalent to the realm name. An alias may be provided for user convenience or other purposes, such as to save typing when logging on to your network. Aliases are allowed on wildcard entries and are interpreted as meaning *.alias rather than alias.realm or just alias.
- Protocol: The authentication protocol to which the entry applies. By default, an entry applies to all authentication protocols, but this option restricts the entry to the specified protocol. If a request's authentication protocol does not match a realm entry for that authentication protocol, the server will reject the request.
- Filter ID: Allows the optional specification of a packet filter name to be associated with authentication through this realm name. It overrides any explicit filter name specified in a user profile.
- Session Tracking: Determines whether session tracking is enabled for a realm. When session tracking is enabled, accounting records are generated for the realm and active sessions can be searched using the Session option of the Maintenance menu.
- Extended Parameters: Populated with additional fields that are unique to the selected authentication type. Many of the authentication types with extended parameters also require configuration of a user profile repository.
When adding a new realm, you select the Create button to submit it to the AAA Server Manager program. When modifying an existing realm, you select the Modify button to submit the changes. In either case, if each required field contains a valid value, the profile is created or modified; otherwise, an error message is displayed. You can always select the Cancel button to return to the Local Realms screen without making any changes to your server configuration.

Deleting a Realm
The Local Realm Deletion screen allows you to preview an entry before you delete it. If the Delete button is selected, Server Manager deletes the entry corresponding to that realm. The order of the remaining entries is not modified.

Special Entries
There are a few special entries that might be used.

- Wildcard Entries: When specifying the primary realm for an entry, you can use the wildcard syntax *.realm. This syntax provides a shorthand for associating several related realms with a single authentication type. For example, a company may have several branches, eastern.company.com, western.company.com, and central.company.com. The wildcard entry for that company would define *.company.com as the realm and would match all three of these realms. It is highly recommended that any such wildcard entry be listed after more specific entries, so that the preceding, specific entries override the wildcard entry.
- DEFAULT Entry: An entry with the realm name DEFAULT can be included to indicate how to handle authentication requests that contain a realm name but are not explicitly configured in the RADIUS server configuration. Usually, it identifies a remote server to forward the request to.
- NULL Entry: A NULL entry may also be included to indicate how to handle authentication requests that don't contain a realm name but are being handled with the Realm authentication type.
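As an added illustration of the first-match ordering rule and of the wildcard, DEFAULT and NULL entries described above (example code written for this page, not the AAA Server Manager's own logic), the following Python models a realm table, performs a lookup, and flags specific entries that an earlier wildcard would shadow. The entry fields, case-insensitive matching, and the rule that *.realm matches only subdomains are assumptions.

```python
# Added illustration of the first-match realm lookup this page describes. Entry
# model, wildcard and alias semantics are assumptions drawn from the text, not
# the AAA Server Manager's real authfile format.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class RealmEntry:
    name: str            # realm, "*.domain" wildcard, "DEFAULT" or "NULL"
    auth_type: str       # e.g. "File" or "SecurID" from Table 2-3
    aliases: tuple = ()  # on a wildcard entry an alias means "*.alias"

    def patterns(self) -> List[str]:
        wild = self.name.startswith("*.")
        return [self.name.lower()] + [("*." + a if wild else a).lower() for a in self.aliases]

def entry_matches(entry: RealmEntry, realm: Optional[str]) -> bool:
    if entry.name == "DEFAULT":
        return realm is not None   # realm present but not configured elsewhere
    if entry.name == "NULL":
        return realm is None       # request carried no realm at all
    if realm is None:
        return False
    for pat in entry.patterns():
        # "*.company.com" matches "eastern.company.com" but not "company.com"
        if realm == pat or (pat.startswith("*.") and realm.endswith(pat[1:])):
            return True
    return False

def find_realm_entry(entries, user_id: str) -> Optional[RealmEntry]:
    """First matching entry wins; later entries are ignored, as the server does."""
    _, sep, realm = user_id.partition("@")
    realm = realm.lower() if sep else None
    return next((e for e in entries if entry_matches(e, realm)), None)

def shadowed_entries(entries) -> List[str]:
    """Specific entries an earlier entry would always capture: a misordering check."""
    out = []
    for i, e in enumerate(entries):
        if e.name.startswith("*.") or e.name in ("DEFAULT", "NULL"):
            continue
        if find_realm_entry(entries[:i], "user@" + e.name) is not None:
            out.append(e.name)
    return out

# Constructed sample in the recommended order: specific, wildcard, DEFAULT, NULL.
SAMPLE_ENTRIES = [
    RealmEntry("eastern.company.com", "SecurID"),
    RealmEntry("*.company.com", "File", aliases=("co",)),
    RealmEntry("DEFAULT", "Proxy"),  # "Proxy": constructed label for forwarding
    RealmEntry("NULL", "File"),
]
```

Running shadowed_entries on a table that places *.company.com before eastern.company.com reports the specific entry as unreachable, which is exactly the misordering the IMPORTANT note warns about.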