Generally, a realm is a group of users who share a common characteristic, such as being customers of the same Internet Service Provider (ISP). All users of a given realm are handled the same, either proxied to a remote server or locally authenticated using a specified method, according to the authentication type assigned to the realm. The Local Realms screen allows you to configure realms for the RADIUS server(s) by adding a new realm to, or modifying or deleting an existing realm in, the server's authfile.

Navigating the Local Realms Screen
- Selecting the New Local Realm link or the following icon will display a form of realm attributes to define a new entry.
- Selecting an existing realm or the following icon will display a form of the corresponding realm's attributes for modification.
- Selecting the following icon will display a confirmation screen before you delete the corresponding entry.
- Selecting the following icon will display the Users screen, which is used to define the users in the realm. This icon only appears for realms defined for the File Authentication type. The Users File screen is used for both the default users file and realm-specific users.
- Selecting the following icon will move the corresponding entry up one level.
- Selecting the following icon will move the corresponding entry down one level.
- Selecting the following icon will display a context sensitive HTML help screen.
IMPORTANT: The order of the entries is important, as the first entry that matches the request will be used to authenticate the user. The server will ignore the remaining entries; therefore, you should list the most specific entries first and the default entry should be last.
Creating or Modifying a Realm
When adding a new realm entry to the server configuration, or modifying an existing entry, you supply values for the realm attributes through a form's fields.

- Name: A realm name to be mapped. This name does not have to be a DNS host name, although it is highly recommended that the realm name match a domain name so the user recognizes the user@realm syntax that resembles their email address.
- Realm Type: Identifies whether the realm is an Authentication or Tunneling realm:
  - Authentication: select this option if the realm is not going to be used for tunneling.
  - PEAP Tunnel: select this option if the realm is the tunneling realm when using PEAP.
  - TTLS Tunnel: select this option if the realm is the tunneling realm for TTLS.
- User Profile Storage: Use this field to indicate where the AAA server should look to retrieve user profiles from:
  - Users File: Choose this option to store user information locally in AAA Server flat files. Choosing this option allows you to administer user information with Server Manager. (Note: Server Manager can administer user information stored locally in AAA server flat files only.)
  - LDAP, Oracle, OS Security Database, or SecurID / ACE server: refer to the individual chapters for each system in this guide.
  - No Store: EAP-TLS Certificates: TLS requires certificates. If you are using TLS, you are not required to store user information because the TLS certificates provide the user information needed for authentication. Choose the No Store: EAP-TLS Certificates option if you are using TLS and do not want to store user information.
  - No Store: Allow All Users: Choose this option to allow all requests from a realm.
  - No Store: Deny All Users: Choose this option to deny all requests from a realm.
- User Storage Parameters: Additional parameters for each of the User Profile Storage selections.
- Security Methods: This field indicates the authentication methods used to authenticate users from the realm. If you are using TTLS-PAP, TTLS-MSCHAP, or TTLS-CHAP, click the Password Authentication button. For all other methods, click the EAP Authentication button and choose at least one EAP method from the drop-down list.
- Alias: An optional, parenthesized list of one or more aliases, delimited by commas. Each realm alias is equivalent to the realm name. An alias may be provided for user convenience or other purposes, such as to save typing when logging on to your network. Aliases are allowed on wild card entries and are interpreted as meaning *.alias rather than alias.realm or just alias.
- Filter ID: Allows the optional specification of a packet filter name to be associated with authentication through this realm name. It will override any explicit filter name specified in a user profile.
- Session Tracking: Determines if session tracking is enabled for a realm. When session tracking is enabled, accounting records will be generated for a realm and active sessions can be searched using the Session option of the Maintenance menu.
When adding a new realm, you select the Create button to submit it to the AAA Server Manager program. When modifying an existing realm, you select the Modify button to submit the changes. In either case, if each required field contains a valid value, the profile will be created or modified; otherwise, an error message is displayed. You can always select the Cancel button and return to the Local Realms screen without making any changes to your server configuration.

Special Entries
There are a few special entries that might be used.

- Wildcard Entries: When specifying the primary realm for an entry, you can use a wild card syntax, *.realm. This syntax provides a shorthand for associating several related realms with a single authentication type. For example, a company may have several branches, eastern.company.com, western.company.com, and central.company.com. The wild card entry for that company would define *.company.com as the realm and would match all three of these realms. It is highly recommended that any such wild card entry be listed after more specific entries. This order allows the preceding, specific entries to override the wild card entry.
- DEFAULT Realm: The DEFAULT realm acts as a matching realm entry for all realms. By default, the DEFAULT realm is configured to authenticate against the default set of users. Disable the DEFAULT realm by choosing the No Store: Deny All Users option in the User Profile Storage drop-down list.
- NULL Realm: The NULL realm authenticates users that do not identify their realm when requesting access (for example, the AAA server receives an access request from user, instead of user@organization.com). By default, the NULL realm is disabled with the No Store: Deny All Users setting.
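The matching rules this guide describes (first matching entry wins, *.realm wildcards, aliases, the DEFAULT and NULL realms) worked through as an added Python example; this is not the server's own code and the authfile contents are constructed. It assumes that *.realm matches only realms below realm (not realm itself) and that DEFAULT does not catch requests carrying no realm, which the NULL entry handles.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Illustrative model of the authfile realm list described above (not the server's code).
@dataclass
class Realm:
    name: str                   # "company.com", "*.company.com", "DEFAULT" or "NULL"
    storage: str                # the User Profile Storage choice, kept as a label
    aliases: List[str] = field(default_factory=list)

def _matches(pattern: str, realm: str) -> bool:
    """Plain name must be equal; "*.realm" matches realms strictly below it (assumed)."""
    if pattern.startswith("*."):
        suffix = pattern[1:]    # "*.company.com" -> ".company.com"
        return realm.endswith(suffix) and len(realm) > len(suffix)
    return pattern == realm

def select_realm(entries: List[Realm], identity: str) -> Optional[Realm]:
    """First authfile entry that matches the request; later entries are ignored."""
    realm = identity.rsplit("@", 1)[1].lower() if "@" in identity else None
    for entry in entries:
        if entry.name == "DEFAULT":     # matches every named realm (assumed: not bare users)
            if realm is not None:
                return entry
        elif entry.name == "NULL":      # only requests that carry no realm at all
            if realm is None:
                return entry
        elif realm is not None:
            if _matches(entry.name.lower(), realm):
                return entry
            # An alias on a wildcard entry means *.alias; on a plain entry it is another name.
            wild = entry.name.startswith("*.")
            if any(_matches(("*." + a if wild else a).lower(), realm) for a in entry.aliases):
                return entry
    return None

def shadowed(entries: List[Realm]) -> List[str]:
    """Lint for the ordering rule: entries hidden by an earlier DEFAULT or covering wildcard."""
    hidden = []
    for i, e in enumerate(entries):
        for earlier in entries[:i]:
            if e.name != "NULL" and (earlier.name == "DEFAULT" or
                                     (earlier.name.startswith("*.") and _matches(earlier.name, e.name))):
                hidden.append(e.name)
                break
    return hidden

# Constructed sample authfile: specific entry, wildcard with an alias, NULL, then DEFAULT last.
AUTHFILE = [
    Realm("eastern.company.com", "LDAP"),
    Realm("*.company.com", "Users File", aliases=["corp.example"]),
    Realm("NULL", "No Store: Deny All Users"),
    Realm("DEFAULT", "Users File"),
]
```

Running shadowed() over a reversed copy of AUTHFILE reports both the wildcard and the specific entry as unreachable, which is the misordering the IMPORTANT note warns about.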
Deleting a Realm
The Local Realm Deletion screen allows you to preview an entry before you delete it. If the Delete button is selected, Server Manager will delete the entry corresponding to that realm. There will be no modification of the order of the remaining entries.