Category: System Operations

2008-12-06 01:56:28

Configuring LDAP Authentication for the Merit AAA Server


The SRC software assumes that all RADIUS authentications are performed against the SDX LDAP directory. This section also applies to Merit AAA server integration with a JUNOSe router when Merit AAA authenticates against an LDAP directory. The JUNOSe-specific attributes, such as primary Domain Name System (DNS) server and virtual router, must also be integrated into the directory; this section outlines how.

Configuring the Merit AAA Server

The Merit AAA server configuration for the ProLDAP AATV is done through the authfile file, which is stored in the configuration directory /opt/UMC/radius/etc. You must configure these tasks:

  • How the Merit AAA server performs authentication
  • Which external database is used for authentication, based on the realm name

Administrators must create a table in the authfile file for each realm name. Merit AAA supports up to four LDAP directories per realm, any of which can be used to authenticate that realm's users.

    realm PROLDAP description
    {
        Filter-Type bin | cis
        Directory directory-1
        {
            Host dir1.host.com
            Port port-number
            Administrator directory-manager-dn
            [Password directory-manager-password]
            SearchBase realm-search-base-in-directory
            Authenticate Auto | Bind | Search
        }
        ...
    }

where

  • realm—Identifies the realm name that is used during PPP login (username@realm). The special value NULL selects the table used for any incoming access request in which no realm name is submitted during the PPP login.
  • PROLDAP—Identifies that this table is valid for the ProLDAP AATV.
  • Filter-Type—Identifies how the user ID is treated. Valid values are bin (case sensitive) and cis (case insensitive).
  • Directory—Identifies the start of a directory section. Up to four directory sections are supported per realm. If the directory name contains spaces or tabs, it must be enclosed in double-quote or single-quote characters. Merit AAA selects among the directories listed for a realm in round-robin order.
  • Host—The value (fully qualified DNS name or IP address) identifies the LDAP directory.
  • Port—Identifies the port on which the LDAP server listens.
  • Administrator—DN of the user entry that Merit AAA uses to log in to the LDAP directory. The DN must be specified if Authenticate is set to Search.
  • SearchBase—DN that is the starting point of the LDAP search operation for that realm.
  • Authenticate—Identifies how Merit AAA authenticates incoming access requests. Valid values are:
      • Auto—AAA performs a search as the configured administrator (or anonymously if no administrator is configured), expecting the password to be in the result. If the password is not available, it binds as the user instead.
      • Bind—AAA tries to bind with the user ID and password submitted during the PPP login.
      • Search—AAA binds as the administrator and performs a search operation. LDAP returns the user password, which is compared with the password submitted during the PPP login.

    NOTE: The SRC software uses the Search option.


The following authfile example depicts the treatment of PPP logins without any realms and with the realm name isp1.com:

    # This is a realm entry for an LDAP server with PROLDAP and NO realm
    #
    NULL PROLDAP Default-Setting
    {
        Filter-Type BIN
        Directory SDX
        {
            Host 123.45.3.1
            Port 389
            Administrator "cn=radius,ou=components,o=operators,o=umc"
            Password "radius"
            SearchBase "retailerName=default, o=users, o=umc"
            Authenticate search
        }
    }

    # This is a realm entry for two LDAP servers with PROLDAP and realm isp1.com
    #
    virneo.com PROLDAP Virneo-Setting
    {
        Filter-Type BIN
        Directory virneo
        {
            Host 245.3.4.5
            Port 389
            Administrator "cn=radius,ou=components,o=operators,o=umc"
            Password "radius"
            SearchBase "retailerName=SP,o=users,o=umc"
            Authenticate search
        }
        Directory virneo-backup
        {
            Host 245.3.4.6
            Port 389
            Administrator "cn=radius,ou=components,o=operators,o=umc"
            Password "radius"
            SearchBase "retailerName=SP,o=users,o=umc"
            Authenticate search
        }
    }

After the installation of Merit AAA from the SRC software distribution, the NULL realm is enabled by default.
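To make the authfile rules above concrete, here is an added example (not part of the original documentation or the Merit AAA software) that parses a constructed realm/PROLDAP table into a Python structure and lints it for the two constraints a reviewer most often checks: the PROLDAP keyword with a valid Filter-Type, and an Administrator DN wherever Authenticate is search. The sample authfile, its hosts and DNs are constructed for the example.

```python
import shlex  # the authfile below is a constructed sample, not taken from a real deployment

AUTHFILE = """\
NULL PROLDAP Default-Setting
{
    Filter-Type BIN
    Directory SDX
    {
        Host 123.45.3.1
        Port 389
        Administrator "cn=radius,ou=components,o=operators,o=umc"
        Password "radius"
        SearchBase "retailerName=default, o=users, o=umc"
        Authenticate search
    }
    Directory "SDX backup"
    {
        Host 123.45.3.2
        SearchBase "retailerName=default, o=users, o=umc"
        Authenticate search
    }
}
"""

def parse_authfile(text):
    realms, stack = {}, []                     # open realm table, then open Directory section
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)  # shlex keeps quoted values (with spaces) whole
        if not tok or tok == ["{"]:
            continue
        if tok == ["}"]:
            stack.pop()
        elif not stack:                        # header line: realm PROLDAP description
            realms[tok[0]] = {"aatv": tok[1], "directories": []}
            stack.append(realms[tok[0]])
        elif tok[0] == "Directory":            # start of one of up to four directory sections
            stack[0]["directories"].append({"name": " ".join(tok[1:])})
            stack.append(stack[0]["directories"][-1])
        else:                                  # Host, Port, Administrator, ... inside a section
            stack[-1][tok[0]] = " ".join(tok[1:])
    return realms

def check_realm(table):
    problems = []                              # empty list means the table passed the lint
    if table["aatv"] != "PROLDAP" or table.get("Filter-Type", "").lower() not in ("bin", "cis"):
        problems.append("table must be PROLDAP with Filter-Type bin or cis")
    for d in table["directories"]:
        if d.get("Authenticate", "").lower() == "search" and "Administrator" not in d:
            problems.append(d["name"] + ": Administrator DN is required when Authenticate is search")
    return problems
```

Running check_realm on the parsed NULL table flags the "SDX backup" section, which uses search mode without an Administrator DN.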

Configuring RADIUS Profiles with the LDAP Directory

RADIUS servers search for objects of type umcRadiusPerson to authenticate incoming PPP sessions. If RADIUS and JUNOSe-specific attributes must be returned to the JUNOSe router during the authentication process, Merit AAA expects some special AAA attributes in the user entry:

  • aaaReply—A response sent back from the server (for example, a session time limit)
  • aaaCheck—An attribute that must be present in the user entry for the entry to evaluate as True
  • aaaDeny—An attribute that must NOT be present in the user entry for the entry to evaluate as True

These attributes are multivalued attributes containing the RADIUS attribute value pairs to be processed by the Merit AAA server.

The following depicts a umcRadiusPerson object that returns the RADIUS attribute values for Session-Timeout, Idle-Timeout, and Class, and the JUNOSe-specific attribute for the virtual router to be used on the JUNOSe router. This entry is shown in Lightweight Data Interchange Format (LDIF) notation:

    dn: serviceName=bras,uniqueID=jane,ou=local,retailerName=isp1,
     o=Users,o=umc
    objectClass: umcRadiusPerson
    objectClass: umcServiceProfile
    objectClass: top
    uid: jane
    userPassword: secret
    serviceName: bras1
    usedService: serviceName=bras,o=Services,o=umc
    aaaReply: Virtual-Router-Name=Default
    aaaReply: Class=1,uid,bras
    aaaReply: Idle-Timeout=2700
    aaaReply: Session-Timeout=10800
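The following added example (not part of the original documentation or the Merit AAA software) shows how the three attribute types interact in search mode: it unfolds a constructed LDIF entry modelled on the one above, compares the stored userPassword with the submitted one, and then applies aaaCheck and aaaDeny to the access request's attribute value pairs before returning the aaaReply pairs. The aaaCheck/aaaDeny lines and the request contents are constructed for the example.

```python
import hmac

# Constructed LDIF entry in the style of the umcRadiusPerson example above (not a real
# directory record); aaaCheck/aaaDeny lines are added to show how they gate the reply.
ENTRY = """\
dn: serviceName=bras,uniqueID=jane,ou=local,retailerName=isp1,
 o=Users,o=umc
objectClass: umcRadiusPerson
objectClass: umcServiceProfile
objectClass: top
uid: jane
userPassword: secret
usedService: serviceName=bras,o=Services,o=umc
aaaCheck: Service-Type=Framed-User
aaaDeny: Framed-Protocol=SLIP
aaaReply: Virtual-Router-Name=Default
aaaReply: Class=1,uid,bras
aaaReply: Idle-Timeout=2700
aaaReply: Session-Timeout=10800
"""
# Constructed attribute value pairs from an incoming access request.
REQUEST = ["User-Name=jane@isp1.com", "Service-Type=Framed-User", "Framed-Protocol=PPP"]

def parse_ldif(text):
    """Unfold LDIF continuation lines (leading space) into an {attribute: [values]} multimap."""
    attrs, lines = {}, []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]       # continuation of the previous attribute line
        elif line.strip():
            lines.append(line)
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def pairs(values):
    """Split 'Attr=Value' strings on the first '='; Class=1,uid,bras keeps its commas."""
    return [tuple(v.split("=", 1)) for v in values]

def password_matches(entry, submitted):
    """Search mode: compare the directory's userPassword with the PPP login password."""
    stored = entry.get("userPassword", [""])[0]
    return hmac.compare_digest(stored.encode(), submitted.encode())

def evaluate(entry, request):
    """Apply aaaCheck/aaaDeny to the request pairs; return the aaaReply pairs or None."""
    req = set(pairs(request))
    if not all(p in req for p in pairs(entry.get("aaaCheck", []))):
        return None                     # a required pair is missing: entry does not match
    if any(p in req for p in pairs(entry.get("aaaDeny", []))):
        return None                     # a forbidden pair is present: entry does not match
    return dict(pairs(entry.get("aaaReply", [])))
```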