Configuring LDAP Authentication
The SRC software assumes that all RADIUS authentications are performed against the SDX LDAP directory. The information in this section also applies to the Steel-Belted Radius/SPE server integration with a JUNOSe router, provided that the Steel-Belted Radius/SPE server uses an LDAP server as an external database for authentication.
The JUNOSe-specific attributes, such as the primary Domain Name System (DNS) server and the virtual router, must be integrated into this authentication. The Steel-Belted Radius/SPE server supports such an external authentication method through several configuration files.
These files tell the RADIUS server:
- How the RADIUS server communicates with an external database (LDAP)
- How the RADIUS server queries the external database for authentication
- How the RADIUS server formulates the response from the query result
You configure LDAP authentication by modifying properties in the ldapauth.aut file, which is located in the server directory (opt/UMC/SPE). If you do not specify options in this file, the SPE assumes the default values. You can also view a sample ldapauth.aut file in the SRC software distribution in the folder steel_belted_radius.
The sections of the LDAP authentication file are described below.
[Bootstrap] Section
The [Bootstrap] section specifies information that the Steel-Belted Radius/SPE server uses to load and start the LDAP authentication plug-in. You must set the library used, and you must enable LDAP authentication.
This section should look like the following:

[Bootstrap]
LibraryName=ldapauth.so
Enable=1
InitializationString=LDAP

[Settings] Section
The [Settings] section forms a basis for all Bind and Search requests against the LDAP server. The information presented here applies to all LDAP servers specified in this file.
Steel-Belted Radius/SPE supports two kinds of LDAP authentication:
- Bind—Steel-Belted Radius/SPE attempts to bind to the LDAP server, using the username and password from the incoming access request (one authentication is performed at one time).
- BindName—Steel-Belted Radius/SPE binds once with credentials to the LDAP server and performs a Search operation against the LDAP server to validate username and password from the incoming access request (multiple authentications are performed at the same time).
The SRC software supports the BindName option, which must be specified in the [Settings] section. The BindName option requires specifying credentials, which Steel-Belted Radius/SPE uses to bind against the LDAP directory. If you want to use the same credentials for each LDAP directory, specify BindName and BindPassword in the [Settings] section; otherwise, use the [Server/name] sections, as described below:
- LogLevel—Activates LDAP logging, written into the activity log file (<date>.log)
- PasswordFormat—Identifies whether the passwords that RADIUS handles are clear text, UNIX crypt hashes, or SHA1+Base64 hashes. The value auto instructs Steel-Belted Radius/SPE to parse each password value that it retrieves from the LDAP server and determine the format itself.
- PasswordCase—Tells SPE whether the password is converted to uppercase, converted to lowercase, or left unchanged. The default is Original.
- UpperCaseName—Identifies whether the username is converted to uppercase or not. The default is 0 (no conversion).
The Search option specifies a name that references the [Search/name] section in which the LDAP Search request is defined.
The section looks like the following:
[Settings]
MaxConcurrent=25
Timeout=20
ConnectTimeout=25
QueryTimeout=10
WaitReconnect=2
MaxWaitReconnect=360
LogLevel = 0
UpperCaseName = 0
PasswordCase=original
PasswordFormat=auto
Search = DoLdapSearch
SSL = 0

[Server] Section
The [Server] section lists the LDAP servers that may be used to perform authentication. Optionally, it also can be used to specify multiple LDAP servers for load balancing or backup. If more than one LDAP server is specified, Steel-Belted Radius/SPE always uses round-robin. The following depicts how to list one or more LDAP servers.
The list contains serverName = TargetNumber pairs, where serverName is the name used in the corresponding [Server/serverName] section, described in the next paragraph. TargetNumber is an activation target number that controls when the server is activated for backup. TargetNumber is optional and may be left blank. For example:

[Server]
s1=
s2=
s3=

[Server/serverName] Section
Each [Server/serverName] section contains information about a single LDAP server. You must provide a [Server/serverName] section for each server you list in the [Server] section. The value for Host identifies the IP address of the LDAP server, and the value for Port specifies the port used for LDAP communications. By default, an LDAP server listens on port 389. The credentials that Steel-Belted Radius/SPE uses to bind to the LDAP server are specified in BindName and BindPassword. The SSL value indicates whether the RADIUS-LDAP connection uses SSL. If BindName, BindPassword, or SSL is not specified for a server, Steel-Belted Radius/SPE takes that value from the [Settings] section.

[Server/s1]
Host=127.0.0.1
Port=389
BindName=cn=radius,ou=components,o=operators,o=umc
BindPassword=radius
SSL=0

[Server/s2]
Host=10.20.2.12
Port=389

[Server/s3]
Host=10.10.40.19
Port=389

[Search/name] Section
The referenced [Search/name] section includes the search filter, base object, scope, and attribute list that make up the LDAP Search operation. If you reference this section in the [Settings] section, the specified options apply to all LDAP directories. If you want separate Search options for each LDAP directory, reference a [Search/name] section from each [Server/name] section instead. In the following example, "DoLdapSearch" is used as the name.
Because the SRC software uses the BindName authentication method, you must ensure that the user's password is included in the attribute list, referenced by the attributes option. In the SRC software case, we would like to search only objects where the LDAP attribute uid matches the specified username, and we therefore set Filter=uid=<User-Name>. The location within the directory where the search is started is specified in the Base variable. The SRC software for residential users uses the base retailerName=default, o=Users, o=umc. The scope of the search is a subtree search (Scope=2). The variable %DN is used for holding the distinguished name of the LDAP search result. The attribute list is a reference to another section of the ldapauth.aut file.
[Search/DoLdapSearch]
Base=retailerName=default,o=users,o=umc
Scope=2
Filter=uid=<User-Name>
Attributes = AttrList
Timeout = 20
%DN = dn

For another authentication strategy, see Configuring Directed Authentication. That strategy is better suited to cases in which the service provider outsources services from retailer ISPs.
[Attribute/name] Section
The [Attribute/name] section lists the LDAP attributes that the LDAP search requests. If the entry that matches the search filter holds values for these attribute types, those values are part of the search result, and RADIUS uses them as check and reply values. Again, the user password attribute is mandatory with the BindName authentication method, which is the method used here. The [Attribute/name] section looks like the following:

[Attributes/AttrList]
userPassword
uid
alternateCliAuthLevel
alternateCliVrouterName
ascendFilterCmd
atmMBS
atmPCR
atmSCR
atmServiceCategory
cliAllowAllVRAccess
cliInitialAccessLevel
egressPolicyName
egressStatistics
framedIpRouteTag
igmpEnable
ingressPolicyName
ingressStatistics
ipv6LocalInterface
ipv6PrimaryDNS
ipv6SecondaryDNS
ipv6VirtualRouter
localAddressPool
localInterface
pppoeDescription
pppoeMaxSessions
pppoeUrl
qosProfileName
qosProfileInterfaceType
radiusChapPassword
radiusAcctInterimInterval
radiusCalledStationId
radiusCallingStationId
radiusConnectInfo
radiusFilterId
radiusFramedIPAddress
radiusFramedIPNetmask
radiusReplyMessage
radiusFramedProtocol
radiusFramedRoute
radiusFramedPool
radiusSessionTimeOut
radiusNASIdentifier
radiusNASIPAddress
radiusNASPort
radiusNASPortId
radiusNASPortType
radiusClass
radiusIdleTimeOut
radiusServiceType
redirectVRName
pppAuthenticateProtocol
pppPassword
pppUsername
primaryDNS
secondaryDNS
primaryWINS
saValidate
sdxServiceName
sessionVolumeQuota
secondaryWINS
serviceBundle
tunnelAssignmentID
tunnelClientEndPoint
tunnelClientAuthID
tunnelMaximumSessions
tunnelMediumType
tunnelNasPortMethod
tunnelPreference
tunnelTOS
tunnelType
tunnelServerEndPoint
tunnelServerAuthID
tunnelPassword
tunnelVirtualRouter
tunnelBearerType
tunnelDialoutNumber
tunnelInterfaceId
tunnelMaximumBps
tunnelMinimumBps
virtualRouterName

[Request] Section
In the [Request] section, the incoming RADIUS attributes (from the Access-Request) are identified and mapped to LDAP attributes. Steel-Belted Radius/SPE places these values in the variable table before moving on to the LDAP Bind and Search requests defined earlier.

[Request]
%UserName = User-Name
NAS-IP-Address = radiusNASIPAddress
NAS-Port = radiusNASPort
Service-Type = radiusServiceType

[Response] Section
The [Response] section tells Steel-Belted Radius/SPE what to do with the information that it has retrieved from the incoming access request and from the LDAP database. It completes the authentication and issues an access response to the RADIUS client.
[Response]
%Password = userpassword
Acct-Interim-Interval = radiusAcctInterimInterval
Address-Pool-Name = localAddressPool
Alt-CLI-Auth-Level = alternateCliAuthLevel
Alt-CLI-Virtual-Router = alternateCliVrouterName
Atm-MBS = atmMBS
Atm-PCR = atmPCR
Atm-SCR = atmSCR
Atm-Service-Category = atmServiceCategory
Class = radiusClass
CLI-Allow-All-VR-Access = cliAllowAllVRAccess
CLI-Initial-Auth-Level = cliInitialAccessLevel
Egress-Policy-Name = egressPolicyName
Egress-Statistics = egressStatistics
Filter-Id = radiusFilterId
Framed-IP-Address = radiusFramedIPAddress
Framed-IP-Netmask = radiusFramedIPNetMask
Framed-Ip-Route-Tag = framedIpRouteTag
Framed-Pool = radiusFramedPool
Framed-Route = radiusFramedRoute
Idle-Timeout = radiusIdleTimeOut
Igmp-Enable = igmpEnable
Ingress-Policy-Name = ingressPolicyName
Ingress-Statistics = ingressStatistics
Ipv6-Virtual-Router = ipv6VirtualRouter
Ipv6-Local-Interface = ipv6LocalInterface
Ipv6-Primary-DNS = ipv6PrimaryDNS
Ipv6-Secondary-DNS = ipv6SecondaryDNS
Local-Loopback = localInterface
Ppp-Authenticate-Protocol = pppAuthenticateProtocol
Ppp-Password = pppPassword
Ppp-Username = pppUsername
Pppoe-Max-Sessions = pppoeMaxSessions
Pppoe-Url = pppoeUrl
Primary-DNS = primaryDNS
Primary-WINS = primaryWINS
Qos-Profile-Interface-Type = qosProfileInterfaceType
Qos-Profile-Name = qosProfileName
Redirect-VR-Name = redirectVRName
Sa-Validate = saValidate
Sdx-Service-Name = sdxServiceName
Sdx-Session-Volume-Quota = sessionVolumeQuota
Secondary-DNS = secondaryDNS
Secondary-WINS = secondaryWINS
Service-Type = radiusServiceType
Service-Bundle = serviceBundle
Session-Timeout = radiusSessionTimeOut
Tunnel-Bearer-Type = tunnelBearerType
Tunnel-Dialout-Number = tunnelDialoutNumber
Tunnel-Interface-Id = tunnelInterfaceId
Tunnel-Maximum-Bps = tunnelMaximumBps
Tunnel-Minimum-Bps = tunnelMinimumBps
Tunnel-Assignment-ID = tunnelAssignmentID
Tunnel-Type = tunnelType
Tunnel-Maximum-Sessions = tunnelMaximumSessions
Tunnel-Medium-Type = tunnelMediumType
Tunnel-Nas-Port-Method = tunnelNasPortMethod
Tunnel-Server-Endpoint = tunnelServerEndPoint
Tunnel-Password = tunnelPassword
Tunnel-Preference = tunnelPreference
Tunnel-Tos = tunnelTOS
Tunnel-Virtual-Router = tunnelVirtualRouter
Virtual-Router-Name = virtualRouterName
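The sections above form one file whose parts must agree with each other: every server listed in [Server] needs its own [Server/name] section, bind credentials and SSL must resolve either there or from [Settings], the Search option must name an existing [Search/name] section whose attribute list includes userPassword (mandatory with BindName), and every LDAP attribute used in [Response] must actually be requested by that list. The following Python script is an added example, not Juniper or Steel-Belted Radius code: it parses a small ldapauth.aut constructed from the snippets on this page and reports the inconsistencies that would otherwise surface only as failed authentications. The parser treats the layout as [Section] headers, key=value lines split on the first "=", and bare lines (the attribute list) as keys without values; the sample deliberately omits bind credentials from [Server/s2] and maps Primary-DNS to an attribute the search does not fetch. The SSL=0 finding is the reviewer's warning, not something the plug-in reports.

```python
# Added example: consistency checks for a Steel-Belted Radius/SPE
# ldapauth.aut file.  SAMPLE_AUT is constructed from the page's snippets;
# it is not a shipped sample file.
SAMPLE_AUT = """\
[Bootstrap]
LibraryName=ldapauth.so
Enable=1
InitializationString=LDAP

[Settings]
Search = DoLdapSearch
SSL = 0

[Server]
s1=
s2=

[Server/s1]
Host=127.0.0.1
Port=389
BindName=cn=radius,ou=components,o=operators,o=umc
BindPassword=radius
SSL=0

[Server/s2]
Host=10.20.2.12
Port=389

[Search/DoLdapSearch]
Base=retailerName=default,o=users,o=umc
Scope=2
Filter=uid=<User-Name>
Attributes = AttrList

[Attributes/AttrList]
userPassword
uid
radiusFramedIPAddress
virtualRouterName

[Response]
%Password = userpassword
Framed-IP-Address = radiusFramedIPAddress
Virtual-Router-Name = virtualRouterName
Primary-DNS = primaryDNS
"""


def parse_aut(text):
    """[Section] headers; key=value split on the first '=' only, so DNs and
    'uid=<User-Name>' survive intact; bare lines become keys with None."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"line outside any section: {line!r}")
        key, sep, value = line.partition('=')
        sections[current][key.strip()] = value.strip() if sep else None
    return sections


def check_aut(sections):
    """Return findings as strings; an empty list means the file is consistent."""
    findings = []
    settings = sections.get('Settings', {})
    if sections.get('Bootstrap', {}).get('Enable') != '1':
        findings.append("Bootstrap: Enable must be 1 for the plug-in to load")
    search = sections.get(f"Search/{settings.get('Search')}")
    if search is None:
        findings.append("Settings: Search must name an existing [Search/name] section")
    for name in sections.get('Server', {}):
        srv = sections.get(f'Server/{name}')
        if srv is None:
            findings.append(f"Server: [Server/{name}] section is missing")
            continue
        for key in ('BindName', 'BindPassword'):  # per-server value, else [Settings]
            if not (srv.get(key) or settings.get(key)):
                findings.append(f"Server/{name}: {key} set neither here nor in [Settings]")
        if (srv.get('SSL') or settings.get('SSL', '0')) == '0':
            findings.append(f"Server/{name}: SSL=0, bind credentials and retrieved "
                            "password values cross the network unencrypted")
    fetched = set()
    if search is not None:
        if '<User-Name>' not in (search.get('Filter') or ''):
            findings.append("Search: Filter does not match on <User-Name>")
        attr_list = sections.get(f"Attributes/{search.get('Attributes')}", {})
        fetched = {a.lower() for a in attr_list}  # LDAP attribute names are case-insensitive
        if 'userpassword' not in fetched:
            findings.append("Attributes: userPassword is mandatory with BindName authentication")
    for radius_attr, ldap_attr in sections.get('Response', {}).items():
        if ldap_attr and ldap_attr.lower() not in fetched:
            findings.append(f"Response: {radius_attr} maps to {ldap_attr}, "
                            "which the search does not request")
    return findings


if __name__ == '__main__':
    for finding in check_aut(parse_aut(SAMPLE_AUT)):
        print(finding)
```

Run against a real file, `check_aut(parse_aut(open('/opt/UMC/SPE/ldapauth.aut').read()))` gives the same report; the case-insensitive comparison matters because the page itself writes the attribute as userPassword in the list and userpassword in [Response], which LDAP treats as the same attribute.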