Configuring LDAP Authentication for the RAD-Series RADIUS Server
The SRC software assumes that all RADIUS authentications are performed against the SDX LDAP directory. This section also applies to RAD-Series Server integration with a JUNOSe router if RAD-Series RADIUS Server authenticates against an LDAP directory.
Configuring the RAD-Series Server Manager
The RAD-Series Server Manager configuration for the ProLDAP AATV is stored in the authfile file in the configuration directory /opt/aaa/etc. You can configure it either by editing authfile manually or through the Administration panes of the RAD-Series Server Manager. The configuration defines:
- How RAD-Series RADIUS Server authenticates
- Which external database is used for authentication, based on the realm name
Administrators must create a table in the authfile file for each realm name, using the following syntax:

```
realm PROLDAP description
{
    Filter-Type bin | cis
    Directory directory-1
    {
        Host dir1.host.com
        Port port-number
        Administrator directory-manager-dn
        [Password directory-manager-password]
        SearchBase realm-search-base-in-directory
        Authenticate Auto | Bind | Search
    }
    ...
}
```
- realm—Identifies the realm name, which is the part after @ in the PPP login username (username@realm). The special value NULL specifies the treatment of any incoming access request in which no realm name is submitted during the PPP login.
- PROLDAP—Identifies that this table is valid for the ProLDAP AATV.
- Filter-Type—Specifies whether the user ID is matched case-sensitively (bin) or case-insensitively (cis).
- Directory—Identifies the start of a directory section. Up to four directory sections are supported per realm. If the directory name contains spaces or tabs, it must be enclosed in double or single quotes. RAD-Series RADIUS Server selects among the configured directories in round-robin order.
- Host—Fully qualified DNS name or IP address of the LDAP directory server.
- Port—Identifies the port the LDAP server listens on.
- Administrator—DN of the user entry that RAD-Series RADIUS Server uses to log in to the LDAP directory. This must be specified if Authenticate is set to Search.
- SearchBase—DN at which the LDAP search operation for that realm starts.
- Authenticate—Identifies how RAD-Series RADIUS Server authenticates incoming access requests. Valid values are:
- Auto—RAD-Series RADIUS Server searches as the configured administrator (or anonymously if no administrator is configured), expecting the user password to be returned in the result. If the password is not returned, it binds as the user instead.
- Bind—RAD-Series RADIUS Server tries to bind with the user ID and password specified during the PPP login.
- Search—RAD-Series RADIUS Server binds (as the configured Administrator) and performs a search operation. The directory returns the user password, which is compared with the password submitted during the PPP login.
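As an added example (not code from the SRC or RAD-Series documentation), the following Python parses a realm table in the syntax above and flags any Directory section that uses Authenticate Search without the Administrator DN the text requires. The authfile fragment, host names and DNs are constructed placeholders.

```python
import re
# Constructed authfile fragment in the realm syntax described above (not the page's own example);
# host names and DNs are placeholders. The backup directory deliberately omits Administrator.
SAMPLE_AUTHFILE = """\
isp1.com PROLDAP ISP1-Setting {
    Filter-Type BIN
    Directory primary {
        Host ldap1.example.test
        Port 389
        Administrator "cn=umcadmin, o=umc"
        SearchBase "retailerName=isp1, o=users, o=umc"
        Authenticate search
    }
    Directory backup {
        Host ldap2.example.test
        Port 389
        SearchBase "retailerName=isp1, o=users, o=umc"
        Authenticate search
    }
}
"""
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{}]|[^\s{}"\']+')  # quoted string, brace or bare word

def parse_authfile(text):
    """Parse 'realm AATV description { Filter-Type x Directory name { key value ... } ... }' blocks."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    toks = [t.strip("\"'") for t in TOKEN_RE.findall(body)]   # drop the quotes around values
    realms, i = {}, 0
    while i < len(toks):
        realm, aatv, desc = toks[i:i + 3]
        entry = realms[realm] = {"aatv": aatv, "description": desc, "directories": []}
        i += 4                                        # skip the realm's opening brace
        while toks[i] != "}":
            if toks[i] == "Filter-Type":
                entry["filter_type"], i = toks[i + 1].lower(), i + 2
            elif toks[i] == "Directory":              # Directory name { key value ... }
                d, i = {"name": toks[i + 1]}, i + 3
                while toks[i] != "}":
                    d[toks[i]], i = toks[i + 1], i + 2   # key is read before i advances
                entry["directories"].append(d)
                i += 1
            else:
                raise ValueError("unexpected %r in realm %s" % (toks[i], realm))
        i += 1                                        # skip the realm's closing brace
    return realms

def check_realm(entry):
    """Flag directories that use Authenticate Search without the Administrator DN the text requires."""
    return [d["name"] + ": Authenticate Search requires Administrator" for d in entry["directories"]
            if d.get("Authenticate", "").lower() == "search" and "Administrator" not in d]
```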
The following authfile example depicts the treatment of PPP logins without any realms and with the realm name isp1.com.
```
# This is a realm entry for an LDAP Server with PROLDAP with NO Realm
#
NULL PROLDAP Default-Setting
{
    Filter-Type BIN
    Directory SSC
    {
        Host 123.45.3.1
        Port 389
        Administrator "cn=umcadmin, o=umc"
        Password "umc"
        SearchBase "retailerName=default, o=users, o=umc"
        Authenticate search
    }
}
# This is a realm entry for two LDAP Server with PROLDAP with Realm isp1.com
#
virneo.com PROLDAP Virneo-Setting
{
    Filter-Type BIN
    Directory virneo
    {
        Host 245.3.4.5
        Port 389
        Administrator "cn=umcadmin, o=umc"
        Password "umc"
        SearchBase "retailerName=SP, o=users, o=umc"
        Authenticate search
    }
    Directory virneo-backup
    {
        Host 245.3.4.6
        Port 389
        Administrator "cn=umcadmin, o=umc"
        Password "umc"
        SearchBase "retailerName=SP, o=users, o=umc"
        Authenticate search
    }
}
```

Configuring Realm Administration
The RAD-Series Server Manager allows you to perform realm administration.
To configure realm administration:
- From the RAD-Series Server Manager navigation pane, click Edit Configuration and Local Realms.
- Click the New Local Realm link.
The Local Realms: Modify Local Realm pane appears.
Configuring LDAP Settings
To configure the LDAP settings:
The LDAP Directory window appears.
Configuring RADIUS Profiles with the LDAP Directory
RADIUS servers search for objects of type umcRadiusPerson to authenticate incoming PPP sessions. If RADIUS and JUNOSe-specific attributes must be returned to the JUNOSe router during authentication, RAD-Series RADIUS Server expects the following special AAA attributes in the user entry:
- aaaReply—A response sent back from the server (for example, a session time limit)
- aaaCheck—An attribute that must be present in the user entry for the entry to evaluate as True
- aaaDeny—An attribute that must NOT be present in the user entry for the entry to evaluate as True
These attributes are multivalued attributes containing the RADIUS attribute value pairs to be processed by RAD-Series RADIUS Server.
The following example depicts a umcRadiusPerson object, which returns the RADIUS attribute values for Session-Timeout, Idle-Timeout, and Class, and the JUNOSe-specific attribute for the virtual router to be used on the JUNOSe router. This entry is shown in LDIF notation:
```ldif
dn: serviceName=bras,uniqueID=jane,ou=local,retailerName=isp1,o=Users, o=umc
objectClass: umcRadiusPerson
objectClass: umcServiceProfile
objectClass: top
uid: jane
userPassword: secret
serviceName: bras1
usedService: serviceName=bras,o=Services,o=umc
aaaReply: Virtual-Router-Name=Default
aaaReply: Class=1,uid,bras
aaaReply: Idle-Timeout=2700
aaaReply: Session-Timeout=10800
```
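As an added example (not code from the SRC or RAD-Series documentation), the following Python parses a umcRadiusPerson entry in LDIF, evaluates its aaaCheck and aaaDeny pairs, and performs the Search-mode password comparison described earlier before returning the aaaReply pairs. It assumes the check and deny pairs are matched against the attribute-value pairs of the incoming access request; the LDIF entry, DN, password and check items are constructed placeholders.

```python
import hmac
# Constructed LDIF entry in the umcRadiusPerson layout described above (not the page's example);
# the password, the aaaCheck and aaaDeny pairs and the DN are placeholders.
SAMPLE_LDIF = """\
dn: serviceName=bras,uniqueID=alice,ou=local,retailerName=isp1,o=Users,o=umc
objectClass: umcRadiusPerson
objectClass: top
uid: alice
userPassword: placeholder-secret
aaaCheck: NAS-Port-Type=Virtual
aaaDeny: Framed-Protocol=SLIP
aaaReply: Virtual-Router-Name=Default
aaaReply: Class=1,uid,bras
aaaReply: Idle-Timeout=2700
aaaReply: Session-Timeout=10800
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}; folded lines (leading space) are joined."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:           # LDIF folds long values onto indented lines
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    entry = {}
    for attr, _, value in (line.partition(":") for line in lines):
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def split_pair(avp):
    """'Attr=Value' -> ('Attr', 'Value'); only the first '=' splits, so 'Class=1,uid,bras' survives."""
    attr, _, value = avp.partition("=")
    return attr.strip(), value.strip()

def entry_is_true(entry, request_avps):
    """Assumed semantics: every aaaCheck pair must be in the request and no aaaDeny pair may be."""
    present = {split_pair(p) for p in request_avps}
    checks = {split_pair(p) for p in entry.get("aaaCheck", [])}
    denies = {split_pair(p) for p in entry.get("aaaDeny", [])}
    return checks <= present and not (denies & present)

def authenticate_search(entry, submitted_password, request_avps):
    """Search mode: the directory password must equal the submitted one, then the check items apply.
    Returns the aaaReply pairs to send back on success, None on rejection."""
    stored = entry.get("userPassword", [""])[0]
    if not hmac.compare_digest(stored.encode(), submitted_password.encode()):
        return None
    if not entry_is_true(entry, request_avps):
        return None
    return [split_pair(p) for p in entry.get("aaaReply", [])]
```

Search mode only works if the directory returns userPassword to the Administrator account in a form that can be compared with the submitted password; Bind mode never reads the stored password at all.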