[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]


Configuring LDAP Authentication

The SRC software assumes that all RADIUS authentications are performed against the SDX LDAP directory. The information in this section also applies to the Steel-Belted Radius/SPE server integration with a JUNOSe router, provided that the Steel-Belted Radius/SPE server uses an LDAP server as an external database for authentication.

The JUNOSe-specific attributes, such as the primary Domain Name System (DNS) server and the virtual router, must be integrated into this authentication. The Steel-Belted Radius/SPE server supports external LDAP authentication by using several configuration files.

These files tell the RADIUS server:

You configure LDAP authentication by modifying properties in the ldapauth.aut file, which is located in the server directory (opt/UMC/SPE). If you do not specify options in this file, the SPE assumes the default values. You can also view a sample ldapauth.aut file in the SRC software distribution in the folder steel_belted_radius.

The sections of the LDAP authentication file are described below.

[Bootstrap] Section

The [Bootstrap] section specifies information that the Steel-Belted Radius/SPE server uses to load and start the LDAP authentication plug-in. You must set the library used, and you must enable LDAP authentication.

This section should look like:

[Bootstrap]
LibraryName=ldapauth.so
Enable=1
InitializationString=LDAP

[Settings] Section

The [Settings] section forms a basis for all Bind and Search requests against the LDAP server. The information presented here applies to all LDAP servers specified in this file.

Steel-Belted Radius/SPE supports two kinds of LDAP authentication:

The SRC software uses the BindName option, which must be specified in the [Settings] section. With BindName, Steel-Belted Radius/SPE binds to the LDAP directory with a fixed set of credentials (BindName and BindPassword) and then searches for the user's entry. If the same credentials apply to every LDAP directory, specify BindName and BindPassword in the [Settings] section; otherwise, specify them in the [Server/serverName] sections described below.

The Search option specifies a name that references the [Search/name] section in which the LDAP Search request is defined.

The section looks like the following:

[Settings]
MaxConcurrent=25
Timeout=20
ConnectTimeout=25
QueryTimeout=10
WaitReconnect=2
MaxWaitReconnect=360
LogLevel = 0
UpperCaseName = 0
PasswordCase=original
PasswordFormat=auto
Search = DoLdapSearch
SSL = 0

[Server] Section

The [Server] section lists the LDAP servers that may be used to perform authentication. It can also list several LDAP servers for load balancing or backup; if more than one server is listed, Steel-Belted Radius/SPE always distributes requests round-robin among them. The following shows how to list one or more LDAP servers.

The list consists of serverName = TargetNumber pairs. serverName is the name used in the corresponding [Server/serverName] section, described in the next section. TargetNumber is an activation target number that controls when the server is activated for backup; it is optional and may be left blank. For example:

[Server]
s1=
s2=
s3=

[Server/serverName] Section

Each [Server/serverName] section describes a single LDAP server; you must provide one for each server listed in the [Server] section. Host is the IP address of the LDAP server, and Port is the port used for LDAP communications (an LDAP server listens on port 389 by default). BindName and BindPassword are the credentials that Steel-Belted Radius/SPE uses to bind to that server, and SSL indicates whether the RADIUS-LDAP connection is protected with SSL. If any of these last three parameters is omitted, Steel-Belted Radius/SPE takes its value from the [Settings] section. Note that BindPassword is stored in cleartext in ldapauth.aut, so restrict read access to the file and replace the sample password shown below with a strong one. With SSL=0, the bind credentials and every userPassword value that the search returns travel over the network in cleartext, so use SSL=1 unless the path to the LDAP server is trusted.

[Server/s1]
Host=127.0.0.1
Port=389
BindName=cn=radius,ou=components,o=operators,o=umc
BindPassword=radius
SSL=0

[Server/s2]
Host=10.20.2.12
Port=389

[Server/s3]
Host=10.10.40.19
Port=389

[Search/name] Section

The referenced [Search/name] section contains the search filter, base object, scope, and attribute list used in the LDAP Search operation. If you reference this section from the [Settings] section, its options apply to all LDAP directories; to use separate Search options for each directory, reference a [Search/name] section from each [Server/serverName] section instead. In the following example, "DoLdapSearch" is used as the name.

NOTE: This name is referenced in the [Settings] section.


Because the SRC software uses the BindName authentication method, the user's password must be included in the attribute list that the Attributes option references. For the SRC software we want to match only the entry whose LDAP attribute uid equals the supplied user name, so we set Filter=uid=<User-Name>. Base specifies where in the directory the search starts; for residential users the SRC software uses the base retailerName=default,o=users,o=umc. Scope=2 selects a subtree search. The variable %DN receives the distinguished name of the entry that the search returns, and the Attributes option refers to an [Attributes/name] section elsewhere in the ldapauth.aut file.

[Search/DoLdapSearch]
Base=retailerName=default,o=users,o=umc
Scope=2
Filter=uid=<User-Name>
Attributes = AttrList
Timeout = 20
%DN = dn
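The Filter line substitutes the RADIUS User-Name directly into the LDAP search filter. The page does not say how the ldapauth plug-in treats filter metacharacters in that value, so the following added example (not code from SRC or Steel-Belted Radius) shows what to verify with a test account: a user name containing "*" or parentheses must be escaped per RFC 4515 before substitution, or the filter no longer matches a single uid. The directory entries and the tiny single-clause filter matcher are constructed for this example; a real LDAP server would parse the injected compound filter that the matcher rejects.

```python
import re

FILTER_TEMPLATE = "uid=<User-Name>"        # the Filter line of [Search/DoLdapSearch] above

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, user_name, escape=True):
    """Substitute the RADIUS User-Name into the Filter template.
    escape=False reproduces a raw substitution, shown here only to make the
    difference visible."""
    value = escape_filter_value(user_name) if escape else user_name
    return template.replace("<User-Name>", value)


# Constructed entries standing in for the subtree under retailerName=default,o=users,o=umc.
DIRECTORY = [{"uid": "alice"}, {"uid": "bob"}, {"uid": "carol"}]


def filter_to_regex(flt):
    """Compile a single attr=value filter (the only shape this page uses) into (attr, regex).
    An unescaped '*' is a wildcard, \\XX decodes to a literal character, and any other
    filter syntax in the value is rejected rather than emulated."""
    attr, sep, value = flt.partition("=")
    if not sep or not attr:
        raise ValueError("unsupported filter: %r" % flt)
    parts, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", value[i + 1:i + 3]):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))   # escaped literal
            i += 3
        elif ch == "*":
            parts.append(".*")                                          # wildcard
            i += 1
        elif ch in "()":
            raise ValueError("compound filter syntax injected into the value: %r" % flt)
        else:
            parts.append(re.escape(ch))
            i += 1
    return attr.lower(), re.compile("^" + "".join(parts) + "$", re.DOTALL)


def matching_uids(flt, entries=DIRECTORY):
    """uids of the constructed entries that the single-clause filter selects."""
    attr, rx = filter_to_regex(flt)
    return [e["uid"] for e in entries if attr in e and rx.match(e[attr])]


if __name__ == "__main__":
    for name in ("alice", "*", "x)(|(uid=*)"):
        print(repr(name), "->", build_filter(FILTER_TEMPLATE, name))
```

With escaping, the user name "*" becomes the filter uid=\2a and matches no entry; substituted raw it becomes uid=* and matches every uid in the base. If a test account with such a name is accepted against an entry it does not own, the RADIUS server is not escaping User-Name and must be front-ended accordingly.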

For another authentication strategy, see Configuring Directed Authentication. This strategy is more suited for cases in which the service provider outsources services from retailer ISPs.

[Attributes/name] Section

The [Attributes/name] section lists the LDAP attributes that the LDAP search requests. If the entry that matches the search filter carries values for these attribute types, the values are returned in the search result, and the RADIUS server uses them as check and reply values. Again, the user password attribute is mandatory with the BindName authentication method used here. The section looks like the following:

[Attributes/AttrList]
userPassword
uid
alternateCliAuthLevel
alternateCliVrouterName
ascendFilterCmd
atmMBS
atmPCR
atmSCR
atmServiceCategory
cliAllowAllVRAccess
cliInitialAccessLevel
egressPolicyName
egressStatistics
framedIpRouteTag
igmpEnable
ingressPolicyName
ingressStatistics
ipv6LocalInterface
ipv6PrimaryDNS
ipv6SecondaryDNS
ipv6VirtualRouter
localAddressPool
localInterface
pppoeDescription
pppoeMaxSessions
pppoeUrl
qosProfileName
qosProfileInterfaceType
radiusChapPassword
radiusAcctInterimInterval
radiusCalledStationId
radiusCallingStationId
radiusConnectInfo
radiusFilterId
radiusFramedIPAddress
radiusFramedIPNetmask
radiusReplyMessage
radiusFramedProtocol
radiusFramedRoute
radiusFramedPool
radiusSessionTimeOut
radiusNASIdentifier
radiusNASIPAddress
radiusNASPort
radiusNASPortId
radiusNASPortType
radiusClass
radiusIdleTimeOut
radiusServiceType
redirectVRName
pppAuthenticateProtocol
pppPassword
pppUsername
primaryDNS
secondaryDNS
primaryWINS
saValidate
sdxServiceName
sessionVolumeQuota
secondaryWINS
serviceBundle
tunnelAssignmentID
tunnelClientEndPoint
tunnelClientAuthID
tunnelMaximumSessions
tunnelMediumType
tunnelNasPortMethod
tunnelPreference
tunnelTOS
tunnelType
tunnelServerEndPoint
tunnelServerAuthID
tunnelPassword
tunnelVirtualRouter
tunnelBearerType
tunnelDialoutNumber
tunnelInterfaceId
tunnelMaximumBps
tunnelMinimumBps
virtualRouterName
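The [Server], [Server/serverName], [Search/name] and [Attributes/name] sections above refer to one another by name and fall back to [Settings] for BindName, BindPassword, SSL and Search, so a broken reference or a server that silently inherits SSL=0 is easy to miss. The following added example (not part of the SRC or Steel-Belted Radius distribution) parses an ldapauth.aut-style file offline, resolves the effective settings per server, and reports the checks a reviewer would make: every listed server has a section, BindName is resolvable, SSL is on, the sample password has been replaced, the Search section exists, and its attribute list includes userPassword. The embedded sample is constructed from the fragments on this page; the check rules are this example's own.

```python
# Constructed from the page's fragments: [Settings] has no BindName, s2 and s3 have none either.
SAMPLE_AUT = """\
[Bootstrap]
LibraryName=ldapauth.so
Enable=1
InitializationString=LDAP

[Settings]
MaxConcurrent=25
Search = DoLdapSearch
SSL = 0

[Server]
s1=
s2=
s3=

[Server/s1]
Host=127.0.0.1
Port=389
BindName=cn=radius,ou=components,o=operators,o=umc
BindPassword=radius
SSL=0

[Server/s2]
Host=10.20.2.12
Port=389

[Server/s3]
Host=10.10.40.19
Port=389

[Search/DoLdapSearch]
Base=retailerName=default,o=users,o=umc
Scope=2
Filter=uid=<User-Name>
Attributes = AttrList
%DN = dn

[Attributes/AttrList]
userPassword
uid
primaryDNS
"""

# Options a [Server/name] section takes from [Settings] when it does not set them itself.
INHERITED = ("bindname", "bindpassword", "ssl", "search")


def parse_aut(text):
    """Return {section (lowercase): {key (lowercase): value or None}}.
    A bare line (an attribute name in [Attributes/...]) is stored with value None;
    only the first '=' splits, so Filter=uid=<User-Name> keeps its value intact."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        key, sep, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip() if sep else None
    return sections


def effective_server(cfg, name):
    """The [Server/name] section with [Settings] fallback applied, as the page describes."""
    own = cfg.get("server/" + name.lower())
    if own is None:
        raise KeyError("[Server] lists %s but there is no [Server/%s] section" % (name, name))
    eff = dict(own)
    settings = cfg.get("settings", {})
    for key in INHERITED:
        if not eff.get(key) and settings.get(key):
            eff[key] = settings[key]
    eff.setdefault("port", "389")
    return eff


def check_search(cfg, search_name):
    search = cfg.get("search/" + search_name.lower())
    if search is None:
        return [("error", "Search=%s references a missing [Search/%s] section" % (search_name, search_name))]
    findings = [("error", "[Search/%s] has no %s" % (search_name, key.capitalize()))
                for key in ("base", "filter", "attributes") if not search.get(key)]
    if "<user-name>" not in (search.get("filter") or "").lower():
        findings.append(("warn", "[Search/%s] Filter does not substitute <User-Name>" % search_name))
    attr_name = search.get("attributes")
    if attr_name:
        attrs = cfg.get("attributes/" + attr_name.lower())
        if attrs is None:
            findings.append(("error", "Attributes=%s references a missing [Attributes/%s] section" % (attr_name, attr_name)))
        elif "userpassword" not in attrs:
            findings.append(("error", "[Attributes/%s] does not request userPassword, which the BindName method needs" % attr_name))
    return findings


def check_config(cfg):
    """Return (severity, message) findings; an empty list means the file passed every check."""
    findings, searches = [], []
    if cfg.get("bootstrap", {}).get("enable") != "1":
        findings.append(("error", "[Bootstrap] Enable is not 1, so the plug-in is not loaded"))
    names = list(cfg.get("server", {}))
    if not names:
        findings.append(("error", "[Server] lists no LDAP servers"))
    for name in names:
        try:
            eff = effective_server(cfg, name)
        except KeyError as exc:
            findings.append(("error", exc.args[0]))
            continue
        tag = "[Server/%s]" % name
        if not eff.get("host"):
            findings.append(("error", tag + " has no Host"))
        if not eff.get("bindname"):
            findings.append(("error", tag + " has no BindName, neither here nor in [Settings]"))
        if eff.get("ssl") != "1":
            findings.append(("warn", tag + " SSL is not 1: bind credentials and returned userPassword values cross the network in cleartext"))
        if eff.get("bindpassword") == "radius":
            findings.append(("warn", tag + " BindPassword is still the sample value"))
        if eff.get("search"):
            searches.append(eff["search"])
        else:
            findings.append(("error", tag + " has no Search, neither here nor in [Settings]"))
    for search_name in sorted(set(s.lower() for s in searches)):
        findings.extend(check_search(cfg, search_name))
    return findings


if __name__ == "__main__":
    for severity, message in check_config(parse_aut(SAMPLE_AUT)):
        print("%-5s %s" % (severity, message))
```

Run against the page's own fragments, the checker reports that s2 and s3 cannot bind (no BindName in their sections or in [Settings]), that all three servers run with SSL off, and that s1 still carries the sample password. Adding BindName and BindPassword under [Settings] and setting SSL=1 in both places clears everything but the sample-password warning.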

[Request] Section

In the [Request] section, the incoming RADIUS attributes (from Access-Request) must be determined and mapped to LDAP attributes. Steel-Belted Radius/SPE places these values in the variable table before moving on to the LDAP Bind and Search requests as defined earlier.

[Request]
%UserName = User-Name
NAS-IP-Address = radiusNASIPAddress
NAS-Port = radiusNASPort
Service-Type = radiusServiceType

[Response] Section

The [Response] section tells Steel-Belted Radius/SPE what to do with the information that it has retrieved from the incoming access request and from the LDAP database. It completes the authentication and issues an access response to the RADIUS client.

[Response]
%Password = userpassword
Acct-Interim-Interval = radiusAcctInterimInterval
Address-Pool-Name = localAddressPool
Alt-CLI-Auth-Level = alternateCliAuthLevel
Alt-CLI-Virtual-Router = alternateCliVrouterName
Atm-MBS = atmMBS
Atm-PCR = atmPCR
Atm-SCR = atmSCR
Atm-Service-Category = atmServiceCategory
Class = radiusClass
CLI-Allow-All-VR-Access = cliAllowAllVRAccess
CLI-Initial-Auth-Level = cliInitialAccessLevel
Egress-Policy-Name = egressPolicyName
Egress-Statistics = egressStatistics
Filter-Id = radiusFilterId
Framed-IP-Address = radiusFramedIPAddress
Framed-IP-Netmask = radiusFramedIPNetMask
Framed-Ip-Route-Tag = framedIpRouteTag
Framed-Pool = radiusFramedPool
Framed-Route = radiusFramedRoute
Idle-Timeout = radiusIdleTimeOut
Igmp-Enable = igmpEnable
Ingress-Policy-Name = ingressPolicyName
Ingress-Statistics = ingressStatistics
Ipv6-Virtual-Router = ipv6VirtualRouter
Ipv6-Local-Interface = ipv6LocalInterface
Ipv6-Primary-DNS = ipv6PrimaryDNS
Ipv6-Secondary-DNS = ipv6SecondaryDNS
Local-Loopback = localInterface
Ppp-Authenticate-Protocol = pppAuthenticateProtocol
Ppp-Password = pppPassword
Ppp-Username = pppUsername
Pppoe-Max-Sessions = pppoeMaxSessions
Pppoe-Url = pppoeUrl
Primary-DNS = primaryDNS
Primary-WINS = primaryWINS
Qos-Profile-Interface-Type = qosProfileInterfaceType
Qos-Profile-Name = qosProfileName
Redirect-VR-Name = redirectVRName
Sa-Validate = saValidate
Sdx-Service-Name = sdxServiceName
Sdx-Session-Volume-Quota = sessionVolumeQuota
Secondary-DNS = secondaryDNS
Secondary-WINS = secondaryWINS
Service-Type = radiusServiceType
Service-Bundle = serviceBundle
Session-Timeout = radiusSessionTimeOut
Tunnel-Bearer-Type = tunnelBearerType
Tunnel-Dialout-Number = tunnelDialoutNumber
Tunnel-Interface-Id = tunnelInterfaceId
Tunnel-Maximum-Bps = tunnelMaximumBps
Tunnel-Minimum-Bps = tunnelMinimumBps
Tunnel-Assignment-ID = tunnelAssignmentID
Tunnel-Type = tunnelType
Tunnel-Maximum-Sessions = tunnelMaximumSessions
Tunnel-Medium-Type = tunnelMediumType
Tunnel-Nas-Port-Method = tunnelNasPortMethod
Tunnel-Server-Endpoint = tunnelServerEndPoint
Tunnel-Password = tunnelPassword
Tunnel-Preference = tunnelPreference
Tunnel-Tos = tunnelTOS
Tunnel-Virtual-Router = tunnelVirtualRouter
Virtual-Router-Name = virtualRouterName
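Read together, the [Request], [Search/DoLdapSearch] and [Response] sections describe one authentication pass: fill the variable table from the Access-Request, search the directory for the user's entry, compare the supplied password with the retrieved userPassword value, and turn the remaining mappings into reply attributes. The following added example (not code from SRC or Steel-Belted Radius) walks through that pass against a constructed in-memory directory, using a subset of the page's mappings. Two assumptions are labelled in the code: the [Request] lines are all read in the direction variable-table entry <- Access-Request attribute, and PasswordFormat=auto is modelled as picking the comparison scheme from the stored value's prefix (cleartext, {SHA} or {SSHA}); the page does not state which encodings the plug-in recognises.

```python
import base64
import hashlib
import hmac

# [Request] section above, read (assumption) as: variable-table entry <- Access-Request attribute.
REQUEST_VARS = {
    "%UserName": "User-Name",
    "radiusNASIPAddress": "NAS-IP-Address",
    "radiusNASPort": "NAS-Port",
    "radiusServiceType": "Service-Type",
}

# Subset of the [Response] section above: reply attribute <- LDAP attribute.
# %Password names the LDAP attribute the plug-in compares the user's password with.
RESPONSE_MAP = {
    "%Password": "userPassword",
    "Framed-IP-Address": "radiusFramedIPAddress",
    "Primary-DNS": "primaryDNS",
    "Secondary-DNS": "secondaryDNS",
    "Session-Timeout": "radiusSessionTimeOut",
    "Virtual-Router-Name": "virtualRouterName",
}


def ssha(password, salt):
    """LDAP's conventional {SSHA} encoding: base64(sha1(password || salt) || salt).
    Used only to build the constructed directory; SHA-1 is a legacy scheme, not a recommendation."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


# Constructed entries standing in for retailerName=default,o=users,o=umc.
DIRECTORY = [
    {"uid": "alice", "userPassword": ssha("correct horse", b"\x01\x02\x03\x04"),
     "primaryDNS": "10.10.10.53", "secondaryDNS": "10.10.11.53",
     "virtualRouterName": "default", "radiusSessionTimeOut": "3600"},
    {"uid": "bob", "userPassword": "cleartext-pw", "primaryDNS": "10.10.10.53"},
]


def verify_password(stored, candidate):
    """Assumed behaviour of PasswordFormat=auto: choose the scheme from the stored value's prefix."""
    cand = candidate.encode()
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(hashlib.sha1(cand).digest(), base64.b64decode(stored[len("{SHA}"):]))
    return hmac.compare_digest(stored.encode(), cand)        # plain value stored in the directory


def authenticate(access_request, directory=DIRECTORY):
    """Return ("Access-Accept", reply_attributes) or ("Access-Reject", {})."""
    # 1. [Request]: copy the listed Access-Request attributes into the variable table.
    variables = {var: access_request.get(attr) for var, attr in REQUEST_VARS.items()}
    if not variables["%UserName"]:
        return "Access-Reject", {}
    # 2. [Search/DoLdapSearch]: Filter=uid=<User-Name>; an exact uid match stands in for the LDAP search.
    matches = [e for e in directory if e["uid"] == variables["%UserName"]]
    if len(matches) != 1:                     # no entry, or an ambiguous subtree result
        return "Access-Reject", {}
    entry = matches[0]
    # 3. BindName method: the RADIUS server compares the password it retrieved; it never binds as the user.
    stored = entry.get(RESPONSE_MAP["%Password"])
    if stored is None or not verify_password(stored, access_request.get("User-Password", "")):
        return "Access-Reject", {}
    # 4. [Response]: every other mapping becomes a reply attribute when the entry carries the LDAP attribute.
    reply = {radius_attr: entry[ldap_attr]
             for radius_attr, ldap_attr in RESPONSE_MAP.items()
             if radius_attr != "%Password" and ldap_attr in entry}
    return "Access-Accept", reply


if __name__ == "__main__":
    request = {"User-Name": "alice", "User-Password": "correct horse",
               "NAS-IP-Address": "10.0.0.1", "NAS-Port": "7", "Service-Type": "Framed-User"}
    print(authenticate(request))
```

Note that the stored userPassword value never leaves the RADIUS server in the reply: %Password is consumed by the comparison in step 3 and excluded from the attribute copy in step 4, which is the behaviour to confirm when reviewing a modified [Response] section.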
