

Configuring LDAP Authentication for the Merit AAA Server

The SRC software assumes that all RADIUS authentications are performed against the SDX LDAP directory. This section also applies to Merit AAA server integration with a JUNOSe router when Merit AAA authenticates against an LDAP directory. The JUNOSe-specific attributes, such as the primary Domain Name System (DNS) server and the virtual router, must also be integrated as outlined in this section.

Configuring the Merit AAA Server

You configure the ProLDAP AATV for the Merit AAA server in the authfile file, which is stored in the configuration directory /opt/UMC/radius/etc. You must perform these tasks:

Administrators must create a table in the authfile file for each realm name. Merit AAA supports up to four LDAP directories per realm, any of which can be used to authenticate that realm.

realm     PROLDAP     description
{
    Filter-Type bin | cis
    Directory directory-1
    {
        Host dir1.host.com
        Port port-number
        Administrator directory-manager-dn
        [Password directory-manager-password]
        SearchBase realm-search-base-in-directory
        Authenticate Auto | Bind | Search
    }
    ...
}

where

The following authfile example depicts the treatment of PPP logins without any realms and with the realm name isp1.com:

# This is a realm entry for an LDAP Server with PROLDAP with NO Realm
#
NULL  PROLDAP Default-Setting
{
    Filter-Type BIN
    Directory SDX
    {
        Host 123.45.3.1
        Port 389
        Administrator "cn=radius,ou=components,o=operators,o=umc"
        Password      "radius"
        SearchBase    "retailerName=default, o=users, o=umc"
        Authenticate  search
    }
}

# This is a realm entry for two LDAP Servers with PROLDAP with Realm isp1.com
#
virneo.com PROLDAP Virneo-Setting
{
    Filter-Type BIN
    Directory virneo
    {
        Host 245.3.4.5
        Port 389
        Administrator "cn=radius,ou=components,o=operators,o=umc"
        Password      "radius"
        SearchBase    "retailerName=SP,o=users,o=umc"
        Authenticate  search
    }
    Directory virneo-backup
    {
        Host 245.3.4.6
        Port 389
        Administrator "cn=radius,ou=components,o=operators,o=umc"
        Password      "radius"
        SearchBase    "retailerName=SP,o=users,o=umc"
        Authenticate  search
    }
}

After the installation of Merit AAA from the SRC software distribution, the NULL realm is enabled by default.
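As an added illustration (not part of the original documentation or the Merit AAA distribution), the following Python script parses the realm/Directory syntax described above and reports the problems a reviewer would raise before deploying an authfile: a directory missing a required keyword, more than the four directories allowed per realm, and a directory-manager password stored inline. The sample authfile is constructed and deliberately omits Port.

```python
# Constructed sample in the authfile syntax shown above; it omits Port on purpose.
SAMPLE_AUTHFILE = """\
NULL PROLDAP Default-Setting
{
  Filter-Type BIN
  Directory SDX
  {
    Host 192.0.2.10
    Administrator "cn=radius,ou=components,o=operators,o=umc"
    Password "radius"
    SearchBase "retailerName=default,o=users,o=umc"
    Authenticate search
  }
}
"""
REQUIRED = ("Host", "Port", "Administrator", "SearchBase", "Authenticate")
MAX_DIRECTORIES = 4  # per-realm limit stated in the text above

def parse_authfile(text):
    # Returns {realm: [directory dict, ...]}; a directory dict holds its keywords.
    realms, realm, directory = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line == "{":
            continue
        key, _, value = line.partition(" ")
        value = value.strip().strip('"')
        if line == "}":  # a realm closes only after its last Directory closed
            if directory is None:
                realm = None
            directory = None
        elif realm is None:  # realm header: "<realm> PROLDAP <description>"
            if value.split()[:1] == ["PROLDAP"]:
                realm, realms[key] = key, []
        elif directory is not None:
            directory[key] = value
        elif key == "Directory":
            directory = {"name": value}
            realms[realm].append(directory)
    return realms

def check_authfile(realms):
    # Findings a reviewer would raise before deploying this authfile.
    findings = []
    for name, dirs in realms.items():
        if len(dirs) > MAX_DIRECTORIES:
            findings.append(f"{name}: more than {MAX_DIRECTORIES} directories")
        for d in dirs:
            findings += [f"{name}/{d['name']}: missing {k}" for k in REQUIRED if k not in d]
            if "Password" in d:
                findings.append(f"{name}/{d['name']}: bind password stored in clear text")
    return findings
```

Run `check_authfile(parse_authfile(open("/opt/UMC/radius/etc/authfile").read()))` against a real file to review it; an empty list means no findings.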

Configuring RADIUS Profiles with the LDAP Directory

The RADIUS server searches for objects of type umcRadiusPerson to authenticate incoming PPP sessions. If RADIUS and JUNOSe-specific attributes must be returned to the JUNOSe router during authentication, Merit AAA expects some special AAA attributes:

These attributes are multivalued attributes containing the RADIUS attribute value pairs to be processed by the Merit AAA server.

The following umcRadiusPerson object returns the RADIUS attribute values for Session-Timeout, Idle-Timeout, and Class, plus the JUNOSe-specific attribute naming the virtual router to be used on the JUNOSe router. The entry is shown in LDAP Data Interchange Format (LDIF) notation:

dn: serviceName=bras,uniqueID=jane,ou=local,retailerName=isp1,
 o=Users,o=umc
objectClass: umcRadiusPerson
objectClass: umcServiceProfile
objectClass: top
uid: jane
userPassword: secret
serviceName: bras1
usedService: serviceName=bras,o=Services,o=umc
aaaReply: Virtual-Router-Name=Default
aaaReply: Class=1,uid,bras
aaaReply: Idle-Timeout=2700
aaaReply: Session-Timeout=10800
