

Authenticate Users in Heterogeneous RADIUS Environments with One User Directory

A more powerful and complex deployment of the Policy Server in a RADIUS environment is one that includes multiple realms administered by multiple NAS devices. In this scenario, the Policy Server can serve as the RADIUS authentication server for multiple RADIUS clients at once.

The advantage of using a heterogeneous configuration is that you save time by using the same RADIUS authentication server (that is, the Policy Server) for each RADIUS client.

How Users are Authenticated in Heterogeneous, Single Directory Environments

An example of a heterogeneous configuration is illustrated in the following graphic:

Graphic showing a heterogeneous configuration that uses a single user directory to authenticate users

In the network topology shown in the previous diagram, the Policy Server authenticates users of two NAS devices: a Cisco RAS and a Checkpoint Firewall. The Policy Server uses one user directory to authenticate the users.

Each NAS device has its own RADIUS Agent, which has been configured with a realm hint. When the Policy Server receives a request to authenticate the user, it uses the RADIUS Agent’s realm hint to determine the resource (domain) that the authenticated user can access.

The process of authentication when one user directory is used is as follows:

  1. The remote user dials in from a modem and the Cisco RAS determines that it must use a RADIUS user profile to authenticate the user.
  2. The RAS sends the user connection request to the Policy Server.
  3. The Policy Server enacts the policy defined for the RAS, and the RADIUS Agent associated with the Cisco RAS does the following:
    1. Determines the user’s domain using a realm hint.
    2. Obtains the user’s name and password using the authentication scheme configured for the Agent.
  4. The Policy Server evaluates the user information against the user directory and policy store.
  5. The Policy Server sends an authentication response to the Cisco RAS and one of the following takes place:

When the Internet user attempts to dial into the Internet Service Provider via the Checkpoint Firewall, a similar process of authentication occurs. Using the realm hint, the RADIUS Agent defined for the Checkpoint Firewall determines which domain the Internet user has access to. If the user is authenticated, the Policy Server passes the Firewall the correct attributes to establish the session.

User information for both NAS devices is stored in the same user directory. Each time the Policy Server receives an authentication request from either NAS, it authenticates the user against that same user directory.

System and Policy Domain Configuration

This system configuration differs from the homogeneous environment; you must now create two Agents.

Within the policy domain there is one policy that includes rules and responses for the Cisco Agent and the Checkpoint Agent.

To set up CA SiteMinder® in the heterogeneous, single directory environment described above, you must:

  1. Configure the system:
    1. Define two RADIUS Agents, as described in Define Agents for a Heterogeneous, Single Directory Environment.
    2. Set up a user directory against which to authenticate RADIUS users, as described in Configure the User Directory.
    3. Create one policy domain, as described in Create the Policy Domain.
    4. Create an authentication scheme, as described in Create the Authentication Scheme.
  2. Configure the policy domain:
    1. Define two realms: one realm for the Cisco RAS and one realm for the Checkpoint Firewall. Each realm binds a RADIUS Agent with a RADIUS authentication scheme.
    2. Define two rules that allow authenticated users to access the appropriate realm. Each rule binds a realm with an allow or deny access event.
    3. Define two responses that provide the user profile to the NAS device and configure the characteristics of the session using response attributes. A separate response must be defined for each NAS device because each device uses a different Dictionary file.
    4. Create one policy that binds the Cisco rule with the Cisco response and the Checkpoint rule with the Checkpoint response. This policy also binds the components of the policy domain (the rule and response groupings) with the RADIUS user directory.
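The following is an added illustrative model (not SiteMinder code or its API) of the authentication flow and the policy domain objects described above: two Agents keyed by the NAS they serve, each with a realm hint; one shared user directory; two realms, two rules and two responses; and one policy binding each rule to its NAS-specific response. All addresses, user names, passwords and response attribute values are constructed sample data.

```python
import hashlib
import hmac


# Constructed stand-ins for the SiteMinder objects the text describes.
def _pw_hash(salt: bytes, password: str) -> str:
    # The shared directory stores salted hashes, never plaintext passwords.
    return hashlib.sha256(salt + password.encode()).hexdigest()


# One user directory, shared by both NAS devices.
USER_DIRECTORY = {
    "alice": {"salt": b"salt-a", "pw_hash": _pw_hash(b"salt-a", "alice-secret")},
    "bob":   {"salt": b"salt-b", "pw_hash": _pw_hash(b"salt-b", "bob-secret")},
}

# Two RADIUS Agents, one per NAS, keyed by the address the request arrives from;
# each carries the realm hint used to pick the realm that Agent protects.
AGENTS = {
    "10.0.0.1": {"agent": "cisco-agent", "realm_hint": "dialup"},
    "10.0.0.2": {"agent": "checkpoint-agent", "realm_hint": "vpn"},
}

# Two realms (each bound to an Agent), two rules (the event each realm allows),
# two responses (attribute sets differ because each NAS has its own dictionary),
# and one policy binding each realm's rule to its NAS-specific response.
REALMS = {"dialup": "cisco-agent", "vpn": "checkpoint-agent"}
RULES = {"dialup": "allow", "vpn": "allow"}
RESPONSES = {
    "cisco-response": {"Service-Type": "Framed-User", "Framed-Protocol": "PPP"},
    "checkpoint-response": {"Class": "vpn-users"},   # constructed sample value
}
POLICY = {"dialup": "cisco-response", "vpn": "checkpoint-response"}


def authenticate(nas_address: str, username: str, password: str) -> dict:
    """Model one Access-Request: select the Agent, resolve the realm from its
    hint, check the shared directory, evaluate the rule, return the response."""
    agent = AGENTS.get(nas_address)
    if agent is None:                       # NAS with no Agent defined: reject
        return {"code": "Access-Reject", "reason": "unknown NAS"}
    realm = agent["realm_hint"]
    if REALMS.get(realm) != agent["agent"]:
        return {"code": "Access-Reject", "reason": "realm not bound to agent"}
    entry = USER_DIRECTORY.get(username)
    # Hash and compare even for unknown users so timing does not reveal names.
    salt = entry["salt"] if entry else b"dummy-salt"
    expected = entry["pw_hash"] if entry else _pw_hash(salt, "")
    if entry is None or not hmac.compare_digest(expected, _pw_hash(salt, password)):
        return {"code": "Access-Reject", "reason": "bad credentials"}
    if RULES.get(realm) != "allow":
        return {"code": "Access-Reject", "reason": "rule denies access"}
    return {"code": "Access-Accept", "realm": realm,
            "attributes": dict(RESPONSES[POLICY[realm]])}
```

The same user is accepted from either NAS because both Agents consult the one directory, but the attributes returned differ because each realm's rule is bound to a different response.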

A diagram of this policy domain is shown in the following graphic:

Graphic showing how to configure system and policy domain

Define Agents for a Heterogeneous, Single Directory Environment

For this environment, you must configure two RADIUS Agents:

Configure the User Directory

The Policy Server can authenticate users using the same user directory for both NAS devices.

Create the Policy Domain

The policy domain must identify the user directory that contains the names of the RADIUS users, the names of the Administrators who can modify the domain, and the realm that the RADIUS Agent is protecting. A RADIUS environment that uses only one user directory requires only one policy domain.