How to Authenticate Users in a Homogeneous RADIUS Environment
A homogeneous RADIUS environment is the simplest to protect: you can protect the RADIUS device with a single policy. This type of environment includes only one RADIUS device, such as a Cisco RAS, and one user directory, as shown in the following graphic:
Follow these steps:
- Configure the system:
  - Define the RADIUS Agent, as explained in Configure a RADIUS Agent.
  - Set up a user directory against which to authenticate RADIUS users, as explained in Set Up the User Directory.
  - Optionally, define administrative users and modify the authentication schemes.
- Configure the policy domain:
  - Create a RADIUS authentication scheme (CHAP or PAP), as explained in Create the Authentication Scheme.
  - Define a realm that identifies the RADIUS Agent and the RADIUS authentication scheme, as explained in Configure a Realm Protected by a RADIUS Agent.
  - Define a rule that enables authenticated users to access the realm protected by the RADIUS Agent, as explained in Configure a Rule for Authentication Event Actions.
  - Define a response that provides the user profile to the NAS device and configures the characteristics of the session using response attributes, as explained in Configure a Response and RADIUS Agent Response Attributes.
  - Create a policy that binds the rule and response with the user directory, as explained in Configure a Policy.
More Information:
How RADIUS Authentication Works with the Policy Server
Set Up the User Directory
You can authenticate RADIUS users using any user directory that is supported for the NT or UNIX platform you are using.
If the user directory contains information about user privileges, you can create responses using user attributes. When the user attributes are sent back to the RADIUS device, the attributes are used to configure the user session.
You can use the following directories:
- ODBC-enabled database
- NT Domain
- Netscape or NDS LDAP
Set Up the Policy Domain
The policy domain must identify one or more user directories that contain the names of the RADIUS users, the names of the Administrators who can modify the domain, and the realm that the RADIUS Agent is protecting.
Create the Authentication Scheme
You can use any of the following authentication schemes:
- Password Authentication Protocol (PAP)
PAP is a PPP authentication protocol that provides a simple method for a host to establish its identity in a two-way handshake. Authentication takes place only upon initial link establishment and does not use encryption.
- Challenge Handshake Authentication Protocol (CHAP)
CHAP is also a secure PPP authentication protocol. CHAP provides a way to periodically verify the identity of a host using a three-way handshake and encryption. Authentication takes place upon initial link establishment. The RAS can repeat the authentication process any time after the connection takes place.
- Security Dynamics ACE/Server or Secure Computing SafeWord server.
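The PAP and CHAP schemes above arrive at the Policy Server inside a RADIUS Access-Request: a PAP password is hidden with the NAS shared secret and the Request Authenticator (RFC 2865 section 5.2), while a CHAP client sends the 16-byte MD5 response to a challenge (RFC 1994, carried as the RADIUS CHAP-Password attribute per RFC 2865 section 5.3). The following is an added example, not CA product code, showing both sides of each exchange so the server-side checks are clear; the shared secret, challenge, authenticator and password values are constructed for illustration.

```python
"""CHAP (RFC 1994) and RADIUS PAP password hiding (RFC 2865) as a RADIUS
server must handle them. Added example; not Policy Server code. All secret,
challenge, authenticator and password values below are constructed."""
import hashlib
import hmac

# Constructed sample values (not from any real deployment).
SHARED_SECRET = b"nas-shared-secret"          # secret between NAS and RADIUS server
REQUEST_AUTHENTICATOR = bytes(range(16))       # 16 random octets chosen by the NAS
CHAP_CHALLENGE = bytes(range(16, 32))          # challenge the NAS gave the client
USER_SECRET = b"user-password"                 # the user's password from the directory


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """Client half of the CHAP three-way handshake (RFC 1994 section 4.1):
    Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def verify_chap(ident: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server half: recompute the expected response from the stored user secret
    and the challenge actually issued, then compare in constant time."""
    if len(response) != 16:
        return False
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


def verify_radius_chap_password(chap_password_attr: bytes, secret: bytes,
                                challenge: bytes) -> bool:
    """RADIUS CHAP-Password attribute value (RFC 2865 section 5.3) is one
    CHAP Ident octet followed by the 16-octet CHAP response."""
    if len(chap_password_attr) != 17:
        return False
    return verify_chap(chap_password_attr[0], secret, challenge, chap_password_attr[1:])


def pap_hide_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """NAS side of RADIUS User-Password hiding (RFC 2865 section 5.2): pad the
    password with NULs to a multiple of 16 octets, then XOR each block with
    MD5(shared_secret || previous ciphertext block), seeding the chain with the
    Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets before padding")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(shared_secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def pap_reveal_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS server side: reverse the chain and strip the NUL padding, then
    the plaintext can be checked against the user directory."""
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(shared_secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def demo() -> dict:
    """Run one PAP and one CHAP exchange end to end with the constructed values."""
    hidden = pap_hide_password(USER_SECRET, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    pap_ok = pap_reveal_password(hidden, SHARED_SECRET, REQUEST_AUTHENTICATOR) == USER_SECRET
    ident = 7
    attr = bytes([ident]) + chap_response(ident, USER_SECRET, CHAP_CHALLENGE)
    chap_ok = verify_radius_chap_password(attr, USER_SECRET, CHAP_CHALLENGE)
    chap_wrong = verify_radius_chap_password(attr, b"other-password", CHAP_CHALLENGE)
    return {"pap_ok": pap_ok, "chap_ok": chap_ok, "chap_wrong_secret_rejected": not chap_wrong}


if __name__ == "__main__":
    print(demo())
```

Note the asymmetry the two schemes impose on the server: PAP hands the Policy Server the plaintext password, so it can be checked against any directory type, whereas CHAP requires the server to recompute MD5 over the user's cleartext secret, which is why a CHAP scheme needs a directory that can return the password rather than only confirm it.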
Copyright © 2015 CA Technologies.
All rights reserved.