Use Realm Hints

How does a RADIUS Agent protect a NAS device that must authenticate users in different domains, such as domainA and domainB? A realm hint is a RADIUS attribute that enables SiteMinder to determine the correct domain in which to authenticate a user. You must provide a RADIUS Agent with one of the following realm hint values:

When the realm hint is set to 1, the realm name is parsed from the user name attribute. The user_name-realm separator must be "@" or "/".

The following diagram and explanation show how a proxy server determines the correct SiteMinder domain in which to authenticate a user.

  1. One RADIUS agent protects both SiteMinder domains. The RADIUS Agent is configured with the realm hint value of 1.
  2. When Jill tries to access the ISP's proxy server, the RADIUS agent intercepts the request and forwards Jill's user name attribute jill@realmB.com to the Policy Server.
  3. The Policy Server parses the user_name and realm_name from the user name attribute.

    Example: jill@realmB.com, where jill is the user_name and realmB.com is the realm_name.

    The Policy Server identifies the domain associated with the realm_name. The domain associated with realmB.com is domainB.

  4. The Policy Server authenticates the user_name in the appropriate directory. The user_name jill is authenticated in the NT user domain defined for Policy B: realmB.com:domainB.
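
The parsing and domain lookup in steps 3 and 4, as an added Python example (not CA or SiteMinder code). The realm-to-domain table, realmA.com, the function names, and the realm/user_name order for the "/" form are assumptions; the example refuses ambiguous or unknown realms instead of falling back to a default domain.

```python
# Added illustration of realm-hint parsing; not SiteMinder code.
# Constructed mapping: only realmB.com -> domainB appears on the page,
# realmA.com is a hypothetical counterpart for domainA.
REALM_TO_DOMAIN = {"realma.com": "domainA", "realmb.com": "domainB"}


class RealmError(ValueError):
    """Raised when a User-Name value cannot be routed to exactly one domain."""


def split_user_name(attr: str) -> tuple[str, str]:
    """Return (user_name, realm_name) parsed from a RADIUS User-Name value."""
    seps = [c for c in attr if c in "@/"]
    # More than one separator makes the realm ambiguous (e.g. a@b/c), so
    # refuse to guess which part selects the authentication domain.
    if len(seps) != 1:
        raise RealmError("expected exactly one '@' or '/' separator")
    left, right = attr.split(seps[0])
    # Assumption: '@' form is user_name@realm, '/' form is realm/user_name.
    user, realm = (left, right) if seps[0] == "@" else (right, left)
    if not user or not realm:
        raise RealmError("empty user_name or realm_name")
    # Assumption: realm names compare case-insensitively, like DNS names.
    return user, realm.lower()


def resolve(attr: str) -> tuple[str, str]:
    """Return (user_name, domain); fail closed when the realm is not mapped."""
    user, realm = split_user_name(attr)
    try:
        return user, REALM_TO_DOMAIN[realm]
    except KeyError:
        raise RealmError(f"unknown realm {realm!r}") from None


if __name__ == "__main__":
    samples = ["jill@realmB.com", "realmA.com/jack", "jill",
               "jill@realmB.com/x", "jill@other.example"]  # constructed inputs
    for value in samples:
        try:
            print(value, "->", resolve(value))
        except RealmError as err:
            print(value, "-> rejected:", err)
```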


Copyright © 2010 CA. All rights reserved.