Use Realm Hints
How does a RADIUS Agent protect a NAS device that must authenticate users in different domains, such as domainA and domainB? A realm hint is a RADIUS attribute that enables SiteMinder to determine the correct domain in which to authenticate a user. You must provide a RADIUS Agent with one of the following realm hint values:
- 0--(Default) Signifies that there is only one realm in the policy domain and therefore, a hint is not needed. The realm is bound to the NAS device directly.
- 1--(RADIUS User-Name attribute) SiteMinder parses the realm name from the user name in this attribute, then finds the associated domain, as explained below.
- An attribute that contains the actual name of the domain. This attribute is not available for all NAS devices. See your NAS device product documentation for more information.
When the realm hint is set to 1, the realm name is parsed from the user name attribute. The user_name-realm separator must be "@" or "/".
- If the separator is "@" then the element following the "@" is the realm name. For example, in jack@realmA.com, the realm is realmA.com.
- If the separator is "/" then the element preceding the "/" is the realm name. For example, in x5/jack, the realm is x5.
The following diagram and explanation show how a proxy server determines the correct SiteMinder domain in which to authenticate a user.
- One RADIUS agent protects both SiteMinder domains. The RADIUS Agent is configured with the realm hint value of 1.
- When Jill tries to access the ISP's proxy server, the RADIUS agent intercepts the request and forwards Jill's user name attribute jill@realmB.com to the Policy Server.
- The Policy Server parses the user_name and realm_name from the user name attribute.
  Example: jill@realmB.com, where jill is the user_name and realmB.com is the realm_name.
- The Policy Server identifies the domain associated with the realm_name. The domain associated with realmB.com is domainB.
- The Policy Server authenticates the user_name in the appropriate directory. The user_name jill is authenticated in the NT user domain defined for Policy B: realmB.com:domainB.
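The "@" and "/" separator rules and the realm-to-domain lookup described above, as an added Python example that is not SiteMinder code. The function names, the realm table, the rejection of ambiguous values and the case-insensitive realm match are assumptions made for illustration.

```python
# Added illustration; not SiteMinder code. All names below are hypothetical.

# Constructed realm-to-domain table, using the example names from this page.
REALM_TO_DOMAIN = {"realmA.com": "domainA", "realmB.com": "domainB"}


class RealmHintError(ValueError):
    """User-Name value that cannot be mapped to exactly one realm."""


def split_user_name(value):
    """Return (user_name, realm_name) from a RADIUS User-Name value.

    '@' form: realm follows the separator   (jack@realmA.com -> realmA.com)
    '/' form: realm precedes the separator  (x5/jack -> x5)
    """
    has_at, has_slash = "@" in value, "/" in value
    # Assumption: a value carrying both separators, or one separator more
    # than once, is ambiguous and is rejected rather than guessed at.
    if has_at and has_slash:
        raise RealmHintError("both '@' and '/' present")
    if not has_at and not has_slash:
        raise RealmHintError("no realm separator")
    sep = "@" if has_at else "/"
    if value.count(sep) != 1:
        raise RealmHintError("separator appears more than once")
    left, right = value.split(sep)
    user, realm = (left, right) if sep == "@" else (right, left)
    if not user or not realm:
        raise RealmHintError("empty user name or realm name")
    return user, realm


def resolve_domain(value, table=REALM_TO_DOMAIN):
    """Return (user_name, domain) to authenticate against, or raise."""
    user, realm = split_user_name(value)
    # Assumption: realm names compare case-insensitively, like DNS names.
    lookup = {k.lower(): v for k, v in table.items()}
    try:
        return user, lookup[realm.lower()]
    except KeyError:
        raise RealmHintError("unknown realm: %r" % realm) from None


if __name__ == "__main__":
    for sample in ("jill@realmB.com", "x5/jack", "x5/jack@realmA.com", "jill"):
        try:
            print(sample, "->", resolve_domain(sample))
        except RealmHintError as exc:
            print(sample, "-> rejected:", exc)
```

Rejecting values that match both separator rules keeps a single User-Name from being read as belonging to two different realms.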