How to Authenticate Users in Heterogeneous RADIUS Environments with Two User Directories

The Policy Server can also be configured to authenticate users for multiple NAS devices when the user information for each device is located in separate user directories. The NAS devices can be of different vendor types.

There are several advantages to this configuration:

An example of a heterogeneous configuration that uses two user directories is illustrated in the following graphic:

Unlike the topology described in the previous section, this Policy Server uses two user directories to authenticate the users. User information for the Cisco RAS users is stored in User Directory A. User information for the Checkpoint firewall is stored in User Directory B. The Policy Server can authenticate users using both of these directories.

By dividing the configuration into two policy domains, the need for realm hints is eliminated. Each RADIUS Agent exists in a separate policy domain and is bound to only one realm.

The process of authentication when two user directories are used is as follows:

  1. The remote user dials in from a modem and the Cisco RAS determines that it must use a RADIUS user profile to authenticate the user.
  2. The RAS sends the user connection request to the Policy Server.
  3. The Policy Server enacts the policy defined for the RAS, and the RADIUS Agent obtains the user's name and password using the authentication scheme configured for the Agent.
  4. The Policy Server evaluates the user information against the user directory and policy store associated with the policy's domain.
  5. The Policy Server sends an authentication response to the Cisco RAS and one of the following takes place:

When the Internet user attempts to dial into the Internet Service Provider by using the Checkpoint Firewall, this same process of authentication occurs. However, the Policy Server evaluates the Internet user's authentication information against a different user directory.
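To make the routing decision in the procedure above concrete, here is an added example that models it in Python. It is not CA SiteMinder code; the class names, the NAS identifiers and the usernames are assumptions constructed for the illustration. The point it shows is the one the section makes: because each RADIUS Agent is bound to exactly one policy domain, the Policy Server selects the user directory from the identity of the NAS that sent the request, so the username carries no realm hint and the same username can exist in both directories with different credentials without one directory ever being consulted for the other device's users.

```python
"""Toy model of the two-directory, two-policy-domain RADIUS topology.

Added illustration, not CA SiteMinder code. Directory names follow the
page ("User Directory A"/"B"); NAS addresses and users are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _digest(salt: bytes, password: str) -> bytes:
    # Salted PBKDF2 so the model never stores clear-text passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class UserDirectory:
    name: str
    _records: dict = field(default_factory=dict)  # username -> (salt, digest)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[username] = (salt, _digest(salt, password))

    def verify(self, username: str, password: str) -> bool:
        rec = self._records.get(username)
        if rec is None:
            return False
        salt, stored = rec
        # Constant-time comparison of the digests.
        return hmac.compare_digest(stored, _digest(salt, password))


@dataclass
class PolicyDomain:
    name: str
    directory: UserDirectory  # the single directory this domain searches


@dataclass
class RadiusAgent:
    nas_id: str  # assumed: the NAS is identified by its source address
    domain: PolicyDomain  # each agent lives in exactly one policy domain


class PolicyServer:
    def __init__(self) -> None:
        self._agents: dict[str, RadiusAgent] = {}

    def register_agent(self, agent: RadiusAgent) -> None:
        self._agents[agent.nas_id] = agent

    def handle_access_request(self, nas_id: str, username: str, password: str):
        """Return (response, reason) for one Access-Request.

        The directory is chosen by the sending NAS, not by anything in the
        username, which is why no realm hint is needed in this topology.
        """
        agent = self._agents.get(nas_id)
        if agent is None:
            # A real RADIUS server silently discards requests from clients it
            # does not know; the model returns a reject so the outcome is visible.
            return ("Access-Reject", "request from unregistered NAS")
        directory = agent.domain.directory
        if directory.verify(username, password):
            return ("Access-Accept", f"{agent.domain.name}: found in {directory.name}")
        return ("Access-Reject", f"{agent.domain.name}: not found in {directory.name}")


def build_demo_server() -> PolicyServer:
    """Constructed sample topology: Cisco RAS -> Directory A, firewall -> Directory B."""
    dir_a = UserDirectory("User Directory A")
    dir_b = UserDirectory("User Directory B")
    dir_a.add_user("alice", "ras-secret")
    dir_b.add_user("alice", "fw-secret")  # same name, different credential, other directory
    dir_b.add_user("bob", "bob-pass")

    server = PolicyServer()
    server.register_agent(RadiusAgent("10.0.0.1", PolicyDomain("RAS Domain", dir_a)))
    server.register_agent(RadiusAgent("10.0.0.2", PolicyDomain("Firewall Domain", dir_b)))
    return server


if __name__ == "__main__":
    srv = build_demo_server()
    for nas, user, pw in [("10.0.0.1", "alice", "ras-secret"),
                          ("10.0.0.1", "alice", "fw-secret"),
                          ("10.0.0.2", "alice", "fw-secret"),
                          ("10.0.0.1", "bob", "bob-pass")]:
        print(nas, user, srv.handle_access_request(nas, user, pw))
```

The second and fourth requests are rejected even though the credentials are valid somewhere: the RAS domain never searches User Directory B, which is the isolation the two-domain design provides.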


Copyright © 2010 CA. All rights reserved.