How Users are Authenticated in Heterogeneous, Single Directory Environments

An example of a heterogeneous configuration is illustrated in the following graphic:

In the network topology shown in the previous diagram, the Policy Server authenticates users of two NAS devices: a Cisco RAS and a Checkpoint Firewall. The Policy Server uses one user directory to authenticate the users.

Each NAS device has its own RADIUS Agent, which has been configured with a realm hint. When the Policy Server receives a request to authenticate the user, it uses the RADIUS Agent's realm hint to determine the resource (domain) that the authenticated user can access.

The process of authentication when one user directory is used is as follows:

  1. The remote user dials in from a modem and the Cisco RAS determines that it must use a RADIUS user profile to authenticate the user.
  2. The RAS sends the user connection request to the Policy Server.
  3. The Policy Server enacts the policy defined for the RAS, and the RADIUS Agent associated with the Cisco RAS does the following:
    1. Determines the user's domain using a realm hint.
    2. Obtains the user's name and password using the authentication scheme configured for the Agent.
  4. The Policy Server evaluates the user information against the user directory and policy store.
  5. The Policy Server sends an authentication response to the Cisco RAS and one of the following takes place:

When the Internet user attempts to dial into the Internet Service Provider via the Checkpoint Firewall, a similar process of authentication occurs. Using the realm hint, the RADIUS Agent defined for the Checkpoint Firewall determines which domain the Internet user has access to. If the user is authenticated, the Policy Server passes the Firewall the correct attributes to establish the session.

User information for both NAS devices is stored in the same user directory. Each time the Policy Server receives an authentication request, it authenticates the user using the same data directory.
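The five-step flow above, plus the firewall variant, can be followed end to end in a small simulation. The block below is an added example written for this page; it is not CA code and it does not use the Policy Server's real APIs. It models two RADIUS Agents (one per NAS, each with its own shared secret and realm hint), one shared user directory, and a policy store keyed by domain. The NAS side hides the PAP password exactly as RFC 2865 section 5.2 prescribes, and the server side reverses it with the agent's secret, picks the domain from the agent's realm hint, checks the credentials against the single directory, and then consults the policy store before returning Access-Accept with session attributes or Access-Reject. All names, secrets, users and attribute values are constructed for the example; the `nas_id` field stands in for the NAS-IP-Address or NAS-Identifier attribute a real request would carry.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# ---- RFC 2865 section 5.2 User-Password hiding (PAP) ----------------------
# The NAS XORs each 16-byte block of the NUL-padded password with
# MD5(shared_secret + previous block); for the first block the "previous
# block" is the 16-byte Request Authenticator. The server, which knows the
# same shared secret, reverses the operation.

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a PAP password the way a NAS does before sending Access-Request."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Reverse hide_password on the server side and strip the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


# ---- Constructed configuration (hypothetical names and values) -------------
# One user directory shared by every NAS. Passwords are kept in clear text
# here only to keep the example short; a real directory stores hashes.
USER_DIRECTORY = {"alice": "s3cret!", "bob": "hunter2"}

# One RADIUS Agent per NAS, each with its own shared secret and realm hint.
AGENTS = {
    "cisco-ras":   {"secret": b"ras-shared-secret", "realm_hint": 1},
    "cp-firewall": {"secret": b"fw-shared-secret",  "realm_hint": 2},
}

# The realm hint selects the domain; the policy store says who may use that
# domain and which RADIUS attributes the NAS receives on success.
DOMAINS = {1: "dialup-domain", 2: "internet-domain"}
POLICY_STORE = {
    "dialup-domain":   {"users": {"alice", "bob"}, "attrs": {"Framed-Protocol": "PPP"}},
    "internet-domain": {"users": {"alice"},        "attrs": {"Session-Timeout": 3600}},
}


@dataclass
class AccessRequest:
    nas_id: str             # stands in for NAS-IP-Address / NAS-Identifier
    request_auth: bytes     # 16 random bytes chosen by the NAS
    user_name: str          # User-Name attribute
    hidden_password: bytes  # User-Password attribute, already hidden


def nas_build_request(nas_id: str, user_name: str, password: str) -> AccessRequest:
    """Step 2: the NAS builds and sends the user connection request."""
    request_auth = secrets.token_bytes(16)
    secret = AGENTS[nas_id]["secret"]
    return AccessRequest(nas_id, request_auth, user_name,
                         hide_password(password.encode(), secret, request_auth))


def policy_server_authenticate(req: AccessRequest):
    """Steps 3 to 5: returns (response code, domain, attributes)."""
    agent = AGENTS[req.nas_id]
    domain = DOMAINS[agent["realm_hint"]]                  # 3a: domain from realm hint
    supplied = reveal_password(req.hidden_password,        # 3b: credentials via the
                               agent["secret"], req.request_auth)  # agent's PAP scheme
    stored = USER_DIRECTORY.get(req.user_name)             # 4: the single user directory
    if stored is None or not hmac.compare_digest(stored.encode(), supplied):
        return ("Access-Reject", domain, {})
    policy = POLICY_STORE[domain]                          # 4: policy store for the domain
    if req.user_name not in policy["users"]:
        return ("Access-Reject", domain, {})                # known user, not allowed here
    return ("Access-Accept", domain, dict(policy["attrs"]))  # 5: attributes for the session


if __name__ == "__main__":
    for nas, user, pw in [("cisco-ras", "alice", "s3cret!"),
                          ("cp-firewall", "bob", "hunter2"),
                          ("cp-firewall", "alice", "wrong")]:
        print(nas, user, policy_server_authenticate(nas_build_request(nas, user, pw)))
```

The second sample request is the case worth noticing: bob's credentials are valid in the shared directory, but the realm hint of the firewall's agent maps the request to a domain whose policy does not include him, so the Policy Server rejects it. Authentication is shared across the NAS devices; authorization stays per domain. Two practical caveats follow from the RFC 2865 part: the password hiding is only as strong as the agent's shared secret, and it is keyed by MD5, so each agent should get its own long random secret (as the sample does) and the RADIUS traffic between NAS and Policy Server should run over a trusted or encrypted path.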


Copyright © 2010 CA. All rights reserved.