AAA/802.1x
Contributor
Gerard
Posts: 18
Registered: 09-08-2008

forward specific access requests to a separate RADIUS server

Dear all,

 

I want specific access requests to go to a different RADIUS server. If I set up my SBR to proxy the requests to a different server, all the requests are sent to this new server. How can I configure my SBR to forward only requests from a specific device to a different RADIUS server?

 

regards,

 

Gerard

Trusted Contributor
gdavies
Posts: 115
Registered: 11-05-2007

Re: forward specific access requests to a separate RADIUS server

Hi Gerard,

 

Which specific requests do you want to proxy?  How might SBR be able to differentiate them from other requests that you want handled locally?  Are they in a different realm?  You might be able to proxy for a specific realm and handle other realms locally.

 

Rgds,

 

Guy 

---
Guy Davies
Contributor
Gerard
Posts: 18
Registered: 09-08-2008

Re: forward specific access requests to a separate RADIUS server

Hi Guy,

 

Thank you for your reply.

Just to give you an idea of what I'm trying to realise.

 

I want to use the SBR for multiple authentications, so for VPN, WiFi, switch access, etc. So instead of using multiple RADIUS servers, I would like to use one (OK, two for redundancy). Users can log in via a domain (Active Directory) account, and via the profile it will check if you're allowed to log in. But in some cases (e.g. VPN) a different authentication method is needed.

 

We have a VPN box where users can log in via a token server. So requests coming from a specific IP address should go to a different validation server.

 

I'm currently testing the SBR with the Digipass plugin, but the problem is still that I only want to use the plugin if users want to log in via the VPN.

 

Hopefully it is clearer now. If not, I'll try to make a diagram of the "problem".

 

regards,

 

Gerard 

Trusted Contributor
gdavies
Posts: 115
Registered: 11-05-2007

Re: forward specific access requests to a separate RADIUS server

Hi Gerard,

 

If you can pin it down to a particular subset of authenticators (RADIUS clients) that always use a proxy, you may be able to do that with location profiles.  I stress the word *may* because I've never tried this but I suspect that you may be able to do it that way.  You'll need SBR 6.0+ to use location profiles, IIRC.

 

That would allow you to group the relevant clients and have them behave in a particular way.

 

Alternatively, if you put all the methods in place with your Digipass as the last option, then it may just work. For example, my demo server has SQL, followed by LDAP, followed by Native. If a single name appears in all with a different password, then it tries all three and only rejects once all three mechanisms fail.

 

Rgds,

 

Guy 

---
Guy Davies
Contributor
Gerard
Posts: 18
Registered: 09-08-2008

Re: forward specific access requests to a separate RADIUS server

Hi Guy,

 

I've managed to fix it somehow. I'm checking how a user is trying to connect, so whether it is via Ethernet or virtual. Also, I don't have the GEE edition, where you can create location groups. This should make it easier.

 

regards,

 

Gerard

Visitor
Armen_inTechnology
Posts: 1
Registered: 11-23-2008

Re: forward specific access requests to a separate RADIUS server

Hi Gerard,

 

Unfortunately, Location Groups are a GEE only feature, so it will be greyed out in administrative views of EE servers.

 

When dealing with mixed access types and mixed authentication sources in EE, checklist attributes are usually the way to go.

A user with both an ADS and a token account technically exists as two separate users in the RADIUS system. Each account would have a profile mapped against it. When setting up checklist attributes, it is important to know which RADIUS attributes you want to limit access against.

 

NAS-IP-Address is commonly used to restrict allowed services, with Service-Type used alternatively or in conjunction with it.

Usually remote and local access have different Service-Type/NAS-IP-Address values. You would include the local-related attributes as checklist attributes in the ADS-related profile, while including the remote access-related Service-Type values in the VPN account's checklist. This forces SBR to accept authentication only when both the password is correct AND the authentication request contains a matching set of attributes.

 

The key point to remember is that the checklists for the profiles must not overlap. Overlapping attributes may result in access being granted when using the wrong credentials.
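
The following is an added illustration, not Steel-Belted RADIUS code and not part of any post in this thread. It models the approach described above: one person held as two accounts (ADS and token), each with its own profile whose checklist attributes (NAS-IP-Address, Service-Type) the Access-Request must match in addition to the credential, and it shows what happens when two checklists overlap. It also mirrors Guy's note that several accounts are tried in order and the request is rejected only when none accepts it. All usernames, passwords, NAS addresses and the overlap check are constructed assumptions for the example; real RADIUS hides User-Password with the shared secret, which this toy ignores.

```python
"""Toy model of checklist-attribute evaluation for one user with two accounts.

Added example, not SBR code. Sample data below is constructed.
"""
from dataclasses import dataclass

# Service-Type values from RFC 2865
SERVICE_TYPE_LOGIN = 1    # typical for switch/WiFi admin or 802.1X style login
SERVICE_TYPE_FRAMED = 2   # typical for VPN (framed IP) sessions

# Constructed RADIUS client (NAS) addresses
VPN_BOX = "10.0.0.5"
WIFI_CONTROLLER = "10.0.0.10"
CORE_SWITCH = "10.0.0.11"


@dataclass
class Profile:
    name: str
    checklist: dict   # attribute name -> set of acceptable values


@dataclass
class Account:
    username: str
    password: str     # for the token account this stands in for the one-time code
    profile: Profile


# Well-separated profiles: local access only from the switch/WiFi NAS with
# Service-Type Login; VPN access only from the VPN box with Service-Type Framed.
LOCAL_PROFILE = Profile("ADS-local", {
    "NAS-IP-Address": {WIFI_CONTROLLER, CORE_SWITCH},
    "Service-Type": {SERVICE_TYPE_LOGIN},
})
VPN_PROFILE = Profile("Token-VPN", {
    "NAS-IP-Address": {VPN_BOX},
    "Service-Type": {SERVICE_TYPE_FRAMED},
})

# Misconfigured local profile (hypothetical): no NAS-IP-Address restriction and
# both Service-Type values, so its checklist overlaps the VPN profile's.
SLOPPY_LOCAL_PROFILE = Profile("ADS-local-sloppy", {
    "Service-Type": {SERVICE_TYPE_LOGIN, SERVICE_TYPE_FRAMED},
})


def build_accounts(local_profile=LOCAL_PROFILE, vpn_profile=VPN_PROFILE):
    """Same person, two RADIUS accounts: domain password and token code (constructed)."""
    return [
        Account("gerard", "ad-password", local_profile),
        Account("gerard", "482913", vpn_profile),
    ]


def make_request(user, secret, nas_ip, service_type):
    """Minimal Access-Request as a dict of the attributes the checklists use."""
    return {"User-Name": user, "User-Password": secret,
            "NAS-IP-Address": nas_ip, "Service-Type": service_type}


def request_matches_checklist(request, checklist):
    """Every checklist attribute must be present in the request with an allowed value."""
    return all(attr in request and request[attr] in allowed
               for attr, allowed in checklist.items())


def authenticate(accounts, request):
    """Try each account in order; accept only when BOTH the credential matches
    that account AND the request satisfies that account's checklist.
    Returns the accepting profile name, or None when every account rejects."""
    for acct in accounts:
        if acct.username != request["User-Name"]:
            continue
        if acct.password != request["User-Password"]:
            continue
        if request_matches_checklist(request, acct.profile.checklist):
            return acct.profile.name
    return None


def checklists_overlap(p1, p2):
    """True if some request could satisfy both checklists: for every attribute
    both profiles constrain, they share at least one allowed value
    (an attribute only one profile constrains never separates them)."""
    common = set(p1.checklist) & set(p2.checklist)
    return all(p1.checklist[a] & p2.checklist[a] for a in common)


if __name__ == "__main__":
    accts = build_accounts()
    print(authenticate(accts, make_request("gerard", "482913", VPN_BOX, SERVICE_TYPE_FRAMED)))
    print(authenticate(accts, make_request("gerard", "ad-password", VPN_BOX, SERVICE_TYPE_FRAMED)))
    print(checklists_overlap(LOCAL_PROFILE, VPN_PROFILE), checklists_overlap(SLOPPY_LOCAL_PROFILE, VPN_PROFILE))
```

With the separated profiles, the domain password is rejected at the VPN box and the token code is rejected at the switch. With the sloppy local profile, the same domain password is accepted for a Framed request from the VPN box, which is exactly the "wrong credentials" outcome the post warns about; running `checklists_overlap` over every pair of profiles before deploying them catches that case.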

Contributor
Gerard
Posts: 18
Registered: 09-08-2008

Re: forward specific access requests to a separate RADIUS server

@Armen, thanks for your reply. It helped a lot.

 

Dear all,

it's been a while, but finally I've got the GEE version up and running!

I have the location groups option, but somehow this is not synced with the replication server. It does see the groups, but it doesn't see the clients. I did enable the options in radius.ini.

 

I also tried to use in radius.ini

AddFunkClientGroupToRequest     = 1

 

But somehow I only see the client group with the first authentication request. If I try to log in again, it doesn't add this to the request. So this makes filtering very difficult.

 

Anybody any ideas?

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.