ClearBox Server v1.2 User's Guide |
AuthorizationAuthorization is the process of granting or denying a user access to network resources once the user has been authenticated through the username and password. The amount of information and the amount of services the user has access to depend on the user's authorization level. In other words, it is the process of establishing what a user can do. After the user is connected and authenticated (NAS may be configured to use authorization without authentication), for each command typed or resource requested, the NAS sends an authorization request to the server. The NAS can propose a configuration to be applied to the user as a list of attributes. Relying on the information of the authorization request, the server will answer granting or denying the authorization. If the authorization is actually granted, the server can tell the NAS to apply a new series of attributes to the user. For example the server can communicate to the NAS to discard the proposed IP address using on the other hand the address proposed by the server itself, and apply a certain timeout value for the connection... RADIUS AuthorizationRADIUS protocol does not separate authorization from authentication and uses one authentication request-response transaction for this purposes. Although ClearBox Server distinguishes these processes logically and allows to implement authorization as an independent part of packet processing. In RADIUS protocol when an authentication request occurs, the NAS sends at the same time a set of parameters (the attribute/values pairs) describing the user login type and requested services. The RADIUS server may analyze these attributes and decide whether to authorize the user or not. In the former case the server can include in its reply another attribute set to be applied to the user who is logging in (for example a static IP address, the address of the DNS servers, etc.). Finally the NAS may decide if this set is suitable to that user and then continue or abort the session. ClearBox Server divides RADIUS authorization process into three parts
which that can be implemented independently. AutoReject ListsThis feature allows to automatically reject authentication requests that
contain a certain attribute. If any attribute from the AutoReject list
(provided by server extension for every access request) is present in
the packet, then Access-Reject response is sent to the client. For example,
Calling-Station-ID can be used to block users who dials in from a particular
phone number. RequestMatch ListsThe RequestMatch list is a list of attributes that must accompany the request for connection. The NAS must send attributes that accord the RequestMatch list assigned to a user; otherwise, ClearBox Server will reject the user even if he has been authenticated. By including appropriate attributes in the RequestMatch list, a variety of rules could be enforced. Only certain users might be permitted to use ISDN connections, or dial in to a particular NAS. Or, Caller ID could be used to validate a user against a list of legal originating phone numbers. Response ListsThe Response list is a list of attributes that ClearBox Server must return
to the NAS once authorization succeeds. The Response list usually provides
additional parameters that the NAS needs to complete the connection, typically
as part of PPP negotiations. Read more about RADIUS attributes and their properties. See how ClearBox Server processes RADIUS authorization. TACACS+ AuthorizationIn TACACS+ protocol, every attribute proposed by the NAS in the authorization
request can be optional or mandatory. If the attribute is optional, the
server can propose an alternative attribute. If it is mandatory, the server
cannot modify such attribute. If the server thinks that such attribute
is not valid, it can only answer with a denied authorization reply. Authorization requests can occur for three different kinds of services:
Authorization to the shell (Exec) Authorization to commands Authorization to network services List of Attribute-Value pairs attribute=value where the equal "=" sign means that the attribute is mandatory
and must be applied to the user (otherwise the authorization would fail),
while the asterisk "*" sign represents an optional attribute
that can be applied or not by the NAS. See list of AV pairs supported by the Cisco NAS (with IOS operating system). See how ClearBox Server processes TACACS+
authorization packets. © 2001-2003 XPerience Technologies. www.xperiencetech.com |
Created by chm2web html help conversion utility. |