I have several different platforms from 2 different companies and I want them all to use the UAC as a Radius Box.
The question is, how do I differentiate which Policies these devices access?
The only thing I can think of is to have the UAC listen on multiple IP Addresses and somehow try to create unique sign in policies based on these IPs. I've been trying to do this without much luck.
If anyone is doing this could you please point me in the right direction? Thanks.
Yes, I believe creating a different sign-in policy per company will work. You could then create a different user realm per company and assign the specific company's user realm to the specific sign-in policy. This allows a specific company to sign in using a specific sign-in URL. From each company user realm's role mapping policy, you could then assign a different role to differentiate users, i.e. a 'juniper' role for juniper users. Then company-specific policies will be assigned to this company-specific role.
You could also create multiple location groups and then assign the sign-in policy to the location group, and assign the RADIUS Client to the company's specific location group. Please note that a RADIUS Client can only be assigned to one location group. Hence the RADIUS Client can only be utilized for one company. You could not share the RADIUS Client among companies.
thanks
Raheel Anwar
can do this without making UAC listen on multiple IP Addresses:
boom, you are done!!
I hope you know the rest.
Thanks,
Our problem is though we have 2 distinct companies on one NAS. So if we define location group by Source IP, both companies will go to the same location group and have to rifle through 2 distinct LDAP databases. We can't define 2 IPs on the NAS and separate off the requests.
So given that, is our situation OK? Multiple Virtual Ports? Is there a better way?
Thanks,
Justin
I just read your posts again and I think I answered my own question. We are going to use multiple IPs. I think we'll only need a few. I'd consider having the users choose a realm but my users would find it annoying. (much like I find them annoying)
Thanks very much for your help.
Justin