ADTRAN BlueSecure Controller Setup And Administration Manual page 126

Software release version: 6.5
Chapter 6: Authentication Using External Servers
4. Many other LDAP servers (e.g. Windows 2000/2003 Server Active Directory LDAP server) are not designed to store the user password in an MD4 hashed format. This necessitates the manual or automated conversion of the user password from clear text to an MD4 hash.
5. Make sure you mark the Remove Realm Name checkbox if the domain name is included in the username.

Enable EAP methods
Mark the radio buttons corresponding to the protocols (TTLS EAP, PAP, CHAP, MSCHAP or MSCHAP2; PEAP or FAST) you wish to use.
Inner authentication protocols can be proxied to the External RADIUS Server or authenticated by using the local user database on the BSC.

Force Re-authentication
Optional. Enter the period of time (in seconds) after which TTLS, PEAP, or FAST clients must re-authenticate in the Session Limit field.
The default setting is 1200 seconds (i.e., 20 minutes).

Session Resumption (Fast Reconnect)
1. Optional. Mark the Enable TLS session-resumption checkbox to utilize fast reconnect.
2. Enter the period of time (in hours) the BSC is to keep user session information in cache for fast reconnects in the Session Cache Timeout field.

Authentication Settings
Optional. Mark the Remove the realm from username checkbox if usernames include the realm information (i.e., domain name) and you wish to remove this before querying the local database. For example, jsmith@abc.com would become jsmith.

Accounting
To enable RADIUS accounting for this server, select the name of the external RADIUS accounting server from the Accounting server drop-down list. See "RADIUS Accounting" on page 7-1 to configure a new RADIUS accounting server for selection in the drop-down list. Alternatively, you can select the Create... option to open a window that enables you to configure a new RADIUS accounting server. After you save the server information, you are returned to the New RADIUS server page where you can select the RADIUS accounting server from the drop-down list.

Mapping Local 802.1X Authentication attributes to roles
1. Define the rules to determine if the user is authenticated. For each rule:
   a) Enter the appropriate Local 802.1X attribute in the Attribute field.
   b) Select the appropriate logic operator (equal to, not equal to, starts with, ends with, or contains) from the Logic drop-down list.
   c) Enter the appropriate Value to check against the specified attribute.
   d) Select the role to assign to the user if the rule evaluates as true and the user is authenticated from the Role drop-down list.
2. Optional. Use the commands included in the Row Management drop-down list to change the order of rules, add new blank rules, clear rule data, or delete a rule, etc. Remember, the BSC evaluates rules in the order in which they are listed here on the Local 802.1X Authentication server page.
3. Select a default user role from the Default role drop-down list. The selected default role is the role the BSC assigns the user if none of the rules are true. Alternatively, select an LDAP/Active Directory authentication server from the Using LDAP/Active Directory Server drop-down list to resume rules checking using the rules configured for the selected LDAP/Active Directory authentication server.

Location
Optional. Specify the user location from which the local 802.1X authentication request must originate by selecting a defined user location from the Location drop-down menu. If a user location is specified, the authentication request will not be attempted if the request does not come from that location.

Notes
Optional. Enter a description for the internal BSC 802.1X authentication server.

6-22
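The ordered, first-match rule evaluation described under "Mapping Local 802.1X Authentication attributes to roles", together with the realm stripping from the Authentication Settings row, modelled as an added Python example (this is not BSC code; the attribute names Username and Group and the role names are hypothetical):

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# The five logic operators offered in the Logic drop-down list.
OPERATORS = {
    "equal to": lambda actual, expected: actual == expected,
    "not equal to": lambda actual, expected: actual != expected,
    "starts with": lambda actual, expected: actual.startswith(expected),
    "ends with": lambda actual, expected: actual.endswith(expected),
    "contains": lambda actual, expected: expected in actual,
}


@dataclass(frozen=True)
class Rule:
    attribute: str  # Local 802.1X attribute name (hypothetical names used below)
    logic: str      # one of the OPERATORS keys
    value: str      # value compared against the attribute
    role: str       # role assigned when the rule is true


def strip_realm(username: str) -> str:
    """'Remove the realm from username': jsmith@abc.com -> jsmith."""
    return username.split("@", 1)[0]


def evaluate(rules: List[Rule], attributes: Dict[str, str], default_role: str,
             authenticated: bool = True) -> Optional[str]:
    """Walk the rules in listed order; the first true rule wins, else the default role.

    A role is only assigned to an authenticated user, so an unauthenticated
    request yields no role at all (assumption: modelled as None).
    """
    if not authenticated:
        return None
    for rule in rules:
        if rule.logic not in OPERATORS:
            raise ValueError(f"unknown logic operator: {rule.logic!r}")
        actual = attributes.get(rule.attribute)
        if actual is None:          # attribute absent from the request: rule cannot match
            continue
        if OPERATORS[rule.logic](str(actual), rule.value):
            return rule.role
    return default_role


if __name__ == "__main__":
    # Constructed sample: rule order decides which role a matching user receives.
    rules = [Rule("Group", "equal to", "staff", "Staff"),
             Rule("Username", "starts with", "guest", "Guest")]
    attrs = {"Username": strip_realm("guest01@abc.com"), "Group": "staff"}
    print(evaluate(rules, attrs, "Unregistered"))            # Staff (first rule listed)
    print(evaluate(rules[::-1], attrs, "Unregistered"))      # Guest (order reversed)
```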