Cosign Authentication - ADTRAN BlueSecure Controller Setup And Administration Manual

Software release version: 6.5

Chapter 6: Authentication Using External Servers
The Port number should be 88, the value assigned to Kerberos by the Internet Assigned Numbers Authority.
3. Enter the Kerberos realm name in the Realm Name field.
In Kerberos, realm names are case sensitive. While it is strongly encouraged that all realm names be uppercase, this recommendation has not been adopted by all sites.
Accounting
To enable RADIUS accounting for this server, select the name of the external RADIUS
accounting server from the Accounting server drop-down list. See "RADIUS Accounting"
on page 7-1 to configure a new RADIUS accounting server for selection in the drop-down
list. Alternatively, you can select the Create... option to open a window that enables you
to configure a new RADIUS accounting server. After you save the server information, you
are returned to the New Kerberos server page where you can select the RADIUS
accounting server from the drop-down list.
Mapping Kerberos attributes to roles
1. Define the rules to determine if the user is authenticated. For each rule:
a) Enter the appropriate Kerberos attribute in the Attribute field.
b) Select the appropriate logic operator (equal to, not equal to, starts with, ends with, contains, or [is a role]) from the Logic drop-down list.
c) Enter the appropriate Value to check against the specified attribute.
d) Select the role to assign to the user if the rule evaluates as true and the user is authenticated from the Role drop-down list.
See "Defining User Roles to Enforce Network Usage Policies" on page 8-2 to define a new role available for selection in the drop-down list.
Alternatively, select the Create New... option to open a window that enables you to define a new role. After you save the role information, you are returned to the New Kerberos server page where you can select the role from the drop-down list.
2. Optional. Use the commands included in the Row Management drop-down list to change the order of rules, add new blank rules, clear rule data, or delete a rule, etc.
Remember, the BSC evaluates rules in the order in which they are listed here on the New Kerberos server page.
3. Select the default user role from the Default role drop-down list. The selected default role is the role the BSC assigns the user if none of the rules is true.
Location
Optional. Specify the user location from which the Kerberos authentication request must originate by selecting a defined user location from the drop-down menu. If a user location is specified, the authentication request will not be attempted if the request does not come from that location.
Notes
Optional. Enter a meaningful description for the external Kerberos authentication server.
Saving the settings
Click Save to store the information to the BSC database or Save and create another to continue to define external Kerberos authentication servers.
You may be prompted to restart the BSC. We recommend that you do not restart the BSC until you have completely finished configuring the BSC for use in your network.

Cosign Authentication

Cosign ("Cookie Signer") is a web-based single sign-on system developed by the University of Michigan Web Services team.
Cosign sessions have both idle and hard timeouts. Users can log out of all Cosign-enabled web services by visiting a single URL.
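An added example, not from the ADTRAN manual or the BSC software: a Python model of the Kerberos attribute-to-role mapping rules, useful for checking rule order on paper before entering the rules on the New Kerberos server page. It assumes the first true rule decides the role and that comparisons are case sensitive; the attribute names, values and role names are constructed.

```python
from dataclasses import dataclass

# Operators named in the Logic drop-down list. "[is a role]" is omitted
# because the page does not describe how it is evaluated.
OPS = {
    "equal to": lambda actual, value: actual == value,
    "not equal to": lambda actual, value: actual != value,
    "starts with": lambda actual, value: actual.startswith(value),
    "ends with": lambda actual, value: actual.endswith(value),
    "contains": lambda actual, value: value in actual,
}

@dataclass(frozen=True)
class Rule:
    attribute: str
    logic: str
    value: str
    role: str

def matches(rule, attrs):
    # Assumption: a rule on an attribute the user lacks is not true.
    actual = attrs.get(rule.attribute)
    return actual is not None and OPS[rule.logic](actual, rule.value)

def assign_role(rules, attrs, default_role):
    """Walk the rules in listed order; the first true rule decides the role
    (assumed first-match), otherwise the default role applies."""
    for rule in rules:
        if matches(rule, attrs):
            return rule.role
    return default_role

def shadowed_for(rules, attrs):
    """Return (winner, loser) index pairs: both rules are true for this user
    but name different roles, so the later one never takes effect."""
    hits = [i for i, rule in enumerate(rules) if matches(rule, attrs)]
    return [(hits[0], i) for i in hits[1:] if rules[i].role != rules[hits[0]].role]

# Constructed sample data: attribute names, values and roles are hypothetical.
RULES = [
    Rule("realm", "equal to", "EXAMPLE.EDU", "Staff"),
    Rule("principal", "starts with", "guest-", "Restricted"),
]
GUEST = {"principal": "guest-42", "realm": "EXAMPLE.EDU"}

if __name__ == "__main__":
    print(assign_role(RULES, GUEST, "Unregistered"))        # broad rule wins
    print(shadowed_for(RULES, GUEST))                       # restrictive rule is shadowed
    print(assign_role(RULES[::-1], GUEST, "Unregistered"))  # reordered table
```

With the broad realm rule listed first, the guest principal is given the wider role; listing the restrictive rule first corrects this.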
