Realm Authorization Settings
This dialog lets you configure so-called authorization lists. They are
applied to an access request received by ClearBox and let you create
flexible authentication/authorization rules. They are part of the authentication
process the server uses to validate access requests.
The lists may contain plain attributes that you define explicitly, or
attributes retrieved by queries to a database source. Thus you may use static, unconditional
attributes for all users in the realm, together with attributes retrieved from a database
that are specific to particular users.
Black List
You add to the first list, Auto-Reject, or
Black List, attributes that SHOULD NOT be present in the request
packet. Thus you may explicitly define what attributes are not granted.
The server looks through the realm reject list, and if any of the attributes
from the list is found in the request, the request is rejected. You
may configure that both attribute name and value must match, or that it is
sufficient for the attribute names to be equal to reject the request.
Various policies can be constructed with the help of this list. For example,
Calling-Station-ID attribute can be added to block users who dial
in from a particular phone number.
Click "+" to add an attribute to the list. When the
dialog window is brought up, select an attribute name from the first
drop list. Select its value or type it yourself in the second drop-down
list if you require exact attribute matching or check Ignore attribute
value option to reject all requests with such attribute whatever
value it has.
Click Attributes by database query to specify that ClearBox Server
should include in the list attributes retrieved by a query to a database.
Select a data source from the list and type in the query. ClearBox expects
the query to return rows consisting of one or two fields. The first field
ALWAYS holds either a string value (the attribute name) or a numeric value (the attribute
type number). The second field is optional and may hold the attribute
value. ClearBox can read attribute values from text, numeric, binary and
date/time fields. If the query returns only one field, attributes are
compared against attributes from the request by their names only
(same as Ignore attribute value for plain attributes).
You may use special keys in queries to substitute user name and realm
from the request packet:
$u, $r, $c, $n. Their meaning is explained
here.
For example, if you configure the query <SELECT Attribute, [Value]
FROM UserAttributes WHERE UserID IN (SELECT ID FROM Users WHERE Username='$u')>
then on reception of an access request with user name 'john' it's executed
as <SELECT Attribute, [Value] FROM UserAttributes WHERE UserID
IN (SELECT ID FROM Users WHERE Username='john')>.
You may use regular expressions to compare attribute values from a
request with the value configured here. Check the 'Value
is a regular expression' option to specify that the Value
box holds a regular expression pattern. For example, check this option,
select the 'Calling-Station-Id' attribute and set the value '800+'. This means
that the server will reject all requests where the Calling-Station-Id
attribute value starts with '800'. Full description of regular expression
syntax is placed here.
Check List
The Check List, or RequestMatch list,
is an alternative to the Auto-Reject List. You place here RADIUS
attributes that SHOULD be present in the request. The request is accepted
only if all attributes from the Check List are present in the request.
You may configure that both attribute name and value must match, or that it is
sufficient for the attribute names to be equal to accept the request.
An attribute in the list can be marked as 'default'. In this case the
attribute need not be present in the request.
A variety of rules could be enforced by including appropriate attributes
in the Check List. Only certain users might be permitted to use ISDN
connections, or dial in to a particular NAS. Or, Caller ID could be used
to validate a user against a list of legal originating phone numbers.
Click "+" to add an attribute to the list. When a
dialog window opens, select an attribute name from the first drop list.
Select its value or type it yourself in the second drop-down list if
you require exact attribute matching, or check the Ignore attribute value
option to require only that an attribute with that name be present in the request,
whatever value it has.
When an attribute is added with the option May be not present in
the request packet, it means that ClearBox can authorize a request
if such attribute is not present in the packet.
Click Attributes by database query to specify that ClearBox Server
should include in the list attributes retrieved by a query to a database.
Select a data source from the list and type in the query. The query
should return rows consisting of one or two fields. The first field
ALWAYS holds either a string value (the attribute name) or a numeric value (the attribute
type number). The second field is optional and may hold the attribute value.
You may use the following special keys in queries to substitute user
name and realm from the request packet: $u, $r, $c, $n,
described above.
Both plain and database check list items may contain private
RADIUS attributes. Currently Login-Time is supported.
You may use regular expressions to compare attribute values from a
request with the value configured here. Check the 'Value
is a regular expression' option to specify that the Value
box holds a regular expression pattern. For example, check this option,
select the 'Calling-Station-Id' attribute and set the value '800+'. This means
that the server will accept only requests where the Calling-Station-Id
attribute value starts with '800'. Full description of regular expression
syntax is placed here.
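Putting the Black List and Check List rules above into code, as an added example that is not ClearBox's own code: it evaluates a constructed request against both lists, covering an exact match, Ignore attribute value, the page's '800+' regular-expression value, and a Check List item marked as default. The evaluation order (Black List before Check List) is an assumption.

```python
import re
# Constructed sample Access-Request as a name -> value map (not ClearBox's data).
REQUEST = {
    "User-Name": "john",
    "Calling-Station-Id": "8005551234",
    "NAS-Port-Type": "ISDN",
}

def item_matches(item, request):
    """One configured list item against the request.
    item keys: name; optional value, ignore_value, regex."""
    if item["name"] not in request:
        return False
    if item.get("ignore_value"):           # name alone is enough
        return True
    actual = str(request[item["name"]])
    if item.get("regex"):                  # 'Value is a regular expression'
        return re.match(item["value"], actual) is not None
    return actual == str(item["value"])    # exact name and value match

def black_list_rejects(black_list, request):
    """Auto-Reject list: any single matching item rejects the request."""
    return any(item_matches(item, request) for item in black_list)

def check_list_accepts(check_list, request):
    """RequestMatch list: every item must match, except an item marked
    'default' (May be not present) whose attribute is absent from the packet."""
    for item in check_list:
        if item_matches(item, request):
            continue
        if item.get("default") and item["name"] not in request:
            continue
        return False
    return True

def authorize(request, black_list, check_list):
    """Assumed evaluation order: Black List first, then Check List."""
    if black_list_rejects(black_list, request):
        return "rejected by Black List"
    if not check_list_accepts(check_list, request):
        return "rejected by Check List"
    return "accepted"

# Constructed lists: '800+' is the page's regex example; Framed-Protocol is default.
BLACK_LIST = [{"name": "Calling-Station-Id", "value": "800+", "regex": True}]
CHECK_LIST = [
    {"name": "NAS-Port-Type", "value": "ISDN"},
    {"name": "Framed-Protocol", "value": "PPP", "default": True},
]
```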
Reply List
The Reply List defines what attributes
should be included in the successful response packet granting access to
a user.
The Reply List usually provides additional parameters that the
NAS needs to complete the connection, typically as part of PPP negotiations.
In other words the Response List defines a profile, a set of properties
that are applied to a connection when the connection is authorized.
By including appropriate attributes in the Response List, a variety of
connection policies could be applied. Specific users could be assigned
particular IP addresses or IPX network numbers, IP header compression
could be turned on or off, or a time limit could be assigned to the connection.
Click "+" to add an attribute to the list. When a dialog
opens, select an attribute name from the first drop list. Select its value
or type it yourself in the second drop-down list.
You may mark an attribute as 'echoed' (the Can be taken from the request
packet option). It means that ClearBox takes the value for this
attribute from the matching attribute in the request packet, if there is one, rather than from
the Response List. Suppose you have an attribute Service-Type=Framed
[echo]. If the request has no Service-Type then the response
will contain Service-Type=Framed. Otherwise, if there is Service-Type=Login
in the request, ClearBox will echo this value and include Service-Type=Login
in the response.
Click Attributes by database query option to specify that ClearBox
Server should include in the list attributes retrieved by a query to a
database. Select a data source from the list and type in the query. The
query should return rows consisting of two fields. The first field ALWAYS
holds either a string value (the attribute name) or a numeric value (the attribute type number).
The second field contains the attribute value.
Besides special keys, $u, $r, $c, $n, you may insert attribute
values from the request packet into the query. Read
more about this.
Sample query: <SELECT 'Session-Time', TimeCredit FROM Users WHERE
Name='$u' AND CallerID='{Calling-Station-ID}'>
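The echo rule and the query substitution described above, as an added example that is not ClearBox's own code. The request map and Reply List are constructed; only the $u and {Attribute} placeholders used in the two sample queries on this page are expanded, by plain text replacement as the samples show.

```python
import re

# Constructed sample request and configuration (not ClearBox's own code or data).
REQUEST = {
    "User-Name": "john",
    "Calling-Station-ID": "2125550100",
    "Service-Type": "Login",
}
# Reply List items: (attribute name, configured value, echo flag)
REPLY_LIST = [
    ("Service-Type", "Framed", True),    # 'Can be taken from the request packet'
    ("Framed-Protocol", "PPP", False),
    ("Framed-IP-Address", "10.0.0.7", False),
]
SAMPLE_QUERY = ("SELECT 'Session-Time', TimeCredit FROM Users WHERE "
                "Name='$u' AND CallerID='{Calling-Station-ID}'")

def build_reply(reply_list, request):
    """Echoed items take the request's value when the attribute is present,
    otherwise the configured value; plain items always use the configured value."""
    reply = {}
    for name, value, echo in reply_list:
        reply[name] = request[name] if echo and name in request else value
    return reply

def expand_query(template, request):
    """Expand $u (user name) and {Attribute} placeholders by plain text
    substitution, as the page's sample query shows. Because packet contents
    land directly in the SQL text, a real implementation should bind them
    as query parameters instead of interpolating them."""
    text = template.replace("$u", str(request.get("User-Name", "")))
    return re.sub(r"\{([A-Za-z0-9-]+)\}",
                  lambda m: str(request.get(m.group(1), "")), text)
```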
Click 'Apply Changes' to save list changes.
© 2001-2004 XPerience Technologies. www.xperiencetech.com