Realm Authorization Settings
This dialog lets you configure authorization lists. They are applied to an
access request after it has been accepted during the authentication
process. Only the 'Reject-Response' list is applied to requests
rejected by authentication.
These lists allow you to create flexible authorization rules. The
lists may contain plain attributes that you define explicitly, or
attributes retrieved from a database or directory service. Thus you may use
static, unconditional attributes for all users in the realm, and
attributes retrieved from a database specific for particular
You add the attributes that SHOULD NOT be present in the request
packet to the Black List.
Thus you may explicitly define which attributes are not granted. The
server looks through the realm Black List, and if any of the
attributes from the list is found in the request, the user
connection is denied. You may configure whether both the attribute name
and value must match, or whether the mere presence of the attribute,
whatever its value, is sufficient to reject the request.
Various policies can be constructed with the help of this list. For
example, the Calling-Station-ID attribute can be added to block
users who dial in from a particular phone number.
The Check List is an
alternative to the Black List. You place RADIUS attributes
that SHOULD be present in the request in the list. The request is
accepted only if all attributes from the Check List are
present in the request. You may configure whether both the attribute name
and value must match, or whether a matching attribute name alone
is sufficient to accept the request. An attribute in the list can
be marked as 'default'. In this case the attribute may be absent
from the request.
A variety of rules could be enforced by including appropriate
attributes in the Check List. Only certain users might be
permitted to use ISDN connections, or dial in to a particular NAS.
Or, Caller ID could be used to validate a user against a list of
legal originating phone numbers.
The Response List
defines what attributes should be included in the successful
response packet granting access to a user.
The Response List usually provides additional parameters
that the NAS needs to complete the connection, typically as part of
PPP negotiations. In other words, the Response List defines a
connection profile, a set of properties that are applied to a
connection when it is authorized.
By including appropriate attributes in the Response List, a variety
of connection policies could be applied. Specific users could be
assigned particular IP addresses or IPX network numbers, IP header
compression could be turned on or off, or a time limit could be
assigned to the connection.
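The list evaluation described above can be sketched as follows. This is an added example, not the server's own code: the names Rule and authorize, the sample attribute values, the order of evaluation (Black List before Check List), the handling of a present 'default' attribute, and the reuse of the Reject-Response attributes for authorization denials are all assumptions.

```python
# Added illustration; names and structure are hypothetical, not the product's API.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    value: str = ""
    match_value: bool = True   # False: the attribute name alone is enough
    default: bool = False      # Check List only: attribute may be absent

def _hit(rule, request):
    """True if the request carries the rule's attribute (and value, if required)."""
    if rule.name not in request:
        return False
    return not rule.match_value or request[rule.name] == rule.value

def authorize(request, black_list, check_list, response_list, reject_list):
    """Return (decision, reply attributes) for an already authenticated request."""
    # Black List: a single matching attribute denies the connection.
    for rule in black_list:
        if _hit(rule, request):
            return "Access-Reject", dict(reject_list)  # assumption: reject list reused
    # Check List: every entry must be satisfied.
    for rule in check_list:
        if rule.default and rule.name not in request:
            continue  # assumption: an absent 'default' attribute is not an error
        if not _hit(rule, request):
            return "Access-Reject", dict(reject_list)
    # Response List: the connection profile returned with the accept.
    return "Access-Accept", dict(response_list)

# Constructed sample realm configuration and requests.
BLACK = [Rule("Calling-Station-ID", "5550100")]
CHECK = [Rule("NAS-IP-Address", "192.0.2.10"),
         Rule("NAS-Port-Type", "ISDN", default=True)]
RESPONSE = {"Framed-IP-Address": "198.51.100.7", "Session-Timeout": "3600"}
REJECT = {"Reply-Message": "Not authorized for this realm"}

def demo():
    ok = {"User-Name": "alice", "NAS-IP-Address": "192.0.2.10"}
    blocked = dict(ok, **{"Calling-Station-ID": "5550100"})
    wrong_nas = {"User-Name": "alice", "NAS-IP-Address": "192.0.2.99"}
    wrong_port = dict(ok, **{"NAS-Port-Type": "Async"})
    return [authorize(r, BLACK, CHECK, RESPONSE, REJECT)[0]
            for r in (ok, blocked, wrong_nas, wrong_port)]

if __name__ == "__main__":
    print(demo())
```

Setting match_value=False on a Black List rule makes the presence of the attribute alone sufficient to deny, whatever value the request carries.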
The Reject-Response List defines what attributes should be included in the
Access-Reject response packet sent when user authentication request
The Reject List may be used in VoIP applications, for
instance, to return the h323-return-code attribute to an IVR
Click 'Apply Changes' to save list changes.
© 2001-2007 XPerience Technologies. www.xperiencetech.com