Realm Authorization Settings
This dialog is used to configure the so-called authorization lists. They are applied to an
access request after it has been accepted by the authentication process. Only the
'Reject-Response' list is applied to requests rejected by authentication.
These lists let you create flexible authorization rules. A list may contain plain
attributes that you define explicitly, or attributes retrieved from a database or
directory service. Thus you may combine static, unconditional attributes that apply to
all users in the realm with attributes retrieved from a database for particular users.
Black List
Add the attributes that SHOULD NOT be present in the request packet to the Black List.
In this way you explicitly define which attributes are not granted. The server looks
through the realm Black List, and if any attribute from the list is found in the
request, the user's connection is denied. You may configure whether both the attribute
name and value must match, or whether the presence of the attribute with any value is
sufficient to reject the request.
Various policies can be constructed with the help of this list. For example, the
Calling-Station-Id attribute can be added to block users who dial in from a particular
phone number.
Click "+" to add an attribute to the list. When the dialog window appears, select an
attribute name from the first drop-down list. Select its value, or type it yourself, in
the second drop-down list if you require exact attribute matching, or check the
Ignore attribute value option to reject all requests that carry the attribute with
any value.
You may use regular expressions for flexible attribute comparison. Check the 'Value is
a regular expression' option to specify that the Value box contains a regular
expression pattern. For example, if you check this option, select the
'Calling-Station-Id' attribute and set the value '800.+', the server will reject all
requests whose Calling-Station-Id attribute value starts with '800'. A full
description of the regular expression syntax is available here.
Click Attributes by database query to specify that ClearBox Server should include
in the list attributes retrieved by a database query. Select a data source from the
list and type in a SQL command. ClearBox expects the query to select several rows
consisting of one or two fields. The first field is mandatory and ALWAYS contains
either a string value (the attribute name) or a numeric value (the attribute type
number). The second field is optional and denotes the attribute value. ClearBox can
read attribute values from text, numeric, binary and date/time fields. If the query
returns only one field, the attributes are compared against the request attributes by
name only (the same as Ignore attribute value for plain attributes).
You may use the special keys ($u, $r, $c, $n, explained here) and any request RADIUS
attributes in the command string.
For example, if you configure the query

    SELECT Attribute, [Value] FROM UserDeniedAttributes
    WHERE UserID IN (SELECT ID FROM Users WHERE Username='$u')
    and {Framed-Protocol}=1

then on receipt of an access request with user name 'john' and Framed-Protocol = 1 it
is executed as

    SELECT Attribute, [Value] FROM UserDeniedAttributes
    WHERE UserID IN (SELECT ID FROM Users WHERE Username='john') and 1=1
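As an added example (not ClearBox code), the key and attribute substitution and the row handling described above, simulated in Python against constructed in-memory SQLite tables; the same template mechanism is used by the Check List and Response List queries below. Table and column names are those of the text, $r, $c and $n are not modelled, and the parameterized variant is this example's own hardening, not a documented ClearBox feature.

```python
import re
import sqlite3

# The Black List query exactly as written in the text above.
PAGE_QUERY = ("SELECT Attribute, [Value] FROM UserDeniedAttributes "
              "WHERE UserID IN (SELECT ID FROM Users WHERE Username='$u') "
              "and {Framed-Protocol}=1")

def expand_template(sql, request):
    """Textual expansion as the text describes: $u -> User-Name, {Attr} -> the
    request attribute's value (empty if absent). $r, $c, $n are not modelled.
    Used for logging only; the expanded text is never executed here."""
    out = sql.replace("$u", str(request.get("User-Name", "")))
    return re.sub(r"\{([^}]+)\}", lambda m: str(request.get(m.group(1), "")), out)

def parameterize(sql, request):
    """Hardened equivalent (this example's own choice): each placeholder, with any
    quotes around it, becomes a bound parameter, so request values stay data."""
    params = []
    def bind(m):
        key = m.group(1)
        params.append(request.get("User-Name" if key == "$u" else key[1:-1], ""))
        return "?"
    return re.sub(r"'?(\$u|\{[^}]+\})'?", bind, sql), params

def rows_to_items(rows):
    """Rows -> (attribute, value). The first field is a name (str) or type number
    (int); a missing or NULL second field means compare by name only (assumption:
    NULL is treated like a one-field row)."""
    return [(r[0], r[1] if len(r) > 1 else None) for r in rows]

def denied_attributes(request):
    """Run the realm's query against constructed sample tables (in-memory SQLite)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Users(ID INTEGER, Username TEXT);
        CREATE TABLE UserDeniedAttributes(UserID INTEGER, Attribute TEXT, Value TEXT);
        INSERT INTO Users VALUES (1, 'john'), (2, 'alice');
        INSERT INTO UserDeniedAttributes VALUES
            (1, 'Calling-Station-Id', '8005551234'),
            (1, 'Service-Type', NULL),
            (2, 'NAS-Port-Type', 'ISDN');""")
    stmt, params = parameterize(PAGE_QUERY, request)
    return rows_to_items(con.execute(stmt, params).fetchall())
```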
Click Attributes from LDAP directory to specify that ClearBox Server should include
in the list attributes retrieved from an LDAP directory. Select an LDAP server from
the list. Type in the base DN of the object whose attributes are retrieved. You may
use the special keys ($u, $r, $c, $n, explained here) and any request RADIUS
attributes in this template string. Type in a search filter to specify which
attributes should be filtered out of the result set.
ClearBox uses a special attribute mapping table to convert an attribute retrieved
from a directory into a valid RADIUS attribute. Click LDAP -> RADIUS Attributes
Mapping to open it for editing. Select the target RADIUS attribute in the left
drop-down list and type the corresponding LDAP attribute name in the right box. Click
Add to add this pair to the table; select a pair from the list and click Remove to
remove it. You may check the Override LDAP attribute with a fixed value option to
put a static value into the RADIUS attribute instead of the LDAP attribute's value.
Check List
The Check List is an alternative to the Black List. You place the RADIUS attributes
that SHOULD be present in the request in this list. The request is accepted only if
all attributes from the Check List are present in the request. You may configure
whether both the attribute name and value must match, or whether equal attribute names
are sufficient to accept the request. An attribute in the list can be marked as
'default'; in this case the attribute may be absent from the request.
A variety of rules can be enforced by including appropriate attributes in the Check
List. Only certain users might be permitted to use ISDN connections or to dial in to a
particular NAS, or the Caller ID could be used to validate a user against a list of
legitimate originating phone numbers.
Click "+" to add an attribute to the list. When the dialog window opens, select an
attribute name from the first drop-down list. Select its value, or type it yourself,
in the second drop-down list if you require exact attribute matching, or check the
Ignore attribute value option to require only that an attribute with this name be
present in the request, whatever its value.
When an attribute is added with the May be not present in the request packet
option, ClearBox can authorize a request even if the attribute is not present in the
packet.
You may use regular expressions for flexible attribute comparison. Check the 'Value is
a regular expression' option to specify that the Value box contains a regular
expression pattern. For example, if you check this option, select the
'Calling-Station-Id' attribute and set the value '800.+', the server will accept only
the requests whose Calling-Station-Id attribute value starts with '800'. A full
description of the regular expression syntax is available here.
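The Black List and Check List evaluation rules described in the two sections above (name-only match via Ignore attribute value, exact match, 'Value is a regular expression', and the Check List's default items), as an added Python simulation that is not ClearBox code. Item field names are this example's own, a request is modelled as a single-valued name-to-value dictionary, and the regular expression is assumed to be anchored at the start of the value, which is how the text reads '800.+'.

```python
import re
from dataclasses import dataclass

@dataclass
class ListItem:
    """One Black List / Check List entry as configured in the dialog.
    ignore_value  = 'Ignore attribute value' (match by name only)
    is_regex      = 'Value is a regular expression'
    may_be_absent = Check List 'May be not present in the request packet'"""
    name: str
    value: str = ""
    ignore_value: bool = False
    is_regex: bool = False
    may_be_absent: bool = False

def item_matches(item, request):
    """True if the request carries an attribute satisfying this item."""
    if item.name not in request:
        return False
    if item.ignore_value:
        return True
    actual = str(request[item.name])
    if item.is_regex:
        # Anchored at the start (assumption), so '800.+' means "begins with 800".
        return re.match(item.value, actual) is not None
    return actual == item.value

def black_list_rejects(items, request):
    """Black List: a single matching item denies the connection."""
    return any(item_matches(i, request) for i in items)

def check_list_accepts(items, request):
    """Check List: every item must match, except that a default item may be
    absent from the request; a present attribute must still satisfy the item."""
    for item in items:
        if item.may_be_absent and item.name not in request:
            continue
        if not item_matches(item, request):
            return False
    return True
```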
Click Attributes by database query to specify that ClearBox Server should include
in the list attributes retrieved by a database query. Select a data source from the
list and type in a SQL command. The query should select rows consisting of one or two
fields. The first field is mandatory and ALWAYS contains either a string value (the
attribute name) or a numeric value (the attribute type number). The second field is
optional and denotes the attribute value.
| Field | Meaning | Type |
| 1 | Attribute name | string (name) / integer (attribute number) |
| 2 (optional) | Attribute value | any |
You may use the special keys ($u, $r, $c, $n, explained here) and any request RADIUS
attributes in the command string.
Both plain and database Check List items may contain private RADIUS attributes.
Currently Login-Time is supported.
Click Attributes from LDAP directory to specify that ClearBox Server should include
in the list attributes retrieved from an LDAP directory. Select an LDAP server from
the list. Type in the base DN of the object whose attributes are retrieved. You may
use the special keys ($u, $r, $c, $n, explained here) and any request RADIUS
attributes in this template string. Type in a search filter to specify which
attributes should be filtered out of the result set.
ClearBox uses a special attribute mapping table to convert an attribute retrieved
from a directory into a valid RADIUS attribute. Click LDAP -> RADIUS Attributes
Mapping to open it for editing. Select the target RADIUS attribute in the left
drop-down list and type the corresponding LDAP attribute name in the right box. Click
Add to add this pair to the table; select a pair from the list and click Remove to
remove it.
Response List
The Response List defines which attributes should be included in the successful
response packet granting access to a user.
The Response List usually provides additional parameters that the NAS needs to
complete the connection, typically as part of PPP negotiation. In other words, the
Response List defines a connection profile: a set of properties that are applied to a
connection when it is authorized.
By including appropriate attributes in the Response List, a variety of connection
policies can be applied. Specific users can be assigned particular IP addresses or IPX
network numbers, IP header compression can be turned on or off, or a time limit can be
assigned to the connection.
Click "+" to add an attribute to the list. When the dialog opens, select an attribute
name from the first drop-down list. Select its value, or type it yourself, in the
second drop-down list.
You may mark an attribute as 'echoed' (the Can be taken from the request packet
option). This means that ClearBox should take the value for this attribute from the
request packet if it is present there. Suppose you have added Service-Type=Framed
[echo] to the Response List. If the request has no Service-Type, ClearBox Server
adds Service-Type=Framed to its response. If instead the request contains
Service-Type=Login, ClearBox echoes this value and includes Service-Type=Login in
the response.
Click the Attributes by database query option to specify that ClearBox Server
should retrieve the attribute-value list by a database query. Select a data source
from the list and type in a SQL command.
The SQL command should select rows consisting of two fields. The query may either
a) select a non-negative value to reject the user and pass it as a hint to the
Reject-Response List, or b) select attribute rows. In the latter case the first field
ALWAYS contains either a string value (the attribute name) or a numeric value (the
attribute type number), and the second field contains the attribute value.
Besides the special keys $u, $r, $c, $n, you may insert RADIUS attributes from the
request packet into the command string (explained here).
| Field | Meaning | Type |
| 1 | Attribute name | string (name) / integer (attribute number) |
| 2 (optional) | Attribute value | any |
Sample query:

    SELECT 'Session-Time', TimeCredit
    FROM Users WHERE Name='$u' AND
    CallerID='{Calling-Station-ID}'
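An added example (not ClearBox code) of assembling a Response List as described in the two passages above: plain items with the echo option, plus rows returned by the database query, where a numeric first field is resolved through the standard RADIUS attribute type numbers. The item shapes, the precedence of query rows over plain items and the sample values are this example's own assumptions.

```python
# Standard RADIUS attribute type numbers (RFC 2865) used when a query row's first
# field is numeric; extend as needed. Names and sample values here are constructed.
ATTRIBUTE_NAMES = {6: "Service-Type", 8: "Framed-IP-Address", 27: "Session-Timeout"}

def resolve_name(first_field):
    """First field of a query row: a string is the attribute name, an integer is
    the attribute type number."""
    return ATTRIBUTE_NAMES[first_field] if isinstance(first_field, int) else first_field

def build_response(plain_items, query_rows, request):
    """Assemble the attributes of the Access-Accept.
    plain_items: (name, value, echo) as configured in the dialog; echo is the
                 'Can be taken from the request packet' option.
    query_rows:  (name-or-number, value) rows returned by the Response List query;
                 applied after the plain items (assumed precedence)."""
    response = {}
    for name, value, echo in plain_items:
        # Echoed item: prefer the request's own value when the attribute is present.
        response[name] = request[name] if echo and name in request else value
    for first, value in query_rows:
        response[resolve_name(first)] = value
    return response
```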
Click Attributes from LDAP directory to specify that ClearBox Server should include
in the list attributes retrieved from an LDAP directory. Select an LDAP server from
the list. Type in the base DN of the object whose attributes are retrieved. You may
use the special keys ($u, $r, $c, $n, explained here) and any request RADIUS
attributes in this template string. Type in a search filter to specify which
attributes should be filtered out of the result set.
ClearBox uses a special attribute mapping table to convert an attribute retrieved
from a directory into a valid RADIUS attribute. Click LDAP -> RADIUS Attributes
Mapping to open it for editing. Select the target RADIUS attribute in the left
drop-down list and type the corresponding LDAP attribute name in the right box. Click
Add to add this pair to the table; select a pair from the list and click Remove to
remove it.
Reject-Response List
The Reject-Response List defines which attributes should be included in the
Access-Reject response packet sent when a user's authentication request is rejected.
The Reject-Response List may be used in VoIP applications, for instance, to return the
h323-return-code attribute to an IVR script.
Click "+" to add an attribute to the list. When the dialog opens, select an attribute
name from the first drop-down list. Select its value, or type it yourself, in the
second drop-down list.
Click the Attributes by database query option to specify that ClearBox Server
should include in the list attributes retrieved by a SQL query to a database. Select a
data source from the list and type in the SQL command. The SQL command should return
rows consisting of two fields. The first field ALWAYS contains either a string value
(the attribute name) or a numeric value (the attribute type number). The second field
contains the attribute value.
The command may use any of the common keys, $h (a hint possibly returned by
authentication commands or Response List items) and RADIUS attributes.
| Field | Meaning | Type |
| 1 | Attribute name | string (name) / integer (attribute number) |
| 2 (optional) | Attribute value | any |
Click Attributes from LDAP directory to specify that ClearBox Server should include
in the list attributes retrieved from an LDAP directory. Select an LDAP server from
the list. Type in the base DN of the object whose attributes are retrieved. You may
use the special keys ($u, $r, $c, $n, explained here) and any request RADIUS
attributes in this template string. Type in a search filter to specify which
attributes should be filtered out of the result set.
ClearBox uses a special attribute mapping table to convert an attribute retrieved
from a directory into a valid RADIUS attribute. Click LDAP -> RADIUS Attributes
Mapping to open it for editing. Select the target RADIUS attribute in the left
drop-down list and type the corresponding LDAP attribute name in the right box. Click
Add to add this pair to the table; select a pair from the list and click Remove to
remove it.
Click 'Apply Changes' to save list changes.
© 2001-2007 XPerience Technologies. www.xperiencetech.com