Realm Rules Settings
This dialog lets you define a realm rule which determines when
the realm is selected to process a newly received authentication or
accounting request from a client. Realm rules also let you specify
user name transformations.
Realm ID. This is an arbitrary name given to the realm at
its creation and uniquely identifying it. No two realms may have
equal IDs.
Default realm. Check this option to mark a realm as
default, i.e. the one selected for request handling when no other
matching realm is found. Note that only one realm can be
marked as 'default'.
None. Select this option to turn off realm matching
rules. This realm can then be chosen for packet handling only if it is
marked as default or selected as default in the client settings.
Available realm rules
By user name. Select this option if a realm should handle
requests whose user name is in the form <user name><some
delimiter><user domain name> or <user domain
name><some delimiter><user name>, where the most
common delimiter is the at sign '@'.
- Domain/user name delimiter. Specifies what character
separates the user name and the domain name. The most common cases are @, \
or /.
- Domain. The realm matches a request if the domain name
is equal to this parameter. If this field is empty, the realm
ALWAYS matches a request. Some examples: if the user
name in the request is 'mike@mydomain.com', the Domain field is
set to 'mydomain' and the Domain/user delimiter is @, then this
realm matches the request. If Domain is empty, both
'mike@mydomain.com' and 'mike@anotherdomain.com' match the
realm rule. But if Domain is set to some other
value (e.g. 'third_domain.com'), this realm will not be
selected to process the request.
- Domain name comes first. Check this option if you
expect user names to be in the <user domain name><some
delimiter><user name> form (e.g. OUR_OFFICE\Michael). If the
user name precedes the domain name (e.g. Michael@our_office.com),
uncheck this option.
- Strip domain name. Check this option if you need to
strip the domain name off the user name included in the
request and authenticate only the actual user name. The user name (denoted
as $u) will be the short part, while
{User-Name} is the full original name. This option is useful when
users enter their full login like user@domain.com, while only the short
'user1' is stored in the authentication database.
- Return changed name in Access-Accept. This option is
used together with Strip domain name and causes the actual user name to be
included in the Access-Accept packet granting access to the user. The
RADIUS client should then include this new name in subsequent
accounting requests.
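The following model of the 'By user name' rule is an added example, not ClearBox code: it applies the delimiter, Domain, Domain name comes first and Strip domain name settings to a request name and returns what the dialog calls {User-Name} and $u. It assumes the Domain field is compared exactly (ignoring letter case), which the page does not state.

```python
from typing import NamedTuple

class RealmMatch(NamedTuple):
    selected: bool
    full_name: str    # what the dialog calls {User-Name}: the original name
    auth_name: str    # what the dialog calls $u: the name actually authenticated

def by_user_name(request_name: str, delimiter: str, domain: str,
                 domain_first: bool, strip_domain: bool) -> RealmMatch:
    # Model of the 'By user name' realm rule (added example, not ClearBox code).
    # delimiter    -> 'Domain/user name delimiter' ('@', '\\' or '/')
    # domain       -> 'Domain' field; empty means the realm ALWAYS matches
    # domain_first -> 'Domain name comes first' (OUR_OFFICE\Michael)
    # strip_domain -> 'Strip domain name' (authenticate the short name only)
    if delimiter in request_name:
        if domain_first:
            dom, user = request_name.split(delimiter, 1)
        else:
            user, dom = request_name.rsplit(delimiter, 1)
    else:
        user, dom = request_name, ""       # no delimiter: no domain part at all
    # Assumption: the Domain field is compared exactly, ignoring letter case.
    selected = domain == "" or dom.lower() == domain.lower()
    if not selected:
        return RealmMatch(False, request_name, request_name)
    return RealmMatch(True, request_name, user if strip_domain else request_name)

if __name__ == "__main__":
    print(by_user_name("mike@mydomain.com", "@", "", False, True))
    print(by_user_name("OUR_OFFICE\\Michael", "\\", "OUR_OFFICE", True, True))
```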
By fully qualified user name. This option is an advanced
version of the previous rule type. Select it when a user name may
come in one of the listed forms with an arbitrary domain or a list of
domains. This rule is particularly useful when a realm should be
selected during the inner PEAP authentication phase.
- Use this rule only for wireless PEAP inner
authentication. In PEAP wireless authentication, a supplicant
may send a fake user name in the so-called 'outer' phase and send the real
user name only during the secure, SSL-encrypted so-called 'inner'
authentication phase. Set this option if a realm should be
selected by this real user name sent through the inner secure
channel. The realm won't be chosen for simple authentication.
- Possible forms. Mark one or more combinations of user
name and domain form which a full user name may take.
- Where domain is.... Click Any string
if a user name may come from any domain, or use the + and - buttons to set
the list of allowed domains.
- Strip domain name. Check this option if you need to
strip the domain name off the user name included in the
request and authenticate only by the actual user name (denoted as
$u), while {User-Name} is the full
original name.
By client IP address. Choose this option to select the realm
according to the source IP address of a request. (Note that the NAS
address may differ from the client address: the original request issued by
a NAS may be forwarded to the server by a RADIUS proxy; in this case
that proxy is the RADIUS client.) You may add several clients to
the list of realm clients.
Click the "+" button to add a client from the list.
Click the "—" button to remove a client from the list.
Besides selecting a statically defined
client, you may add a so-called 'dynamic client' address, used
when the client secret was retrieved from a data source. This
address may contain wildcards. For example, 192.168.2.* means that
this realm is selected for request handling for all clients with
addresses in the range [192.168.2.1 - 192.168.2.255].
By RADIUS attributes. Choose
this option when a realm should be selected by one or several
attributes from a request packet. ClearBox Server may select a realm if
an attribute is present in the request, is not present, or its value is
equal or not equal to some value.
Click the "+" button to add a new condition. Choose an
attribute name from the first drop-down list. Then select
its value in the second list or type the value yourself. Select the
comparison type from the first drop-down list.
- 'equal': this attribute should have exactly the same value
as an attribute with the same name in a request. Attribute value is
mandatory.
- 'not equal': this attribute should not have the same value
as an attribute with the same name in a request. Attribute value is
mandatory.
- 'present': an attribute with this name should be present
in a request. No value may be specified for the attribute.
- 'not present': an attribute with this name
should not be present in a request. No value may be specified for
the attribute.
- 'like' is similar to 'equal', but is used
for text attributes only: the attribute value in a request
may merely start with the same letters as the value specified here.
- 'regular expression' compares the attribute
value from a request (text attributes only)
against a regular expression pattern defined in the
Value box. Help on regular expression syntax can be
found here.
When none of the attributes in the list has the Required to match the
realm flag, the realm is selected if any of the conditions is
satisfied. If an attribute is marked with Required to match the
realm, its condition MUST be satisfied in order for the realm to be
selected.
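The condition types and the Required to match the realm logic described above, as an added example that is not ClearBox code. The request is a constructed sample; the page does not say how a value comparison treats an absent attribute, whether 'regular expression' must match the whole value, or how Required and non-required conditions combine, so those points are assumptions marked in the comments.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample request (attribute name -> value), not a real capture.
SAMPLE_REQUEST: Dict[str, str] = {
    "User-Name": "mike@mydomain.com",
    "NAS-Port-Type": "Wireless-802.11",
    "Called-Station-Id": "00-11-22-33-44-55:corp",
}

@dataclass
class Condition:
    attribute: str                # e.g. 'NAS-Port-Type'
    comparison: str               # 'equal' | 'not equal' | 'present' | 'not present' | 'like' | 'regular expression'
    value: Optional[str] = None   # mandatory for equal/not equal/like/regex, absent for present/not present
    required: bool = False        # the 'Required to match the realm' flag

def condition_holds(cond: Condition, request: Dict[str, str]) -> bool:
    actual = request.get(cond.attribute)
    if cond.comparison == "present":
        return actual is not None
    if cond.comparison == "not present":
        return actual is None
    if actual is None:            # assumption: value comparisons need the attribute
        return False
    if cond.comparison == "equal":
        return actual == cond.value
    if cond.comparison == "not equal":
        return actual != cond.value
    if cond.comparison == "like":           # text prefix match
        return actual.startswith(cond.value)
    if cond.comparison == "regular expression":   # assumption: search, not full match
        return re.search(cond.value, actual) is not None
    raise ValueError(f"unknown comparison type: {cond.comparison!r}")

def realm_selected(conditions: List[Condition], request: Dict[str, str]) -> bool:
    # Page rule: without Required flags, ANY satisfied condition selects the
    # realm; every Required condition MUST hold. Assumption: when both kinds are
    # present, the non-required ones still follow the any-of rule.
    required = [c for c in conditions if c.required]
    optional = [c for c in conditions if not c.required]
    if not all(condition_holds(c, request) for c in required):
        return False
    if optional:
        return any(condition_holds(c, request) for c in optional)
    return bool(required)         # an empty condition list selects nothing
```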
Rewrite User Name. Click the button to bring up the
dialog window where you can specify the user name selection rule.
It allows choosing one of the three options:
- 'Use 'User-Name' attribute': ClearBox performs the usual
user name handling.
- 'Take the user name from': this option lets you specify
which attribute should be treated as the user name. For example, if the
Calling-Station-ID attribute is selected, its value
substitutes for the user name. You may also check Return
this name in Access-Accept to make this new user name be sent
in subsequent accounting requests.
- 'Rewrite user name according to this rule': ClearBox uses a
regular expression to transform the user name. Use {} braces to
mark the parts of the input that match the expression
inside the braces; these parts are placed into the resulting user name. Regular
expression syntax is explained here. If
the actual name doesn't match the pattern, it isn't rewritten
at all.
For example, with the rewriting rule
{[a-zA-z]*}([0-9]*){[a-zA-z]*} and UserName=test45645login,
the server translates the name to testlogin: the first pair of {}
braces puts 'test' into the resulting name, the digits are skipped, and
the second group of letters marked by {} is appended to the name.
The result is testlogin. Click Test... to
test your regular expressions.
- Use the second rule to define an additional $x constant
from a user name. Simple rewriting with a regular
expression rule may not be enough when two separate parts of a user
name are needed somewhere. This option lets you extract some
part of a user name, add a prefix and/or a
suffix to the result and assign it to the
$x key. This key may then be used along with the other
keys. $x is empty (no suffix or
prefix is added) if the second rule did not match and the
Use the suffix and the prefix only when input matches the
rule option is set.
Say a user specifies his login name in the following manner:
8635678761@john, where 8635678761 is a phone number to make a
callback call to, and john is the name itself. You may rewrite the
name to john to authenticate him, but the callback number may be
useful, too. Using the second rule, you may extract the number with
{\d+}@\a+ and assign it to $x. It may be used
later in a SQL command, for instance.
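An added example (not ClearBox code) that reproduces both the 'Rewrite user name according to this rule' behaviour and the second rule for $x, using the page's own rules {[a-zA-z]*}([0-9]*){[a-zA-z]*} and {\d+}@\a+. The translation to a Python pattern assumes that {} is the only capturing construct, that plain (...) groups are skipped, that braces are never used as quantifiers, that \a stands for one letter, and that a rule must match the whole name.

```python
import re
from typing import Optional

def to_python_regex(rule: str) -> str:
    # Translate a ClearBox-style rule to a Python pattern. Assumptions (not on
    # the page): '{...}' is the only capturing construct, plain '(...)' groups
    # are non-capturing, braces never act as quantifiers, '\a' means a letter.
    out, i = [], 0
    while i < len(rule):
        ch = rule[i]
        if ch == "\\" and i + 1 < len(rule):          # escape: copy or expand \a
            out.append("[A-Za-z]" if rule[i + 1] == "a" else ch + rule[i + 1])
            i += 2
            continue
        if ch == "{":
            out.append("(")
        elif ch == "}":
            out.append(")")
        elif ch == "(" and not rule.startswith("(?", i):
            out.append("(?:")
        else:
            out.append(ch)
        i += 1
    return "".join(out)

def captured(name: str, rule: str) -> Optional[str]:
    # The concatenated {} parts, or None when the whole name does not match
    # (whole-name matching is an assumption; the page only says 'match').
    m = re.fullmatch(to_python_regex(rule), name)
    return None if m is None else "".join(g for g in m.groups() if g)

def rewrite_user_name(name: str, rule: str) -> str:
    # 'Rewrite user name according to this rule': unmatched names stay as is.
    kept = captured(name, rule)
    return name if kept is None else kept

def second_rule(name: str, rule: str, prefix: str = "", suffix: str = "",
                only_when_matched: bool = True) -> str:
    # The $x constant: extracted part with prefix/suffix added. With the 'Use
    # the suffix and the prefix only when input matches the rule' option set,
    # a non-matching name yields an empty $x.
    kept = captured(name, rule)
    if kept is None:
        return "" if only_when_matched else prefix + suffix
    return prefix + kept + suffix

if __name__ == "__main__":
    print(rewrite_user_name("test45645login", "{[a-zA-z]*}([0-9]*){[a-zA-z]*}"))  # testlogin
    print(second_rule("8635678761@john", r"{\d+}@\a+"))                           # 8635678761
```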
Click 'Apply Changes' to save your changes.
© 2001-2007 XPerience Technologies. www.xperiencetech.com