Group Configuration for Active Directory, NT and RADIUS Domains

For authentication to RADIUS, Microsoft NT domain or Active Directory servers (using Kerberos), you can individually define AAA users and groups. This is not required, but it enables you to create separate policies or bookmarks for individual AAA users.

When a user logs in, the SRA appliance will validate with the appropriate Active Directory, RADIUS, or NT server that the user is authorized to log in. If the user is authorized, the SRA appliance will check to see if the user exists in the SRA appliance database for users and groups. If the user is defined, then the policies and bookmarks defined for the user will apply.

For example, if you create a RADIUS domain in the SRA appliance called “Miami RADIUS server”, you can add users to groups that are members of the “Miami RADIUS server” domain. These user names must match the names configured in the RADIUS server. Then, when users log in to the portal, policies, bookmarks and other user settings will apply to the users. If the AAA user does not exist in the SRA appliance, then only the global settings, policies and bookmarks will apply to the user.

Bookmark Support for External (Non-Local) Users

The Virtual Office bookmark system allows bookmarks to be created at both the group and user levels. The administrator can create both group and user bookmarks which will be propagated to applicable users, while individual users can create only personal bookmarks.

Since bookmarks are stored within the SRA appliance’s local configuration files, it is necessary for group and user bookmarks to be correlated to defined group and user entities. When working with local (LocalDomain) groups and users, this is automated since the administrator must manually define the groups and users on the appliance. Similarly, when working with external (non-LocalDomain, for example, RADIUS, NT, LDAP) groups, the correlation is automated since creating an external domain creates a corresponding local group.

However, when working with external (non-LocalDomain) users, a local user entity must exist so that any user-created (personal) bookmarks can be stored within the SRA configuration files. Bookmarks must be stored on the SRA appliance itself because LDAP, RADIUS, and NT Authentication external domains do not provide a direct facility to store such information as bookmarks.

Rather than requiring administrators to manually create local users for external domain users to use personal bookmarks, the SRA appliance automatically creates a corresponding local user entity upon user login. Bookmarks can be added to the locally-created user.

For example, if a RADIUS domain called myRADIUS is created, and RADIUS user jdoe logs on to the SRA appliance, the moment jdoe adds a personal bookmark, a local user called jdoe will be created on the SRA appliance as type External, and can then be managed like any other local user by the administrator. The external local user will remain until deleted by the administrator.

Adding a RADIUS Group

The RADIUS Groups tab allows the administrator to enable user access to the SRA appliance based on existing RADIUS group memberships. By adding one or more RADIUS groups to an SRA group, only users associated with specified RADIUS group(s) are allowed to log in.

To add a RADIUS group:
1. In the Users > Local Groups page, click the configure button for the RADIUS group you want to configure.
2. In the RADIUS Groups tab, click the Add Group... button. The Add RADIUS Group page displays.
3. Enter the RADIUS Group name in the corresponding field. The group name must match the RADIUS Filter-Id exactly.
4. Click the Accept button. The group displays in the RADIUS Groups section.
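
A check for the exact-match requirement in step 3, added here as an example (it is not part of the original guide or the appliance's own code): it parses Filter-Id (RADIUS attribute type 11) out of an Access-Accept packet and flags configured group names that differ from the returned value only by case or surrounding whitespace. The packet is constructed sample data, the function names are hypothetical, and reading "exactly" as a case- and whitespace-sensitive comparison is an assumption.

```python
import struct

ACCESS_ACCEPT = 2   # RADIUS packet code (RFC 2865)
FILTER_ID = 11      # RADIUS attribute type for Filter-Id (RFC 2865)

def build_access_accept(values, ident=1):
    """Build a constructed Access-Accept carrying the given Filter-Id values."""
    attrs = b"".join(
        bytes([FILTER_ID, 2 + len(v)]) + v for v in (s.encode() for s in values)
    )
    # Authenticator is zeroed: this sample is for attribute parsing only.
    return struct.pack("!BBH16s", ACCESS_ACCEPT, ident, 20 + len(attrs), b"\0" * 16) + attrs

def filter_ids(packet):
    """Return every Filter-Id value in an Access-Accept, in order."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    found, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == FILTER_ID:
            found.append(packet[pos + 2:pos + alen].decode("utf-8", "replace"))
        pos += alen
    return found

def check_group(configured, packet):
    """Classify a configured group name against the packet's Filter-Id values."""
    ids = filter_ids(packet)
    if configured in ids:          # assumed comparison: byte-for-byte, case-sensitive
        return "match"
    near = [i for i in ids if i.strip().casefold() == configured.strip().casefold()]
    return "near-miss: " + repr(near[0]) if near else "no-match"

# Constructed sample: the RADIUS server returns two Filter-Id values,
# one of them with a trailing space as it might be typed on the server side.
SAMPLE = build_access_accept(["Engineering", "vpn-users "])
```

A "near-miss" result points at a group name that looks right in the Add RADIUS Group page but would not equal the Filter-Id the server actually sends.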

Adding an Active Directory Group

The AD Groups tab allows the administrator to enable user access to the SRA appliance based on existing AD group memberships. By adding one or more AD groups to an SRA group, only users associated with specified AD group(s) are allowed to log in.

To add an AD group:
1. In the Users > Local Groups page, click the configure button for the AD group you want to configure.
2. In the AD Groups tab, click the Add Group... button. The Add Active Directory Group page displays.
3. Enter the Active Directory Group name in the corresponding field.
4. Optionally, select the Associate with AD group check box if you wish to associate the SRA group with your AD group. This step can also be completed at a later time in the Edit Group page under the AD Groups tab.
5. Click the Accept button. The group displays in the Active Directory Groups section. The process of adding a group may take several moments. Do not click the Add button more than once during this process.