ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaiy_5.4.0.1/rzaiyradiusexample.htm

114 lines
8.1 KiB
HTML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Scenario: Authenticate dial-up connections with RADIUS NAS" />
<meta name="abstract" content="A Network Access Server (NAS) running on the iSeries server can route authentication requests from dial-in clients to a separate RADIUS server. If authenticated, RADIUS can also control the IP addresses to the user." />
<meta name="description" content="A Network Access Server (NAS) running on the iSeries server can route authentication requests from dial-in clients to a separate RADIUS server. If authenticated, RADIUS can also control the IP addresses to the user." />
<meta name="DC.Relation" scheme="URI" content="rzaiyscenarios.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiysysauth.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiyradiusovw.htm" />
<meta name="DC.Relation" scheme="URI" content="rzaiycfgradiusdhcp.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaiyradiusexample" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario: Authenticate dial-up connections with RADIUS NAS</title>
</head>
<body id="rzaiyradiusexample"><a name="rzaiyradiusexample"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Scenario: Authenticate dial-up connections with RADIUS NAS</h1>
<div><p>A Network Access Server (NAS) running on the iSeries™ server
can route authentication requests from dial-in clients to a separate RADIUS
server. If authenticated, RADIUS can also control the IP addresses to the
user. </p>
<div class="section"><h4 class="sectiontitle">Situation</h4><p>Your corporate network has remote users
dialing into two iSeries servers
from a distributed dial-up network. You need a way to centralize authentication,
service and accounting, allowing one server to handle requests for validating
user IDs and passwords, and determining which IP addresses are assigned to
them. </p>
</div>
<div class="section"><div class="fignone"><span class="figcap">Figure 1. Authenticate dial up connections with a RADIUS server</span><br /><img src="rzaiy511.gif" alt="Authenticate dial-up connections with a RADIUS server" /><br /></div>
</div>
<div class="section"><h4 class="sectiontitle">Solution</h4><p>When users attempt to connect, the NAS
running on the iSeries servers
forwards the authentication information to a RADIUS server on the network.
The RADIUS server, which maintains all authentication information for your
network, processes the authentication request and responds. If the user is
validated, the RADIUS server can also be configured to assign the peers's
IP address, and can activate accounting to track user activity and usage.
To support RADIUS, you must define the RADIUS NAS server on the iSeries.</p>
</div>
<div class="section"><h4 class="sectiontitle">Sample configuration</h4><ol><li> In iSeries Navigator,
expand <span class="uicontrol">Network</span>, right-click <span class="uicontrol">Remote Access
Services</span> and select <span class="uicontrol">Services</span>.</li>
<li>On the RADIUS tab, select <span class="uicontrol">Enable RADIUS Network Access Server
connection</span>, and <span class="uicontrol">Enable RADIUS for authentication</span>.
Depending on your RADIUS solution, you may also choose to have RADIUS handle
connection accounting and TCP/IP address configuration.</li>
<li>Click the <span class="uicontrol">RADIUS NAS settings</span> button.</li>
<li>On the General page, enter a description for this server.</li>
<li>On the Authentication Server (and optionally Accounting Server) pages,
click <span class="uicontrol">Add</span> and enter the following information: <ol type="a"><li>In the Local IP address box, enter the IP address for the iSeries interface
used to connect with the RADIUS server. </li>
<li>In the Server IP address box, enter the IP address for the RADIUS server.</li>
<li>In the Password box, enter the password used to identify the iSeries server
to the RADIUS server. </li>
<li>In the Port box, enter the port on the iSeries used to communicate with the
RADIUS server. The defaults are port 1812 for the authentication server or
1813 for the accounting server. </li>
</ol>
</li>
<li>Click <span class="uicontrol">OK</span>. </li>
<li>In iSeries Navigator,
expand <span class="menucascade"><span class="uicontrol">Network</span> &gt; <span class="uicontrol">Remote Access
Services</span></span>.</li>
<li>Select the Connection profile that will use the RADIUS server for authentication.
RADIUS services are only applicable for Receiver connection profiles. </li>
<li>On the Authentication page, select <span class="uicontrol">Require this iSeries server
to verify the identity of the remote system</span>.</li>
<li>Select <span class="uicontrol">Authenticate remotely using a RADIUS server</span>.</li>
<li>Select the authentication protocol. (PAP, or CHAP-MD5) This protocol must
also be used by the RADIUS server. </li>
<li>Select <span class="uicontrol">Use RADIUS for connection editing and accounting</span>.</li>
<li>Click <span class="uicontrol">OK</span> to save the change to the connection profile.</li>
</ol>
</div>
<div class="section"><p>You must also setup the RADIUS server, including support for the
authentication protocol, user data, passwords, and accounting information.
Refer to your RADIUS vendor for more information.</p>
</div>
<div class="section"><p>When users dial in using this connection profile, the iSeries will
forward the authentication information to the specified RADIUS server. If
the user is validated, the connection will be allowed, and will use any connection
restrictions specified in the user's information about the RADIUS server.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaiyscenarios.htm" title="The scenarios in this topic help you understand how PPP works, and how you can implement a PPP environment in your network. These scenarios introduce fundamental PPP concepts from which beginners and experienced users can benefit before they proceed to the planning and configuration tasks.">Scenarios</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="rzaiycfgradiusdhcp.htm" title="To enable RADIUS or DHCP services for PPP receiver connection profiles, follow these steps.">Enable RADIUS and DHCP services for connection profiles</a></div>
</div>
<div class="relref"><strong>Related reference</strong><br />
<div><a href="rzaiysysauth.htm" title="PPP connections with an iSeries server support several options for authenticating both remote clients dialing in to the iSeries, and connections to an ISP or other server that the iSeries is dialing.">System authentication</a></div>
<div><a href="rzaiyradiusovw.htm" title="Remote Authentication Dial In User Service (RADIUS) is an Internet standard protocol which provides centralized authentication, accounting and IP management services for remote access users in a distributed dial-up network.">RADIUS overview</a></div>
</div>
</div>
</body>
</html>