Nortel user authentication

Chris Carlson carlsonmail at YAHOO.COM
Fri Jan 12 10:17:34 EST 2001


Sean,

Unless Nortel has changed the Contivity since I used
it last, I think I have a solution for you.

It looks like you need to have the same UID/Password
for both boxes, but a different set of group
attributes.

To do this, you need to maintain internal LDAP for the
box-specific group attributes, and external RADIUS for
user authentication.

External LDAP wouldn't work since both boxes would be
sharing the same users AND group information.

The other gotcha is that you need to keep the user's
Group path the same on both boxes, so you can pass the
RADIUS "class" attribute to each Contivity.

You would "fake" this by creating two groups on each
box, /Base/Group1 and /Base/Group2 (or whatever).  But
the split-tunnelling attributes would be different ON
EACH BOX:

Nortel #1
/Base/Group1 = split tunnelling yes
/Base/Group2 = split tunnelling no

Nortel #2
/Base/Group1 = split tunnelling yes
/Base/Group2 = split tunnelling yes


This means that users in Group1 get split-tunnelling
no matter which Nortel they connect to.  Users in
Group2 would only get split tunnelling on Nortel#2 and
not Nortel#1.

But ultimately, the user in RADIUS will have the same
UID, Password, and Class attribute regardless of which
box they connect to.  It'll be the Contivity-specific
group attributes that will determine what preferences
they have.

Good luck!

Chris
--


--- "Settle, Sean" <SeanSettle at ALLIANTFS.COM> wrote:
> I am trying to configure two independent Nortel
> Contivity units to share
> user ID information, but not group information.  Is
> this possible?  If so
> would it require external LDAP or RADIUS?
>
> Nortel #1 has split tunneling disabled to prevent
> users' home systems from
> being used as an unintentional gateway into the
> secured environment, but the
> internal environment allows all users to split
> tunnel.  Selected users who
> run personal firewalls are allowed to have split
> tunneling enabled on Nortel
> #1.  Thus on Nortel #2 a user would be a member of
> Base\Group 1\Split Tunnel
> but on Nortel #1 be a member of \Base\Group 1
> typically, with some users
> being a member of \Base\Group 1\Split Tunnel as
> well.
>
> Is what I'm trying to do possible or am I barking up
> the wrong tree?
>
> Sean Settle
> "To sin by silence when we should protest makes
> cowards out of men" - Ella
> Wheeler Wilcox
> X Network Services Q NPC X
> Phoenix, AZ
> Phone:	480-496-5434
> Fax:	480-496-5224
> SMTP:	seansettle at alliantfs.com
>
> VPN is sponsored by SecurityFocus.COM
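The design Chris describes above (RADIUS answers authentication and hands back one Class attribute with the group path; each Contivity keeps its own local group attributes under that same path) can be modelled in a few lines. The following is an added example, not code from the original post or from Nortel: it encodes and decodes the RADIUS Class attribute (type 25, RFC 2865), resolves the split-tunnelling preference per box, and includes the consistency check for the "gotcha" that the group path must exist on every box. The Class value format ("/Base/Group1" as a plain string) and the two policy tables are assumptions constructed to match the Nortel #1 / Nortel #2 example in the post.

```python
# Added example (not from the original post): central RADIUS authentication
# plus per-box local group attributes. The Class value format and the
# BOX_POLICY tables are constructed assumptions for illustration.
import struct

RADIUS_ATTR_CLASS = 25  # RFC 2865 section 5.25, Class attribute


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 sec. 5)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attributes(payload: bytes) -> list[tuple[int, bytes]]:
    """Walk a RADIUS attribute list, rejecting malformed lengths."""
    attrs = []
    i = 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", payload[i:i + 2])
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, payload[i + 2:i + length]))
        i += length
    return attrs


# Per-box local group attributes (the "internal LDAP" side). Same group
# paths on every box, different attribute values, constructed to match the
# post's Nortel #1 / Nortel #2 example.
BOX_POLICY = {
    "Nortel #1": {"/Base/Group1": {"split_tunnel": True},
                  "/Base/Group2": {"split_tunnel": False}},
    "Nortel #2": {"/Base/Group1": {"split_tunnel": True},
                  "/Base/Group2": {"split_tunnel": True}},
}


def radius_accept_for(user_class: str) -> bytes:
    """Constructed Access-Accept attribute list carrying only the Class."""
    return encode_attribute(RADIUS_ATTR_CLASS, user_class.encode())


def resolve_split_tunnel(box: str, accept_attrs: bytes) -> bool:
    """What one box does with the Class it received from RADIUS."""
    classes = [v.decode() for t, v in decode_attributes(accept_attrs)
               if t == RADIUS_ATTR_CLASS]
    if len(classes) != 1:
        raise ValueError("expected exactly one Class attribute")
    group = BOX_POLICY[box].get(classes[0])
    if group is None:
        # The gotcha from the post: the group path must exist on every box,
        # otherwise a valid RADIUS user has no local group to land in.
        raise KeyError(f"{box} has no local group {classes[0]!r}")
    return group["split_tunnel"]


def check_group_paths_consistent(policies: dict) -> list[str]:
    """Return group paths that are missing on at least one box (empty = OK)."""
    all_paths = set().union(*(p.keys() for p in policies.values()))
    return sorted(p for p in all_paths
                  if any(p not in pol for pol in policies.values()))


if __name__ == "__main__":
    for box in BOX_POLICY:
        for cls in ("/Base/Group1", "/Base/Group2"):
            print(box, cls, "split tunnel:",
                  resolve_split_tunnel(box, radius_accept_for(cls)))
    print("missing group paths:", check_group_paths_consistent(BOX_POLICY))
```

Running it shows the same Class value producing split tunnelling on both boxes for Group1 but only on Nortel #2 for Group2, which is exactly the effect described above; `check_group_paths_consistent` is the pre-deployment check worth running whenever a group is added to one box but not the other.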






