Nortel user authentication

Settle, Sean SeanSettle at ALLIANTFS.COM
Fri Jan 12 11:29:01 EST 2001

The advice is very much appreciated!

After futzing around with it for many hours into the evening, this is more
or less the exact solution that I came up with :).  I was/am planning on
posting a summary of what I did to make it work like I wanted, but this
message pretty well sums that up.  Anybody that requires non-standard access
on either of the two boxes (untrusted consultant on the inside Nortel (no
split tunnel) or trusted network guru on the outside Nortel (split tunnel))
would just have to live with the fact that they'd have different user IDs and
passwords to deal with because they requested special access, and I would
use the internal LDAP for that purpose.

I did find one solution that would allow me to return to the NAS a different
class attribute based on criteria such as (more or less) "which box asked
to authenticate this user" by using the Windows 2000 IAS service... BUT the
IAS service returns some kind of weird data for the class attribute.  I
posted to Microsoft.public.internet.radius to see what the deal was with
that.  If I can get the IAS server to work then I can simply create
different policies that will set the class attribute to the appropriate
group for any device.

 -----Original Message-----
From: 	Chris Carlson [mailto:carlsonmail at]
Sent:	Friday, January 12, 2001 8:18 AM
Subject:	Re: Nortel user authentication


Unless Nortel has changed the Contivity since I used
it last, I think I have a solution for you.

It looks like you need to have the same UID/Password
for both boxes, but a different set of group

To do this, you need to maintain internal LDAP for the
box-specific group attributes, and external RADIUS for
user authentication.

External LDAP wouldn't work since both boxes would be
sharing the same users AND group information.

The other gotcha is that you need to keep the user's
Group path the same on both boxes, so you can pass the
RADIUS "class" attribute to each Contivity.

You would "fake" this by creating two groups on each
box, /Base/Group1 and /Base/Group2 (or whatever).  But
the split-tunnelling attributes would be different ON

Nortel #1
/Base/Group1 = split tunnelling yes
/Base/Group2 = split tunnelling no

Nortel #2
/Base/Group1 = split tunnelling yes
/Base/Group2 = split tunnelling yes

This means that users in Group1 get split-tunnelling
no matter which Nortel they connect to.  Users in
Group2 would only get split tunnelling on Nortel#2 and
not Nortel#1.

But ultimately, the user in RADIUS will have the same
UID, Password, and Class attribute regardless of which
box they connect to.  It'll be the Contivity-specific
group attributes that will determine what preferences
they have.

Good luck!


--- "Settle, Sean" <SeanSettle at ALLIANTFS.COM> wrote:
> I am trying to configure two independent Nortel
> Contivity units to share
> user ID information, but not group information.  Is
> this possible?  If so
> would it require external LDAP or RADIUS?
> Nortel #1 has split tunneling disabled to prevent
> users' home systems from
> being used as an unintentional gateway into the
> secured environment, but the
> internal environment allows all users to split
> tunnel.  Selected users who
> run personal firewalls are allowed to have split
> tunneling enabled on Nortel
> #1.  Thus on Nortel #2 a user would be a member of
> Base\Group 1\Split Tunnel
> but on Nortel #1 be a member of \Base\Group 1
> typically, with some users
> being a member of \Base\Group 1\Split Tunnel as
> well.
> Is what I'm trying to do possible or am I barking up
> the wrong tree?
> Sean Settle
> "To sin by silence when we should protest makes
> cowards out of men" - Ella
> Wheeler Wilcox
> X Network Services Q NPC X
> Phoenix, AZ
> Phone:	480-496-5434
> Fax:	480-496-5224
> SMTP:	seansettle at
> VPN is sponsored by SecurityFocus.COM

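The scheme Chris describes, and that Sean says he ended up with, worked through end to end as an added example (editor's illustration, not code from the thread, from Nortel, or from Microsoft IAS): a RADIUS server that holds one UID, password and Class value per user, and two "Contivity" boxes that each keep their own group attributes for the same group paths. The RADIUS framing follows RFC 2865 (Access-Request with hidden User-Password, Access-Accept carrying Class, Response Authenticator check). The shared secret, the user store, the per-box group tables and the assumption that Class carries the plain group path string are all constructed for the example.

```python
"""Constructed model of 'RADIUS for authentication, per-box internal groups for policy'.

Not Nortel Contivity or Microsoft IAS code. Packet layout follows RFC 2865.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CLASS = 1, 2, 25

SHARED_SECRET = b"constructed-shared-secret"  # assumption: same secret on both boxes

# Constructed RADIUS user store: ONE uid/password/Class per user, whichever box asks.
RADIUS_USERS = {
    "alice": ("alice-pw", b"/Base/Group1"),
    "bob":   ("bob-pw",   b"/Base/Group2"),
}

# Constructed per-box group attributes (the internal LDAP on each Contivity):
# identical group paths on both boxes, different split-tunnelling settings.
BOX_GROUPS = {
    "nortel1": {"/Base/Group1": True, "/Base/Group2": False},  # outside box
    "nortel2": {"/Base/Group1": True, "/Base/Group2": True},   # inside box
}


def encode_attrs(attrs):
    """Serialise [(type, value)] as RFC 2865 TLVs (length covers type+len+value)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse RFC 2865 TLVs, refusing truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", data[i:i + 2])
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def hide_password(password, req_auth, secret):
    """RFC 2865 5.2 User-Password hiding: chained MD5(secret + previous block) XOR."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(p), 16):
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_password(hidden, req_auth, secret):
    """Inverse of hide_password (server side)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00").decode(errors="replace")


def build_request(ident, req_auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def build_response(code, ident, req_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def verify_response(pkt, ident, req_auth, secret):
    """NAS side: check identifier, length and Response Authenticator before trusting attributes."""
    code, rid, length = struct.unpack("!BBH", pkt[:4])
    if rid != ident or length != len(pkt):
        raise ValueError("identifier or length mismatch")
    body = pkt[20:]
    expected = hashlib.md5(pkt[:4] + req_auth + body + secret).digest()
    if not hmac.compare_digest(pkt[4:20], expected):
        raise ValueError("bad Response Authenticator")
    return code, decode_attrs(body)


def radius_server(request, secret):
    """Authenticate the user; on success return the user's single Class value."""
    _, ident, _ = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], dict(decode_attrs(request[20:]))
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), req_auth, secret)
    entry = RADIUS_USERS.get(user)
    if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
        return build_response(ACCESS_REJECT, ident, req_auth, [], secret)
    return build_response(ACCESS_ACCEPT, ident, req_auth, [(ATTR_CLASS, entry[1])], secret)


def connect(box, user, password, secret=SHARED_SECRET):
    """Contivity side: ask RADIUS, then apply THIS box's own attributes for the returned group."""
    ident, req_auth = 7, os.urandom(16)
    request = build_request(ident, req_auth, [
        (ATTR_USER_NAME, user.encode()),
        (ATTR_USER_PASSWORD, hide_password(password, req_auth, secret)),
    ])
    code, attrs = verify_response(radius_server(request, secret), ident, req_auth, secret)
    result = {"box": box, "user": user, "allowed": False, "group": None, "split_tunnel": None}
    if code != ACCESS_ACCEPT:
        return result
    classes = [v for t, v in attrs if t == ATTR_CLASS]
    group = classes[0].decode(errors="replace") if classes else None
    result["group"] = group
    policy = BOX_GROUPS[box]
    if group not in policy:
        return result  # fail closed: Class names no group configured on this box
    result.update(allowed=True, split_tunnel=policy[group])
    return result


if __name__ == "__main__":
    for box in BOX_GROUPS:
        for user, (pw, _) in RADIUS_USERS.items():
            print(connect(box, user, pw))
```

The same Access-Accept (same UID, password and Class) produces split tunnelling for bob on nortel2 and no split tunnelling on nortel1, purely from each box's local group table. Two practical points the model makes explicit: the NAS side fails closed when the Class value does not name a group it knows, which is the behaviour you want while a server such as IAS is handing back Class data you have not decoded yet; and RFC 2865 PAP hiding is MD5-based obfuscation, not encryption, and the Access-Request itself carries no integrity check, so the RADIUS leg between the Contivity boxes and the server belongs on a trusted segment.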