User Guide
OmniAccess SafeGuard OS Administration Guide
205
Chapter 6: Configuring Authentication and Role Derivation
— System attributes: source IP, source MAC, port number, VLAN ID,
authentication type, mapping type, user name, role name, domain name, and
time of day
— DHCP attributes: requested IP address and subnet mask
— Active Directory attributes: member of, title, department, host operating
system, and version
— RADIUS attributes: calling station, called station, network access server (NAS)
IP, and Vendor Specific Attributes (VSAs)
For more details, see Configuring the Rule Map Attributes on page 281.
Limiting Access with Trusted Servers
SafeGuard OS provides two methods of filtering authentication events:
■ trusted servers
■ grey lists
A trusted server is created by configuring the SafeGuard device to respond only to
authentication events from specific servers, such as Kerberos or RADIUS servers. When so
configured, the system applies a default action to leases from all unrecognized servers.
To configure access to services, use the aaa session-tracking trusted-server Global
Configuration command.
aaa session-tracking trusted-server [default-action protocol | ip-address ipaddr] action [deny|permit]
Syntax Description

protocol    The protocol to permit or deny by default.
            Valid values are:
            ■ all
            ■ dhcp
            ■ kerberos
            ■ lsp (only for default action)
            ■ radius
ipaddr      IP address of the server. This address is obtained from the
            SERVER_ID field of the packet.
deny        The mapping table does not accept new mappings.
permit      The mapping table is updated to reflect the new mapping.
            Permit is the default action.
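The following audit script is an added example, not part of the SafeGuard documentation or vendor code. It parses trusted-server lines written in the syntax shown above and reports which protocols still accept mappings from unrecognized servers. It assumes that saved configuration lines look exactly like the documented command, that a listed server address takes precedence over a protocol default, and that a protocol-specific default takes precedence over `all`; the sample configuration and its addresses are constructed.

```python
import ipaddress
import re

PROTOCOLS = {"all", "dhcp", "kerberos", "lsp", "radius"}
LINE = re.compile(
    r"^aaa session-tracking trusted-server "
    r"(?:default-action (?P<proto>\S+)|ip-address (?P<ip>\S+)) "
    r"action (?P<action>deny|permit)$"
)

def parse(config_text):
    """Return (defaults, servers, errors) from trusted-server lines."""
    defaults, servers, errors = {}, {}, []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = " ".join(raw.split())  # normalise whitespace
        if not line.startswith("aaa session-tracking trusted-server"):
            continue
        m = LINE.match(line)
        if not m:
            errors.append((n, "does not match the documented syntax"))
        elif m["proto"]:
            if m["proto"] not in PROTOCOLS:
                errors.append((n, f"unknown protocol {m['proto']!r}"))
            else:
                defaults[m["proto"]] = m["action"]
        else:
            try:
                servers[str(ipaddress.ip_address(m["ip"]))] = m["action"]
            except ValueError:
                errors.append((n, f"bad IP address {m['ip']!r}"))
    return defaults, servers, errors

def decide(defaults, servers, protocol, server_id):
    """Assumed order: listed server, protocol default, 'all', then permit."""
    if server_id in servers:
        return servers[server_id]
    return defaults.get(protocol, defaults.get("all", "permit"))

def open_protocols(defaults):
    """Protocols whose unrecognized servers can still update the mapping table."""
    return sorted(p for p in PROTOCOLS - {"all"}
                  if defaults.get(p, defaults.get("all", "permit")) == "permit")

# Constructed sample configuration (documentation-range addresses).
SAMPLE = """\
aaa session-tracking trusted-server default-action dhcp action deny
aaa session-tracking trusted-server default-action kerberos action deny
aaa session-tracking trusted-server ip-address 192.0.2.10 action permit
aaa session-tracking trusted-server ip-address 192.0.2.999 action permit
"""
```

Because permit is the default action, any protocol without an explicit deny default shows up in `open_protocols`, which is the list to review when the intent is to trust only named servers.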










