
Table of Contents

Setting Up Domains, Directories, and Servers
Having Authority in Domains
Adding NT Domains and NDS Directories to URT
Configuring Domain Options
Configuring Users to Run the Domain Logon Script
Deleting NT Domains or NDS Directories from URT
Deleting a VTP Domain from URT
Managing LDAP Servers
Managing RADIUS Servers

Setting Up Domains, Directories, and Servers


Traditional logon domains are NT and Novell Directory Services (NDS) domains. Web logon domains include Lightweight Directory Access Protocol (LDAP) directories (AD and NDS) and Remote Authentication Dial-In User Service (RADIUS) domains.

This chapter describes how to set up domains, directories, and servers.

Having Authority in Domains

Table 4-1 describes the authorities you must have to change domains or directories in URT.

Table 4-1   Authorities Required to Change Domains and Directories

Domain or Directory Required Authority

Microsoft Networking domain

To install files on the domain server and view the domain, you must have Administrator authority in that domain.

If you try to perform tasks on a domain for which you do not have Administrator authority, URT prompts you for a username and password with the appropriate authority. Enter the username using the format NT_domain\username.

If you log onto a domain from a non-Administrator account, you cannot make changes to settings for that domain in URT.

Novell NetWare NDS directory

To make changes to an NDS directory, you must have read and browse privileges for that directory.

  • If you are not logged onto the NDS directory you are changing, you are prompted to log on with a user account that has those privileges.
  • If you are logged onto NDS without read and browse privileges for the directory, you must exit URT and log onto the NetWare network from an account that has them.

LDAP directory

To manage LDAP servers, you must enter your LDAP user ID in LDAP format (for example, cn=username, cn=Users, dc=domainname, dc=company, dc=com) and enter your LDAP password.

RADIUS server

To manage RADIUS servers, you must enter your RADIUS authentication and accounting keys.

Adding NT Domains and NDS Directories to URT

You must add the NT domains and NDS directories you want URT to manage to the NT and NDS Domains folder.


Note   When you add an NT domain or NDS directory to your network, you must also add the domain or directory to URT.

You must have NT Administrator authority in the domain or NDS read and browse privileges in the directory. For more information, see the "Having Authority in Domains" section.


Step 1   Select the NT and NDS Domains folder.

Step 2   Click Add or select Edit>Add.

The Domain Name window is displayed.

Step 3   Select the name of the NT domain or NDS directory you want to add. If the domain or directory is not in the list, enter it in the text box.

Step 4   Click OK.

URT creates a folder for the NT domain or NetWare directory, listing all users defined in the domain or directory.

Configuring Domain Options

You must configure domain logon options for each domain server. You can also enter a list of domain controllers for each domain; this list determines the order in which the Administrative Server queries the controllers when it refreshes group-membership-to-VLAN assignments.

Setting Domain Logon Options

You can set domain logon options to edit the URT logon script that resides on each domain server and runs from the network logon script. All users in a domain are assigned the domain logon options you configure.

You must have NT Administrator authority in the domain or NDS read and browse privileges in the directory. For more information, see the "Having Authority in Domains" section.


Step 1   Open the NT and NDS Domains folder.

Step 2   Select a domain folder.

Step 3   Select Customize>Configure Domain Options.

Step 4   Click the Logon Options tab.

Step 5   Select the desired domain options.

Step 6   Enter any required information.

Each option is described in Table 4-2.

Step 7   Click OK.

URT displays a list of domain servers or NDS NetWare servers found in the selected domain.

Step 8   To install the new logon script options on the domain servers, click Yes.


Note    Your changes do not take effect until you install them on the domain servers; to do so, click Yes.



Table 4-2   Domain Logon Options

Option Description Usage Notes

Enable auto install and upgrade for Windows NT/2000 (supported on Microsoft Networking only)

Installs and upgrades the URT Client Module automatically on Windows NT, Windows 2000, and Windows XP (Professional) clients (enabled by default).

If you use NetWare, you must use ZENworks to automate installation of the URT Client Module.

Sleep time to wait for auto install completion (in seconds)

Number of seconds to wait before retrying automatic installation of the URT Client Module.

Enter the number of seconds; use this option on slower systems.

Unmap network drives on log out

Unmaps network drives when the user logs off.

Select to enable.

Enable trace

Adds debug and trace information to the OnOffHandler.log and UrtService.log files on users' workstations. When trace is not enabled, only error and critical messages are written to the log files.

  • The OnOffHandler.log file, stored in the user's %TEMP% directory, or (depending on the Windows platform) drive:\Windows\Temp or drive:\WINNT\Temp, records the installation and upgrade of the Client Module.
  • The UrtService.log file, stored in the user's %TEMP% directory, or (depending on the Windows platform) drive:\Windows\Temp or drive:\WINNT\Temp, records interactions between the Client Module and the VPS.

Enable to troubleshoot or debug a problem.

Quit when logon failure occurs

Logs off users on static and dynamic ports after logon failures.

Select if there are several static ports in your network. Static port logon failures can cause excessive network traffic.

Delay running of URT Client Module after logon (secs)

Number of seconds to delay running the Client Module.

Enter the number of seconds to delay. Use this option to avoid conflicts between the Client Module and other services on startup.

Delay switching of VLAN after logoff (secs)

Number of seconds to delay switching a user's VLAN on logoff (selected by default with a delay value of 1).

Enter the number of seconds to delay.

Use this option to provide Windows 2000 enough time to write a user's roaming profile during logoff.

Batch file to execute after URT Client module completes

Batch filename and path to run automatically after the Client Module completes.

Enter a batch filename and path to run.

Use this option for map files or to run programs such as a virus detection program.

Other future options

Reserved for future use.

Setting the Group Refresh Order

To determine the order that the Administrative Server uses during group refreshes, you can enter a list of domain controllers for each domain. During a refresh, the Administrative Server checks the domain controllers in the order you specify. If the first controller in the list is unavailable, the server checks the next one on the list, and so on.

By default, the Primary Domain Controller (PDC) is first in the list, followed by all Backup Domain Controllers (BDCs).


Note   You can rearrange the order to suit your needs. For example, you can place BDCs at the top so that they are queried first, reducing the load on your PDC. A BDC moved to the top of the list is checked before the PDC, so first make sure that the BDC is properly synchronized with the PDC; otherwise the refresh reads stale group memberships from it and assigns VLANs from them. You can also remove the PDC from the list to reduce its load further.


Step 1   Select Customize>Configure Domain Options.

Step 2   Click the Group Refresh Order tab.

Step 3   To change the position of a BDC in the list, select the BDC, then click Up (to move it higher) or Down (to move it lower).


Note    Click Refresh Group List to return the list to the default order. If you click this in error, click Cancel. If a domain controller has recently been added to or deleted from the network, the changes are reflected when you click Refresh Group List.

Step 4   To delete a domain controller from the refresh list, select the domain controller, then click Remove.

Step 5   To confirm the deletion, click Yes.

Step 6   After reordering the domain controllers, click OK.



Manually Installing the URT Logon Script

URT automatically prompts you to reinstall the logon script when you make changes that require it (for example, when changing domain logon options).

If you did not install the logon script when prompted, you can do so later using the instructions in this section.

You must have NT Administrator authority in the domain or NDS read and browse privileges in the directory. For more information, see the "Having Authority in Domains" section.


Step 1   Select an NT domain or NDS directory.

Step 2   Select Customize>Install URT Logon Script.

URT displays a list of domain servers or NDS NetWare servers found in the selected domain.

Step 3   Click Yes.

URT installs the URT logon script (urt.bat) on the domain servers and NDS NetWare servers, and displays a message box to show the status of the installation.

Step 4   If necessary, repeat this procedure for every NT domain or NDS directory in your network.


Note    You must manually add any NT domains or NDS directories that are missing from the NT and NDS Domains folder. To do so, select the NT and NDS Domains folder, then click Add or select Edit>Add. Enter the name of the missing domain or directory (or select one from the list), then click OK.



Configuring Users to Run the Domain Logon Script

You must update (or create) the domain logon script on your primary domain server so that it runs the URT logon script (urt.bat). Run this procedure once to make sure that users run urt.bat at logon; the script directs user logons to the URT VPSs.

Domain Logon Script Configuration Procedure for Microsoft Networking

If you do not already have a logon script, you must either create one or associate users directly with urt.bat as the logon script.

For NT domain servers, the urt.bat file is installed in the NETLOGON directory.

The directory is %SYSTEMROOT%\system32\repl\import\scripts, where %SYSTEMROOT% is the root directory for operating system files.

For example, if you installed Windows NT into C:\WINNT, the NETLOGON directory is C:\WINNT\system32\repl\import\scripts.


Note   If you set NT replication to include logon scripts and one of the backup NT domain servers is unavailable during Client Module installation, replication copies the logon scripts to that domain server when it becomes available. If you are not using replication for logon scripts, you must update the logon script on all domain servers yourself.


Step 1   To update an existing logon script, add the following instruction as the first line of the logon script on the NT primary domain server:

@call %0\..\urt.bat

Step 2   Alternatively, to associate users directly with urt.bat as their logon script:

    a. Start the Windows User Manager administrative tool.

    b. Double-click a username.

    c. In the User Properties window, click Profile.

    d. In the User Environment Profile, enter urt.bat in the Logon Script Name text box, then click OK.



Domain Logon Script Configuration Procedure for Novell NetWare


Caution   If you are using Novell NetWare, do not edit the urt.bat file.

Use the Novell Application Launcher (NAL) program to add this instruction to the logon properties for the organization object that contains the users, groups, and other organizational units you want to manage:

@\\%FILE_SERVER\sys\public\urt\urt.bat %FILE_SERVER

Deleting NT Domains or NDS Directories from URT

If you no longer want to manage the users in a particular NT domain or NDS directory, you can remove the domain or directory from the NT and NDS Domains folder in URT.


Note   Deleting a domain or directory removes all user associations to VLANs for that domain or directory.

You must have NT Administrator authority in the domain or NDS read and browse privileges in the directory. For more information, see the "Having Authority in Domains" section.


Step 1   Select the domain or directory in the NT and NDS Domains folder.

Step 2   Click Delete or select Edit>Delete.

Step 3   In the confirmation dialog box, click Yes.

Step 4   To remove URT completely from the domain:

    a. Remove the Client Module from user workstations in the domain. For instructions, see the "Removing the URT Client Module from the Network" section.

    b. Stop the domain servers from directing user logons to URT VPSs, then delete the urt.bat file. For instructions, see the "Removing URT from Its Role in Handling User Logons" section.



Deleting a VTP Domain from URT

You can delete a VTP domain after all switches in the domain are removed.


Step 1   Select the VTP domain folder to delete.

Step 2   Click Delete or select Edit>Delete.

Step 3   In the confirmation dialog box, click Yes.



Managing LDAP Servers

For web logons, URT supports Active Directory (AD) and NDS domains that use Lightweight Directory Access Protocol (LDAP). When a web client logs on from an LDAP domain, the VPS searches that LDAP tree to locate the user. URT then searches the tree from bottom to top, starting at the user's entry and moving up through the enclosing containers toward the base DN, until it finds a VLAN association for the user. If no VLAN association is found, the user remains in the current (logon) VLAN.

URT supports redundant LDAP servers. If the primary LDAP server fails, URT can query a second or third LDAP server for the user, group, or organizational unit assignment.
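The walk-up search and server fallback just described, as an added example (Python, not URT's code): the directory snapshot, VLAN associations and server list are constructed; the DN parser honours RFC 4514 backslash escapes so an escaped comma inside an RDN is not taken as a separator; and the choice to check a user's groups before its containers is the example's own assumption, since the text only says the search runs from bottom to top. The same ordered try-the-next-one-on-failure loop is what the "Setting the Group Refresh Order" section describes for domain controllers.

```python
"""Bottom-to-top VLAN lookup in an LDAP tree, with ordered server failover (added example)."""

# Constructed directory snapshot: normalized DN -> attributes (not a live server).
DIRECTORY = {
    "cn=jdoe,ou=engineering,dc=example,dc=com": {
        "memberOf": ["cn=Lab Users,ou=Groups,dc=example,dc=com"]},
    "cn=asmith,ou=engineering,dc=example,dc=com": {"memberOf": []},
    "cn=guest,ou=visitors,dc=example,dc=com": {"memberOf": []},
}
# Constructed VLAN associations: normalized DN -> (VTP domain, VLAN name).
ASSOCIATIONS = {
    "cn=lab users,ou=groups,dc=example,dc=com": ("URT-1", "Vlan16"),
    "ou=engineering,dc=example,dc=com": ("URT-1", "Vlan6"),
}
BASE_DN = "dc=example,dc=com"


def split_dn(dn):
    """Split a DN into RDN strings, honouring RFC 4514 backslash escapes so
    that 'cn=Doe\\, John,ou=X' yields two RDNs rather than three."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return [r.strip() for r in rdns]


def normalize_dn(dn):
    """Canonical form for comparison: RDNs trimmed, lower-cased, joined by ','.
    This is what makes 'cn=jdoe, ou=Engineering, ...' match the stored key."""
    return ",".join(r.lower() for r in split_dn(dn))


def ancestors(dn, base_dn):
    """Yield dn, then each enclosing container, up to and including base_dn.
    Refuses a DN outside the base so the search cannot escape the configured tree."""
    rdns, base = split_dn(normalize_dn(dn)), split_dn(normalize_dn(base_dn))
    if len(rdns) < len(base) or rdns[-len(base):] != base:
        raise ValueError("DN %r is outside base DN %r" % (dn, base_dn))
    for i in range(len(rdns) - len(base) + 1):
        yield ",".join(rdns[i:])


def resolve_vlan(directory, associations, user_dn, base_dn):
    """Bottom-to-top search: the user's own entry, then the groups it belongs to
    (assumed to rank above containers), then each container up to the base DN.
    Returns (VTP domain, VLAN) or None, meaning the user keeps the logon VLAN."""
    key = normalize_dn(user_dn)
    entry = directory.get(key)
    if entry is None:
        raise LookupError("user not found: " + user_dn)
    candidates = [key]
    candidates += [normalize_dn(g) for g in entry.get("memberOf", [])]
    candidates += list(ancestors(user_dn, base_dn))[1:]
    for dn in candidates:
        if dn in associations:
            return associations[dn]
    return None


def resolve_with_failover(servers, user_dn, base_dn):
    """servers: ordered (name, fetch) pairs; fetch() returns (directory,
    associations) or raises ConnectionError. The first reachable server answers."""
    for name, fetch in servers:
        try:
            directory, associations = fetch()
        except ConnectionError:
            continue                      # primary down: try the next replica
        return name, resolve_vlan(directory, associations, user_dn, base_dn)
    raise ConnectionError("no LDAP server reachable")


def _unreachable():
    raise ConnectionError("constructed outage")


def demo_failover():
    """Primary is down; the secondary answers from the same (constructed) data."""
    servers = [("ldap1", _unreachable), ("ldap2", lambda: (DIRECTORY, ASSOCIATIONS))]
    return resolve_with_failover(servers, "cn=jdoe, ou=Engineering, dc=example, dc=com", BASE_DN)
```

Note that the group association wins for jdoe even though the enclosing OU also has one, because the group is checked earlier in the candidate list; if your deployment expects the OU to win, reorder the candidates rather than the data.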

Searching an LDAP Directory

When searching for a string in the Directories folder, URT looks only in the expanded folders in the left pane, not in closed folders. You can expand your search to specific directories.


Step 1   Expand the folders under the Directories folder.

Step 2   Select the top-level directory.

Step 3   Select Edit>Find.

Step 4   Enter the search string.



Adding LDAP Servers

You must add the LDAP servers you want URT to manage to the Directories folder in URT. You can add multiple LDAP directories and assign VLANs at any point in the LDAP tree to users, groups, or organizational units. The tree supports multiple tree levels.

You must have an LDAP logon with read and browse privileges in the directory. For more information, see the "Having Authority in Domains" section.


Step 1   Select the Directories folder.

Step 2   To add a new directory, click Add or select Edit>Add.

Step 3   In the Add Directory window, click the AD or NDS tab (depending on your platform).

Step 4   Enter the LDAP server host and port for the LDAP server.

Step 5   Enter your LDAP user ID in LDAP format (for example, cn=username, cn=Users, dc=domainname, dc=company, dc=com).

Step 6   Enter your LDAP password.

Step 7   Select the interval at which the Client Module looks up the user in the LDAP tree to determine if the user's Distinguished Name (DN) has changed.

Step 8   Enter the base DN.

The base DN is the base name used to search for organizational units and users. To obtain the base DNs on the server, click Get Initial DN.


Note    You can add the same LDAP server multiple times if the base DN is unique for each instance.

Step 9   If you are adding a directory exclusively for web logons, select the Web-only logon domain checkbox.


Note    If you also want to use the directory for traditional logons, do not select this checkbox. In that case, URT installs the logon batch script on the domain controller and supports auto-install for NT clients.

URT cannot retrieve the domain name for NDS servers. Because NDS does not support auto-install, the NT user ID and password are not required. (NDS has a proprietary Novell logon screen that prompts for a user ID and password during installation of the NDS logon script.)

Step 10   Click OK.

URT creates a folder for the domain or directory, and all defined users are listed in the new folder.


Configuring LDAP Servers

You might need to change configuration settings after adding an LDAP server.

You must have an LDAP logon and NDS read and browse privileges in the directory. For more information, see the "Having Authority in Domains" section.


Step 1   In the Directories folder, click the LDAP server to be reconfigured.

Step 2   Click Configure or select Customize>Configure.

Step 3   Make the desired changes to the configuration setup.

Step 4   Click OK.



Deleting LDAP Servers

You must have an LDAP logon and NDS read and browse privileges in the directory. For more information, see the "Having Authority in Domains" section.


Step 1   In the Directories folder, click the LDAP server to delete.

Step 2   Click Delete or select Edit>Delete.

Step 3   Click Yes in the confirmation dialog box.



Setting LDAP Web Associations

In addition to VLAN associations, you can set web associations for an LDAP server.


Step 1   In the Directories folder, double-click an LDAP server.

Step 2   Click the Web Associations tab.

Step 3   To log on the user and remove the logoff window, select the checkbox.


Note    If you select this option, web users do not have a logoff window. They remain logged on until they power off or disconnect their systems.

Step 4   Click OK.



Managing RADIUS Servers

For web logons, URT supports the use of RADIUS server authentication from Cisco Secure ACS and other AAA servers. You can add multiple RADIUS servers to authenticate web clients.

Overview of RADIUS Authentication Support

When a web user logs onto a RADIUS domain, the RADIUS server authenticates the user ID and password. If the user is successfully authenticated, the RADIUS attribute for the VLAN mappings is checked.

The RADIUS attribute has the following syntax:

VTPDomainName\VLANName;VTPDomainName\VLANName;

For example:

URT:Vlan-Association=URT-1\Vlan6;
URT:Vlan-Association=URT-2\Vlan16;
URT:Allow-Multiple-Users=TRUE;
URT:Logon-User-Only=FALSE
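A parser for these strings, as an added example (Python, not URT's code). It takes the string values of the vendor attributes in an Access-Accept and rejects anything that is not exactly VTPDomainName\VLANName, a missing '=', or a flag that is not TRUE or FALSE, so a malformed or tampered reply never silently yields a VLAN assignment. The literal URT: prefix is taken from the example above; strings without it are assumed to belong to some other application and are skipped.

```python
"""Parser and validator for the URT reply attributes shown above (added example)."""
import re

PREFIX = "URT:"
# One VTPDomainName\VLANName pair: exactly one backslash, neither side empty.
_PAIR = re.compile(r"^([^\\;]+)\\([^\\;]+)$")


def parse_vlan_associations(value):
    """'URT-1\\Vlan6;URT-2\\Vlan16;' -> [('URT-1', 'Vlan6'), ('URT-2', 'Vlan16')].
    A trailing ';' is part of the syntax; anything else malformed is rejected."""
    pairs = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        match = _PAIR.match(item)
        if match is None:
            raise ValueError("malformed VLAN association %r" % item)
        pairs.append((match.group(1), match.group(2)))
    if not pairs:
        raise ValueError("Vlan-Association carries no VTPDomainName\\VLANName pair")
    return pairs


def parse_flag(value, key):
    """TRUE/FALSE (case-insensitive, optional trailing ';') -> bool."""
    text = value.strip().rstrip(";").upper()
    if text in ("TRUE", "FALSE"):
        return text == "TRUE"
    raise ValueError("%s: expected TRUE or FALSE, got %r" % (key, value))


def parse_urt_attributes(values):
    """values: the string values of the reply's vendor attributes. Strings without
    the URT: prefix are ignored; malformed or unknown URT: strings raise ValueError."""
    result = {"Vlan-Association": [], "Allow-Multiple-Users": None, "Logon-User-Only": None}
    for raw in values:
        if not raw.startswith(PREFIX):
            continue
        key, sep, value = raw[len(PREFIX):].partition("=")
        if not sep:
            raise ValueError("missing '=' in %r" % raw)
        if key == "Vlan-Association":
            result[key].extend(parse_vlan_associations(value))
        elif key in ("Allow-Multiple-Users", "Logon-User-Only"):
            if result[key] is not None:
                raise ValueError("duplicate %s" % key)
            result[key] = parse_flag(value, key)
        else:
            raise ValueError("unknown URT attribute %r" % key)
    return result


def vlan_for_domain(parsed, vtp_domain):
    """VLAN to assign in one VTP domain, or None to leave the user in the logon VLAN."""
    for domain, vlan in parsed["Vlan-Association"]:
        if domain == vtp_domain:
            return vlan
    return None


def check_reply(values):
    """Non-raising wrapper for logging: (True, parsed) or (False, reason)."""
    try:
        return True, parse_urt_attributes(values)
    except ValueError as exc:
        return False, str(exc)


# Constructed reply mirroring the example in the text.
SAMPLE_REPLY = [
    "URT:Vlan-Association=URT-1\\Vlan6;",
    "URT:Vlan-Association=URT-2\\Vlan16;",
    "URT:Allow-Multiple-Users=TRUE;",
    "URT:Logon-User-Only=FALSE",
]
```

The two flags default to None rather than False so that a reply that omits them can be told apart from one that sets them; the text does not state what URT assumes when they are absent, so the caller decides.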

Table 4-3 shows the URT attributes that correspond with the RADIUS attributes.

Table 4-3   Corresponding URT and RADIUS Attributes

URT Attribute                RADIUS Attribute (Attribute Number)

User Name                    User-Name (1)
Client IP Address            Framed-IP-Address (8)
MAC Address                  Calling-Station-Id (31)
Subnet Address               Framed-IP-Netmask (9)
Gateway Address              Framed-Route (22)
Switch Address               NAS-IP-Address (4)
Switch Port                  NAS-Port (5)
URT VPS                      Called-Station-Id (30)
VTP Domain Name/VLAN Name    Vendor-Specific (26)

Attribute numbers are those assigned in RFC 2865.

URT sends accounting records to the RADIUS server. The RADIUS server that authenticates a web user maintains the logon and logoff accounting data for that user. At a set interval, accounting packets are updated for all users logged onto URT.
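How the authentication and accounting keys are used on the wire, as an added example (Python, not URT's or the ACS code), with attributes numbered as in RFC 2865 (Vendor-Specific is 26). It builds the Access-Request a VPS would send carrying the Table 4-3 attributes, hides User-Password with the RFC 2865 MD5 transform, checks the Response Authenticator of the Access-Accept against the shared secret, builds an Accounting-Request with the RFC 2866 authenticator, and shows that an Access-Accept forged with a guessed key fails verification. The secret, addresses and MAC are constructed, and the assumption that URT's strings ride in a Cisco (vendor 9) cisco-avpair (type 1) VSA is the example's own.

```python
"""Minimal RADIUS exchange over the Table 4-3 attributes (added example, not URT code)."""
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5           # RFC 2865 numbers
FRAMED_IP_ADDRESS, VENDOR_SPECIFIC, CALLED_STATION_ID, CALLING_STATION_ID = 8, 26, 30, 31

def attr(atype, value):
    """Type-Length-Value; the length octet counts itself and the type, so value <= 253."""
    value = value.encode() if isinstance(value, str) else value
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute %d has bad length %d" % (atype, len(value)))
    return struct.pack("!BB", atype, len(value) + 2) + value

def vsa(vendor_id, vendor_type, text):
    """Vendor-Specific (26): Vendor-Id, then vendor type/length/value.
    Assumption: the URT strings ride as Cisco (9) cisco-avpair (1)."""
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", vendor_id, vendor_type, len(text) + 2) + text.encode())

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: each 16-octet chunk is XORed with MD5(secret + previous chunk),
    seeded with the Request Authenticator; only the secret holder can invert it."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, request_auth):
    """Server side of the same transform; the chain runs over the received ciphertext."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()

def build_access_request(secret, ident, user, password, client_ip, mac, switch_ip, port, vps):
    """What the VPS sends for a web logon; the Request Authenticator must be fresh and random."""
    request_auth = os.urandom(16)
    body = b"".join([
        attr(USER_NAME, user),
        attr(USER_PASSWORD, hide_password(password, secret, request_auth)),
        attr(NAS_IP_ADDRESS, socket.inet_aton(switch_ip)), attr(NAS_PORT, struct.pack("!I", port)),
        attr(FRAMED_IP_ADDRESS, socket.inet_aton(client_ip)), attr(CALLING_STATION_ID, mac),
        attr(CALLED_STATION_ID, vps)])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def build_reply(secret, request, code, attrs):
    """Server reply: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    head = struct.pack("!BBH", code, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body

def verify_reply(secret, request, reply):
    """Client check: same ID, bound to our Request Authenticator, MAC made with the shared secret."""
    if len(reply) < 20 or reply[1] != request[1] or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def build_accounting_request(secret, ident, attrs):
    """RFC 2866: the Request Authenticator is MD5(Code+ID+Length+16 zero octets+Attributes+Secret),
    computed with the accounting key, so the server can check who sent the record."""
    body = b"".join(attrs)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return head + hashlib.md5(head + b"\x00" * 16 + body + secret).digest() + body

def verify_accounting_request(secret, pkt):
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def parse_attrs(pkt):
    """Yield (type, value) pairs; refuse a length that would run off the packet."""
    i = 20
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            raise ValueError("bad attribute length at offset %d" % i)
        yield pkt[i], pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]

def demo(secret=b"constructed-shared-secret"):
    """A genuine Access-Accept verifies; one forged with a guessed key does not."""
    req = build_access_request(secret, 7, "jdoe", "s3cret", "10.1.2.3", "00-11-22-33-44-55", "10.1.1.1", 5, "vps1")
    accept = build_reply(secret, req, ACCESS_ACCEPT, [vsa(9, 1, "URT:Vlan-Association=URT-1\\Vlan6;")])
    forged = build_reply(b"guessed-key", req, ACCESS_ACCEPT, [vsa(9, 1, "URT:Vlan-Association=URT-1\\Vlan99;")])
    urt_strings = [v[6:].decode() for t, v in parse_attrs(accept) if t == VENDOR_SPECIFIC]
    return verify_reply(secret, req, accept), verify_reply(secret, req, forged), urt_strings
```

This is the whole job of the keys entered in Steps 11 and 12 of the next procedure: every authenticator is an MD5 over the packet plus the key, so a host that does not hold the exact key the VPS was given cannot produce an Access-Accept (and thus a VLAN assignment) the VPS will trust, and the VPS cannot send accounting records such a host will accept. RFC 2865 provides no stronger integrity than this MD5 construction, so keep the keys long and random.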

Adding RADIUS Servers

You must have the RADIUS authentication and accounting keys. For more information, see the "Having Authority in Domains" section.


Step 1   Select the RADIUS Servers folder.

Step 2   Click Add or select Edit>Add.

The Add RADIUS Server window is displayed (Figure 4-1).


Figure 4-1   Adding a RADIUS Server


Step 3   Enter the RADIUS server IP address.

Step 4   Enter the RADIUS server authentication port.

Step 5   Enter the RADIUS server accounting port.

Step 6   Enter the RADIUS reconfirm interval (in seconds). This is the frequency for sending accounting packets for currently logged on users.

Step 7   To verify client attributes while a client is logged on, select the Verify associations while logged on checkbox.


Note    If you do not select this checkbox, the VPS does not verify whether client attributes have changed while a client is logged on. Attributes are checked the next time the client logs on.

Step 8   Enter the interval for verifying client attributes. The interval is a number of client sync cycles, not minutes: a client sync occurs every 5 minutes, and the default interval is 12 cycles, so verification occurs every 60 minutes (12 x 5).

Step 9   Enter the domain name to display during web client logon.

Step 10   From the URT VPS Servers list, select the desired server.

Step 11   Enter the RADIUS authentication key.

Step 12   Enter the RADIUS accounting key.


Note    The authentication and accounting keys are the RADIUS shared secrets; they must match the keys configured on the RADIUS server for the VPS. For the Cisco ACS RADIUS server, the authentication and accounting keys are the same.

Step 13   Click Add.




Tip You can reuse the domain name for a secondary (backup) RADIUS server.

Configuring RADIUS Servers

You might need to edit configuration settings after adding a RADIUS server.

You must have the RADIUS authentication and accounting keys. For more information, see the "Having Authority in Domains" section.


Step 1   In the RADIUS Servers folder, click the RADIUS server to reconfigure.

Step 2   Click Configure or select Customize>Configure.

Step 3   Make the desired changes to the configuration setup.

Step 4   Click Add.



Deleting RADIUS Servers

You must have the RADIUS authentication and accounting keys. For more information, see the "Having Authority in Domains" section.


Step 1   In the RADIUS Servers folder, click the RADIUS server to delete.

Step 2   Click Delete or select Edit>Delete.

Step 3   Click Yes in the confirmation dialog box.




Posted: Tue May 20 18:32:36 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.