Traditional logon domains are NT and Novell Directory Services (NDS) domains. Web logon domains include Lightweight Directory Access Protocol (LDAP) directories (AD and NDS) and Remote Authentication Dial-In User Service (RADIUS) domains.
These topics describe how to set up domains, directories, and servers:
Table 4-1 describes the authorities you must have to change domains or directories in URT.
Table 4-1 Authorities Required to Change Domains and Directories
You must add the NT domains and NDS directories you want URT to manage to the NT and NDS Domains folder.
Note When you add an NT domain or NDS directory to your network, you must also add the domain or directory to URT.
You must have NT Administrator authority in the domain or NDS read and browse privileges in the directory. For more information, see the "Having Authority in Domains" section.
Step 2 Click Add or select Edit>Add.
The Domain Name window is displayed.
Step 3 Select the name of the NT domain or NDS directory you want to add. If the domain or directory is not in the list, enter it in the text box.
Step 4 Click OK.
URT creates a folder for the NT domain or NetWare directory, listing all users defined in the domain or directory.
You must configure domain logon options for each domain server. You can also enter a list of domain controllers for each domain to determine the order the Administrative Server uses during group (membership) to VLAN assignment refreshes.
You can set domain logon options to edit the URT logon script that resides on each domain server and runs from the network logon script. All users in a domain are assigned the domain logon options you configure.
You must have NT Administrator authority in the domain or NDS read and browse privileges in the directory. For more information, see the "Having Authority in Domains" section.
Step 2 Select a domain folder.
Step 3 Select Customize>Configure Domain Options.
Step 4 Click the Logon Options tab.
Step 5 Select the desired domain options.
Step 6 Enter any required information.
Each option is described in Table 4-2.
Step 7 Click OK.
URT displays a list of domain servers or NDS NetWare servers found in the selected domain.
Step 8 To install the new logon script options on the domain servers, click Yes.
Note Your changes do not take effect until you install them on the domain servers; to do so, click Yes.
Table 4-2 Domain Logon Options
To determine the order that the Administrative Server uses during group refreshes, you can enter a list of domain controllers for each domain. During a refresh, the Administrative Server checks the domain controllers in the order you specify. If the first controller in the list is unavailable, the server checks the next one on the list, and so on.
By default, the Primary Domain Controller (PDC) is first in the list, followed by all Backup Domain Controllers (BDCs).
Note You can rearrange the order to suit your needs. For example, you can place BDCs at the top to refresh first and reduce the load on your PDCs. If you move a BDC to the top of the list, it is checked before the PDC; however, you must first make sure that the BDC is properly synchronized with the PDC. You can also remove the PDCs from the list to further reduce the load.
Step 2 Click the Group Refresh Order tab.
Step 3 To change the position of a BDC in the list, select the BDC, then click Up (to move it higher) or Down (to move it lower).
Note Click Refresh Group List to return the list to the default order. If you click this in error, click Cancel. If a domain controller has recently been added to or deleted from the network, the changes are reflected when you click Refresh Group List.
Step 4 To delete a domain controller from the refresh list, select the domain controller, then click Remove.
Step 5 To confirm the deletion, click Yes.
Step 6 After reordering the domain controllers, click OK.
URT automatically prompts you to reinstall the logon script when you make changes that require it (for example, when changing domain logon options).
If you did not install the logon script when prompted, you can do so later using the instructions in this section.
You must have NT Administrator authority in the domain or NDS read and browse privileges in the directory. For more information, see the "Having Authority in Domains" section.
Step 2 Select Customize>Install URT Logon Script.
URT displays a list of domain servers or NDS NetWare servers found in the selected domain.
Step 3 Click Yes.
URT installs the URT logon script (urt.bat) on the domain servers and NDS NetWare servers, and displays a message box to show the status of the installation.
Step 4 If necessary, repeat this procedure for every NT domain or NDS directory in your network.
Note You must manually add any NT domains or NDS directories that are missing from the NT and NDS Domains folder. To do so, select the NT and NDS Domains folder, then click Add or select Edit>Add. Enter the name of the missing domain or directory (or select one from the list), then click OK.
You must update (or create) the URT logon script (urt.bat), on your primary domain server. You run this procedure once to make sure that users run the logon script at logon. Running the script directs user logons to the URT VPSs.
If you do not already have a logon script, you must either create one or associate users directly with urt.bat as the logon script.
For NT domain servers, the urt.bat file is installed in the NETLOGON directory.
The directory is %SYSTEMROOT%\system32\repl\import\scripts, where %SYSTEMROOT% is the root directory for operating system files.
For example, if you installed Windows NT into C:\WINNT, the NETLOGON directory is C:\WINNT\system32\repl\import\scripts.
Note If you set NT replication to include logon scripts and one of the backup NT domain servers is unavailable during Client Module installation, the logon scripts are copied to that domain server. If you are not using replication for logon scripts, you must update the logon script on all domain servers.
Step 2 To associate users directly with urt.bat as the logon script:
a. Start the Windows User Manager administrative tool.
c. In the User Properties window, click Profile.
d. In the User Environment Profile, enter urt.bat in the Logon Script Name text box, then click OK.
Caution If you are using Novell NetWare, do not edit the urt.bat file.
Use the Novell Application Launcher (NAL) program to add this instruction to the logon properties for the organization object that contains the users, groups, and other organizational units you want to manage:
If you no longer want to manage the users in a particular NT domain or NDS directory, you can remove the domain or directory from the NT and NDS Domains folder in URT.
Note Deleting a domain or directory removes all user associations to VLANs for that domain or directory.
You must have NT Administrator authority in the domain or NDS read and browse privileges in the directory. For more information, see the "Having Authority in Domains" section.
Step 2 Click Delete or select Edit>Delete.
Step 3 In the confirmation dialog box, click Yes.
Step 4 To remove URT completely from the domain:
a. Remove the Client Module from user workstations in the domain. For instructions, see the "Removing the URT Client Module from the Network" section.
b. Stop the domain servers from directing user logons to URT VPSs, then delete the urt.bat file. For instructions, see the "Removing URT from Its Role in Handling User Logons" section.
You can delete a VTP domain after all switches in the domain are removed.
Step 2 Click Delete or select Edit>Delete.
Step 3 In the confirmation dialog box, click Yes.
For web logons, URT supports Active Directory (AD) and NDS domains that use Lightweight Directory Access Protocol (LDAP). When a web client logs on from an LDAP domain, the VPS searches that LDAP tree to locate the user. URT searches the LDAP tree from bottom to top until it finds a VLAN association for the user. If no VLAN associations are found, the user remains in the current (logon) VLAN.
URT supports redundant LDAP servers. If the primary LDAP server fails, URT can query a second or third LDAP server for the user, group, or organizational unit assignment.
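The bottom-to-top tree walk and the redundant-server behaviour described in the two paragraphs above, as an added example that is not URT code and makes no claim about URT's internal implementation; the DNs, VLAN numbers and LDAP hosts are constructed:

```python
# Added example (not Cisco URT code): how a VPS could resolve a web user's VLAN
# by walking the LDAP tree from the user entry up to the base DN, and how it
# could fail over across redundant LDAP servers. All sample data is constructed.
class LdapServerDown(Exception):
    pass

def split_dn(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas; normalise case."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escaped char verbatim
            cur += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            parts.append(cur.strip().lower())
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur.strip().lower())
    return [p for p in parts if p]

def resolve_vlan(user_dn, base_dn, associations, logon_vlan):
    """Check the user entry, then each ancestor up to the base DN (bottom to top).
    The first VLAN association found wins; if none is found, stay in the logon VLAN."""
    rdns = split_dn(user_dn)
    assoc = {",".join(split_dn(k)): v for k, v in associations.items()}
    for depth in range(len(rdns) - len(split_dn(base_dn)) + 1):
        candidate = ",".join(rdns[depth:])
        if candidate in assoc:
            return assoc[candidate]
    return logon_vlan

def query_with_failover(servers, query):
    """Try servers in configured order: primary first, then the second and third."""
    for host in servers:
        try:
            return host, query(host)
        except LdapServerDown:
            continue   # this server is unreachable; fall through to the next one
    raise LdapServerDown("no configured LDAP server is reachable")

# Constructed sample data: VLAN 30 for the whole Finance OU, VLAN 31 for Alice only.
ASSOCIATIONS = {"ou=Finance,ou=Staff,dc=example,dc=com": 30,
                "cn=Alice,ou=Finance,ou=Staff,dc=example,dc=com": 31}
SERVERS = ["ldap1.example.com", "ldap2.example.com", "ldap3.example.com"]

def lookup_user(user_dn, reachable=frozenset(SERVERS)):
    def query(host):   # simulated LDAP query; 'reachable' models which hosts answer
        if host not in reachable:
            raise LdapServerDown(host)
        return resolve_vlan(user_dn, "dc=example,dc=com", ASSOCIATIONS, 10)
    return query_with_failover(SERVERS, query)
```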
When searching for a string in the Directories folder, URT looks only in the expanded folders in the left pane, not in closed folders. You can expand your search to specific directories.
Step 2 Select the top-level directory.
Step 3 Select Edit>Find.
Step 4 Enter the search string.
You must add the LDAP servers you want URT to manage to the Directories folder in URT. You can add multiple LDAP directories and assign VLANs at any point in the LDAP tree to users, groups, or organizational units. The tree supports multiple tree levels.
You must have an LDAP logon and have NDS read and browse privileges in the directory. For more information, see the "Having Authority in Domains" section.
Step 2 To add a new directory, click Add or select Edit>Add.
Step 3 In the Add Directory window, click the AD or NDS tab (depending on your platform).
Step 4 Enter the LDAP server host and port for the LDAP server.
Step 5 Enter your LDAP user ID in LDAP format (for example, cn=username, cn=Users, dc=domainname, dc=company, dc=com).
Step 6 Enter your LDAP password.
Step 7 Select the interval at which the Client Module looks up the user in the LDAP tree to determine if the user's Distinguished Name (DN) has changed.
Step 8 Enter the base DN.
The base DN is the base name used to search for organizational units and users. To obtain the base DNs on the server, click Get Initial DN.
Step 9 If you are adding a directory exclusively for web logons, select the Web-only logon domain checkbox.
URT installs the logon batch script on the domain controller and supports auto-install of NT clients.
URT cannot retrieve the domain name for NDS servers. Because NDS does not support auto-install, the NT user ID and password are not required. (NDS has a proprietary Novell logon screen that prompts for a user ID and password during installation of the NDS logon script.)
Step 10 Click OK.
URT creates a folder for the domain or directory, and all defined users are listed in the new folder.
You might need to change configuration settings after adding an LDAP server.
You must have an LDAP logon and NDS read and browse privileges in the directory. For more information, see the "Having Authority in Domains" section.
Step 2 Click Configure or select Customize>Configure.
Step 3 Make the desired changes to the configuration setup.
Step 4 Click OK.
You must have an LDAP logon and NDS read and browse privileges in the directory. For more information, see the "Having Authority in Domains" section.
Step 2 Click Delete or select Edit>Delete.
Step 3 Click Yes in the confirmation dialog box.
In addition to VLAN associations, you can set web associations for an LDAP server.
Step 2 Click the Web Associations tab.
Step 3 To log on the user and remove the logoff window, select the checkbox.
Note If you select this option, web users do not have a logoff window. They remain logged on until they power off or disconnect their systems.
Step 4 Click OK.
For web logons, URT supports the use of RADIUS server authentication from Cisco Secure ACS and other AAA servers. You can add multiple RADIUS servers to authenticate web clients.
When a web user logs onto a RADIUS domain, the RADIUS server authenticates the user ID and password. If the user is successfully authenticated, the RADIUS attribute for the VLAN mappings is checked.
The RADIUS attribute has the following syntax:
Table 4-3 shows the URT attributes that correspond with the RADIUS attributes.
URT sends accounting records to the RADIUS server. The RADIUS server that authenticates a web user maintains the logon and logoff accounting data for that user. At a set interval, accounting packets are updated for all users logged onto URT.
You must have RADIUS authentication. For more information, see the "Having Authority in Domains" section.
Step 2 Click Add or select Edit>Add.
The Add RADIUS Server window is displayed (Figure 4-1).
Step 3 Enter the RADIUS server IP address.
Step 4 Enter the RADIUS server authentication port.
Step 5 Enter the RADIUS server accounting port.
Step 6 Enter the RADIUS reconfirm interval (in seconds). This is the frequency for sending accounting packets for currently logged on users.
Step 7 To verify client attributes while a client is logged on, select the Verify associations while logged on checkbox.
Note If you do not select this checkbox, the VPS does not verify whether client attributes have changed while a client is logged on. Attributes are checked the next time the client logs on.
Step 8 Enter the interval for verifying client attributes. A client sync message takes 5 minutes and the default interval is 12 minutes; therefore, verification occurs every 60 minutes (12 x 5).
Step 9 Enter the domain name to display during web client logon.
Step 10 From the URT VPS Servers list, select the desired server.
Step 11 Enter the RADIUS authentication key.
Step 12 Enter the RADIUS accounting key.
Step 13 Click Add.
Tip You can reuse the domain name for a secondary (backup) RADIUS server.
You might need to edit configuration settings after adding a RADIUS server.
You must have RADIUS authentication privileges. For more information, see the "Having Authority in Domains" section.
Step 2 Click Configure or select Customize>Configure.
Step 3 Make the desired changes to the configuration setup.
Step 4 Click Add.
You must have RADIUS authentication. For more information, see the "Having Authority in Domains" section.
Step 2 Click Delete or select Edit>Delete.
Step 3 Click Yes in the confirmation dialog box.
Posted: Tue May 20 18:32:36 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.