Re: Splitting the Authentication for Ports on a PM2 (fwd)

William Bulley (web@merit.edu)
Thu, 19 Oct 1995 10:01:00 -0400 (EDT)

According to Brian 'MegaZone' Bikowicz:
>
> Once upon a time Mike Jipping shaped the electrons to say...
> >My question is: Is it possible to run TWO authentication servers -- one
> >for our department and one for the "other" department -- that the PM2
> >box will talk to to implement this? I can come up with
>
> We can't do this with our Radius. As you said, we only contact the second
> server if the first doesn't respond.
>
> I know Merit has *something* about using alternate servers, but I am not
> familiar with their implementation in this regard. You might want to
> check that.

Conceptually, it is really quite straightforward: the Merit version of
RADIUS supports a "proxy" or "relay" feature whereby requests (may) flow
from one server to another server, if the first server determines that
the request is not resolvable by it _and_ can identify another server
which _can_ resolve the request. This does not mean, try it here and
if it fails, try it over there. But it is more of a grand-central-station
or switching/routing idea.

The means by which requests are identified (and re-directed) is through
the use of "realms" attached to the user ID, as in jdoe@foo.bah.com, and
the foo.bah.com is the realm. We try to create realms which match some
authentication domain (where a RADIUS server runs) so that the user is
less confused (it resembles an email address, sort of). :-)

Regards,

web...

-- 
William Bulley, N8NXN              Senior Systems Research Programmer
Merit Network Inc.                 Domain: web@merit.edu
4251 Plymouth Road                 MaBell: (313) 764-9993
Ann Arbor, Michigan  48105-2785    Fax:    (313) 747-3185
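
The realm-based routing described in the message above, as an added illustration: this is not Merit's code and not part of the original post. The realm names, host names and the functions `split_user_id` and `route_request` are hypothetical, and treating a bare user name as belonging to the local realm is an assumption.

```python
# Added illustration: realm-based request routing (not Merit RADIUS code).
# All realm names, host names and function names below are constructed.

LOCAL_REALM = "cs.example.edu"

# Realm -> authentication server that can resolve users in that realm.
REALM_TABLE = {
    "cs.example.edu": "radius-cs.example.edu",
    "math.example.edu": "radius-math.example.edu",
}


def split_user_id(user_id):
    """Split 'jdoe@foo.bah.com' into ('jdoe', 'foo.bah.com').

    The realm is everything after the last '@'; DNS-style realms are
    compared case-insensitively, so the realm is lower-cased.
    """
    name, sep, realm = user_id.strip().rpartition("@")
    if not sep:
        return user_id.strip(), ""      # no realm given
    return name, realm.lower().rstrip(".")


def route_request(user_id, local_realm=LOCAL_REALM, table=REALM_TABLE):
    """Decide where a request goes, from the user ID alone.

    Returns (action, server, user_name); action is 'local', 'forward' or 'reject'.
    """
    name, realm = split_user_id(user_id)
    if not name:
        return ("reject", None, name)
    if realm == "":
        realm = local_realm             # assumption: bare names are local
    server = table.get(realm)
    if server is None:
        # Unknown realm: refuse rather than guess another server.
        return ("reject", None, name)
    action = "local" if realm == local_realm else "forward"
    return (action, server, name)


if __name__ == "__main__":
    for uid in ["jdoe@cs.example.edu", "asmith@MATH.example.edu",
                "bob", "eve@unknown.example.org", "@cs.example.edu"]:
        print(uid, "->", route_request(uid))
```

The decision depends only on the realm in the user ID, never on whether another server answered, which is the difference from primary/secondary failover.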