I'm setting up a remote access solution for a client that entails
thousands of users connecting to their Intranet, with various groups of
users requiring specific services or applications on the network both as a
node on the network, and as a simple asynchronous remote client.
Secondary authentication is being implemented in order that employees
access the Intranet and the NT domain securely - using the ActiveCard
product in unison with a Radius security server. All this is tied into
several Bay Networks remote annex 6300 series modem pools.
There are three tiers of network access levels - primary authentication or
modem access, secondary authentication (node on the Intranet), and NT
domain access - full network access.
A UNIX host is being used for primary authentication for the annex
machines, using the UNIX userid and passwd scheme inherent to the O.S.
I have a couple questions I was hoping to get some help with from the
1. If I use a UNIX host for primary authentication, and then
determine which services or servers/hosts can be accessed by groups of
a. Is it better to use the Bay Networks acp login control mechanisms
or to use UNIX shell scripts to control the login process after primary
authentication? How would I deny service or disallow ip address access?
b. What is the best way to differentiate which servers/hosts can be seen
by remote users on the network once they are authenticated secondarily,
and have become a node on the network? In terms of a DNS server or some
2. Is there a simple or painless method for synchronizing UNIX
/etc/passwd files with NT SAM database files? I don't want to maintain
userids and passwords for 40,000 users on multiple systems if I can help
3. Are three levels of authentication out of the ordinary for this kind of
4. Is anyone out there using Radius for primary and secondary
authentication and how is that working out?
It seems each time we try to implement NT servers in this scenario, we get
hammered by proprietary file formats of one type or another and end up
reverting to UNIX services to accomplish login control, authentication,
and secondary authentication. I'm stuck with NT for domain login control,
however, and I'm not liking it very much...
Donald R. Martin
New Edge Technologies
Starduster Software, Inc.
email: grey @
web : www.usa.net/~grey/
PGP Public Key
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
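Question 2 above asks about keeping UNIX /etc/passwd and NT SAM accounts in step for tens of thousands of users. The script below is an added illustration, not code from the original post or from any product named in it: it reconciles a passwd-format account list against a hypothetical CSV export of NT accounts (username plus a disabled flag, a format assumed here) and reports accounts that exist on only one side, or that NT has disabled while the UNIX side still allows a login shell. Sample input is constructed inline.

```python
"""Reconcile UNIX /etc/passwd accounts against an NT account export.

Added example (not the original poster's code). Assumes the NT side can
produce a CSV with the columns ``username,disabled`` - that export format
is a hypothetical placeholder, not a documented SAM format.
"""
import csv
import io

# Constructed sample /etc/passwd content; not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
dmartin:x:1001:100:Donald Martin:/home/dmartin:/bin/sh
jsmith:x:1002:100:Jane Smith:/home/jsmith:/bin/sh
old_contractor:x:1003:100:Left company:/home/old_contractor:/bin/sh
nologin_svc:x:1004:100:Service acct:/var/svc:/sbin/nologin
"""

# Constructed NT export in the assumed username,disabled format.
SAMPLE_NT_EXPORT = """\
username,disabled
dmartin,0
jsmith,0
bjones,0
old_contractor,1
"""

# Shells that deny an interactive login on the UNIX side.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_passwd(text, min_uid=1000):
    """Return {username: shell} for ordinary accounts (UID >= min_uid).

    System accounts below min_uid are skipped because they are not expected
    to have NT counterparts. Malformed lines are skipped rather than guessed.
    """
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        try:
            if int(uid) < min_uid:
                continue
        except ValueError:
            continue
        accounts[name.lower()] = shell
    return accounts


def parse_nt_export(text):
    """Return {username: disabled_flag} from the assumed CSV export."""
    reader = csv.DictReader(io.StringIO(text))
    return {
        row["username"].strip().lower(): row["disabled"].strip() == "1"
        for row in reader
    }


def reconcile(passwd_text, nt_text):
    """Compare the two account lists and return the drift found."""
    unix = parse_passwd(passwd_text)
    nt = parse_nt_export(nt_text)
    both = set(unix) & set(nt)
    return {
        # Accounts the NT domain does not know about.
        "unix_only": sorted(set(unix) - set(nt)),
        # Domain accounts with no UNIX login for primary authentication.
        "nt_only": sorted(set(nt) - set(unix)),
        # Disabled in the domain but still able to log in at tier one.
        "disabled_in_nt_but_active_on_unix": sorted(
            name for name in both
            if nt[name] and unix[name] not in NOLOGIN_SHELLS
        ),
    }


if __name__ == "__main__":
    for key, names in reconcile(SAMPLE_PASSWD, SAMPLE_NT_EXPORT).items():
        print(f"{key}: {', '.join(names) or '(none)'}")
```

The check deliberately compares account existence and enablement only: UNIX crypt hashes and NT SAM hashes use different algorithms, so a password cannot be converted from one store to the other by comparing files, which is why true synchronization needs a shared authentication source (such as the RADIUS server already in the design) rather than a copy job. Run on a schedule, the "disabled in NT but active on UNIX" list is the one worth alerting on, since it is where a terminated user could still reach the modem tier.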