Panasonic NN46110-600 User Manual

Chapter 1 Authentication services

Figure 2: Authentication servers

The user ID (UID) is checked against the LDAP profile database. If the UID is
found in the LDAP database, the user is assigned to a group and acquires that
group’s attributes. Next, the password is checked, and if it is correct, the VPN
Router forms a tunnel.

If the UID is not in the LDAP profile database (internal or external), and if you
specified RADIUS as the next server to check, the UID and password are checked
against the RADIUS database. If the UID and password are correct, the VPN
Router checks to see if the RADIUS server returned a class attribute. The
RADIUS class attribute is treated as an LDAP group name. If a RADIUS class
attribute is returned, and it names an existing LDAP group, the VPN Router
applies the attributes of this group to this user’s session, and forms a tunnel. If the
group name does not exist, the user is given the RADIUS default group’s
attributes. If the UID and password are incorrect, the VPN Router rejects the user
request.

IPsec behaves the same as a PPTP session; the RADIUS server defines the group
for the user after authentication using the class attribute group identifier. The only
difference between IPsec and PPTP is that if the RADIUS server does not return a
class attribute, the group associated with the IPsec group ID is used instead of the

Nortel VPN Router Security — Servers, Authentication, and Certificates
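
The lookup order described on this page, modelled as an added example (not code from the manual or the product). The dictionaries, the `radius-default` group name and the rule labels are constructed, and the handling of a PPTP session with no class attribute is an assumption because the page text is cut off at that point.

```python
import hmac
from typing import NamedTuple, Optional

class Decision(NamedTuple):
    accepted: bool
    group: Optional[str]
    rule: str  # label for the rule that produced the outcome

def _pw_ok(given: str, stored: str) -> bool:
    return hmac.compare_digest(given.encode(), stored.encode())

def resolve_group(uid, password, ldap_users, ldap_groups, radius_users=None,
                  radius_default="radius-default", ipsec_group=None):
    """ldap_users: uid -> (password, group); radius_users: uid -> (password,
    class attribute or None), or None when RADIUS is not the next server.
    ipsec_group: group tied to the IPsec group ID; None models a PPTP session."""
    if uid in ldap_users:                       # LDAP profile database first
        stored, group = ldap_users[uid]
        ok = _pw_ok(password, stored)
        return Decision(ok, group if ok else None, "ldap")
    if radius_users is None or uid not in radius_users:
        return Decision(False, None, "unknown-uid")
    stored, class_attr = radius_users[uid]
    if not _pw_ok(password, stored):
        return Decision(False, None, "radius-reject")
    if class_attr is not None:
        if class_attr in ldap_groups:           # class attribute = LDAP group name
            return Decision(True, class_attr, "radius-class")
        return Decision(True, radius_default, "default-unknown-class")
    if ipsec_group is not None:                 # IPsec: group of the IPsec group ID
        return Decision(True, ipsec_group, "ipsec-group-id")
    # Assumption: a PPTP session with no class attribute gets the default group.
    return Decision(True, radius_default, "default-no-class")

def audit_class_attributes(radius_users, ldap_groups):
    """UIDs whose class attribute names no LDAP group (silent default-group fallback)."""
    return sorted(uid for uid, (_, cls) in radius_users.items()
                  if cls is not None and cls not in ldap_groups)

# Constructed sample data, not taken from any real deployment.
LDAP_USERS = {"alice": ("pw-a", "engineering")}
LDAP_GROUPS = {"engineering", "contractors", "radius-default"}
RADIUS_USERS = {"bob": ("pw-b", "contractors"),
                "carol": ("pw-c", "contracters"),   # typo in class attribute
                "dave": ("pw-d", None)}

if __name__ == "__main__":
    for uid, pw in [("alice", "pw-a"), ("bob", "pw-b"), ("carol", "pw-c"), ("dave", "pw-d")]:
        print(uid, resolve_group(uid, pw, LDAP_USERS, LDAP_GROUPS, RADIUS_USERS))
    print("falls back to default:", audit_class_attributes(RADIUS_USERS, LDAP_GROUPS))
```

The audit helper lists the accounts that authenticate successfully but land in the RADIUS default group because their class attribute matches no LDAP group, which is why the default group's attributes should be the most restrictive ones in use.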