Proxy Realm Configuration Files
This section describes how to set up the proxy realm configuration files.
Sample radius.ini Realm Settings
The following settings in your radius.ini file enable the realm feature and the attribute filtering feature. These two features must be enabled for the sample proxy realm configuration files to work:

[Configuration]
ExtendedProxy=1
AttributeEdit=1
NOTE: For syntax details, see [Configuration] Section.
Examples
The following proxy.ini file registers a proxy realm called sample.com and adds that realm to the list of target realms for static proxy accounting.
[Realms]
sample.com

[StaticAcct]
7=CustAOnOff
8=CustAOnOff

[CustAOnOff]
realm=sample.com
NOTE: For syntax details, see proxy.ini File.
The following proxy.ini file entry specifies that otto@rtt.other.com and carol@3g.other.com would both map to the other.com proxy realm.
[Realms]
other.com = *.other.com

The following proxy.ini file specifies that otto@rtt.other.com and carol@3g.other.com would map to the other.com proxy realm and that caitlin@groton.other.com would map to the groton.other.com proxy realm.

[Realms]
other.com = *.other.com
groton.other.com

Sample Proxy RADIUS (.pro) File
The following complete file must be called sample.com.pro for it to work with the sample proxy.ini file shown earlier in this section.

[Auth]
Enable = 1
TargetsSection = AuthTargets
RoundRobin = 2
StripRealm = 0
RequestTimeout = 5
NumAttempts = 3
FilterOut = CustAOut
FilterIn = CustAIn
MessageAuthenticator = 0
UseMasterDictionary = yes

[Acct]
Enable = 1
TargetsSection = AcctTargets
RoundRobin = 1
StripRealm = 0
RequestTimeout = 5
NumAttempts = 3
FilterOut = CustAOut
; FilterIn =
RecordLocally = 1
; Block = 1
UseMasterDictionary = yes

[AuthTargets]
bunion=1
desktop=1

[AcctTargets]
desktop

[Called-Station-ID]
8885551212
5551234

[FastFail]
MinFailures = 3
MinSeconds = 3
ResetSeconds = 30
NOTE: For syntax details, see Proxy RADIUS Configuration (.pro) File.
This example expects the Steel-Belted Radius Carrier database to contain Proxy entries with target names Desktop and Bunion. These entries are required to provide the network routing information (IP address, RADIUS shared secret, and UDP ports) that allows forwarded packets to reach the target servers at the customer site.
Sample filter.ini File
The following complete sample filter.ini file defines the two attribute filters referenced in the sample.com.pro file shown above.

[CustAOut]
ALLOW
EXCLUDE NAS-IP-Address
ADD NAS-IP-Address 1.2.3.4

[CustAIn]
EXCLUDE
ALLOW Session-Timeout
ALLOW Idle-Timeout
ALLOW Service-Type Framed
ADD Service-Type Framed
ADD Framed-IP-Address CustAPool

The CustAOut filter in this example is designed to be applied to request packets coming into the Steel-Belted Radius Carrier server that are directed out to the realm. It allows all of the attributes in the packet to go out to the realm, with the exception of the RADIUS client's IP address. It replaces this IP address with the specific dummy address 1.2.3.4. This filter enhances overall security by not publishing routing information to the network when it is not necessary to do so.
The CustAIn filter in this example is designed to be applied to response packets returning to the Steel-Belted Radius Carrier server, which are relayed, in turn, to the RADIUS client. Most attributes are excluded; however, if any timeout values are returned, they are allowed through. If the Service-Type attribute is present in the response and it has the value Framed (a string alias for the Service-Type integer value 2), it is allowed in the packet. Steel-Belted Radius Carrier adds the Service-Type attribute to the packet if it is not already there, and assigns it the value Framed (2).
The CustAIn filter in this example expects the Steel-Belted Radius Carrier database to contain an IP address pool entry called CustAPool, which specifies the customer's valid address ranges. If this entry is not present, the CustAIn filter fails. CustAPool is referenced in the filter's final entry, which assigns a value to the Framed-IP-Address attribute. As shown in the example, this entry causes Steel-Belted Radius Carrier to (1) add the Framed-IP-Address attribute to the packet, (2) select an available address from CustAPool, and (3) assign this value to the Framed-IP-Address attribute.
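To make the ALLOW / EXCLUDE / ADD behaviour of the two filters concrete, the following added example (not Steel-Belted Radius Carrier code) models those rules in Python and runs the CustAOut and CustAIn filters over constructed request and response attribute lists. The pool lookup is a stand-in dictionary of constructed addresses, and the default of excluding unnamed attributes when no bare ALLOW/EXCLUDE line is present is an assumption of the model, not a statement about the product.

```python
# Added example, not Steel-Belted Radius Carrier code: a model of the
# filter.ini ALLOW / EXCLUDE / ADD semantics described above, run over a
# RADIUS packet held as an ordered list of (attribute, value) pairs. The
# two rule sets are the sample filter.ini's, with section names omitted.
from typing import Dict, Iterator, List, Optional, Tuple
Attrs = List[Tuple[str, str]]
CUST_A_OUT = """ALLOW
EXCLUDE NAS-IP-Address
ADD NAS-IP-Address 1.2.3.4"""
CUST_A_IN = """EXCLUDE
ALLOW Session-Timeout
ALLOW Idle-Timeout
ALLOW Service-Type Framed
ADD Service-Type Framed
ADD Framed-IP-Address CustAPool"""

def parse_filter(text: str) -> List[Tuple[str, str, str]]:
    """Turn filter lines into (action, attribute, value); bare ALLOW/EXCLUDE sets the default."""
    rules = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()       # ';' begins a comment
        if line:
            parts = line.split(None, 2) + ["", ""]
            rules.append((parts[0].upper(), parts[1], parts[2]))
    return rules

def apply_filter(rules, packet: Attrs,
                 pools: Optional[Dict[str, Iterator[str]]] = None) -> Attrs:
    """'pools' is a constructed stand-in for the SBR Carrier IP address pools
    an 'ADD Framed-IP-Address <pool>' line draws from. Assumption: without a
    bare ALLOW/EXCLUDE line, attributes not named by a rule are excluded."""
    default_allow = False
    for action, attr, _ in rules:
        if not attr and action in ("ALLOW", "EXCLUDE"):
            default_allow = action == "ALLOW"
    out: Attrs = []
    for attr, value in packet:
        keep = default_allow
        for action, r_attr, r_val in rules:
            # a value-qualified ALLOW/EXCLUDE matches only that exact value
            if action != "ADD" and r_attr == attr and r_val in ("", value):
                keep = action == "ALLOW"
        if keep:
            out.append((attr, value))
    for action, r_attr, r_val in rules:          # ADD only if not present
        if action == "ADD" and all(a != r_attr for a, _ in out):
            if pools and r_val in pools:
                r_val = next(pools[r_val])       # select an available address
            out.append((r_attr, r_val))
    return out
```

Running CustAOut over a request drops the real NAS-IP-Address and appends the dummy 1.2.3.4; running CustAIn over a response keeps only the timeout attributes and a Framed Service-Type, then adds Service-Type and a pooled Framed-IP-Address where missing.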