
Configuring a Proxy RADIUS Realm

A proxy RADIUS server treats a realm as a destination against which it performs authentication and accounting. Proxy realms are configurable only through configuration files.

Table 30 outlines the process of configuring a new proxy RADIUS realm for SBR Carrier. Table 30 also lists the sections that you must edit in configuration files to accomplish each step. You must perform each step in the process unless it is labeled as optional.

Table 30: Proxy Realm Configuration

Step | Proxy RADIUS Configuration Task | File and Section

1

Complete the preparatory steps outlined in the Stage One of Realm Configuration section.

2

Register the realm name with SBR Carrier. Optionally, you can use wildcards to specify matching rules for realms, and you can specify the default realm for undecorated User-Name attributes.

proxy.ini

[Realms]

Realm1

Realm2 = *.msn.com

Realm3 = <undecorated>

3

Create a realm configuration file for each realm you register.

Realm1.pro

Realm2.pro

Realm3.pro

4

Study the customer's current (or planned) RADIUS configuration. The customer's RADIUS servers are the target servers in the new realm.

  • Are authentication and accounting packets directed to different RADIUS servers?
  • What is their need for a fast-fail policy, primary-secondary server strategy, or round-robin load balancing?
  • Are some servers used for authentication and some for accounting?
  • What is the IP address of each RADIUS server?
  • What UDP port and shared secret does each server use for authentication or accounting?

5

Does the customer want its RADIUS servers to receive Accounting-On and Accounting-Off messages? If so, add the new realm to your static proxy accounting configuration.

See Static Proxy Accounting.

proxy.ini

[StaticAcct]

7=name

8=name

[name]

realm=RealmName

6

Use the Web GUI to create a proxy entry for each target in the new realm. For authentication targets, verify that the Make Available as an Authentication Method check box is cleared.

Create Proxy Target pane in Web GUI
Selected Target pane in Web GUI

7

Give the customer the IP address of the SBR Carrier server as well as the UDP port and shared secret it uses for authentication and accounting. Instruct the customer that for each target in the new realm, the SBR Carrier server must be added to the target's database as a RADIUS client. Presumably, someone at the customer site performs this task by running the target server's RADIUS configuration utility.

8

Enable authentication in this realm.

RealmName.pro

[Auth]

Enable=1

9

(Optional) Indicate that any realm names and delimiters are to be stripped from the User-Name before it is sent to the target server for authentication.

  • A value of 0 indicates realm names should not be stripped.
  • A value of 1 indicates realm names should be stripped.

StripRealm=

10

Specify which target servers receive authentication packets. Configure load balancing and other details of realm and target selection for authentication packets.

This is a multi-step process:
(1) In the [Auth] section of the RealmName.pro file, set Enable to 1 and assign a name to the TargetsSection parameter; (2) create a [name] section in the file; and (3) within this section list the targets for authentication. When listing a target, use the name you assigned to it in the Proxy dialog.

TargetsSection=name

...

[name]

Server=

11

(Optional) Specify an attribute filter to apply to authentication requests going out to the realm from SBR Carrier.

This is a multi-step process:
(1) In the [Auth] section of RealmName.pro, assign a name to the FilterOut parameter;
(2) Create a [name] section in the filter.ini file; and
(3) In the filter.ini [name] section, list the rules for editing the attributes in a RADIUS authentication request packet before forwarding the packet out to a proxy RADIUS realm.

RealmName.pro

[Auth]

FilterOut=name

filter.ini

[name]

...

12

(Optional) Specify an attribute filter to apply to authentication responses returning into SBR Carrier from the realm.

This is a multi-step process: (1) In the [Auth] section of RealmName.pro, assign a name to the FilterIn parameter; (2) create a [name] section in the filter.ini file; and (3) within the filter.ini [name] section list the rules for editing the attributes in an authentication response packet as it returns in from the proxy RADIUS realm, before relaying the packet back to the RADIUS client.

RealmName.pro

[Auth]

FilterIn=name

filter.ini

[name]

...

13

Enable proxy RADIUS accounting in this realm.

RealmName.pro

[Acct]

Enable=1

14

(Optional) Indicate that any realm names and delimiters are to be stripped from the User-Name before it is sent to the target server for accounting.

  • A value of 0 indicates realm names should not be stripped.
  • A value of 1 indicates realm names should be stripped.

StripRealm=1

15

(Optional) Indicate that accounting attributes should be logged locally on the SBR Carrier server as well as being directed to the realm.

  • A value of 0 indicates accounting attributes should not be logged locally.
  • A value of 1 indicates accounting attributes should be logged locally.

RecordLocally=1

16

Specify which target servers receive accounting packets. Configure load balancing and other details of realm and target selection for accounting packets.

This is a multi-step process: (1) In the [Acct] section of the RealmName.pro file, set Enable to 1 and assign a name to the TargetsSection parameter; (2) create a [name] section in the file; and (3) within this section list the targets for accounting. When listing a target, use the name you assigned to it in the Proxy dialog.

TargetsSection=name

...

[name]

Server=

17

(Optional) Specify an attribute filter to apply to accounting requests going out to the realm from SBR Carrier. This is a multi-step process: (1) In the [Acct] section of RealmName.pro, assign a name to the FilterOut parameter; (2) create a [name] section in the filter.ini file; and (3) within the filter.ini [name] section list the rules for editing the attributes in a RADIUS accounting request packet before forwarding the packet out to a proxy RADIUS realm.

RealmName.pro

[Acct]

FilterOut=name

 

 

filter.ini

[name]

...

18

(Optional) Specify an attribute filter to apply to accounting responses returning into SBR Carrier from the realm.

This is a multi-step process: (1) In the [Acct] section of RealmName.pro, assign a name to the FilterIn parameter; (2) create a [name] section in the filter.ini file; and (3) within the filter.ini [name] section list the rules for editing the attributes in an accounting response packet as it returns in from the proxy RADIUS realm, before relaying the packet back to the RADIUS client.

RealmName.pro

[Acct]

FilterIn=name

 

filter.ini

[name]

...

19

(Optional) Provide DNIS information for this realm.

RealmName.pro

[Called-Station-ID]

20

(Optional) Specify a proxy fast-fail policy for the realm.

[FastFail]

21

(Optional) Enable SBR Carrier to map the presence or absence of certain attributes or values to this realm.

proxy.ini

[AuthAttributeMap]

RealmName

 

[AcctAttributeMap]

RealmName

22

You can load your new realm configuration dynamically, without stopping and restarting the server, by issuing the SIGHUP (1) signal to the SBR Carrier process:

# ./sbrd hup

SBR Carrier re-reads proxy.ini, filter.ini, and all .pro files in the server directory, and resets its realm configuration accordingly.

Note: Rarely, you must edit radius.ini while configuring a realm. If you do edit radius.ini, you must stop and restart SBR Carrier before your new configuration is fully loaded.
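The steps above spread one realm across proxy.ini, RealmName.pro, and filter.ini, so a name mistyped in one file leaves a dangling reference. The following is an added example, not Juniper's code or part of the original page: a cross-file consistency check to run before the SIGHUP reload. The function names, the sample realm, target, and filter names, and the use of Python's configparser to read these files are assumptions; the `Server=` entry follows the page's placeholder form and is not verified product syntax.

```python
import configparser

def load_ini(text):
    """Parse INI text; bare keys such as 'Realm1' under [Realms] are allowed."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return cp

def lint_realm(realm, proxy_ini, pro_files, filter_ini):
    """Return findings for one realm; an empty list means the files agree."""
    proxy, filt, out = load_ini(proxy_ini), load_ini(filter_ini), []
    if not proxy.has_section("Realms") or realm not in proxy["Realms"]:
        out.append(f"{realm}: not registered in proxy.ini [Realms]")
    if f"{realm}.pro" not in pro_files:
        return out + [f"{realm}: {realm}.pro not found"]
    pro = load_ini(pro_files[f"{realm}.pro"])
    for sect in ("Auth", "Acct"):
        if not pro.has_section(sect) or pro[sect].get("Enable") != "1":
            out.append(f"{realm} [{sect}]: Enable=1 not set")
            continue
        targets = pro[sect].get("TargetsSection")
        if not targets:
            out.append(f"{realm} [{sect}]: TargetsSection not set")
        elif not pro.has_section(targets) or not pro.options(targets):
            out.append(f"{realm} [{sect}]: targets section [{targets}] missing or empty")
        for key in ("FilterOut", "FilterIn"):
            name = pro[sect].get(key)
            if name and not filt.has_section(name):
                out.append(f"{realm} [{sect}]: {key}={name} has no [{name}] in filter.ini")
    return out

# Constructed sample files (not taken from a real deployment).
PROXY_INI = "[Realms]\nexample-realm\n"
FILTER_INI = "[ExampleIn]\n"
PRO_FILES = {"example-realm.pro": """
[Auth]
Enable=1
StripRealm=1
TargetsSection=AuthTargets
FilterOut=ExampleOut
FilterIn=ExampleIn
[AuthTargets]
Server=example-target-1
[Acct]
Enable=1
TargetsSection=AcctTargets
"""}

if __name__ == "__main__":
    for finding in lint_realm("example-realm", PROXY_INI, PRO_FILES, FILTER_INI):
        print(finding)
```

On the constructed sample it reports the FilterOut name that has no section in filter.ini and the accounting TargetsSection that points at a section the .pro file never defines.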

Modified: 2017-09-27