Configuring Realm Selection Scripts
You can configure realm selection scripts using either of these two methods:
For core realm selection—Core realm selection occurs first for all RADIUS requests. Add the script keyword to the [Processing] section of the proxy.ini file and specify the base filename of the realm selection script file as its argument.
For tunneled authentication methods (PEAP and TTLS)—Using the Web GUI, specify a realm selection script from the Inner Authentication tab of the Selected EAP Method pane for the authentication method.
Note: For both realm selection script configuration methods, do not include the .jsi extension when you enter or specify the name of the script file.
Core Realm Selection Scripts
To configure core realm selection, you configure realm selection scripts in the [Processing] section of proxy.ini. All authentication requests go through this phase even if a second realm selection script is run from a tunneled authentication method.
When scripted realm selection is configured in proxy.ini from the [Processing] section, it runs before (and possibly replaces) all other realm selection methods.
[Processing] Section
If no [Processing] section is present in the proxy.ini file, then the standard methods are applied following this specific default order: Suffix, Prefix, DNIS, Attribute-mapping, and Undecorated.
If a [Processing] section (Table 127) is present in the proxy.ini file, it enables you to specify which realm selection rules are applied and the order in which they are applied.
Table 127: proxy.ini [Processing] Syntax
Parameter | Description |
---|---|
RealmSelector | This can be one of six methods: attribute-mapping, DNIS, prefix, suffix, undecorated, or script scriptname. The method names are case-insensitive, but the script file rootname is case-sensitive. If a [Processing] section is present in the proxy.ini file, then these special rules apply: |
This example shows a [Processing] section with a declared script:
Matching rules for the methods are as defined in the [Realms] and [Directed] sections of proxy.ini.
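The following audit check is an added example, not code or a configuration sample from the product documentation. It reports the realm selection order a proxy.ini would yield and flags a script name that carries the .jsi extension. The one-selector-per-line layout, the `;` comment marker, the function names, and the sample script name `RealmPick` are assumptions made for illustration.

```python
# Added example: audit the [Processing] section of a proxy.ini file.
# ASSUMPTIONS (not from the page): one selector per line; ';' starts a comment.
DEFAULT_ORDER = ["suffix", "prefix", "dnis", "attribute-mapping", "undecorated"]

def processing_lines(text):
    """Return the entries of [Processing], or None if the section is absent."""
    entries, inside = None, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            inside = line[1:-1].strip().lower() == "processing"
            if inside and entries is None:
                entries = []
        elif inside and line:
            entries.append(line)
    return entries

def audit(text):
    """Return (selectors, findings) for the realm selection configuration."""
    entries = processing_lines(text)
    if entries is None:
        return list(DEFAULT_ORDER), ["no [Processing] section: default order applies"]
    selectors, findings = [], []
    for line in entries:
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # method keywords are case-insensitive
        if keyword == "script":
            name = parts[1] if len(parts) > 1 else ""  # rootname keeps its case
            if not name or name.lower().endswith(".jsi"):
                findings.append(f"script '{name}': use the base filename, no .jsi")
            selectors.append(f"script {name}".strip())
            findings.append("script selector runs before all other methods")
        elif keyword in DEFAULT_ORDER and len(parts) == 1:
            selectors.append(keyword)
        else:
            findings.append(f"unrecognized selector: '{line}'")
    return selectors, findings

# Constructed sample input for this example, not taken from a real deployment.
SAMPLE = """[Realms]
[Processing]
Suffix
script RealmPick.jsi
DNIS
prefixx
"""
if __name__ == "__main__":
    for item in audit(SAMPLE):
        print(item)
```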
Tunneled Authentication Plug-in Realm Selection Scripts
To specify a realm selection script for the inner authentication method of a tunneled authentication method, you must use the Web GUI.
To specify a realm selection script using the Web GUI:
Select RADIUS Configuration > Authentication Policies > EAP Methods.
The EAP Methods List page (Figure 280) appears.
Figure 280: EAP Methods List Page
Select an EAP authentication method, for example EAP-TTLS. The Selected EAP Method: EAP-TTLS pane appears with the Client Certification Validation tab selected.
Click the Inner Authentication tab (Figure 281) to specify a realm selection script for the authentication method.
Figure 281: EAP-TTLS—Inner Authentication
Note: When using JavaScripting, setting the disposition of an inner authentication request (for example, in TTLS) to discard does not suppress the sending of an Access-Reject by the outer request.
To specify a realm for the authentication method, enter the name of the realm in the Directed Realm field.
To specify a realm selection script for the authentication method, enter the name of the script in the Realm Selection Script field.
Click Save to save the changes.