Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Creating Realm Selection Scripts


This chapter describes developing realm selection scripts that execute built-in methods or more advanced script logic to authenticate requests. This chapter contains these topics:

Steel-Belted Radius Carrier executes built-in or scripted realm selection methods to determine the authentication realm for processing a request. For built-in methods, you specify the methods and their order of execution in the [Processing] section of the proxy.ini configuration file. You specify matching rules in the [Realms] and [Directed] sections. For more information about the proxy.ini configuration file, see the section on Realm Configuration Files in the SBR Carrier Reference Guide.

For scripted realm selection, use the script setting in proxy.ini to declare the name of a JavaScript initialization (.jsi) file. If the script setting appears anywhere in the [Processing] section, Steel-Belted Radius Carrier executes the realm selection script first, before trying any other built-in methods. If the script returns a valid realm name, Steel-Belted Radius Carrier sends the current request to that realm for processing. If the script returns the code SCRIPT_RET_SUCCESS instead of a realm name, Steel-Belted Radius Carrier invokes the remaining methods in the [Processing] section to try to determine the realm for the request.

You can also specify a realm selection script for the inner authentication setting of tunneled authentication methods using Web GUI.

Realm selection scripts are useful when your realm selection strategy is too complex to be implemented using basic matching rules. Realm selection scripts can perform any of these actions:

  • Retrieve RADIUS request attribute and process their values.

  • Execute program logic to determine the realm name.

  • Execute built-in Steel-Belted Radius Carrier realm selection methods.

  • Invoke SQL queries and LDAP searches, and process the results.

  • Specify a profile to be merged with the response.

  • Change the authentication username.