Identity & Policy Control - SBR Carrier & SRC
Identity & Policy Control - SBR Carrier & SRC

Prefix routing

‎07-19-2019 01:57 AM

Hi,

 

I am running SBR Carrier and am configuring roaming share with a partner. I have configured normal proxy forwarding and have no problem with that, but they have now come back stating that they will require "prefix routing"... So, the format of the NAI is as follows:

 

example/joe.blog@iamhere.com

 

So, they need the prefix "example" stripping and being read along with the "realm (iamhere.com)"

 

I configured the realm in the proxy.ini and have also created the .pro file for the realm. I have also created the profile and the proxy targets on the carrier SBR. But I am now stuck as to how to resolve gettting the prefix stripped and read. 

 

As this is TTLS, the SBR has to be able to note the prefix and username so the "/" is the delimiter...


Can anyone help with this please?


Where and what to configure?

6 REPLIES 6
Identity & Policy Control - SBR Carrier & SRC

Re: Prefix routing

‎07-19-2019 04:32 AM

you can change username (strip substring or any other action) with script file (javascript)

Identity & Policy Control - SBR Carrier & SRC

Re: Prefix routing

‎07-29-2019 08:37 AM

Unfortunately, I am not a scripting person and no idea how to create a Javascript file to complete this.

 

As far as I know, scripting is one way to go.... another is using the proxy.ini and create the prefix (somehow) and then create a .pro file.

 

What I don't know, is how all of these files are linked together

 

If you could expand to let me know how they are linked to be able to utilise the prefix routing, that would be great.

Identity & Policy Control - SBR Carrier & SRC

Re: Prefix routing

‎07-29-2019 08:57 AM

You can utilize the Prefix functionality in proxy.ini file. You must ensure that [Configuration] and RealmPrefix fields are uncommented (removing the Smiley Wink.

 

By default, RealmPrefix is set to / for a delimiter, however, other characters can be used.

 

More information can be found in the SBR Reference Guide:

 

https://www.juniper.net/documentation/en_US/sbr-carrier8.5.0/information-products/topic-collections/...

 

In regards to configuring your realm, what will you be using? You can utilize the [Realms] section, and define "match_rule" using wildcards specific to your prefix characteristics:

 

https://www.juniper.net/documentation/en_US/sbr-carrier8.5.0/information-products/topic-collections/...

 

Please note, when defining a 'RealmName' that realm configuration must match your .pro file name. i.e.:

 

proxy.ini

.....

[Realms]

test

......

 

# cp example.pro test.pro

 

Please note that SBR provides some example files for Realms, which will help with required fields.

 

https://www.juniper.net/documentation/en_US/sbr-carrier8.5.0/information-products/topic-collections/...

 

In this regards, you should not necessarily have to use the JavaScript feature in SBR.

 

Please let us know if you require any additional information in regards to the RealmPrefix functionality in Proxy.

Identity & Policy Control - SBR Carrier & SRC

Re: Prefix routing

[ Edited ]
‎07-29-2019 12:50 PM

Thank you.

 

So, if I was to take my example as the realm and user name as follows:

example/joe.blog@iamhere.com

 

My guess is that I would have to add the following to the proxy.ini

[Processing]
Prefix

[Realms]

iamhere.com

iamhere.com=example

[Configuration]
RealmPrefix = /

 

The only section there I am unsure of is the "iamhere.com=example" (example being the prefix)

 

Then I would need to create a .pro file with the name "iamhere.pro"?

 

What would I then need to add in there?

 

From what I can see, the following sections:

;[CallCheck]
;FilterOut = prevpopidaol
;Attribute = Service-Type 10

[Auth]
Enable = 1
;RealmConcurrency = Before
TargetsSection = AuthTargets
RoundRobin = 2
StripRealm = 0
RequestTimeout = 7
NumAttempts = 2
MessageAuthenticator = 0
FilterOut = something in the filter.ini file
FilterIn = something in the filter.ini file
;PasOutboundTransferFilter=pasout

 

[Acct]
Enable = 1
TargetsSection = AcctTargets
RoundRobin = 2
StripRealm = 0
RequestTimeout = 7
NumAttempts = 2
;PasOutboundTransferFilter=pasout
FilterOut = Something in the filter.ini file
;FilterIn =
RecordLocally = 1


[AuthTargets]
The AAA actual authentication servers

 

[AcctTargets]
Same as above bit for accounting

 

[Called-Station-Id]
Don't know

 

[FastFail]
MinFailures = 3
MinSeconds = 3
ResetSeconds = 1800

 

What do I need to add into the filter.ini file, if anything?

 

How is "example" read as the prefix or is this automated from the proxy.ini file?

 

Thanks

 

Identity & Policy Control - SBR Carrier & SRC

Re: Prefix routing

‎07-30-2019 01:15 PM

Will "example" always be your prefix? If it is expected to be different, you would need to add additional entries in your Realms configuration. Or, if you expect something similar to "example" you can use a wild card.

 

As for your Proxy Realm name. Yes, you are correct, however,since you have defined the Realm as "iamhere.com" it would be iamhere.com.pro. You need to ensure that the defined names in your proxy.ini Realms configuration are the same as the defined Proxy Realm files.

 

Do you expect to have filters on these RADIUS packets to your Proxy Target or received from the Target and back to your NAS? These are not required, only if you expect to add or change RADIUS Attributes.

 

The easiest way to create filters is through your SBR Web GUI. This will allow you to create the filters quickly and copy those filters to create additional ones.

 

The last inquiry, the "example" is read as a prefix as you ahve defined in proxy.ini.

 

Hope this information helps to deploy SBR.

Identity & Policy Control - SBR Carrier & SRC

Re: Prefix routing

‎08-01-2019 04:31 AM

Okay.

 

Thank for the help everyone.

 

I created a Javascript file (after much reading).

Created the realm (example)

Created the example.pro file

Edited the filter.ini

 

Testing and all works