Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

How to setup request routing in SBR for Undecorated user-names



Article ID: KB25008 KB Last Updated: 04 Mar 2017Version: 2.0
This article provides information on how to set up request routing for undecorated user-names in SBR.
The Goal here is to route the radius authentication requests, which contain undecorated user-names, to the same authentication method that authenticates the decorated user-names.

For Example, if request routing is configured based on the @ suffix delimiter and the realm suffix is, there will not be any issues in routing a request that contains the user to the correct realm. However, in the incoming request, if the username is bdavid instead of, then there will be issues in the request getting routed to the correct realm.

As the the bdavid user-name is not decorated (it does not contain the realm suffix character), the request will not be routed to the realm as defined in Proxy.ini; instead  it will fall back to the local processing and result in rejection, if no matching user is found.

To setup request routing for undecorated user-names, a separate realm should be created and the following changes should be made in the Proxy.ini:

  1. Edit Proxy.ini. Under the [Processing] section, add the Undecorated entry.

  2. Under the [Directed] section (if directed realm is configured), configure a separate realm and create a separate .dir by using the same realm name in the SBR install directory.

  3. Under the [Realms] section (if the proxy realm is configured), configure a separate realm and create a separate .pro file by using the same realm name in SBR install directory.

  4. Associate an <Undecorated> marker with a Directed realm name or Proxy realm name, which were created in step 2 and 3.

Note: Only one realm listed in the '[Realms]' or '[Directed]' sections of proxy.ini can be configured with the '= <undecorated>' setting. If more than one realm is associated with the '= <undecorated>' setting, Steel-Belted Radius enables the first entry it finds and writes an error message, which identifies the duplicate realms to the radius log file.

The following example is a proxy.ini that can perform request routing for Undecorated user-names.
  • The realm suffix character is @.

  • The ream suffix is

  • Request routing for Decorated names is performed by using the Realm1 directed realm.

  • Request routing for Undecorated names is performed by using the Realm2 directed realm.

Note: realm1.dir and realm2.dir should exist in the SBR install directory and configured with the corresponding auth methods.
;Script <RealmScript>


realm1 =
realm2 = <Undecorated>

;<Description> = <PathAndFile>

; <Attribute> = <Value>
; <Attribute>
; <~Attribute> = <Value>
; <~Attribute>

; <Attribute> = <Value>
; <Attribute>
; <~Attribute> = <Value>
; <~Attribute>

;RealmPrefix = /
RealmSuffix = @
;UseMasterDictionary = yes
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search