Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SBR] Can the routed proxy authentication feature be used if SBRC receives only Accounting messages from a NAD (Network Accesss Device)?

0

0

Article ID: KB25770 KB Last Updated: 04 Mar 2017Version: 2.0
Summary:
This article provides information about the support extended by SBRC for the routed proxy Authentication feature, when only accounting requests are received from a NAD (Network Access Device).
Symptoms:
  • The SBRC server is configured to receive and distribute only Accounting messages from a NAD.

  • A database, such as LDAP or SQL, should be consulted to obtain the routing information (Proxy target selection), as there is no authentication process is associated; the class attribute cannot be used.

  • Based on the database response, the User-Name attribute should be replaced by a new attribute and the proxy target should be selected.

  • Only with accounting messages, can the above requirement be achieved via the Radius proxy authentication feature?
Cause:
The Routed Proxy Authentication feature is not supported, when only accounting messages are received from a NAD and no authentication process is associated with them.
Solution:
In the SBRC admin guide, under the Routed Proxy Authentication section, you could see that routed proxy authentication supports Radius authentication; including the Radius challenge process and Radius accounting. This does not mean that SBRC will support routed proxy for accounting messages, when there are no corresponding authentication requests.

You can use Routed proxy authentication feature to select an authentication realm, based on the information received from an external SQL or LDAP database. You can use this information from the backend database to pre-authenticate the user, select a target realm for a subsequent proxy, modify the User-Name in the proxy request, and insert attributes in the response.

Workaround:

The Realm selection can be performed via JavaScript and a database accessor should be used to modify the incoming Radius attributes.

Note: The Routed proxy feature support for accounting decision is dependent on the corresponding authentication process.

So, the Routed Proxy Authentication feature is not supported, when there are only accounting messages from NAD, which have no authentication process associated with them.

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search