[SBR] Configure Anonymous authentication for users accessing a specific APN


Article ID: KB28379 KB Last Updated: 05 Mar 2017 Version: 2.0
Summary:

This article describes how to configure Anonymous authentication in SBR for users accessing a specific APN.

Symptoms:

Steel-Belted Radius (SBR) rejects users who provide incorrect credentials. However, in some scenarios, customers might want to allow access to a specific access point name (APN), such as the "Internet APN", even if users have no credentials or provide incorrect credentials. If these users then attempt to connect to a different APN (for example, the "Corporate APN") and both APNs are configured to use the same Remote Authentication Dial In User Service (RADIUS) server, the users are prompted to provide a correct set of credentials. In this situation, users with no credentials or incorrect credentials are denied access to that APN.

Cause:

The Native User authentication method does not allow anonymous authentication.

Solution:

Configure request routing and Anonymous authentication, as described below.


Configuring Request Routing

In the RADIUS Access-Request sent by a user, the value of the Called-Station-Id attribute differs depending on whether the user is trying to access the Corporate APN or the Internet APN. Because of this, you must create a Directed realm based on Attribute Mapping using the attribute Called-Station-Id, then configure request routing in SBR to route the requests to an authentication method that allows anonymous authentication for users trying to access the Internet APN.

1. Identify the Called-Station-Id of the Internet APN.

2. In SBR, edit proxy.ini (to reflect the settings below):

[Processing]
;Suffix
;Prefix
;DNIS
Attribute-Mapping
;Script <RealmScript>

[Directed]
;<RealmName>
Internet

[AuthAttributeMap]
Internet
     Called-Station-Id = <value of Internet APN>

3. In /opt/JNPRsbr/radius, make a copy of example.dir and rename it Internet.dir.

4. Edit Internet.dir (to reflect the settings below):

[Auth]
Enable = 1
;UseMasterDictionary = yes

[AuthMethods]
LDAP

5. Restart the SBR service (./sbrd restart).


Configuring Anonymous Authentication

1. Enable LDAPauth.aut (to reflect the settings below):

[Bootstrap]
LibraryName=ldapauth.so
Enable=1
InitializationString=LDAP

[Failure]
Accept=1

2. Restart the SBR service (./sbrd restart).
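
A check of the finished configuration against the settings in this article, so that a commented-out Attribute-Mapping line or an unfilled Called-Station-Id placeholder is caught before the restart. This is an added example, not part of the original article or of SBR; the function names, the finding messages and the sample APN value internet.example are hypothetical, and it assumes the three files are passed in as text.

```python
def parse_sbr_ini(text):
    """Parse SBR-style text into {section: [(name, value_or_None)]}; ';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None:
            name, sep, value = line.partition("=")
            current.append((name.strip(), value.strip() if sep else None))
    return sections

def audit(proxy_ini, realm_dir, ldapauth_aut, realm="Internet"):
    """Compare the three files with the article's settings; return findings."""
    p, d, a = (parse_sbr_ini(t) for t in (proxy_ini, realm_dir, ldapauth_aut))
    bare = lambda cfg, sec: [n for n, v in cfg.get(sec, []) if v is None]
    kv = lambda cfg, sec: {n.lower(): v for n, v in cfg.get(sec, []) if v is not None}
    in_realm, csid = False, None
    for name, value in p.get("AuthAttributeMap", []):
        if value is None:              # a bare line opens a realm's mapping block
            in_realm = name == realm
        elif in_realm and name.lower() == "called-station-id":
            csid = value
    boot = kv(a, "Bootstrap")
    checks = [
        ("Attribute-Mapping" in bare(p, "Processing"),
         "proxy.ini: Attribute-Mapping not enabled in [Processing]"),
        (realm in bare(p, "Directed"), f"proxy.ini: {realm} not in [Directed]"),
        (bool(csid) and not csid.startswith("<"),  # unset or still a placeholder
         f"proxy.ini: no Called-Station-Id value mapped to {realm}"),
        (kv(d, "Auth").get("enable") == "1", f"{realm}.dir: [Auth] Enable is not 1"),
        (bare(d, "AuthMethods") == ["LDAP"],
         f"{realm}.dir: [AuthMethods] is not exactly LDAP"),
        (boot.get("enable") == "1" and boot.get("initializationstring") == "LDAP",
         "LDAPauth.aut: [Bootstrap] is not enabled as method LDAP"),
        (kv(a, "Failure").get("accept") == "1", "LDAPauth.aut: [Failure] Accept is not 1"),
    ]
    return [message for ok, message in checks if not ok]

# Constructed sample input: the article's settings with a made-up APN value.
PROXY = ("[Processing]\n;Suffix\nAttribute-Mapping\n[Directed]\nInternet\n"
         "[AuthAttributeMap]\nInternet\n    Called-Station-Id = internet.example\n")
REALM_DIR = "[Auth]\nEnable = 1\n[AuthMethods]\nLDAP\n"
LDAPAUTH = ("[Bootstrap]\nLibraryName=ldapauth.so\nEnable=1\n"
            "InitializationString=LDAP\n[Failure]\nAccept=1\n")

if __name__ == "__main__":
    print(audit(PROXY, REALM_DIR, LDAPAUTH) or "matches the article's settings")
```

An empty list means the files match the article; each finding names the file and section to correct.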
