[SBR Carrier] How to allocate IP addresses on a proxy radius server

Article ID: KB35331 KB Last Updated: 20 Dec 2019 Version: 1.0
Summary:

In a proxy RADIUS scenario, where SBR Carrier is the proxy, you might want SBR to replace any IP addresses assigned by the proxy target with one from a local SBR-managed address pool.  This article outlines the primary components of this configuration.
 

Solution:
  1. In proxy.ini, configure the proxy realm and any attribute maps to route requests to that realm.

    a. Ensure the processing section is uncommented if you need a specific realm matching order:

    [Processing]
    ;Suffix
    ;Prefix
    ;DNIS
    Attribute-Mapping
    ;Script realm_script_name
    ;Undecorated

    b. Configure the proxy realm in the realms section:

    [Realms]
    myrealm

    c. Configure the attribute map as needed:

    [AuthAttributeMap]
    myrealm
        Called-Station-Id=cs-id-1-1
        NAS-IP-Address=10.14.12.9

  2. In the SBR Web GUI, create a named IP address pool under RADIUS Configuration > Address Pools > IP

    Example: MYPOOL

  3. In the SBR Web GUI, add the proxy target details under RADIUS Configuration > Proxy Targets

    Example: MYTARGET

  4. In the SBR Web GUI, create a named filter under RADIUS Configuration > Filters, that will exclude any Framed-IP-Address attributes returned from the proxy target and add a new one from the local pool.

    NOTE: You can start with either an Allow or Exclude default rule in this example.

    Filter Name = MYFILTER
    a. Default rule: Allow or Exclude (as needed)
    b. Exclude Framed-IP-Address
    c. Add Framed-IP-Address MYPOOL

  5. Create a proxy realm configuration file in the radius install directory (/opt/JNPRsbr/radius) for the realm name added in Step 1b, e.g. myrealm.pro

    NOTE: You can use sample.pro as a template.

    a. In the [Auth] section, set FilterIn to the name of the filter created in Step 4 above:

    [Auth]
    Enable = 1
    ...
    TargetsSection = AuthTargets
    ...
    FilterIn = MYFILTER

    b. Configure the AuthTargets section referenced in the auth section above to the name(s) of the proxy target(s) configured in Step 3.

    [AuthTargets]
    MYTARGET=1

  6. Restart SBR

    NOTE: SBR requires a restart to activate config file changes. A restart is NOT required for changes made in the SBR Web GUI.

    When testing, a debug level log will show the filter being applied:

    12/02/2020 14:27:30.830 (0976) TxId 0xac75f67bc164e55d00000003: Applying filter MYFILTER
    12/02/2020 14:27:30.830 (0976) TxId 0xac75f67bc164e55d00000003: Allowing attribute Class
    12/02/2020 14:27:30.830 (0976) TxId 0xac75f67bc164e55d00000003: Disallowing attribute Framed-IP-Address
    ...
    12/02/2020 14:27:30.831 (0976) TxId 0xac75f67bc164e55d00000003: Adding attribute Framed-IP-Address.
    12/02/2020 14:27:30.831 (0976) TxId 0xac75f67bc164e55d00000003: GetIPAddressFromPoolOrDHCP: Attempt to allocate from local pool (pool mypool)
    12/02/2020 14:27:30.831 (0976) TxId 0xac75f67bc164e55d00000003: poolGetNextAddress: Pool 'mypool' - IP address a640101, ref-cnt 1
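The following is an added example, not part of the original article or of SBR itself: a Python check that reads debug log text and confirms, per transaction, that the filter stripped the proxy target's Framed-IP-Address and that a replacement was allocated from the local pool. It assumes the line format shown in the sample above and assumes the logged address (a640101) is a 32-bit IPv4 value in hex with leading zeros dropped; the function name and the second transaction in the sample are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the article's log lines (without the elided "..." line)
# plus one constructed transaction where the proxy target's address leaks through.
SAMPLE_LOG = """\
12/02/2020 14:27:30.830 (0976) TxId 0xac75f67bc164e55d00000003: Applying filter MYFILTER
12/02/2020 14:27:30.830 (0976) TxId 0xac75f67bc164e55d00000003: Allowing attribute Class
12/02/2020 14:27:30.830 (0976) TxId 0xac75f67bc164e55d00000003: Disallowing attribute Framed-IP-Address
12/02/2020 14:27:30.831 (0976) TxId 0xac75f67bc164e55d00000003: Adding attribute Framed-IP-Address.
12/02/2020 14:27:30.831 (0976) TxId 0xac75f67bc164e55d00000003: GetIPAddressFromPoolOrDHCP: Attempt to allocate from local pool (pool mypool)
12/02/2020 14:27:30.831 (0976) TxId 0xac75f67bc164e55d00000003: poolGetNextAddress: Pool 'mypool' - IP address a640101, ref-cnt 1
12/02/2020 14:27:31.100 (0976) TxId 0xac75f67bc164e55d00000004: Applying filter MYFILTER
12/02/2020 14:27:31.100 (0976) TxId 0xac75f67bc164e55d00000004: Allowing attribute Framed-IP-Address
"""

LINE = re.compile(r"TxId (0x[0-9a-f]+): (.*)$")
POOL = re.compile(r"poolGetNextAddress: Pool '([^']+)' - IP address ([0-9a-f]+),")

def check_transactions(log_text, filter_name, pool_name):
    """Return {txid: {"ok": bool, "address": str or None, "problems": [str]}}."""
    events = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if m:
            events[m.group(1)].append(m.group(2).strip())
    report = {}
    for txid, msgs in events.items():
        if f"Applying filter {filter_name}" not in msgs:
            continue  # this transaction did not pass through the filter
        problems, address = [], None
        if "Disallowing attribute Framed-IP-Address" not in msgs:
            problems.append("proxy-assigned Framed-IP-Address was not stripped")
        for msg in msgs:
            m = POOL.search(msg)
            # The log prints the pool name in lower case, so compare case-insensitively.
            if m and m.group(1).lower() == pool_name.lower():
                # Assumption: hex-encoded 32-bit IPv4 address, leading zeros dropped.
                address = str(ipaddress.IPv4Address(int(m.group(2), 16)))
        if address is None:
            problems.append(f"no address allocated from pool {pool_name}")
        report[txid] = {"ok": not problems, "address": address, "problems": problems}
    return report

if __name__ == "__main__":
    for txid, result in check_transactions(SAMPLE_LOG, "MYFILTER", "MYPOOL").items():
        print(txid, result)
```

A transaction reported with ok set to False means the client may have received the proxy target's address instead of one from the local pool, which is worth checking before relying on the pool for address accounting.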
