Configuring Juniper Steel-Belted RADIUS

Thank you to Samuel Petreski at Georgetown University for contributing these instructions and images to the documentation.
If you have any questions or comments regarding these instructions, please contact the eduroam-US Team and we will work with you to assist as much as possible.

Description

Juniper Steel-Belted Radius (SBR) provides uniform security policy enforcement across all network access methods, including WLAN, remote/VPN, dial, and identity-based (wired 802.1X).

The Juniper SBR configuration for an eduroam-US institution has two major components: general configuration in the SBR Administrator, and editing or creating RADIUS configuration files. The Global Enterprise Edition of the SBR software is required in order to support the eduroam-US configuration. The Enterprise Edition of the SBR software does not support the configuration of RADIUS proxy and therefore is not compatible with the eduroam-US requirements.

Instructions

The first step is to define a Proxy Target in the SBR Administrator configuration. Click on “Proxy Targets”, then click on “Add”, and enter the information in the dialog box as shown below.

Proxy Target

The Name attribute is important because it is referred to later in the configuration files. The IP Address field contains the IP/FQDN of the eduroam-US Top-Level server. The shared secret field should contain the secret configured between the Top-Level eduroam-US server and your institution.

The second step is to define the eduroam-US Top-Level server as a RADIUS client. Click on ‘RADIUS Client’, then click on ‘Add’, and enter the information in the dialog box as shown below.

RADIUS Client

The second component involves making RADIUS configuration file modifications.

Open the ‘radius.ini’ file located in the Juniper SBR directory, and enable Extended Proxy by adding the following lines (if you have the section heading, then only add the configuration parameters):

[Configuration]
ExtendedProxy=1
AttributeEdit=1

[Self]
homeinstitution.edu

Open the 'proxy.ini' file located in the Juniper SBR directory and add the following directives:

[Processing]
Suffix
Undecorated

[Realms]
eduroam.edu
eduroam.edu = *.edu

[StaticAcct]
7=EduRoamOnOff
8=EduRoamOnOff

[EduRoamOnOff]
realm=eduroam.edu

Open the 'eap.ini' file located in the Juniper SBR directory and add the following directives:

[proxy: EDUROAMUS]
EAP-Only=0
First-Handle-Via-Auto-EAP=0
EAP-Type=
Available-EAP-Only-Values=0,1
Available-Auto-EAP-Values=0,1
Available-EAP-Types=LEAP|MD5-Challenge|MS-CHAP-V2|TLS|TTLS

Create a file named 'eduroam.edu.pro' containing the following directives:

[Auth]
Enable = 1
TargetsSection = AuthTargets
StripRealm = 0
RequestTimeout = 5
NumAttempts = 10
MessageAuthenticator = 0

[Acct]
Enable = 1
TargetsSection = AcctTargets
StripRealm = 0
RequestTimeout = 5
NumAttempts = 3
RecordLocally = 1

[AuthTargets]
EDUROAMUS=1

[AcctTargets]
EDUROAMUS

[FastFail]
MinFailures = 3
MinSeconds = 3
ResetSeconds = 30

Lastly, restart the Juniper SBR service for the new file configurations to be read by the RADIUS server.
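
Because the Proxy Target name has to match in several files, a pre-restart consistency check can catch a mistyped name. The following is an added example, not part of the original instructions or of Juniper SBR; the function names are hypothetical, the embedded samples are shortened from the fragments above, and the exact case-sensitive match and the reading of Enable = 1 are assumptions.

```python
import configparser

# Constructed samples, shortened from the eap.ini and eduroam.edu.pro fragments on this page.
EAP_INI = """\
[proxy: EDUROAMUS]
EAP-Only=0
EAP-Type=
"""
PRO_FILE = """\
[Auth]
Enable = 1
TargetsSection = AuthTargets
[Acct]
Enable = 1
TargetsSection = AcctTargets
[AuthTargets]
EDUROAMUS=1
[AcctTargets]
EDUROAMUS
"""

def _parse(text):
    # These files contain bare keys (no "=value"); keep key case as written.
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   delimiters=("=",), interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def check_target_refs(target, eap_ini_text, pro_text):
    """Return a list of places where the Proxy Target name is expected but missing."""
    problems = []
    eap, pro = _parse(eap_ini_text), _parse(pro_text)
    if f"proxy: {target}" not in eap.sections():
        problems.append(f"eap.ini: no [proxy: {target}] section")
    for kind in ("Auth", "Acct"):
        # Assumption: Enable = 1 means this request type is proxied by the file.
        if not pro.has_section(kind) or pro[kind].get("Enable", "0").strip() != "1":
            continue
        section = (pro[kind].get("TargetsSection") or "").strip()
        if not pro.has_section(section):
            problems.append(f".pro [{kind}]: TargetsSection '{section}' not found")
        elif target not in pro[section]:
            problems.append(f".pro [{section}]: target '{target}' not listed")
    return problems

if __name__ == "__main__":
    for line in check_target_refs("EDUROAMUS", EAP_INI, PRO_FILE) or ["consistent"]:
        print(line)
```

To check a real installation, pass the Name entered in the Proxy Target dialog and the contents of the two files read from the SBR directory.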

For complete documentation on configuration of Juniper SBR please see the corresponding reference manual.