Steel Belted Radius Carrier 7.0 Administration and Configuration Guide > SIM Authentication Module > Configuring Special Attribute Handling Features (Optional)

Configuring Special Attribute Handling Features (Optional)

Two special attribute handling features are available in the SIM authentication module:

• Assigning IP Addresses Based on Access Point Name (APN)360
• Adding Attributes to an Access-Accept361

Assigning IP Addresses Based on Access Point Name (APN)

Steel-Belted Radius Carrier along with the SIM authentication module, can assign IP addresses to mobile devices based on the access point name (APN).

Overview

APN-based IP address assignment enables Steel-Belted Radius Carrier to perform the task of address assignment, rather than requiring the AP to assign addresses.

This feature works by configuring IP address pools, each of which consists of a set of IP addresses that can be assigned to a mobile device. You then configure an access point name (APN) to be associated with a particular pool. When an Access-Request is received, Steel-Belted Radius Carrier selects an IP address from the pool that is assigned to the APN handling the request.

Figure 160 shows the configuration of IP address assignment based on APN.

Figure 160: IP Address Assignment Based on Access Point Name

NOTE: As shown in Figure 160, assigning IP addresses based on access point name is supported in both the SIM and SMS authentication modules. This release of Steel-Belted Radius Carrier supports only the SIM authentication module.

NOTE: APN-based IP address assignment takes precedence over all other methods of IP address assignment except if an IP address (or pool name) is added to an Access-Accept as the value of the Framed-IP-Address attribute. For information about how to add any attribute from a subscriber database (such as a SQL database), see Adding Attributes to an Access-Accept361. For example, you can retrieve the IP address from a SQL database and include it as the value of Framed-IP-Address in an Access-Accept.

Tasks for Assigning IP Address Based on Access Point Name

Assigning IP addresses based on access point name involves the following main tasks:

• Configure simauth.aut - see Chapter 19, Configuring the Special Attribute Handling Features in the Steel-Belted Radius Carrier Reference Guide.
• Create an address pool - see Administering Address Pools147.

Adding Attributes to an Access-Accept

This feature enables you to add attribute values retrieved from an external subscriber database to an Access-Accept message. For example, you might want to include the subscriber's level of service in the Access-Accept as the value of the attribute Reply-Message. Another example might be retrieving the IP address to be assigned to a mobile node and returning it in the Access-Accept as the value of the attribute Framed-IP-Address.

Overview

An Access-Accept can include attribute values. Two authentication plug-ins are used to accomplish the tasks of authentication and adding attributes to an Access-Accept. The authentication plug-ins are:

• SIMAuth (acting as an EAP helper)
  This authenticator provides EAP authentication.
• Helped authenticator (for example: radsql.aut)
  This authenticator accesses the database, retrieves the specified attributes, and attaches them to the Access-Accept. In this situation, the helped authenticator does not perform any authentication tasks and its password-checking is suppressed. All authentication is performed by SIMAuth, the EAP helper.

Data Flow

Authentication of the Access-Request and the addition of attributes to the Access-Accept is handled according to the following flow of data:

1. The mobile device sends an Access-Request to Steel-Belted Radius Carrier.
2. SIMAuth manages the EAP negotiation (challenge and response).
3. If SIMAuth authenticates the request, it attaches the IMSI and MSISDN of the mobile device, and sends the request to radsql.aut.
4. radsql.aut can use the IMSI or MSISDN as a key to query the database and request attribute values (as a separate step from the SIMAuth authentication).
5. Helped authenticator (for example the SQL plug-in: radsql.aut) returns the Access-Accept with attribute values attached.
   

   NOTE: SIMAuth is known as a Steel-Belted Radius Carrier EAP helper because it performs the EAP authentication for the helped authentication method (in this case, the SQL plug-in: radsql.aut). Although radsql.aut is usually used for authentication, in this case, it accesses the subscriber database, retrieves attributes, and returns them with the Access-Accept. For complete information about EAP helpers, see Automatic EAP Helpers.

   
   

Figure 161 shows an example data flow in which Steel-Belted Radius Carrier, SIMAuth, and radsql.aut work together to perform the following tasks:

• Access authentication (performed by SIMAuth)
• Addition of MSISDN and IMSI to the request (performed by SIMAuth)
• Database access and attribute retrieval (performed by the SQL plug-in: radsql.aut)
• Addition of retrieved attributes to the Access-Accept (performed by radsql.aut)

Figure 161: Example Data Flow for Addition of Attribute to Access-Accept

Configuration Tasks for Adding Attributes to Access-Accept

To add attributes to the Access-Accept, you need to perform the following main tasks:

• Configure the related files, as described in Configuring Files for Adding Attributes to Access-Accept363.
• Activate authentication as described in Activate the Authentication Method364.

Configuring Files for Adding Attributes to Access-Accept

The following files require special configuration for the addition of attributes to the Access-Accept:

• simauth.aut
• simauth.eap
• radsql.aut, radsqljdbc.aut, or ldapauth.aut
• eap.ini

Refer to "Adding Attributes to an Access-Accept" in the Steel-Belted Radius Carrier Reference Guide.

Activate the Authentication Method

After you have configured the files described "Adding Attributes to an Access-Accept" in the Steel-Belted Radius Carrier Reference Guide, you need to activate the helped authentication method.

To activate the helped authentication:

1. Log in to the Steel-Belted Radius Carrier server using the SBR Administrator and select Authentication Policies > Order of Methods.
2. Select the helped authentication method and use the right arrow to place the authentication method in the list of Active Authentication Methods.

In this case, the helped authentication method is named SQLAUTH, as shown in the list of Inactive Authentication Methods (Figure 162).

Figure 162: Activate the Helped Authentication Method

The name of the helped authentication method, or EAP helper, is user-defined. This name is specified in "Configuring Files for Adding Attributes to Access-Accept" in the Steel-Belted Radius Carrier Reference Guide.

3. After the helped authentication method has been moved to the list of Active Authentication Methods, double-click it to open the Setup EAP dialog (Figure 163).

Figure 163: Setup EAP Dialog

4. Ensure that both the Use EAP authentication only and Handle via Auto-EAP first check boxes are selected.
5. Ensure that both SIM and AKA are listed under the Active EAP Methods list.
   

   NOTE: If you completed the steps correctly in "Configuring Files for Adding Attributes to Access-Accept" in the Steel-Belted Radius Carrier Reference Guide, both Step 4 and 5 are already completed.

   
   
6. Click OK.
7. Optionally, change the order of the authentication methods so the helped authentication method is first. Disable authentication methods that are no longer applicable. Refer to Order of Authentication Methods and Enabling EAP Methods.