

Configuring WiMAX Users and Profiles

To support WiMAX you need to configure a return list for either a user entry or profile entry that includes the attributes in Table 57:

Table 57: Mandatory Return List Attributes for WiMAX

| Attribute | Description |
|---|---|
| WiMAX-hHA-IP-MIP4 | Specifies the IP address for the HA, and is also used as input to the formula for generating the keys associated with the session. |
| Session-Timeout | The session-timeout attribute is used as the lifetime for the keys. |
| WiMAX-Capabilities | Specifies the WiMAX capabilities the server supports for the session. You must also specify the associated sub-attributes for each capability you want to support; see Configuring the WiMAX-Capabilities Negotiation. |


The attributes described in Table 58 can optionally be specified in the return list.

Table 58: Optional Return List Attributes for WiMAX

| Attribute | Description |
|---|---|
| WiMAX-hDCHP-Server | Optionally, you can add the WiMAX-hDCHP-Server attribute to the return list to specify the IP address of the DHCP server. |

If the WiMAX-hDCHP-Server attribute is attached to the Access-Accept, then Steel-Belted Radius Carrier generates and attaches the following additional attributes to the Access-Accept:

  • Wi-MAX-hDHCP-RK
  • Wi-MAX-RK-Key-ID
  • Wi-MAX-RK-Lifetime

For complete details on configuring user and profile entries with return list attributes, see Chapter 6, Administering Users and Chapter 7, Administering Profiles.

Configuring the WiMAX-Capabilities Negotiation

To configure WiMAX capabilities negotiation, you need to add the WiMAX-Capabilities attribute and sub-attributes to the return list of a user entry or profile entry. You can define the following sub-attributes (capabilities):

To enable support for a particular capability, add the sub-attribute to the return list, and enable the Echo option for the sub-attribute. When Steel-Belted Radius Carrier receives the sub-attribute (capability) in the Access-Request, it returns the sub-attribute in the Access-Accept, indicating the capability is supported for the session. If you do not want Steel-Belted Radius Carrier to support a particular capability, do not enable the Echo option for it. If Steel-Belted Radius Carrier then receives an Access-Request with the sub-attribute, it does not return the sub-attribute in the Access-Accept, indicating the capability is not supported for the session. If a sub-attribute (capability) was never sent in the Access-Request, then it cannot be returned in the Access-Accept. Absence of a sub-attribute in the Access-Request indicates the device (ASN-GW or HA) does not support the capability.

If you enable Echo on the WiMAX-Capability parent attribute, you cannot add sub-attributes. The Add Child button is disabled. In this case, Steel-Belted Radius Carrier echoes back whatever WiMAX capabilities it receives in the Access-Request message.

For more details on each of the WiMAX capabilities, see WiMAX-Capability Attribute.

For complete details on adding sub-attributes to the return list of a profile entry, see Adding Structured Attributes to the Check List or Return List of a Profile. For complete details on adding sub-attributes to the return list of a user entry, see Adding Structured Attributes to the Check List or Return List of a User.

Example Configuration for New Session Hotlining

This section provides an example configuration for new session hotlining. Because this example uses the EAP-TTLS authentication method, you need to create both a request and response filter. Both filters are created using SBR Administrator. In this example the sub-attribute values are retrieved from an LDAP database (ldapauth.aut file).

Configuring the Filters

Use the following procedure to configure the request and response filters.

  1. Define a filter using SBR Administrator: Filters > Add. The Add Filter dialog displays (Figure 167).

Figure 167: Add New Session Hotlining Filter
  2. Enter the filter Name=WiMAXHotlineFilter.
  3. Set the filter Default Rule=Exclude.
  4. Click Add. The Add Rule dialog is displayed (Figure 168).

Figure 168: Add Attributes and Values to Filter
  5. Set the Type = Add.
  6. Add the following attribute names and values to the filter:
       • WiMAX-Capability.Values.Hotlining-Capabilities.Profile-based attribute with value = 01
       • WiMAX-Capability.Values.Hotlining-Capabilities.Rule-based-ByNAS-Filter attribute with value = 01 (optional)
  7. Click OK. The Add Filter dialog displays the new filter (Figure 169).

Figure 169: Hotlining Capabilities Filter
  8. Click OK.
  9. Define a TTLS-Accept filter using SBR Administrator: Filter > Add (Figure 170).
  10. Enter the filter Name=ttls_accept.
  11. Set the filter Default Rule=Allow.

Figure 170: Add TTLS-Accept Filter
  12. Click Add. The Add Rule dialog is displayed (Figure 171).

Figure 171: Add Rule for TTLS-Accept Filter Dialog
  13. Set the Type = Exclude.
  14. Add the following attribute names and values to the filter:
       • Class
       • EAP-Message
       • MS-MPPE-Recv-Key
       • MS-MPPE-Send-Key
       • MS-CHAPV2-Success
  15. Click OK. The Add Filter dialog displays the new filter (Figure 172).

Figure 172: TTLS-Accept Filter
  16. Click OK.
  17. Select Authentication Policies > EAP Methods.
  18. Double-click EAP-TTLS to open the Edit dialog.
  19. Select the Request Filters tab (Figure 173).

Figure 173: Request Filter Tab
  20. Select Transfer Outer Attribs to New: and select the WiMAXHotlineFilter from the drop-down list.
  21. Click OK and return to the EAP Methods panel.
  22. Double-click EAP-TTLS to open the Edit dialog again.
  23. Select the Response Filters tab (Figure 174).

Figure 174: Response Filter
  24. Select Transfer Inner Attribs to Accept and select ttls_accept from the drop-down list.
  25. Click OK.
  26. In the wimax.ini file, set ASNGW-Accept-Filter = ttls_accept in the [ASN-GW-Requests] section.
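
A simplified model of what the two filters do to the attributes passing through them, as an added example (not Juniper code). It assumes a filter applies its Default Rule to every attribute not named by a rule and then appends the values of its Add rules; the function names and the sample attribute sets are constructed for illustration.

```python
# Simplified model of the two filters configured above (added example, not SBR code).
# Assumption: the Default Rule decides the fate of every attribute that no rule
# names, and the values of Add rules are appended afterwards.

def apply_filter(attrs, default_rule, exclude=(), allow=(), add=None):
    """Return the attribute dict that survives the filter."""
    out = {}
    for name, value in attrs.items():
        if name in exclude:
            continue
        if name in allow or default_rule == "Allow":
            out[name] = value
    out.update(add or {})
    return out

CAP = "WiMAX-Capability.Values.Hotlining-Capabilities."

def wimax_hotline_filter(outer_request):
    # Request filter: Default Rule=Exclude plus two Add rules, so nothing from the
    # outer request is transferred and only the capability values are added.
    return apply_filter(outer_request, "Exclude", add={
        CAP + "Profile-based": "01",
        CAP + "Rule-based-ByNAS-Filter": "01",  # the optional rule
    })

def ttls_accept(inner_response):
    # Response filter: Default Rule=Allow plus five Exclude rules, so inner
    # key material and EAP state are kept out of the Access-Accept.
    return apply_filter(inner_response, "Allow", exclude={
        "Class", "EAP-Message", "MS-MPPE-Recv-Key",
        "MS-MPPE-Send-Key", "MS-CHAPV2-Success"})

# Constructed sample attribute sets, for illustration only.
OUTER_REQUEST = {"User-Name": "anonymous", "NAS-IP-Address": "192.0.2.10",
                 "EAP-Message": "<outer EAP>"}
INNER_RESPONSE = {"Class": "<class>", "MS-MPPE-Recv-Key": "<key>",
                  "MS-MPPE-Send-Key": "<key>", "MS-CHAPV2-Success": "<S=...>",
                  "WiMAX-Hotline-Profile-ID": "hotline-1",
                  "WiMAX-Hotline-Session-Timer": "300"}

if __name__ == "__main__":
    print(wimax_hotline_filter(OUTER_REQUEST))
    print(ttls_accept(INNER_RESPONSE))
```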

Configuring LDAP Authentication File

For this example, the ldap.aut file shipped with Steel-Belted Radius Carrier is modified to retrieve the values of the sub-attributes.

[Bootstrap]
LibraryName=ldapauth.so
Enable=1
InitializationString=WIMAX_HOTLINE

[Settings]
MaxConcurrent=1
Timeout=20
ConnectTimeout=25
QueryTimeout=10
WaitReconnect=2
MaxWaitReconnect=360
; BindName=uid=<User-Name>, ou=sales, o=bigco.com
; BindName = cn=Manager,o=sbrsms, c=US
LogLevel = 2
UpperCaseName = 0
PasswordCase=original
PasswordFormat = 0
; Search = DoLdapSearch
SSL = 0
MaxScriptSteps = 1000
ScriptTraceLevel =2
;FilterSpecialCharacterHandling = 0

[NDS]
;Enable = 0
;AllowExpiredAccountsForUsers = 0
;ProfileForExpiredUsers = profile1
;AllowGraceLoginsForUsers = 1
;ProfileForGraceLoginUsers = profile2

[Server]
s1=

[Server/s1]
Host=172.28.84.27
Port = 21002
BindName=cn=Directory Manager
BindPassword=sbrcarrier

[Failure]
;Accept=0
;Profile=xyz
;FullName=Remote User

[Request]
%UserName                       = UserName
Juniper-WiMAX-Client-Type       =clientType
WiMAX-Capability.Values.Hotlining-Capabilities.Rule-based-By-NAS-Filter= hotlineCaps_nas
WiMAX-Capability.Values.Hotlining-Capabilities.Profile-based= hotlineCaps_profile

[Response]
%Password                      = telephonenumber 
%Profile                      = profile 
@WiMAX-Hotline-Indicator                = hotlineIndicator
@WiMAX-Hotline-Profile-ID                    = hotlineProfile
@WiMAX-Hotline-Session-Timer                    = hotlineTimer

[Search/SubscriberRecord]
;Base = o=sbrsms, c=US
Base =dc=carrier,dc=spgma,dc=juniper,dc=net
Scope = 2
Filter = uid=<LDAPRecordKey>
Attributes = SubscriberAttr
Timeout = 20
%DN = dn

[Attributes/SubscriberAttr]
profile
telephonenumber
wimax-hotline-profile-id
wimax-hotline-session-timer
wimax-hotline-indicator
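
A small audit of the file above for how the directory connection and bind credentials are protected, as an added example (not part of Steel-Belted Radius Carrier). It reads only keys that appear in the listing and assumes SSL = 1 is the value that turns on SSL for the LDAP connection; the function names and finding names are made up for this example.

```python
import configparser

# Excerpt of the ldapauth.aut listing above (only the sections the checks read).
LDAPAUTH_AUT = """\
[Settings]
SSL = 0

[Server]
s1=

[Server/s1]
Host=172.28.84.27
Port = 21002
BindName=cn=Directory Manager
BindPassword=sbrcarrier

[Response]
%Password = telephonenumber
%Profile = profile
"""

def load(text):
    # '%' and '@' prefixes and bare attribute names are legal in this file format,
    # so disable interpolation, keep key case, and allow keys without a value.
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True,
                                   delimiters=("=",), comment_prefixes=(";",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def audit(text):
    """Return a sorted list of finding codes for an ldapauth.aut file."""
    cp, findings = load(text), set()
    # Assumption: SSL = 1 enables SSL to the directory; anything else is cleartext.
    ssl_on = cp.get("Settings", "SSL", fallback="0").strip() == "1"
    servers = list(cp["Server"]) if cp.has_section("Server") else []
    for name in servers:
        sec = "Server/" + name
        if not cp.has_section(sec):
            findings.add("server-section-missing:" + name)
            continue
        if cp.get(sec, "BindPassword", fallback=""):
            findings.add("bind-password-in-file:" + name)
            if not ssl_on:
                findings.add("bind-without-ssl:" + name)
    if not ssl_on and cp.get("Response", "%Password", fallback=""):
        findings.add("password-attribute-read-without-ssl")
    return sorted(findings)
```

For the listing above, `audit(LDAPAUTH_AUT)` reports the stored bind password, the bind over a non-SSL connection, and the subscriber password attribute being fetched over that same connection.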

