Technical Documentation

About This Guide
Objective
Audience
Documentation Conventions
Related Documentation
Requests for Comments (RFCs)
3GPP Technical Specifications
WiMAX Technical Specifications
Third-Party Products
Obtaining Documentation
Documentation Feedback
Requesting Technical Support
Self-Help Online Tools and Resources
Opening a Case with JTAC
Steel-Belted Radius Carrier Overview
Introduction to Steel-Belted Radius Carrier
SBR Carrier Core Features
3rd Generation Partnership Project (3GPP) Support
Native Support for Structured Attributes
Adding NAD Location Information to Access-Requests
Support for Additional EAP Authentication Protocols
Statistics and Reporting Capabilities
Management Interfaces and Operations Support Systems (OSS)
Optional SIM Authentication Module Features
Optional WiMAX Mobility Module Features
Optional Scripting Module
Licensing
SBR Administrator
Migration / Upgrade Bundles
From SBR-Service Provider Edition (SPE) / SBR-SPE + EAP
From SBR SPE full license
From SBR-SIM
From SBR SPE with SIM-AKA
From SBR SPE JavaScript
RADIUS Basics
RADIUS Overview
RADIUS Packets
RADIUS Ports
RADIUS Configuration
RADIUS Server Configuration
RADIUS Client Configuration
Multiple RADIUS Servers
Shared Secrets
RADIUS Secret
Replication Secret
Node Secret
Accounting
Attributes
Dictionaries
Vendor-Specific Attributes
Dictionaries and the Make/Model Field
Updating Attribute Information
Structured Attributes
User Attribute Lists
Check List Attributes
Return List Attributes
Structured Attributes in Check Lists and Return Lists
Attribute Values
Single- and Multi-Valued Attributes
Orderable Multi-Valued Attributes
System Assigned Values
Echo Property
Default Values
Wildcard Support
Attribute Filtering
Adding NAD Location Attributes to Access-Requests
Centralized Configuration Management
Proxy RADIUS
Proxy RADIUS Authentication
Proxy RADIUS Accounting
Authentication
Authentication Methods
Native User Authentication
Pass-Through Authentication
Proxy RADIUS Authentication
External Authentication
Directed Authentication
HTTP Digest Access Authentication
Authenticate-Only Requests
Configuring the Authentication Sequence
Configuring Authentication Methods
Advanced Options
Account Lockout
Account Redirection
Blacklisting
Allowed Access Hours
Two-Factor Authentication
Password Protocols
Password Authentication Protocol
Challenge Handshake Authentication Protocol
MS-CHAP v2
Accounting
Accounting Sequence
Comma-Delimited Log Files
Proxy RADIUS Accounting
External Accounting
Tunneled Accounting
Directed Accounting
Accounting Spooling
Request Routing
Match Rules
User-Names with a Single Delimiter
User-Names with a Single Tunnel Delimiter
User-Names with a Single Realm Delimiter
User-Names with Multiple Suffix Delimiters
User-Names with Multiple Prefix Delimiters
Undecorated User-Names
Configuring Undecorated User-Name Support
Example
Request Routing by DNIS
Request Routing by Any Attribute
Local Services
Control Over Routing Methods
Radius Client Groups
IP Address Assignment
Address Pools and Replication
Hints
Resource Management
Network Address Assignment
How Address Assignment Works
Setting Return List Attributes
Handling Address Leaks
Address Leakage Upon Stopping and Starting the Server
Overlapping Address Ranges
Order of Address Assignment
Concurrent Network Connections
Concurrent User Connections
Concurrent Tunnel Connections
Attribute Value Pooling
Phantom Records
IPv6 Support
IPv6 and Steel-Belted Radius Carrier
IPv6 Features
IPv6 Addressing
Address Notation
Address Prefixes
Address Interface IDs
IPv6 Network Numbers
IPv6 Support in Steel-Belted Radius Carrier
RADIUS IPv6 Attributes
NAS-IPv6-Address
Framed-Interface-Id
Framed-IPv6-Prefix
Login-IPv6-Host
Framed-IPv6-Pool
Framed-IPv6-Route
Enabling IPv6 Networking
Configuring IPv6 Scope IDs
Configuring IPv6 Addresses for RADIUS Client Connections
Configuring DNSv6 Support
Using SBR Administrator
Running the SBR Administrator
Navigating in SBR Administrator
SBR Administrator Panels
SBR Administrator Sidebar
SBR Administrator Menus
File Menu
Edit Menu
Tools Menu
Web Menu
Help Menu
SBR Administrator Toolbar
SBR Administrator Dialogs
Adding an Entry
Editing an Entry
Cutting/Copying/Pasting Records
Resizing Columns
Changing Column Sequence
Sorting Information
Adding License Keys
Displaying Version Information
Closing the SBR Administrator
Administering RADIUS Clients and Client Groups
Overview
RADIUS Clients Panel
Adding a RADIUS Client or Client Group
Verifying a Shared Secret
Deleting a RADIUS Client
Administering RADIUS Location Groups
About RADIUS Location Groups
Location Groups Panel
Adding a Location Group
Deleting a Location Group
Administering Users
User Files
Users Panels
Setting Up Native Users
Adding a Native User
Editing a Native User
Deleting a Native User
Adding a Check List or Return List Attribute to a User
Adding Structured Attributes to the Check List or Return List of a User
Setting Up SecurID Users
Adding a SecurID User
Setting Up UNIX Users
Editing User Settings
Assigning a Profile to a User
Setting Attribute Values
Removing Attribute/Value Pairs
Reordering Attributes
Changing Attributes Inherited from a Profile
Concurrent Connection Limits
Allowed Access Hours
Deleting a User
Administering Profiles
About Profiles
Adding a Check List or Return List Attribute to a Profile
Resolving Profile and User Attributes
Setting Up Profiles
Adding a Profile
Adding Structured Attributes to the Check List or Return List of a Profile
Removing a Profile
Administering Proxy RADIUS
Proxy RADIUS Overview
Proxy RADIUS Authentication
Proxy RADIUS Accounting
Proxy RADIUS Realms
Target Selection Within a Realm
Message-Authenticator Support
Proxy Fast-Fail
Static Proxy Accounting
Proxy AutoStop Feature
Routed Proxy Authentication
Operation
Adding a Proxy Target
Maintaining an Accounting Shared Secret
Deleting a Proxy Target
Steel-Belted Radius Carrier as a Target
Dictionaries When Steel-Belted Radius Carrier is the Target
Accepting Packets from Any Proxy
Administering RADIUS Tunnels
About RADIUS Tunnels
Tunnel Authentication Sequence
Configuring Tunnel Support
Called Station Id
Dictionaries for Tunnel Support
Concurrent Tunnel Connections
Configuring RADIUS Tunnels
Adding a Tunnel
Editing a Tunnel
Deleting a Tunnel
Configuring Tunnel Name Parsing
Administering Address Pools
Address Pool Files
Setting Up IP Address Pools
Adding an IPv4 Address Pool
Editing an IP Address Pool
Removing an IP Address Pool
Specifying an IP Address Pool for User/Profile Records
NAD-Specific IP Address Pools
Service-Level IP Address Pools
Specifying IP Address Assignment from a DHCP Server
Address Allocation
Address Renewal
Address Release
DHCP Option Mapping
Using Multiple Servers
Setting Up Administrator Accounts
Administrators Panel
Adding an Administrator or Group
Deleting an Administrator or Group
Administrator Configuration Files
Configuring Realm Support
Realm Configuration Files
Stage One of Realm Configuration
Configuring a Proxy RADIUS Realm
Configuring a Directed Realm
Editing the radius.ini Realm Settings
Editing the proxy.ini File
Setting Up Smart Static Accounting
Setting Up Proxy RADIUS Realms
Configuration Tasks
Setting Up Directed Realms
How to Update Realm Configuration
Setting up Filters
Overview
Order of Filter Rules
Values in Filter Rules
Referencing Attribute Filters
Filters Panel
Adding a Filter
Searching the Filter List
Setting Up Authentication Policies
Authentication Policy Overview
Order of Authentication Methods
Adding EAP Methods to an Authentication Policy
Enabling EAP Methods
Activating an EAP Method
Certificates
Certificate Chains
Certificate Revocation Lists
Configuring Server Certificates
Adding a Certificate
Trusted Root Certificates
Adding a Trusted Root Certificate
Configuring a CRL Distribution Point Web Proxy
Configuring Authentication Rejection Messages
Configuring the Server
Configuring External Databases
Configuring SecurID Authentication
Set the Location of the sdconf.rec File
Setting Up EAP Methods
About the Extensible Authentication Protocol
Handling EAP Requests
Automatic EAP Helpers
Authentication Request Routing
EAP-Only Setting
First-Handle-Via-Auto-EAP Setting
EAP-NAK Notifications
Reauthenticating Connections
Certificates
Certificate Chains
Certificate Revocation Lists
EAP-TLS Authentication Protocol
Configuring EAP-TLS as an EAP Authentication Method
Configuring Client Certificate Validation
Configuring Session Resumption
Configuring Advanced Server Settings
Configuring EAP-TLS as an Automatic EAP Helper
Configuring Client Certificate Validation
Configuring Secondary Authentication
Configuring Session Resumption
Configuring Advanced Server Settings
EAP-TTLS Authentication Protocol
Configuring EAP-TTLS as an EAP Authentication Method
Configuring Request Filters
Configuring Response Filters
Configuring Client Certificate Validation
Configuring Session Resumption
Configuring Inner Authentication Settings
Configuring Advanced Server Settings
EAP-PEAP Authentication Protocol
Configuring EAP-PEAP as an EAP Authentication Method
Configuring Request Filters
Configuring Response Filters
Configuring Session Resumption
Configuring Inner Authentication Settings
Configuring Advanced Server Settings
EAP-LEAP Authentication Protocol
EAP-POTP Authentication Protocol
EAP-GTC Authentication Protocol
EAP-MD5-Challenge Authentication Protocol
EAP-MS-CHAP-V2 Authentication Protocol
EAP-SIM and EAP-AKA Authentication Protocols
Configuring Replication
Overview of Replication
Replication Requirements
Configuring Replica Servers
Adding a Replica Server
Enabling a Replica Server
Deleting a Replica Server
Publishing Server Configuration Information
Notifying Replica RADIUS Servers
Designating a New Primary Server
Making a Standalone Server the Primary Server
Making a Standalone Server a Replica Server
Verifying the Primary and Replica Servers Are Enabled
Demote a Primary or Replica Server to a Standalone Server
Recovering a Replica After a Failed Configuration Package Download
Changing the Name or IP Address of a Server
Replication Error Messages
Error Messages on Replica Servers
Error Messages on Primary Servers
3GPP Support
Overview
Data Connection Process
Accounting Process
3GPP Configuration
Configuring SQL Authentication
Overview of SQL Authentication
SQL Authentication Process
Stored Procedures
Connectivity Issues
Configuring SQL Authentication
Files
Using the SQL Authentication Configuration File
Using Multiple SQL Authentication Methods
Connecting to the SQL Database
SQL Statement Construction
Password Parameters
Overlapped Execution of SQL Statements
%result Parameter
SQL Authentication and Password Format
Hashed Passwords
Automatic Parsing
Working with Stored Procedures in Oracle
Working with Stored Procedures in MS-SQL
Example 1
Example 2
Tips on Using SQL Stored Procedures
Calling Stored Procedures
Using the Insert Function
Configuring SQL Accounting
SQL Accounting Overview
Stored Procedures
Connectivity Issues
Configuring SQL Accounting
Files
Using the SQL Accounting Configuration File
Using Multiple SQL Databases
Connecting to the SQL Database
SQL Statement Construction
INSERT Statement and VALUES Section
Using Multiple SQL Statements
Overlapped Execution of SQL Statements
SQL Accounting Return Values
Accounting Stored Procedure Example
Configuring LDAP Authentication
LDAP Authentication Overview
LDAP Variable Table
Types of LDAP Authentication
BindName Authentication
Bind Authentication
Attributes and LDAP Authentication
Configuring LDAP Authentication
Supporting Secure Sockets Layer
Files
LDAP Database Schema
LDAP Authentication and Password Format
Hashed Passwords
Automatic Parsing
LDAP Authentication Sequence
LDAP Authentication Examples
Bind Authentication with Default Profile
BindName Authentication with Callback Number Returned
LDAP Bind with Profile Based on Network Access Device
SS7 and SIGTRAN Gateway Support
Proxy RADIUS Authentication and Accounting
Proxy RADIUS as an Authentication Method
Proxy RADIUS Accounting
Simple Network Management Protocol
SNMP and Steel-Belted Radius Carrier Overview
The SBR SNMP Package
Supported MIBs
Configuring the SNMP Agent
Running the SNMP Agent
Starting the SNMP Agent
Stopping the SNMP Agent
Rereading the jnprsnmpd.conf File
Verifying SNMP Agent Operation
Running the testagent.sh Script
Using the snmpget Command
Using the snmpwalk Command
Resetting Rate Statistics
Troubleshooting
Using the LDAP Configuration Interface
LDAP Configuration Interface File
LDAP Configuration Interface Overview
LDAP Utilities
LDAP Requests
Downloading the LDAP Utilities
LDAP Version Compliance
Configuring the LDAP TCP Port
Example
Configuring the LCI Password
LDAP Virtual Schema
LDAP Rules and Limitations
Using the LCI to Define Structured Attributes in Check Lists and Return Lists
LCI XML Format
LDAP Command Examples
Searching for Records
Modifying Records
Importing Records From Another LDAP Database
Deleting Records
LDIF File Examples
Adding RADIUS Clients with LDIF
Adding Users with LDIF
Adding Proxy Targets with LDIF
Adding Tunnels with LDIF
Adding IP Address Pools with LDIF
Configuring a RADIUS Server with LDIF
Statistics Variables
Counter Statistics
stattype: server
stattype: authentication
stattype: accounting
stattype: proxy
Rate Statistics
SIM Authentication Module
Overview of Components in the SIM Authentication Module
SIMAuth
Ulticom Signalware SS7 and SIGTRAN Protocol Stacks
Ulticom SS7 Interface Board
CDR Accounting
MAP Gateway
Database Accessors
Kineto S1 Support
Special Attribute Handling Features
Assigning IP Addresses Based on Access Point Name (APN)
Adding Attributes to an Access-Accept Message
Overview of Operation
SIM Card-Based Authentication
EAP-SIM/EAP-AKA Authorization/Service Delivery
EAP-SIM/EAP-AKA Identities
EAP-SIM/EAP-AKA Fast Reauthentication
Overview of Configuration Activities
Install and Start Signalware
Configure the SS7/IP Network Communication
Configure the SS7 or SIGTRAN Protocol Stack
Configure the authGateway Application for HLR Communication
Load the MML Configuration Settings
Configure the Steel-Belted Radius Carrier Configuration Files
Configure the gsmmap.gen File
Configure the SQL and LDAP Data Accessors (optional)
Configure the Call Detail Record Accounting Capability
Configure EAP-SIM/EAP-AKA Authentication
Configuring Special Attribute Handling Features (Optional)
Assigning IP Addresses Based on Access Point Name (APN)
Overview
Tasks for Assigning IP Address Based on Access Point Name
Adding Attributes to an Access-Accept
Overview
Data Flow
Configuration Tasks for Adding Attributes to Access-Accept
Configuring Files for Adding Attributes to Access-Accept
Activate the Authentication Method
Overview of the WiMAX Mobility Module
Supported Features of the WiMAX Mobility Module
WiMAX Network Reference Model
Home Network Communication Flow Example
AAA-Generated Cryptographic Keys
Home Agent Root Key (HA-RK)
Allowing the VAAA to Assign the HA-RK
DHCP Server Root Key (DHCP-RK)
EAP Authentication Methods and EAP-Derived Cryptographic Keys
Master Session Key (MSK)
Extended Master Session Key (EMSK)
EMSK-Derived Key Generation and Identification
MSK and EMSK-Derived Key Lifetime and Deprecation
EMSK-Derived Key Storage and Retrieval
WiMAX Vendor Specific Attribute (VSA) Format
Structured Attributes
WiMAX Capabilities Negotiation
WiMAX-Capability Attribute
WiMAX-Capability Structured Attribute
Enabling WiMAX Capabilities Negotiation
Assigning the IP Address of the HA and DHCP Server
Assignment When Acting as the HAAA Server
Load-balancing the IP Address Assignment
Assignment When Acting as the VAAA Server
Configuring the VAAA
Configuring the HAAA
Post-Paid (Offline) Accounting
Flow-Based Accounting
IP-Session-Based Accounting
Categorizing the Access-Requests from Different Devices
Access-Request from the ASN-GW
Access-Request from the HA
Access-Request from the DHCP Server
Categorization Rules
Configuring the Optional WiMAX Mobility Module
Before You Begin
Configuring the Server to Support WiMAX Requests
Editing the radius.ini File
Editing the wimax.ini File
Allow-VAAA-To-Assign-Home-Agent-And-DHCP-Server Parameter
Define the List of HA and DHCP Servers
Editing the mip.ini File
Configuring WiMAX Clients
Configuring WiMAX Users and Profiles
Configuring the WiMAX-Capabilities Negotiation
Example Configuration for New Session Hotlining
Configuring the EAP Methods for WiMAX
Displaying Statistics
Displaying Authentication Statistics
Displaying Accounting Statistics
Displaying Proxied Request Statistics
Displaying RADIUS Client Statistics
Displaying RADIUS Proxy Targets Statistics
Displaying IP Address Pool Statistics
Logging and Reporting
Logging Files
Displaying the Current Sessions List
Searching the Current Sessions List
Deleting Entries from the Sessions List
Displaying Authentication Log Files
File Permissions for Log Files
Security Groups and Permissions
Using the User File Creation Mode Mask
Implementing Default File Permissions in Steel-Belted Radius Carrier
Implementing Override File Permissions in Steel-Belted Radius Carrier
Enabling and Disabling the Authentication Log Files
Viewing the Authentication Log Files
Saving the Log Files
Searching the Log Files
Using the Locked Accounts List
Configuring Locked Account Settings
Displaying the Locked Accounts List
Unlocking a Locked Account
Configuring the Log Retention Period
Using the Server Log File
Level of Logging Detail
Using the Authentication Log File
Authentication Log File Format
First Line Headings
Comma Placeholders
Using the Accounting Log File
Accounting Log File Format
First Line Headings
Comma Placeholders
Standard RADIUS Accounting Attributes
Introduction to Scripting
Scripting Overview
Script Types
LDAP Authentication
Realm Selection
Attribute Filter
About JavaScript
Creating Scripts
Script Development Steps
JavaScript Initialization Files
[Settings] Section
[Script] Section
[ScriptTrace] Section
[Failure] Section
Writing Steel-Belted Radius Carrier Scripts in JavaScript
Programming in JavaScript
Hidden Wrapper Function
Script Return Values
Initializing Reusable Data Objects
General Recommendations
Saving the Script File
Sample Script
Debugging Scripts
SbrWriteToLog()
SbrTrace and ScriptTraceLevel
scriptcheck
Unpacking the scriptcheck Utility
Running the scriptcheck Utility
Creating LDAP Scripts
LDAP Basics
LDAP Request Life Cycle
Unscripted LDAP Searches
LDAP Script Basics
Working with the Variable Table
Invoking LDAP Queries
Writing to the Steel-Belted Radius Carrier Log
Choosing the Return Code
Script Return Codes
SCRIPT_RET_SUCCESS
SCRIPT_RET_DO_NOT_AUTHENTICATE
SCRIPT_RET_TRY_NEXT_AUTH_METHOD
SCRIPT_RET_NOT_AUTHENTICATED
SCRIPT_RET_FAILURE
LDAP Script Return Codes
LDAP Script Examples
Example 1: Simple Authentication
Example 2: Profile Assignment
Example 3: Received Attribute Normalization
Example 4: Conditional Profile Assignment from User Attribute
Creating Realm Selection Scripts
Realm Selection Script Functions
Enabling Built-In Realm Selection Methods
Choosing the Return Code
Configuring Realm Selection Scripts
Core Realm Selection Scripts
[Processing] Section
Tunneled Authentication Plug-in Realm Selection Scripts
Realm Selection Script Examples
Example 1: Querying Multiple SQL Databases
Example 2: Using JavaScript to Manipulate Request Attributes
Creating Attribute Filter Scripts
Using Attribute Filter Scripts
Attribute Filter Script Functions
Choosing the Return Code
Configuring Attribute Filter Scripts
Defining Scripted Filters
Attribute Filter Script Examples
Example 1: Using an LDAP Query to Select a Static Filter to Execute
Example 2: Adding Values to Multi-Valued Attributes
Working with Data Accessors
Data Accessor Overview
Variable Containers
Internal Variable Table (LDAP Only)
Data Accessor Configuration
SQL Data Accessor Configuration
[Bootstrap] Section
[Results] Section
[Settings] Section
[VariableTypes] Section
LDAP Data Accessor Configuration
[Bootstrap] Section
[Attributes/name] Sections
[Response] Section
[Search/name] Sections
[Request] Section
[Defaults] Section
[Server/name] Sections
[Server] Section
[Settings] Section
[VariableTypes] Section
Data Conversion Rules
Output Container
Input Container
Examples
Example 1
Example 2
Example 3
Supported Data Types and Conversions
Data Accessor Configuration File Examples
Example: LDAP Data Accessor Configuration File
Example: SQL Data Accessor Configuration File
Script Reference
JavaScript Types
API Method Support by Script Type
Local and Global Variable Declarations
Global Object
Logging and Diagnostic Methods
SbrWriteToLog()
SbrTrace()
Ldap Object
Ldap Methods
Ldap.Search()
LdapVariables Object
LdapVariables Methods
LdapVariables.Get()
LdapVariables.Add()
LdapVariables.Reset()
RealmSelector Object
Constructor
new RealmSelector()
RealmSelector Methods
Execute()
SetAuthUserName()
SetAuthProfile()
AttributeFilter Object
Constructor
new AttributeFilter()
AttributeFilter Methods
Get()
Add()
Reset()
Replace()
Execute()
AttributeFilter API
DataAccessor Object
Properties
FOUND
NOTFOUND
FAILED
Constructor
new DataAccessor()
Methods
SetInputVariable()
GetOutputVariable()
Execute()
Clear()
When and How to Stop and Restart Steel-Belted Radius Carrier
Stopping the Steel-Belted Radius Carrier Server
Starting the Steel-Belted Radius Carrier Server
Authentication Protocols
Importing and Exporting Data
Importing Information from an XML File
Exporting Information to an XML File
Technical Bulletins
Service Type Mapping
Configuration
Local User Database Entries
servtype.ini File
CCA Support for 3COM
Configuration
Setting User and Profile Attributes
Ascend Filter Translation
Configuration
Syntax
Ericsson Enhanced Token Caching
Enhanced Token Caching Configuration
Enhanced Token Caching Administration
Ericsson e-h235 Authentication Protocol
Operation
Configuration
Uniport Plug-In
Operation
Configuration
Glossary
Index