

3GPP2.ini File

This section summarizes the sections and settings of the 3gpp2.ini file, which controls the functionality of the optional CDMA mobility module.

The 3gpp2.ini file is read whenever Steel-Belted Radius Carrier restarts or receives a HUP signal.

The 3gpp2.ini file, which contains the settings for the CDMA mobility module, consists of the sections described in Table 190.

Table 190: 3gpp2.ini Sections 
Section
Description

[Settings]

Enables or disables 3GPP2 processing.

[Authorize-Only-Requests]

Enables prepaid online requests.

See [Authorize-Only-Requests] Section for more information.

[FA-User-Auth-Requests]

Specifies options for processing foreign agent user authentication requests.

See [FA-User-Auth-Requests] Section for more information.

[HA-Key-Distribution-Requests]

Specifies options for processing home agent key distribution requests.

See [HA-Key-Distribution-Requests] Section for more information.

[MN-HA-Shared-Key-Requests]

Specifies options for processing MN-HA shared key requests.

See [MN-HA-Shared-Key-Requests] Section for more information.

[HA-User-Auth-Requests]

Specifies options for processing home agent user authentication requests.

See [HA-User-Auth-Requests] Section for more information.

[SIP-User-Auth-Requests]

Specifies options for processing Simple IP user authentication requests.

See [SIP-User-Auth-Requests] Section for more information.

[Other-Requests]

Specifies options for processing other (none of the above) requests.

See [Other-Requests] Section for more information.

[Attributes]

Identifies dictionary attributes necessary for request processing.

See [Attributes] Section for more information.

[HAs]

Lists the identities of home agents and whether and how they are to be authenticated.

See [HAs] Section for more information.



The 3gpp2.ini file may also contain one or more sections named [FA-User-Auth-Requests/name], where name is the value of a FA-User-Auth-Requests-Section setting in the [3gpp2] section of a proxy realm (.pro) configuration file.

The radius.dct file shipped with Steel-Belted Radius Carrier has been configured with the attributes necessary for supporting Mobile IP services in compliance with the 3GPP2 standards.

[Settings] Section

The [Settings] section (Table 191) contains the master switch that enables the CDMA 3GPP2 feature set.

Table 191: [Settings] Section 
Setting
Description

Enable

Set this field to 1 to enable support for 3GPP2 features.

Set this field to 0 to disable support for 3GPP2 features.

S-Seconds

Set to the lifetime, in seconds, for each new S-Key that the server generates. After this many seconds, a new S-Key is generated.

The S-Key is used in processing foreign agent user authentication and home agent key distribution requests. This value also defines the frequency with which a home agent must make new home agent key distribution requests for communicating with foreign agents.

MIPSessionsForDeviceMustHaveSameHomeAndHAAddresses

Inter-PDSN Handoff field. See Inter-PDSN Handoff in the Steel-Belted Radius Carrier 7.2 Administration and Configuration Guide for more information.

Set to 1 (default) to enable inter-PDSN handoff.

Comment out or set to 0 to disable inter-PDSN handoff.

UniqueDeviceIdentifier

Inter-PDSN Handoff field for identifying how a session is determined to be an existing session. If the User-Name, Calling-Station-Id, or both for an Access-Request match an existing session, the session is considered to be an existing session. See Inter-PDSN Handoff in the Steel-Belted Radius Carrier 7.2 Administration and Configuration Guide for more information.

Valid values are:

  • User-Name
  • Calling-Station-Id
  • User-Name, Calling-Station-Id

Example

[Settings]
Enable = 1
S-Seconds = 3600
AddFunk3GPP2RequestTypeToRequest = 1
MIPSessionsForDeviceMustHaveSameHomeAndHAAddresses=1
UniqueDeviceIdentifier=User-Name, Calling-Station-Id

[Authorize-Only-Requests] Section

The [Authorize-Only-Requests] section (Table 192) specifies how prepaid online requests are handled. For more information about the prepaid data services supported in the CDMA module, see Prepaid Data Services in the Steel-Belted Radius Carrier 7.2 Administration and Configuration Guide.

Table 192: [Authorize-Only-Requests] Section 
Setting
Description

Accept-Requests

  • Set to 1 to enable prepaid data services.
  • Set to 0 to disable prepaid data services.

Filter

Specifies the name of the filter applied to attributes in an Access-Accept that is issued in response to a foreign agent user authentication request. The filter must be defined using the Filters panel in SBR Administrator.

If no filter is specified, all attributes are returned unchanged.


[FA-User-Auth-Requests] Section

The [FA-User-Auth-Requests] section (Table 193) specifies how foreign agent user authentication requests are handled.

Table 193: [FA-User-Auth-Requests] Section 
Setting
Description

Accept-Requests

  • If set to 0, foreign agent user authentication request handling is disabled. Set Accept-Requests to 0 only if the feature that you are planning to use is the MN-HA shared key distribution support.
  • If set to 1 (the default), foreign agent user authentication request handling is enabled.

HA-Address-Mismatch

Specifies the action to take if a foreign agent user authentication request contains a specific HA-Address that is different from the HA-Address in the return list:

  • If set to response (the default), the HA-Address returned in the Access-Accept is the value from the mobile user's return list.
  • If set to request, the HA-Address from the request is returned in the Access-Accept, overriding the HA-Address in the return list.
  • If set to reject, the request is rejected.

Filter

The name of the filter applied to attributes in an Access-Accept that is issued in response to a foreign agent user authentication request. The filter must be defined using the Filters panel in SBR Administrator.

If no filter is specified, all attributes are returned unchanged.

HA-Address-Round-Robin-Group

Enables dynamic home agent assignment and specifies the name of the round robin file used to control the assignment of home agents. For more information about dynamic home agent assignment and round robin files, see Assigning the Home Agent Dynamically.


Example

[FA-User-Auth-Requests]
Accept-Requests = 1
HA-Address-Mismatch = response
Filter = Filter1
HA-Address-Round-Robin-Group=ha_assign.rr

[HA-Key-Distribution-Requests] Section

The [HA-Key-Distribution-Requests] section (Table 194) specifies how home agent key distribution requests are handled.

Table 194: [HA-Key-Distribution-Requests] Section 
Setting
Description

Accept-Requests

  • If set to 0, home agent key distribution request handling is disabled. Use this setting only if you are not expecting any foreign agent user authentication requests that require IPsec keying information.
  • If set to 1 (the default), home agent key distribution request handling is enabled.

Use-S-Request-As-Marker

  • If set to 1, the presence of the S-Request attribute is required for a request to be processed as a home agent key distribution request.
  • If set to 0 (the default), the only requirements a home agent key distribution request must meet are that it not contain attributes that classify the request as a foreign agent or MN-HA shared secret request, and that the User-Name attribute consist of two ASCII-formatted IP addresses, with the second being a valid home agent address.

Check-Source-Address

  • If set to 1, each home agent key distribution request is validated to ensure that the home agent address matches the source IP address of the Access-Request.
  • If set to 0 (the default), this check is not performed.

Check-NAS-IP-Address

  • If set to 1, each home agent key distribution request is validated to ensure that the home agent address matches the value of the NAS-IP-Address attribute in the request.
  • If set to 0 (the default), this check is not performed.

Auth

  • If set to Native, each home agent key distribution request is authenticated against the password configured for a native user in the Steel-Belted Radius Carrier server's database. The name of the native user account that is used for the check is constructed by concatenating the HA-Prefix value with an ASCII representation of the home agent's address.
  • If set to default (the default), the password check is performed based on the definition of each home agent in the [HAs] section.

Auth-Prefix

Set to the prefix string to which to append a home agent address when home agent key distribution requests are to be authenticated and the password for each home agent is maintained in the Steel-Belted Radius Carrier server's database under a native user account.

The default string value is HA-.

Filter

The name of the filter applied to attributes in an Access-Accept that is issued in response to a home agent key distribution request. The filter must be defined using the Filters panel in SBR Administrator.

If no filter is specified, all attributes are returned unchanged.


Example

[HA-Key-Distribution-Requests]
Accept-Requests = 1
Filter = Filter2
Check-Source-Address = 1
Check-NAS-IP-Address = 0
Auth = default

[MN-HA-Shared-Key-Requests] Section

The [MN-HA-Shared-Key-Requests] section (Table 195) specifies how MN-HA shared key requests are handled.

Table 195: [MN-HA-Shared-Key-Requests] Section 
Setting
Description

Accept-Requests

  • If set to 0 (the default), local MN-HA shared key distribution request handling is disabled. These requests can still be handled by proxy targets.
  • If set to 1, MN-HA shared key distribution request handling is enabled.

Filter

The name of the filter applied to attributes in an Access-Accept that is issued in response to an MN-HA shared key distribution request. The filter must be defined using the Filters panel in SBR Administrator.

If no filter is specified, all attributes are returned unchanged.


Example

[MN-HA-Shared-Key-Requests]
Accept-Requests = 1
Filter = Filter3

[HA-User-Auth-Requests] Section

The [HA-User-Auth-Requests] section (Table 196) specifies how home agent user authentication requests are handled.

Table 196: [HA-User-Auth-Requests] Section 
Setting
Description

Accept-Requests

  • If set to 0, home agent user authentication request handling is disabled, and any home agent user authentication requests are treated as being of type Other.
  • If set to 1 (the default), home agent user authentication request handling is enabled.

HA-Address

Specifies how a home agent user authentication request is to be recognized. Because this type of request is not required to contain a unique attribute, a mechanism must be specified for recognizing that this is a request from a home agent that does not fit the criteria for home agent key distribution or MN-HA shared key requests.

  • If set to Source-IP-Address (the default), the source address of the packet that contained the request must match one of the home agent addresses listed in the [HAs] section.
  • If set to NAS-IP-Address, the request must include a NAS-IP-Address attribute and the contents of this attribute must match one of the home agent addresses listed in the [HAs] section.

Filter

The name of the filter applied to attributes in an Access-Accept that is issued in response to a home agent user authentication request. The filter must be defined using the Filters panel in SBR Administrator.

If no filter is specified, all attributes are returned unchanged.


Example

[HA-User-Auth-Requests]
Accept-Requests = 1
HA-Address = source-IP-address
Filter = Filter4

[SIP-User-Auth-Requests] Section

The [SIP-User-Auth-Requests] section (Table 197) specifies how Simple IP user authentication requests are handled.

Table 197: [SIP-User-Auth-Requests] Section 
Setting
Description

Accept-Requests

  • If set to 0, Simple IP user authentication request handling is disabled, and any Simple IP user authentication requests are treated as being of type Other.
  • If set to 1 (the default), Simple IP user authentication request handling is enabled.

Filter

The name of the filter applied to attributes in an Access-Accept that is issued in response to a Simple IP user authentication request. The filter must be defined using the Filters panel in SBR Administrator.

If no filter is specified, all attributes are returned unchanged.


Example

[SIP-User-Auth-Requests]
Accept-Requests = 1
Filter = Filter5

[Other-Requests] Section

The [Other-Requests] section (Table 198) specifies how other requests (ones that do not fit in any of the other categories) are handled.

Table 198: [Other-Requests] Section 
Setting
Description

Filter

The name of the filter to be applied to attributes in an Access-Accept in response to all requests of type Other. The filter must be defined using the Filters panel in SBR Administrator.

If no filter is specified, all attributes are returned unchanged.


Example

[Other-Requests]
Filter = DefaultFilter

[Attributes] Section

The [Attributes] section lists the names of the special purpose attributes used for Mobile IP, as follows:

[Attributes]
Pre-Shared-Secret-Request = 3GPP2-Pre-Shared-Secret-Request
Pre-Shared-Secret = 3GPP2-Pre-Shared-Secret
HA-Address = 3GPP2-Home-Agent-Address
Key-ID = 3GPP2-Key-ID
S-Key = 3GPP2-S-Key
S-Lifetime = 3GPP2-S-Lifetime
Correlation-Id = 3GPP2-Correlation-ID
Session-Continue = 3GPP2-Session-Continue
S-Request = 3GPP2-S-Request
MN-HA-SPI = 3GPP2-MN-HA-SPI
MN-HA-Shared-Key = 3GPP2-MN-HA-Shared-Key

NOTE: These are the standard 3GPP2 attributes specified in IS-835-B. Do not change anything in this section unless your foreign agent or home agent requires attributes that are not consistent with this standard.

[HAs] Section

The [HAs] section lists the address of each home agent from which the server is to accept a home agent key distribution request, along with an optional password.

[HAs]
HA-address [= password]
...

If the Auth setting in the [HA-Key-Distribution-Requests] section is set to native, only the HA-address needs to be specified, because all home agent requests are checked against native user accounts in the Steel-Belted Radius Carrier server's database. The remainder of this section describes options that apply only when HA-Auth is omitted or specified as default.

If the password parameter is omitted, no password check is performed. If the equal sign (=) is present but no password is specified, a check is performed for an empty (zero-length) password.

In the following example (with Auth set to default), home agent key distribution requests from the home agent at 200.200.200.1 are checked against the password swordfish, those from 200.200.200.2 are checked for an empty password, and those from 200.200.200.3 are accepted without performing a password check.

[HAs]
200.200.200.1 = swordfish
200.200.200.2 =
200.200.200.3
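
The difference between an omitted password, an empty password, and a real one is easy to miss when reviewing a deployed file. The following audit sketch is an added example, not part of the product or its documentation: it parses 3gpp2.ini text and reports home agents that are accepted without a password check or with an empty password, along with address checks left disabled in [HA-Key-Distribution-Requests]. The function name audit_3gpp2 and the choice of which settings to report are assumptions of this example; the sample input is constructed from the example values on this page.

```python
import configparser

# Constructed sample, built from the example values shown on this page.
SAMPLE = """\
[HA-Key-Distribution-Requests]
Accept-Requests = 1
Check-Source-Address = 1
Check-NAS-IP-Address = 0
Auth = default

[HAs]
200.200.200.1 = swordfish
200.200.200.2 =
200.200.200.3
"""

KD = "HA-Key-Distribution-Requests"

def audit_3gpp2(text):
    """Return (section, setting, finding) tuples for skipped HA checks."""
    # allow_no_value keeps "HA-address" (None) distinct from "HA-address =" ("").
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.read_string(text)

    def setting(key, default):
        # Fall back to the documented default when the setting is absent.
        return (cp.get(KD, key, fallback=default) or default).strip().lower()

    findings = []
    if setting("Accept-Requests", "1") == "0":
        return findings  # key distribution request handling is disabled
    for key in ("Check-Source-Address", "Check-NAS-IP-Address"):
        if setting(key, "0") != "1":  # documented default 0: check not performed
            findings.append((KD, key, "address check not performed"))
    # With Auth = native, passwords come from native user accounts, not [HAs].
    if setting("Auth", "default") == "native" or not cp.has_section("HAs"):
        return findings
    for addr, password in cp.items("HAs"):
        if password is None:    # address only: no password check is performed
            findings.append(("HAs", addr, "no password check"))
        elif password == "":    # "=" with nothing after it: empty password
            findings.append(("HAs", addr, "empty password"))
    return findings

if __name__ == "__main__":
    for section, name, finding in audit_3gpp2(SAMPLE):
        print(f"[{section}] {name}: {finding}")
```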

[FA-User-Auth-Requests/name] Sections

Multiple sections with names of the style [FA-User-Auth-Requests/name] can also exist in the 3gpp2.ini file. These sections are only referenced when a proxy realm's configuration file (.pro) contains an FA-User-Auth-Requests-Section setting in its [3gpp2] section.

Specifying this option in a realm's configuration file puts the options in the matching foreign agent user authentication request processing section of the 3gpp2.ini file in effect for all foreign agent user authentication request transactions that are processed by the proxy realm. As a result, the settings in this section are used instead of the settings in the [FA-User-Auth-Requests] section for transactions processed against the proxy realm.

The options in these sections are identical to those documented for the [FA-User-Auth-Requests] section.

Example

[FA-User-Auth-Requests/Acme]
Accept-Requests = 1
HA-Address-Mismatch = reject
Filter = FilterAcme
HA-Address-Round-Robin-Group=ha_assign.rr

