Special Attribute Handling Features

Two special attribute handling features are available to use with the authentication modules:

Assigning IP Addresses Based on Access Point Name (APN)

This feature enables Steel-Belted Radius Carrier to assign IP addresses to mobile devices based on the access point name (APN).

Overview

APN-based IP address assignment enables Steel-Belted Radius Carrier to perform the task of address assignment, rather than requiring the access point to assign addresses.

This feature works by configuring IP address pools, each of which consists of a set of IP addresses that can be assigned to a mobile device. You then configure an access point name (APN) to be associated with a particular pool. When an Access-Request is received, Steel-Belted Radius Carrier selects an IP address from the pool that is assigned to the APN handling the request.

Figure 222 shows the configuration of IP address assignment based on APN.

Figure 222: IP Address Assignment Based on Access Point Name


Note: APN-based IP address assignment takes precedence over all other methods of IP address assignment except when an IP address (or pool name) is added to an Access-Accept as the value of the Framed-IP-Address attribute.

For information about how to add any attribute from a subscriber database (such as a SQL database), see Adding Attributes to an Access-Accept. For example, you can retrieve the IP address from a SQL database and include it as the value of Framed-IP-Address in an Access-Accept.
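The precedence in the Note above can be checked with a small model. This is an added example, not Steel-Belted Radius Carrier code or configuration; the pool names, APN names, address ranges, and the `None` result for an exhausted pool are assumptions made for illustration.

```python
import ipaddress

class AddressPool:
    """A named set of addresses that can be leased to mobile devices."""
    def __init__(self, name, first, last):
        self.name = name
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.free = [ipaddress.IPv4Address(n) for n in range(lo, hi + 1)]

    def allocate(self):
        # None signals an exhausted pool (a choice of this model).
        return self.free.pop(0) if self.free else None

def sample_config():
    """Constructed pools and APN-to-pool mapping (all names are made up)."""
    pools = {
        "corp-pool": AddressPool("corp-pool", "10.10.0.1", "10.10.0.2"),
        "iot-pool": AddressPool("iot-pool", "10.20.0.1", "10.20.0.254"),
    }
    apn_to_pool = {"corp.example": "corp-pool", "iot.example": "iot-pool"}
    return pools, apn_to_pool

def resolve_framed_ip(value, pools):
    """Framed-IP-Address may hold a literal address or a pool name."""
    try:
        return ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError:
        pool = pools.get(value)
        return pool.allocate() if pool else None

def assign_address(apn, accept_attrs, pools, apn_to_pool):
    """Return (address, source) using the precedence stated in the Note."""
    explicit = accept_attrs.get("Framed-IP-Address")
    if explicit is not None:            # 1. value already in the Access-Accept
        return resolve_framed_ip(explicit, pools), "Framed-IP-Address"
    pool_name = apn_to_pool.get(apn)
    if pool_name in pools:              # 2. pool configured for this APN
        return pools[pool_name].allocate(), "APN pool"
    return None, "other method"         # 3. left to any other mechanism
```

A literal Framed-IP-Address bypasses the APN pool entirely, so the model does not consume a pool address for that session.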

Configuration Tasks for Assigning IP Address Based on Access Point Name

Assigning IP addresses based on access point name involves the following main tasks:

  • Configure simauth.aut. See the chapter on Configuring the Special Attribute Handling Features for Use With the SIM Authentication Module in the SBR Carrier Reference Guide.
  • Create an address pool. See Administering Address Pools.

Adding Attributes to an Access-Accept

This feature enables you to add attribute values retrieved from an external subscriber database to an Access-Accept message. For example, you might want to include the subscriber’s level of service in the Access-Accept as the value of the attribute Reply-Message. Another example might be retrieving the IP address to be assigned to a mobile node and returning it in the Access-Accept as the value of the attribute Framed-IP-Address.

Overview

An Access-Accept can include attribute values. Two authentication plug-ins are used to accomplish the tasks of authentication and adding attributes to an Access-Accept. The authentication plug-ins are:

  • SIMAuth (acting as an EAP helper)
    This authenticator provides EAP authentication.
  • Helped authenticator (for example: radsql.aut)
    This authenticator accesses the database, retrieves the specified attributes, and attaches them to the Access-Accept. In this situation, the helped authenticator does not perform any authentication tasks and its password-checking is suppressed. All authentication is performed by SIMAuth.aut, the EAP helper.

Data Flow

Authentication of the Access-Request and the addition of attributes to the Access-Accept are handled according to the following flow of data:

  1. The mobile device sends an Access-Request to Steel-Belted Radius Carrier.
  2. SIMAuth manages the EAP negotiation (challenge and response).
  3. If SIMAuth authenticates the request, it attaches the IMSI and MSISDN of the mobile device, and sends the request to radsql.aut.
  4. radsql.aut can use the IMSI or MSISDN as a key to query the database and request attribute values (as a separate step from the SIMAuth authentication).
  5. The helped authenticator (for example, the SQL plug-in radsql.aut) returns the Access-Accept with attribute values attached.

    Note: SIMAuth is known as a Steel-Belted Radius Carrier EAP helper because it performs the EAP authentication for the helped authentication method (in this case, the SQL plug-in: radsql.aut). Although radsql.aut is usually used for authentication, in this case, it accesses the subscriber database, retrieves attributes, and returns them with the Access-Accept.

    For complete information about EAP helpers, see Automatic EAP Helpers.
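The division of work in steps 1 through 5 can be modelled as follows. This is an added example, not the SIMAuth or radsql.aut implementation: the table layout, sample rows, and function names are constructed, the EAP exchange itself is not modelled, and returning no extra attributes for an unknown subscriber is a choice of this model. Because the helped authenticator performs no password check, the model refuses to run the lookup without an EAP-authenticated identity.

```python
import sqlite3

def open_subscriber_db():
    """Constructed in-memory stand-in for the external subscriber database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscribers (imsi TEXT PRIMARY KEY, "
               "service_level TEXT, framed_ip TEXT)")
    db.executemany("INSERT INTO subscribers VALUES (?, ?, ?)", [
        ("001010000000001", "gold", "192.0.2.10"),   # constructed rows
        ("001010000000002", "basic", None),
    ])
    return db

def eap_helper(request):
    """SIMAuth role. The EAP challenge/response is not modelled; its outcome
    arrives as constructed fields on the request."""
    if not request.get("eap_success"):
        return None
    # Step 3: attach the authenticated identities before handing off.
    return {"IMSI": request["imsi"], "MSISDN": request["msisdn"]}

def helped_authenticator(db, authed):
    """radsql.aut role: no password check, only attribute retrieval."""
    if not authed or "IMSI" not in authed:
        raise PermissionError("no EAP-authenticated identity on the request")
    # Step 4: IMSI is the key; bound as a parameter, never spliced into SQL.
    row = db.execute("SELECT service_level, framed_ip FROM subscribers "
                     "WHERE imsi = ?", (authed["IMSI"],)).fetchone()
    attrs = {}
    if row and row[0]:
        attrs["Reply-Message"] = row[0]
    if row and row[1]:
        attrs["Framed-IP-Address"] = row[1]
    return attrs

def handle_access_request(db, request):
    authed = eap_helper(request)                 # steps 1-3
    if authed is None:
        return "Access-Reject", {}
    return "Access-Accept", helped_authenticator(db, authed)   # steps 4-5
```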

Figure 223 shows an example data flow in which Steel-Belted Radius Carrier, SIMAuth, and radsql.aut work together to perform the following tasks:

  • Access authentication (performed by SIMAuth)
  • Addition of MSISDN and IMSI to the request (performed by SIMAuth)
  • Database access and attribute retrieval (performed by the SQL plug-in: radsql.aut)
  • Addition of retrieved attributes to the Access-Accept (performed by radsql.aut)

    Figure 223: Example Data Flow for Addition of Attribute to Access-Accept


Configuration Tasks for Adding Attributes to Access-Accept

To add attributes to the Access-Accept, you need to perform the following main tasks:

Files to Configure for Adding Attributes to Access-Accept

The following files require special configuration for the addition of attributes to the Access-Accept:

  • simauth.aut
  • radsql.aut, radsqljdbc.aut, or ldapauth.aut
  • eap.ini

Refer to the chapter on Configuring the Special Attribute Handling Features for Use With the SIM Authentication Module in the SBR Carrier Reference Guide.

Activating the Authentication Method

After you have configured the files described in the chapter on Configuring the Special Attribute Handling Features for Use With the SIM Authentication Module in the SBR Carrier Reference Guide, you need to activate the helped authentication method.

To activate the helped authentication using the Web GUI:

  1. Select RADIUS Configuration > Authentication Policies > Order of Methods. The Authentication Methods page (Figure 224) appears.
  2. Select the helped authentication method and click the Right arrow to place the authentication method in the Active Authentication Methods area.

    In this case, the helped authentication method is named SQLAUTH, as shown in the Inactive Authentication Methods area (Figure 224).

    Figure 224: Activate the Helped Authentication Method


    The name of the helped authentication method, or EAP helper, is user-defined. This name is specified in the section on Configuring Files for Adding Attributes to Access-Accept in the SBR Carrier Reference Guide.

  3. After the helped authentication method has been moved to the Active Authentication Methods area, select the method and click EAP Setup. The Setup EAP for SQLAUTH dialog box (Figure 225) appears.

    Figure 225: Setup EAP for SQLAUTH Dialog

  4. Ensure that both the Use EAP Authentication Only and Handle via Auto-EAP First check boxes are selected.
  5. Ensure that both SIM and AKA are listed under the Active EAP Methods area.

    Note: If you completed the steps correctly in the section Configuring Files for Adding Attributes to Access-Accept in the SBR Carrier Reference Guide, both Steps 4 and 5 are already completed.

  6. Click OK.
  7. Optionally, change the order of the authentication methods so the helped authentication method is first. Disable authentication methods that are no longer applicable. Refer to Order of Authentication Methods and Enabling EAP Methods.

Modified: 2017-03-07