Steel-Belted Radius Carrier 8.3.0 Administration and Configuration Guide

Communication between SBR Carrier Server and the Elements in LTE Network
The network devices that are used to set up an LTE network are called network elements. Each network element performs a specific function. The network elements communicate with each other over reference points, which are also referred to as interfaces. Figure 124 illustrates the usage of SBR Carrier in an LTE network environment.
Figure 124: SBR Carrier in an LTE Network Environment

Communication with Non-3GPP Network
The SWa reference point connects the non-3GPP access network with the SBR Carrier server or proxy server (that is, 3GPP AAA server or proxy server) and transports access authentication, authorization and charging-related information in a secure manner. The SWa reference point determines whether the non-3GPP access network is trusted or not during the authentication and authorization procedures executed between the non-3GPP access network and the 3GPP AAA server.
Some specific characteristics of the SWa reference point are:
- It may not include the information about the user's service request and the access network in the authentication and authorization request.
- It does not download the information that describes the user's subscription profile to the non-3GPP access network.
Communication with HSS
SBR Carrier uses Diameter to communicate with an HSS through the SWx reference point to obtain authentication, subscription and PDN connection-related data. HSS contains subscriber information and authentication credentials such as user identity keys and subscription information (for example, International Mobile Subscriber Identity (IMSI), mobile station ISDN (MSISDN), and user profile information), including service subscription states and QoS parameters specific to the user.
The SWx reference point is used to perform non-3GPP access location management procedure for the following purposes:
- To register the current SBR Carrier server address in the HSS for a 3GPP user. SBR Carrier initiates the registration procedure after authenticating a new subscriber (either during attach or handover). As part of the response, HSS returns the subscriber's user profile data (QoS profile, user capabilities, and so on) to SBR Carrier.
- To de-register the currently registered SBR Carrier server address in the HSS for the 3GPP user and purge any related non-3GPP user status data in the HSS. SBR Carrier de-registers its address and purges user status data when the user is not within the non-3GPP access coverage area, another evolved packet core (EPC) network entity (for example, charging system) has initiated a disconnection, or a re-authentication failure occurs.
- To purge the user equipment from SBR Carrier. HSS initiates the purging process when the user's subscription has been cancelled or for other operator-determined reasons.
Communication with Proxy Servers
The SWd reference point connects the proxy servers, possibly through intermediate networks, to the SBR Carrier server. Some specific characteristics of this reference point are:
- Carries data for authentication and authorization signaling between the proxy server and the SBR Carrier server.
- Carries keying data for the purpose of radio interface integrity protection and encryption.
- Purges a user from the access network for immediate service termination.
Communication with ePDG
The SWm reference point connects the Evolved Packet Data Gateway (ePDG) with the SBR Carrier server or proxy server (that is, 3GPP AAA server or proxy server) and transports access authentication, authorization, and subscription profile data from the SBR Carrier server or proxy server to the ePDG. The subscription profile information is fetched from the HSS by the SBR Carrier server. The SWm reference point is also used to transport session termination indications and requests initiated from both the SBR Carrier server and ePDG. Figure 125 illustrates the EAP authentication message flow between the ePDG and HSS.
Figure 125: EAP Authentication - Message Flow

The SWm reference point supports both pseudonym authentication and fast re-authentication. SBR Carrier makes access restriction decisions based on the values in the following AVPs that are transmitted from the HSS as part of the Non-3GPP-User-Data AVP, which is a Grouped AVP:
- Non-3GPP-IP-Access
- Non-3GPP-IP-Access-APN
- Service-Selection
- Visited-Network-Identifier
- VPLMN-Dynamic-Address-Allowed
Note: SBR Carrier supports all the mandatory SWm AVPs specified in 3GPP TS 29.273.
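The following added example (not SBR Carrier code and not part of the original guide) shows how a consumer of the Non-3GPP-User-Data Grouped AVP can parse it with bounds checks and reach a fail-closed access decision. The AVP codes and Enumerated values are those of 3GPP TS 29.273 and RFC 5778; the flat AVP layout, the `access_decision` policy, and the sample APN are assumptions made for the illustration.

```python
import struct

VENDOR_3GPP = 10415
NON_3GPP_USER_DATA = 1500       # Grouped, 3GPP TS 29.273
NON_3GPP_IP_ACCESS = 1501       # Enumerated: 0 = allowed, 1 = barred
NON_3GPP_IP_ACCESS_APN = 1502   # Enumerated: 0 = APNs enabled, 1 = disabled
SERVICE_SELECTION = 493         # UTF8String (APN), RFC 5778, no Vendor-ID

def encode_avp(code, data, vendor=0):
    """Build one AVP: code, flags, 24-bit length, optional Vendor-ID, padded data."""
    flags = 0x40 | (0x80 if vendor else 0)      # M bit, plus V bit if vendor-specific
    header = 12 if vendor else 8
    out = struct.pack("!IB", code, flags) + (header + len(data)).to_bytes(3, "big")
    if vendor:
        out += struct.pack("!I", vendor)
    return out + data + b"\x00" * (-len(data) % 4)

def parse_avps(buf):
    """Return {(vendor, code): data}; raise ValueError on any malformed AVP."""
    avps, off = {}, 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        header = 12 if flags & 0x80 else 8
        if length < header or off + length > len(buf):
            raise ValueError("AVP length outside buffer")
        vendor = struct.unpack_from("!I", buf, off + 8)[0] if flags & 0x80 else 0
        if (vendor, code) in avps:
            raise ValueError("duplicate AVP")
        avps[(vendor, code)] = buf[off + header:off + length]
        off += (length + 3) & ~3                # AVPs are padded to 4 bytes
    return avps

def enum_value(avps, code):
    """Decode a 3GPP Enumerated AVP; None when absent or not exactly 4 bytes."""
    data = avps.get((VENDOR_3GPP, code))
    if data is None or len(data) != 4:
        return None
    return struct.unpack("!i", data)[0]

def access_decision(message_avps, requested_apn):
    """Assumed policy: anything missing, malformed or not explicitly allowed is rejected."""
    try:
        group = parse_avps(message_avps).get((VENDOR_3GPP, NON_3GPP_USER_DATA))
        if group is None:
            return "reject: no Non-3GPP-User-Data"
        inner = parse_avps(group)
    except ValueError as exc:
        return f"reject: malformed ({exc})"
    if enum_value(inner, NON_3GPP_IP_ACCESS) != 0:
        return "reject: non-3GPP access barred or not stated"
    if enum_value(inner, NON_3GPP_IP_ACCESS_APN) != 0:
        return "reject: non-3GPP APNs disabled or not stated"
    apn = inner.get((0, SERVICE_SELECTION))
    if apn is not None and apn.decode("utf-8", "replace") != requested_apn:
        return "reject: APN not in subscription"
    return "accept"

def sample(access, apn_flag, apn=b"internet.example"):
    """Constructed test input: a Non-3GPP-User-Data AVP as an HSS might return it."""
    inner = (encode_avp(NON_3GPP_IP_ACCESS, struct.pack("!i", access), VENDOR_3GPP)
             + encode_avp(NON_3GPP_IP_ACCESS_APN, struct.pack("!i", apn_flag), VENDOR_3GPP)
             + encode_avp(SERVICE_SELECTION, apn))
    return encode_avp(NON_3GPP_USER_DATA, inner, VENDOR_3GPP)

if __name__ == "__main__":
    print(access_decision(sample(0, 0), "internet.example"))
    print(access_decision(sample(1, 0), "internet.example"))
    print(access_decision(sample(0, 0)[:-6], "internet.example"))
```
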
Communication with PDG or PGW
The S6b reference point connects the packet data gateway (PDG) (that is, Packet Data Network Gateway (PGW)) with the SBR Carrier server or proxy server (that is, 3GPP AAA server or proxy server). The S6b reference point is used to authenticate and authorize the user equipment and update the PDG address to the SBR Carrier server or proxy server and HSS. The S6b reference point is also used to download subscriber information to the PDG. Figure 126 and Figure 127 respectively illustrate the EAP authentication message flow and authorization message flow between the PDG and HSS.
Figure 126: EAP Authentication Message Flow Between PDG and HSS

Figure 127: Authorization Message Flow Between PDG and HSS
