Navigation
Back up to About Overview
[+] Expand All
[-] Collapse All
- Steel-Belted Radius Carrier 8.3.0 Administration
and Configuration Guide
- Copyright and Trademark Information
- Table of Contents
- List of Figures
- List of Tables
- About This Guide
- Product Overview
- Steel-Belted Radius Carrier Overview
- Introduction to Steel-Belted Radius Carrier
- SBR Carrier Core Features
- Management Interfaces
- Optional SIM Authentication Module
- Optional WiMAX Mobility Module Features
- Optional Session Control Module
- Optional Scripting Module
- Optional Session State Register (High Availability) Module
- Optional Concurrency Module
- Optional 3GPP AAA Module
- Licensing
- Steel-Belted Radius Carrier Overview
- Web GUI Overview
- Using Web GUI
- Running the Web GUI
- Navigating in the Web GUI
- Adding License Keys
- Displaying Version Information
- Closing the Web GUI
- Using Web GUI
- RADIUS Operations
- RADIUS Basics
- RADIUS Overview
- RADIUS Packets
- RADIUS Ports
- RADIUS Configuration
- Multiple RADIUS Servers
- Shared Secrets
- Accounting
- Attributes
- Dictionaries
- Structured Attributes
- User Attribute Lists
- Attribute Values
- Default Values
- Wildcard Support
- Attribute Filtering
- Adding NAS Location Attributes to Access-Requests
- Specifying IPv4 Address Classes
- Centralized Configuration Management
- Proxy RADIUS
- Authentication
- Authentication Methods
- Configuring the Authentication Sequence
- Configuring Authentication Methods
- Advanced Options
- Two-Factor Authentication
- Password Protocols
- Accounting
- Request Routing
- Match Rules
- User-Names with a Single Delimiter
- User-Names with Multiple Suffix Delimiters
- User-Names with Multiple Prefix Delimiters
- Undecorated User-Names
- Request Routing by DNIS
- Request Routing by Any Attribute
- Local Services
- Control over Routing Methods
- Radius Client Groups
- IP Address Assignment
- Resource Management
- Network Address Assignment
- Concurrent Network Connections
- Attribute Value Pooling
- Phantom Records
- IPv6 Support
- RADIUS Overview
- Administering RADIUS Clients and Client Groups
- Administering RADIUS Location Groups
- Administering Users
- Users Overview
- User Files
- Setting Up Native Users
- Setting Up UNIX Users or Groups
- Administering Profiles
- Administering Proxy RADIUS
- Proxy RADIUS Overview
- Adding a Proxy Target
- Editing a Proxy Target
- Deleting a Proxy Target
- Steel-Belted Radius Carrier as a Target
- Administering RADIUS Tunnels
- About RADIUS Tunnels
- Tunnel Authentication Sequence
- Configuring Tunnel Support
- Concurrent Tunnel Connections
- Configuring RADIUS Tunnels
- Configuring Tunnel Name Parsing
- About RADIUS Tunnels
- Administering Address Pools
- Address Pools for Standalone Servers versus Servers in a SSR Cluster
- Address Pool Files
- Adding an IPv4 Address Pool
- Editing an IPv4 Address Pool
- Deleting an IPv4 Address Pool
- Specifying an IP Address Pool for User/Profile Records
- NAD-Specific IP Address Pools
- Service-Level IP Address Pools
- Specifying IP Address Assignment from a DHCP Server
- Setting Up Administrator Accounts
- Configuring Realm Support
- Setting Up Filters
- Setting Up Authentication Policies
- Authentication Policy Overview
- Order of Authentication Methods
- Adding EAP Methods to an Authentication Policy
- Certificates
- Certificate Chains
- Certificate Revocation Lists
- Configuring Server Certificates
- Trusted Root Certificates
- Configuring a CRL Distribution Point Web Proxy
- Configuring Authentication Rejection Messages
- Configuring the Server
- Setting Up EAP Methods
- About the Extensible Authentication Protocol
- EAP-TLS Authentication Protocol
- Configuring EAP-TLS as an EAP Authentication Method
- Configuring EAP-TLS as an Automatic EAP Helper
- EAP-TTLS Authentication Protocol
- Configuring EAP-TTLS as an EAP Authentication Method
- EAP-PEAP Authentication Protocol
- Configuring EAP-PEAP as an EAP Authentication Method
- EAP-MD5-Challenge Authentication Protocol
- EAP-MS-CHAP-V2 Authentication Protocol
- EAP-SIM and EAP-AKA Authentication Protocols
- Configuring Replication
- Overview of Replication
- Replication Requirements
- Adding a Replica Server
- Enabling a Replica Server
- Editing a Replica Server
- Deleting a Replica Server
- Publishing Server Configuration Information
- Notifying Replica RADIUS Servers
- Designating a New Primary Server
- Making a Standalone Server the Primary Server
- Making a Standalone Server a Replica Server
- Verifying the Primary and Replica Servers Are Enabled
- Demote a Primary or Replica Server to a Standalone Server
- Recovering a Replica After a Failed Configuration Package Download
- Changing the Name or IP Address of a Server
- Replication Error Messages
- 3GPP Support
- RADIUS Basics
- Diameter Operations
- Diameter Basics
- Diameter Overview
- Communication between SBR Carrier Server and the Elements in LTE Network
- Diameter Authentication Process
- Diameter Authorization Process
- RADIUS to Diameter Translation
- Administering the Local Network Element
- Local Network Element Overview
- Configuring SBR Carrier Server Identification
- Configuring the Diameter Message Transport
- Administering Diameter Remote Network Elements
- Remote Network Element Overview
- Creating and Configuring a New Diameter Remote Network Element
- Adding Diameter Connections to the Diameter Remote Network Element
- Assigning Functions to the Diameter Remote Network Element
- Configuring Implicit Routing Rules
- Editing a Diameter Remote Network Element
- Deleting a Diameter Remote Network Element
- Administering the Diameter Policy
- Policy Overview
- Configuring a Local Profile
- Creating a Local Profile
- Configuring Authorization Attributes
- Configuring a Non-3GPP Interworking Policy for SWa Reference Point
- Configuring a Non-3GPP Interworking Policy for SWm Reference Point
- Configuring a Non-3GPP Interworking Policy for S6b Reference Point
- Editing a Local Profile
- Deleting a Local Profile
- Creating a Local Profile
- Configuring Local Profile Selection
- Creating a New Profile Selection Rule Set
- Creating New Matching Rules
- Editing Profile Selection Rule Sets
- Deleting Profile Selection Rule Sets
- Creating a New Profile Selection Rule Set
- Administering Request Routing Rules
- Request Routing Rules Overview
- Configuring Request Routing Rules
- Defining Explicit Routing Rules
- Displaying Diameter Statistics
- Diameter Basics
- Back-End Authentication and Accounting Methods
- Configuring SQL Authentication
- Overview of SQL Authentication
- Configuring SQL Authentication
- Connecting to the SQL Database
- SQL Statement Construction
- Overlapped Execution of SQL Statements
- %result Parameter
- SQL Authentication and Password Format
- Working with Stored Procedures in Oracle
- Working with Stored Procedures in MS-SQL
- Example 1
- Example 2
- Tips on Using SQL Stored Procedures
- Calling Stored Procedures
- Using the Insert Function
- Configuring
SQL Accounting
- SQL Accounting Overview
- Configuring SQL Accounting
- Connecting to the SQL Database
- SQL Statement Construction
- SQL Accounting Return Values
- Accounting Stored Procedure Example
- Configuring LDAP Authentication
- LDAP Authentication Overview
- LDAP Variable Table
- Types of LDAP Authentication
- Configuring LDAP Authentication
- Supporting Secure Sockets Layer
- Files
- LDAP Database Schema
- LDAP Authentication and Password Format
- LDAP Authentication Sequence
- LDAP Authentication Examples
- LDAP Authentication Overview
- SS7 and SIGTRAN Gateway Support
- Proxy RADIUS Authentication and Accounting
- HSS-Subscriber Database
- Configuring SQL Authentication
- Management Interfaces
- Simple Network Management Protocol
- SNMP and Steel-Belted Radius Carrier Overview
- Configuring the SNMP Agent
- Running the SNMP Agent
- Logging Behavior of the SNMP Agent
- Verifying SNMP Agent Operation
- Resetting Rate Statistics
- Troubleshooting
- Using the LDAP Configuration Interface
- LDAP Configuration Interface File
- LDAP Configuration Interface Overview
- LDAP Utilities
- LDAP Requests
- Downloading the LDAP Utilities
- LDAP Version Compliance
- Configuring the LDAP TCP Port
- Configuring the LCI Password
- LDAP Virtual Schema
- LDAP Rules and Limitations
- Using the LCI to Define Structured Attributes in Check Lists and Return Lists
- LDAP Command Examples
- LDIF File Examples
- Statistics Variables
- Simple Network Management Protocol
- Optional Authentication Modules
- SIM Authentication Module
- SIM Authentication Module Component Overview
- Operation Overview
- SIM Authentication Module Configuration
- Special Attribute Handling Features
- Assigning IP Addresses Based on Access Point Name (APN)
- Adding Attributes to an Access-Accept
- Configuration Tasks for Adding Attributes to Access-Accept
- Kineto S1 Support
- Summary of Configuration Tasks for the SIM Authentication Module
- SIM Authentication Module Configuration with a SIGHUP (1) Signal
- Overview of the WiMAX Mobility Module
- Supported Features of the WiMAX Mobility Module
- WiMAX Network Reference Model
- AAA-Generated Cryptographic Keys
- Home Agent Root Key (HA-RK)
- DHCP Server Root Key (DHCP-RK)
- EAP Authentication Methods and EAP-Derived Cryptographic Keys
- WiMAX Vendor Specific Attribute (VSA) Format
- WiMAX Capabilities Negotiation
- WiMAX-Capability Attribute
- WiMAX-Capability Structured Attribute
- Enabling WiMAX Capabilities Negotiation
- WiMAX-Capability Attribute
- Home Agent and DHCP Server Assignment
- WiMAX Post-Paid (Offline) Accounting
- WiMAX Prepaid Accounting
- Prepaid Scenarios
- Single-Service Prepaid Solution
- Multi-Service Prepaid Solution
- Data Flow for Prepaid Accounting in SBR Carrier
- Data Flow for Single-Service Prepaid Accounting Model
- Data Flow for Multi-Service Prepaid Accounting Models
- Prepaid Scenarios
- Categorizing Access-Requests from Different Devices
- Configuring the WiMAX Mobility Module
- Before You Begin
- Configuring the radius.ini File for WiMAX
- Configuring the Home Agent and DHCP Server Assignment
- Define the List of Home Agents and DHCP Servers
- Configuring Return List Attributes to Assign the Home Agent
and DHCP Server
- Assignment When Acting as the HAAA Server
- Assignment When Acting as the VAAA Server
- Configuring Statically Weighted Round-Robin Groups to Assign the Home Agent and DHCP Server
- Configuring the Smart Dynamic Home Agent Assignment Feature
- Smart Dynamic Home Agent Assignment Configuration Overview
- Operation of the Smart Dynamic Home Agent Assignment Feature
- Access-Request Processing
- Configuring WiMAX Clients
- Configuring WiMAX Users and Profiles
- Configuring the WiMAX-Capabilities Negotiation
- Example Configuration for New Session Hotlining
- Configuring the WiMAX-Capabilities Negotiation
- Configuring the EAP Methods for WiMAX
- SIM Authentication Module
- Optional Session State Register (High Availability) Module
for a Clustered Environment
- Session State Register Overview
- SSR Cluster Overview
- Data Replication Between Two Different or Remote SSR Clusters
- SSR Cluster Concepts and Terminology
- Supported SBR Carrier SSR Cluster Configurations
- Failover Overview
- Failover Examples
- Failover Overview
- Session State Register Database Tables
- Session State Register Administration
- SSR Administration Overview
- Overview of Starting and Stopping a Session State Register Cluster
- Administration Scripts Overview
- SSR Database Management Scripts
- Steel-Belted Radius Carrier Node Administration Scripts
- Using IP Address and IP Address Pool Scripts
- Using Management Mode
- ClearCache.sh
- ShowCaches.sh
- AddPool.sh
- RenamePool.sh
- DelPool.sh
- ShowPools.sh
- AddRange.sh
- DelRange.sh
- ShowRanges.sh
- KillZombieAddrs.sh
- ShowAddrs.sh
- BackupIP.sh
- RestoreIP.sh
- Using IP Address and IP Address Pool Scripts
- SSR Session Management
- Administration Script Control Files
- Session State Register Overview
- Optional Concurrency Module
- Managing User Concurrency with Session State Register
- Overview
- How User Concurrency Works
- UserConcurrencyID Construction
- Retrospective Dynamicity
- Managing
Concurrency with Attributes in Session State Register
- Overview
- How Attribute-Based Concurrency Works
- Configuring Attribute-Based Concurrency
- Managing User Concurrency with Session State Register
- Managing and Controlling Sessions
- Introduction to Managing and Controlling Sessions in SBR Carrier
- Overview of Managing and Controlling Sessions in SBR Carrier
- Introduction
- Storing Sessions in the CST in a Standalone Server versus the
SSR Cluster
- Storing Sessions in the CST of a Standalone Server
- Storing Sessions in the CST of the SSR Cluster
- Session Management and Control Capabilities
- Available User Interfaces for Managing and Controlling Sessions
- Overview of Managing and Controlling Sessions in SBR Carrier
- Hosting CST As a Separate Executable Process
- Separate Session Database Process Overview
- Starting the RADIUS Process and Separate Session Database Process
- Stopping the RADIUS Process and Separate Session Database Process
- High Availability Functionality of the RADIUS and Separate Session Database Processes
- Overview of the Optional Session Control Module
- Change of Authorization/Disconnect Messages Overview
- How Steel-Belted Radius Carrier Processes CoA/DM Messages
- Current Sessions Table
- Formatting and Sending CoA/DM Requests with the Correct Attributes
- Controlled Devices and Actions
- Sequence and Flow of CoA/DM Requests Through Steel-Belted Radius Carrier
- Implementing CoA/DM Support
- Processing Dynamic Authorization (CoA/DM) Messages as a Proxy Server
- Processing Dynamic Authorization (CoA/DM) Messages as a Proxy Target
- Settings to Support the Proxy CoA/DM Functionality
- Using Web GUI to Manage and Control Sessions
- Current Sessions Overview
- Searching for Sessions Using Web GUI
- Setting Session Limits with Web GUI
- Executing CoA and Disconnect Requests Using Web GUI
- Using the Command Line Utility to Manage and Control Sessions
- Command Line Utility Overview
- Starting the Command Line Utility
- Using Command Line Arguments
- Access Control Arguments
- Action Arguments
- Setting Session Limits Using the Command Line Utility
- Examples of Issuing CoA/DM Requests Using the Command Line Utility
- Shortcut Arguments
- Finding All Sessions Using the Command Line Utility
- Command Line Utility Overview
- Configuring the deviceModels.xml File
- Summary of Allowed Elements in the deviceModels.xml File
- Element: action
- Element: actions
- Element: attributes
- Element: controlledDeviceModel
- Element: controlledDeviceModels
- Element: defaultAttribute
- Element: localSessionQuery
- Element: onFailure
- Element: onSuccess
- Element: onTimeout
- Element: overrideAttribute
- Element: radiusPort
- Element: radiusPorts
- Element: radiusRequest
- Element: requiredAttribute
- Element: sessionStop
- XML over HTTPS Interface
- XML over HTTPS Interface Overview
- XML Statement Construction
- Client Request Schema Example
- Client Request Elements
- Element: attribute
- Element: attributes
- Element: body
- Element: envelope
- Element: header
- Element: request
- Client Request Examples
- Client Response Schema Example
- Client Response Elements
- Element: attribute
- Element: attributes
- Element: body
- Element: clientRequest
- Element: clientResponse
- Element: clientResult
- Element: clientResults
- Element: defaultAttribute
- Element: deviceRequest
- Element: deviceRequestSpec
- Element: deviceResponse
- Element: deviceResult
- Element: deviceResults
- Element: envelope
- Element: header
- Element: optionalAttribute
- Element: overrideAttribute
- Element: requiredAttribute
- Element: sessionData
- Element: sessionRequest
- Element: sessionResponse
- Element: sessionResult
- Element: sessionResults
- Client Response Examples
- Example: Client Response to Query for Username ‘bob’
- Example: Client Response to Query for Any Username Using Wildcard
- Example: Client Response to Request for Action Called “foo” on Username TestUser9
- Example: Client Response to Request for Action Called “foo” on Username TestUser99
- Example: Client Response to RADIUS Disconnect
- Example: Client Response to Action Intercept
- Example: Client Response to Action Intercept
- Example: Client Response to Action Intercept
- Example CoA/DM Configuration
- Requirements of the CoA/DM Requests
- Requirements for Supporting the Attributes in CoA/DM Requests
- Configuring the Attribute Handling Parameters
- Example Result
- Configuring Lawful-Intercept between SBR Carrier and ERX Device
- Introduction to Managing and Controlling Sessions in SBR Carrier
- Statistics and Reporting
- Displaying Statistics
- Logging and Reporting
- Logging Files
- Displaying Authentication Log Files
- Using the Locked Accounts List
- Configuring the Log Retention Period
- Using the Server Log File
- Using the Authentication Log File
- Using the Accounting Log File
- Optional Scripting Module
- Introduction to Scripting
- Creating
Scripts
- Script Development Steps
- JavaScript Initialization Files
- Writing Steel-Belted Radius Carrier Scripts in JavaScript
- Saving the Script File
- Sample Script
- Debugging Scripts
- Creating LDAP Scripts
- LDAP Basics
- LDAP Request Life Cycle
- Unscripted LDAP Searches
- LDAP Script Basics
- Choosing the Return Code
- LDAP Script Return Codes
- LDAP Script Examples
- Creating Realm Selection Scripts
- Realm Selection Script Functions
- Enabling Built-In Realm Selection Methods
- Choosing the Return Code
- Configuring Realm Selection Scripts
- Core Realm Selection Scripts
- Tunneled Authentication Plug-in Realm Selection Scripts
- Realm Selection Script Examples
- Creating Attribute Filter Scripts
- Using Attribute Filter Scripts
- Attribute Filter Script Functions
- Choosing the Return Code
- Configuring Attribute Filter Scripts
- Attribute Filter Script Examples
- Working with Data Accessors
- Data Accessor Overview
- Variable Containers
- Internal Variable Table (LDAP Only)
- Data Accessor Configuration
- SQL Data Accessor Configuration
- LDAP Data Accessor Configuration
- Data Conversion Rules
- Data Accessor Configuration File Examples
- Script Reference
- JavaScript Types
- API Method Support by Script Type
- Local and Global Variable Declarations
- Global Object
- Logging and Diagnostic Methods
- SbrWriteToLog()
- SbrWriteToLogEx()
- SbrTrace()
- Logging and Diagnostic Methods
- Ldap Object
- Ldap Methods
- Ldap.Search()
- Ldap Methods
- LdapVariables Object
- LdapVariables Methods
- LdapVariables.Get()
- LdapVariables.Add()
- LdapVariables.Reset()
- LdapVariables Methods
- RealmSelector Object
- Constructor
- new RealmSelector()
- new CSTAccessor()
- new SessionControl()
- RealmSelector Methods
- Execute()
- SetAuthUserName()
- SetAuthProfile()
- SetLocationGroupProfile()
- CSTAccessor Methods
- Get()
- SetAuthUserName()
- SetAuthProfile()
- SetLocationGroupProfile()
- Constructor
- SessionControl Object
- AttributeFilter Object
- Constructor
- new AttributeFilter()
- AttributeFilter Methods
- AttributeFilter API
- Constructor
- DataAccessor Object
- Properties
- Constructor
- new DataAccessor()
- Methods
- SetInputVariable()
- GetOutputVariable()
- Execute()
- Clear()
- Appendixes
- When and How to Stop and Restart Steel-Belted Radius Carrier
- Authentication Protocols
- Importing and Exporting Data
- Technical Bulletins
- Service Type Mapping
- Configuration
- servtype.ini File
- Ascend Filter Translation
- Changing IP Addresses in an SSR Cluster Without Redefining the Cluster
- Service Type Mapping
- SIR.sh Script
- Thread and Flood Control Mechanism
- Glossary
This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply.
Processing Dynamic Authorization (CoA/DM) Messages as a Proxy Target
SBRC keeps track of the device (either a proxy server or a NAS client) that sent the packet. This ensures that CoA/DM requests are sent to the originating NAS client using the same path (in reverse direction) that the authorization and accounting requests traversed. When a CoA/DM request is generated, the message is sent to the device.
To help the proxy target determine which device model is used for a given session, a new attribute, Funk-Device-Model, is added to forward authentication and accounting requests. The Funk-Device-Model attribute is a string attribute and contains the make or model name of the NAS client associated with a request. The Funk-Device-Model is useful only when the proxy target is also a SBRC server (SBRC 7.5.0 or greater). If a Funk-Device-Model attribute is received as part of an authorization or accounting request, the attribute details are saved in the Sbr_NasDeviceModel field of the CST and passed along without any modification to the proxy target. By default, the Sbr_NasDeviceModel field is disabled, and to enable it you need to add it in the CST. This feature enables SBRC servers acting as proxy targets to determine which attributes to use to send a CoA/DM request through a proxy without having to configure a RADIUS client for every possible NAS client on the network. However, there are configurations in which this information is not required to generate the correct list of attributes, so the Funk-Device-Model attribute is optional, and can be disabled through a configuration variable.
When a CoA/DM request is created, the attributes included in the message are determined by the device model of the originating upstream device (NAS client). The Funk-Device-Model attribute, if present in the proxy authentication and accounting requests, is used to determine the device model.
 | Note: The Funk-Device-Model attribute does not determine the port to send the request to. The port is determined in advance for each NAS client. |
If the Funk-Device-Model attribute is not implemented, then you need to create a device model that is a superset of all the possible devices on the network that receives CoA/DM requests. This generic superset device model needs to be configured for any client that receives CoA/DM requests.
