
Configuring authGateway and GWrelay Applications for HLR Communication

The authGateway application manages all communication between SBR Carrier and the HLR. The authGateway application also implements the MAP (Mobile Application Part) protocol and the MAP messages that are sent through the Signalware protocol stack to the HLR and back. Multiple authGateway instances can be used to process multiple authentication and authorization requests simultaneously. The GWrelay application passes authentication requests between SBR Carrier and the authGateway instances in a round-robin method. The GWrelay application establishes an SCTP connection with each authGateway instance through unique source and destination ports.

Configuration of authGateway and GWrelay applications requires the activities described in the following sections of this chapter:

Configuring the authGateway Routing Location Information

This activity assigns the local routing options and the remote routing options using the MML commands listed in Table 40.

Table 40: MML Commands for Configuring authGateway Routing Location

MML Command | Description
CREATE-CPC | Identify the concerned point code (CPC), which is the destination point code and the local application (authGateway).
CREATE-REMSSN | Identify the point code of the HLR and the remote application.
CREATE-GT | Create a global title translation for the remote HLR (if Global Title routing is used).

For more information about the syntax and usage of the MML commands, see Signalware MML Commands.

Example 1—Global Title Routing Using Global Title Identification

In the following example, these actions take place:

Line 1 (CREATE-GT): Global Title type translation is used so that digits 22201 are sent to PC=61, SSN=6. RI=GT notifies PC=61, SSN=6 that it needs to find the next routing hop for the request.

CREATE-GT:TT=0,NP=ISDN-MOB,NA=INT,DIG="22201",PC=61,SSN=6,RI=GT;

Example 2—PCSSN Routing Using Point Code Identification

In the following example, these actions take place:

Line 1 (CREATE-CPC): authGateway is assigned a subsystem number (SSN) of 7 on the local host and the concerned point code on the HLR is identified as 61.

Line 2 (CREATE-REMSSN): The subsystem number (application) on the remote host is identified as 6.

Line 3 (CREATE-GT): Global Title type translation is used so that digits 22201 are sent to PC=61, SSN=6. RI=PCSSN indicates that digits 22201 are handled by PC=61, SSN=6.

CREATE-CPC:PC=61,SSN=7;
CREATE-REMSSN:PC=61,SSN=6;
CREATE-GT:TT=0,NP=ISDN-MOB,NA=INT,DIG="22201",PC=61,SSN=6,RI=PCSSN;

Note: MML commands are saved in MML files, which can be loaded into Signalware. See Loading the MML Configuration Settings.

Configuring the authGateway.conf File

The authGateway.conf file specifies the remote routing and authorization options for the authGateway application and contains the FetchMSISDNRoutingInfoLCS parameter.

  • Remote routing options control how the remote HLR is addressed based on the incoming IMSI.
  • Authorization options control whether or not a subscriber requesting an account is authorized for WLAN access, and which Steel-Belted Radius Carrier profile or native user is used.
  • The FetchMSISDNRoutingInfoLCS parameter specifies the type of message that is used to request MSISDN information from an HLR or HSS.

Remote Routing Options

Each line in the authGateway.conf file represents a target HLR, where each HLR has its own routing options and authorization options. Indicate each HLR listed in this file with the initial digits of the subscriber password, specified by the odigits option.

Table 41 lists the remote routing options for the authGateway.conf file.

Table 41: authGateway.conf Remote Routing Options

Option | Purpose
bs | Bearer Service. See Authorization Options.
msisdn | The msisdn option can be used in place of ndigits and odigits when no translation is required. See Example 2—authGateway.conf file.
ndigits | Replacement digits for numbering plan translation (hybrid IMSI).
odb | Operator-Determined Barring. See Authorization Options.
odigits | Initial digits of IMSI or password for this HLR. For each request, the first digits of the IMSI are compared with odigits. The first line of the configuration file that matches is selected for the current request. If the routing indicator (rri) is 0 (Global Title), the leading digits are replaced with the new digits (ndigits) to perform the numbering plan translation. Example of direct replacement: if the rule is “odigits 12345 ndigits 98765” and the IMSI is 123456789012345, the resulting digits are 987656789012345. Example of wildcard replacement: if the rule is “odigits 12345* ndigits 98765” and the IMSI is 123456789012345, the resulting digits are 98765.
rgti | (Global Title only) GTI value. 4 for C7; 2 for A7. (Usually 4.)
rnai | (Global Title only) Nature of Address Indicator.
rnp | (Global Title only) Numbering Plan. Acceptable values are: 1 = ISDN/Telephony; 3 = DATA; 4 = TELEX; 5 = Maritime Mobile; 6 = Land/Mobile; 7 = ISDN/Mobile; 10 = British Telecom special 1; 11 = British Telecom special 2; 14 = Private Network.
rpc | Remote Point Code. Point Code of HLR or MSC.
rri | Routing indicator: 0 for GT (Global Title), 1 for PC/SSN (Point Code/Subsystem Number).
rssn | Subsystem Number of HLR.
rtt | (Global Title only) Translation Type (usually 0).
ts | Teleservice. See Authorization Options.

Authorization Options

The HLR database includes authorization information that is assigned to each subscriber. Three authorization designations are relevant to Steel-Belted Radius Carrier with the SIM authentication module:

  • BS (Bearer Service)
  • TS (Teleservice)
  • ODB (Operator-Determined Barring)

You can specify subscriber HLR authorization (and barred service) designations in the MAP Gateway authGateway.conf file.

Note: You can disable authorization completely from EAP-SIM (not fetch subscriber profile information from the HLR and not perform a SQL/LDAP query). For instructions about disabling authorization, see “Disabling Authorization from EAP-SIM” in the section on Configuring the gsmmap.gen File for the SIM Authentication Module, in the SBR Carrier Reference Guide.

Each line in the authGateway.conf file corresponds to an HLR in your network. Each line also specifies all potential authorization (and barred service) settings for any subscribers on this HLR.

Steel-Belted Radius Carrier with the SIM authentication module uses the service authorization information that you list for each HLR in authGateway.conf:

  • When a TS or BS designation is assigned to a subscriber entry in the HLR database, Steel-Belted Radius Carrier with the SIM authentication module allows the subscriber the designated class of WLAN service upon authorization request.
  • When an ODB designation is assigned to a subscriber, Steel-Belted Radius Carrier with the SIM authentication module denies the subscriber WLAN service upon authorization request.
  • When you do not specify service designations for a HLR listed in authGateway.conf, then all subscribers on that HLR are authorized for WLAN service.
  • You can specify up to six authorization strings of each type (TS, BS, or ODB) on any given line of authGateway.conf.

You can specify the service designations in authGateway.conf:

bs n1:auth1
ts n2:auth2
odb n3:auth3

Here, ni (i=1,2,3) is a decimal integer that specifies the setting, and authi (i=1,2,3) is the string returned from the MAP Gateway to Steel-Belted Radius Carrier with the SIM authentication module.

For example, you might specify the potential subscriber designations on one HLR with the following text in authGateway.conf:

bs 26:B1A ts 33:TS21 odb 128:bar

Note: If you require any HLR authorization strings to define different classes of service for your subscribers, you must also specify those TS, BS, and ODB authorization strings in certain files associated with the SIM authentication module. For information about how to match these strings to Steel-Belted Radius Carrier variables, see the “simauth.aut [ProfileMap] Section” of Configuring EAP-SIM and EAP-AKA for the SIM Authentication Module in the SBR Carrier Reference Guide.

FetchMSISDNRoutingInfoLCS Parameter

The FetchMSISDNRoutingInfoLCS parameter defined in the authGateway.conf file specifies the type of message that is used to fetch MSISDN information from an HLR or HSS.

MSISDN information is usually fetched from an HLR through the D interface using the RestoreData message. Setting the FetchMSISDNRoutingInfoLCS parameter to 0 configures the authGateway process to interact with the HLR through the RestoreData message. The default SSN configured when the authGateway process starts is used as the originating SSN in the RestoreData message.

MSISDN information is usually fetched from an HLR or HSS through the SLh or Lh interface using the SendRoutingInfoForLCS message. Setting the FetchMSISDNRoutingInfoLCS parameter to 1 configures the authGateway process to interact with the HLR or HSS through the SendRoutingInfoForLCS message. Because SBR Carrier acts as a GMLC in this case, the GMLC SSN (i.e. 145) is used as the originating SSN.

By default, this parameter is set to 0.

Example 1—authGateway.conf file

(Lines are wrapped.)

odigits 2310 ndigits 2324 rnai 4 rnp 7 rgti 4 rtt 0 rri 0 rpc 3003 rssn 251 bs 12:gold bs 23:silver ts 91:bronze ts 92:red ts 93:green odb 1:black aqua

odigits 31026 ndigits 32476 rnai 4 rnp 7 rgti 4 rtt 0 rri 1 rpc 3003 rssn 253 bs 23:morning bs 24:afternoon ts 1:night

Example 2—authGateway.conf file

In this global title example, odigits and ndigits are the same and do not require translation. You can use the msisdn option in place of ndigits and odigits when no translation is required.

(Lines are wrapped.)

msisdn 31026 rnai 4 rnp 7 rgti 4 rtt 0 rri 0 rpc 3003 rssn 251 bs 12:gold bs 23:silver ts 91:bronze ts 92:red ts 93:green odb 1:black aqua
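
The odigits first-match and translation rules from Table 41, worked through as an added example (not code from SBR Carrier or its vendor). It assumes whitespace-separated option/value pairs and that PC/SSN lines (rri 1) need no digit translation; the names parse_line, select_route and shadowed are hypothetical, and shadowed goes beyond the page by flagging lines that an earlier, shorter odigits prefix makes unreachable.

```python
import re

MAX_AUTH = 6                      # page: up to six strings of each type per line
AUTH_KEYS = ("bs", "ts", "odb")

def parse_line(line):
    """Parse one authGateway.conf line; bs/ts/odb may repeat as code:string."""
    tokens = line.split()
    if len(tokens) % 2:
        raise ValueError("option without a value: %r" % line)
    entry = {k: {} for k in AUTH_KEYS}
    for key, value in zip(tokens[0::2], tokens[1::2]):
        if key in AUTH_KEYS:
            code, sep, name = value.partition(":")
            if not (sep and code.isdigit() and name):
                raise ValueError("bad %s value %r" % (key, value))
            entry[key][int(code)] = name
            if len(entry[key]) > MAX_AUTH:
                raise ValueError("more than %d %s strings" % (MAX_AUTH, key))
        elif key == "msisdn":     # stands in for odigits and ndigits (no translation)
            entry["odigits"] = entry["ndigits"] = value
        else:
            entry[key] = value
    if not re.fullmatch(r"\d+\*?", entry.get("odigits", "")):
        raise ValueError("missing or malformed odigits: %r" % line)
    return entry

def select_route(entries, imsi):
    """Return (entry, gt_digits) for the first line whose odigits prefix the IMSI."""
    for entry in entries:
        prefix = entry["odigits"].rstrip("*")
        if not imsi.startswith(prefix):
            continue
        if entry.get("rri") != "0":          # PC/SSN routing: no translation (assumption)
            return entry, None
        if entry["odigits"].endswith("*"):   # wildcard: ndigits replace all digits
            return entry, entry["ndigits"]
        return entry, entry["ndigits"] + imsi[len(prefix):]
    return None, None

def shadowed(entries):
    """Indexes of lines that can never win: an earlier odigits is a prefix of theirs."""
    prefixes = [e["odigits"].rstrip("*") for e in entries]
    return [i for i, p in enumerate(prefixes)
            if any(p.startswith(q) for q in prefixes[:i])]

# Constructed sample, built from the option names and example values on this page.
SAMPLE_CONF = """\
odigits 12345* ndigits 98765 rri 0 rpc 3003 rssn 251 odb 128:bar
odigits 2310 ndigits 2324 rnai 4 rnp 7 rgti 4 rtt 0 rri 0 rpc 3003 rssn 251 bs 12:gold
odigits 31026 ndigits 32476 rnai 4 rnp 7 rgti 4 rtt 0 rri 1 rpc 3003 rssn 253 ts 1:night
msisdn 231 rri 0 rpc 3003 rssn 251
"""
ENTRIES = [parse_line(l) for l in SAMPLE_CONF.splitlines() if l.strip()]
```

Because the first matching line wins, a short prefix placed above a longer one silently captures that HLR's subscribers; running shadowed over the parsed file before loading it catches that ordering mistake.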

Configuring the authGateway Startup Information

The CREATE-PROCESS and START-PROCESS MML commands start the authGateway (by calling authGateway.conf), using options that you specify.

Table 42 describes the MML commands needed to configure and start authGateway.

Table 42: MML Commands for Configuring the Start of authGateway

MML Command | Description
CREATE-PROCESS | Identify the authGateway configuration file and the authGateway options.
START-PROCESS | Start the process.

For more information about the syntax and usage of the MML commands, see Signalware MML Commands. See Loading the MML Configuration Settings for information about executing the MML commands.

Table 43 lists the options that you can use with the CREATE-PROCESS command.

Table 43: authGateway Process Options Used with CREATE-PROCESS

Option | Description
appctx | MAP protocol revision (2 or 3). Only MAPv3 retrieves quintets, so it must be used to support EAP-AKA.
conf | Path and name of the authGateway configuration file. The default file is $RADIUSDIR/conf/authGateway.conf.
debug | Sets a debug level. Use the following: -debug 0xff
host | Local hostname. Use the hostname associated with the IP address that the authGateway listens on, and ensure that the entry is coordinated with the radius/GWrelay.conf file. If a hostname is not specified, 0.0.0.0 is used.
invkretry | Number of invoke retries.
invktimeout | Duration of invoke timeout in seconds.
lgti | (Global Title only) Local GTI value, usually 4 for C7 and 2 for A7.
lmsisdn | (Global Title only) MSISDN of this local node.
lnai | (GT only) Nature of Address Indicator. Indicates the scope of the address value, such as whether it is an international number (includes country code) or a national number (no country code). Values: 1 = Subscriber Number, no area code (example: 5551234); 2 = unused; 3 = National Significant Number, no country code (example: 2015551234); 4 = International Number, includes country code (example: 12015551234).
lnp | (Global Title only) Local Numbering Plan. Acceptable values are: 1 = ISDN/Telephony; 3 = DATA; 4 = TELEX; 5 = Maritime Mobile; 6 = Land/Mobile; 7 = ISDN/Mobile; 10 = British Telecom special 1; 11 = British Telecom special 2; 14 = Private Network.
lpc | Local Point Code (PC).
lri | Routing indicator: 0 for GT (Global Title), 1 for PC/SSN.
lssn | Local Subsystem Number (SSN) (required).
ltt | (Global Title only) Local Translation Type. Generally in a live network TT is always 0.
max_requests | The maximum number of simultaneous MAP dialogs.
monitor | Activates Message Activity Monitor.
name | Name of the process.
no rst | Disables automatic restart of process.
node | Node name.
port | Port number used by the SCTP association with the client.
prot | Variant used (C7, A7, or CH7).
rssn | Subsystem number of HLR.
trace | We recommend setting this to 0xff; this enables debug tracing and displays the trace information on the console. (Consists of a trace of all MAP messages that are formatted and sent down the stack.) Use the tracefile option to capture the trace information to a file.
tracefile | Captures the trace information to a file. The filename follows the -tracefile switch. Include the directory in the filename.

Example—Creating and Starting the authGateway Process

Notice that the SSN=7 in the CREATE-CPC of the previous example (Example 2 in Configuring the authGateway Routing Location Information) becomes the lssn (local subsystem number) in the CREATE-PROCESS command of this example. The SSN=6 in the CREATE-REMSSN command of the previous example (Example 2 in Configuring the authGateway Routing Location Information) becomes the -rssn (remote subsystem number) in this example. We recommend that you specify an absolute (full) path in the EXEC command.

The following configuration example explains how to create and start three authGateway instances:

(Lines are wrapped.)

CREATE-PROCESS:NAME="GMT", CE="sbr-blr-vm5", 
EXEC="/opt/JNPRsbr/radius/authGateway -debug 0xff -trace -name GMT -port 2003 -host sbr-blr-vm5 
-node SBRLX -prot C7 -conf /opt/JNPRsbr/radius/conf/authGateway.conf -lri 1 
-lpc 12501 -lssn 7 -rssn 6 -appctx 3";
debug 0xff -trace -tracefile /opt/signalw/radius/authGateway.out

START-PROCESS:NAME="GMT",CE="sbr-blr-vm5";

CREATE-PROCESS:NAME="GMT1", CE="sbr-blr-vm5", 
EXEC="/opt/JNPRsbr/radius/authGateway -debug 0xff -trace -name GMT1 -port 2005 -host sbr-blr-vm5 
-node SBRLX -prot C7 -conf /opt/JNPRsbr/radius/conf/authGateway.conf -lri 1 
-lpc 12501 -lssn 7 -rssn 6 -appctx 3";
debug 0xff -trace -tracefile /opt/signalw/radius/authGateway1.out

START-PROCESS:NAME="GMT1",CE="sbr-blr-vm5";

CREATE-PROCESS:NAME="GMT2", CE="sbr-blr-vm5", 
EXEC="/opt/JNPRsbr/radius/authGateway -debug 0xff -trace -name GMT2 -port 2007 -host sbr-blr-vm5 
-node SBRLX -prot C7 -conf /opt/JNPRsbr/radius/conf/authGateway.conf -lri 1 
-lpc 12501 -lssn 7 -rssn 6 -appctx 3";
debug 0xff -trace -tracefile /opt/signalw/radius/authGateway2.out

START-PROCESS:NAME="GMT2",CE="sbr-blr-vm5";

Note: MML commands are saved in MML files that can be loaded into Signalware. See Loading the MML Configuration Settings.

Configuring the GWrelay.conf File

The GWrelay application is used to pass authentication requests between SBR Carrier and the authGateway instances in a round-robin method. The GWrelay.conf file is used to define the source and destination ports through which an SCTP connection is established between the GWrelay application and authGateway instances.

You can modify the LOCAL_HOST, REMOTE_HOST, and RELAY_SERVER lines in the GWrelay.conf file to define DNS names and port numbers. When you specify a DNS name for a local or remote host, you can enter the host’s IP address in brackets as a backup. We recommend that you make hostname and IP address entries in the /etc/hosts file because it is more reliable than DNS.

Example—Configuring the GWrelay.conf File

The following example explains how to define source and destination ports for three authGateway instances:

LOCAL_HOST sbr-blr-vm5:2002
REMOTE_HOST sbr-blr-vm5:2003 [10.20.0.2]

LOCAL_HOST sbr-blr-vm5:2004
REMOTE_HOST sbr-blr-vm5:2005 [10.20.0.2]

LOCAL_HOST sbr-blr-vm5:2006
REMOTE_HOST sbr-blr-vm5:2007 [10.20.0.2]

RELAY_SERVER sbr-blr-vm5:2000

Note: The specified host-name and port parameters in the REMOTE_HOST line must match the -host and -port options in the MML CREATE-PROCESS statement, respectively.
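
One way to check the rule in the note above before loading either file, as an added example (not part of SBR Carrier or Signalware). It assumes the MML text and GWrelay.conf are available as strings in the layout shown on this page; the function names are hypothetical, and the samples are constructed from this page's host, process names and ports.

```python
import re

def mml_endpoints(mml_text):
    """Map process NAME -> (host, port) taken from -host/-port in each EXEC string."""
    found = {}
    pattern = r'CREATE-PROCESS:NAME="([^"]+)"[^;]*?EXEC="([^"]*)"'
    for name, exe in re.findall(pattern, mml_text):
        opts = dict(re.findall(r"(?<!\S)-(host|port)\s+(\S+)", exe))
        # Page: if no hostname is specified, 0.0.0.0 is used.
        found[name] = (opts.get("host", "0.0.0.0"), opts.get("port"))
    return found

def relay_remotes(conf_text):
    """(host, port) of every REMOTE_HOST line in GWrelay.conf."""
    return re.findall(r"^\s*REMOTE_HOST\s+([^\s:]+):(\d+)", conf_text, re.M)

def check(mml_text, conf_text):
    """Return mismatch descriptions; an empty list means the files agree."""
    procs, remotes = mml_endpoints(mml_text), relay_remotes(conf_text)
    problems = []
    for name, ep in sorted(procs.items()):
        if ep not in remotes:
            problems.append("%s: no REMOTE_HOST for %s:%s" % (name, ep[0], ep[1]))
    for ep in remotes:
        if ep not in procs.values():
            problems.append("REMOTE_HOST %s:%s: no CREATE-PROCESS uses it" % ep)
    eps = list(procs.values())
    for ep in dict.fromkeys(e for e in eps if eps.count(e) > 1):
        problems.append("%s:%s is assigned to more than one instance" % ep)
    return problems

# Constructed samples using the host, names and ports of this page's examples;
# BAD_MML moves GMT2 to port 2008 to show a mismatch.
GWRELAY_CONF = """\
LOCAL_HOST sbr-blr-vm5:2002
REMOTE_HOST sbr-blr-vm5:2003 [10.20.0.2]
LOCAL_HOST sbr-blr-vm5:2004
REMOTE_HOST sbr-blr-vm5:2005 [10.20.0.2]
LOCAL_HOST sbr-blr-vm5:2006
REMOTE_HOST sbr-blr-vm5:2007 [10.20.0.2]
RELAY_SERVER sbr-blr-vm5:2000
"""
TEMPLATE = ('CREATE-PROCESS:NAME="%s", CE="sbr-blr-vm5",\n'
            'EXEC="/opt/JNPRsbr/radius/authGateway -name %s -port %s\n'
            '-host sbr-blr-vm5 -lri 1 -lpc 12501 -lssn 7 -rssn 6 -appctx 3";\n')
def make_mml(ports):
    names = ("GMT", "GMT1", "GMT2")
    return "".join(TEMPLATE % (n, n, p) for n, p in zip(names, ports))
GOOD_MML = make_mml(("2003", "2005", "2007"))
BAD_MML = make_mml(("2003", "2005", "2008"))
```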

Starting the GWrelay Process

You can use the sbrd script to start and stop the GWrelay process. All sbrd commands can be executed only by the root user. To start the GWrelay process, execute ./sbrd start GWrelay. To stop the GWrelay process, execute ./sbrd stop GWrelay. To restart the GWrelay process, execute ./sbrd restart GWrelay.

Note: If you have set the GWRELAYENABLE parameter in the sbrd.conf file to 1 or answered Yes to the question Do you want to enable "GWrelay" Process? [n]: while running the SBR Carrier configuration script, then the GWrelay process will be started, stopped, or restarted when you execute the ./sbrd start, ./sbrd stop, or ./sbrd restart script respectively.

Configuring the ulcmmg.conf File

The ulcmmg.conf file establishes the connection between the GWrelay application and SBR Carrier.

The ulcmmg.conf file consists of two lines, as shown in the following example. Modify the ulcmmg.conf file shipped with SBR Carrier so that the hostnames of LOCAL_HOST and REMOTE_HOST are the same. If you specify a DNS name for a local or remote host, you can enter the host’s IP address in brackets as a backup. Making an entry in the /etc/hosts file is recommended because it is more reliable than DNS.

Example

LOCAL_HOST myhost.com:2001
REMOTE_HOST myhost.com:2000 [172.25.97.230]

Note: If an IP address is specified, it must be the address of the server specified as the hostname in the -host option of the CREATE-PROCESS command.

For additional examples, see Sample authGateway Command and File.

Modified: 2017-03-07