Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation  Back up to About Overview 
  
[+] Expand All
[-] Collapse All

Authentication Gateway

This section explains the configurations of ulcmmg.conf, GWrelay.conf, and authGateway.conf files.

Configuring the ulcmmg.conf File

The ulcmmg.conf file establishes the connection between the GWrelay application and SBR Carrier.

The ulcmmg.conf file contains lines of the following form (the angle brackets <> indicate required parameters and should not be included in the actual configuration):

LOCAL_HOST <host-name>: <port>
REMOTE_HOST <host-name>:<port><ip-address>
DEBUG
LOG_FILE <file-name>

The LOCAL_HOST line is required. The required host-name parameter specifies the name of the local host, for example, the machine on which the SBRC is executing. The required port parameter specifies the outbound socket port number (2001 by default) that is used by the SBRC to transmit messages to the GWrelay process.

The REMOTE_HOST line is required. The required host-name parameter specifies the name of the host on which the GWrelay process is executing. The required port parameter specifies the inbound socket port number (2000 by default) that is used by the GWrelay process to listen for messages from SBRC. The required ip-address parameter specifies the IP address corresponding to the host-name parameter.

The DEBUG line is optional. When present, it enables debug messages to be emitted on the Signalware console device. Enabling debug messages degrades the performance and should be avoided in production environments.

The LOG_FILE line is optional. When present it enables diagnostic messages, including debug messages if enabled, to be written to the log file that is specified by the required file-name parameter. The file-name parameter should specify an absolute path-name for the log file.

For more information, see the SBR Carrier Installation Guide.

Configuring the GWrelay.conf File

The GWrelay.conf file is used to define the source and destination ports through which an SCTP connection is established between the GWrelay application and authGateway instances.

The GWrelay.conf file contains lines of the following form (the angle brackets <> indicate required parameters and should not be included in the actual configuration):

LOCAL_HOST <host-name>: <portA>
REMOTE_HOST <host-name>:<porta><ip-address>

LOCAL_HOST <host-name>: <portB>
REMOTE_HOST <host-name>:<portb><ip-address>

...

LOCAL_HOST <host-name>: <portZ>
REMOTE_HOST <host-name>:<portz><ip-address>

RELAY_SERVER <host-name>: <port>
NumberofRetries <retry_value>
DelayBetweenRetries <delay_time>
LogLevel <level>
LogPath <file-path>
LogSize <file-size>

The LOCAL_HOST line is required. The required host-name parameter specifies the name of the local host on which the GWrelay process is executing. The required port parameter specifies the outbound socket port number that is used by the GWrelay application to listen for responses from the authGateway instances.

The REMOTE_HOST line is required. The required host-name parameter specifies the name of the host on which the authGateway process is executing. The host-name parameter value must match the value set in the -host option in the MML CREATE-PROCESS statement that is used to start the authGateway process. The host-name parameter value should also match the value in the LOCAL_HOST line, that is, the authGateway process is intended to execute on the same host as SBR Carrier. The required port parameter specifies the inbound socket port number that is used by the authGateway instances to listen for messages from the GWrelay application. The port parameter value must match the value set in the -port option in the MML CREATE-PROCESS statement. The required ip-address parameter specifies the IP address corresponding to the host-name parameter.

RELAY_SERVER line is required. The required host-name parameter specifies the name of the local host on which the GWrelay process is executing. The required port parameter specifies the inbound socket port number that is used by the GWrelay application to listen for messages from SBR Carrier.

The NumberofRetries is optional. The retry_value parameter specifies the number of retry attempts to be performed by the SCTP socket when attempting to connect to the authGateway instance. Default value is 3.

The DelayBetweenRetries line is optional. The delay_time parameter specifies the number of seconds the SCTP socket must wait between retry attempts. Default value is 2 seconds.

The LogLevel line is optional. The level parameter activates logging for the GWrelay process and sets the level of details of the message. If the level parameter is set to 0, the entries in the GWrelay log file contain default information. If this parameter is set to 1, the entries in the GWrelay log file contain debug information. Default value is 0.

The LogPath line is optional. The file-path parameter specifies the path of the GWrelay log file. You can specify any valid path that exists in the SBR machine. Default path is /opt/JNPRsbr/radius.

The LogSize line is optional. The file-size parameter specifies the rollover size limit (in bytes) for the GWrelay log file. After the file size exceeds this limit, the current log file is closed and a new one is created. Default value is 2,147,483,647 bytes.

For more information, see the SBR Carrier Installation Guide.

Starting and Stopping the GWrelay Process

You can use the sbrd script to start, stop, or restart the GWrelay process. All sbrd commands can be executed only by the root user. The syntax for the sbrd usage is:

sbrd <start|stop|restart> <GWrelay> [force]
sbrd <status> <GWrelay>

You can use the start, stop, and restart arguments with the GWrelay option to start, stop, and restart the GWrelay process. The status argument displays information about the status of the GWrelay process. The force argument makes sbrd attempt to disregard or overcome any errors that occur when processing the command. The sbrd script halts if any error occurs, when executed without the force argument. For example, the sbrd start command does not attempt to start the software that is already running, but the sbrd start force command ignores a running process. This may produce unintended results, so use the force argument with great care.

Note: The GWrelay application gets terminated automatically when all the configured authGateway instances are down. So, you must manually start the GWrelay application when the authGateway instances are restarted.

If you have set the GWRELAYENABLE parameter in the sbrd.conf file to 1 or answered Yes to the question Do you want to enable "GWrelay" Process? [n]: while running the SBR Carrier configuration script, then the GWrelay process will be started, stopped, or restarted when you execute the ./sbrd start, ./sbrd stop, or ./sbrd restart script respectively.

Configuring the authGateway.conf File

The authGateway.conf file specifies the remote routing and authorization options for the authGateway application and contains the FetchMSISDNRoutingInfoLCS parameter.

  • Remote routing options control how the remote HLR is addressed based on the incoming IMSI.
  • Authorization options control whether or not a subscriber requesting an account is authorized for WLAN access, and which Steel-Belted Radius Carrier profile or native user is used.
  • The FetchMSISDNRoutingInfoLCS parameter specifies the type of message that is used to request MSISDN information from an HLR or HSS.

Remote Routing Options

Each line in the authGateway.conf file represents a target HLR, where each HLR has its own routing options and authorization options. Indicate each HLR listed in this file with the initial digits of the subscriber password, specified by the odigits option.

Table 192 lists the remote routing options for the authGateway.conf file.

Table 192: authGateway.conf Remote Routing Options

Option

Purpose

bs

Bearer Service. See Authorization Options.

msisdn

The msisdn option can be used in place of ndigits and odigits when no translation is required. See Example 2—authGateway.conf file .

ndigits

Replacement digits for numbering plan translation (hybrid IMSI).

odb

Operator-Determined Barring. See Authorization Options.

odigits

Initial digits of IMSI or password for this HLR. For each request, the first digits of the IMSI are compared with odigits. The first line of the configuration file that matches is selected for the current request.

If the routing indicator (rri) is 0 (Global Title), the leading digits are replaced with the new digits (ndigits) to perform the numbering plan translation.

Example of direct replacement:

If the rule is “odigits 12345 ndigits 98765” and the IMSI is 123456789012345, the resulting digits are 987656789012345.

Example of wildcard replacement:

If the rule is “odigits 12345* ndigits 98765” and the IMSI is 123456789012345, the resulting digits are 98765.

rgti

(Global Title only) GTI value. 4 for C7; 2 for A7. (Usually 4.)

rnai

(Global Title only) Nature of Address Indicator.

rnp

(Global Title only) Numbering Plan.

Acceptable values are:

1—ISDN/Telephony

3—DATA

4—TELEX

5—Maritime Mobile

6—Land/Mobile

7—ISDN/Mobile

10—British Telecom special 1

11—British Telecom special 2

14—Private Network

rpc

Remote Point Code. Point Code of HLR or MSC.

rri

Routing indicator - 0 for GT (Global Title), 1 for PC/SSN (Point Code/Subsystem Number).

rssn

Subsystem Number of HLR.

rtt

(Global Title only) Translation Type (usually 0).

ts

Teleservice. See Authorization Options.

Authorization Options

The HLR database includes authorization information that is assigned to each subscriber. Three authorization designations are relevant to Steel-Belted Radius Carrier with the SIMauthentication module:

  • BS (Bearer Service)
  • TS (Teleservice)
  • ODB (Operator-Determined Barring)

You can specify subscriber HLR authorization (and barred service) designations in the MAP Gateway authGateway.conf file.

Note: You can disable authorization completely from EAP-SIM (not fetch subscriber profile information from the HLR and not perform a SQL/LDAP query). For instructions about disabling authorization, see “Disabling Authorization from EAP-SIM” in the section on Configuring the gsmmap.gen File for the SIM Authentication Module, in the SBR Carrier Reference Guide.

Each line in the authGateway.conf file corresponds to an HLR in your network. Each line also specifies all potential authorization (and barred service) settings for any subscribers on this HLR.

Steel-Belted Radius Carrier with the SIM authentication module uses the service authorization information that you list for each HLR in authGateway.conf:

  • When a TS or BS designation is assigned to a subscriber entry in the HLR database, Steel-Belted Radius Carrier with the SIM authentication module allows the subscriber the designated class of WLAN service upon authorization request.
  • When an ODB designation is assigned to a subscriber, Steel-Belted Radius Carrier with the SIM authentication module denies the subscriber WLAN service upon authorization request.
  • When you do not specify service designations for a HLR listed in authGateway.conf, then all subscribers on that HLR are authorized for WLAN service.
  • You can specify up to six authorization strings of each type (TS, BS, or ODB) on any given line of authGateway.conf.

You can specify the service designations in authGateway.conf:

bs n1:auth1
ts n2:auth2
odb n3:auth3

Here, ni (i=1,2,3) is a decimal integer that specifies the setting, and authi (i=1,2,3) is the string returned from the MAP Gateway to Steel-Belted Radius Carrier with the SIM authentication module.

For example, you might specify the potential subscriber designations on one HLR with the following text in authGateway.conf:

bs 26:B1A ts 33:TS21 odb 128:bar

Note: If you require any HLR authorization strings to define different classes of service for your subscribers, you must also specify those TS, BS, and ODB authorization strings in certain files associated with the SIM authentication module. For information about how to match these strings to Steel-Belted Radius Carrier variables, see the “simauth.aut [ProfileMap] Section” of Configuring EAP-SIM and EAP-AKA for the SIM Authentication Module in the SBR Carrier Reference Guide.

FetchMSISDNRoutingInfoLCS Parameter

The FetchMSISDNRoutingInfoLCS parameter defined in the authGateway.conf file specifies the type of message that is used to fetch MSISDN information from an HLR or HSS.

MSISDN information is usually fetched from an HLR through the d interface using the RestoreData message. Setting the FetchMSISDNRoutingInfoLCS parameter to 0 configures the authGateway process to interact with the HLR through the RestoreData message. The default SSN configured when the authGateway process starts is used as the originating SSN in the RestoreData message.

MSISDN information is usually fetched from an HLR or HSS through the SLh or Lh interface using the SendRoutingInfoForLCS message. Setting the FetchMSISDNRoutingInfoLCS parameter to 1 configures the authGateway process to interact with the HLR or HSS through the SendRoutingInfoForLCS message. Because SBR Carrier acts as a GMLC in this case, the GMLC SSN (i.e. 145) is used as the originating SSN.

By default, this parameter is set to 0.

Example 1—authGateway.conf file

(Lines are wrapped.)

odigits 2310 ndigits 2324 rnai 4 rnp 7 rgti 4 rtt 0 rri 0 rpc 3003 rssn 251 bs 12:gold bs 23:silver ts 91:bronze ts 92:red ts 93:green odb 1:black aqua

odigits 31026 ndigits 32476 rnai 4 rnp 7 rgti 4 rtt 0 rri 1 rpc 3003 rssn 253 bs 23:morning bs 24:afternoon ts 1:night

Example 2—authGateway.conf file

In this global title example, odigits and ndigits are the same and do not require translation. You can use the msisdn option in place of ndigits and odigits when no translation is required.

(Lines are wrapped.)

msisdn 31026 rnai 4 rnp 7 rgti 4 rtt 0 rri 0 rpc 3003 rssn 251 bs 12:gold bs 23:silver ts 91:bronze ts 92:red ts 93:green odb 1:black aqua

Configuring the authGateway Startup with MML Commands

The CREATE-PROCESS and START-PROCESS MML commands start the authGateway (by calling authGatway.conf), using options that you specify.

Table 193 describes the MML commands needed to configure and start authGateway.

Table 193: MML Commands for Configuring the Start of authGateway

MML Command

Description

CREATE-PROCESS

Identify the authGateway configuration file and the authGateway options.

START-PROCESS

Start the process.

For more information about the syntax and usage of the MML commands, see Signalware MML Commands. See SBR Carrier Installation Guide for information about executing the MML commands.

Table 194 lists the options that you can use with the CREATE-PROCESS command.

Table 194: authGateway Process Options Used with CREATE-PROCESS

Option

Description

appctx

MAP protocol revision (2 or 3). Only MAPv3 retrieves quintets, so it must used to support EAP-AKA.

conf

Path and name of the authGateway configuration file. The default file is $RADIUSDIR/conf/authGateway.conf.

debug

Sets a debug level. Use the following:

-debug 0xff

host

Local hostname. Use the hostname associated with the IP address that the authGateway listen on, and ensure that the entry is coordinated with the radius/GWrelay.conf file. If a hostname is not specified, 0.0.0.0 is used.

invkretry

Number of invoke retry.

invktimeout

Duration of invoke timeout in seconds.

lgti

(Global Title only) Local GTI value, usually 4 for C7 and 2 for A7.

lmsisdn

(Global Title only) MSISDN of this local node.

lnai

(GT only) Nature of Address Indicator. Indicates the scope of the address value, such as whether it is an international number (includes country code) or a national number (no country code).

1 Subscriber Number—no area code (example: 5551234

2 unused

3 National Significant Number—no country code (example: 2015551234)

4 International Number—includes country code (example: 12015551234)

lnp

(Global Title only) Local Numbering Plan.

Acceptable values are:

1—ISDN/Telephony

3—DATA

4—TELEX

5—Maritime Mobile

6—Land/Mobile

7—ISDN/Mobile

10—British Telecom special 1

11—British Telecom special 2

14—Private Network

lpc

Local Point Code (PC).

lri

Routing indicator - 0 for GT (Global Title), 1 for PC/SSN.

lssn

Local Subsystem Number (SSN) (required).

ltt

(Global Title only) Local Translation Type. Generally in a live network TT is always 0.

max_requests

The maximum number of simultaneous MAP dialogs.

monitor

Activates Message Activity Monitor.

name

Name of the process.

no rst

Disables automatic restart of process.

node

Node name.

port

Port number used by the SCTP association with the client.

prot

Variant used (C7, A7, or CH7).

rssn

Subsystem number of HLR.

trace

We recommend setting this to 0xff; this enables debug tracing and displays the trace information about the console. (Consists of a trace of all MAP messages that are formatted and sent down the stack.)

Use the tracefile option to capture the trace information to a file.

tracefile

Captures the trace information to a file. The filename follows the -tracefile switch. Include the directory in the filename.

Example—Creating and Starting the authGateway Process

We recommend that you specify an absolute (full) path in the EXEC command. The following configuration example explains how to create and start three authGateway instances:

(Lines are wrapped.)

CREATE-PROCESS:NAME="GMT", CE="sbr-blr-vm5", 
EXEC="/opt/JNPRsbr/radius/authGateway -debug 0xff -trace -name GMT -port 2003 -host sbr-blr-vm5 
-node SBRLX -prot C7 -conf /opt/JNPRsbr/radius/conf/authGateway.conf -lri 1 
-lpc 12501 -lssn 7 -rssn 6 -appctx 3";
debug 0xff -trace -tracefile /opt/signalw/radius/authGateway.out

START-PROCESS:NAME="GMT",CE="sbr-blr-vm5";

CREATE-PROCESS:NAME="GMT1", CE="sbr-blr-vm5", 
EXEC="/opt/JNPRsbr/radius/authGateway -debug 0xff -trace -name GMT1 -port 2005 -host sbr-blr-vm5 
-node SBRLX -prot C7 -conf /opt/JNPRsbr/radius/conf/authGateway.conf -lri 1 
-lpc 12501 -lssn 7 -rssn 6 -appctx 3";
debug 0xff -trace -tracefile /opt/signalw/radius/authGateway1.out

START-PROCESS:NAME="GMT1",CE="sbr-blr-vm5";

CREATE-PROCESS:NAME="GMT2", CE="sbr-blr-vm5", 
EXEC="/opt/JNPRsbr/radius/authGateway -debug 0xff -trace -name GMT2 -port 2007 -host sbr-blr-vm5 
-node SBRLX -prot C7 -conf /opt/JNPRsbr/radius/conf/authGateway.conf -lri 1 
-lpc 12501 -lssn 7 -rssn 6 -appctx 3";
debug 0xff -trace -tracefile /opt/signalw/radius/authGateway2.out

START-PROCESS:NAME="GMT2",CE="sbr-blr-vm5";

Note: MML commands are saved in MML files that can be loaded into Signalware. See the SBR Carrier Installation Guide for more information.

Modified: 2017-03-07