TechLibrary

[+] Expand All

[-] Collapse All

Steel-Belted Radius Carrier 8.4.0 Reference Guide
- Copyright and Trademark Information
- Table of Contents
- List of Figures
- List of Tables
- About This Guide
- Introduction
  - Introduction to Configuration Files
    - Configuration Files
    - Tips for Editing Configuration Files
- Steel-Belted Radius Carrier Core and Radius Front-End Files
  - Operations Files
    - access.ini File
      - [Settings] Section
      - [Users] and [Groups] Sections
    - admin.ini File
      - [AccessLevel] Section
      - [SNMPAgent] Section
    - events.ini File
      - [EventDilutions] Section
        Example
      - [Suppress] Section
        Example
      - [Thresholds] Section
        Example
    - events.xml File
    - radius.ini File
      - [Addresses] Section
        Example 1
        Example 2
      - [AuditLog] Section
      - [AuthRejectLog] Section
      - [Configuration] Section
      - [CurrentSessions] Section
      - [DynAuthProxy]
      - [LatencyLog]
      - [EmbedInClass] Section
      - [HiddenEAPIdentity] Section
      - [IPPoolSuffixes] Section
      - [IPv6] Section
      - [JavaScript] Section
      - [LDAP] Section
      - [LDAPAddresses] Section
      - [Logging] Section
        Log File Naming Conventions and Log Rollover
        Thread Identifiers
        Session Identifiers
        Example
        Enhanced Proxy Logging
      - [MsChapNameStripping] Section
      - [PurgeThreadLogging] Section
      - [Ports] Section
      - [Self] Section
      - [StaticAcctProxy] Section
      - [Status] Section
      - [Strip] Section
      - [StripPrefix] Section
      - [StripSuffix] Section
      - [UserNameTransform] Section
        Example
      - [ValidateAuth] and [ValidateAcct] Sections
    - sbrd.conf File
    - services File
    - servtype.ini File
    - update.ini File
      - [HUP] and [USR2] Sections
        Example
    - Auto-Restart Files
      - Perl SNMP Support
      - Perl System Log Support
      - sbrd.conf File
      - radiusd.conf File
        radiusd.conf Configuration File
  - Authentication Configuration Files
    - authlog.ini File
    - authReport.ini File
    - authReportAccept.ini File
      - [Attributes] Section
      - [Settings] Section
    - authReportBadSharedSecret.ini File
      - [Attributes] Section
      - [Settings] Section
    - authReportReject.ini File
      - [Attributes] Section
      - [Settings] Section
    - authReportUnknownClient.ini File
      - [Attributes] Section
      - [Settings] Section
    - blacklist.ini File
    - lockout.ini File
      - [ClientExclusionList] Section
      - [UserExclusionList] Section
    - redirect.ini File
      - [Settings] Section
      - [ClientExclusionList] Section
    - statlog.ini File
      - [Settings] Section
      - [Statistics] Section
  - Attribute Processing Files
    - Dictionary Files
      - .dct Files
        .dct File Location
        .dct File Records
        Editing .dct Dictionary Files
        Include Records
        Master Dictionary for .dct Files
        ATTRIBUTE Records
        Attribute Name and Identifier
        Syntax Type Identifier
        Compound Syntax Types
        Flag Characters
        VALUE Records
        Macro Records
        OPTION Records
      - .dic Files
        .dic File Location
        <?dict> Element
        <vendor> Element
        <attribute> Element
        Editing .dic Dictionary Files
    - Structured Attributes
      - Structured Attribute Dictionary Definitions
        XML Format of Dictionary Files
        <dictionary> Element
        <attribute> Element
        Subattribute Elements
        <constant>
      - Functional Areas That Use Subattributes
        Packet Parsing and Formatting
        Features that Support the Use of Structured and Subattributes
        Single Subattribute Insertion
        Attribute Filtering
        Proxy Attribute Mapping
        Structured Attributes in Return Lists and Check Lists
        Using Web GUI to Configure Subattributes in Return Lists and Checklists
        Using the LCI to Define Subattributes in Return Lists and Check Lists
        Javascript
        Converting Previous Attribute Flatteners with Subattributes
        Plug-in Attribute Access
      - Example of Configuration and Usage of a Structured Attribute
        3GPP2 Data Definition
        SBR Carrier XML Dictionary Definition
        Example Data
        LCI Encoding
    - classmap.ini File
      - [AttributeName] Section
    - filter.ini File
      - Filter Rules
      - Order of Filter Rules
        Examples
      - Values in Filter Rules
      - Referencing Attribute Filters
    - sample.rr File
    - spi.ini File
      - [Keys] Section
      - [Hosts] Section
    - vendor.ini File
      - [Vendor-Product Identification] Section
      - Product-Scan Settings
    - Adding NAS Location Information to Access-Request Messages
      - Location-Specific Configuration Files
      - locspec.ctrl File
        Example
        Example
        Example
        Example
      - proxy.ini File
        Example
      - realm.pro File
        Example realm.pro file:
      - Example Configuration for Adding NAS Location Attributes to Access-Request
        Example Overview
        Example Configuration
  - Address Assignment Files
    - dhcp.ini File
      - [Settings] Section
      - [Pools] Section
    - pool.dhc Files
  - Accounting Configuration Files
    - account.ini File
    - acctReport.ini File
    - sessionTable.ini File
      - [Settings] Section
  - Realm Configuration Files
    - Proxy Realm Configuration Files
    - Directed Realm Configuration Files
      - Sample proxy.ini File
      - Sample Directed Realm (.dir) File
    - proxy.ini File
    - Proxyrl.ini File
    - Proxy RADIUS Configuration (.pro) File
      - [Auth] Section
      - [Acct] Section
      - [AutoStop] Section
      - [Called-Station-ID] Section
      - [DynAuth] Section
      - Target Selection Rules
        Round-Robin Load Balancing
        Selecting a Backup Server
        Realm Retry Policy
      - [FastFail] Section
      - [ModifyUser] Section
      - [SpooledAccounting] Section
        Retry Sequence
    - Directed Realm Configuration (.dir) File
    - radius.ini Realm Settings
  - EAP Configuration Files
    - eap.ini File
    - peapauth.aut File
      - [Bootstrap] Section
      - [Server_Settings] Section
        Cipher_Suites Parameter
        Example 1
        Example 2
      - [Inner_Authentication] Section
      - [Request Filters] Section
      - [Response Filters] Section
      - [Session_Resumption] Section
    - tlsauth.aut File
      - [Server_Settings] Section
        Cipher_Suites Parameter
        Example 1
        Example 2
      - [CRL_Checking] Section
      - [Session_Resumption] Section
      - Sample tlsauth.aut File
    - tlsauth.eap File
      - [Server_Settings] Section
        Cipher_Suites Parameter
        Example 1
        Example 2
      - [Secondary_Authorization] Section
      - [CRL_Checking] Section
      - [Session_Resumption] Section
      - Sample tlsauth.eap File
      - Configuring Secondary Authorization
        SQL Authentication
        LDAP Authentication
    - ttlsauth.aut File
      - [Bootstrap] Section
      - [Server_Settings] Section
        Cipher_Suites Parameter
        Example 1
        Example 2
      - [Inner_Authentication] Section
      - [Request_Filters] Section
      - [Response_Filters] Section
      - [CRL_Checking] Section
      - [Session_Resumption] Section
      - Sample ttlsauth.aut File
  - Session State Register (SSR) Configuration Files
    - Configuring the config.ini File
    - Configuring the dbclusterndb.gen File
      - [Bootstrap] Section
      - [NDB] Section
        [Database] Section
      - [IpAddressPools] Section
      - [IpAddressPools:PoolName] Section
    - Using the georedSess.ses File to Configure the Geo-Redundancy Feature
  - Local CST Configuration Files
    - dbclusterRPC.gen File
    - cstserver.ini File
      - [Configuration] Section
      - [HA-Settings] Section
- Back-End Authentication and Accounting
  - SQL Plug-Ins
    - Common Configuration Items
      - [Bootstrap] Section
      - [Settings] Section
        Limitations of Underlying Database APIs
        SQL Parameter
        ErrorMap
        mssql.ini File
        [SoftErrors] Section
        mysql.ini File
        [SoftErrors] Section
        oracle.ini File
        [SoftErrors] Section
        LogLevel
      - [Server] Section
      - [Server/name] Sections
        Last Resort Server
      - Load Balancing Example
      - JDBC Plug-ins
    - SQL Authentication
      - [Settings] Section
        PasswordFormat
        ClearTextBinary
        DefaultResults
        SuccessResult
        UpperCaseName
      - [Results] Section
        Default [Results] Parameters
      - [FailedSuccessResultAttributes] Section
      - [Failure] Section
      - [Strip] Sections
      - Example: SQL Authentication Configuration File
    - SQL Accounting
    - SQL Accessors
    - Detailed Use Cases
      - Working with Stored Procedures
      - SQL Database Data Retrieval Methods
        SQL=SELECT Method for Data Retrieval from SQL Databases
        SQL=SELECT Method: SELECT Statement
        SQL=SELECT Method: [Results] Section
        SQL=SELECT Method: Section Correlations Illustrated
        Stored Procedure Method for Data Retrieval from SQL Databases
        Stored Procedure Method: BEGIN Statement of sqlaccessor.gen
        Stored Procedure Method: [Results] Section of sqlaccessor.gen
        Stored Procedure Method: Database Schema
        Stored Procedure Method: Data Retrieval
        Stored Procedure Method: Example
  - LDAP Plug-Ins
    - Overview
    - Common Configurations
    - LDAP Authentication
    - LDAP Accessor Files
  - CDR Accounting Plug-Ins
    - CDR Process Overview
    - Types of Call Detail Records
    - Configuring Accounting Options with cdracct.acc
      - [Bootstrap] Section of cdracct.acc
        Example
      - [Settings] Section of cdracct.acc
        Example
    - Displaying CDR Information
    - CDR Fields
    - CDR Field Formats for Binary and ASN.1 CDR Files
      - Field Formats for Binary Version 1 and Binary Version 2 CDR Files
- SIM Authentication Module
  - Common Configurations
    - ss7db.gen File
      - [Bootstrap] Section
      - [Settings] Section
    - gsmmap.gen File
      - [Bootstrap] Section
      - [Settings] Section
      - [Realms] Section
      - Configuring Each Realm Section
        Example
        Relationship Between Sections
      - Network Equipment and Data Needed for Processing Access-Requests
        Example: Authorization String
        Disabling Authorization from EAP-SIM
      - Target Module Section
        Target Module Fields (General Case)
        MAP Gateway Target Module Fields
        Example of MAP Gateway Target Module Fields
        SQL Database Target Module Fields
        Example of SQL Database Target Module
        LDAP Database Target Module Fields
        Example of LDAP Database Target Module
    - Signalware MML Commands
  - SIM/AKA Authentication
    - Overview
    - Configuring the simauth.aut File
    - Authentication Gateway
      - Configuring the ulcmmg.conf File
      - Configuring the GWrelay.conf File
      - Starting and Stopping the GWrelay Process
      - Configuring the authGateway.conf File
        [Routing-Configuration] Section
        Authorization Options
        Example 1—authGateway.conf file [Routing-Configuration] Section
        Example 2—authGateway.conf file [Routing-Configuration] Section
        [Supported-MAP-Messages] Section
        [Common-AGW-Configurations] Section
        [Process<name>] Section
        Example
      - Configuring the authGateway Startup with MML Commands
        Example—Creating and Starting the authGateway Process
- Optional Mobility Module Configuration Files
  - WiMAX Mobility Module Configuration File
    - wimax.ini File
- SNMP Configuration Files
  - SNMP Configuration Overview
  - SNMP Traps and Statistics Overview
- Appendixes
  - Authentication Protocols
  - Vendor-Specific Attributes
  - Configuration Examples
    - Steel-Belted Radius Carrier: 3G-to-Wi-Fi Offload Solution Using the SBR MAP Gateway with EAP-SIM or EAP-AKA
  - Detailed Use Cases
    - Using SQL Accessors
      - Configuring gsmmap.gen for Key Field Identification
        Examples
      - Configuring sqlaccessor.gen or sqlaccessor_jdbc.gen for Key Field Identification
        Examples
    - Using LDAP Accessors
      - Configuring ldapaccessor.gen for Key Field Identification
    - Assigning IP Addresses Based on APN
    - Adding Attributes to an Access-Accept
      - Overview
      - Data Flow
      - Configuration Tasks
      - Configuring Files for Adding Attributes to Access-Accept
      - Example Configuration for Adding Attributes to Access-Accept
        Example Overview
        Example Notes
        Access-Request
        SIMAuth
        Radsql.aut
        Eap.ini
        SQL Database Table 1
        Access-Accept
      - Activate the Authentication Method
    - Interfacing with a Kineto IP Network Controller
      - Attribute Handling Methods
      - Access-Request Conversion
      - Access-Accept Conversion
      - Access-Reject Conversion
      - Configuring the SIM Authentication Module for Handling Kineto Attributes
        Configuring the kinetoUMAAttrHandler.ctrl File
        Example kinetoUMAAttrHandler.ctrl file
        Configuring the controlpoints.ini File
        Configuring Kineto Attribute Recognition
        Activating the Authentication Method
        Developing Applications for the S1 Interface
    - Using Managed IPv6 Address Pools
  - SIR.conf File
  - Glossary
    - Numerics
    - A
    - B
    - C
    - D
    - E
    - F
    - G
    - H
    - I
    - J
    - L
    - M
    - N
    - O
    - P
    - Q
    - R
    - S
    - T
    - U
    - V
    - W

Download This Guide

Download this guide: Steel-Belted Radius Carrier 8.4.0 Reference Guide

Directed Realm Configuration (.dir) File

A directed realm specifies target methods for directed authentication and directed accounting. Its realm configuration file is called RealmName.dir. By default, a sample .dir file (example.dir) is installed with Steel-Belted Radius Carrier.

The directed authentication feature permits the server to bypass its Authentication Methods list and map an incoming RADIUS request to one or more specific authentication methods. Steel-Belted Radius Carrier chooses the destination method based on routing information found in the request packet. The destination methods may be any authentication methods already configured on the local Steel-Belted Radius Carrier server, regardless of how they were configured; for example, a method may have been configured using Web GUI, the LDAP configuration interface, or an .aut configuration file.

If no directed authentication method is configured, every request percolates through the same Authentication Methods list, as defined in the authentication methods listed in the Authentication Methods page in Web GUI. This behavior may or may not be ideal for every customer. Directed authentication lets you tailor an Authentication Methods list to a customer’s needs.

Directed accounting is also possible. The destination accounting method may be the Steel-Belted Radius Carrier accounting log, an external database configured using an .acc file, or a distinct accounting log file that contains entries only for this customer.

To activate these features, you must create RealmName.dir files, place them in the Steel-Belted Radius Carrier directory, and list them in the [Directed] section of proxy.ini. Subsequently, any requests that arrive addressed to one of these realm names are processed on the local server using the instructions you provided in proxy.ini and the corresponding RealmName.dir file.

After you edit a RealmName.dir file, you must apply your changes. If you have added or changed:

Any directed accounting methods, you must stop and restart the server to load your new configuration.
Directed authentication methods in which external database (SQL or LDAP) authentication is used, you must stop and restart the server to load your new configuration.
Directed authentication methods in which local or pass-through (Native, UNIX, or Host) authentication is used, you can apply your configuration changes dynamically, without stopping the server.
Issue the SIGHUP (1) signal to the Steel-Belted Radius Carrier process.
#./sbrd hup
Steel-Belted Radius Carrier re-reads proxy.ini, filter.ini, and all .pro and .dir files in the server directory, and resets its realm configuration accordingly.
Note: If you edit radius.ini while configuring a realm, you must restart Steel-Belted Radius Carrier to load your new configuration.

[Auth] Section

Directed authentication is enabled in a realm by setting the Enable parameter in the [Auth] section (Table 106) of the corresponding RealmName.dir file, where RealmName is the name of the realm. The syntax is:

[Auth]
Enable = 1
StripRealm = 1
UseMasterDictionary = yes
FilterOut = name
FilterIn = name
ServerCertificate =

Table 106: RealmName.dir [Auth] Syntax

Parameter	Function
Enable	If set to 1 in the [Auth] section of a RealmName.dir file, the directed authentication realm called *RealmName* is enabled. If set to 0, the realm is disabled. By enabling a directed authentication realm, you make it possible for Steel-Belted Radius Carrier to override the Authentication Methods list on the local server by providing an alternate list - for requests addressed to this realm only. Details of this list are provided in the [AuthMethods] section of the same RealmName.dir file.
ServerCertificate	Specifies the name of the server certificate (as mentioned under the Name column of the Server Certificates List page in Web GUI) that must be used for EAP requests received from the directed realm. The certificate specified in this parameter should have been added through the Web GUI; otherwise, EAP requests will be rejected. If this parameter is left blank, the default certificate configured through the Web GUI will be used for EAP authentication protocols. Note: A server certificate can be mapped to one or more directed realms.
StripRealm	If set to 1, Steel-Belted Radius Carrier strips the realm name from the username before attempting to authenticate the user's request. If set to 0, realm name stripping is disabled. Note: For directed realms, realm name is enabled (StripRealm = 1) by default. If you want to disable it, you must explicitly set StripRealm to 0.
UseMasterDictionary	If set to yes, inbound proxy responses for this realm use the master Steel-Belted Radius Carrier dictionary when authentication attributes are filtered in. If set to no, proxy responses for this realm use the client-specific dictionary when authentication attributes are filtered in. Default value is yes. The default value is the global setting configured in the UseMasterDictionary parameter in the proxy.ini file. Note: This value overrides the global setting configured in the UseMasterDictionary parameter in the proxy.ini file.
FilterOut = name	The FilterOut=name parameter causes Steel-Belted Radius Carrier to apply the filtering rules found in the [name] section of filter.ini. These rules are applied while Steel-Belted Radius Carrier is processing the incoming RADIUS request packet, and before it directs the packet out to the destination realm. You may also think of this as filtering various attributes and values out of the request before directing it to the realm.
FilterIn = name	The FilterIn=name parameter causes Steel-Belted Radius Carrier to apply the filtering rules found in the [name] section of filter.ini. These rules are applied after Steel-Belted Radius Carrier has received a response in from the destination realm, and while it is preparing the RADIUS response packet for its client. You may also think of this as filtering various attributes and values in to the response before returning it to the client.

[AuthMethods] Section

If directed authentication is enabled, the [AuthMethods] section of a RealmName.dir file lists one or more authentication methods to be used.

The syntax is:

[AuthMethods]DescriptionDescription...

where Description is the official name of an authentication method configured on the Steel-Belted Radius Carrier server. For example:

[AuthMethods]
Native User
UNIX User
UNIX Group
<InitializationString=SQL>
<InitializationString=LDAP>

If you want your [AuthMethods] section to reference an external authentication method, a Description string must match the names of that method. If you want your [AuthMethods] section to reference an external database, enter the InitializationString value from the [Bootstrap] section of the corresponding .aut file.

Note: There is no interaction between the settings in the Authentication Methods page and in RealmName.dir files, or between different RealmName.dir files. For example, if you disable the UNIX User method in the Authentication Methods page while it is enabled in a RealmName.dir file, it remains enabled in RealmName.dir.

[Acct] Section

Directed accounting is enabled in a realm by setting the Enable parameter in the [Acct] section (Table 107) of the corresponding RealmName.dir file, where RealmName is the name of the realm. The syntax is:

[Acct]
Enable = 1
StripRealm = 0
RecordLocally = 0
UseMasterDictionary = yes

Table 107: RealmName.dir [Acct] Syntax

Parameter	Function
Enable	If set to 1 in the [Acct] section of a RealmName.dir file, the directed accounting realm called *RealmName* is enabled. If set to 0, the realm is disabled. By enabling a directed accounting realm, you make it possible for Steel-Belted Radius Carrier to override the normally configured accounting methods on the local server by providing an alternate list - for requests addressed to this realm only. Details of this list are provided in the [AcctMethods] section of the same RealmName.dir file. Default value is 0.
RecordLocally	If set to 1, Steel-Belted Radius Carrier writes accounting records to its main accounting log file in addition to the accounting destinations specified in [AcctMethods]. If set to 0, this feature is disabled. Default value is 0.
StaticAcctRealms	If a value is supplied for this parameter, accounting packets are forwarded to a list of realms. The setting given must be a section name defined in the proxyrl.ini file that lists the realms to which the accounting packets are forwarded. See Proxyrl.ini File.
StripRealm	If set to 1, Steel-Belted Radius Carrier strips the realm name from the username before attempting to authenticate the user's request. If set to 0, realm name stripping is disabled. Note: For directed realms, username stripping is enabled (StripRealm = 1) by default. If you want to disable it, you must explicitly set StripRealm to 0.
UseMasterDictionary	If set to yes, inbound proxy responses for this realm use the master Steel-Belted Radius Carrier dictionary when accounting attributes are filtered in. If set to no, proxy responses for this realm use the client-specific dictionary when accounting attributes are filtered in. Default value is yes. The default value is the global setting configured in the UseMasterDictionary parameter in the proxy.ini file. Note: This value overrides the global setting configured in the UseMasterDictionary parameter in the proxy.ini file.

[AcctMethods] Section

If directed accounting is enabled, the [AcctMethods] section of a RealmName.dir file lists one or more accounting methods to be used. The syntax is:

[AcctMethods]DescriptionDescription...

where Description is the official name of a directed accounting method configured in the proxy.ini file.

[Called-Station-ID] Section

The [Called-Station-ID] section of a RealmName.dir file allows Steel-Belted Radius Carrier to select a realm to be used for directed authentication and accounting based on DNIS information supplied in an incoming RADIUS packet. The [CalledStationID] section lists each DNIS string that identifies the realm. If this string is found in the CalledStationId attribute of an incoming request, the directed authentication and accounting rules found in the corresponding RealmName.dir file are applied to the request.

The syntax is:

[Called-Station-ID]String.String...

where String is a DNIS string.

[ModifyUser] Section

The [ModifyUser] section (Table 108) of a realm directed file permits you to decorate a realm, where the realm is determined by other means, such as DNIS or attribute mapping.

This is used mainly to enhance directed realms. For example, the following two users are in the database: george@gm and george@ford. Either user can log in as george, because Steel-Belted Radius Carrier determines the realm, for example, by DNIS. Based on the realm, Steel-Belted Radius Carrier appends either @gm or @ford to the username, and then uses the Native User directed method to authenticate.

Table 108: RealmName.dir [ModifyUser] Syntax

Parameter	Function
AddPrefix=prefix AddSuffix=suffix	These parameters define the User-Name prefix and suffix.

Parameter

Function

AddPrefix=prefix

AddSuffix=suffix

These parameters define the User-Name prefix and suffix.