Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation  Back up to About Overview 
  
[+] Expand All
[-] Collapse All

Authentication Gateway

This section explains the configurations of ulcmmg.conf, GWrelay.conf, and authGateway.conf files.

Configuring the ulcmmg.conf File

The ulcmmg.conf file establishes the connection between the GWrelay application and SBR Carrier.

The ulcmmg.conf file contains lines of the following form (the angle brackets <> indicate required parameters and should not be included in the actual configuration):

LOCAL_HOST <host-name>: <port>
REMOTE_HOST <host-name>:<port><ip-address>
DEBUG
LOG_FILE <file-name>

The LOCAL_HOST line is required. The required host-name parameter specifies the name of the local host, for example, the machine on which the SBRC is executing. The required port parameter specifies the outbound socket port number (2001 by default) that is used by the SBRC to transmit messages to the GWrelay process.

The REMOTE_HOST line is required. The required host-name parameter specifies the name of the host on which the GWrelay process is executing. The required port parameter specifies the inbound socket port number (2000 by default) that is used by the GWrelay process to listen for messages from SBRC. The required ip-address parameter specifies the IP address corresponding to the host-name parameter.

The DEBUG line is optional. When present, it enables debug messages to be emitted on the Signalware console device. Enabling debug messages degrades the performance and should be avoided in production environments.

The LOG_FILE line is optional. When present it enables diagnostic messages, including debug messages if enabled, to be written to the log file that is specified by the required file-name parameter. The file-name parameter should specify an absolute path-name for the log file.

For more information, see the SBR Carrier Installation Guide.

Configuring the GWrelay.conf File

The GWrelay.conf file is used to define the source and destination ports through which an SCTP connection is established between the GWrelay application and authGateway instances.

The GWrelay.conf file contains lines of the following form (the angle brackets <> indicate required parameters and should not be included in the actual configuration):

LOCAL_HOST <host-name>: <portA>
REMOTE_HOST <host-name>:<porta><ip-address>

LOCAL_HOST <host-name>: <portB>
REMOTE_HOST <host-name>:<portb><ip-address>

...

LOCAL_HOST <host-name>: <portZ>
REMOTE_HOST <host-name>:<portz><ip-address>

RELAY_SERVER <host-name>: <port>
NumberofRetries <retry_value>
DelayBetweenRetries <delay_time>
LogLevel <level>
LogPath <file-path>
LogSize <file-size>

The LOCAL_HOST line is required. The required host-name parameter specifies the name of the local host on which the GWrelay process is executing. The required port parameter specifies the outbound socket port number that is used by the GWrelay application to listen for responses from the authGateway instances.

The REMOTE_HOST line is required. The required host-name parameter specifies the name of the host on which the authGateway process is executing. The host-name parameter value must match the value set in the -host option in the MML CREATE-PROCESS statement that is used to start the authGateway process. The host-name parameter value should also match the value in the LOCAL_HOST line, that is, the authGateway process is intended to execute on the same host as SBR Carrier. The required port parameter specifies the inbound socket port number that is used by the authGateway instances to listen for messages from the GWrelay application. The port parameter value must match the value set in the -port option in the MML CREATE-PROCESS statement. The required ip-address parameter specifies the IP address corresponding to the host-name parameter.

RELAY_SERVER line is required. The required host-name parameter specifies the name of the local host on which the GWrelay process is executing. The required port parameter specifies the inbound socket port number that is used by the GWrelay application to listen for messages from SBR Carrier.

The NumberofRetries is optional. The retry_value parameter specifies the number of retry attempts to be performed by the SCTP socket when attempting to connect to the authGateway instance. Default value is 3.

The DelayBetweenRetries line is optional. The delay_time parameter specifies the number of seconds the SCTP socket must wait between retry attempts. Default value is 2 seconds.

The LogLevel line is optional. The level parameter activates logging for the GWrelay process and sets the level of details of the message. If the level parameter is set to 0, the entries in the GWrelay log file contain default information. If this parameter is set to 1, the entries in the GWrelay log file contain debug information. Default value is 0.

The LogPath line is optional. The file-path parameter specifies the path of the GWrelay log file. You can specify any valid path that exists in the SBR machine. Default path is /opt/JNPRsbr/radius.

The LogSize line is optional. The file-size parameter specifies the rollover size limit (in bytes) for the GWrelay log file. After the file size exceeds this limit, the current log file is closed and a new one is created. Default value is 2,147,483,647 bytes.

For more information, see the SBR Carrier Installation Guide.

Starting and Stopping the GWrelay Process

You can use the sbrd script to start, stop, or restart the GWrelay process. All sbrd commands can be executed only by the root user. The syntax for the sbrd usage is:

sbrd <start|stop|restart> <GWrelay> [force]
sbrd <status> <GWrelay>

You can use the start, stop, and restart arguments with the GWrelay option to start, stop, and restart the GWrelay process. The status argument displays information about the status of the GWrelay process. The force argument makes sbrd attempt to disregard or overcome any errors that occur when processing the command. The sbrd script halts if any error occurs, when executed without the force argument. For example, the sbrd start command does not attempt to start the software that is already running, but the sbrd start force command ignores a running process. This may produce unintended results, so use the force argument with great care.

Note: The GWrelay application gets terminated automatically when all the configured authGateway instances are down. So, you must manually start the GWrelay application when the authGateway instances are restarted.

If you have set the GWRELAYENABLE parameter in the sbrd.conf file to 1 or answered Yes to the question Do you want to enable "GWrelay" Process? [n]: while running the SBR Carrier configuration script, then the GWrelay process will be started, stopped, or restarted when you execute the ./sbrd start, ./sbrd stop, or ./sbrd restart script respectively.

Configuring the authGateway.conf File

The authGateway.conf file configures the following authGateway options:

  • Remote routing options control how the remote HLR is addressed based on the incoming IMSI.
  • Authorization options control whether or not a subscriber requesting an account is authorized for WLAN access, and which Steel-Belted Radius Carrier profile or native user is used.
  • The FetchMSISDNRoutingInfoLCS parameter specifies the type of message that is used to request MSISDN information from an HLR or HSS, and the CamelSupportedPhases parameter specifies which CAMEL phase services are supported in the network.
  • Common configurations of the authGateway process.
  • Process-specific options specify settings related to the authGateway process.

[Routing-Configuration] Section

Each line in the authGateway.conf file represents a target HLR, where each HLR has its own routing options and authorization options. Indicate each HLR listed in this file with the initial digits of the subscriber password, specified by the odigits option.

Table 192 lists the remote routing options for the authGateway.conf file.

Table 192: authGateway.conf [Routing-Configuration] Syntax

Option

Purpose

bs

Bearer Service. See Authorization Options.

msisdn

The msisdn option can be used in place of ndigits and odigits when no translation is required. See Example 2—authGateway.conf file [Routing-Configuration] Section.

ndigits

Replacement digits for numbering plan translation (hybrid IMSI).

odb

Operator-Determined Barring. See Authorization Options.

odigits

Initial digits of IMSI or password for this HLR. For each request, the first digits of the IMSI are compared with odigits. The first line of the configuration file that matches is selected for the current request.

If the routing indicator (rri) is 0 (Global Title), the leading digits are replaced with the new digits (ndigits) to perform the numbering plan translation.

Example of direct replacement:

If the rule is “odigits 12345 ndigits 98765” and the IMSI is 123456789012345, the resulting digits are 987656789012345.

Example of wildcard replacement:

If the rule is “odigits 12345* ndigits 98765” and the IMSI is 123456789012345, the resulting digits are 98765.

rgti

(Global Title only) GTI value. 4 for C7; 2 for A7. (Usually 4.)

rnai

(Global Title only) Nature of Address Indicator.

rnp

(Global Title only) Numbering Plan.

Acceptable values are:

1—ISDN/Telephony

3—DATA

4—TELEX

5—Maritime Mobile

6—Land/Mobile

7—ISDN/Mobile

10—British Telecom special 1

11—British Telecom special 2

14—Private Network

rpc

Remote Point Code. Point Code of HLR or MSC.

rri

Routing indicator - 0 for GT (Global Title), 1 for PC/SSN (Point Code/Subsystem Number).

rssn

Subsystem Number of HLR.

rtt

(Global Title only) Translation Type (usually 0).

ts

Teleservice. See Authorization Options.

Authorization Options

The HLR database includes authorization information that is assigned to each subscriber. Three authorization designations are relevant to Steel-Belted Radius Carrier with the SIMauthentication module:

  • BS (Bearer Service)
  • TS (Teleservice)
  • ODB (Operator-Determined Barring)

You can specify subscriber HLR authorization (and barred service) designations in the MAP Gateway authGateway.conf file.

Note: You can disable authorization completely from EAP-SIM (not fetch subscriber profile information from the HLR and not perform a SQL/LDAP query). For instructions about disabling authorization, see “Disabling Authorization from EAP-SIM” in the section on Configuring the gsmmap.gen File for the SIM Authentication Module, in the SBR Carrier Reference Guide.

Each line in the authGateway.conf file corresponds to an HLR in your network. Each line also specifies all potential authorization (and barred service) settings for any subscribers on this HLR.

Steel-Belted Radius Carrier with the SIM authentication module uses the service authorization information that you list for each HLR in authGateway.conf:

  • When a TS or BS designation is assigned to a subscriber entry in the HLR database, Steel-Belted Radius Carrier with the SIM authentication module allows the subscriber the designated class of WLAN service upon authorization request.
  • When an ODB designation is assigned to a subscriber, Steel-Belted Radius Carrier with the SIM authentication module denies the subscriber WLAN service upon authorization request.
  • When you do not specify service designations for a HLR listed in authGateway.conf, then all subscribers on that HLR are authorized for WLAN service.
  • You can specify up to six authorization strings of each type (TS, BS, or ODB) on any given line of authGateway.conf.

You can specify the service designations in authGateway.conf:

bs n1:auth1
ts n2:auth2
odb n3:auth3

Here, ni (i=1,2,3) is a decimal integer that specifies the setting, and authi (i=1,2,3) is the string returned from the MAP Gateway to Steel-Belted Radius Carrier with the SIM authentication module.

For example, you might specify the potential subscriber designations on one HLR with the following text in authGateway.conf:

bs 26:B1A ts 33:TS21 odb 128:bar

Note: If you require any HLR authorization strings to define different classes of service for your subscribers, you must also specify those TS, BS, and ODB authorization strings in certain files associated with the SIM authentication module. For information about how to match these strings to Steel-Belted Radius Carrier variables, see the “simauth.aut [ProfileMap] Section” of Configuring EAP-SIM and EAP-AKA for the SIM Authentication Module in the SBR Carrier Reference Guide.

Example 1—authGateway.conf file [Routing-Configuration] Section

(Lines are wrapped.)

odigits 2310 ndigits 2324 rnai 4 rnp 7 rgti 4 rtt 0 rri 0 rpc 3003 rssn 251 bs 12:gold bs 23:silver ts 91:bronze ts 92:red ts 93:green odb 1:black aqua

odigits 31026 ndigits 32476 rnai 4 rnp 7 rgti 4 rtt 0 rri 1 rpc 3003 rssn 253 bs 23:morning bs 24:afternoon ts 1:night

Example 2—authGateway.conf file [Routing-Configuration] Section

In this global title example, odigits and ndigits are the same and do not require translation. You can use the msisdn option in place of ndigits and odigits when no translation is required.

(Lines are wrapped.)

msisdn 31026 rnai 4 rnp 7 rgti 4 rtt 0 rri 0 rpc 3003 rssn 251 bs 12:gold bs 23:silver ts 91:bronze ts 92:red ts 93:green odb 1:black aqua

[Supported-MAP-Messages] Section

The [Supported-MAP-Messages] section (Table 193) of the authGateway.conf file specifies the method of fetching MSISDN and which CAMEL phase services are supported in the network.

Table 193: authGateway.conf [Supported-MAP-Messages] Syntax

Parameter

Description

FetchMSISDNRoutingInfoLCS

Specifies the type of message that is used to fetch MSISDN information from an HLR or HSS.

MSISDN information is usually fetched from an HLR through the d interface using the RestoreData message. Setting the FetchMSISDNRoutingInfoLCS parameter to 0 configures the authGateway process to interact with the HLR through the RestoreData message. The default SSN configured when the authGateway process starts is used as the originating SSN in the RestoreData message.

MSISDN information is usually fetched from an HLR or HSS through the SLh or Lh interface using the SendRoutingInfoForLCS message. Setting the FetchMSISDNRoutingInfoLCS parameter to 1 configures the authGateway process to interact with the HLR or HSS through the SendRoutingInfoForLCS message. Because SBR Carrier acts as a GMLC in this case, the GMLC SSN (i.e. 145) is used as the originating SSN.

By default, this parameter is set to 0.

CamelSupportedPhases

Specifies which CAMEL phase services are supported in the network.

  • If set to 0 or commented out, the RestoreData message populates only the mandatory parameter IMSI.
  • If set to 1, the network supports CAMEL phase 1 services.
  • If set to 2, the network supports CAMEL phase 2 services.
  • If set to 3, the network supports CAMEL phase 3 services.
  • If set to 4, the network supports CAMEL phase 4 services.

By default, this parameter is set to 0.

[Common-AGW-Configurations] Section

The [Common-AGW-Configurations] section (Table 194) of the authGateway.conf file specifies common configurations for the authGateway process.

Table 194: authGateway.conf [Common-AGW-Configurations] Syntax

Option

Description

appctx

Specifies the MAP protocol revision (2 or 3). Only MAPv3 retrieves quintets, so it must be used to support EAP-AKA.

Default value is 2.

connretry

Specifies the number of connection attempts.

Default value is 10.

conntimeout

Specifies the connection timeout in minutes.

Default value is 0 minute.

host

Specifies the local hostname. You must use the hostname associated with the IP address that the authGateway listen on. Also, you must ensure that the entry is coordinated with the radius/GWrelay.conf file (if authGateway is running as multiple instances) and radius/conf/ulcmmg.conf (if authGateway is running as a single instance) files. If a hostname is not specified, 0.0.0.0 is used.

invkretry

Specifies the number of invoke retries.

Default value is 1.

invktimeout

Specifies the duration of invoke timeout in seconds.

Default value is 30 seconds.

lgti

(Global Title only) Specifies the local GTI value, usually 4 for C7 and 2 for A7.

Default value is 4.

lmsisdn

(Global Title only) Specifies the MSISDN value of the local node.

Default value is 0.

lnai

(Global Title only) Specifies the scope of the address value, such as whether it is an international number (includes country code) or a national number (no country code).

  • 1—Subscriber number with no area code (example: 5551234)
  • 2—Unused
  • 3—National significant number with no country code (example: 2015551234)
  • 4—International number with country code (example: 12015551234)

Default value is 4.

lnp

(Global Title only) Specifies the local numbering plan. Acceptable values are:

  • 1—ISDN/Telephony
  • 3—DATA
  • 4—TELEX
  • 5—Maritime Mobile
  • 6—Land/Mobile
  • 7—ISDN/Mobile
  • 10—British Telecom special 1
  • 11—British Telecom special 2
  • 14—Private Network

Default value is 1.

lpc

Specifies the Local Point Code (PC).

Default value is 0.

lri

Specifies the routing indicator used to address messages to the local node.

  • 0—Global Title
  • 1—PC/SSN

Default value is 1.

lssn

Specifies the local subsystem number.

Default value is 7.

ltt

(Global Title only) Specifies local translation type.

Default value is 0.

max_requests

Specifies the maximum number of concurrent requests that can be handled by the authGateway process.

Default value is 1000.

monitor

Activates the message activity monitor.

no_rst

Disables automatic restart of the authGateway process.

node

Specifies the node name.

[Process<name>] Section

The [Process<name>] section (Table 195) of the authGateway.conf file contains the parameters that control authGateway process specific behavior.

Table 195: authGateway.conf [Process<name>] Syntax

Option

Description

debug

Specifies a debug level. Default value is 0.

Note: This parameter is reloaded whenever SBR Carrier receives a SIGHUP (1) signal.

port

Specifies the port number used by the SCTP association with the client.

prot

Specifies the variant used (C7, A7, or CH7).

trace

Enables debug tracing and displays the trace information about the console. (Consists of a trace of all MAP messages that are formatted and sent down the stack.)

Note: We recommend setting this parameter to 0.

Note: This parameter is reloaded whenever SBR Carrier receives a SIGHUP (1) signal.

tracefile

Captures the trace information to a file. The filename follows the -tracefile switch. Include the directory in the filename.

Note: This parameter is reloaded whenever SBR Carrier receives a SIGHUP (1) signal.

Example

If you are using two authGateway processes—for example, GMT1 and GMT2, then two sections [ProcessGMT1] and [ProcessGMT2] must be added to the authGateway.conf file for the authGateway processes to startup. The following example explains this configuration:

[ProcessGMT1]

#Remote port specified in ulcmmg.conf
#Port number used by the SCTP association with the client
port=2003

#Variant used (C7, A7 or CH7)
prot=C7

#Enables Signalware library debug logging. Sets a debug level.
debug=1

#This enables debug tracing and displays the trace information about the console.
#Consists of a trace of all MAP messages that are formatted and sent down the stack.
#Use the tracefile option to capture the trace information to a file
trace=1

#Captures the trace information to a file. The filename follows the tracefile
#switch. Include the directory in the filename
tracefile=/opt/JNPRsbr/radius/conf/Trace1.out

[ProcessGMT2]

#Remote port specified in ulcmmg.conf
#Port number used by the SCTP association with the client
port=2005

#Variant used (C7, A7 or CH7)
prot=C7

#Enables Signalware library debug logging. Sets a debug level.
debug=1

#This enables debug tracing and displays the trace information about the console.
#Consists of a trace of all MAP messages that are formatted and sent down the stack.
#Use the tracefile option to capture the trace information to a file
trace=1

#Captures the trace information to a file. The filename follows the tracefile
#switch. Include the directory in the filename
tracefile=/opt/JNPRsbr/radius/conf/Trace2.out

Configuring the authGateway Startup with MML Commands

The CREATE-PROCESS and START-PROCESS MML commands start the authGateway (by calling authGatway.conf), using options that you specify.

Table 196 describes the MML commands needed to configure and start authGateway.

Table 196: MML Commands for Configuring the Start of authGateway

MML Command

Description

CREATE-PROCESS

Identify the authGateway configuration file and the authGateway options.

START-PROCESS

Start the process.

For more information about the syntax and usage of the MML commands, see Signalware MML Commands. See SBR Carrier Installation Guide for information about executing the MML commands.

Table 197 lists the mandatory MML options to be used with the CREATE-PROCESS command.

Table 197: authGateway Process Options Used with CREATE-PROCESS

Option

Description

conf

Path and name of the authGateway configuration file. The default file is $RADIUSDIR/conf/authGateway.conf.

name

Name of the authGateway process.

The MML options listed in Table 198 are still supported for backward compatibility.

Note: Starting from SBR Carrier 8.4.0 release, the authGateway.conf file configuration takes precedence over any existing MML CREATE-PROCESS options. While upgrading to SBR Carrier Release 8.4.0, the authGateway.conf file will be imported from older versions of SBR Carrier. If there is no specified configuration present in the imported authGateway.conf file, SBR Carrier uses the existing MML configurations. If no MML configurations are present, the authGateway.conf defaults are used. If any mandatory parameters (port, host, and node) are missing, then error messages are logged.

Table 198: authGateway Process Options Supported for Backward-Compatibility

Option

Description

appctx

MAP protocol revision (2 or 3). Only MAPv3 retrieves quintets, so it must used to support EAP-AKA.

debug

Sets a debug level. Use the following:

-debug 0xff

host

Local hostname. Use the hostname associated with the IP address that the authGateway listen on, and ensure that the entry is coordinated with the radius/GWrelay.conf file. If a hostname is not specified, 0.0.0.0 is used.

invkretry

Number of invoke retry.

invktimeout

Duration of invoke timeout in seconds.

lgti

(Global Title only) Local GTI value, usually 4 for C7 and 2 for A7.

lmsisdn

(Global Title only) MSISDN of this local node.

lnai

(GT only) Nature of Address Indicator. Indicates the scope of the address value, such as whether it is an international number (includes country code) or a national number (no country code).

1 Subscriber Number—no area code (example: 5551234

2 unused

3 National Significant Number—no country code (example: 2015551234)

4 International Number—includes country code (example: 12015551234)

lnp

(Global Title only) Local Numbering Plan.

Acceptable values are:

1—ISDN/Telephony

3—DATA

4—TELEX

5—Maritime Mobile

6—Land/Mobile

7—ISDN/Mobile

10—British Telecom special 1

11—British Telecom special 2

14—Private Network

lpc

Local Point Code (PC).

lri

Routing indicator - 0 for GT (Global Title), 1 for PC/SSN.

lssn

Local Subsystem Number (SSN) (required).

ltt

(Global Title only) Local Translation Type. Generally in a live network TT is always 0.

max_requests

The maximum number of simultaneous MAP dialogs.

monitor

Activates Message Activity Monitor.

no rst

Disables automatic restart of process.

node

Node name.

port

Port number used by the SCTP association with the client.

prot

Variant used (C7, A7, or CH7).

rssn

Subsystem number of HLR.

trace

We recommend setting this to 0xff; this enables debug tracing and displays the trace information about the console. (Consists of a trace of all MAP messages that are formatted and sent down the stack.)

Use the tracefile option to capture the trace information to a file.

tracefile

Captures the trace information to a file. The filename follows the -tracefile switch. Include the directory in the filename.

Example—Creating and Starting the authGateway Process

We recommend that you specify an absolute (full) path in the EXEC command. The following configuration example explains how to create and start three authGateway instances:

(Lines are wrapped.)

CREATE-PROCESS:NAME="GMT", CE="sbr-lnx-perf", EXEC="/opt/JNPRsbr/radius/authGateway 
-name GMT -conf /opt/JNPRsbr/radius/conf/authGateway.conf -port 2003" 

START-PROCESS:NAME="GMT",CE="sbr-lnx-perf";

CREATE-PROCESS:NAME="GMT1", CE="sbr-lnx-perf", EXEC="/opt/JNPRsbr/radius/authGateway 
-name GMT1 -conf /opt/JNPRsbr/radius/conf/authGateway.conf -port 2005" 

START-PROCESS:NAME="GMT1",CE="sbr-lnx-perf";

CREATE-PROCESS:NAME="GMT2", CE="sbr-lnx-perf", EXEC="/opt/JNPRsbr/radius/authGateway 
-name GMT2 -conf /opt/JNPRsbr/radius/conf/authGateway.conf -port 2007" 

START-PROCESS:NAME="GMT2",CE="sbr-lnx-perf";

Note: MML commands are saved in MML files that can be loaded into Signalware. See the SBR Carrier Installation Guide for more information.

Modified: 2017-09-27