TechLibrary

[+] Expand All

[-] Collapse All

Steel-Belted Radius Carrier 8.4.0 Reference Guide
- Copyright and Trademark Information
- Table of Contents
- List of Figures
- List of Tables
- About This Guide
- Introduction
  - Introduction to Configuration Files
    - Configuration Files
    - Tips for Editing Configuration Files
- Steel-Belted Radius Carrier Core and Radius Front-End Files
  - Operations Files
    - access.ini File
      - [Settings] Section
      - [Users] and [Groups] Sections
    - admin.ini File
      - [AccessLevel] Section
      - [SNMPAgent] Section
    - events.ini File
      - [EventDilutions] Section
        Example
      - [Suppress] Section
        Example
      - [Thresholds] Section
        Example
    - events.xml File
    - radius.ini File
      - [Addresses] Section
        Example 1
        Example 2
      - [AuditLog] Section
      - [AuthRejectLog] Section
      - [Configuration] Section
      - [CurrentSessions] Section
      - [DynAuthProxy]
      - [LatencyLog]
      - [EmbedInClass] Section
      - [HiddenEAPIdentity] Section
      - [IPPoolSuffixes] Section
      - [IPv6] Section
      - [JavaScript] Section
      - [LDAP] Section
      - [LDAPAddresses] Section
      - [Logging] Section
        Log File Naming Conventions and Log Rollover
        Thread Identifiers
        Session Identifiers
        Example
        Enhanced Proxy Logging
      - [MsChapNameStripping] Section
      - [PurgeThreadLogging] Section
      - [Ports] Section
      - [Self] Section
      - [StaticAcctProxy] Section
      - [Status] Section
      - [Strip] Section
      - [StripPrefix] Section
      - [StripSuffix] Section
      - [UserNameTransform] Section
        Example
      - [ValidateAuth] and [ValidateAcct] Sections
    - sbrd.conf File
    - services File
    - servtype.ini File
    - update.ini File
      - [HUP] and [USR2] Sections
        Example
    - Auto-Restart Files
      - Perl SNMP Support
      - Perl System Log Support
      - sbrd.conf File
      - radiusd.conf File
        radiusd.conf Configuration File
  - Authentication Configuration Files
    - authlog.ini File
    - authReport.ini File
    - authReportAccept.ini File
      - [Attributes] Section
      - [Settings] Section
    - authReportBadSharedSecret.ini File
      - [Attributes] Section
      - [Settings] Section
    - authReportReject.ini File
      - [Attributes] Section
      - [Settings] Section
    - authReportUnknownClient.ini File
      - [Attributes] Section
      - [Settings] Section
    - blacklist.ini File
    - lockout.ini File
      - [ClientExclusionList] Section
      - [UserExclusionList] Section
    - redirect.ini File
      - [Settings] Section
      - [ClientExclusionList] Section
    - statlog.ini File
      - [Settings] Section
      - [Statistics] Section
  - Attribute Processing Files
    - Dictionary Files
      - .dct Files
        .dct File Location
        .dct File Records
        Editing .dct Dictionary Files
        Include Records
        Master Dictionary for .dct Files
        ATTRIBUTE Records
        Attribute Name and Identifier
        Syntax Type Identifier
        Compound Syntax Types
        Flag Characters
        VALUE Records
        Macro Records
        OPTION Records
      - .dic Files
        .dic File Location
        <?dict> Element
        <vendor> Element
        <attribute> Element
        Editing .dic Dictionary Files
    - Structured Attributes
      - Structured Attribute Dictionary Definitions
        XML Format of Dictionary Files
        <dictionary> Element
        <attribute> Element
        Subattribute Elements
        <constant>
      - Functional Areas That Use Subattributes
        Packet Parsing and Formatting
        Features that Support the Use of Structured and Subattributes
        Single Subattribute Insertion
        Attribute Filtering
        Proxy Attribute Mapping
        Structured Attributes in Return Lists and Check Lists
        Using Web GUI to Configure Subattributes in Return Lists and Checklists
        Using the LCI to Define Subattributes in Return Lists and Check Lists
        Javascript
        Converting Previous Attribute Flatteners with Subattributes
        Plug-in Attribute Access
      - Example of Configuration and Usage of a Structured Attribute
        3GPP2 Data Definition
        SBR Carrier XML Dictionary Definition
        Example Data
        LCI Encoding
    - classmap.ini File
      - [AttributeName] Section
    - filter.ini File
      - Filter Rules
      - Order of Filter Rules
        Examples
      - Values in Filter Rules
      - Referencing Attribute Filters
    - sample.rr File
    - spi.ini File
      - [Keys] Section
      - [Hosts] Section
    - vendor.ini File
      - [Vendor-Product Identification] Section
      - Product-Scan Settings
    - Adding NAS Location Information to Access-Request Messages
      - Location-Specific Configuration Files
      - locspec.ctrl File
        Example
        Example
        Example
        Example
      - proxy.ini File
        Example
      - realm.pro File
        Example realm.pro file:
      - Example Configuration for Adding NAS Location Attributes to Access-Request
        Example Overview
        Example Configuration
  - Address Assignment Files
    - dhcp.ini File
      - [Settings] Section
      - [Pools] Section
    - pool.dhc Files
  - Accounting Configuration Files
    - account.ini File
    - acctReport.ini File
    - sessionTable.ini File
      - [Settings] Section
  - Realm Configuration Files
    - Proxy Realm Configuration Files
    - Directed Realm Configuration Files
      - Sample proxy.ini File
      - Sample Directed Realm (.dir) File
    - proxy.ini File
    - Proxyrl.ini File
    - Proxy RADIUS Configuration (.pro) File
      - [Auth] Section
      - [Acct] Section
      - [AutoStop] Section
      - [Called-Station-ID] Section
      - [DynAuth] Section
      - Target Selection Rules
        Round-Robin Load Balancing
        Selecting a Backup Server
        Realm Retry Policy
      - [FastFail] Section
      - [ModifyUser] Section
      - [SpooledAccounting] Section
        Retry Sequence
    - Directed Realm Configuration (.dir) File
    - radius.ini Realm Settings
  - EAP Configuration Files
    - eap.ini File
    - peapauth.aut File
      - [Bootstrap] Section
      - [Server_Settings] Section
        Cipher_Suites Parameter
        Example 1
        Example 2
      - [Inner_Authentication] Section
      - [Request Filters] Section
      - [Response Filters] Section
      - [Session_Resumption] Section
    - tlsauth.aut File
      - [Server_Settings] Section
        Cipher_Suites Parameter
        Example 1
        Example 2
      - [CRL_Checking] Section
      - [Session_Resumption] Section
      - Sample tlsauth.aut File
    - tlsauth.eap File
      - [Server_Settings] Section
        Cipher_Suites Parameter
        Example 1
        Example 2
      - [Secondary_Authorization] Section
      - [CRL_Checking] Section
      - [Session_Resumption] Section
      - Sample tlsauth.eap File
      - Configuring Secondary Authorization
        SQL Authentication
        LDAP Authentication
    - ttlsauth.aut File
      - [Bootstrap] Section
      - [Server_Settings] Section
        Cipher_Suites Parameter
        Example 1
        Example 2
      - [Inner_Authentication] Section
      - [Request_Filters] Section
      - [Response_Filters] Section
      - [CRL_Checking] Section
      - [Session_Resumption] Section
      - Sample ttlsauth.aut File
  - Session State Register (SSR) Configuration Files
    - Configuring the config.ini File
    - Configuring the dbclusterndb.gen File
      - [Bootstrap] Section
      - [NDB] Section
        [Database] Section
      - [IpAddressPools] Section
      - [IpAddressPools:PoolName] Section
    - Using the georedSess.ses File to Configure the Geo-Redundancy Feature
  - Local CST Configuration Files
    - dbclusterRPC.gen File
    - cstserver.ini File
      - [Configuration] Section
      - [HA-Settings] Section
- Back-End Authentication and Accounting
  - SQL Plug-Ins
    - Common Configuration Items
      - [Bootstrap] Section
      - [Settings] Section
        Limitations of Underlying Database APIs
        SQL Parameter
        ErrorMap
        mssql.ini File
        [SoftErrors] Section
        mysql.ini File
        [SoftErrors] Section
        oracle.ini File
        [SoftErrors] Section
        LogLevel
      - [Server] Section
      - [Server/name] Sections
        Last Resort Server
      - Load Balancing Example
      - JDBC Plug-ins
    - SQL Authentication
      - [Settings] Section
        PasswordFormat
        ClearTextBinary
        DefaultResults
        SuccessResult
        UpperCaseName
      - [Results] Section
        Default [Results] Parameters
      - [FailedSuccessResultAttributes] Section
      - [Failure] Section
      - [Strip] Sections
      - Example: SQL Authentication Configuration File
    - SQL Accounting
    - SQL Accessors
    - Detailed Use Cases
      - Working with Stored Procedures
      - SQL Database Data Retrieval Methods
        SQL=SELECT Method for Data Retrieval from SQL Databases
        SQL=SELECT Method: SELECT Statement
        SQL=SELECT Method: [Results] Section
        SQL=SELECT Method: Section Correlations Illustrated
        Stored Procedure Method for Data Retrieval from SQL Databases
        Stored Procedure Method: BEGIN Statement of sqlaccessor.gen
        Stored Procedure Method: [Results] Section of sqlaccessor.gen
        Stored Procedure Method: Database Schema
        Stored Procedure Method: Data Retrieval
        Stored Procedure Method: Example
  - LDAP Plug-Ins
    - Overview
    - Common Configurations
    - LDAP Authentication
    - LDAP Accessor Files
  - CDR Accounting Plug-Ins
    - CDR Process Overview
    - Types of Call Detail Records
    - Configuring Accounting Options with cdracct.acc
      - [Bootstrap] Section of cdracct.acc
        Example
      - [Settings] Section of cdracct.acc
        Example
    - Displaying CDR Information
    - CDR Fields
    - CDR Field Formats for Binary and ASN.1 CDR Files
      - Field Formats for Binary Version 1 and Binary Version 2 CDR Files
- SIM Authentication Module
  - Common Configurations
    - ss7db.gen File
      - [Bootstrap] Section
      - [Settings] Section
    - gsmmap.gen File
      - [Bootstrap] Section
      - [Settings] Section
      - [Realms] Section
      - Configuring Each Realm Section
        Example
        Relationship Between Sections
      - Network Equipment and Data Needed for Processing Access-Requests
        Example: Authorization String
        Disabling Authorization from EAP-SIM
      - Target Module Section
        Target Module Fields (General Case)
        MAP Gateway Target Module Fields
        Example of MAP Gateway Target Module Fields
        SQL Database Target Module Fields
        Example of SQL Database Target Module
        LDAP Database Target Module Fields
        Example of LDAP Database Target Module
    - Signalware MML Commands
  - SIM/AKA Authentication
    - Overview
    - Configuring the simauth.aut File
    - Authentication Gateway
      - Configuring the ulcmmg.conf File
      - Configuring the GWrelay.conf File
      - Starting and Stopping the GWrelay Process
      - Configuring the authGateway.conf File
        [Routing-Configuration] Section
        Authorization Options
        Example 1—authGateway.conf file [Routing-Configuration] Section
        Example 2—authGateway.conf file [Routing-Configuration] Section
        [Supported-MAP-Messages] Section
        [Common-AGW-Configurations] Section
        [Process<name>] Section
        Example
      - Configuring the authGateway Startup with MML Commands
        Example—Creating and Starting the authGateway Process
- Optional Mobility Module Configuration Files
  - WiMAX Mobility Module Configuration File
    - wimax.ini File
- SNMP Configuration Files
  - SNMP Configuration Overview
  - SNMP Traps and Statistics Overview
- Appendixes
  - Authentication Protocols
  - Vendor-Specific Attributes
  - Configuration Examples
    - Steel-Belted Radius Carrier: 3G-to-Wi-Fi Offload Solution Using the SBR MAP Gateway with EAP-SIM or EAP-AKA
  - Detailed Use Cases
    - Using SQL Accessors
      - Configuring gsmmap.gen for Key Field Identification
        Examples
      - Configuring sqlaccessor.gen or sqlaccessor_jdbc.gen for Key Field Identification
        Examples
    - Using LDAP Accessors
      - Configuring ldapaccessor.gen for Key Field Identification
    - Assigning IP Addresses Based on APN
    - Adding Attributes to an Access-Accept
      - Overview
      - Data Flow
      - Configuration Tasks
      - Configuring Files for Adding Attributes to Access-Accept
      - Example Configuration for Adding Attributes to Access-Accept
        Example Overview
        Example Notes
        Access-Request
        SIMAuth
        Radsql.aut
        Eap.ini
        SQL Database Table 1
        Access-Accept
      - Activate the Authentication Method
    - Interfacing with a Kineto IP Network Controller
      - Attribute Handling Methods
      - Access-Request Conversion
      - Access-Accept Conversion
      - Access-Reject Conversion
      - Configuring the SIM Authentication Module for Handling Kineto Attributes
        Configuring the kinetoUMAAttrHandler.ctrl File
        Example kinetoUMAAttrHandler.ctrl file
        Configuring the controlpoints.ini File
        Configuring Kineto Attribute Recognition
        Activating the Authentication Method
        Developing Applications for the S1 Interface
    - Using Managed IPv6 Address Pools
  - SIR.conf File
  - Glossary
    - Numerics
    - A
    - B
    - C
    - D
    - E
    - F
    - G
    - H
    - I
    - J
    - L
    - M
    - N
    - O
    - P
    - Q
    - R
    - S
    - T
    - U
    - V
    - W

Download This Guide

Download this guide: Steel-Belted Radius Carrier 8.4.0 Reference Guide

SQL Accessors

You can use an external SQL database to authorize subscribers. The sqlaccessor.gen file stores the settings needed by the SQLAccessor plug-in to authorize subscribers. SQLAccessor requires three items of information from the database:

IMSI
MSISDN
Authorization String

This section describes the configuration choices that you need to make to configure sqlaccessor.gen or sqlaccessor_jdbc.gen.

The sqlaccessor.gen file stores the settings used by the SQL data accessor plug-in. It is composed of several sections. Section names are enclosed in square brackets.

Note: For information about the configuration items that are common across all SQL plug-ins, see Common Configuration Items.

Note: The databases used must support stored procedures.

Note: Oracle front-end applications are not supported on a Linux platform. The sqlaccessor.so and sqlaccessor.gen files are specific to Oracle plug-ins and must not be installed on a Linux platform. You must instead use the sqlaccessor_jdbc.gen file.

[Settings] Section

The [Settings] section of the sqlaccessor.gen file defines parameters that control the database connection.

Table 159: [Settings] Section

Field	Description
MethodName	Identifies the name under which the data accessor registers itself with Steel-Belted Radius Carrier. Default value is SQL Accessor.
Driver	(JDBC only) Specifies the third-party JDBC driver to load for authentication. For example: Driver=com/mysql/jdbc/Driver Note: Third-party JDBC drivers must be installed in the <JRE-path>/lib/ext directory. Where, <JRE-path> indicates the path where the JRE (that is integrated with SBR Carrier) is installed in your system. Refer to the JDBC driver documentation for information about how to install the JDBC driver and supporting files.
ConnectDelimiter	Specifies the character used to separate fields (DSN, UID, PWD) in the connect string. Default value is ; (semicolon). If the connect string requires use of semicolons as part of a field value, you can use this parameter to specify a different delimiter, such as ^ (caret).

Field

Description

MethodName

Identifies the name under which the data accessor registers itself with Steel-Belted Radius Carrier.

Default value is SQL Accessor.

Driver

(JDBC only) Specifies the third-party JDBC driver to load for authentication.

For example: Driver=com/mysql/jdbc/Driver

Note: Third-party JDBC drivers must be installed in the <JRE-path>/lib/ext directory. Where, <JRE-path> indicates the path where the JRE (that is integrated with SBR Carrier) is installed in your system. Refer to the JDBC driver documentation for information about how to install the JDBC driver and supporting files.

ConnectDelimiter

Specifies the character used to separate fields (DSN, UID, PWD) in the connect string.

Default value is ; (semicolon). If the connect string requires use of semicolons as part of a field value, you can use this parameter to specify a different delimiter, such as ^ (caret).

[Query] Section

The [Query] section indicates the SQL statement that uses “select” or “update” information in the SQL database.

Table 160: [Query] Section

Setting	Description
n=DMUSelect	The value of n must match the value of SelectQueryNumber in the [DatabaseQueries] section of the dmu.aut file. Example: sqlaccessor.gen file [Query] 1=DMUSelect dmu.aut file [DatabaseQueries] SelectQueryNumber=1
m=DMUUpdate	The value of m must match the value of UpdateQueryNumber in the [DatabaseQueries] section of the dmu.aut file. Example: sqlaccessor.gen file [Query] 2=DMUUpdate dmu.aut file [DatabaseQueries] UpdateQueryNumber=2

Setting

Description

n=DMUSelect

The value of n must match the value of SelectQueryNumber in the [DatabaseQueries] section of the dmu.aut file.

Example: sqlaccessor.gen file [Query]
1=DMUSelect dmu.aut file [DatabaseQueries]
SelectQueryNumber=1

m=DMUUpdate

The value of m must match the value of UpdateQueryNumber in the [DatabaseQueries] section of the dmu.aut file.

Example:
sqlaccessor.gen file [Query]
2=DMUUpdate dmu.aut file [DatabaseQueries]
UpdateQueryNumber=2

[Query/DMUSelect] Section

The [Query/DMUSelect] section contains the SQL statement for the DMUSelect query used to retrieve information from the database.

The SQL statement in the [Query/DMUSelect] section has the following format:

SQL=SELECT MSID, MNAuthenticator, MN_HAAAKey, MN_HAKey, CHAPKey, KeysExpireTime, DMUState FROM databasename WHERE UserName = @NAI

where:

MSID—Column name of the SQL database column containing the MSID values.
MNAuthenticator—Column name of the SQL database column containing the MNAuthenticator values.
MN_HAAAKey—Column name of the SQL database column containing the MN_HAAA_Key values.
MN_HAKey—Column name of the SQL database column containing the MN_HA_Key values.
CHAPKey—Column name of the SQL database column containing the CHAP_Key values.
KeysExpireTime—Column name of the SQL database column containing the KeyUTCExpireTime values.
DMUState—Column name of the SQL database column containing the MIPUpdateState values.
databasename—database identifier
UserName—Column configuration of the SQL database column containing the NAI values

[Query/DMUUpdate] Section

The [Query/DMUUpdate] section contains the SQL statement used to write DMU information to the database.

The SQL statement in this section also maps the database column names to the corresponding variables.

The SQL statement in the [Query/DMUUpdate] section has the following format:

SQL=UPDATE databasename  SET MN_HAAAKey = @MN_HAAA_Key, MN_HAKey = @MN_HA_Key, CHAPKey = @CHAP_Key, KeysExpireTime = @KeyUTCExpireTime/n, DMUState = @MIPUpdateState/n WHERE UserName = @NAI

where:

databasename—database identifier
MN_HAAAKey—Column name of the SQL database column containing the MN_HAAA_Key values.
MN_HAKey—Column name of the SQL database column containing the MN_HA_Key values.
CHAPKey—Column name of the SQL database column containing the CHAP_Key values.
KeysExpireTime—Column name of the SQL database column containing the KeyUTCExpireTime values.
DMUState—Column name of the SQL database column containing the MIPUpdateState values.
UserName—Column name of the SQL database column containing the NAI values

[Results] Section

The [Results] section maps the position of a column name in the SELECT SQL statement with the data needed.

The [Results/DMUSelect] section maps the SQL database column names to the variable names specified in the [VariableTypes] section.

Table 161: [Results/DMUSelect] Section

Setting	Description
MSID = position_num/max_chars	Position_num represents the position in the SQL DMUSelect statement that corresponds to the MSID variable. Max_chars represents the maximum number of characters in the SQL database column that contains the MSID values.
MNAuthenticator =position_num/max_chars	Position_num represents the position in the SQL DMUSelect statement that corresponds to the MNAuthenticator variable. Max_chars represents the maximum number of characters in the SQL database column that contains the MNAuthenticator values.
MN_HAAA_Key =position_num/max_chars	Position_num represents the position in the SQL DMUSelect statement that corresponds to the MN_HAAA_Key variable. Max_chars represents the maximum number of characters in the SQL database column that contains the MN_HAAA_Key values.
MN_HA_Key =position_num/max_chars	Position_num represents the position in the SQL DMUSelect statement that corresponds to the MN_HA_Key variable. Max_chars represents the maximum number of characters in the SQL database column that contains the MN_HA_Key values.
CHAP_Key =position_num/max_chars	Position_num represents the position in the SQL DMUSelect statement that corresponds to the CHAP_Key variable. Max_chars represents the maximum number of characters in the SQL database column that contains the CHAP_Key values.
MIPUpdateState = position_num	Position_num represents the position in the SQL DMUSelect statement that corresponds to the MIPUpdateState variable.
KeyUTCExpireTime = position_num	Position_num represents the position in the SQL DMUSelect statement that corresponds to the KEYUTCExpireTime variable.

Note: The [Query/DMUUpdate] section does not need a corresponding [Results] section because the mapping between the variable names and the column headings takes place in the SQL statement itself.

[Failure] Section

The [Failure] section of the sqlaccessor.gen file can be used to determine the result of the authentication process (accept or reject) when connectivity to all of the configured SQL databases has failed.

Table 162: [Failure] Section

Setting	Description
Accept	If set to 1, Steel-Belted Radius Carrier returns an Access-Accept packet with the Profile and any combination of the FullName and Alias attributes specified in the corresponding [Failure] section parameters. If set to 0, the user is rejected.
Profile	Specifies the name of a Steel-Belted Radius Carrier profile whose check list and return list attributes are applied to the user's connection.
Fullname	By indicating a FullName, Steel-Belted Radius Carrier returns a value in the class attribute, allowing for all [Failure] connections to be accounted.

Example: SQL Accessor Configuration File

This section provides an example of an Oracle sqlaccessor.gen configuration file.

[Bootstrap]
LibraryName=radsql_accessor_ora.so
Enable=0

[Settings]
MethodName=SQLAccessor
MethodName=SQL Accessor
Connect=username/password@servicename
SQL=SELECT msisdn, imsi, auth_string FROM tablename WHERE subscriber_id=@KeytoRecord
ParameterMarker=?
MaxConcurrent=1
ConcurrentTimeout=30
WaitReconnect=2
MaxWaitReconnect=360
MaxHardErrorRetries=0

[Server]
s1=2
s2=2

[Server/s1]
Connect=admin1/passwd1@mydb1

[Server/s2]
Connect=admin2/passwd2@mydb2

[Server/s3]
Connect=admin3/passwd3@mydb3
LastResort = 1

[Query]
1=DMUSelect
2=DMUUpdate

[Query/DMUSelect]
SQL=SELECT MSID, MNAuthenticator, MN_HAAAKey, MN_HAKey, CHAPKey, KeysExpireTime, DMUState FROM databasename WHERE UserName = @NAI

[Query/DMUUpdate]
SQL=UPDATE databasename SET MN_HAAAKey = @MN_HAAA_Key, MN_HAKey = @MN_HA_Key, CHAPKey = @CHAP_Key, KeysExpireTime = @KeyUTCExpireTime/n, DMUState = @MIPUpdateState/n WHERE UserName = @NAI

[Results]

[Results/DMUSelect]
MSID = 1/48
MNAuthenticator = 2/48
MN_HAAA_Key = 3/48
MN_HA_Key = 4/48
CHAP_Key = 5/48
MIPUpdateState = 7
KeyUTCExpireTime = 6

[Results/DMUUpdate]

[Failure]
Accept=0
Profile=xyz
FullName=Remote User