Steel-Belted Radius Carrier 8.4.1 Administration and Configuration Guide
Implementing CoA/DM Support
Step 1: Develop a Deployment Plan
As a mobile or wire-line operator, you can configure the CoA/DM functionality to offer dynamic service changes to reinforce your current service offerings. Before you begin to customize the CoA/DM settings, develop a comprehensive deployment plan based on the solution your company offers to its customers. Have your network architect or someone who has detailed knowledge of your network access servers and service offerings develop this plan.
Depending on the complexity of the services you want to provide, you may need to customize other aspects of your network. For example, if you want to offer a prepaid service, then include in the deployment plan all of the different types of disconnect messages and change of authorization messages that are required to support control of data services where usage is metered by time or traffic volume. When users exhaust their prepaid service quota, the CoA/DM feature can disconnect them, or redirect them to a subscriber page, so that subscribers do not exceed their purchased limit and can purchase more time or data in mid-session.
Note: This type of service interacts with other devices in your network that may require customization beyond the scope of this guide. Make sure your deployment plans take into consideration all aspects of the services you want to provide.
Step 2: Consult Your NAS-Specific Documentation
The information required to identify a session and to process CoA/DM requests depends on the NAS devices in your network. To determine a NAS’s capabilities, you must consult the documentation for each NAS, find its make and model, and determine the appropriate attribute packing list (containing the list of attribute-value pairs). What actions is the NAS capable of supporting? What attributes does the NAS require in the request? What attributes does the NAS include in the response? You need to know what type of information the NAS supports because if the list of AVPs cannot satisfy a request, then the request cannot be sent.
You must configure the deviceModels.xml file to support your specific NAS according to the NAS capabilities and the specific actions you want to support.
Step 3: Configure Each NAS as a Client in Steel-Belted Radius Carrier
Each device in your network sending requests to the server must be defined as a client in Steel-Belted Radius Carrier. To support RFC 3576 Change of Authorization (CoA), Disconnect Message (DM), or the Cisco proprietary Packet of Disconnect (PoD), you need to configure the following parameters for the client:
- RFC 3576 CoA/DM port and RFC 3576 CoA/DM shared secret
- POD port and POD shared secret
Note: For CoA/DM or PoD ports, you must specify the shared secret for the CoA/DM functionality to work. If you do not specify port numbers, Steel-Belted Radius Carrier uses the defaults from the deviceModels.xml file.
Note: If a NAS client is configured without saving the shared secret, you are prompted to enter the shared secret when the client is subsequently viewed. If unexpected results such as invalid signatures occur, ensure that the shared secret is set correctly.
Note: CoA/DM and POD messages do not work for the <ANY> RADIUS client.
For complete details on configuring clients in Steel-Belted Radius Carrier, see Administering RADIUS Clients and Client Groups.
Step 4: Configure the deviceModels.xml File
The deviceModels.xml file contains a list of device models for each controlled device object associated with your NAS clients, and defines the actions supported by each NAS. The actions supported by each NAS can vary. For example, some devices may use different AVPs as keys when referring to a session, such as Acct-Session-Id, NAS-Port, and NAS-Port-Type. As a result, you need to customize the deviceModels.xml file to support the specific NAS and their associated CoA/DM capabilities.
For information about configuring the deviceModels.xml file, see Configuring the deviceModels.xml File.
Step 5: Configure the Current Sessions Table (CST) for Your Environment
To ensure that CoA/DM requests are processed properly, you need to customize the current sessions table (CST) for your network environment. The CST must be customized so that session queries include the attributes your NAS devices require in a CoA/DM (action) request, and the attributes SBR Carrier requires in the NAS response. Customizing the CST to include the proper attributes ensures that the session data returned from a query includes the attributes your NAS device needs to process CoA/DM requests.
If you do not customize the CST, then you need to ensure that each DM-Request or CoA-Request includes the appropriate attribute packing list for the request.
For details on customizing the CST, see the SBR Carrier Installation Guide.
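The shared secret configured in Step 3 is what ties a CoA/DM request to its response: RFC 3576 derives the Request Authenticator from the packet plus the secret, and the NAS derives the Response Authenticator from the request's authenticator plus the secret, which is why a mismatched secret surfaces as an "invalid signature". The following Python is an added example, not code from the guide or from SBR Carrier; the attribute type codes are the standard RADIUS ones, and the secret and session values are constructed.

```python
import hashlib
import struct

# RADIUS packet codes for Disconnect Messages (RFC 3576)
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42

# Standard RADIUS attribute types commonly used as session keys
ATTR_USER_NAME = 1
ATTR_NAS_PORT = 5
ATTR_ACCT_SESSION_ID = 44
ATTR_NAS_PORT_TYPE = 61


def encode_attrs(avps):
    """Encode (type, value) pairs as RADIUS TLVs; ints become 4-byte big-endian."""
    out = b""
    for typ, value in avps:
        data = struct.pack(">I", value) if isinstance(value, int) else value
        out += struct.pack("BB", typ, 2 + len(data)) + data
    return out


def build_request(code, identifier, avps, secret):
    """Build a CoA/DM request. RFC 3576 section 3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    attrs = encode_attrs(avps)
    header = struct.pack(">BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def verify_request(packet, secret):
    """Recompute the Request Authenticator, as the NAS does on receipt."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(header + bytes(16) + attrs + secret).digest() == auth


def build_response(code, request, avps, secret):
    """Build the NAS reply. Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuth + attributes + secret)."""
    attrs = encode_attrs(avps)
    header = struct.pack(">BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def verify_response(response, request, secret):
    """Check a Disconnect-ACK/NAK against the request it answers; a wrong
    secret on either side makes this fail (the 'invalid signature' case)."""
    if response[1] != request[1]:  # identifier must match the outstanding request
        return False
    header, auth, attrs = response[:4], response[4:20], response[20:]
    return hashlib.md5(header + request[4:20] + attrs + secret).digest() == auth


if __name__ == "__main__":
    secret = b"constructed-secret"  # constructed; use the client's real secret
    session_keys = [(ATTR_USER_NAME, b"bob"), (ATTR_ACCT_SESSION_ID, b"0000A1B2"),
                    (ATTR_NAS_PORT, 7), (ATTR_NAS_PORT_TYPE, 15)]
    req = build_request(DISCONNECT_REQUEST, 3, session_keys, secret)
    ack = build_response(DISCONNECT_ACK, req, [], secret)
    print("request ok:", verify_request(req, secret))
    print("ack ok:", verify_response(ack, req, secret))
    print("ack with wrong secret:", verify_response(ack, req, b"wrong"))
```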