TechLibrary

[+] Expand All

[-] Collapse All

Steel-Belted Radius Carrier 8.4.1 Reference Guide
- Copyright and Trademark Information
- Table of Contents
- List of Figures
- List of Tables
- About This Guide
- Introduction
  - Introduction to Configuration Files
    - Configuration Files
    - Tips for Editing Configuration Files
- Steel-Belted Radius Carrier Core and Radius Front-End Files
  - Operations Files
    - access.ini File
      - [Settings] Section
      - [Users] and [Groups] Sections
    - admin.ini File
      - [AccessLevel] Section
      - [SNMPAgent] Section
    - events.ini File
      - [EventDilutions] Section
        Example
      - [Suppress] Section
        Example
      - [Thresholds] Section
        Example
    - events.xml File
    - radius.ini File
      - [Addresses] Section
        Example 1
        Example 2
      - [AuditLog] Section
      - [AuthRejectLog] Section
      - [Configuration] Section
      - [CurrentSessions] Section
      - [DynAuthProxy]
      - [LatencyLog]
      - [EmbedInClass] Section
      - [HiddenEAPIdentity] Section
      - [IPPoolSuffixes] Section
      - [IPv6] Section
      - [JavaScript] Section
      - [LDAP] Section
      - [LDAPAddresses] Section
      - [Logging] Section
        Log File Naming Conventions and Log Rollover
        Thread Identifiers
        Session Identifiers
        Example
        Enhanced Proxy Logging
      - [MsChapNameStripping] Section
      - [PurgeThreadLogging] Section
      - [Ports] Section
      - [Self] Section
      - [StaticAcctProxy] Section
      - [Status] Section
      - [Strip] Section
      - [StripPrefix] Section
      - [StripSuffix] Section
      - [UserNameTransform] Section
        Example
      - [ValidateAuth] and [ValidateAcct] Sections
    - sbrd.conf File
    - services File
    - servtype.ini File
    - update.ini File
      - [HUP] and [USR2] Sections
        Example
    - Auto-Restart Files
      - Perl SNMP Support
      - Perl System Log Support
      - sbrd.conf File
      - radiusd.conf File
        radiusd.conf Configuration File
  - Authentication Configuration Files
    - authlog.ini File
    - authReport.ini File
    - authReportAccept.ini File
      - [Attributes] Section
      - [Settings] Section
    - authReportBadSharedSecret.ini File
      - [Attributes] Section
      - [Settings] Section
    - authReportReject.ini File
      - [Attributes] Section
      - [Settings] Section
    - authReportUnknownClient.ini File
      - [Attributes] Section
      - [Settings] Section
    - blacklist.ini File
    - lockout.ini File
      - [ClientExclusionList] Section
      - [UserExclusionList] Section
    - redirect.ini File
      - [Settings] Section
      - [ClientExclusionList] Section
    - statlog.ini File
      - [Settings] Section
      - [Statistics] Section
  - Attribute Processing Files
    - Dictionary Files
      - .dct Files
        .dct File Location
        .dct File Records
        Editing .dct Dictionary Files
        Include Records
        Master Dictionary for .dct Files
        ATTRIBUTE Records
        Attribute Name and Identifier
        Syntax Type Identifier
        Compound Syntax Types
        Flag Characters
        VALUE Records
        Macro Records
        OPTION Records
      - .dic Files
        .dic File Location
        <?dict> Element
        <vendor> Element
        <attribute> Element
        Editing .dic Dictionary Files
    - Structured Attributes
      - Structured Attribute Dictionary Definitions
        XML Format of Dictionary Files
        <dictionary> Element
        <attribute> Element
        Subattribute Elements
        <constant>
      - Functional Areas That Use Subattributes
        Packet Parsing and Formatting
        Features that Support the Use of Structured and Subattributes
        Single Subattribute Insertion
        Attribute Filtering
        Proxy Attribute Mapping
        Structured Attributes in Return Lists and Check Lists
        Using Web GUI to Configure Subattributes in Return Lists and Checklists
        Using the LCI to Define Subattributes in Return Lists and Check Lists
        Javascript
        Converting Previous Attribute Flatteners with Subattributes
        Plug-in Attribute Access
      - Example of Configuration and Usage of a Structured Attribute
        3GPP2 Data Definition
        SBR Carrier XML Dictionary Definition
        Example Data
        LCI Encoding
    - classmap.ini File
      - [AttributeName] Section
    - filter.ini File
      - Filter Rules
      - Order of Filter Rules
        Examples
      - Values in Filter Rules
      - Referencing Attribute Filters
    - sample.rr File
    - spi.ini File
      - [Keys] Section
      - [Hosts] Section
    - vendor.ini File
      - [Vendor-Product Identification] Section
      - Product-Scan Settings
    - Adding NAS Location Information to Access-Request Messages
      - Location-Specific Configuration Files
      - locspec.ctrl File
        Example
        Example
        Example
        Example
      - proxy.ini File
        Example
      - realm.pro File
        Example realm.pro file:
      - Example Configuration for Adding NAS Location Attributes to Access-Request
        Example Overview
        Example Configuration
  - Address Assignment Files
    - dhcp.ini File
      - [Settings] Section
      - [Pools] Section
    - pool.dhc Files
  - Accounting Configuration Files
    - account.ini File
    - acctReport.ini File
    - sessionTable.ini File
      - [Settings] Section
  - Realm Configuration Files
    - Proxy Realm Configuration Files
    - Directed Realm Configuration Files
      - Sample proxy.ini File
      - Sample Directed Realm (.dir) File
    - proxy.ini File
    - Proxyrl.ini File
    - Proxy RADIUS Configuration (.pro) File
      - [Auth] Section
      - [Acct] Section
      - [AutoStop] Section
      - [Called-Station-ID] Section
      - [DynAuth] Section
      - Target Selection Rules
        Round-Robin Load Balancing
        Selecting a Backup Server
        Realm Retry Policy
      - [FastFail] Section
      - [ModifyUser] Section
      - [SpooledAccounting] Section
        Retry Sequence
    - Directed Realm Configuration (.dir) File
    - radius.ini Realm Settings
  - EAP Configuration Files
    - eap.ini File
    - peapauth.aut File
      - [Bootstrap] Section
      - [Server_Settings] Section
        Cipher_Suites Parameter
        Example 1
        Example 2
      - [Inner_Authentication] Section
      - [Request Filters] Section
      - [Response Filters] Section
      - [Session_Resumption] Section
    - tlsauth.aut File
      - [Server_Settings] Section
        Cipher_Suites Parameter
        Example 1
        Example 2
      - [CRL_Checking] Section
      - [Session_Resumption] Section
      - Sample tlsauth.aut File
    - tlsauth.eap File
      - [Server_Settings] Section
        Cipher_Suites Parameter
        Example 1
        Example 2
      - [Secondary_Authorization] Section
      - [CRL_Checking] Section
      - [Session_Resumption] Section
      - Sample tlsauth.eap File
      - Configuring Secondary Authorization
        SQL Authentication
        LDAP Authentication
    - ttlsauth.aut File
      - [Bootstrap] Section
      - [Server_Settings] Section
        Cipher_Suites Parameter
        Example 1
        Example 2
      - [Inner_Authentication] Section
      - [Request_Filters] Section
      - [Response_Filters] Section
      - [CRL_Checking] Section
      - [Session_Resumption] Section
      - Sample ttlsauth.aut File
  - Session State Register (SSR) Configuration Files
    - Configuring the config.ini File
    - Configuring the dbclusterndb.gen File
      - [Bootstrap] Section
      - [NDB] Section
        [Database] Section
      - [IpAddressPools] Section
      - [IpAddressPools:PoolName] Section
    - Using the georedSess.ses File to Configure the Geo-Redundancy Feature
  - Local CST Configuration Files
    - dbclusterRPC.gen File
    - cstserver.ini File
      - [Configuration] Section
      - [HA-Settings] Section
- Back-End Authentication and Accounting
  - SQL Plug-Ins
    - Common Configuration Items
      - [Bootstrap] Section
      - [Settings] Section
        Limitations of Underlying Database APIs
        SQL Parameter
        ErrorMap
        mssql.ini File
        [SoftErrors] Section
        mysql.ini File
        [SoftErrors] Section
        oracle.ini File
        [SoftErrors] Section
        LogLevel
      - [Server] Section
      - [Server/name] Sections
        Last Resort Server
      - Load Balancing Example
      - JDBC Plug-ins
    - SQL Authentication
      - [Settings] Section
        PasswordFormat
        ClearTextBinary
        DefaultResults
        SuccessResult
        UpperCaseName
      - [Results] Section
        Default [Results] Parameters
      - [FailedSuccessResultAttributes] Section
      - [Failure] Section
      - [Strip] Sections
      - Example: SQL Authentication Configuration File
    - SQL Accounting
    - SQL Accessors
    - Detailed Use Cases
      - Working with Stored Procedures
      - SQL Database Data Retrieval Methods
        SQL=SELECT Method for Data Retrieval from SQL Databases
        SQL=SELECT Method: SELECT Statement
        SQL=SELECT Method: [Results] Section
        SQL=SELECT Method: Section Correlations Illustrated
        Stored Procedure Method for Data Retrieval from SQL Databases
        Stored Procedure Method: BEGIN Statement of sqlaccessor.gen
        Stored Procedure Method: [Results] Section of sqlaccessor.gen
        Stored Procedure Method: Database Schema
        Stored Procedure Method: Data Retrieval
        Stored Procedure Method: Example
  - LDAP Plug-Ins
    - Overview
    - Common Configurations
    - LDAP Authentication
    - LDAP Accessor Files
  - CDR Accounting Plug-Ins
    - CDR Process Overview
    - Types of Call Detail Records
    - Configuring Accounting Options with cdracct.acc
      - [Bootstrap] Section of cdracct.acc
        Example
      - [Settings] Section of cdracct.acc
        Example
    - Displaying CDR Information
    - CDR Fields
    - CDR Field Formats for Binary and ASN.1 CDR Files
      - Field Formats for Binary Version 1 and Binary Version 2 CDR Files
- SIM Authentication Module
  - Common Configurations
    - ss7db.gen File
      - [Bootstrap] Section
      - [Settings] Section
    - gsmmap.gen File
      - [Bootstrap] Section
      - [Settings] Section
      - [Realms] Section
      - Configuring Each Realm Section
        Example
        Relationship Between Sections
      - Network Equipment and Data Needed for Processing Access-Requests
        Example: Authorization String
        Disabling Authorization from EAP-SIM
      - Target Module Section
        Target Module Fields (General Case)
        MAP Gateway Target Module Fields
        Example of MAP Gateway Target Module Fields
        SQL Database Target Module Fields
        Example of SQL Database Target Module
        LDAP Database Target Module Fields
        Example of LDAP Database Target Module
    - Signalware MML Commands
  - SIM/AKA Authentication
    - Overview
    - Configuring the simauth.aut File
    - Authentication Gateway
      - Configuring the ulcmmg.conf File
      - Configuring the GWrelay.conf File
      - Starting and Stopping the GWrelay Process
      - Configuring the authGateway.conf File
        [Routing-Configuration] Section
        Authorization Options
        Example 1—authGateway.conf file [Routing-Configuration] Section
        Example 2—authGateway.conf file [Routing-Configuration] Section
        [Supported-MAP-Messages] Section
        [Common-AGW-Configurations] Section
        [Process<name>] Section
        Example
      - Configuring the authGateway Startup with MML Commands
        Example—Creating and Starting the authGateway Process
- Optional Mobility Module Configuration Files
  - WiMAX Mobility Module Configuration File
    - wimax.ini File
- SNMP Configuration Files
  - SNMP Configuration Overview
  - SNMP Traps and Statistics Overview
- Appendixes
  - Authentication Protocols
  - Vendor-Specific Attributes
  - Configuration Examples
    - Steel-Belted Radius Carrier: 3G-to-Wi-Fi Offload Solution Using the SBR MAP Gateway with EAP-SIM or EAP-AKA
  - Detailed Use Cases
    - Using SQL Accessors
      - Configuring gsmmap.gen for Key Field Identification
        Examples
      - Configuring sqlaccessor.gen or sqlaccessor_jdbc.gen for Key Field Identification
        Examples
    - Using LDAP Accessors
      - Configuring ldapaccessor.gen for Key Field Identification
    - Assigning IP Addresses Based on APN
    - Adding Attributes to an Access-Accept
      - Overview
      - Data Flow
      - Configuration Tasks
      - Configuring Files for Adding Attributes to Access-Accept
      - Example Configuration for Adding Attributes to Access-Accept
        Example Overview
        Example Notes
        Access-Request
        SIMAuth
        Radsql.aut
        Eap.ini
        SQL Database Table 1
        Access-Accept
      - Activate the Authentication Method
    - Interfacing with a Kineto IP Network Controller
      - Attribute Handling Methods
      - Access-Request Conversion
      - Access-Accept Conversion
      - Access-Reject Conversion
      - Configuring the SIM Authentication Module for Handling Kineto Attributes
        Configuring the kinetoUMAAttrHandler.ctrl File
        Example kinetoUMAAttrHandler.ctrl file
        Configuring the controlpoints.ini File
        Configuring Kineto Attribute Recognition
        Activating the Authentication Method
        Developing Applications for the S1 Interface
    - Using Managed IPv6 Address Pools
  - SIR.conf File
  - Glossary
    - Numerics
    - A
    - B
    - C
    - D
    - E
    - F
    - G
    - H
    - I
    - J
    - L
    - M
    - N
    - O
    - P
    - Q
    - R
    - S
    - T
    - U
    - V
    - W

Download This Guide

Download this guide: Steel-Belted Radius Carrier 8.4.1 Reference Guide

Adding Attributes to an Access-Accept

This feature allows you to add attribute values retrieved from an external subscriber database to Access-Accept message. For example, you might want to include the subscriber’s level of service in the Access-Accept as the value of the attribute Reply-Message. Another example might be retrieving the IP address to be assigned to a mobile node and returning it in the Access-Accept as the value of the attribute Framed-IP-Address.

Overview

You can add additional attributes to Access-Accept messages from an external subscriber database. Two authentication plug-ins are used to accomplish the tasks of authentication and adding attributes to an Access-Accept. The authentication plug-ins are:

The SIMAuth application (acting as the EAP helper)
This authenticator provides EAP authentication for the SIM authentication module.
Helped authenticator (usually the SQL plug-in: radsql.aut or radsqljdbc.aut). This authenticator accesses the database, retrieves the specified attributes, and attaches them to the Access-Accept message. The helped authenticator does not perform any authentication tasks and its password-checking is suppressed. All authentication is performed by the SIMAuth application (the EAP helper).

Data Flow

Authentication of the Access-Request and the addition of attributes to the Access-Accept is handled according to the following flow of data:

The mobile device sends an Access-Request to Steel-Belted Radius Carrier.
SIMAuth manages the EAP negotiation (challenge, and response).
If SIMAuth authenticates the request, it attaches the IMSI and MSISDN of the mobile device, and sends the request to the SQL plug-in: radsql.aut or radsqljdbc.aut.
radsql.aut or radsqljdbc.aut can use the IMSI or MSISDN as a key to query the database and request attribute values (as a separate step from the SIMAuth authentication).

The helped authenticator (usually the SQL authentication plug-in: radsql.aut or radsqljdbc.aut), returns the Access-Accept with attribute values attached.

Note: SIMAuth is known as a Steel-Belted Radius Carrier EAP helper because it performs the EAP authentication for the helped authentication method (usually the SQL authentication plug-ins: radsql.aut or radsqljdbc.aut). Although these SQL plug-ins are usually used for authentication, in this case their function is to access the subscriber database, retrieve attributes, and return them with the Access-Accept.

For complete information about EAP helpers, see the SBR Carrier Administration and Configuration Guide.

Figure 21 shows an example data flow in which Steel-Belted Radius Carrier, SIMAuth, and the SQL plug-ins (either radsql.aut or radsqljdbc.aut) work together to perform the following tasks:

Access authentication (performed by SIMAuth)
Addition of MSISDN and IMSI to the request (performed by SIMAuth)
Database access and attribute retrieval (performed by radsql.aut in this example called SQLAuthenticator)
Addition of retrieved attributes to the Access-Accept (performed by the SQL plug-in: radsql.aut)
Figure 21: Example Data Flow for Addition of Attribute to Access-Accept

Configuration Tasks

To add attributes to the Access-Accept, perform the following tasks:

Configure the related files, as described in Configuring Files for Adding Attributes to Access-Accept.
Activate authentication as described in Activate the Authentication Method.

Configuring Files for Adding Attributes to Access-Accept

The following files require special configuration to allow the addition of attributes to the Access-Accept:

simauth.aut
simauth.eap
radsql.aut, radsqljdbc.aut, or ldapauth.aut
eap.ini

To configure files for adding attributes to Access-Accept:

In the [Bootstrap] section of simauth.aut (for Oracle databases), set Enable=0.
Setting Enable=0 ensures that these files are disabled.
Example:
[Bootstrap]
Enable=0
Create a copy of simauth.aut and name it simauth.eap.
This renaming causes SIMAuth to become the EAP helper.
In the [Bootstrap] section of simauth.eap, ensure that Enable=1.
Open the relevant database access configuration file. This file is one of:
- radsql.aut
- radsqljdbc.aut
- ldapauth.aut
Check the [Bootstrap] section of radsql.aut, radsqljdbc.aut, or ldapauth.aut for the name of the specified authentication method. In the following example, the name of the specified authentication method is “SQLAuthenticator”.
Example:
[Bootstrap]
Initializationstring=SQLAuthenticator
For more information about how to configure the radsql.aut and radsqljdbc.aut files, see SQL Authentication in this guide. For more information about configuring SQL authentication, see the SBR Carrier Administration and Configuration Guide.
For more information about how to configure the ldapauth.aut file, see LDAP Authentication in this guide. For more information about configuring LDAP authentication, see the SBR Carrier Administration and Configuration Guide.
Ensure that there is a section in the eap.ini file that includes the name of the helped authentication method you specified in Step 5. In this example the name is “SQLAuthenticator”.
Example:
[SQLAuthenticator]

Ensure that the following lines are included in the helped authentication method section in eap.ini that you created in Step 6.

[SQLAuthenticator]
EAP-Only=1
First-Handle-Via-Auto-EAP=1
EAP-Type=SIM,AKA
Available-EAP-Only-Values=1
Available-Auto-EAP-Values=1
Available-EAP-Types=SIM|AKA

Note: The lines added in Step 7 configure the specified authentication method (in this case the SQL plug-in: radsql.autwe named: SQLAuthenticator), and also prevent it from being used without the EAP helper (SIMAuth.aut). The use of the helped authentication method (radsql.aut or radsqljdbc.aut) without the EAP helper must be prevented because password checking is suppressed and the EAP helper (SIMAuth.aut) is needed to perform authentication.

Suppress database password checking in the helped authentication method as described for Oracle, JDBC, and LDAP databases.
- Oracle or JDBC: Do not provide a password in the SQL=SELECT statement in the [Settings] section of radsql.aut or radsqljdbc.aut. In the [Results] section of these files, include a PASSWORD= statement, leaving the password blank.
  
  Example:
  [Results]
  Password=
- LDAP: Remove the %password= setting from the [Response] section.

Insert a query into radsql.aut, radsqljdbc.aut, or ldapauth.aut to select the attributes to be added to the Access-Accept.

The selection of attributes from the database can be based on the database key values for IMSI or MSISDN. The values for IMSI or MSISDN are added to the request by SIMAuth in the attributes 3GPP-IMSI or Funk-SS7-MSISDN so that they can be used in the database query.

Example:

SQL=SELECT subscriber-level FROM table 1 WHERE IMSI=@3GPP-IMSI

Note: To have the 3GPP-IMSI attribute set by Steel-Belted Radius Carrier in the request, the 3GPP dictionary must be selected in the Make or model field in the RADIUS Clients List page of Web GUI, or you must import the attribute using the @ character which indicates the dictionary file contents are to be included (see Include Records). You can also use the %username or %user variables in the database query. However, they do not contain the expected values if pseudonyms are active.

Activate the helped authentication method. For more information about setting up authentication policies and defining the order of authentication methods, see the SBR Carrier Administration and Configuration Guide.

Example Configuration for Adding Attributes to Access-Accept

Figure 22 shows a sample configuration. The purpose of this configuration is to query the database for a subscriber-level value and return the subscriber-level value along with the Access-Accept.

Example Overview

In this example, an Access-Request is sent for a mobile device with IMSI 123456789. The value of the subscriber-level for this device is retrieved from the database, assigned to the attribute Reply-Message, and attached to the Access-Accept.

The configuration lines and syntax (shown in Figure 22) associate all the configuration files together to attach an attribute to the Access-Accept.

Figure 22: Example Configuration for Adding Attributes to an Access-Accept

Example Notes

The sample configuration shown in Figure 22 configures the data flow in the following way:

Access-Request

An Access-Request is sent to Steel-Belted Radius Carrier for the user with an IMSI value of 123456789.

SIMAuth

simauth.eap file is enabled
simauth.aut file is disabled.

Radsql.aut

The [Bootstrap] section contains the name of the specified authentication method (“SQLAuthenticator”). You later add a [SQLAuthenticator] section to the eap.ini file.

Enter a SQL=SELECT statement to retrieve data from the database based on the value of the IMSI in the Access-Request. Do not include a password in the SQL SELECT statement.

The @Password= statement suppresses password checking of the database.

The @Reply-Message=1/40 field indicates the following:

The Reply-Message attribute is added to the Access-Accept and carry the value retrieved from the database.
The 1 in @Reply-Message=1/40 indicates that the first item in the SQL=SELECT statement (subscriber-level) is the column name of the SQL database from which the value is selected.
The 40 in @Reply-Message=1/40 indicates that the width of the subscriber-level column is 40 characters.

Eap.ini

The eap.ini file must contain a section corresponding to the name of the helped authentication method named in the Initializationstring statement in the radsql.aut file. In this example the helped authentication method is called “SQLAuthenticator”, so the eap.ini must contain a section called [SQLAuthenticator].

The eap.ini file must contain the lines shown in Figure 22 to configure the SQL plug-in (either radsql.aut or radsqljdbc.aut). These lines, prevent either radsql.aut or radsqljdbc.aut from acting without SIMAuth.aut. This is necessary because password-checking by radsql.aut or radsqljdbc.aut is suppressed and the only authentication being performed would be by the EAP helper (SIMAuth.aut).

SQL Database Table 1

In this example, the SQL database is queried by the SQL plug-in: radsql.aut, and the subscriber-level for IMSI 123456789 is found to be basic.

Access-Accept

The value of basic is assigned to the attribute Reply-Message and included in the Access-Accept.

Activate the Authentication Method

For information about activating and setting up authentication policies, and defining the order of authentication methods, see the SBR Carrier Administration and Configuration Guide.