TechLibrary

[+] Expand All

[-] Collapse All

Steel-Belted Radius Carrier 8.4.1 Reference Guide
- Copyright and Trademark Information
- Table of Contents
- List of Figures
- List of Tables
- About This Guide
- Introduction
  - Introduction to Configuration Files
    - Configuration Files
    - Tips for Editing Configuration Files
- Steel-Belted Radius Carrier Core and Radius Front-End Files
  - Operations Files
    - access.ini File
      - [Settings] Section
      - [Users] and [Groups] Sections
    - admin.ini File
      - [AccessLevel] Section
      - [SNMPAgent] Section
    - events.ini File
      - [EventDilutions] Section
        Example
      - [Suppress] Section
        Example
      - [Thresholds] Section
        Example
    - events.xml File
    - radius.ini File
      - [Addresses] Section
        Example 1
        Example 2
      - [AuditLog] Section
      - [AuthRejectLog] Section
      - [Configuration] Section
      - [CurrentSessions] Section
      - [DynAuthProxy]
      - [LatencyLog]
      - [EmbedInClass] Section
      - [HiddenEAPIdentity] Section
      - [IPPoolSuffixes] Section
      - [IPv6] Section
      - [JavaScript] Section
      - [LDAP] Section
      - [LDAPAddresses] Section
      - [Logging] Section
        Log File Naming Conventions and Log Rollover
        Thread Identifiers
        Session Identifiers
        Example
        Enhanced Proxy Logging
      - [MsChapNameStripping] Section
      - [PurgeThreadLogging] Section
      - [Ports] Section
      - [Self] Section
      - [StaticAcctProxy] Section
      - [Status] Section
      - [Strip] Section
      - [StripPrefix] Section
      - [StripSuffix] Section
      - [UserNameTransform] Section
        Example
      - [ValidateAuth] and [ValidateAcct] Sections
    - sbrd.conf File
    - services File
    - servtype.ini File
    - update.ini File
      - [HUP] and [USR2] Sections
        Example
    - Auto-Restart Files
      - Perl SNMP Support
      - Perl System Log Support
      - sbrd.conf File
      - radiusd.conf File
        radiusd.conf Configuration File
  - Authentication Configuration Files
    - authlog.ini File
    - authReport.ini File
    - authReportAccept.ini File
      - [Attributes] Section
      - [Settings] Section
    - authReportBadSharedSecret.ini File
      - [Attributes] Section
      - [Settings] Section
    - authReportReject.ini File
      - [Attributes] Section
      - [Settings] Section
    - authReportUnknownClient.ini File
      - [Attributes] Section
      - [Settings] Section
    - blacklist.ini File
    - lockout.ini File
      - [ClientExclusionList] Section
      - [UserExclusionList] Section
    - redirect.ini File
      - [Settings] Section
      - [ClientExclusionList] Section
    - statlog.ini File
      - [Settings] Section
      - [Statistics] Section
  - Attribute Processing Files
    - Dictionary Files
      - .dct Files
        .dct File Location
        .dct File Records
        Editing .dct Dictionary Files
        Include Records
        Master Dictionary for .dct Files
        ATTRIBUTE Records
        Attribute Name and Identifier
        Syntax Type Identifier
        Compound Syntax Types
        Flag Characters
        VALUE Records
        Macro Records
        OPTION Records
      - .dic Files
        .dic File Location
        <?dict> Element
        <vendor> Element
        <attribute> Element
        Editing .dic Dictionary Files
    - Structured Attributes
      - Structured Attribute Dictionary Definitions
        XML Format of Dictionary Files
        <dictionary> Element
        <attribute> Element
        Subattribute Elements
        <constant>
      - Functional Areas That Use Subattributes
        Packet Parsing and Formatting
        Features that Support the Use of Structured and Subattributes
        Single Subattribute Insertion
        Attribute Filtering
        Proxy Attribute Mapping
        Structured Attributes in Return Lists and Check Lists
        Using Web GUI to Configure Subattributes in Return Lists and Checklists
        Using the LCI to Define Subattributes in Return Lists and Check Lists
        Javascript
        Converting Previous Attribute Flatteners with Subattributes
        Plug-in Attribute Access
      - Example of Configuration and Usage of a Structured Attribute
        3GPP2 Data Definition
        SBR Carrier XML Dictionary Definition
        Example Data
        LCI Encoding
    - classmap.ini File
      - [AttributeName] Section
    - filter.ini File
      - Filter Rules
      - Order of Filter Rules
        Examples
      - Values in Filter Rules
      - Referencing Attribute Filters
    - sample.rr File
    - spi.ini File
      - [Keys] Section
      - [Hosts] Section
    - vendor.ini File
      - [Vendor-Product Identification] Section
      - Product-Scan Settings
    - Adding NAS Location Information to Access-Request Messages
      - Location-Specific Configuration Files
      - locspec.ctrl File
        Example
        Example
        Example
        Example
      - proxy.ini File
        Example
      - realm.pro File
        Example realm.pro file:
      - Example Configuration for Adding NAS Location Attributes to Access-Request
        Example Overview
        Example Configuration
  - Address Assignment Files
    - dhcp.ini File
      - [Settings] Section
      - [Pools] Section
    - pool.dhc Files
  - Accounting Configuration Files
    - account.ini File
    - acctReport.ini File
    - sessionTable.ini File
      - [Settings] Section
  - Realm Configuration Files
    - Proxy Realm Configuration Files
    - Directed Realm Configuration Files
      - Sample proxy.ini File
      - Sample Directed Realm (.dir) File
    - proxy.ini File
    - Proxyrl.ini File
    - Proxy RADIUS Configuration (.pro) File
      - [Auth] Section
      - [Acct] Section
      - [AutoStop] Section
      - [Called-Station-ID] Section
      - [DynAuth] Section
      - Target Selection Rules
        Round-Robin Load Balancing
        Selecting a Backup Server
        Realm Retry Policy
      - [FastFail] Section
      - [ModifyUser] Section
      - [SpooledAccounting] Section
        Retry Sequence
    - Directed Realm Configuration (.dir) File
    - radius.ini Realm Settings
  - EAP Configuration Files
    - eap.ini File
    - peapauth.aut File
      - [Bootstrap] Section
      - [Server_Settings] Section
        Cipher_Suites Parameter
        Example 1
        Example 2
      - [Inner_Authentication] Section
      - [Request Filters] Section
      - [Response Filters] Section
      - [Session_Resumption] Section
    - tlsauth.aut File
      - [Server_Settings] Section
        Cipher_Suites Parameter
        Example 1
        Example 2
      - [CRL_Checking] Section
      - [Session_Resumption] Section
      - Sample tlsauth.aut File
    - tlsauth.eap File
      - [Server_Settings] Section
        Cipher_Suites Parameter
        Example 1
        Example 2
      - [Secondary_Authorization] Section
      - [CRL_Checking] Section
      - [Session_Resumption] Section
      - Sample tlsauth.eap File
      - Configuring Secondary Authorization
        SQL Authentication
        LDAP Authentication
    - ttlsauth.aut File
      - [Bootstrap] Section
      - [Server_Settings] Section
        Cipher_Suites Parameter
        Example 1
        Example 2
      - [Inner_Authentication] Section
      - [Request_Filters] Section
      - [Response_Filters] Section
      - [CRL_Checking] Section
      - [Session_Resumption] Section
      - Sample ttlsauth.aut File
  - Session State Register (SSR) Configuration Files
    - Configuring the config.ini File
    - Configuring the dbclusterndb.gen File
      - [Bootstrap] Section
      - [NDB] Section
        [Database] Section
      - [IpAddressPools] Section
      - [IpAddressPools:PoolName] Section
    - Using the georedSess.ses File to Configure the Geo-Redundancy Feature
  - Local CST Configuration Files
    - dbclusterRPC.gen File
    - cstserver.ini File
      - [Configuration] Section
      - [HA-Settings] Section
- Back-End Authentication and Accounting
  - SQL Plug-Ins
    - Common Configuration Items
      - [Bootstrap] Section
      - [Settings] Section
        Limitations of Underlying Database APIs
        SQL Parameter
        ErrorMap
        mssql.ini File
        [SoftErrors] Section
        mysql.ini File
        [SoftErrors] Section
        oracle.ini File
        [SoftErrors] Section
        LogLevel
      - [Server] Section
      - [Server/name] Sections
        Last Resort Server
      - Load Balancing Example
      - JDBC Plug-ins
    - SQL Authentication
      - [Settings] Section
        PasswordFormat
        ClearTextBinary
        DefaultResults
        SuccessResult
        UpperCaseName
      - [Results] Section
        Default [Results] Parameters
      - [FailedSuccessResultAttributes] Section
      - [Failure] Section
      - [Strip] Sections
      - Example: SQL Authentication Configuration File
    - SQL Accounting
    - SQL Accessors
    - Detailed Use Cases
      - Working with Stored Procedures
      - SQL Database Data Retrieval Methods
        SQL=SELECT Method for Data Retrieval from SQL Databases
        SQL=SELECT Method: SELECT Statement
        SQL=SELECT Method: [Results] Section
        SQL=SELECT Method: Section Correlations Illustrated
        Stored Procedure Method for Data Retrieval from SQL Databases
        Stored Procedure Method: BEGIN Statement of sqlaccessor.gen
        Stored Procedure Method: [Results] Section of sqlaccessor.gen
        Stored Procedure Method: Database Schema
        Stored Procedure Method: Data Retrieval
        Stored Procedure Method: Example
  - LDAP Plug-Ins
    - Overview
    - Common Configurations
    - LDAP Authentication
    - LDAP Accessor Files
  - CDR Accounting Plug-Ins
    - CDR Process Overview
    - Types of Call Detail Records
    - Configuring Accounting Options with cdracct.acc
      - [Bootstrap] Section of cdracct.acc
        Example
      - [Settings] Section of cdracct.acc
        Example
    - Displaying CDR Information
    - CDR Fields
    - CDR Field Formats for Binary and ASN.1 CDR Files
      - Field Formats for Binary Version 1 and Binary Version 2 CDR Files
- SIM Authentication Module
  - Common Configurations
    - ss7db.gen File
      - [Bootstrap] Section
      - [Settings] Section
    - gsmmap.gen File
      - [Bootstrap] Section
      - [Settings] Section
      - [Realms] Section
      - Configuring Each Realm Section
        Example
        Relationship Between Sections
      - Network Equipment and Data Needed for Processing Access-Requests
        Example: Authorization String
        Disabling Authorization from EAP-SIM
      - Target Module Section
        Target Module Fields (General Case)
        MAP Gateway Target Module Fields
        Example of MAP Gateway Target Module Fields
        SQL Database Target Module Fields
        Example of SQL Database Target Module
        LDAP Database Target Module Fields
        Example of LDAP Database Target Module
    - Signalware MML Commands
  - SIM/AKA Authentication
    - Overview
    - Configuring the simauth.aut File
    - Authentication Gateway
      - Configuring the ulcmmg.conf File
      - Configuring the GWrelay.conf File
      - Starting and Stopping the GWrelay Process
      - Configuring the authGateway.conf File
        [Routing-Configuration] Section
        Authorization Options
        Example 1—authGateway.conf file [Routing-Configuration] Section
        Example 2—authGateway.conf file [Routing-Configuration] Section
        [Supported-MAP-Messages] Section
        [Common-AGW-Configurations] Section
        [Process<name>] Section
        Example
      - Configuring the authGateway Startup with MML Commands
        Example—Creating and Starting the authGateway Process
- Optional Mobility Module Configuration Files
  - WiMAX Mobility Module Configuration File
    - wimax.ini File
- SNMP Configuration Files
  - SNMP Configuration Overview
  - SNMP Traps and Statistics Overview
- Appendixes
  - Authentication Protocols
  - Vendor-Specific Attributes
  - Configuration Examples
    - Steel-Belted Radius Carrier: 3G-to-Wi-Fi Offload Solution Using the SBR MAP Gateway with EAP-SIM or EAP-AKA
  - Detailed Use Cases
    - Using SQL Accessors
      - Configuring gsmmap.gen for Key Field Identification
        Examples
      - Configuring sqlaccessor.gen or sqlaccessor_jdbc.gen for Key Field Identification
        Examples
    - Using LDAP Accessors
      - Configuring ldapaccessor.gen for Key Field Identification
    - Assigning IP Addresses Based on APN
    - Adding Attributes to an Access-Accept
      - Overview
      - Data Flow
      - Configuration Tasks
      - Configuring Files for Adding Attributes to Access-Accept
      - Example Configuration for Adding Attributes to Access-Accept
        Example Overview
        Example Notes
        Access-Request
        SIMAuth
        Radsql.aut
        Eap.ini
        SQL Database Table 1
        Access-Accept
      - Activate the Authentication Method
    - Interfacing with a Kineto IP Network Controller
      - Attribute Handling Methods
      - Access-Request Conversion
      - Access-Accept Conversion
      - Access-Reject Conversion
      - Configuring the SIM Authentication Module for Handling Kineto Attributes
        Configuring the kinetoUMAAttrHandler.ctrl File
        Example kinetoUMAAttrHandler.ctrl file
        Configuring the controlpoints.ini File
        Configuring Kineto Attribute Recognition
        Activating the Authentication Method
        Developing Applications for the S1 Interface
    - Using Managed IPv6 Address Pools
  - SIR.conf File
  - Glossary
    - Numerics
    - A
    - B
    - C
    - D
    - E
    - F
    - G
    - H
    - I
    - J
    - L
    - M
    - N
    - O
    - P
    - Q
    - R
    - S
    - T
    - U
    - V
    - W

Download This Guide

Download this guide: Steel-Belted Radius Carrier 8.4.1 Reference Guide

Configuring the simauth.aut File

The SIM authentication module handles EAP-SIM authentication for clients using SIM cards and EAP-AKA authentication for clients using USIM cards. The settings for EAP-SIM and EAP-AKA authentication are stored in the simauth.aut file in the Steel-Belted Radius Carrier installation directory.

Note: Authenticating subscribers requires communication with the HLR. To establish connection with the HLR, follow the directions for installing and configuring the SIGTRAN protocol stack and configuring the authGateway and GWrelay applications described in the SBR Carrier Installation Guide.

simauth.aut [Bootstrap] Section

The [Bootstrap] section (Table 188) of the simauth.aut file specifies information that Steel-Belted Radius Carrier uses to load and start the SIMauth module.

Table 188: simauth.aut [Bootstrap] Fields

Field	Description
LibraryName	Specifies the name of the binary that implements the SIM authentication method. Default value is simauth.so.
Enable	If set to 1, the simauth authentication method is enabled. If set to 0, the simauth authentication method is disabled. Default value is 0.
InitializationString	Specifies the name of a server cookie used by the simauth authentication method. The value must be set to simauth.

Field

Description

LibraryName

Specifies the name of the binary that implements the SIM authentication method.

Default value is simauth.so.

Enable

If set to 1, the simauth authentication method is enabled.

If set to 0, the simauth authentication method is disabled.

Default value is 0.

InitializationString

Specifies the name of a server cookie used by the simauth authentication method. The value must be set to simauth.

simauth.aut [Settings] Section

The [Settings] section (Table 189) of the simauth.aut file contains these settings:

Note: For an overview of EAP-SIM and EAP-AKA pseudonyms and reauthentication identities, see the information about the SIM Authentication Module in the SBR Carrier Administration and Configuration Guide.

SBRC always tries protocols in a fixed order (EAP-SIM, EAP-AKA), skipping any protocols that are not enabled. It is possible for the NAS client to select whether a particular protocol is preferred. If the NAS client prefers to use a particular protocol, then SBRC accepts the protocol in its fixed order list. If the preferred protocol does not work for some reason (for example, the protocol is disabled), then SBRC continues with the next protocol in its fixed order list. This is a known limitation in the NAS client that it prefers a particular protocol but sends a NAK when SBRC accepts it. For example, it is not possible for SBRC to try EAP-SIM after a NAS client prefers EAP-AKA, but it is possible for SBRC to try EAP-AKA after the NAS client uses EAP-SIM.

Table 189: simauth.aut [Settings] Fields

Field	Description
ConfigLog	Specifies where simauth configuration information is logged. Options are: None= Configuration information is not captured. ConsoleAndLog= Log information is sent to both the console and the log. Console= Log information is sent to the console only. Log= Log information is sent to the log file only. Default is ConsoleAndLog.
EnableEAPSIM	If set to 1, EAP-SIM authentication with GSM SIM cards is enabled. If set to 0, EAP-SIM authentication is disabled. Default value is 1 (enabled). This parameter is reloaded every time that SBRC receives a SIGHUP (1) signal.
EnableEAPAKA	If set to 1, EAP-AKA authentication with 3G USIM cards is enabled. If set to 0, EAP-AKA authentication is disabled. Default value is 1 (enabled). This parameter is reloaded every time that SBRC receives a SIGHUP (1) signal.
EnforceEAPHint	If set to 1, and the leading digit of the IMSI is 0 or 1, the server determines the type of authentication (0 for EAP-AKA, 1 for EAP-SIM) and will be enforced. If set to 0, the type of authentication is determined through negotiation with the client. Default value is 0.
NumberOfTriplets	The number of triplets required for each authentication. The allowable values are 2 or 3. The higher the number of triplets, the more keying material is available and, consequently, the more the authentication is resistant to attacks. The default value is 3. This parameter is reloaded every time that SBRC receives a SIGHUP (1) signal.
ReauthenticationRealm	The realm returned with a Reauthentication Identity that indicates where the return responses to reauthentication requests are directed. The default uses the realm from the Permanent Identity (if any exists) of the client. This parameter is reloaded every time that SBRC receives a SIGHUP (1) signal.
ReauthenticationCount Limit	The number of allowed reauthentications before requesting fresh triplets and performing a complete authentication. The range is 0–65535. The default is 65535. If you enter 0, Reauthentication Identities are not generated. This parameter is reloaded every time that SBRC receives a SIGHUP (1) signal.
ReauthenticationLifetimeSec	The duration (in seconds) of an identity that is generated by Steel-Belted Radius Carrier for the purpose of reauthentication. The default is 3600 (1 hour). The client must reauthenticate within this time or use a Pseudonym or Permanent Identity. Set to 0 to prevent reauthentication identities from being generated. This parameter is reloaded every time that SBRC receives a SIGHUP (1) signal.
ProfileIsUser	Specifies whether the authorization policy specifiers listed in the [ProfileMap] section of simauth.aut represent Steel-Belted Radius Carrier native users or profiles. If set to 0 (default) the profiles listed in the ProfileMap section represent profiles configured in SBR Carrier. If set to 1 the profiles in the ProfileMap section represent users. This parameter is reloaded every time that SBRC receives a SIGHUP (1) signal.
PseudonymSecret	A secret used to encrypt Pseudonyms. You can use any text string up to 32 characters. There is no default. If you do not specify a secret, pseudonyms are not generated. When you change this value, all pseudonyms assigned to currently authenticated clients are invalidated, requiring reauthentication. Note: If running the SIM authentication option in an SBR Carrier cluster, all pseudonym passwords should be the same throughout the cluster. This parameter is reloaded every time that SBRC receives a SIGHUP (1) signal.
PseudonymLifetimeDays	The lifetime of a Pseudonym in days. The default is 1 (day). The actual lifetime varies from the specified time, to twice the specified time. This parameter is reloaded every time that SBRC receives a SIGHUP (1) signal.
UseEAPResponseIdentity	Set to 1 when the EAP-Response/Identity message is not altered by a proxy RADIUS server. If you set this to 1 and such changes do take place, then authentication fails. Set to 0 when the client EAP Identity is modified by a proxy RADIUS server. The default is 0.
EnableFailover	Specifies whether to enable or disable RADIUS failover. The RADIUS failover occurs when the HLR is inaccessible. The authentication requests are silently discarded until the HLR becomes available. If set to 1, enables RADIUS failover. If set to 0, disables RADIUS failover. Default value is 0. This parameter is reloaded every time when SBR Carrier receives a SIGHUP (1) signal.
FailoverTimeoutSec	If failover is enabled, the HLR is presumed to be accessible after the specified number of seconds, and the next request is not silently discarded. Default is 60 seconds. Setting this value to 0 causes EAP-SIM/EAP-AKA authentication requests to be discarded if the HLR is down.
ChargeableUserIdIn Response	Specifies which identifier is used as the CUID and returned in the Chargeable-User-Id (CUID) attribute in the RADIUS Access-Accept message. This field can be set to: None (default) IMSI—The attribute format is 01:imsi, where imsi is the subscriber’s IMSI. NAI—The attribute format is 02:nai, where nai is the subscriber’s NAI. MSISDN—The attribute format is 03:msisdn, where msisdn is the subscriber’s MSISDN. You can specify more than one CUID identifier. The identifiers must be comma separated. The identifier returned by the NAS is used as the CUID. This identifier is usually the first identifier in the list. In the following example, the CUID in the CDR is the IMSI. ChargeableUserIdInResponse=IMSI,NAI The IMSI and NAI values returned in the Access-Accept are derived from the User-Name attribute in the initial Access-Request. The MSISDN value returned in the Access-Accept is derived from the target module specified in the gsmmap.gen file. See Configuring Each Realm Section and Target Module Section. This parameter is reloaded every time that SBRC receives a SIGHUP (1) signal.
ChargeableUserId Attribute	Specifies the attribute that contains the CUID in the Access-Accept. This field can be set to either of these settings: Chargeable-User-Identity—The CUID is returned in the Chargeable-User-Identity attribute. This setting complies with RFC 4372 available at http://www.ietf.org. TeliaSonera-Chargeable-UserId—The CUID is returned in the TeliaSonera-Chargeable-UserId attribute. This setting complies with GSM Association document IR6.1 available at http://www.gsmworld.com. Note: The following call detail record (CDR) fields carry CUID information. See CDR Fields for a list of all CDR types. Charging ID Domain Index Charging Identifier This parameter is reloaded every time that SBRC receives a SIGHUP (1) signal.
SendCUIDOnlyIf Received	Used only if ChargeableUserIdAttribute is set to Chargeable-User-Identity. This field may be set to: 0—The CUID attribute is attached to the Access-Accept regardless of whether the CUID attribute was received in the Access-Request. 1—The CUID attribute is attached to the Access-Accept only if the CUID was received in the Access-Request. This parameter is reloaded every time that SBRC receives a SIGHUP (1) signal.

simauth.aut [ProfileMap] Section

Your HLR includes a database of subscribers. The database maps subscribers to one or more classes of service to which they are subscribed. You can configure the MAP Gateway to return strings that indicate a subscriber’s service authorization. The service authorization strings returned by the MAP Gateway correspond to selected TS, BS, or ODB settings in the subscriber’s profile on the HLR. For information about defining service authorization strings, see the Authorization Options section of the authGateway.conf file in the SBR Carrier Installation Guide.

Alternatively, you can configure Steel-Belted Radius Carrier to request service authorization strings from an external SQL or LDAP database instead of from an HLR. For information about requesting authorization information from an SQL database, see SQL Database Data Retrieval Methods. For information about requesting authorization information from an LDAP directory, see the [Response] Section of the ldapaccessor.gen file.

You can create two types of Steel-Belted Radius Carrier entities that are used for specifying authorization policies:

Profiles
Native user

You can use Steel-Belted Radius Carrier profiles or native users to define classes of subscribers who are authorized for service. Refer to the SBR Carrier Administration and Configuration Guide for information about creating profiles and native users.

Note: If you configure native users for use with EAP-SIM or EAP-AKA authentication, then you must modify ProfileIsUser in simauth.aut.

You can use the [ProfileMap] section of the simauth.aut file to assign one or more service authorization strings to these Steel-Belted Radius Carrier profiles (or native users). By doing so, each time that a subscriber requests an account, the service that is specified by the HLR is checked against the strings that you assign to a profile or native user in the [ProfileMap] section of the simauth.aut:

If the set of service authorization strings do not match those of any profile or native user who you list, the provisioning request is denied.
The profile map entries are checked in order. When the set of service strings match those of a profile or native user who you list, the subscriber is assigned that Steel-Belted Radius Carrier profile or native user.
Although the authorization string values must match those in authGateway.conf, you can include authorization strings that are valid for multiple HLRs in a given line corresponding to a profile or native user in the [ProfileMap] section of simauth.aut.

You can use each line in the [ProfileMap] section of simauth.aut to provide a set of HLR authorization strings (from authGateway.conf) that specify an authorization policy defined by a Steel-Belted Radius Carrier profile or native user.

The format for each line is:

ProfileName1=auth1:auth2:auth3

where ProfileName1 is the name of a Steel-Belted Radius Carrier profile or native user, and auth1, auth2, and auth3 are the HLR authorization strings configured in the MAP Gateway authGateway.conf file. The sequence and capitalization of the authorization strings are ignored. You can specify up to 128 authorization strings.

To use a particular profile or native user to define an authorization policy, make sure all the listed authorization strings exactly match the authorization strings returned from the MAP Gateway. You can also use a wildcard * to match any otherwise unmatched strings. For example, you can have the following:

ProfileName1=auth1:auth2:*

This matches any set of authorization strings as long as they include auth1 and auth2.

You can specify combinations of authorization strings for which authorization is denied by entering one or more DENY lines. A DENY line is of the form:

<DENY>=auth1:auth2:auth3

where the profile name is not specified and where auth1, auth2, and auth3 are the HLR authorization strings configured in the MAP Gateway authGateway.conf file. The same matching and wildcard rules apply as with PROFILE lines. For example, the following statement denies authorization if the authorization strings returned are auth1, auth2, and auth3.

<DENY>=auth1:auth2:auth3

The following statement denies authorization if the authorization strings returned include both auth1 and auth2 and any other strings.

<DENY>=auth1:auth2:*

Similarly, the following statements deny authorization if the authorization strings returned include auth1 or auth2.

<DENY>=auth1:*

<DENY>=auth2:*

Finally, the following statement denies authorization if no authorization strings are returned:

<DENY>=

We recommend you place DENY statements at the top of the list because a subscriber is assigned the policy associated with the first match in the list of profiles (or native users) that you include in the profile map. Place PROFILE statements with specific criteria in the middle of the list and PROFILE statements with wildcards at the bottom of the list.

Note: If the set of service authorization strings do not match those of any profile or native user who you list, the provisioning request is denied.

All settings are reloaded every time when SBRC receives a SIGHUP (1) signal.