Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Table of Contents

 
About This Guide
Objective
Audience
Documentation Conventions
Related Documentation
Obtaining Documentation
Documentation Feedback
Requesting Technical Support
Product Overview
Steel-Belted Radius Carrier Overview
Introduction to Steel-Belted Radius Carrier
SBR Carrier Core Features
3rd Generation Partnership Project (3GPP) Support
Native Support for Structured Attributes
Adding NAS Location Information to Access-Requests
Support for Additional EAP Authentication Protocols
Statistics and Reporting Capabilities
Management Interfaces
Web GUI
LDAP Configuration Interface (LCI)
Command Line Utility
XML/HTTPS Interface
SNMP
Optional SIM Authentication Module
Optional WiMAX Mobility Module Features
Optional Session Control Module
Optional Scripting Module
Optional Session State Register (High Availability) Module
Optional Concurrency Module
Optional 3GPP AAA Module
Licensing
Web GUI Overview
Using Web GUI
Running the Web GUI
Tested Browsers
Navigating in the Web GUI
Web GUI Menus
Home Menu
RADIUS Configuration Menu
Diameter Configuration Menu
Tools Menu
Help Menu
Logout Menu
Web GUI Pages
Adding an Entry
Editing an Entry
Cloning an Entry
Resizing Columns
Changing Column Sequence
Sorting Information
Searching Entries
Hiding or Restoring Columns
Adding License Keys
Displaying Version Information
Closing the Web GUI
RADIUS Operations
RADIUS Basics
RADIUS Overview
RADIUS Packets
RADIUS Ports
RADIUS Configuration
RADIUS Server Configuration
RADIUS Client Configuration
Multiple RADIUS Servers
Shared Secrets
RADIUS Secret
Replication Secret
Accounting
Attributes
Dictionaries
Vendor-Specific Attributes
Dictionaries and the Make/Model Field
Updating Attribute Information
Structured Attributes
User Attribute Lists
Check List Attributes
Return List Attributes
Structured Attributes in Check Lists and Return Lists
Attribute Values
Single- and Multi-Valued Attributes
Orderable Multi-Valued Attributes
System Assigned Values
Echo Property
Default Values
Wildcard Support
Attribute Filtering
Adding NAS Location Attributes to Access-Requests
Specifying IPv4 Address Classes
Centralized Configuration Management
Proxy RADIUS
Proxy RADIUS Authentication
Proxy RADIUS Accounting
Authentication
Authentication Methods
Native User Authentication
Pass-Through Authentication
Proxy RADIUS Authentication
External Authentication
Directed Authentication
Authenticate-Only Requests
Configuring the Authentication Sequence
Configuring Authentication Methods
Advanced Options
Account Lockout
Account Redirection
Blacklisting
Allowed Access Hours
Two-Factor Authentication
Password Protocols
Password Authentication Protocol
Challenge Handshake Authentication Protocol
MS-CHAP v2
Accounting
Accounting Sequence
Comma-Delimited Log Files
Proxy RADIUS Accounting
External Accounting
Tunneled Accounting
Directed Accounting
Accounting Spooling
Request Routing
Match Rules
User-Names with a Single Delimiter
User-Names with a Single Tunnel Delimiter
User-Names with a Single Realm Delimiter
User-Names with Multiple Suffix Delimiters
User-Names with Multiple Prefix Delimiters
Undecorated User-Names
Configuring Undecorated User-Name Support
Example
Request Routing by DNIS
Request Routing by Any Attribute
Local Services
Control over Routing Methods
Radius Client Groups
IP Address Assignment
Address Pools and Replication
Hints
Resource Management
Network Address Assignment
How Address Assignment Works
Setting Return List Attributes
Handling Address Leaks
Address Leakage upon Stopping and Starting the Server
Overlapping Address Ranges
Order of Address Assignment
Concurrent Network Connections
Concurrent User Connections
Concurrent Tunnel Connections
Attribute Value Pooling
Phantom Records
IPv6 Support
IPv6 and Steel-Belted Radius Carrier
IPv6 Features
IPv6 Addressing
Address Notation
Address Prefixes
Address Interface IDs
IPv6 Network Numbers
IPv6 Support in Steel-Belted Radius Carrier
RADIUS IPv6 Attributes
NAS-IPv6-Address
Example
Framed-Interface-Id
Example
Framed-IPv6-Prefix
Example
Login-IPv6-Host
Example
Framed-IPv6-Pool
Example
Framed-IPv6-Route
Example
Framed-IPv6-Address
Example
DNS-Server-IPv6-Address
Example
Route-IPv6-Information
Example
Delegated-IPv6-Prefix-Pool
Example
Stateful-IPv6-Address-Pool
Example
Enabling IPv6 Networking
Configuring IPv6 Scope IDs
Configuring IPv6 Addresses for RADIUS Client Connections
Configuring DNSv6 Support
Administering RADIUS Clients and Client Groups
Overview
Adding a RADIUS Client or Client Group
Editing a RADIUS Client or Client Group
Deleting a RADIUS Client or Client Group
Administering RADIUS Location Groups
About RADIUS Location Groups
Adding a Location Group
Editing a Location Group
Deleting a Location Group
Administering Users
Users Overview
Allowed Access Hours
User Files
Setting Up Native Users
Adding a Native User
Adding Subattributes to a Structured Attribute
Editing a Native User
Deleting a Native User
Setting Up UNIX Users or Groups
Adding a UNIX User or Group
Editing a UNIX User or Group
Deleting a UNIX User or Group
Administering Profiles
About Profiles
Adding a Check List or Return List Attribute to a Profile
Resolving Profile and User Attributes
Adding a Profile
Editing a Profile
Removing a Profile
Administering Proxy RADIUS
Proxy RADIUS Overview
Proxy RADIUS Authentication
Proxy RADIUS Accounting
Proxy RADIUS Realms
Target Selection within a Realm
Message-Authenticator Support
Proxy Fast-Fail
Static Proxy Accounting
Proxy AutoStop Feature
Routed Proxy Authentication
Operation
Adding a Proxy Target
Editing a Proxy Target
Deleting a Proxy Target
Steel-Belted Radius Carrier as a Target
Dictionaries When Steel-Belted Radius Carrier is the Target
Accepting Packets from Any Proxy
Administering RADIUS Tunnels
About RADIUS Tunnels
Tunnel Authentication Sequence
Configuring Tunnel Support
Called Station ID
Dictionaries for Tunnel Support
Concurrent Tunnel Connections
Configuring RADIUS Tunnels
Adding a Tunnel
Editing a Tunnel
Deleting a Tunnel
Configuring Tunnel Name Parsing
Administering Address Pools
Address Pools for Standalone Servers versus Servers in a SSR Cluster
Address Pool Files
Adding an IPv4 Address Pool
Editing an IPv4 Address Pool
Deleting an IPv4 Address Pool
Specifying an IP Address Pool for User/Profile Records
NAD-Specific IP Address Pools
Service-Level IP Address Pools
Specifying IP Address Assignment from a DHCP Server
Address Allocation
Address Renewal
Address Release
DHCP Option Mapping
Using Multiple Servers
Setting Up Administrator Accounts
Local Administrator or Group Overview
Adding a Local Administrator or Group
Deleting a Local Administrator or Group
Administrator Configuration Files
Configuring Realm Support
Realm Configuration Files
Stage One of Realm Configuration
Configuring a Proxy RADIUS Realm
Configuring a Directed Realm
Editing the proxy.ini File
Setting Up Smart Static Accounting
Setting Up Proxy RADIUS Realms
Configuration Tasks
Setting Up Directed Realms
How to Update Realm Configuration
Setting Up Filters
Overview
Order of Filter Rules
Values in Filter Rules
Referencing Attribute Filters
Adding a Filter
Searching the Filter List
Editing a Filter
Deleting a Filter
Setting Up Authentication Policies
Authentication Policy Overview
Order of Authentication Methods
Adding EAP Methods to an Authentication Policy
Enabling EAP Methods
Activating an EAP Method
Certificates
Certificate Chains
Certificate Revocation Lists
Configuring Server Certificates
Creating a Certificate
Adding a Certificate
Deleting a Certificate
Trusted Root Certificates
Adding a Trusted Root Certificate
Configuring a CRL Distribution Point Web Proxy
Configuring Authentication Rejection Messages
Configuring the Server
Configuring External Databases
Setting Up EAP Methods
About the Extensible Authentication Protocol
Handling EAP Requests
Automatic EAP Helpers
Authentication Request Routing
EAP-Only Setting
First-Handle-Via-Auto-EAP Setting
EAP-NAK Notifications
Reauthenticating Connections
Certificates
Certificate Chains
Certificate Revocation Lists
EAP-TLS Authentication Protocol
Configuring EAP-TLS as an EAP Authentication Method
Configuring Client Certificate Validation—EAP-TLS
Configuring Session Resumption—EAP-TLS
Configuring Advanced Server Settings—EAP-TLS
Configuring EAP-TLS as an Automatic EAP Helper
Configuring Client Certificate Validation—EAP-TLS Helper
Configuring Secondary Authentication—EAP-TLS Helper
Configuring Session Resumption—EAP-TLS Helper
Configuring Advanced Server Settings—EAP-TLS Helper
EAP-TTLS Authentication Protocol
Configuring EAP-TTLS as an EAP Authentication Method
Configuring Client Certificate Validation—EAP-TTLS
Configuring Request Filters—EAP-TTLS
Configuring Response Filters—EAP-TTLS
Configuring Session Resumption—EAP-TTLS
Configuring Inner Authentication Settings—EAP-TTLS
Configuring Advanced Server Settings—EAP-TTLS
EAP-PEAP Authentication Protocol
Configuring EAP-PEAP as an EAP Authentication Method
Configuring Request Filters—EAP-PEAP
Configuring Response Filters—EAP-PEAP
Configuring Session Resumption—EAP-PEAP
Configuring Inner Authentication Settings—EAP-PEAP
Configuring Advanced Server Settings—EAP-PEAP
EAP-MD5-Challenge Authentication Protocol
EAP-MS-CHAP-V2 Authentication Protocol
EAP-SIM and EAP-AKA Authentication Protocols
Configuring Replication
Overview of Replication
Replication Requirements
Adding a Replica Server
Enabling a Replica Server
Editing a Replica Server
Deleting a Replica Server
Publishing Server Configuration Information
Notifying Replica RADIUS Servers
Designating a New Primary Server
Making a Standalone Server the Primary Server
Making a Standalone Server a Replica Server
Verifying the Primary and Replica Servers Are Enabled
Demote a Primary or Replica Server to a Standalone Server
Recovering a Replica After a Failed Configuration Package Download
Changing the Name or IP Address of a Server
Replication Error Messages
Error Messages on Replica Servers
Error Messages on Primary Servers
3GPP Support
Overview
Data Connection Process
Accounting Process
3GPP Configuration
Diameter Operations
Diameter Basics
Diameter Overview
Diameter Application
Communication between SBR Carrier Server and the Elements in LTE Network
Communication with Trusted Non-3GPP Network
Communication with Untrusted Non-3GPP Network
Communication with HSS
Communication with Proxy Servers
Communication with ePDG
Communication with PDG or PGW
Diameter Authentication Process
Diameter Authorization Process
RADIUS to Diameter Translation
Administering the Local Network Element
Local Network Element Overview
Configuring SBR Carrier Server Identification
Setting Up the Local Identity for SBR Carrier
Configuring Local Addresses for the SBR Carrier Server
Configuring Local Realm for the SBR Carrier Server
Configuring the Diameter Message Transport
Adding a Diameter Message Transport Entry
Editing a Diameter Message Transport Entry
Deleting a Diameter Message Transport Entry
Administering Diameter Remote Network Elements
Remote Network Element Overview
Creating and Configuring a New Diameter Remote Network Element
Adding Diameter Connections to the Diameter Remote Network Element
Assigning Functions to the Diameter Remote Network Element
Configuring Implicit Routing Rules
Configuring IMSI Routing Rules
Configuring Realm Routing Rules
Editing a Diameter Remote Network Element
Deleting a Diameter Remote Network Element
Administering the Diameter Policy
Policy Overview
Configuring a Local Profile
Creating a Local Profile
Configuring Authorization Attributes
Adding Periodic Reauthorization Attributes
Adding a Return or Copy List
Configuring a Non-3GPP Interworking Policy for SWa or STa Reference Point
Configuring Global Non-3GPP Network Access Policy
Configuring Global WLAN Direct IP Access Policy
Configuring a Non-3GPP Interworking Policy for SWm Reference Point
Configuring Non-3GPP Interworking Allowed Visited Networks Policy
Configuring Global Non-3GPP Network IP Access Policy
Configuring Global APN Configuration Policy-SWm Interface
Configuring Global AMBR Configuration Policy
Configuring a Non-3GPP Interworking Policy for S6b Reference Point
Configuring Global APN Configuration Policy-S6b Interface
Configuring Global MIP6 Feature Vector Configuration Policy
Editing a Local Profile
Deleting a Local Profile
Configuring Local Profile Selection
Creating a New Profile Selection Rule Set
Creating New Matching Rules
Configuring User Defined Attribute Matching Rules
Editing Profile Selection Rule Sets
Deleting Profile Selection Rule Sets
Administering Request Routing Rules
Request Routing Rules Overview
Routing Rule Evaluation and Rule Priorities
Configuring Request Routing Rules
Defining Explicit Routing Rules
Defining Conditions for the Explicit Routing Rule
Defining Standard Application Identifier Conditions
Defining Customized Application Identifier Conditions
Defining User Identity Conditions
Defining Realm Name Conditions
Defining Dictionary Attribute Conditions
Displaying Diameter Statistics
Statistics Overview
Diameter Statistics
Local Diameter Host Statistics
Diameter Peer Statistics
Routing Rule Statistics
Back-End Authentication and Accounting Methods
Configuring SQL Authentication
Overview of SQL Authentication
SQL Authentication Process
Stored Procedures
Connectivity Issues
Configuring SQL Authentication
Files
Using the SQL Authentication Configuration File
Using Multiple SQL Authentication Methods
Connecting to the SQL Database
SQL Statement Construction
Overlapped Execution of SQL Statements
%result Parameter
SQL Authentication and Password Format
Hashed Passwords
Automatic Parsing
Working with Stored Procedures in Oracle
Working with Stored Procedures in MS-SQL
Example 1
Example 2
Tips on Using SQL Stored Procedures
Calling Stored Procedures
Using the Insert Function
Example:
Configuring SQL Accounting
SQL Accounting Overview
Stored Procedures
Connectivity Issues
Configuring SQL Accounting
Files
Using the SQL Accounting Configuration File
Using Multiple SQL Databases
Connecting to the SQL Database
SQL Statement Construction
INSERT Statement and VALUES Section
Using Multiple SQL Statements
Overlapped Execution of SQL Statements
SQL Accounting Return Values
Accounting Stored Procedure Example
Configuring LDAP Authentication
LDAP Authentication Overview
LDAP Variable Table
Types of LDAP Authentication
BindName Authentication
Bind Authentication
Attributes and LDAP Authentication
Configuring LDAP Authentication
Supporting Secure Sockets Layer
Files
LDAP Database Schema
LDAP Authentication and Password Format
Hashed Passwords
Automatic Parsing
LDAP Authentication Sequence
LDAP Authentication Examples
Bind Authentication with Default Profile
BindName Authentication with Callback Number Returned
LDAP Bind with Profile Based on Network Access Server
Signalware SIGTRAN Gateway Support
Overview of Signalware SIGTRAN Protocol Stacks
Proxy RADIUS Authentication and Accounting
Proxy RADIUS Accounting
HSS-Subscriber Database
Management Interfaces
Simple Network Management Protocol
SNMP and Steel-Belted Radius Carrier Overview
The SBR Carrier SNMP Package
Supported MIBs
Configuring the SNMP Agent
Running the SNMP Agent
Starting the SNMP Agent
Stopping the SNMP Agent
Rereading the jnprsnmpd.conf File
Logging Behavior of the SNMP Agent
Verifying SNMP Agent Operation
Running the testagent.sh Script
Using the snmpget Command
Using the snmpwalk Command
Resetting Rate Statistics
Troubleshooting
Using the LDAP Configuration Interface
LDAP Configuration Interface File
LDAP Configuration Interface Overview
LDAP Utilities
LDAP Requests
Downloading the LDAP Utilities
LDAP Version Compliance
Configuring the LDAP TCP Port
Example
Configuring the LCI Password
LDAP Virtual Schema
LDAP Rules and Limitations
Using the LCI to Define Structured Attributes in Check Lists and Return Lists
LCI XML Format
LDAP Command Examples
Searching for Records
Modifying Records
Importing Records from Another LDAP Database
Deleting Records
Searching for Active Sessions
LDIF File Examples
Adding RADIUS Clients with LDIF
Adding Users with LDIF
Adding Proxy Targets with LDIF
Adding Tunnels with LDIF
Adding IP Address Pools with LDIF
Configuring a RADIUS Server with LDIF
Statistics Variables
Counter Statistics
stattype: server
stattype: authentication
stattype: accounting
stattype: proxy
Rate Statistics
Optional Authentication Modules
SIM Authentication Module
SIM Authentication Module Component Overview
SIMAuth
Signalware SIGTRAN Protocol Stacks
MAP Gateway (authGateway) Application
GWrelay Application
CDR Accounting
Data Accessors
Operation Overview
SIM Card-Based Authentication
EAP-SIM/EAP-AKA Authorization/Service Delivery
EAP-SIM/EAP-AKA Identities
EAP-SIM/EAP-AKA Fast Reauthentication
SIM Authentication Module Configuration
Special Attribute Handling Features
Assigning IP Addresses Based on Access Point Name (APN)
Overview
Configuration Tasks for Assigning IP Address Based on Access Point Name
Adding Attributes to an Access-Accept
Overview
Data Flow
Configuration Tasks for Adding Attributes to Access-Accept
Files to Configure for Adding Attributes to Access-Accept
Activating the Authentication Method
Kineto S1 Support
Summary of Configuration Tasks for the SIM Authentication Module
Summary of Configuration Tasks for the SIM Authentication Module
SIM Authentication Module Configuration with a SIGHUP (1) Signal
Overview of the WiMAX Mobility Module
Supported Features of the WiMAX Mobility Module
WiMAX Network Reference Model
Home Network Communication Flow Example
AAA-Generated Cryptographic Keys
Home Agent Root Key (HA-RK)
Allowing the VAAA to Assign the HA-RK
DHCP Server Root Key (DHCP-RK)
EAP Authentication Methods and EAP-Derived Cryptographic Keys
Master Session Key (MSK)
Extended Master Session Key (EMSK)
EMSK-Derived Key Generation and Identification
MSK and EMSK-Derived Key Lifetime and Deprecation
EMSK-Derived Key Storage and Retrieval
WiMAX Vendor Specific Attribute (VSA) Format
Structured Attributes
WiMAX Capabilities Negotiation
WiMAX-Capability Attribute
WiMAX-Capability Structured Attribute
WiMAX-Release Attribute
WiMAX-Accounting-Capabilities Attribute
Hotlining-Capabilities Attribute
Idle-Mode-Notification-Capabilities Attribute
Enabling WiMAX Capabilities Negotiation
Home Agent and DHCP Server Assignment
Assignment Using Return List Attributes
Assignment Using Statically Weighted Round-Robin Groups
Assignment Using the Smart Dynamic Home Agent Assignment Feature
WiMAX Post-Paid (Offline) Accounting
Flow-Based Accounting
IP-Session-Based Accounting
WiMAX Prepaid Accounting
Prepaid Scenarios
Single-Service Prepaid Solution
Multi-Service Prepaid Solution
PPS Controlled Prepaid Model
AAA Proxy Model
Direct PPS Connection
Data Flow for Prepaid Accounting in SBR Carrier
Data Flow for Single-Service Prepaid Accounting Model
Data Flow for Multi-Service Prepaid Accounting Models
PPS Controlled Prepaid Model
AAA Proxy Model
Direct PPS Connection Model
Categorizing Access-Requests from Different Devices
Access-Request from the ASN-GW
Access-Request from the Home Agent
Access-Request from the DHCP Server
Categorization Rules
Configuring the WiMAX Mobility Module
Before You Begin
Configuring the radius.ini File for WiMAX
Configuring Support for Authorize-Only Requests
Enabling the WiMAX Module and Configuring What Request Types Are Supported
Configuring the Home Agent and DHCP Server Assignment
Define the List of Home Agents and DHCP Servers
Configuring Return List Attributes to Assign the Home Agent and DHCP Server
Assignment When Acting as the HAAA Server
Assignment When Acting as the VAAA Server
Configuring the VAAA
Configuring the HAAA
Configuring Statically Weighted Round-Robin Groups to Assign the Home Agent and DHCP Server
Configuring the Smart Dynamic Home Agent Assignment Feature
Smart Dynamic Home Agent Assignment Configuration Overview
dynamic_ha.ini File
Customer-Written Dynamically Updated File
[HAs] Section of the wimax.ini File
Operation of the Smart Dynamic Home Agent Assignment Feature
Processing on Startup
Processing on a Signal
Access-Request Processing
Access-Request Processing When Acting as the VAAA
Access-Request Processing When Acting as the HAAA
Configuring WiMAX Clients
Configuring WiMAX Users and Profiles
Configuring the WiMAX-Capabilities Negotiation
Example Configuration for New Session Hotlining
Configuring the Filters
Configuring the LDAP Authentication File
Configuring the EAP Methods for WiMAX
EAP-TTLS Secondary Authentication Support
Optional Session State Register (High Availability) Module for a Clustered Environment
Session State Register Overview
SSR Cluster Overview
Data Replication Between Two Different or Remote SSR Clusters
Configuring the Client Component and Server Component
List of CST Fields That Can Be Replicated Across SSR Clusters
Possible Uses and Limitations of the Geo-redundancy Feature
SSR Cluster Concepts and Terminology
Session State Register Servers
Session State Register Nodes
SSR Data Entities
Cluster Configurations
Session State Register Scaling
Adding a Data Node Expansion Kit
Adding a Third Management Node
Adding More SBR Carrier Front End Servers
Cluster Network Requirements
Supported SBR Carrier SSR Cluster Configurations
Failover Overview
Failover Examples
Possible Failure Scenarios
Session State Register Database Tables
IP Address Pools
Subscriber Session Data Controls
Application Support
Session State Register Administration
SSR Administration Overview
Overview of Starting and Stopping a Session State Register Cluster
Starting the Cluster
Stopping the Cluster
Stopping a Single Node
Starting a Single Node
sbrd
Running sbrd on Session State Register Nodes
Syntax
Options
Examples
When to Stop, Start, or Restart SBR Carrier Nodes
Administration Scripts Overview
SSR Database Management Scripts
Using the Monitor Script
Monitor.sh
Syntax
Options
Example
Creating and Destroying the SSR Database
CreateDB.sh
Syntax
Options
Example
Usage Notes
Auxiliary SQL Files Used by CreateDB.sh
DestroyDB.sh
Syntax
Options
Example
Creating a Demonstration Database
DemoSetup.sh
Syntax
Options
Example
Steel-Belted Radius Carrier Node Administration Scripts
Using IP Address and IP Address Pool Scripts
Using Management Mode
Placing a SBR Carrier Server into Management Mode
Removing a SBR Carrier Server from Management Mode
ClearCache.sh
Syntax
Options
Example
Usage Notes
ShowCaches.sh
Syntax
Options
Example
AddPool.sh
Syntax
Options
Example
Usage Notes
RenamePool.sh
Syntax
Options
Example
DelPool.sh
Syntax
Options
Example
Usage Notes
ShowPools.sh
Syntax
Options
Example
Usage Notes
AddRange.sh
Syntax
Options
Example
Usage Notes
DelRange.sh
Syntax
Options
Example
Usage Notes
ShowRanges.sh
Syntax
Options
Example
Usage Notes
KillZombieAddrs.sh
Syntax
Options
Example
ShowAddrs.sh
Syntax
Options
Example
Output Notes
Usage Notes
BackupIP.sh
Syntax
Options
Example
Usage Notes
RestoreIP.sh
Syntax
Options
Example
Usage Notes
SSR Session Management
Session Management Scripts
ShowSessions.sh
Syntax
Options
Example
DelSession.sh
Syntax
Options
Example
Usage Notes
User Concurrency Scripts
ShowUserConc.sh
Syntax
Options
Example
DelUserConc.sh
Syntax
Options
Administration Script Control Files
Optional Concurrency Module
Managing User Concurrency with Session State Register
Overview
How User Concurrency Works
UserConcurrencyID Construction
Username
Authentication Method
Enumerated Authentication Methods
Proxy Authentication Methods
Authentication Method Consistency
Retrospective Dynamicity
Consequences of the No-Retrospective-Dynamicity Model
Benefits of the No-Retrospective-Dynamicity Model
Managing Concurrency with Attributes in Session State Register
Overview
How Attribute-Based Concurrency Works
Configuring Attribute-Based Concurrency
Setting the Size of the ID Field in the User Concurrency Table
Specifying the User Attribute
Distributing the Files
Managing and Controlling Sessions
Introduction to Managing and Controlling Sessions in SBR Carrier
Overview of Managing and Controlling Sessions in SBR Carrier
Introduction
Storing Sessions in the CST in a Standalone Server versus the SSR Cluster
Storing Sessions in the CST of a Standalone Server
Storing Sessions in the CST of the SSR Cluster
Persisting Sessions When SSR Cluster Is Down
Session Management and Control Capabilities
Viewing and Deleting Sessions
Disconnecting or Changing the State of Active Sessions
Available User Interfaces for Managing and Controlling Sessions
Web GUI
Command Line Utility
XML over HTTPS Interface
Administrative Scripts
Overview of the Optional Session Control Module
Change of Authorization/Disconnect Messages Overview
How Disconnect Messages Work
How Change of Authorization Messages Work
How Steel-Belted Radius Carrier Processes CoA/DM Messages
Current Sessions Table
Formatting and Sending CoA/DM Requests with the Correct Attributes
Converting .dct Files to .dic Files
Controlled Devices and Actions
Sequence and Flow of CoA/DM Requests Through Steel-Belted Radius Carrier
Implementing CoA/DM Support
Step 1: Develop a Deployment Plan
Step 2: Consult Your NAS-Specific Documentation
Step 3: Configure Each NAS as a Client in Steel-Belted Radius Carrier
Step 4: Configure the deviceModels.xml File
Step 5: Configure the Current Sessions Table (CST) for Your Environment
Processing Dynamic Authorization (CoA/DM) Messages as a Proxy Server
Attributes and CoA/DM Forwarding Methods
Processing Dynamic Authorization (CoA/DM) Messages as a Proxy Target
Settings to Support the Proxy CoA/DM Functionality
Using Web GUI to Manage and Control Sessions
Current Sessions Overview
Searching for Sessions Using Web GUI
Session Query Fields and Searchable Attributes
Viewing Session Detail
Deleting Sessions
Setting Session Limits with Web GUI
Factors Affecting the Number of Sessions Returned
Number of Sessions Returned
Executing CoA and Disconnect Requests Using Web GUI
Example of Executing a Disconnect Action
Using the Command Line Utility to Manage and Control Sessions
Command Line Utility Overview
Starting the Command Line Utility
Example
Using Command Line Arguments
Access Control Arguments
Syntax
Arguments
Example
Action Arguments
Syntax
Arguments
IP Address Ranges
Unique Session IDs
Setting Session Limits Using the Command Line Utility
Factors Affecting the Number of Sessions Returned
Number of Sessions Returned
Examples of Limiting the Number of Sessions Returned Using the Command Line Utility
Examples of Issuing CoA/DM Requests Using the Command Line Utility
Query Example Using Wildcard
Disconnect Example
Lawful Intercept Example
Shortcut Arguments
Syntax
Arguments
Disconnect Example with Shortcut
Finding All Sessions Using the Command Line Utility
Example of Finding All Sessions
Configuring the deviceModels.xml File
Summary of Allowed Elements in the deviceModels.xml File
Element: action
XML Instance Representation
Schema Component Representation
Element: actions
XML Instance Representation
Schema Component Representation
Element: attributes
XML Instance Representation
Schema Component Representation
Element: controlledDeviceModel
XML Instance Representation
Schema Component Representation
Element: controlledDeviceModels
XML Instance Representation
Schema Component Representation
Element: defaultAttribute
XML Instance Representation
Schema Component Representation
Element: localSessionQuery
XML Instance Representation
Schema Component Representation
Element: onFailure
XML Instance Representation
Schema Component Representation
Element: onSuccess
XML Instance Representation
Schema Component Representation
Element: onTimeout
XML Instance Representation
Schema Component Representation
Element: overrideAttribute
XML Instance Representation
Schema Component Representation
Element: radiusPort
XML Instance Representation
Schema Component Representation
Element: radiusPorts
XML Instance Representation
Schema Component Representation
Element: radiusRequest
XML Instance Representation
Schema Component Representation
Element: requiredAttribute
XML Instance Representation
Schema Component Representation
Element: sessionStop
XML Instance Representation
Schema Component Representation
XML over HTTPS Interface
XML over HTTPS Interface Overview
Transport Protocol
XML Statement Construction
Client Request Schema Example
Client Request Elements
Element: attribute
XML Instance Representation
Schema Component Representation
Element: attributes
XML Instance Representation
Schema Component Representation
Element: body
XML Instance Representation
Schema Component Representation
Element: envelope
XML Instance Representation
Schema Component Representation
Element: header
XML Instance Representation
Schema Component Representation
Element: request
XML Instance Representation
Schema Component Representation
Client Request Examples
Example: Query
Example: Query
Example: RADIUS Disconnect
Example: RADIUS Disconnect
Example: RADIUS Disconnect
Example: (CoA) Action Called Intercept
Client Response Schema Example
Client Response Elements
Element: attribute
XML Instance Representation
Schema Component Representation
Element: attributes
XML Instance Representation
Schema Component Representation
Element: body
XML Instance Representation
Schema Component Representation
Element: clientRequest
XML Instance Representation
Schema Component Representation
Element: clientResponse
XML Instance Representation
Schema Component Representation
Element: clientResult
XML Instance Representation
Schema Component Representation
Element: clientResults
XML Instance Representation
Schema Component Representation
Element: defaultAttribute
XML Instance Representation
Schema Component Representation
Element: deviceRequest
XML Instance Representation
Schema Component Representation
Element: deviceRequestSpec
XML Instance Representation
Schema Component Representation
Element: deviceResponse
XML Instance Representation
Schema Component Representation
Element: deviceResult
XML Instance Representation
Schema Component Representation
Element: deviceResults
XML Instance Representation
Schema Component Representation
Element: envelope
XML Instance Representation
Schema Component Representation
Element: header
XML Instance Representation
Schema Component Representation
Element: optionalAttribute
XML Instance Representation
Schema Component Representation
Element: overrideAttribute
XML Instance Representation
Schema Component Representation
Element: requiredAttribute
XML Instance Representation
Schema Component Representation
Element: sessionData
XML Instance Representation
Schema Component Representation
Element: sessionRequest
XML Instance Representation
Schema Component Representation
Element: sessionResponse
XML Instance Representation
Schema Component Representation
Element: sessionResult
XML Instance Representation
Schema Component Representation
Element: sessionResults
XML Instance Representation
Schema Component Representation
Client Response Examples
Example: Client Response to Query for Username ‘bob’
Example: Client Response to Query for Any Username Using Wildcard
Example: Client Response to Request for Action Called “foo” on Username TestUser9
Example: Client Response to Request for Action Called “foo” on Username TestUser99
Example: Client Response to RADIUS Disconnect
Example: Client Response to Action Intercept
Example: Client Response to Action Intercept
Example: Client Response to Action Intercept
Example CoA/DM Configuration
Requirements of the CoA/DM Requests
Requirements for the Disconnect Message Request
Requirements for the CoA (Hotline) Request
Requirements for Supporting the Attributes in CoA/DM Requests
Dictionaries
deviceModels.xml
Configuring the Attribute Handling Parameters
radius.ini
classmap.ini
Example Result
Configuring Lawful-Intercept between SBR Carrier and ERX Device
Statistics and Reporting
Displaying Statistics
Displaying Authentication Statistics
Displaying Accounting Statistics
Displaying Proxied Request Statistics
Displaying RADIUS Client Statistics
Displaying RADIUS Proxy Targets Statistics
Displaying IP Address Pool Statistics
Logging and Reporting
Logging Files
Displaying Authentication Log Files
File Permissions for Log Files
Security Groups and Permissions
Using the User File Creation Mode Mask
Implementing Default File Permissions in SBR Carrier
Implementing Override File Permissions in SBR Carrier
Enabling or Disabling the Authentication Log Files
Viewing the Authentication Log Files
Saving the Log Files
Searching the Log Files
Using the Locked Accounts List
Configuring Locked Account Settings
Unlocking a Locked Account
Configuring the Log Retention Period
Cluster Management Nodes
SSR Data Nodes
Using the Server Log File
Level of Logging Detail
Using the Authentication Log File
Authentication Log File Format
First Line Headings
Comma Placeholders
Using the Accounting Log File
Accounting Log File Format
First Line Headings
Comma Placeholders
Standard RADIUS Accounting Attributes
Optional Scripting Module
Introduction to Scripting
Scripting Overview
Script Types
LDAP Authentication
Realm Selection
Attribute Filter
About JavaScript
Creating Scripts
Script Development Steps
JavaScript Initialization Files
[Settings] Section
[Script] Section
[ScriptTrace] Section
[Failure] Section
Writing Steel-Belted Radius Carrier Scripts in JavaScript
Programming in JavaScript
Hidden Wrapper Function
Script Return Values
Initializing Reusable Data Objects
General Recommendations
Saving the Script File
Sample Script
Debugging Scripts
SbrWriteToLog()
SbrTrace and ScriptTraceLevel
scriptcheck
Unpacking the scriptcheck Utility
Running the scriptcheck Utility
Creating LDAP Scripts
LDAP Basics
LDAP Request Life Cycle
Unscripted LDAP Searches
LDAP Script Basics
Working with the Variable Table
Invoking LDAP Queries
Writing to the Steel-Belted Radius Carrier Log
Choosing the Return Code
Script Return Codes
SCRIPT_RET_SUCCESS
SCRIPT_RET_DO_NOT_AUTHENTICATE
SCRIPT_RET_TRY_NEXT_AUTH_METHOD
SCRIPT_RET_NOT_AUTHENTICATED
SCRIPT_RET_FAILURE
SCRIPT_RET_INVALID_CODE
LDAP Script Return Codes
LDAP Script Examples
Example 1: Simple Authentication
Example 2: Profile Assignment
Example 3: Received Attribute Normalization
Example 4: Conditional Profile Assignment from User Attribute
Creating Realm Selection Scripts
Realm Selection Script Functions
Enabling Built-In Realm Selection Methods
Choosing the Return Code
Configuring Realm Selection Scripts
Core Realm Selection Scripts
[Processing] Section
Tunneled Authentication Plug-in Realm Selection Scripts
Realm Selection Script Examples
Example 1: Querying Multiple SQL Databases
Example 2: Using JavaScript to Manipulate Request Attributes
Creating Attribute Filter Scripts
Using Attribute Filter Scripts
Attribute Filter Script Functions
Choosing the Return Code
Configuring Attribute Filter Scripts
Defining Scripted Filters
Attribute Filter Script Examples
Example 1: Using an LDAP Query to Select a Static Filter to Execute
Example 2: Adding Values to Multi-Valued Attributes
Working with Data Accessors
Data Accessor Overview
Variable Containers
Internal Variable Table (LDAP Only)
Data Accessor Configuration
SQL Data Accessor Configuration
[Bootstrap] Section
[Results] Section
[Settings] Section
[VariableTypes] Section
LDAP Data Accessor Configuration
[Bootstrap] Section
[Attributes/name] Sections
[Response] Section
[Search/name] Sections
[Request] Section
[Defaults] Section
[Server/name] Sections
[Server] Section
[Settings] Section
[VariableTypes] Section
Data Conversion Rules
Output Container
Input Container
Examples
Example 1
Example 2
Example 3
Example 4
Supported Data Types and Conversions
Data Accessor Configuration File Examples
Example: LDAP Data Accessor Configuration File
Example: SQL Data Accessor Configuration File
Script Reference
JavaScript Types
API Method Support by Script Type
Local and Global Variable Declarations
Global Object
Logging and Diagnostic Methods
SbrWriteToLog()
Purpose
Syntax
Parameters
Returns
Example
SbrWriteToLogEx()
Purpose
Syntax
Parameters
Returns
Example
SbrTrace()
Purpose
Syntax
Parameters
Returns
Example
Ldap Object
Ldap Methods
Ldap.Search()
Purpose
Syntax
Parameters
Returns
Example
LdapVariables Object
LdapVariables Methods
LdapVariables.Get()
Purpose
Syntax
Parameters
Returns
Examples
LdapVariables.Add()
Purpose
Syntax
Parameters
Returns
Example
LdapVariables.Reset()
Purpose
Syntax
Parameters
Returns
Example
RealmSelector Object
Constructor
new RealmSelector()
Purpose
Syntax
Parameters
Returns
Example
new CSTAccessor()
Purpose
Syntax
Parameters
Returns
Example
new SessionControl()
Purpose
Syntax
Parameters
Returns
Example
RealmSelector Methods
Execute()
Purpose
Syntax
Parameters
Returns
Example
SetAuthUserName()
Purpose
Syntax
Parameters
Returns
Example
SetAuthProfile()
Purpose
Syntax
Parameters
Returns
Example
SetLocationGroupProfile()
Purpose
Syntax
Parameters
Returns
Example
CSTAccessor Methods
Get()
Purpose
Syntax
Parameters
Returns
Example
SetAuthUserName()
Purpose
Syntax
Parameters
Returns
Example
SetAuthProfile()
Purpose
Syntax
Parameters
Returns
Example
SetLocationGroupProfile()
Purpose
Syntax
Parameters
Returns
Example
SessionControl Object
Properties
SUCCESS
Example
FAILURE
Example
TIME_OUT
Example
MISSING_INFO
Example
SessionControl Methods
AddAttribute()
Purpose
Syntax
Parameters
Returns
Example
Execute()
Purpose
Syntax
Parameters
Returns
Example
AttributeFilter Object
Constructor
new AttributeFilter()
Purpose
Syntax
Parameters
Returns
Example
AttributeFilter Methods
Get()
Purpose
Syntax
Parameters
Returns
Example
Add()
Purpose
Syntax
Parameters
Returns
Example
Reset()
Purpose
Syntax
Parameters
Returns
Example
Replace()
Purpose
Syntax
Parameters
Returns
Example
Execute()
Purpose
Syntax
Parameters
Returns
Example
AttributeFilter API
DataAccessor Object
Properties
FOUND
Purpose
Example
NOTFOUND
Purpose
Example
FAILED
Purpose
Example
PASSWORDFAILED
Purpose
Example
Constructor
new DataAccessor()
Purpose
Syntax
Parameters
Returns
Example
Methods
SetInputVariable()
Purpose
Syntax
Parameters
Returns
Example
GetOutputVariable()
Purpose
Syntax
Parameters
Returns
Example
Execute()
Purpose
Syntax
Parameters
Returns
Example
Clear()
Purpose
Syntax
Parameters
Returns
Example
Appendixes
When and How to Stop and Restart Steel-Belted Radius Carrier
Stopping the Steel-Belted Radius Carrier Server
Starting the Steel-Belted Radius Carrier Server
Authentication Protocols
Importing and Exporting Data
Importing Information from an XML File
Exporting Information to an XML File
Technical Bulletins
Service Type Mapping
Configuration
Local User Database Entries
servtype.ini File
Ascend Filter Translation
Configuration
Syntax
Changing IP Addresses in an SSR Cluster Without Redefining the Cluster
SIR.sh Script
Syntax
Options
Example
Thread and Flood Control Mechanism
Thread Control Settings
Flood Control Settings
SNMP Trap
Logging Information
Glossary
Numerics
A
B
C
D
E
F
G
H
I
J
L
M
N
O
P
Q
R
S
T
U
V
W