Settings to Support the Proxy CoA/DM Functionality
This section explains the settings and the parameters to support the Proxy CoA/DM functionality.
The [DynAuthProxy] section in the radius.ini file controls some global Proxy CoA/DM features. For information about [DynAuthProxy] section parameters of the radius.ini file, see the SBR Carrier Reference Guide.
The Proxy CoA/DM functionality is disabled if the Session Control feature license is not set.
In the radius.ini file, the UDPDynAuthPort parameter in the [Ports] section indicates the ports that SBRC listens on for Proxy CoA/DM messages. This defaults to port 3799. For information about [Ports] section parameters of the radius.ini file, see the SBR Carrier Reference Guide.
In the [Configuration] section of the radius.ini file, a complete set of thread and flood queue settings for dynamic authentication works in the same way as the authorization, accounting, and proxy thread and flood queue configuration. The variables added to the [Configuration] section are Dynamic-Auth-Receive-Realtime-Thread-Priority, Max-Dyn-Auth-Threads, Max-Dyn-Auth-Floods, Max-Dyn-Auth-Threads-In-Flood, and Dyn-Auth-Flood-Queue-Shape. Another parameter in the [Configuration] section, DynAuthProxySource, configures the source interface address used to forward Proxy CoA/DM requests, similar to the ProxySource setting. The default setting for this value is 0.0.0.0 (IPv4 unspecified). The thread pool reports in the server log include reports for dynamic authorization threads.
You can change the proxy target configuration to include optional configuration of a CoA/DM secret if it is different from the authorization shared secret.
The master dictionary is used when parsing incoming CoA/DM requests.
The [DynAuth] section in each realm.pro file controls the proxy CoA/DM configuration for each proxy realm. The FilterOut parameter in this section, if set to a valid attribute filter name, causes SBRC to apply that filter (and optional JavaScript) when forwarding a CoA/DM request to a NAS client. The IncludeDeviceModel parameter can be set to “yes” or “no.” If set to “yes,” then the Funk-Device-Model attribute with the appropriate device name is added to every forwarded proxy request sent to this realm. The RequireMessageAuthenticator setting defaults to 0, or no check. If set to a non-zero value, SBRC requires a Message-Authenticator attribute in incoming CoA/DM requests, and the request is discarded if this attribute is not present.
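The following added example (an illustration written for this page, not SBR Carrier code) shows the check that a non-zero RequireMessageAuthenticator implies, using the RFC 5176 calculation: HMAC-MD5, keyed with the CoA/DM secret, over the request with the Request Authenticator and the Message-Authenticator value both zeroed. The function names, the require_ma flag, and the sample secret and packet are assumptions made for the example.

```python
import hashlib
import hmac
import struct

COA_REQUEST, DISCONNECT_REQUEST = 43, 40   # RFC 5176 packet codes
MESSAGE_AUTHENTICATOR = 80                 # RFC 2869 attribute type

def build_request(code, ident, attrs, secret, with_ma=True):
    """Build a constructed CoA/DM request (sample input for the check below)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if with_ma:  # placed last, value zeroed until the HMAC is computed
        body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    pkt = bytearray(struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body)
    if with_ma:
        pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    # Request Authenticator = MD5(header + 16 zero octets + attributes + secret)
    pkt[4:20] = hashlib.md5(bytes(pkt[:4]) + bytes(16) + bytes(pkt[20:]) + secret).digest()
    return bytes(pkt)

def check_request(pkt, secret, require_ma=True):
    """Return 'accept' or a discard reason for an incoming CoA/DM request."""
    if len(pkt) < 20:
        return "discard: short packet"
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in (COA_REQUEST, DISCONNECT_REQUEST) or not 20 <= length <= len(pkt):
        return "discard: malformed header"
    pkt = pkt[:length]
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return "discard: bad Request Authenticator"
    zeroed, pos, received = bytearray(pkt), 20, None
    zeroed[4:20] = bytes(16)
    while pos < length:
        alen = pkt[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            return "discard: malformed attribute"
        if pkt[pos] == MESSAGE_AUTHENTICATOR:
            if alen != 18 or received is not None:
                return "discard: malformed Message-Authenticator"
            received = pkt[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += alen
    if received is None:
        return "discard: Message-Authenticator missing" if require_ma else "accept"
    calc = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return "accept" if hmac.compare_digest(calc, received) else "discard: bad Message-Authenticator"

# Constructed sample: a Disconnect-Request with User-Name "alice".
SECRET = b"constructed-coa-secret"
SAMPLE = build_request(DISCONNECT_REQUEST, 7, [(1, b"alice")], SECRET)
```

With require_ma=False the same function models the default setting of 0: a request without the attribute is accepted on the Request Authenticator alone, while one that carries a Message-Authenticator still has it verified.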
To prevent performance degradation, if this feature is enabled, the CST fields (Sbr_NasClientName, Sbr_NasDeviceModel, Sbr_ProxyRealm, and Sbr_ProxyState) need to be configured. This can be done by modifying the CurrentSessions.sql file for the cluster version, or the IncludeDynAuth parameter in the [Configuration] section of dbclusterlocal.gen for the standalone version. The CurrentSessions.sql file has the fields for Proxy CoA/DM included but commented out, to make it easier to configure these fields in the cluster version.
ShowSessions.sh does not display the Sbr_NasClientName, Sbr_NasDeviceModel, Sbr_ProxyRealm, and Sbr_ProxyState fields, unless you modify the script to do so.
You need to modify the dbc_mapping.xml file to add the new Funk-NAS-Identifier, Funk-Device-Model, and Funk-Proxy-State fields to query results. A new version of dbc_mapping.xml includes these new fields in the lines that are commented out.
The DynAuth-Thread-Flood-Info parameter in the [Status] section of the radius.ini file controls whether the DynAuth thread and flood information is printed in the status log during status reports. It defaults to “no.”
For information about configuring the radius.ini file to support the CoA/DM functionality, see the SBR Carrier Reference Guide.