Glossary
Numerics
Third Generation Partnership Project (GSM).
Third Generation Partnership Project 2 (CDMA).
IEEE standard 802.1X. Standard for Local and Metropolitan Area Networks: Port-Based Network Access Control. Defines a mechanism that allows a supplicant (client) to connect to a wireless access point or wired switch so that the supplicant can provide authentication credentials that can be verified by an authentication server.
A
Authentication, Authorization, and Accounting.
Access Controller.
The process of recording and aggregating resource use statistics and log files for a user, connection session, or function for billing, system diagnosis, and usage planning.
Access Control List.
SNMP module on a managed device that responds to requests from a management station and sends traps to one or more recipients (trap sinks) to inform administrators of potential problems.
Authentication and Key Agreement. An extension to the EAP protocol that enables authentication and session key distribution using a mechanism based on symmetric keys and usually runs on a USIM.
Access Point.
Access Point Name.
RADIUS attributes that carry specific authentication, authorization, and accounting messages.
Authentication Center. The network element that provides the triplets for authenticating the subscriber.
The process of verifying the identity of a device and its user. This process is accomplished through transmission of identifying data at the time of connection.
See AKA.
A back-end server that verifies, from the credentials provided by an access client, whether the access client is authorized to use network resources.
The process of controlling the access settings, such as privileges and time limits, that the user can exercise on a protected network.
A Steel-Belted Radius Carrier server that does not use centralized configuration management.
Attribute Value Pair. An attribute and its corresponding value; for example, User-Name = admin.
B
Balanced/unbalanced converter. A device used to match impedance between balanced and unbalanced lines, usually twisted-pair and coaxial cable.
Barring of All Outgoing Calls.
A profile of checklist attributes that cause Steel-Belted Radius Carrier to reject an authentication request. For example, a blacklist profile might specify calling station phone numbers or IP addresses that are blocked by Steel-Belted Radius Carrier.
Base Station.
C
Certificate Authority. A trusted entity that registers the digital identity of a site or individual and issues a digital certificate that guarantees the binding between the identity and the data items in a certificate.
Customer Care and Billing system.
Centralized Configuration Management. The process by which configuration information is shared between a primary RADIUS server and one or more replica RADIUS servers so that all machines operate in a similar way.
Charging Data Function.
Call Detail Record. Call transaction record created by an MSC to track the network resources used by subscribers in making and receiving calls, so that billing systems can compute charges based on usage.
A digital file signed by a CA that guarantees the binding between an identity and the contents of the certificate.
Charging Gateway. Device that collects, validates, and consolidates CDRs from other network components for processing by the network billing system.
See CoA.
Challenge Handshake Authentication Protocol. An authentication protocol where a server sends a challenge to a requestor after a link has been established. The requestor responds with a value obtained by executing a hash function. The server verifies the response by calculating its own hash value. If the two hash values match, the authentication is acknowledged.
A list of attributes that must accompany a request for connection before the connection request can be authenticated.
Change of Authorization. Refers to RADIUS Change of Authorization, which is the dynamic change of the state of a previously authorized session by use of a RADIUS request sent towards the access equipment.
A group of devices and management stations running SNMP. An SNMP device or agent may belong to more than one SNMP community.
Character string included in SNMP messages to identify valid sources for SNMP requests and to limit access to authorized devices. The read community string allows an SNMP management station to issue Get and GetNext messages. The write community string allows an SNMP management station to issue Set messages.
Data that is verified when presented to an authenticator, such as a password or a digital certificate.
Certificate Revocation List. A data structure that identifies the digital certificates that have been invalidated by the certificates’ issuing CA before their expiration date.
Call Session Control Function.
D
A program on a UNIX or Linux host that runs continuously to handle service requests.
Dynamic Host Configuration Protocol. Protocol by which a server automatically assigns (leases) a network address and other configuration settings to a client temporarily or permanently.
Text file that maps the attribute/value pairs supported by third-party RADIUS vendors.
See DM.
Disconnect Message. Refers to RADIUS Disconnect, which is the dynamic termination of a previously authorized session by use of a RADIUS request sent towards the access equipment.
Dialed Number Identification Service. A telephone service that identifies what number was dialed by a caller.
Domain Name Service. Internet protocol for mapping hostnames, domain names, and aliases to IP addresses.
E
Extensible Authentication Protocol. An industry-standard authentication protocol for network access that acts as a transport for multiple authentication methods or types. Defined by RFC 2284. The base protocol used for a variety of authentication methods with RADIUS and 802.1X.
EAP method that allows authentication with a mobile subscriber USIM card.
EAP method that allows authentication with a mobile subscriber SIM card.
Authentication method that uses EAP (Extensible Authentication Protocol) and TLS (Transport Layer Security).
Authentication method that uses EAP (Extensible Authentication Protocol) and TTLS (Tunneled Transport Layer Security).
See EAP.
F
Fixed/Mobile Convergence.
Fully Qualified Domain Name.
File Transfer Protocol.
(Specific to IMS) Any one of the identified (and named) separable components of the IMS, which communicates with other functions exclusively using reference points.
G
See GPRS.
Gateway GPRS Support Node.
See GSM.
General Packet Radio Service. Packet-based wireless communication service for wireless phones and mobile computer users.
Global System for Mobile Communications. A mobile telephone system that uses a SIM for subscriber identification.
Graphical User Interface.
H
Home Agent. Maintains connection information about the mobile station (MS) and manages a persistent IP connection on the network for the MS. (In the SBR/HA 5.5 release, HA meant “High Availability,” but that term has been deprecated in favor of Session State Register, or SSR.)
Home Authentication, Authorization and Accounting server. AAA server on the subscriber's home network.
Home Location Register. Contains the primary subscriber database in a GSM network using SIM or USIM credentials.
See HA.
See HPLMN.
See HSS.
A WLAN that interworks with the HPLMN without using a VPLMN.
A WLAN Access Point offering network connectivity to the public.
Home Public Land Mobile Network. The mobile network that has a billing relationship with the mobile subscriber, and usually the one that authenticates the user and authorizes access.
Home Subscriber Server. The IMS function that contains the primary subscriber database in IMS networks that satisfy Release 6 of the IMS reference (IMS R6).
I
Prevention of an eavesdropper from discovering the identity of a user being authenticated.
IP Multimedia Subsystem. An IP multimedia and telephony core network that is defined by 3GPP and 3GPP2 standards and organizations based on IETF Internet protocols. IMS is access-independent: it supports IP-to-IP sessions over wireline IP, 802.11, and 802.15 packet data along with GSM/EDGE/UMTS and other packet data applications. IMS is a standard reference architecture that consists of session control, connection control, and an applications services framework along with subscriber and services data.
International Mobile Subscriber Identity. A unique subscriber identifier consisting of a three-digit Mobile Country Code (MCC), a two- or three-digit Mobile Network Code (MNC), and a Mobile Subscriber Identification Number (MSIN) of up to 10 digits.
See IMSI.
Internet Protocol.
See IMS.
Implementation of the TCP/IP suite that uses a 32-bit addressing structure.
Implementation of the TCP/IP suite that uses a 128-bit addressing structure.
Internet Service Provider.
J
Programming language designed for use in distributed environments such as the Internet.
Java Database Connectivity. Application programming interface for accessing a database from programs written in Java.
L
LDAP configuration interface.
Lightweight Directory Access Protocol. An IETF standard protocol for updating and searching directories over TCP/IP networks.
LDAP Data Interchange Format. The format used to represent directory server entries in text form.
M
A device that runs an SNMP agent.
Host that monitors and controls managed devices running SNMP agents.
Mobile Access Part. The SS7 protocol standard that addresses registration of roaming users and the intersystem handoff procedure in wireless mobile telephony.
Mobile Country Code. The MCC, together with the MNC, uniquely identify an operator and help identify the authentication center from which subscriber information should be retrieved.
Media Gateway.
Management Information Base. A database of objects, such as alarm status or statistics counters, that can be monitored or overwritten by an SNMP management station.
Mobile Network Code. The MNC, together with the MCC, uniquely identify an operator and help identify the authentication center from which to retrieve subscriber information.
See MAP.
See MCC.
See MNC.
See MSC.
See MS.
See MSISDN.
Microsoft Point-to-Point Encryption. A means of representing point-to-point packets in an RC4-encrypted format. Defined in RFC 3078.
Mobile Station. Device used to attach to a mobile network.
Microsoft CHAP. Proprietary version of CHAP.
Mobile Services Switching Center. Responsible for connecting calls together by switching packets from one network path to another. MSCs also provide information to support mobile service subscribers, including user registration, authentication, and location updating.
Mobile Subscriber ISDN. Telephone number of the mobile user, which conforms to the dialed number formats in the subscriber’s country.
Message Transfer Part.
N
Network Access Device. Network device that accepts connection requests from remote users, authenticates users via RADIUS, and routes users onto the network.
Network Access Identifier.
Network Address Translation.
A user authenticated by Steel-Belted Radius Carrier using its internal authentication database.
An addressable node or cluster of nodes in an IMS network, which may host any number of IMS functions.
Next Generation Network.
Network Interface Card.
A node is a logical element of a Session State Register cluster, which includes SBR Carrier nodes, management nodes, and data nodes.
Random value included in data exchanges to guarantee uniqueness and protect against replay attacks.
Network Service Provider.
Interpretation of the digits of an IMSI.
O
Operator-Determined Barring. An HLR authorization of service designation that specifies that a subscriber is barred from service.
Mechanism for collecting and forwarding charging information concerning I-WLAN and core network resource usage without affecting the service rendered in real-time.
P
Password Authentication Protocol. An authentication protocol where a requestor sends an identifier and password to a server after a link has been established. If the identifier and password match an entry in the server’s database, the authentication is acknowledged.
Personal Digital Assistant.
Packet Data Serving Node. The attachment point between the RADIUS network and the IP network. May also be known as the foreign agent (FA) when Mobile IP is used.
Protected Extensible Authentication Protocol. A two-phase authentication protocol where (1) an authentication server is authenticated to a supplicant using a digital certificate and a secure channel is established; and (2) the supplicant is authenticated to the authentication server via the secure channel.
The permanent identifier of a peer, including an NAI realm portion in environments where a realm is used. The permanent identity is usually based on the IMSI. Used on full authentication only.
Public Land Mobile Network. Refers to a mobile network.
The unique identifier for each node in an SS7 network.
Point-to-Point Protocol. Network protocol defined in RFC 1661 that provides a standard method for transporting multiprotocol datagrams over point-to-point links.
A process, possibly requiring multiple steps, that enables customers to obtain services.
Process of authenticating users whose profiles are on other RADIUS servers by forwarding access-request packets received from a RADIUS client to a remote RADIUS server (the proxy target), and then forwarding the response from the remote server back to the RADIUS client.
The remote RADIUS server that actually performs authentication in a proxy RADIUS sequence.
A pseudonym identifier of a peer, including a NAI realm portion in environments where a realm is used. Used on full authentication only.
See PLMN.
Q
The authentication data formed by the UMTS values: RAND (random number), XRES (expected response), CK (cipher key), IK (integrity key), and AUTN (authentication).
R
Remote Authentication Dial-In User Service. A client/server security administration standard that functions as an information clearinghouse, storing authentication information about users and administering multiple security systems across complex networks.
The reauthentication identifier for a peer, including a NAI realm portion in environments where a realm is used. Used on reauthentication only.
See RADIUS.
A list of attributes that Steel-Belted Radius Carrier must return to a RADIUS client after authentication of a user succeeds. The return list usually provides additional parameters that the RADIUS client needs to complete the connection.
The ability to move from one Access Point coverage area to another without interruption of service or loss of connectivity.
S
Session Border Controller.
Steel-Belted Radius, the product family that includes Steel-Belted Radius Carrier.
Stream Control Transmission Protocol. An Internet Protocol used by the SIGTRAN protocol stack to transport SS7 signaling commands. See IETF RFC 4166.
In a Session State Register cluster, a computer that hosts one or more nodes.
Authorization allowing a subscriber to access the requested service based on subscription.
Session Identifier. A string of characters uniquely identifying the session.
See SSR.
Secure Hash Algorithm-1. A one-way cryptographic function that takes a message of any length and produces a 160-bit message digest.
See SS7.
The Mavenir SIGTRAN protocol stack provided with Steel-Belted Radius Carrier.
Protocol stack supporting SS7 signaling using the SCTP Internet Protocol. See IETF RFC 4166.
The process of discarding a packet without further processing and without notification to the sender.
Subscriber Identity Module.
A SIM-based hardware SmartCard that contains the authentication keys for a GSM mobile telephone subscriber.
Session Initiation Protocol.
A small card containing a computer chip that can store information, including authentication information and algorithms.
Simple Network Management Protocol.
Signaling System 7. The network and protocols used to provide out-of-band signaling (control) for telephone services to support call establishment, billing, routing, and information exchange for the public switched telephone network.
Service Set Identifier.
Secure Sockets Layer. Program layer that manages the security of messages on a network.
Session State Register, an optional module for Steel-Belted Radius Carrier that implements a multi-computer cluster to support shared databases that multiple SBR Carrier servers can access to ensure that a single set of data is used for all transactions and to implement a high-availability environment.
Signaling Transfer Point.
The client in an 802.1X-authenticated network.
T
Telecoms & Internet converged Services & Protocols for Advanced Networks (standardization body of ETSI).
Transport Layer Security.
Type-Length-Value. A synonym for AVP; named because the raw encoding of such a value is a type field (for example, 1 for User-Name) followed by a length value (for example, 6) followed by the value of the attribute (for example, test).
An SNMP message that reports a significant event, such as a problem, error, or change in state, that occurred within a managed device.
The destination for trap messages sent by an SNMP agent on a managed device.
Teleservice. HLR authorization of service designation.
Tunneled Transport Layer Security.
U
User Equipment.
Universal Integrated Circuit Card. The chip card used in mobile terminals in GSM and UMTS networks. The UICC ensures the integrity and security of all kinds of personal data, and typically holds a few hundred kilobytes.
Unlicensed Mobile Access.
Universal Mobile Telecommunications System. Type of mobile network (next generation after GSM) that uses the USIM card for authentication.
See UMTS.
A database where a RADIUS server keeps information about users, such as authentication information and network access permissions.
Identifier of a user that may be used, for example, in charging functionality for billing purposes.
A record in the user database that describes how to configure a particular user or class of users during authentication and authorization.
UMTS Subscriber Identity Module.
A SIM-based hardware SmartCard that contains the authentication keys for a 3G mobile telephone subscriber.
V
Visited Authentication, Authorization and Accounting server. AAA server on the visited access network, responsible for routing authentication and accounting requests to the home network.
See VPLMN.
Virtual Local Area Network.
Visitor Location Register.
Voice over IP.
Visited Public Land Mobile Network. The mobile network that is providing connectivity to a roaming user.
Virtual Private Network.
Vendor-Specific Attributes. Usually refers to a vendor-specific attribute and its associated value. VSA may be used to indicate a vendor-specific attribute or vendor-specific AVP. In RADIUS, VSAs are special attributes that contain an IANA-assigned enterprise code followed by TLVs (Type Length Value) that can be defined by the vendor who owns the enterprise code. As a result, vendors can define their own RADIUS VSAs without fear of colliding with another vendor’s VSA assignments.
W
Wideband Code Division Multiple Access.
Wireless LAN type of CDR.
Wired Equivalent Privacy. An encryption method designed to encrypt traffic between a WLAN client and an access point.
Wireless local area network that uses the IEEE 802.11a, b, or g radio protocols.
Worldwide Interoperability for Microwave Access.
Wireless Internet Service Provider.
Wireless Local Area Network.