ON THIS PAGE
Features and Limitations — Release wise (Notes)
Starting from SBR 8.6.0R2 Release, the following are the features and limitation
- Before installing Signalware on RHEL 7.5, you must disable kernel address space layout randomization (KASLR), which is enabled by default on RHEL 7.5. Signalware is incompatible with KASLR and requires the kernel memory address space to be consistent.
To disable KASLR:
- Edit the GRUB_CMDLINE_LINUX key in the
/etc/default/grubfile to add the new parameter nokaslr. Example: GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=rhel_bng-lnx-perf6/root rd.lvm.lv=rhel_bng-lnx-perf6/swap rhgb quiet nokaslr".
- Run grub2-mkconfig -o /boot/grub2/grub.cfg.
- Reboot the server.
This disables the KASLR feature on Linux Kernel.
- Install Signalware.
- Start Signalware.
- Edit the GRUB_CMDLINE_LINUX key in the
- To know more about KASLR, refer to the RHEL 7.5 kernel release notes.
- SBR does not log the Grouped AVP's like Vendor-Specific-Application-ID in
Diameter Messagedue to design constraint.
Starting from SBR 8.6.0R3 Release, the following features are supported
- The following error code and reject reason will be logged
rejects_YYYYMMDD.csvunder radius_installed/authreports directory for Invalid Password scenario in proxy directed realm case, instead of printing Tunneled authentication reject for TTLS.
Two error codes and reject reasons are added to reject logging:
- AUTH_ERR_044 and ldap auth user not authenticated for TTLS with LDAP.
- AUTH_ERR_043 and user found, but password validation failed for TTLS with SQL.
A new parameter "RejectMalformedPacket" is introduced in
radius_installed/radius.inifile to check whether to reject malformed packet or not.
RejectMalformedPacket - When this Parameter is enabled, SBR will reject if any malformed packet is received.
Default value is 0.
If RejectMalformedPacket is set to 1, SBR will reject the malformed request received.
If set to 0, SBR will skip the malformed attribute and continue parsing.
If the packet is so severely malformed that it is not usable, then it would be dropped.
Starting from SBR 8.6.0R4 Release, the following features are supported
- A new configuration parameter has been introduced as part
of fix for PR 1465028 in
radius.inifor cases where bothFramed-Interface-Id and Framed-IP-Address attributes are present in an accounting request. Setting ExcludeFramedInterfaceId=1 in radius.ini will prevent SBR from recording the Framed-Interface-Id value to the
Ipv4AddressCST field. By default the parameter ExcludeFramedInterfaceId = 0 is disabled. A new setting will be created in a future patch to store Framed-Interface-Id separately.
The following error code and reject reason will be logged in “rejects_YYYYMMDD.csv” under
radius_installed/authreportsdirectory for invalid username and no username scenario in proxy directed realm case, instead of printing Tunneled authentication reject for TTLS.
- Invalid Username—"AUTH_ERR_004" and "Unable to find user with matching password".
- No Username—"AUTH_ERR_019" and "Missing User Name attribute in request".
The following are known issues related to retaining the backward compatibility, which is planned to be fixed in the future patch releases.
- PR 1474738-1: SBR auth reject report logs error code AUTH_ERR_004 instead of error code AUTH_ERR_048 when configured max-concurrent value is exceeded.
- PR 1475213-1: SBR logs error code "AUTH_ERR_004" instead of error code "AUTH_ERR_048" for EAP NAK received.
- PR 1475534-1: SBR logs AUTH_ERR_004", "Unable to find user with matching password" instead of "AUTH_ERR_048","Unavailable" when DHCP pool IP-Addresses are unavailable.
- SBR is supported on the Linux RHEL 7.7 variant.
Starting from SBR 8.6.0R5 Release, the following features are supported
- Starting from 8.6.0R5, the “expect” package
needs to be pre-installed on RHEL and Solaris version before executing
SBR “configure” script from
The “expect” package versions validated for SBR variants are:
expect 5.44 for RHEL6
expect 5.45 for RHEL7
The expect package for Solaris 11 is available along with the OS.
expect 5.45 for Solaris 10 with Generic_147147-26 sun4u sparc SUNW
The expect package for Solaris 10 can be downloaded from the following URLs:
- Starting from 8.6.0R5, the below mentioned steps have
to be followed before applying the patch. The below steps are for
the manual renewal of expiration time stamp.
- Stop the SBR using the command ./sbrd stop radius from
radius_install_path.bash-3.00# cd /opt/JNPRsbr/radius/bash-3.00# ./sbrd stop radius
- Execute the following commands from
radius_install_path.bash-3.00# cd /opt/JNPRsbr/radius/bash-3.00# mv root root_bkpbash-3.00# mv my my_bkp
After the execution of these steps apply the patch and start SBR.
- Stop the SBR using the command ./sbrd stop radius from
Starting from SBR 8.6.0R6 release, the following features are supported
- As part of PR 1219412, Enhanced EAP Logging support is provided only for TLS version 1.2. Logging for TLS version 1.1 still remains unsupported.
Starting from SBR 8.6.0R7 and 8.6.0R8 release, the following features are supported
- The following weak cipher suites are now optionally available
to support legacy clients.
[0x2f] AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA
[0x35] AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA
[0x3c] AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256
[0x3d] AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256
- If the above cipher suites are needed to support legacy
devices, they may be added.
By default, SBR is configured to use the following cipher suites for TLS and TTLS 0x0067,0x006B,0xC030,0xC028,0xC014,0xC013.
If needed, the weak cipher suites mentioned above can be configured in the Web GUI under RADIUS Configuration > Authentication Policies > EAP Methods > EAP-TLS/EAP-TTLS > Advanced Server Settings tab
Starting from SBR 8.6.0R9 release, the following features are supported
The Parameter “DisableMetaData” is added in the following files
Enable this Parameter while using MYSQL driver to avoid errors while using the integer as the data type argument.
Default Value is 0.
Consider an input variable MaxSessions of type varchar(20) which holds an integer value. It can be converted to its corresponding type by using the following:DECLARE maxSess DECIMAL;set maxSess=(SELECT CAST(MaxSessions as DECIMAL));
If DisableMetaData is set to 0 (disabled), the value “maxSess” will be NULL and an error (CDataAccessorClassObject::getOutputVariable(): failed to get variable (result) from container will be logged.
To avoid this error and to set the proper value for “maxSess”, set DisableMetaData set to 1 (enabled).
Starting from SBR 8.6.0R10 release, the following features are supported
- To discard accounting requests if one or more target realms marked as “Primary” fail to respond, you must set the parameter SuppressResponseIfStaticAcctFails = yes in the Configuration section of the proxy.ini file.
Starting from SBR 8.6.0R11 release, the following features are supported
- SBR Carrier has been qualified on Sparc Solaris 126.96.36.199.0.
- Testing of SBR Carrier 8.6.0:R11 full build versions has been performed successfully on the Red Hat Enterprise Linux 7.3 - 7.7 and Solaris 188.8.131.52.0, 184.108.40.206.0 operating systems in the Juniper standard laboratory environment.
- For performance improvement, Solaris install packages now include OpenLDAP 2.4.50.
Starting from SBR 8.6.0R12 release, the following features are supported
- Starting from SBR 8.6.0R12 release, SBR Carrier has been qualified with RHEL 7.8.
The following third-party package upgrades have been made in the SBR 8.6.0R12 full build versions.
OpenSSL has been upgraded to OpenSSL 1.1.1g.
Expat has been upgraded to Expat 2.2.9.
Starting from SBR 8.6.0R13 release, the following are Features and Limitation
- UserConcurrency—A new parameter has been introduced
to configure an active session limit for users authenticated by the
proxy authentication method.
To configure a session limit, uncomment UserConcurrency in the proxy configuration (.pro) file, and provide a value for the number of active sessions allowed for users authenticated by this method.[Auth]UserConcurrency = 2
Default value is 0, which means there is no session limit.
The following SNMP traps have been added for static proxy accounting timeouts and failures, supporting smart static accounting and static accounting configured in realm files.
- The default value of "JSEngineRuntimeMemory" is changed
from 32 to 8.
- The default value of "WorkerThreadStackSize" in
<radius_installed_path>/JNPRsbr/radius/radius.iniis changed from 512KB to 1MB, to prevent stack corruption.
Consider the following points, if your planning for to Install or upgrade Signalware version to 9s6C on RHEL 7.6 or later version.
- Before installing Signalware on RHEL 7.6 or later version, you must disable the Hardened User-copy feature, which is enabled by default on RHEL 7.6 or later versions.
- Signalware is incompatible with Hardened User-copy feature, and the feature MUST be disabled to ensure the Omnimon debugger is 100% safe to run in production network.
- Please refer https://support.mavenir.com/sites/croc/TechPub/SWAR/Documentation/LINUX%20Installation%20Manual%20Version%2020.0.pdf for detailed information of system perquisites and installing procedure for Signalware installation or upgrade.
The generic plug-in Ids are updated and the following two new parameters are introduced.
PR:1468996 fix is available starting from SBR 8.6.0R13 full builds.
SBR 8.6.0R13 addresses the following limitation in previous builds.
If we consider the generic custom plug-ins like LDAP, TLS, TTLS, PEAP, SQL-JDBC, and ORACLE, the same Prefix ID ("200") is used.
New Plug-In ID
The updated behavior will function only when the parameter LegacyPluginConcurrency is set to
LegacyPluginConcurrency—If this parameter is set to "False" the latest plug-in’s ID will be used, else the SBR behavior will be similar to prior releases. Default Value of "LegacyPluginConcurrency" is "False".
SerialNum—The parameter is added to "[Bootstrap]" section of *.aut file of the generic plug-ins. Range: 1 through 99. By Default the parameter "SerialNumber" is commented.
In case of multiple plug-ins of the same type, the Ids
can be differentiated by adding "SerialNumber" is configured in each
corresponding "aut" file.
The Final Value of "Id" in the ./ShowUserConc -a calculation is done as below.
Id = New Plug-In ID value + SerialNum configured in the
*.aut file of the plug-in.
If the above mentioned scenario of limitation is considered,
with the latest patch full build, we may notice the below out put
hadm@<host_name>:~> ./ShowUserConc.sh -a
Table 4: UserConcurrency
Different values of <serialnum> should be used to differentiate different instances of the same generic plug-in. For example, ldapauth1.aut and ldapauth2.aut. However, if different instances are used in the same backend, <serialnum> should be the same to properly support concurrency limitations.
SBR 8.6.0R14 Release—Features and Limitations
- SBR Carrier has been qualified with RHEL 8.1.
- SBR Carrier support MySQL and NDB version 8.0.22 for RHEL 8.1.
The following is the naming convention introduced for differentiating the RHEL 8.1 of SBR:8.6.0R14 Full build:
Cluster Variant Full build: sbr-cl-8.6.0.R-14.el8.x86_64.rpm
Standalone Variant Full Build: sbr-sa-8.6.0.R-14.el8.x86_64.rpm
el8is present in the name of RHEL 8.1 build of SBR to differentiate between RHEL7.x build which will have
el7tag within the name.
Prerequisite for SBR 8.6.0R14 Installation on RHEL 8.1
In Addition to the required packages for RHEL 7.x the following packages MUST be installed on the RHEL 8.1 machine, where SBR 8.6.0R14 installation is planned.
The OpenLDAP-2.4.46-15 is NOT supported on RHEL 8.1 due to bug “case ID: 02838485“ in RHEL 8.1. Please ensure OpenLDAP-2.4.46-11 is only present on the RHEL 8.1 machine, where SBR8.60R14 installation is planned.
In case if the legacy cipher suits is required as mentioned in the section (Starting from SBR 8.6.0R7 and 8.6.0R8 release, the following features are supported), run the command update-crypto-policies --set LEGACY to set the RHEL 8.1 to use legacy cipher suites.
RHEL 8.1 by default doesn’t support the legacy cipher. Kindly, refer the RHEL 8.1 documentation for more detailed information.
- The Signalware communication stack is not supported on RHEL 8.1 and the SIM authentication module cannot be used on the RHEL 8.1 platform to communicate with an HLR to process RADIUS requests. However, the module can be used with an HSS by using the RADIUS to Diameter conversion feature.
- SBR Carrier has been qualified with Solaris 220.127.116.11.1.75.3 version.
- SBR Carrier support MySQL and NDB version 8.0.22 for Solaris 18.104.22.168.1.75.3 version.
The following is the naming convention introduced for differentiating the Solaris 11.4 Full build for SBR:8.6.0R14
Cluster Variant Full build: sbr-cl-8.6.0.R-14.SPARCV9.tgz
Standalone Variant Full Build: sbr-sa-8.6.0.R-14.SPARCV9.tgz
The tag "SPARCV9" (*UPPER CASE*) is present in the name of Solaris 11.4 Full build of SBR to differentiate between the < 11.4 Solaris builds which will have "sparcv9" (*lower case*) in their name.
In Addition to the required packages lesser than Solaris 11.4 version, the following packages MUST be installed on the Solaris 11.4 machine, where SBR 8.6.0R14 installation is planned.
- developerstudio-126 runtime libraries
- The developerstudio-126 runtime libraries related six libraries MUST be installed successfully on the Solaris 11.4 machine where SBR8.6.0R14 installation is planned.
The following is the example command for installing the six libraries related to developerstudio-126 runtime libraries.
pkg install --accept developerstudio-126/library/c++-libs \
SBR 8.6.0R15 Release—Features and Limitations
36. The StaticTarget parameter is introduced to
*.pro files as part of fix for PR 1499704.
StaticTarget configures SBR to not revert to a previously down
target when it comes back up.
"0", (default) SBR reverts to previously down target when it comes back up.
“1”, SBR will not revert to the previously down target even after it comes back up.
37. Starting from SBR 8.6.0 R15 release onwards, the support
for following Diameter SWm interface attributes is provided on RHEL7.x
and RHEL 8.1 SBR variants.
38. The following third-party package upgrades have been made in the SBR 8.6.0R15 full build versions of SBR .
SBR:8.6.0 R15 supported Linux and SunOS:
OpenSSL has been upgraded to OpenSSL 1.1.1k for Linux and SunOS.
Jetty has been upgraded to 9.4.43.
OpenLDAP has been upgraded from 2.4.50 to 2.4.58 version.
39. Special Notes for RHEL 8.1 1024-bit RSA certificates:
Due to security considerations of RHEL 8.1 version OS, starting from SBR:8.6.0 R15 version lesser than 2047-bit RSA certificates are NOT supported. 1024-bit RSA certificates are considered too weak by RHEL 8 cryptographic policies.
According to RHEL 8 release notes, the default system-wide cryptographic policy accepts RSA keys and Diffie-Hellman parameters if larger than 2047 bits.
40. Special Notes for upgrade using SBR 8.6.0 R15
on RHEL 8.1 and Solaris 22.214.171.124.1.75.3.
In SBR 8.6.0 R15 RHEL 8.1 and Solaris 126.96.36.199.1.75.3 variants the size of "Name" column which represents the Pool Name present in the table "Sbr_IpPools" is modified from 24 varchar to 84 varchar.
To accommodate and synchronize this change between the existing and planned upgrade SBR version (SBR 8.6.0 R15 on RHEL 8.1), the following command MUST be executed only once on the first upgrade planned cluster node.
$ su - hadm
perl ./UpdateSchema.pl 8.6 ColumnUpdate:Name
This command should be executed from "hadm" mode after successful installation and configuration of the Node. Refer the installation guide for detailed procedure for the Rolling-Restart Upgrade.