Features and Limitations — Release wise (Notes)

 

Starting from SBR 8.6.0R2 Release, the following are the features and limitations:

Features

  1. Before installing Signalware on RHEL 7.5, you must disable kernel address space layout randomization (KASLR), which is enabled by default on RHEL 7.5. Signalware is incompatible with KASLR and requires the kernel memory address space to be consistent.
  2. To disable KASLR:

    1. Edit the GRUB_CMDLINE_LINUX key in the /etc/default/grub file to add the new parameter nokaslr. Example: GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=rhel_bng-lnx-perf6/root rd.lvm.lv=rhel_bng-lnx-perf6/swap rhgb quiet nokaslr".
    2. Run grub2-mkconfig -o /boot/grub2/grub.cfg.
    3. Reboot the server.

      This disables the KASLR feature on Linux Kernel.

    4. Install Signalware.
    5. Start Signalware.
  3. To know more about KASLR, refer to the RHEL 7.5 kernel release notes.
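
Added example (not part of the Juniper documentation): a check that the nokaslr edit from the procedure above has actually reached the running kernel, useful both for finishing the procedure and for inventorying hosts where KASLR is off. The state names and the sample /proc/cmdline strings are constructed for illustration; on a host, pass the contents of /etc/default/grub and /proc/cmdline.

```python
import re
import shlex

def grub_cmdline_params(grub_text):
    """Kernel parameters from the last active GRUB_CMDLINE_LINUX= line."""
    params = []
    for line in grub_text.splitlines():
        m = re.match(r"\s*GRUB_CMDLINE_LINUX=(.*)$", line)
        if m:  # commented-out lines start with '#' and do not match
            params = " ".join(shlex.split(m.group(1))).split()
    return params

def kaslr_state(grub_text, running_cmdline):
    """Compare the configured boot parameters with those of the booted kernel."""
    configured = "nokaslr" in grub_cmdline_params(grub_text)
    running = "nokaslr" in running_cmdline.split()
    if configured and running:
        return "disabled"
    if configured:
        return "pending"    # file edited; grub.cfg not regenerated or host not rebooted
    if running:
        return "reverting"  # off now, but /etc/default/grub no longer requests it
    return "enabled"

# Constructed sample inputs (the GRUB_CMDLINE_LINUX value is the page's own example).
SAMPLE_GRUB = '''GRUB_TIMEOUT=5
#GRUB_CMDLINE_LINUX="quiet"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=rhel_bng-lnx-perf6/root rd.lvm.lv=rhel_bng-lnx-perf6/swap rhgb quiet nokaslr"
'''
SAMPLE_BEFORE_REBOOT = "BOOT_IMAGE=/vmlinuz-3.10.0-862.el7.x86_64 ro crashkernel=auto rhgb quiet"
SAMPLE_AFTER_REBOOT = SAMPLE_BEFORE_REBOOT + " nokaslr"

if __name__ == "__main__":
    print(kaslr_state(SAMPLE_GRUB, SAMPLE_BEFORE_REBOOT))  # after step 1, before step 3
    print(kaslr_state(SAMPLE_GRUB, SAMPLE_AFTER_REBOOT))   # after step 3
```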

Limitation

  1. SBR does not log grouped AVPs such as Vendor-Specific-Application-ID in Diameter messages due to a design constraint.

Starting from SBR 8.6.0R3 Release, the following features are supported

  1. The following error codes and reject reasons are logged in rejects_YYYYMMDD.csv under the radius_installed/authreports directory for the Invalid Password scenario in the proxy directed realm case, instead of printing Tunneled authentication reject for TTLS.

    Two error codes and reject reasons are added to reject logging:

    1. AUTH_ERR_044 and ldap auth user not authenticated for TTLS with LDAP.
    2. AUTH_ERR_043 and user found, but password validation failed for TTLS with SQL.
  2. A new parameter "RejectMalformedPacket" is introduced in the radius_installed/radius.ini file to control whether SBR rejects malformed packets.

    • RejectMalformedPacket - When this parameter is enabled, SBR rejects any malformed packet it receives.

    • Default value is 0.

    • If RejectMalformedPacket is set to 1, SBR will reject the malformed request received.

    • If set to 0, SBR will skip the malformed attribute and continue parsing.

      Note

      If the packet is so severely malformed that it is not usable, then it would be dropped.
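
Added example (a model of the three outcomes described above, not SBR's code): a RADIUS attribute walk per RFC 2865 in which a bad attribute is either skipped or causes a reject, and broken framing causes a drop. What SBR itself treats as "malformed" is not stated on the page; this sketch assumes a fixed-length attribute with the wrong length, and the function names and sample packet are constructed.

```python
import struct

# Attributes whose total length RFC 2865 fixes at 6 octets (type, length, 4-octet value).
FIXED_LEN = {4: 6, 5: 6, 6: 6, 8: 6}  # NAS-IP-Address, NAS-Port, Service-Type, Framed-IP-Address

def handle_request(data, reject_malformed):
    """Return (outcome, attributes); outcome is 'drop', 'reject' or 'process'."""
    if len(data) < 20:
        return "drop", []
    _code, _ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        return "drop", []                  # header length is unusable
    attrs, pos = [], 20                    # attributes follow the 20-octet header
    while pos < length:
        if pos + 2 > length:
            return "drop", []
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            return "drop", []              # framing lost: next attribute cannot be located
        if FIXED_LEN.get(atype, alen) != alen:
            if reject_malformed:
                return "reject", []        # RejectMalformedPacket = 1
            # RejectMalformedPacket = 0: skip this attribute and keep parsing
        else:
            attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return "process", attrs

def build_request(attrs):
    """Build a constructed Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

# Constructed sample: Framed-IP-Address (8) carries 3 octets instead of 4.
SAMPLE = build_request([(1, b"alice"), (8, b"\x0a\x00\x01"), (5, b"\x00\x00\x00\x01")])

if __name__ == "__main__":
    for flag in (0, 1):
        print(flag, handle_request(SAMPLE, flag))
    print(handle_request(SAMPLE[:-2], 1))  # truncated on the wire
```

With the flag at 0 the request is processed without its Framed-IP-Address, so anything downstream that keys on that attribute sees it as absent rather than invalid.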

Starting from SBR 8.6.0R4 Release, the following features are supported

Features

  1. A new configuration parameter has been introduced in radius.ini as part of the fix for PR 1465028, for cases where both Framed-Interface-Id and Framed-IP-Address attributes are present in an accounting request. Setting ExcludeFramedInterfaceId=1 in radius.ini prevents SBR from recording the Framed-Interface-Id value to the Ipv4Address CST field. By default, ExcludeFramedInterfaceId is 0 (disabled). A new setting will be created in a future patch to store Framed-Interface-Id separately.
  2. The following error codes and reject reasons are logged in “rejects_YYYYMMDD.csv” under the radius_installed/authreports directory for the invalid username and no username scenarios in the proxy directed realm case, instead of printing Tunneled authentication reject for TTLS.

    1. Invalid Username—"AUTH_ERR_004" and "Unable to find user with matching password".
    2. No Username—"AUTH_ERR_019" and "Missing User Name attribute in request".

    Known Issues

    The following are known issues related to retaining backward compatibility, which are planned to be fixed in future patch releases.

    1. PR 1474738-1: SBR auth reject report logs error code AUTH_ERR_004 instead of error code AUTH_ERR_048 when configured max-concurrent value is exceeded.
    2. PR 1475213-1: SBR logs error code "AUTH_ERR_004" instead of error code "AUTH_ERR_048" for EAP NAK received.
    3. PR 1475534-1: SBR logs "AUTH_ERR_004", "Unable to find user with matching password" instead of "AUTH_ERR_048", "Unavailable" when DHCP pool IP-Addresses are unavailable.
  3. SBR is supported on the Linux RHEL 7.7 variant.

Starting from SBR 8.6.0R5 Release, the following features are supported

  1. Starting from 8.6.0R5, the “expect” package must be pre-installed on RHEL and Solaris before executing the SBR “configure” script from the <radius_installed>/install/ path.

    The “expect” package versions validated for SBR variants are:

  2. Starting from 8.6.0R5, the following steps must be followed before applying the patch. These steps manually renew the expiration time stamp.
    1. Stop the SBR using the command ./sbrd stop radius from radius_install_path.
    2. Execute the following commands from radius_install_path.
      Note

      After the execution of these steps apply the patch and start SBR.

Starting from SBR 8.6.0R6 release, the following features are supported

  1. As part of PR 1219412, Enhanced EAP Logging support is provided only for TLS version 1.2. Logging for TLS version 1.1 still remains unsupported.

Starting from SBR 8.6.0R7 and 8.6.0R8 release, the following features are supported

  1. The following weak cipher suites are now optionally available to support legacy clients.
    • [0x2f] AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA

    • [0x35] AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA

    • [0x3c] AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256

    • [0x3d] AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256

  2. If the above cipher suites are needed to support legacy devices, they may be added.

    By default, SBR is configured to use the following cipher suites for TLS and TTLS: 0x0067,0x006B,0xC030,0xC028,0xC014,0xC013.

    If needed, the weak cipher suites mentioned above can be configured in the Web GUI under RADIUS Configuration > Authentication Policies > EAP Methods > EAP-TLS/EAP-TTLS > Advanced Server Settings tab.
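
Added example (not Juniper code): an audit of a configured suite list that flags the four optional suites above. It classifies by the IANA name, which shows what separates them from the defaults: static RSA key exchange, since most of the default suites are CBC as well. The comma-separated hex input mirrors how the page writes the default list and is an assumption about how the setting is recorded; the function names are hypothetical.

```python
# IANA names for the suite IDs that appear on the page.
SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x0067: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    0x006B: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
DEFAULT_LIST = "0x0067,0x006B,0xC030,0xC028,0xC014,0xC013"  # default list from the page

def audit(suite_list):
    """Classify each configured suite ID; returns one finding dict per entry."""
    findings = []
    for token in suite_list.replace("[", "").replace("]", "").split(","):
        token = token.strip()
        if not token:
            continue
        try:
            sid = int(token, 16)  # accepts 0x2f, 0x002F, 2f
        except ValueError:
            findings.append({"id": token, "status": "invalid"})
            continue
        name = SUITES.get(sid)
        if name is None:
            status = "unknown"    # not one of the IDs listed on the page
        elif name.startswith("TLS_RSA_WITH_"):
            status = "weak"       # static RSA key exchange: no forward secrecy
        else:
            status = "default"    # DHE or ECDHE key exchange
        findings.append({"id": "0x%04X" % sid, "name": name, "status": status})
    return findings

def weak_ids(suite_list):
    """Normalized IDs of the legacy suites present in the list."""
    return [f["id"] for f in audit(suite_list) if f["status"] == "weak"]

if __name__ == "__main__":
    # Constructed input: the default list with two legacy suites appended.
    for finding in audit(DEFAULT_LIST + ",0x2f,0x003D"):
        print(finding)
```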

Starting from SBR 8.6.0R9 release, the following features are supported

  1. The Parameter “DisableMetaData” is added in the following files

    • sqlaccessor_jdbc.gen

    • radsqljdbc.aut

    • radsqljdbc.acc

  2. DisableMetaData

    • Set this parameter to avoid data type conversion in the input container between JavaScript and MySQL when using the generic string type in the container (*.gen) file and varchar in the MySQL DB function, and then converting the received varchar value in the DB to its corresponding type using the 'cast' function.

    • Enable this parameter when using the MySQL driver to avoid errors when an integer is used as the data type argument.

    • Default Value is 0.

    Consider an input variable MaxSessions of type varchar(20) which holds an integer value. It can be converted to its corresponding type by using the following:

    Note

    If DisableMetaData is set to 0 (disabled), the value “maxSess” will be NULL and an error (CDataAccessorClassObject::getOutputVariable(): failed to get variable (result) from container) will be logged.

    To avoid this error and to set the proper value for “maxSess”, set DisableMetaData to 1 (enabled).

Starting from SBR 8.6.0R10 release, the following features are supported

  1. To discard accounting requests if one or more target realms marked as “Primary” fail to respond, you must set the parameter SuppressResponseIfStaticAcctFails = yes in the Configuration section of the proxy.ini file.

Starting from SBR 8.6.0R11 release, the following features are supported

  1. SBR Carrier has been qualified on Sparc Solaris 11.3.36.20.0.
  2. Testing of SBR Carrier 8.6.0:R11 full build versions has been performed successfully on the Red Hat Enterprise Linux 7.3 - 7.7 and Solaris 11.3.36.10.0, 11.3.36.20.0 operating systems in the Juniper standard laboratory environment.
  3. For performance improvement, Solaris install packages now include OpenLDAP 2.4.50.

Starting from SBR 8.6.0R12 release, the following features are supported

  1. Starting from SBR 8.6.0R12 release, SBR Carrier has been qualified with RHEL 7.8.
    • The following third-party package upgrades have been made in the SBR 8.6.0R12 full build versions.

      • OpenSSL has been upgraded to OpenSSL 1.1.1g.

      • Expat has been upgraded to Expat 2.2.9.

Starting from SBR 8.6.0R13 release, the following are the features and limitations

  1. UserConcurrency—A new parameter has been introduced to configure an active session limit for users authenticated by the proxy authentication method.

    To configure a session limit, uncomment UserConcurrency in the proxy configuration (.pro) file, and provide a value for the number of active sessions allowed for users authenticated by this method.

    Note

    Default value is 0, which means there is no session limit.

  2. The following SNMP traps have been added for static proxy accounting timeouts and failures, supporting smart static accounting and static accounting configured in realm files.

    • RADMSG_STATIC_ACCT_PROXY_TIMEOUT

    • RADMSG_STATIC_ACCT_PROXY_FAILURE

  3. The default value of "JSEngineRuntimeMemory" is changed from 32 to 8.

    Increasing the value of JSEngineRuntimeMemory will decrease the frequency of garbage collection but negatively affect performance.

  4. The default value of "WorkerThreadStackSize" in <radius_installed_path>/JNPRsbr/radius/radius.ini is changed from 512KB to 1MB, to prevent stack corruption.
  5. Consider the following points if you are planning to install or upgrade Signalware to version 9s6C on RHEL 7.6 or later.

    1. Before installing Signalware on RHEL 7.6 or later, you must disable the Hardened User-copy feature, which is enabled by default on RHEL 7.6 and later versions.
    2. Signalware is incompatible with the Hardened User-copy feature, and the feature MUST be disabled to ensure the Omnimon debugger is 100% safe to run in a production network.
    3. Refer to https://support.mavenir.com/sites/croc/TechPub/SWAR/Documentation/LINUX%20Installation%20Manual%20Version%2020.0.pdf for detailed information on system prerequisites and the procedure for Signalware installation or upgrade.
  6. The generic plug-in Ids are updated and the following two new parameters are introduced.

    1. SerialNum
    2. LegacyPluginConcurrency
    Note

    PR:1468996 fix is available starting from SBR 8.6.0R13 full builds.

SBR 8.6.0R13 addresses the following limitation in previous builds.

For the generic custom plug-ins such as LDAP, TLS, TTLS, PEAP, SQL-JDBC, and ORACLE, the same Prefix ID ("200") is used.

Component    New Plug-In ID
LDAP         400
TLS          500
TTLS         600
PEAP         700
SQL-JDBC     800
ORACLE       900

Note

The updated behavior will function only when the parameter LegacyPluginConcurrency is set to False.

LegacyPluginConcurrency—If this parameter is set to "False" the latest plug-in’s ID will be used, else the SBR behavior will be similar to prior releases. Default Value of "LegacyPluginConcurrency" is "False".

SerialNum—The parameter is added to the "[Bootstrap]" section of the *.aut file of the generic plug-ins. Range: 1 through 99. By default, the parameter "SerialNumber" is commented out.

Note

In case of multiple plug-ins of the same type, the Ids can be differentiated by configuring "SerialNumber" in each corresponding "aut" file.

The final value of "Id" in the ./ShowUserConc -a output is calculated as follows:

Id = New Plug-In ID value + SerialNum configured in the *.aut file of the plug-in.

For the limitation scenario described above, with the latest patch full build, the ./ShowUserConc.sh -a output may look like the following:

hadm@<host_name>:~> ./ShowUserConc.sh -a

Table 4: UserConcurrency

Id          Count
901-Test    3
401-Test    4

Note

Different values of <serialnum> should be used to differentiate different instances of the same generic plug-in. For example, ldapauth1.aut and ldapauth2.aut. However, if different instances are used in the same backend, <serialnum> should be the same to properly support concurrency limitations.

SBR 8.6.0R14 Release—Features and Limitations

LINUX

  1. SBR Carrier has been qualified with RHEL 8.1.
  2. SBR Carrier supports MySQL and NDB version 8.0.22 for RHEL 8.1.
  3. The following is the naming convention introduced for differentiating the RHEL 8.1 of SBR:8.6.0R14 Full build:

    • Cluster Variant Full build: sbr-cl-8.6.0.R-14.el8.x86_64.rpm

    • Standalone Variant Full Build: sbr-sa-8.6.0.R-14.el8.x86_64.rpm

    Note

    The tag el8 is present in the name of the RHEL 8.1 build of SBR to differentiate it from the RHEL 7.x build, which has the el7 tag in its name.

  4. Prerequisite for SBR 8.6.0R14 Installation on RHEL 8.1

    In Addition to the required packages for RHEL 7.x the following packages MUST be installed on the RHEL 8.1 machine, where SBR 8.6.0R14 installation is planned.

    • expect

    • ncurses-compat-libs

    • OpenLDAP-2.4.46-11

    Note

Limitation

  1. The Signalware communication stack is not supported on RHEL 8.1 and the SIM authentication module cannot be used on the RHEL 8.1 platform to communicate with an HLR to process RADIUS requests. However, the module can be used with an HSS by using the RADIUS to Diameter conversion feature.

SOLARIS

  1. SBR Carrier has been qualified with Solaris 11.4.25.0.1.75.3 version.
  2. SBR Carrier supports MySQL and NDB version 8.0.22 for Solaris 11.4.25.0.1.75.3 version.
  3. The following is the naming convention introduced for differentiating the Solaris 11.4 Full build for SBR:8.6.0R14

    • Cluster Variant Full build: sbr-cl-8.6.0.R-14.SPARCV9.tgz

    • Standalone Variant Full Build: sbr-sa-8.6.0.R-14.SPARCV9.tgz

    Note

    The tag "SPARCV9" (*UPPER CASE*) is present in the name of Solaris 11.4 Full build of SBR to differentiate between the < 11.4 Solaris builds which will have "sparcv9" (*lower case*) in their name.

  4. In addition to the packages required for Solaris versions earlier than 11.4, the following packages MUST be installed on the Solaris 11.4 machine where SBR 8.6.0R14 installation is planned.

    1. expect
    2. ncurses-compat-libs
    3. developerstudio-126 runtime libraries
    Note
    1. The six libraries of the developerstudio-126 runtime MUST be installed successfully on the Solaris 11.4 machine where SBR 8.6.0R14 installation is planned.
    2. The following is an example command for installing the six developerstudio-126 runtime libraries:

      pkg install --accept developerstudio-126/library/c++-libs \
        developerstudio-126/library/c-libs \
        developerstudio-126/library/f90-libs \
        developerstudio-126/library/math-libs \
        developerstudio-126/library/perflib \
        developerstudio-126/library/studio-gccrt

SBR 8.6.0R15 Release—Features and Limitations

36. The StaticTarget parameter is introduced to *.pro files as part of fix for PR 1499704.

StaticTarget configures SBR to not revert to a previously down target when it comes back up.

  • "0" (default): SBR reverts to the previously down target when it comes back up.

  • "1": SBR will not revert to the previously down target even after it comes back up.

37. Starting from the SBR 8.6.0 R15 release, the following Diameter SWm interface attributes are supported on the RHEL 7.x and RHEL 8.1 SBR variants.

Core-Network-Restrictions (1704)

UE-Usage-Type (1680)

Interworking-5GS-Indicator (1706)

38. The following third-party package upgrades have been made in the SBR 8.6.0R15 full build versions of SBR.

SBR:8.6.0 R15 supported Linux and SunOS:

  • OpenSSL has been upgraded to OpenSSL 1.1.1k for Linux and SunOS.

  • Jetty has been upgraded to 9.4.43.

  • OpenLDAP has been upgraded from 2.4.50 to 2.4.58 version.

39. Special Notes for RHEL 8.1 1024-bit RSA certificates:

Due to security considerations of the RHEL 8.1 OS, starting from SBR:8.6.0 R15, RSA certificates of less than 2047 bits are NOT supported. 1024-bit RSA certificates are considered too weak by RHEL 8 cryptographic policies.

According to RHEL 8 release notes, the default system-wide cryptographic policy accepts RSA keys and Diffie-Hellman parameters if larger than 2047 bits.

40. Special Notes for upgrade using SBR 8.6.0 R15 on RHEL 8.1 and Solaris 11.4.25.0.1.75.3.

In SBR 8.6.0 R15 RHEL 8.1 and Solaris 11.4.25.0.1.75.3 variants the size of "Name" column which represents the Pool Name present in the table "Sbr_IpPools" is modified from 24 varchar to 84 varchar.

To accommodate and synchronize this change between the existing and planned upgrade SBR version (SBR 8.6.0 R15 on RHEL 8.1), the following command MUST be executed only once on the first upgrade planned cluster node.

$ su - hadm

perl ./UpdateSchema.pl 8.6 ColumnUpdate:Name


This command should be executed as the "hadm" user after successful installation and configuration of the node. Refer to the installation guide for the detailed procedure for the Rolling-Restart Upgrade.