radius.ini File

 

The radius.ini initialization file is the main configuration file that determines the operation of Steel-Belted Radius Carrier. It contains information that controls a variety of Steel-Belted Radius Carrier functions and operations.

[Addresses] Section

By default, the Steel-Belted Radius Carrier server tries to auto configure all IPv4 addresses that are reported by name services for the primary hostname of the server on which Steel-Belted Radius Carrier is running, so that it can listen for incoming RADIUS packets on all available network interfaces. If IPv6 is enabled, Steel-Belted Radius Carrier auto configures its IPv6 addresses and then listens on all interfaces using IPv6 addresses.

Explicitly configure the IP addresses that you want Steel-Belted Radius Carrier to use in the [Addresses] section of radius.ini if Steel-Belted Radius Carrier is running on a multi-homed (more than one network interface) server and if any of these statements apply to your network:

  • One or more network interfaces on the server are connected to networks that you do not want to carry RADIUS traffic.

  • The server has more than one hostname, and IP addresses exist for names other than the primary hostname.

  • The server has private IP addresses that are not published by name services.

Specifying IPv4 or IPv6 addresses causes the server to listen on only those addresses and ignore all other addresses.

Specifying AutoConfigureIPv4 or AutoConfigureIPv6 causes Steel-Belted Radius Carrier to attempt to discover and configure all IPv4 or IPv6 addresses that belong to the local host automatically.

Example 1

This example configures Steel-Belted Radius Carrier to listen for RADIUS authentication and accounting requests on the IPv4 address 192.168.12.35 and on all local IPv6 interfaces. IPv6 functionality must be enabled (by setting Enable to 1 in the [IPv6] section of radius.ini) before IPv6 addresses can be used.

To route all of your proxy traffic through a single interface, set the value for ProxySource in the [Configuration] section of radius.ini to the appropriate IP address or addresses, which must be listed in the [Addresses] section.

Example 2

This example routes all proxy traffic through the interface at 192.10.20.30:

The ProxySource setting in the [Configuration] section of radius.ini disables per-realm control of proxy outbound interfaces. If ProxySource is not set, sockets are opened and bound for each interface on the server. To route different proxy realms through specific interfaces using the proxy.ini file, refer to [Interfaces] Section.
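The configuration lines for Example 1 and Example 2 survive on this page only as their descriptions. The Python script below is an added example, not part of the SBR Carrier documentation or product: it reconstructs the two fragments from those descriptions (constructed text, marked as such in the code) and checks the two constraints the text states, that IPv6 listening needs [IPv6] Enable = 1 and that every ProxySource address must appear in [Addresses]. Parsing radius.ini with configparser is this example's own choice; the check does not resolve AutoConfigureIPv4/IPv6 entries, since that would require host name lookups.

```python
"""Reconstruct the two [Addresses] examples described above and check the
constraints the text states. Added example; not SBR Carrier code."""
import configparser
import ipaddress

# Constructed from the prose description of Example 1: listen on 192.168.12.35
# and on all local IPv6 interfaces, with IPv6 enabled first.
EXAMPLE_1 = """
[IPv6]
Enable = 1

[Addresses]
192.168.12.35
AutoConfigureIPv6
"""

# Constructed from the prose description of Example 2: route all proxy
# traffic through 192.10.20.30, which must therefore be listed in [Addresses].
EXAMPLE_2 = """
[Addresses]
192.10.20.30

[Configuration]
ProxySource = 192.10.20.30
"""


def load_radius_ini(text):
    # [Addresses] holds bare values with no '=', so allow key-only lines; keep
    # ':' out of the delimiter set so IPv6 literals survive as keys.
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                   delimiters=("=",))
    cp.optionxform = str.lower          # radius.ini keywords are case-insensitive
    cp.read_string(text)
    return cp


def section(cp, name):
    """Case-insensitive section lookup; empty mapping if the section is absent."""
    for s in cp.sections():
        if s.lower() == name.lower():
            return cp[s]
    return {}


def listen_addresses(cp):
    """Return (explicit addresses, auto_v4, auto_v6, entries that are not addresses)."""
    explicit, bad = [], []
    auto_v4 = auto_v6 = False
    for key in section(cp, "Addresses"):
        if key == "autoconfigureipv4":
            auto_v4 = True
        elif key == "autoconfigureipv6":
            auto_v6 = True
        else:
            try:
                explicit.append(ipaddress.ip_address(key))
            except ValueError:
                bad.append(key)
    return explicit, auto_v4, auto_v6, bad


def check_addresses(text):
    """List the configuration problems found; an empty list means consistent."""
    cp = load_radius_ini(text)
    explicit, auto_v4, auto_v6, bad = listen_addresses(cp)
    problems = [f"[Addresses] entry {b!r} is not an IP address" for b in bad]
    if not (explicit or auto_v4 or auto_v6):
        problems.append("[Addresses] is empty: every interface will be auto-configured")
    ipv6_enabled = section(cp, "IPv6").get("enable", "0") == "1"
    if (auto_v6 or any(a.version == 6 for a in explicit)) and not ipv6_enabled:
        problems.append("IPv6 listening requested but [IPv6] Enable is not 1")
    proxy_source = section(cp, "Configuration").get("proxysource")
    if proxy_source:
        for s in proxy_source.split():           # one or more addresses
            if ipaddress.ip_address(s) not in explicit:
                problems.append(f"ProxySource {s} is not listed in [Addresses]")
    return problems


if __name__ == "__main__":
    for name, text in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(name, check_addresses(text) or "OK")
```

Run it against a real radius.ini by reading the file into `check_addresses`; a non-empty result lists the interface or ProxySource mismatches that would otherwise only show up as RADIUS traffic leaving on the wrong interface.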

[AuditLog] Section

The [AuditLog] section (Table 14) specifies whether Steel-Belted Radius Carrier maintains an audit log file (audityyyymmdd.xml) to record administrator activities and CCM events. Audit log records are stored in XML format in the radius/audit directory.

Administrator activities include:

  • Logging in and out by Steel-Belted Radius Carrier administrators

  • Creating, modifying, and deleting Steel-Belted Radius Carrier objects (RADIUS clients, users, profiles, proxy targets, proxy realms, tunnels, administrators, authentication policies, or CCM nodes)

  • Importing files

CCM events include publication, notification, and download of CCM files.

Note

The audit log does not track changes made through the LDAP configuration interface (LCI).

Table 14: radius.ini [AuditLog] Syntax

Parameter

Function

Enable

  • If set to 0, audit logging is disabled.

  • If set to 1, audit logging is enabled.

    Default value is 0.

LogfilePermissions

Specifies the owner and access permissions of the audit log file (audityyyymmdd.xml).

Enter a value for LogfilePermissions in owner:group permissions format, where:

  • owner specifies the owner of the file, by name or numeric ID.

  • group specifies the group of the file, by name or numeric ID.

  • permissions specifies the privileges of owner, group, and other with respect to the file, in symbolic or numeric form.

    For example, user:1007 rw-r----- (mode 640) specifies that the file owner (user) can read and edit the audit log file, members of group 1007 can read (but not edit) it, and other users cannot access it. Because the audit log records administrator activity, do not grant any access to other.

DaysToKeep

Specifies the number of days the Steel-Belted Radius Carrier server retains each audit log file.

Default value is 30 days.
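A parser for the owner:group permissions value, added here as an example and not taken from SBR Carrier, together with the check a reviewer wants on an audit log: no access for other and no write access for anyone but the owner. The symbolic form follows the example in the table; the numeric form is assumed to be octal as for chmod, which the page does not spell out.

```python
"""Parse the LogfilePermissions value and flag a world-readable audit log.
Added example; not SBR Carrier code."""
import re

_SYMBOLIC = re.compile(r"^[r-][w-][x-][r-][w-][x-][r-][w-][x-]$")
_NUMERIC = re.compile(r"^[0-7]{3,4}$")


def parse_logfile_permissions(value):
    """Turn 'owner:group permissions' into (owner, group, mode) with mode an int.

    The symbolic form follows the page's example (rw-r-----). The numeric form
    is assumed here to be octal, as for chmod; the page does not spell it out.
    """
    parts = value.split()
    if len(parts) != 2 or ":" not in parts[0]:
        raise ValueError(f"expected 'owner:group permissions', got {value!r}")
    owner, group = parts[0].split(":", 1)
    if not owner or not group:
        raise ValueError(f"owner and group must both be given in {parts[0]!r}")
    perms = parts[1]
    if _SYMBOLIC.match(perms):
        mode = 0
        for i, ch in enumerate(perms):          # rwxrwxrwx -> bit 8 down to bit 0
            if ch != "-":
                mode |= 1 << (8 - i)
    elif _NUMERIC.match(perms):
        mode = int(perms, 8) & 0o777             # assumption: octal; drop setuid/setgid/sticky
    else:
        raise ValueError(f"unrecognised permissions {perms!r}")
    return owner, group, mode


def audit_log_permission_findings(value):
    """Return human-readable findings; an empty list means the setting is sound."""
    _owner, _group, mode = parse_logfile_permissions(value)
    findings = []
    if mode & 0o007:
        findings.append("'other' has access to the audit log; administrator activity is exposed")
    if mode & 0o022:
        findings.append("group or other can modify or delete the audit trail")
    if mode & 0o111:
        findings.append("execute bit set on a log file")
    if not mode & 0o400:
        findings.append("owner cannot read the file the server writes")
    return findings


if __name__ == "__main__":
    for setting in ("user:1007 rw-r-----", "radius:radius 644", "radius:radius rw-rw-rw-"):
        print(setting, "->", audit_log_permission_findings(setting) or "OK")
```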

[AuthRejectLog] Section

You configure the [AuthRejectLog] section (Table 15) of radius.ini to specify what types of authentication method rejection messages Steel-Belted Radius Carrier records in the server log file (yyyymmdd.log). You can specify that you want the server log file to record reject information generated by all authentication methods, reject information of one or more specific types, or the most relevant rejection information.

Processing an authentication request might give several authentication methods (or several instances of one method) a chance to authenticate the user. If at least one of them succeeds, nothing is recorded in the server log file. If all of them fail, you can specify that only the most relevant reason for the failure is recorded. For example, if one method fails with an error of type InvalidCredentials and another with an error of type SystemError, only the InvalidCredentials message is logged, because InvalidCredentials ranks higher in the relevance order given under the Filter parameter.

You can specify that more than one type of log message be recorded by entering more than one filter type value for the Filter parameter.

Table 15: radius.ini [AuthRejectLog] Syntax

Parameter

Function

Enable

  • If set to 0, authentication reject details are not recorded in the server log file.

  • If set to 1, authentication reject details of the specified types are recorded in the server log file.

Default value is 0.

Filter

Specifies the types of authentication reject messages to be recorded. Enter All, MostRelevant, or one or more of the specific reject types listed below, separated by spaces:

  • All—Record authentication rejection details from all authentication methods.

  • MostRelevant—When multiple authentication methods are tried and all fail, record only the most relevant message (the one with the greatest severity). If two messages have the same severity, both are listed.

The specific reject types, listed in order of greatest to least relevance, are:

  • PostProcessRejection—User was authenticated successfully but post processing caused rejection.

  • InvalidCredentialsOrUser—User was not authenticated because user was not found or credentials were invalid.

  • InvalidCredentials—User was not authenticated because user was known but the password or certificate was not correct.

  • UnsupportedCredentialType—User was not authenticated because the credentials presented were of the wrong type.

  • UserNotFound—User was not authenticated because user cannot be found in the authentication database.

  • AccessError—Authentication failed because a database or remote server was inaccessible.

  • InvalidRequest—User was not authenticated because the request appeared to be malformed.

  • BlacklistedUser—User was not authenticated because user is blocklisted.

  • SystemError—User was not authenticated because of a system error such as a resource allocation error.

This example causes authentication reject details from all authentication methods to be recorded to the server log file:

This example causes all authentication reject details of type SystemError to be recorded:

This example causes all authentication reject details of type SystemError, BlacklistedUser, or UserNotFound to be recorded:
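The three examples above survive on this page only as descriptions. The Python below is an added example, not SBR Carrier code: it reconstructs the three [AuthRejectLog] fragments as constructed text, parses the Filter value, and models which reject messages reach the server log under All, MostRelevant, and a list of specific types, including the two cases the text calls out (one successful method suppresses all logging; equal-severity messages are both listed). The relevance ranking is the order given in the table.

```python
"""Model the [AuthRejectLog] Filter semantics described above.
Added example; not SBR Carrier code."""
import configparser

# Greatest to least relevance, exactly as listed in the table.
RELEVANCE_ORDER = [
    "PostProcessRejection", "InvalidCredentialsOrUser", "InvalidCredentials",
    "UnsupportedCredentialType", "UserNotFound", "AccessError",
    "InvalidRequest", "BlacklistedUser", "SystemError",
]
RANK = {name.lower(): i for i, name in enumerate(RELEVANCE_ORDER)}

# Constructed fragments matching the three example descriptions above.
EXAMPLES = {
    "all": "[AuthRejectLog]\nEnable = 1\nFilter = All\n",
    "system_error": "[AuthRejectLog]\nEnable = 1\nFilter = SystemError\n",
    "three_types": "[AuthRejectLog]\nEnable = 1\n"
                   "Filter = SystemError BlacklistedUser UserNotFound\n",
}


def read_filter(fragment):
    """Return (enabled, set of lower-cased Filter tokens) from a radius.ini fragment."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(fragment)
    sec = cp["AuthRejectLog"]
    tokens = set(sec.get("Filter", "").lower().split())
    unknown = tokens - set(RANK) - {"all", "mostrelevant"}
    if unknown:
        raise ValueError(f"unknown Filter value(s): {sorted(unknown)}")
    return sec.get("Enable", "0") == "1", tokens


def rejects_to_log(enabled, tokens, outcomes):
    """outcomes: list of (method, reject_type), reject_type None when the method
    accepted the user. Returns the outcomes whose reject details are logged."""
    if not enabled or any(t is None for _, t in outcomes):
        return []                                  # one success: nothing is logged
    if "all" in tokens:
        return list(outcomes)
    if "mostrelevant" in tokens:
        best = min(RANK[t.lower()] for _, t in outcomes)
        return [o for o in outcomes if RANK[o[1].lower()] == best]   # ties: both listed
    return [o for o in outcomes if o[1].lower() in tokens]


if __name__ == "__main__":
    outcomes = [("LDAP", "InvalidCredentials"), ("SQL", "SystemError")]
    for name, fragment in EXAMPLES.items():
        print(name, "->", rejects_to_log(*read_filter(fragment), outcomes))
    print("MostRelevant ->", rejects_to_log(True, {"mostrelevant"}, outcomes))
```

Note the operational consequence of MostRelevant: when a backend outage (AccessError or SystemError) coincides with a bad password, only the credential failure is logged, so an outage can be invisible in the reject log until every method fails the same way.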

[Configuration] Section

The [Configuration] section (Table 16) of radius.ini contains parameters that control basic behavior of Steel-Belted Radius Carrier.

Table 16: radius.ini [Configuration] Syntax

Parameter

Function

AcctAutoStopEnable

The Proxy AutoStop feature forwards session termination information to downstream proxy RADIUS servers when a user session is closed, so that the resources associated with the user session can be freed.

You can set the AcctAutoStopEnable parameter value as Enabled, Disabled, or NoOnOff.

  • Enabled—Proxy AutoStop feature is enabled.

  • Disabled—Proxy AutoStop feature is disabled.

  • NoOnOff—Proxy AutoStop feature is enabled, but prevents Accounting-Stop packets from being sent in response to Accounting-On or Accounting-Off received from a NAS.

The default value is Disabled.

Acct-Flood-Queue-Shape

Type of queuing used for accounting requests. You can use one of the following values:

  • FIFO

  • LIFO

  • RAND

Default value is LIFO.

Acct-Receive-Realtime-Thread-Priority

Accounting requests (as well as proxy responses) are received on two separate threads. The priority of these threads can be set as follows:

  • TS (timeshare)—This is the default class for processes and their associated kernel threads. Priority numbers within this class range from 0 through 59 and are adjusted dynamically in an attempt to allocate processor resources evenly.

  • RT (real-time)—Threads in the RT class have a fixed priority and a fixed time quantum. Priority numbers range from 100 through 159, so an RT thread preempts a system thread.

SBR sets the priority to the lesser of the maximum possible RT priority and the configured value (0 = no change).

Note: On Linux, the smaller the numerical value, the higher the priority.

AckOnCookieFailure

Specifies whether SBR Carrier acknowledges an accounting request whose session cookie cannot be validated. With either value other than No, SBR Carrier sends an acknowledgement for every accounting request it receives.

  • No—Neither a new session is created nor an Accounting-Ack sent when the cookie check fails.

  • WithoutSession—An acknowledgement is sent despite the error, but no new session is created for an Accounting-Start.

  • WithSession—An acknowledgement is sent despite the error, and a new session is created.

Default value is No.

AddDestIPAddressAttrToRequest

  • If set to 0, Steel-Belted Radius Carrier does not add destination address information to RADIUS requests.

  • If set to 1, Steel-Belted Radius Carrier adds a Funk-Dest-IP-Address attribute identifying the IP address to which the RADIUS request was sent to the attributes in the packet. All processing that can be performed on an attribute included in the request packet, such as check list processing, can be performed on this attribute.

Default value is 0.

If you enable this parameter, the added attribute is visible to the proxy module. If your environment proxies requests, you might want to configure Steel-Belted Radius Carrier to strip the attribute from the request before forwarding it to a downstream server.

AddDestUDPPortAttrToRequest

  • If set to 0, Steel-Belted Radius Carrier does not add destination port information to RADIUS requests.

  • If set to 1, Steel-Belted Radius Carrier adds a Funk-Dest-UDP-Port attribute identifying the UDP port to which the RADIUS request was sent to the attributes in the packet. All processing that can be performed on an attribute included in the request packet, such as check list processing, can be performed on this attribute.

Default value is 0.

If you enable this parameter, the added attribute is visible to the proxy module. If your environment proxies requests, you might want to configure Steel-Belted Radius Carrier to strip the attribute from the request before forwarding it to a downstream server.

AddFunkClientGroupToRequest

  • If set to 0, Steel-Belted Radius Carrier does not add a Funk-Radius-Client-Group attribute to an incoming RADIUS request.

  • If set to 1, Steel-Belted Radius Carrier adds a Funk-Radius-Client-Group attribute to the RADIUS request. The value of the Funk-Radius-Client-Group attribute is set to the name of the client group.

Default value is 0.

Note: Enable this option only if you configure RADIUS client groups in Web GUI. For more information about RADIUS client groups, refer to the SBR Carrier Administration and Configuration Guide.

AddFunkLocationGroupIdToRequest

  • If set to 0, Steel-Belted Radius Carrier does not add a Funk-Location-Group-Id attribute to an incoming RADIUS request.

  • If set to 1, Steel-Belted Radius Carrier adds a Funk-Location-Group-Id attribute to an incoming RADIUS request if the request comes from a client in a configured location group. The value of the Funk-Location-Group-Id attribute is set to the name of the location group, which can be used for SQL, LDAP, and check list processing.

Default value is 0.

AddSourceIPAddressAttrToRequest

  • If set to 0, Steel-Belted Radius Carrier does not add source address information to RADIUS requests.

  • If set to 1, Steel-Belted Radius Carrier adds a Funk-Source-IP-Address attribute identifying the IP address from which the RADIUS request was received to the attributes in the packet. All processing that can be performed on an attribute included in the request packet, such as check list processing, can be performed on this attribute.

Default value is 0.

If you enable this parameter, the added attribute is visible to the proxy module. If your environment proxies requests, you might want to configure Steel-Belted Radius Carrier to strip the attribute from the request before forwarding it to a downstream server, so that the addresses of your own RADIUS clients are not disclosed to the downstream operator.

AllowNoUserName

  • If set to yes (case-insensitive), Access-Requests that lack a User-Name attribute are passed on for processing.

  • If set to any other value, any Access-Request without a User-Name attribute is rejected.

Note: This parameter works together with CheckForEmptyUserName: AllowNoUserName governs requests with no User-Name attribute at all, and CheckForEmptyUserName governs requests whose User-Name attribute is present but empty. Together they determine how the SBRC server processes RADIUS Access-Requests with no or empty User-Name attributes.

Apply-Login-Limits

  • If set to yes, the maximum number of concurrent connections for each user is enforced, and connection attempts above the limit are rejected.

  • If set to no, connections above the limit are allowed, but an event is noted in the server log file.

Default value is yes.

AttributeEdit

  • If set to 1, the attribute editing (filters) feature for proxy and directed realms, and plug-ins is enabled.

  • If set to 0, the feature is disabled.

Default value is 1.

AuthenticateOnly

  • If set to 1, no response attributes are included in the response packet to an AuthenticateOnly (Service-Type 8) request.

  • If set to 0, the normal response attributes are included in the response.

Default value is 1.

AuthorizeOnly

By default, SBR Carrier does not accept Authorize-Only requests. SBR Carrier may be configured to accept them by setting AuthorizeOnly=1, in which case, to accept them, the request must also satisfy all of these conditions:

  • The Access-Request contains the Service-Type attribute with a value=Authorize-Only

  • Message-Authenticator is present and valid

  • A session already exists in SBR Carrier for the AAA session ID (WiMAX)

  • At least one authentication method accepts the request. The authentication method (usually SQL or LDAP) must have the AcceptsAuthorizeOnly = 1 in the [Bootstrap] section.

Note: If set to 0, Authorize-Only requests are not accepted regardless of whether the authentication method (SQL, LDAP or other) has the AcceptsAuthorizeOnly = 1.

Note: It is not meaningful for an EAP method to accept Authorize-Only requests. Authorize-Only processing does not include authentication, and this setting is only applied to single-step methods which have been configured not to perform authentication (for example, SQL or LDAP authentication).

Note: SBR Carrier is only able to process Authorize-Only requests for WiMAX sessions because a session must be located in the current session table, indexed by a WiMAX session Id.

AutoPasswords

If set to yes, SBR Carrier accepts passwords stored in the native database in SHA, UNIX crypt, and the other hashed or encoded forms listed below, instead of plaintext only.

This feature may be used to test passwords created with the encoding algorithms normally handled by plug-ins such as LDAP and SQL. The algorithm is indicated by a token string enclosed in curly braces and prepended to the stored password, for example {md4}47476919506799271480 for an MD4-encoded password.

Supported algorithms and their token strings: MD4 hash (md4), SHA-1 base64 (sha), salted SHA-1 base64 (ssha), UNIX crypt (crypt), encmd5 (md5), HTTP digest MD5 (http), and hex representation of the ASCII password (hex).

Default value is no (disabled). Treat this as a test feature: MD4, unsalted MD5 and SHA-1 can be brute-forced offline at high speed, and hex is merely an encoding of the plaintext, so leave it disabled in production unless a migration specifically requires it.

Auth-Flood-Queue-Shape

Type of queuing used for authentication requests. You can use one of the following values:

  • FIFO

  • LIFO

  • RAND

Default value is LIFO.

Auth-Receive-Realtime-Thread-Priority

Authentication requests (as well as proxy responses) are received on two separate threads. The priority of these threads can be set as follows:

  • TS (timeshare)—This is the default class for processes and their associated kernel threads. Priority numbers within this class range from 0 through 59 and are adjusted dynamically in an attempt to allocate processor resources evenly.

  • RT (real-time)—Threads in the RT class have a fixed priority and a fixed time quantum. Priority numbers range from 100 through 159, so an RT thread preempts a system thread.

SBR sets the priority to the lesser of the maximum possible RT priority and the configured value (0 = no change).

Note: On Linux, the smaller the numerical value, the higher the priority.

AuthResponseOnCstFailure

Specifies how the SBRC server responds to authentication requests when the session database (the Current Session Table, CST) cannot be contacted.

  • If set to Reject, the SBRC server sends an Access-Reject when there is a CST failure.

  • If set to Accept, the SBRC server sends an Access-Accept in spite of the CST failure. This is the fail-open choice: users are admitted without a session record while the cluster is unreachable.

  • If set to Discard, the SBRC server does not send any response.

Default value is Reject.

Note: When the ShutdownOnCSTFailure parameter in the dbclusterRPC.gen file is set to 0, this setting determines how incoming packets are handled when the SSR cluster is down.

ChallengeCacheLimit

This parameter controls the number of outstanding challenge state objects.

Default value is 1000.

Note: A value of 0 through 999 is treated as the minimum value, 1000.

CheckTransactionIdInClass

If set to 1, when an accounting request is matched to a session record by means of the Class attribute, Steel-Belted Radius Carrier verifies that both TxnId and DbClusterSessionId match.

If set to 0, only DbClusterSessionId needs to match.

Default value is 0.

CheckForEmptyUserName

  • If set to any value other than 0, Access-Requests whose User-Name attribute is present but empty are rejected.

  • If set to 0, such requests are passed on for processing.

    The default is 1.

Note: This parameter works together with AllowNoUserName, which governs requests that have no User-Name attribute at all. Together they determine how the SBRC server processes RADIUS Access-Requests with no or empty User-Name attributes.

CheckMessageAuthenticator

Specifies whether Steel-Belted Radius Carrier validates the Message-Authenticator attribute on receipt of an Access-Request from a network access server, and on receipt of an Access-Accept, Access-Reject, or Access-Challenge from a proxy target.

  • If set to 0, received Message-Authenticator attributes are not validated.

  • If set to 1, validation is performed when a Message-Authenticator attribute is present. The attribute must be present in EAP messages.

  • If set to 2, Message-Authenticator attributes are always required and always validated. If the attribute is absent, Steel-Belted Radius Carrier rejects the message.

For the WiMAX mobility module, set this to 1.

Default value is 0.

Message-Authenticator is the only integrity check on an Access-Request that is keyed with the shared secret (the Request Authenticator is a random nonce), so with the default of 0 an Access-Request forged or altered in transit is not detected. Use 2 wherever every client and proxy target sends the attribute; use 1 where some legacy clients omit it on non-EAP requests.
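The parameters in this table that are most often left at a permissive value are the ones a reviewer checks first. The Python below is an added example and not SBR Carrier code: it audits a [Configuration] fragment for CheckMessageAuthenticator, AuthResponseOnCstFailure, AutoPasswords, the AllowNoUserName/CheckForEmptyUserName pair, Apply-Login-Limits, and the Add*AttrToRequest parameters, using the defaults documented in this table when a parameter is absent. AllowNoUserName has no documented default and is treated as no when absent, which is an assumption. The weak and hardened fragments are constructed for the example; the hardened values are the author's choice for a server whose clients all send Message-Authenticator, not a recommendation from the documentation.

```python
"""Audit security-relevant [Configuration] settings in a radius.ini fragment.
Added example; not SBR Carrier code."""
import configparser

# Constructed fragments for the example (not from a real deployment).
WEAK = """
[Configuration]
CheckMessageAuthenticator = 0
AuthResponseOnCstFailure = Accept
AutoPasswords = yes
AllowNoUserName = yes
CheckForEmptyUserName = 0
Apply-Login-Limits = no
AddSourceIPAddressAttrToRequest = 1
"""

HARDENED = """
[Configuration]
CheckMessageAuthenticator = 2
AuthResponseOnCstFailure = Reject
AutoPasswords = no
AllowNoUserName = no
CheckForEmptyUserName = 1
Apply-Login-Limits = yes
AddSourceIPAddressAttrToRequest = 0
"""


def load_configuration(text):
    """Return the [Configuration] section as a lower-cased {name: value} dict."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                   delimiters=("=",))
    cp.optionxform = str.lower            # parameter names are case-insensitive
    cp.read_string(text)
    return {k: v.strip().lower() for k, v in cp["Configuration"].items() if v is not None}


def audit_configuration(text):
    """Return (parameter, finding) pairs for settings that weaken the server."""
    conf = load_configuration(text)

    def get(name, default):               # documented default used when absent
        return conf.get(name.lower(), default)

    findings = []

    cma = get("CheckMessageAuthenticator", "0")
    if cma == "0":
        findings.append(("CheckMessageAuthenticator",
                         "Message-Authenticator is never validated; forged or altered Access-Requests are not detected"))
    elif cma == "1":
        findings.append(("CheckMessageAuthenticator",
                         "validated only when present; a sender can simply omit the attribute on non-EAP requests"))
    elif cma != "2":
        findings.append(("CheckMessageAuthenticator", f"unrecognised value {cma!r}"))

    if get("AuthResponseOnCstFailure", "reject") == "accept":
        findings.append(("AuthResponseOnCstFailure",
                         "fail-open: Access-Accept is sent while the session database is unreachable"))

    if get("AutoPasswords", "no") == "yes":
        findings.append(("AutoPasswords",
                         "test feature enabled: legacy formats such as MD4, MD5, crypt and hex-encoded plaintext are accepted"))

    # Assumption: AllowNoUserName has no documented default; treat absent as 'no'.
    if get("AllowNoUserName", "no") == "yes" and get("CheckForEmptyUserName", "1") == "0":
        findings.append(("AllowNoUserName/CheckForEmptyUserName",
                         "Access-Requests with no or empty User-Name are passed on for processing"))

    if get("Apply-Login-Limits", "yes") == "no":
        findings.append(("Apply-Login-Limits",
                         "concurrent-login limits are only logged, not enforced"))

    for param in ("AddSourceIPAddressAttrToRequest", "AddDestIPAddressAttrToRequest",
                  "AddDestUDPPortAttrToRequest"):
        if get(param, "0") == "1":
            findings.append((param,
                             "added Funk-* attribute is visible to the proxy module; strip it before forwarding downstream"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for param, finding in audit_configuration(text) or [("-", "no findings")]:
            print(f"  {param}: {finding}")
```

The value 1 for CheckMessageAuthenticator is reported deliberately: it is the documented setting for the WiMAX module and for mixed client populations, but a reviewer should confirm that it was chosen for that reason rather than left as a half-step.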

ClassAttributeStyle

  • If set to 1, Steel-Belted Radius Carrier uses unencrypted Class attributes with multiple ASCII keys in Access-Accept packets.

  • If set to 2, Steel-Belted Radius Carrier uses enhanced/encrypted Class attributes in Access-Accept packets.

Default value is 2.

Note: The ClassAttributeStyle parameter must be set to a value of 2 before you can use attribute embedding. For information about attribute embedding, see [EmbedInClass] Section.

ConvertCallingStationId

  • If set to 1, the Calling-Station-Id is interpreted as a hex string.

  • If set to 0, the Calling-Station-Id is interpreted as ASCII.

Default value is 0.

DelegatedIPv6PrefixPoolHint

Specifies whether to treat the Delegated-IPv6-Prefix-Pool attribute as a hint.

  • If set to Yes, the Delegated-IPv6-Prefix-Pool attribute is treated as a hint. If this attribute appears in both the Access-Request packet and the user's return list, the Delegated-IPv6-Prefix-Pool attribute values in both the Access-Request packet and the user's return list are returned. If this attribute does not appear in the Access-Request packet, the Delegated-IPv6-Prefix-Pool attribute value configured in the user's return list is returned.

  • If set to No, the Delegated-IPv6-Prefix-Pool attribute value configured in the user's return list is returned.

Default value is No.

DisablePromptAttribute

The Prompt attribute may be sent during an Access-Challenge. This parameter specifies whether or not to echo the user’s response to the Access-Challenge on the client.

  • 0 indicates the user’s response to the Access-Challenge is not echoed.

  • 1 indicates the user’s response to the Access-Challenge is echoed.

Default value is 0.

Steel-Belted Radius Carrier uses the Prompt attribute during authentications. However, some clients do not respond properly to the Prompt attribute, so this parameter provides a way to disable it.

DisableSecondaryMakeModelSelection

  • If set to 1, SBR Carrier sets the make/model field with make/model information of the NAD that is found using the NAS-IP-Address attribute, NAS-IPv6-Address attribute, NAS-Identifier attribute, or source address in the received request. SBR Carrier searches for the NAD entry by using the attributes or values in the following order of preference:

    1. NAS-IP-Address or NAS-IPv6-Address

    2. NAS-Identifier

    3. Source address

  • If set to 0, SBR Carrier sets the make/model field according to the proxy target that is being used for the RADIUS transaction.

    Note: This setting affects only proxied packets. For a description about proxied packets, refer to the chapter Administering Proxy RADIUS in the SBR Carrier Administration and Configuration Guide.

Default value is 0.

DiscardAccountingRequestOnCstFailure

By default, accounting requests are acknowledged even if the SSR database cannot be contacted. This parameter specifies whether or not accounting requests should be discarded when the session database cannot be contacted, which may be desirable when using load balancing equipment.

  • If set to 1, accounting requests (start, stop, on, off, and interim) are discarded when the session database cannot be contacted.

  • If set to 0, accounting requests (start, stop, on, off, and interim) are acknowledged when the session database cannot be contacted.

Note: When the ShutdownOnCSTFailure parameter in the dbclusterRPC.gen file is set to 0, this setting determines how incoming packets are handled when the SSR cluster is down.

DnsServerIPv6AddressHint

Specifies whether to treat the DNS-Server-IPv6-Address attribute as a hint.

  • If set to Yes, the DNS-Server-IPv6-Address attribute is treated as a hint. If this attribute appears in both the Access-Request packet and the user's return list, the DNS-Server-IPv6-Address attribute values in both the Access-Request packet and the user's return list are returned. If this attribute does not appear in the Access-Request packet, the DNS-Server-IPv6-Address attribute value configured in the user's return list is returned.

  • If set to No, the DNS-Server-IPv6-Address attribute value configured in the user's return list is returned.

Default value is No.

DynAuthProxySource

Specifies the IP address of the interface through which the outgoing proxy CoA/DM traffic is routed.

The default value is 0.0.0.0. In this case, the interface is variable, chosen appropriately by the Operating System depending on the destination address.

EnableWiMAXUniqueSessionIdFromNAI

This parameter provides improvements to WiMAX performance and scalability. The improvements include different logic for assigning primary keys to WiMAX tables and for generating the Class attribute in the Access-Accept response.

  • If set to 1, the EnableWiMAXUniqueSessionIdFromNAI parameter is enabled.

  • If set to 0, the EnableWiMAXUniqueSessionIdFromNAI parameter is disabled.

Note: When the EnableWiMAXUniqueSessionIdFromNAI parameter is enabled, new session records in the database and the Class attribute in Access-Accept messages are incompatible with the WiMAX logic in previous releases of SBR Carrier. For compatibility with SBR Carrier 7.2.1 and earlier, set EnableWiMAXUniqueSessionIdFromNAI = 0.

Default value is 1.

For details on migrating from existing SBRC WiMAX installations and new installations using WiMAX, see the section on Migration and New Installations of SBR Carrier with WiMAX in the Migrating from Previous SBR Releases section of the SBR Carrier Installation Guide.

EnhancedRateStats

Specifies whether support for calculating authentication, accounting, and proxy transaction rate statistics per NAD client and per Called-Station-ID is enabled or disabled.

  • If set to 1, Steel-Belted Radius Carrier enables the calculation of NAD client and Called-Station-ID specific rate statistics. In addition to the overall server specific rate statistics, you can view the rate statistics per NAD client and per Called-Station-ID through SNMP and LCI query.

  • If set to 0, Steel-Belted Radius Carrier disables the calculation of NAD client and Called-Station-ID specific rate statistics. You can view only the overall server specific rate statistics through SNMP and LCI query.

Default value is 0.

EnumAttrsWithoutMvpFlagUpdate

  • If set to 1, plug-ins can add attributes that are not flagged as reply-list attributes to an Access-Accept.

  • If set to 0, plug-ins cannot add attributes that are not flagged as reply-list attributes to an Access-Accept.

Default value is 1.

FallbackLocal

Specifies whether the session information is maintained in a local file on the SBR Carrier server when the working SSR cluster goes down or SBR Carrier fails to load the SSR cluster during startup.

  • If set to true, session information is maintained in a local file on the SBR Carrier server when the working SSR cluster goes down or SBR Carrier fails to load the SSR cluster during startup.

  • If set to false, session information is not maintained in a local file on the SBR Carrier server even when the working SSR cluster goes down or SBR Carrier fails to load the SSR cluster during startup.

Default value is false.

Note: This parameter is valid only if the PersistSessions parameter in the radius.ini file is set to 2 (NDB).

ForceUpdate

Enables Steel-Belted Radius Carrier to update the Current Session Table (CST) with additional attributes when an Accounting-Interim packet is received.

Note: The ForceUpdate parameter is valid only if the UpdateOnInterim parameter is set to 1.

Additional accounting attributes that can be updated include the following:

  • User-Name

  • Called-Station-Id

  • NAS-Port

  • Calling-Station-ID

  • NAS-Port-Type

Note: The accounting attributes specified with this parameter must be separated by a space.

For example, ForceUpdate= User-Name Calling-Station-ID

FramedIPAddressHint

  • If set to Yes, the attribute Framed-IP-Address is treated as a hint. If this attribute appears in the Access-Request and the user's return list is configured to allocate Framed-IP-Address from a pool, the IP address in the Access-Request is returned instead of a newly-allocated IP address.

  • If set to No, the address is taken from the configured pool of addresses for Framed-IP-Address. The next available address is used.

  • If set to Check-Pool, the requested address is checked for validity against the pool of addresses for Framed-IP-Address.

Default value is No.

Note: Hints are only applicable when SBR is configured to assign addresses from a pool.

FramedIPv6AddressHint

Specifies whether to treat the Framed-IPv6-Address attribute as a hint.

  • If set to Yes, the Framed-IPv6-Address attribute is treated as a hint. If this attribute appears in both the Access-Request packet and the user's return list, the IPv6 address in the Access-Request packet is returned in the Access-Accept. If this attribute does not appear in the Access-Request packet, the IPv6 address configured in the user's return list is returned.

  • If set to No, the IPv6 address configured in the user’s return list is returned.

Default value is No.

IncRoutedProxyUsageCount

  • If set to 1, the usage count is incremented both before the Access-Request is proxied, and when the proxy target responds with an Access-Accept. This is consistent with previous releases.

  • If set to 0, the usage count is incremented only when the proxy target responds with an Access-Accept, it is not incremented before the Access-Request is forwarded to the proxy.

Default value is 0.

IpAddrFromClassAttr

If set to Yes, SBR always adds the Framed-Ip-Address in the Access-Accept to the Class attribute, regardless of whether it is allocated from a pool.

Default value is No.

JvmMaxHeapSizeInMB

Specifies the maximum heap memory the Java Virtual Machine (JVM) can allocate for processing JDBC connections. An out-of-memory error occurs if the JVM needs more heap than this value.

Default value is 1024 MB.

JvmMinHeapSizeInMB

Specifies the minimum Java heap memory required for processing JDBC connections. If your system does not have the configured minimum memory, the JVM will not be initialized.

Default value is 64 MB.

JVMPath

Specifies the location of the JVM used by JDBC plug-ins.

Note: Do not edit this parameter manually. This parameter is automatically populated after running the SBR Carrier configuration script.

For this parameter to work, make sure that this parameter is uncommented.

SerialNumber and LegacyPluginConcurrency

Note: The fix for PR:1468996 is available starting from SBR 8.6.0R13 (full builds only).

SBR 8.6.0R13 addresses the following limitation in previous builds.

Limitation: the generic custom plug-ins (LDAP, TLS, TTLS, PEAP, SQL-JDBC, and ORACLE) all used the same prefix ID, 200, when counting user concurrency. If the same User-Name (for example, test) is authenticated by SBR through both the LDAP and ORACLE plug-ins, builds without the fix show both under the same prefix ID 200 in the output of ./ShowUserConc -a, so the sessions of the two plug-ins cannot be told apart.

To overcome this, SBR now maintains a unique ID for each plug-in. The updated prefix IDs for each generic plug-in are:

Component    New Plug-In ID

LDAP         400

TLS          500

TTLS         600

PEAP         700

SQL-JDBC     800

ORACLE       900

Note: The updated behavior takes effect only when the LegacyPluginConcurrency parameter is set to False.

LegacyPluginConcurrency: if set to False, the new plug-in IDs are used; otherwise SBR behaves as in prior releases.

Default value of LegacyPluginConcurrency is False.

SerialNumber: this parameter is added to the [Bootstrap] section of the *.aut file of each generic plug-in.

  • The permitted range is 1 through 99.

  • By default the parameter is commented out:

    [Bootstrap]
    ;SerialNumber=0

Note: When several plug-ins of the same type are loaded, their IDs are distinguished by configuring a different SerialNumber in each plug-in's .aut file.

The final Id shown by ./ShowUserConc -a is calculated as:

Id = New Plug-In ID + SerialNumber configured in the *.aut file of the plug-in

For the limitation scenario above, a full build with the fix shows the following in ./ShowUserConc.sh -a:

Id for ORACLE = 900 (ORACLE ID) + 1 (SerialNumber in the ORACLE .aut file) = 901

Id for LDAP = 400 (LDAP ID) + 1 (SerialNumber in the LDAP .aut file) = 401

Table 17: ./ShowUserConc.sh -a output

hadm@<host_name>:~> ./ShowUserConc.sh -a
UserConcurrency:
ID          Count
901-Test    3
401-Test    4

Note: Use a different SerialNumber value for each instance of the same generic plug-in (for example, ldapauth1.aut and ldapauth2.aut) so that their IDs differ.

However, if the different instances use the same backend, give them the same SerialNumber so that concurrency limits are enforced across all of them.
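The following is an added example, not code from Juniper or SBR Carrier, that models the Id calculation above and parses ShowUserConc output. It assumes only what this page states (Id = prefix ID + SerialNumber when LegacyPluginConcurrency is False; the shared prefix 200, with no serial, for the legacy behaviour); the session list and the ShowUserConc text are constructed to match the scenario and Table 17.

```python
"""Model the per-plug-in concurrency IDs that ./ShowUserConc -a reports.

Added example; not Juniper or SBR Carrier code. It assumes only what the
page states: with LegacyPluginConcurrency=False the Id is the plug-in's
prefix ID plus the SerialNumber from its .aut file, and with the legacy
behaviour every generic plug-in reports the shared prefix 200 (earlier
builds had no SerialNumber, so it is ignored there). The ShowUserConc output
below is constructed to match Table 17.
"""
import re
from collections import Counter

# Prefix IDs from the table above (SBR 8.6.0R13, LegacyPluginConcurrency=False).
NEW_PREFIX = {"LDAP": 400, "TLS": 500, "TTLS": 600, "PEAP": 700,
              "SQL-JDBC": 800, "ORACLE": 900}
LEGACY_PREFIX = 200   # shared by every generic plug-in before the fix


def concurrency_id(plugin, serial_number=0, legacy=False):
    """Id for one plug-in instance; serial_number 0 means SerialNumber is commented out."""
    if not 0 <= serial_number <= 99:
        raise ValueError("SerialNumber must be in 1..99 (0 = not configured)")
    if legacy:
        return LEGACY_PREFIX          # prior releases: no per-plug-in ID, no serial
    return NEW_PREFIX[plugin] + serial_number


def decode_id(ident):
    """Reverse the calculation: (plug-in name, SerialNumber)."""
    hundreds, serial = divmod(ident, 100)
    prefix = hundreds * 100
    if prefix == LEGACY_PREFIX:
        return "generic (legacy prefix)", serial
    for name, p in NEW_PREFIX.items():
        if p == prefix:
            return name, serial
    raise ValueError(f"unknown plug-in prefix {prefix}")


ROW = re.compile(r"^(\d+)-(\S+)\s+(\d+)$")   # "<Id>-<User>   <Count>"


def parse_showuserconc(text):
    """Parse ShowUserConc -a rows into {(plug-in, serial, user): count}."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                   # banner, header or blank line
        plugin, serial = decode_id(int(m.group(1)))
        rows[(plugin, serial, m.group(2))] = int(m.group(3))
    return rows


def count_by_id(sessions, legacy=False):
    """Count live sessions the way the concurrency check sees them, per "<Id>-<user>"."""
    counts = Counter()
    for plugin, serial, user in sessions:
        counts[f"{concurrency_id(plugin, serial, legacy)}-{user}"] += 1
    return dict(counts)


# Constructed: the scenario above, "test" authenticated 3 times via ORACLE and 4 via LDAP.
SESSIONS = [("ORACLE", 1, "test")] * 3 + [("LDAP", 1, "test")] * 4

SAMPLE_OUTPUT = """\
UserConcurrency:
ID          Count
901-Test    3
401-Test    4
"""

if __name__ == "__main__":
    print("legacy :", count_by_id(SESSIONS, legacy=True))   # one merged entry, 200-test
    print("fixed  :", count_by_id(SESSIONS))                 # 901-test and 401-test kept apart
    print(parse_showuserconc(SAMPLE_OUTPUT))
```

Run as-is, the legacy mode collapses both plug-ins' sessions into a single 200-test entry of 7, while the fixed mode keeps 901-test (3) and 401-test (4) apart; decode_id recovers the plug-in and SerialNumber from any Id in the tool's output.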

LookupClientByIPRange

If set to 1, this parameter enables enumeration of NAS clients within IP ranges; set this to support Service-Type mapping of range-defined NAS clients.

Default value is 0.

Login-Limit-Key

Login-Limit-Key is valid only in a Session State Register cluster environment, and only then if the Optional Concurrency and Wholesale Module is installed. If both those conditions are met, the setting controls what user attribute or attributes are counted to determine concurrent session limit compliance.

There is no default value. The setting may contain any user attribute string. Multiple attributes may be specified, separated by spaces, up to the 84-character limit of the field.

MainThreadStackSize

Stack size of the main thread. This value specifies the number of bytes allocated to each main thread.

Main threads are maintenance threads that perform such functions as stale session purging, signal handling, and statistics logging.

Default value is 786432 KB.

The MainThreadStackSize value must be greater than or equal to the default value.

Max-Auth-Floods

Maximum number of requests that can be stored in the authentication flood queue. You can enter the value in the range 0 to 10,000 * Max-Auth-Threads.

Default value is 25.

Max-Auth-Threads

The maximum number of threads available to handle authentication requests. Minimum is 1, maximum is 1,000,000 (limited by memory).

Default value is 100.

Max-Auth-Threads-In-Flood

Maximum number of threads from the authentication thread pool that can support the flood queue concurrently. If this value equals the maximum number of threads in the authentication thread pool, all threads are available to serve new requests or queued requests. If this value is less than the maximum number of threads in the authentication thread pool, the difference represents the number of threads reserved for servicing only new authentication requests.

If no value is configured, this parameter defaults to half of Max-Auth-Threads.

Default value is 50.

Note: This default value is valid only if the default value of Max-Auth-Threads is unchanged.

Max-Acct-Floods

Maximum number of requests that can be stored in the accounting flood queue. You can enter the value in the range 0 through 10,000.

Default value is 25.

Max-Acct-Threads

Maximum number of threads available to handle accounting requests. Minimum is 1; maximum is 1,000,000 (limited by memory).

Default value is 200.

Max-Acct-Threads-In-Flood

Maximum number of threads from the accounting thread pool that can support the flood queue concurrently. If this value equals the maximum number of threads in the accounting thread pool, all threads are available to serve new requests or queued requests. If this value is less than the maximum number of threads in the accounting thread pool, the difference represents the number of threads reserved for servicing only new accounting requests.

If no value is configured, this parameter defaults to half of Max-Acct-Threads.

Default value is 100.

Note: This default value is valid only if the default value of Max-Acct-Threads is unchanged.

MaxEngines

The MaxEngines parameter limits the number of Javascript host allocations that can be attempted. When set, worker threads wait for a host to become available. The optimum setting for this parameter may vary depending on the machine configuration and RADIUS traffic.

The default is 0, which means no limit.

Max-Proxy-Floods

Maximum number of requests that can be stored in the proxy flood queue. You can enter the value in the range 0 through 10,000.

Default value is 25.

Max-Proxy-Threads

Maximum number of threads available to handle proxied accounting requests when Block=0 is set in the [Acct] section of the RealmName.pro file. Minimum is 1; maximum is 1,000,000 (limited by memory).

Default value is 100.

Max-Proxy-Threads-In-Flood

Maximum number of threads from the proxy thread pool that can support the flood queue concurrently. If this value equals the maximum number of threads in the proxy thread pool, all threads are available to serve new requests or queued requests. If this value is less than the maximum number of threads in the proxy thread pool, the difference represents the number of threads reserved for servicing only new proxy requests.

If no value is configured, this parameter defaults to half of Max-Proxy-Threads.

Default value is 50.

Note: This default value is valid only if the default value of Max-Proxy-Threads is unchanged.
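The thread-pool and flood-queue parameters above interact: the -In-Flood value is what decides how many threads keep serving brand-new requests while the queue is being drained, which is the setting that matters under a request flood. The following is an added example, not Juniper or SBR Carrier code, that reads a radius.ini [Configuration] fragment and reports the effective values and range violations using only the rules stated on this page; the sample fragment is constructed.

```python
"""Derive the effective authentication, accounting and proxy thread-pool and
flood-queue settings from a radius.ini [Configuration] fragment.

Added example; not Juniper or SBR Carrier code. It applies only the rules
stated on this page: an -In-Flood value that is not configured defaults to
half the pool; pool size minus the -In-Flood value is the number of threads
reserved for new requests during a flood; Max-Auth-Floods may not exceed
10,000 * Max-Auth-Threads, while the accounting and proxy queues are capped
at 10,000. The sample fragment is constructed for the example.
"""
import configparser

POOLS = {
    # pool: (threads key, in-flood key, floods key, default threads, floods cap or None)
    "auth":  ("Max-Auth-Threads",  "Max-Auth-Threads-In-Flood",  "Max-Auth-Floods",  100, None),
    "acct":  ("Max-Acct-Threads",  "Max-Acct-Threads-In-Flood",  "Max-Acct-Floods",  200, 10_000),
    "proxy": ("Max-Proxy-Threads", "Max-Proxy-Threads-In-Flood", "Max-Proxy-Floods", 100, 10_000),
}
DEFAULT_FLOODS = 25

SAMPLE_INI = """\
[Configuration]
; constructed fragment: a busy authentication server that reserves a quarter
; of its auth pool for fresh requests, and a proxy flood queue set too large
Max-Auth-Threads = 400
Max-Auth-Threads-In-Flood = 300
Max-Auth-Floods = 5000
Max-Proxy-Floods = 20000
"""


def effective_pools(ini_text):
    """Return {pool: {threads, in_flood, reserved_for_new, flood_queue, warnings}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    conf = cp["Configuration"] if cp.has_section("Configuration") else {}
    result = {}
    for pool, (t_key, f_key, q_key, t_default, q_cap) in POOLS.items():
        threads = int(conf.get(t_key, t_default))
        in_flood = int(conf.get(f_key, threads // 2))    # page: defaults to half the pool
        floods = int(conf.get(q_key, DEFAULT_FLOODS))
        cap = q_cap if q_cap is not None else 10_000 * threads
        warnings = []
        if not 1 <= threads <= 1_000_000:
            warnings.append(f"{t_key}={threads} outside 1..1000000")
        if in_flood > threads:
            warnings.append(f"{f_key}={in_flood} exceeds {t_key}={threads}")
        if not 0 <= floods <= cap:
            warnings.append(f"{q_key}={floods} outside 0..{cap}")
        if in_flood == threads:
            warnings.append(f"no {pool} threads reserved exclusively for new requests")
        result[pool] = {
            "threads": threads,
            "in_flood": in_flood,
            "reserved_for_new": threads - in_flood,
            "flood_queue": floods,
            "warnings": warnings,
        }
    return result


if __name__ == "__main__":
    for pool, info in effective_pools(SAMPLE_INI).items():
        print(pool, info)
```

Point it at your own radius.ini (read the file and pass its text) to see the numbers the server will actually run with, including the implicit half-pool -In-Flood defaults that never appear in the file.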

NasClearRecordsBatchCount

Specifies the number of sessions to be deleted per batch when an Accounting-On or Accounting-Off request is received from the NAD.

Default value is 10,000.

NoNullTermination

  • If set to 0, RADIUS reply attributes of type string are sent with a null character at the end of the string (null terminated string).

  • If set to 1, RADIUS reply attributes of type string are sent without the null character at the end of the string. Entering a value of 1 for this setting is the equivalent of changing all reply attributes of type string to type stringnz.

Default value is 0.

OverwriteCstDataOnFailure

  • If set to 1, SBR overwrites the existing session record (based on IP address) on CST constraint violation.

  • If set to 0, SBR continues processing on CST constraint violation.

Default value is 0.

PersistSessions

Specifies how session persistence is maintained.

  • If set to 0 (none), session information is not maintained when SBRC is restarted. This setting applies only to SBRC servers running in standalone mode.

  • If set to 1 (local), session information is maintained in a local file on the SBRC server, and is available after restarting the server. This setting applies only to SBRC servers running in standalone mode.

  • If set to 2 (NDB), session information is maintained in the SSR cluster database. This setting is applicable only when the server is running in a SBRC SSR cluster.

Default value is NDB.

Note: You must set the PersistSessions parameter to 2 or NDB to use the Steel-Belted Radius Carrier high availability SSR cluster.

PhantomTimeout

Specifies the maximum number of seconds for a phantom session record. When a phantom session is created, its expiration timestamp (Sbr_ExpirationTime) is set to its creation timestamp (Sbr_CreationTime) plus the PhantomTimeout value. If a corresponding Accounting-Start or an interim accounting packet is received before the expiration timestamp, the phantom record is upgraded to active status, and its expiration timestamp is upgraded according to the StaleSessionTimeoutSecs setting. If no Accounting-Start or interim accounting packet is received before the expiration timestamp, the phantom record is purged according to settings for stale session purge threads. This highlights the importance of synchronizing clocks amongst SBR Carrier servers in a Session State Register cluster.

Note: This parameter is applicable to standalone servers and servers running in a Session State Register cluster.

ProcessRealmBeforeTunnel

  • If set to 0, Steel-Belted Radius Carrier checks whether a request matches the criteria established for tunnels before it tests whether a request matches the criteria for proxy and directed realms.

  • If set to 1, Steel-Belted Radius Carrier checks whether a request matches the criteria established for proxy and directed realms before it tests whether a request matches the criteria established for tunnels.

Default value is 0.

ProxyFastFail

Specifies the number of seconds a Steel-Belted Radius Carrier server continues to forward packets to a proxy RADIUS target that appears to be down.

A value of 0 disables the feature.

Default value is 300.

Note: This parameter applies only to proxy targets that are used but not assigned to a realm.

ProxySource

Specifies the IP address of the interface through which all outgoing proxy traffic is routed. The IP address specified for ProxySource must be listed in the [Addresses] section of radius.ini.

If a ProxySource address is not specified and per-realm control of proxy interfaces is not enabled, Steel-Belted Radius Carrier uses the first interface it finds on the server.

ProxyStripRealm

  • If set to 1, the proxy realm decoration is stripped before sending the request downstream.

  • If set to 0, no realm name stripping is performed.

Default value is 1.

Note: This parameter applies only to proxy targets that are used but not assigned to a realm.

Proxy-Flood-Queue-Shape

Type of queuing used for proxy requests. You can use one of the following values:

  • FIFO

  • LIFO

  • RAND

Default value is LIFO.

RejectMalformedPacket

Specifies whether to reject the RADIUS request if a malformed attribute is received in the request.

  • If set to 1, SBR Carrier rejects the RADIUS request when a malformed attribute is received in the request.

  • If set to 0, SBR Carrier skips the malformed attribute and continues processing the RADIUS request when a malformed attribute is received in the request. However, if a packet is severely malformed, then the packet will be dropped.

Default value is 0.

RouteIPv6InfoHint

Specifies whether to treat the Route-IPv6-Information attribute as a hint.

  • If set to Yes, the Route-IPv6-Information attribute is treated as a hint. If this attribute appears in both the Access-Request packet and the user's return list, the Route-IPv6-Information attribute values in both the Access-Request packet and the user's return list are returned. If this attribute does not appear in the Access-Request packet, the Route-IPv6-Information attribute value configured in the user's return list is returned.

  • If set to No, the Route-IPv6-Information attribute value configured in the user's return list is returned.

Default value is No.

SelectIPPoolNameByNasAVPs

  • If set to 0, the IP address pool for a RADIUS client is based on the source IP address in the UDP packet containing the access request.

  • If set to 1, the IP address pool for a RADIUS client is based on the value of the NAS-IP-Address or NAS-Identifier attribute included in the access request. If the NAS-IP-Address or NAS-Identifier attribute is not present, or if a RADIUS client matching the IP address or identifier cannot be found, the IP address pool for a RADIUS client is based on the source IP address in the UDP packet containing the access request.

Default value is 0.

SendOnlyOneClassAttribute

When a user’s identity information is encrypted during authentication, Steel-Belted Radius Carrier uses a special Class attribute to pass the user’s encrypted identity to an accounting server. Because this typically requires more than one Class attribute to be included in the Accept response, and because some Access Points do not support echoing more than one Class attribute, you can use the SendOnlyOneClassAttribute parameter to specify how you want Steel-Belted Radius Carrier to forward encrypted user identity information.

  • If set to 1, Steel-Belted Radius Carrier creates a Class attribute containing a Class attribute flag, a server identifier, and a transaction identifier. The user identification data that is normally stored in the Class attributes is stored in the current sessions table. When Steel-Belted Radius Carrier receives an accounting request, it looks up the Class information in the current sessions table and uses it as if it had arrived in the accounting request packet.

  • If set to 0, Steel-Belted Radius Carrier creates one or more Class attributes to return a user’s encrypted identity to the Access Point, with the assumption that the AP forwards the Class attribute(s) containing the encrypted user identification information to the accounting server.

Default value is 0.

For the optional WiMAX mobility module, set this to 1.

Note: This feature works only if accounting requests go to the same server or cluster that performs authentication. Accounting requests that go to servers other than the authenticating server fail.

StaleSessionPurgeThreadChunkSize

Specifies the number of stale sessions a SBR Carrier server purges at a time.

Default value is 100 sessions.

Note: This parameter is applicable to standalone servers and servers running in a Session State Register cluster.

StaleSessionPurgeThreadSleepMax

Specifies the maximum number of seconds the SBR Carrier server waits before purging stale sessions.

Default value is 20 seconds.

Note: In cluster configurations, each SBR Carrier server periodically purges stale sessions from the session database. To avoid having multiple servers in a cluster try to purge the same stale sessions simultaneously, the StaleSessionPurgeThreadSleepMin and StaleSessionPurgeThreadSleepMax settings provide a short random sleep interval for the stale session purge process.

Note: This parameter is applicable to standalone servers and servers running in a Session State Register cluster.

StaleSessionPurgeThreadSleepMin

Specifies the minimum number of seconds SBR Carrier waits before purging stale sessions.

Default value is 10 seconds.

Note: In cluster configurations, each SBR Carrier server periodically purges stale sessions from the Session State Register database cluster. To avoid having multiple servers in a cluster try to purge the same stale sessions simultaneously, the StaleSessionPurgeThreadSleepMin and StaleSessionPurgeThreadSleepMax settings provide a short random sleep interval for the stale session purge process.

Note: This parameter is applicable to standalone servers and servers running in a Session State Register cluster.

StaleSessionTimeoutSecs

Specifies the lifetime for a session (phantom record for which a corresponding accounting start packet is received) in the Current Sessions Table before the session expiration timestamp runs out and the session resources are released.

  • If set to 0, the upgraded phantom record never expires.

  • If set to a number greater than 0, specifies the number of seconds in the phantom record lifetime.

Default value is 86,400 seconds (one day).

Note: This parameter is applicable to standalone servers and servers running in a Session State Register cluster.

StartupTimeout

Specifies the number of seconds Steel-Belted Radius Carrier waits for its startup sequence to finish before timing out.

Default value is 600 seconds.

Note: You must set this parameter based on the size of the HST file. If the HST file size is in the range 1.3–2.5 GB, set this parameter to 1600 seconds. If the HST file size is greater than 2.5 GB, set this parameter to 1800 seconds.

StatefulIPv6AddressPoolHint

Specifies whether to treat the Stateful-IPv6-Address-Pool attribute as a hint.

  • If set to Yes, the Stateful-IPv6-Address-Pool attribute is treated as a hint. If this attribute appears in both the Access-Request packet and the user's return list, the Stateful-IPv6-Address-Pool attribute values in both the Access-Request packet and the user's return list are returned. If this attribute does not appear in the Access-Request packet, the Stateful-IPv6-Address-Pool attribute value configured in the user's return list is returned.

  • If set to No, the Stateful-IPv6-Address-Pool attribute value configured in the user's return list is returned.

Default value is No.

StoreClassInSession

  • If set to always, the class attribute will always be stored in the CST.

  • If set to default, the class attribute will be stored in the CST depending on other attributes and configuration such as WiMAX mode.

Default value is default.

TreatAddressPoolsAsDisjoint

  • If set to 1, Steel-Belted Radius Carrier treats each IP address pool as though it operates off its own disjoint address space. This disables the normal checks to ensure that an IP address is allocated only to a single address pool.

  • If set to 0, a single IP address can be allocated only to a single session and from a single IP address pool.

Default value is 0.

Note: To track allocated resources, Steel-Belted Radius Carrier uses the Class attribute to track IP addresses. This attribute contains the IP pool name and IP address.

This parameter is applicable only to standalone servers.

UpdateOnInterim

Specifies whether or not to update the session from phantom to active when the SBRC server receives an accounting packet with the Acct-Status-Type attribute set to a value of Interim-Update.

  • If set to 1, the server changes the state of the session from phantom to active when it receives an interim update.

  • If set to 0, the server does not change the state of the session from phantom to active when an interim update is received.

  • If set to Update, the server changes the state of the session from phantom to active when it receives an interim update. The behavior is similar to setting the value as 1.

  • If set to Add, the server changes the state of the session from phantom to active when it receives an interim update. If a phantom session is not found, then a new session is created based on the values in the interim update.

The default value is 0.

UDP-Receive-Buffer-Kbytes

Sets the receive buffer size of the UDP socket, in kilobytes. This value specifies the space allocated to the UDP socket for holding incoming RADIUS requests.

You can enter a value in the range 256 KB through 16 MB. Default value is 512 KB.

Caution: In some high load scenarios (more than 500 concurrent transactions per second), the default socket size is not sufficient to process the incoming requests, resulting in packets being dropped from the socket. In this case, you need to increase the buffer size to the maximum value to prevent the packets from being dropped from the socket.

UseProfileCache

  • If set to 0, user profile results are not cached.

  • If set to 1, user profile results are cached, improving performance when using profiles.

Default value is 0.

UseUserCache

  • If set to 0, native users entries are not cached.

  • If set to 1, native user entries are cached, improving performance when using Native Users.

Default value is 0.

When caching is enabled, SBRC’s memory usage grows until all the user records are cached in memory. The storage space for all native user data (names, passwords, and Attribute Value Pairs) should fit well within the SBRC process memory. Enabling this is most suitable for Native User entries which represent device types, virtual devices, or are otherwise limited in number. Enabling it will increase throughput significantly.

WorkerThreadStackSize

Sets the worker thread stack size. The value reflects the number of bytes that will be allocated for each worker thread.

Worker threads are created to support authentication, accounting, and proxy operations.

Default worker thread stack size value is 1 MB.

Note: The required memory may be increased if there are thousands of threads configured.

ZombieSessionTimeout

Specifies the number of seconds that a deleted session (a session for which SBR Carrier has received an Accounting-Stop RADIUS message) remains in the Current Sessions Table.

Default value is 0 seconds (no grace period).

Note: This parameter is applicable to standalone servers and servers running in a Session State Register cluster.
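The session-lifetime parameters above (PhantomTimeout, StaleSessionTimeoutSecs, UpdateOnInterim, ZombieSessionTimeout, and the purge-thread chunk size) describe one state machine: phantom on Access-Accept, active on Accounting-Start (or interim update, depending on UpdateOnInterim), zombie or deleted on Accounting-Stop, and purged once the expiration timestamp passes. The following is an added example, not Juniper or SBR Carrier code and not SBR's actual data structure, that models those transitions using only what the page states; keying sessions by Acct-Session-Id, ignoring interim updates for already-active sessions, and the PhantomTimeout value used in the trace are assumptions.

```python
"""Toy model of the Current Sessions Table (CST) lifecycle that the
PhantomTimeout, StaleSessionTimeoutSecs, UpdateOnInterim,
ZombieSessionTimeout and StaleSessionPurgeThreadChunkSize parameters describe.

Added example; not Juniper or SBR Carrier code and not SBR's real data
structure. It encodes only the transitions the page states. Keying sessions
by Acct-Session-Id, ignoring interim updates for already-active sessions and
the PhantomTimeout value used below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

PHANTOM, ACTIVE, ZOMBIE = "phantom", "active", "zombie"


@dataclass
class Session:
    user: str
    state: str
    created: int              # Sbr_CreationTime, seconds
    expires: Optional[int]    # Sbr_ExpirationTime; None means never expires


@dataclass
class SessionTable:
    phantom_timeout: int = 300       # PhantomTimeout (assumed; the page gives no default)
    stale_timeout: int = 86_400      # StaleSessionTimeoutSecs default; 0 = never expire
    zombie_timeout: int = 0          # ZombieSessionTimeout default: no grace period
    update_on_interim: str = "0"     # UpdateOnInterim: "0", "1", "Update" or "Add"
    purge_chunk: int = 100           # StaleSessionPurgeThreadChunkSize default
    sessions: Dict[str, Session] = field(default_factory=dict)

    def state(self, sid):
        s = self.sessions.get(sid)
        return s.state if s else None

    def access_accept(self, sid, user, now):
        """Access-Accept creates a phantom record that lives PhantomTimeout seconds."""
        self.sessions[sid] = Session(user, PHANTOM, now, now + self.phantom_timeout)

    def _activate(self, s, now):
        s.state = ACTIVE
        s.expires = None if self.stale_timeout == 0 else now + self.stale_timeout

    def acct_start(self, sid, now):
        """Accounting-Start upgrades a live phantom to active; a late start finds nothing."""
        s = self.sessions.get(sid)
        if s is None or s.state != PHANTOM or now >= s.expires:
            return False
        self._activate(s, now)
        return True

    def acct_interim(self, sid, user, now):
        """Interim-Update: upgrade (1/Update/Add), create if missing (Add), or ignore (0)."""
        s = self.sessions.get(sid)
        upgrade = self.update_on_interim in ("1", "Update", "Add")
        if upgrade and s is not None and s.state == PHANTOM and now < s.expires:
            self._activate(s, now)
            return True
        if self.update_on_interim == "Add" and s is None:
            s = self.sessions[sid] = Session(user, ACTIVE, now, None)
            self._activate(s, now)
            return True
        return False

    def acct_stop(self, sid, now):
        """Accounting-Stop deletes the session, or keeps it as a zombie for ZombieSessionTimeout."""
        s = self.sessions.get(sid)
        if s is None:
            return False
        if self.zombie_timeout == 0:
            del self.sessions[sid]
        else:
            s.state, s.expires = ZOMBIE, now + self.zombie_timeout
        return True

    def purge_stale(self, now):
        """One pass of the purge thread: drop at most purge_chunk expired records."""
        expired = [sid for sid, s in self.sessions.items()
                   if s.expires is not None and now >= s.expires]
        for sid in expired[: self.purge_chunk]:
            del self.sessions[sid]
        return min(len(expired), self.purge_chunk)


def walk_through():
    """Trace a phantom started in time, one that is not, and a stop with a grace period."""
    t = SessionTable(phantom_timeout=60, stale_timeout=3600,
                     zombie_timeout=120, update_on_interim="0")
    trace = []
    t.access_accept("s1", "alice", now=0)
    trace.append(t.state("s1"))          # phantom, expires at 60
    t.acct_start("s1", now=30)
    trace.append(t.state("s1"))          # active, expires at 3630
    t.access_accept("s2", "bob", now=0)
    t.acct_interim("s2", "bob", now=30)
    trace.append(t.state("s2"))          # UpdateOnInterim=0: still phantom
    t.purge_stale(now=61)
    trace.append(t.state("s2"))          # phantom timed out and was purged
    t.acct_stop("s1", now=100)
    trace.append(t.state("s1"))          # zombie until 220
    t.purge_stale(now=221)
    trace.append(t.state("s1"))          # gone
    return trace


if __name__ == "__main__":
    print(walk_through())
```

The trace makes the clock dependency in the PhantomTimeout note concrete: every transition compares a receiver-side "now" with a stored expiration timestamp, so in a Session State Register cluster a skewed clock on one node purges phantoms early or lets zombies linger.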

[CurrentSessions] Section

The [CurrentSessions] section (Table 18) of radius.ini controls the current sessions table.

Table 18: radius.ini [CurrentSessions] Syntax

Parameter

Function

Enable

If set to 0, the current sessions processing is disabled.

This is applicable to standalone servers.

CaseSensitiveUsernameCompare

  • If set to 1, when the server searches its Current Sessions Table for sessions that have the same username, it uses case-sensitive lookups.

  • If set to 0, the server ignores case.

Default value is 0.

Note: This parameter is applicable only to standalone servers.

For a standalone server, the CST is in local memory, and is configured with the dbclusterlocal.gen file when you run the configuration script.

In addition, the setting of the PersistSessions parameter in the radius.ini file determines whether sessions are restored or not restored when SBR Carrier is restarted.

You cannot configure field names in the local CST (dbclusterlocal.gen). However, there are three predefined fields and seven generic fields you can configure using the sessionTable.ini file. See Juniper Networks Steel-Belted Radius Carrier Installation Guide for information about configuring sessionTable.ini file.

[DynAuthProxy]

The [DynAuthProxy] section in the radius.ini file controls some global Dynamic Authorization proxy features.

Table 19: [DynAuthProxy] Section

Parameter

Function

Enable

  • If set to 1, this parameter enables the Dynamic Authorization Proxy functionality.

  • If set to 0, the Dynamic Authorization Proxy functionality is disabled.

The default setting is 0.

RequestTimeoutMills

This setting can be used to set the retransmission time (in milliseconds) when forwarding Proxy CoA/DM requests to a NAS client.

The default value is 3000, or 3 seconds.

NumAttempts

This setting controls the number of retries before discarding the proxy CoA/DM forwarding requests.

The default value is 3.

CheckReversePath

This setting controls whether Reverse Path Forwarding checking is done on received Proxy CoA/DM requests.

  • If set to yes, the checking for Reverse Path Forwarding on received proxy CoA/DM requests is enabled.

  • If set to no, the checking for Reverse Path Forwarding on received proxy CoA/DM requests is disabled.

The default is yes.

MessageAuthenticator

The MessageAuthenticator setting, if set to “yes,” causes the Message-Authenticator attribute to be added to every Proxy CoA/DM request forwarded by SBRC. If set to “no,” no Message-Authenticator attribute is forwarded in any Proxy CoA/DM request.

ForwardMethod

This setting determines the method used in finding a NAS target when a CoA/DM proxy request is received.

  • If set to session-table, the setting looks for a matching session in the current sessions table.

  • If set to direct, the setting tries to match attributes with a configured client.

  • If set to both, the setting first looks for a matching session in the current sessions table, and then falls back to the direct method if no matching session is found.

The default setting is session-table.
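The MessageAuthenticator setting above adds the RADIUS Message-Authenticator attribute to each forwarded CoA/DM request; the following is an added example, not Juniper or SBR Carrier code, that shows what that attribute is and how a receiving NAS or proxy checks it. It follows RFC 2869 section 5.14 for the HMAC-MD5 Message-Authenticator and RFC 5176 section 3.3 for the CoA Request Authenticator (MD5 over the packet with a zero Authenticator field, followed by the shared secret); the HMAC-first-then-MD5 ordering is the one widely used by open-source RADIUS servers for CoA/Disconnect requests, and the secret and attribute values are constructed.

```python
"""Build and verify the Message-Authenticator on a CoA-Request.

Added example; not Juniper or SBR Carrier code. It shows what the
[DynAuthProxy] MessageAuthenticator=yes setting adds to each forwarded CoA/DM
request and how the receiving side checks it. The constructions follow RFC
2869 section 5.14 (Message-Authenticator = HMAC-MD5 keyed with the shared
secret over the packet, with the attribute's own value zeroed) and RFC 5176
section 3.3 (Request Authenticator = MD5 over the packet with a zero
Authenticator field followed by the secret). The order used here, HMAC first
with a zero Authenticator field and then the MD5, is the order widely used by
open-source RADIUS servers for CoA/Disconnect requests; the secret and
attribute values are constructed for the example.
"""
import hashlib
import hmac
import struct

CODE_COA_REQUEST = 43
ATTR_USER_NAME = 1
ATTR_ACCT_SESSION_ID = 44
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER = struct.Struct("!BBH16s")      # Code, Identifier, Length, Authenticator


def avp(attr_type, value):
    """Encode one attribute-value pair (type, length, value)."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def build_coa_request(identifier, secret, attrs):
    """Return a CoA-Request with Message-Authenticator and Request Authenticator filled in."""
    body = b"".join(attrs) + avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = HEADER.size + len(body)
    pkt = bytearray(HEADER.pack(CODE_COA_REQUEST, identifier, length, bytes(16)) + body)
    # 1. HMAC-MD5 over the packet (Authenticator field and M-A value both zero).
    pkt[length - 16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    # 2. Request Authenticator over the completed packet plus the secret (RFC 5176 3.3).
    pkt[4:20] = hashlib.md5(bytes(pkt) + secret).digest()
    return bytes(pkt)


def iter_attrs(pkt):
    """Yield (offset, type, value) for each attribute; raise ValueError on a bad length."""
    off = HEADER.size
    while off < len(pkt):
        if off + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > len(pkt):
            raise ValueError(f"bad attribute length {l} at offset {off}")
        yield off, t, pkt[off + 2:off + l]
        off += l


def verify_coa_request(pkt, secret):
    """True only if the packet is well formed and both authenticators match the secret."""
    if len(pkt) < HEADER.size:
        return False
    code, _ident, length, auth = HEADER.unpack_from(pkt)
    if code != CODE_COA_REQUEST or length != len(pkt):
        return False
    try:
        ma = [(off, v) for off, t, v in iter_attrs(pkt) if t == ATTR_MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False                      # malformed attribute list: drop it
    if len(ma) != 1 or len(ma[0][1]) != 16:
        return False                      # missing or duplicated Message-Authenticator
    zeroed = bytearray(pkt)
    zeroed[4:20] = bytes(16)
    if not hmac.compare_digest(hashlib.md5(bytes(zeroed) + secret).digest(), auth):
        return False
    off, value = ma[0]
    zeroed[off + 2:off + 18] = bytes(16)
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, value)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt = build_coa_request(7, secret, [avp(ATTR_USER_NAME, b"alice"),
                                         avp(ATTR_ACCT_SESSION_ID, b"0000001F")])
    print("genuine :", verify_coa_request(pkt, secret))
    tampered = bytearray(pkt)
    tampered[22] ^= 0x01                 # flip one bit inside User-Name
    print("tampered:", verify_coa_request(bytes(tampered), secret))
```

Flipping a single bit in User-Name, using the wrong secret, or truncating the packet all fail verification; a receiver that skips the check (or a forwarder configured with MessageAuthenticator=no) is relying on the Request Authenticator alone, which is why the setting is worth leaving on for CoA/DM traffic that crosses a proxy.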

[LatencyLog]

The [LatencyLog] section in the radius.ini file controls the latency log, which records the processing latency of each authentication or accounting request received by SBR. Entries are written to a separate file, latency_<timestamp>.csv, where timestamp is in the format yyyymmdd_hhmm.

Table 20: [LatencyLog] Section

Parameter

Function

Enable

  • If set to 1, this parameter enables the latency log and creates the latency_<timestamp>.csv file.

  • If set to 0, the latency log functionality is disabled.

The default setting is 0.

RollOver

Specifies how often the current latency log file is closed and a new file is opened (a rollover), up to one rollover per minute. Nonzero values indicate the number of minutes until the next rollover.

If set to 0, the latency log file rolls over once every 24 hours, at midnight local time.

The default value is 0.

RollOverOnStartup

  • If set to 1, each time SBR is started, it closes the current latency log file and opens a new one. A sequence number _nnnn is appended to the log file name, just as when the maximum size is reached.

  • If set to 0, each time SBR is started, it appends entries to the previously open latency log file.

The default value is 0.

Note: When the latency log is enabled, the Enable, RollOver, and RollOverOnStartup parameters are re-read whenever the server receives a SIGHUP (1) signal.

The latency log file contains the following parameters:

Table 21: Latencylog Parameters

Parameter

Description

Date and Time

Logs the date and time of the request.

Thread-Id

Logs the thread-id of the request that is handled.

Type

Logs the type of the request. The type could be one of the following values:

  • auth

  • acct-start

  • acct-stop

  • acct-interim

  • acct-on

  • acct-off

Id

In case of authentication and accounting requests, this parameter logs the value of Transaction-id.

Module

Logs the module name where the authentication request is processed. If the latency logger is called from the plug-in module, then this parameter logs the name of the plug-in module. For example, SQL_ORACLE, SBR, or realm name.

In case of accounting requests, this parameter logs as None.

Status

Logs the status of the request.

In case of authentication requests, this parameter may be “Accept,” “Reject,” “Challenge,” “Ack,” or “Discard.”

In case of accounting requests, this parameter sets the value as “Ack.”

Latency

Logs the execution time of the request within the module in milliseconds.

NAS-IP-Address

Logs the source address of the request, which may be IPv4 or IPv6 address.

UDP-Port

Logs the port on which the request has been received.

UserName

Logs the username specified in the request.

Target-Address

Logs the address of the external or local database where the authentication request is validated.

In case of accounting requests, this parameter logs the address of the external database.

The following is an example of a sample latency_<time-stamp>.csv file:
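The page's own sample file is not reproduced here. The following is an added example, not Juniper or SBR Carrier code, that reads latency log lines and produces the two things an operator usually wants from them: per-module latency percentiles (to spot a slow LDAP or SQL backend) and the authentication failure rate per NAS (to spot a client spraying Rejects or Discards). The sample lines are constructed, and the column order, the absence of a header row, and the timestamp format are assumptions taken from Table 21.

```python
"""Summarise a latency_<timestamp>.csv file from the [LatencyLog] feature.

Added example; not Juniper or SBR Carrier code. The page does not reproduce
a sample file, so the lines below are constructed. The column order
(Date and Time, Thread-Id, Type, Id, Module, Status, Latency, NAS-IP-Address,
UDP-Port, UserName, Target-Address), the absence of a header row and the
timestamp format are assumptions taken from Table 21; adjust FIELDS and the
sample if your file differs.
"""
import csv
import io
import math
import statistics
from collections import defaultdict

FIELDS = ["datetime", "thread_id", "type", "id", "module", "status",
          "latency_ms", "nas_ip", "udp_port", "username", "target"]

# Constructed sample: two fast Oracle lookups, one slow LDAP lookup, a burst of
# failures from one NAS, and two accounting records (Module is None for accounting).
SAMPLE = """\
2024-03-01 10:00:00.123,140231,auth,1001,SQL_ORACLE,Accept,12,192.0.2.10,1812,alice,10.0.0.5
2024-03-01 10:00:00.400,140232,auth,1002,SQL_ORACLE,Accept,15,192.0.2.10,1812,bob,10.0.0.5
2024-03-01 10:00:01.050,140233,auth,1003,LDAP,Accept,340,192.0.2.10,1812,carol,10.0.0.6
2024-03-01 10:00:01.100,140234,auth,1004,SBR,Reject,3,192.0.2.77,1812,admin,local
2024-03-01 10:00:01.150,140235,auth,1005,SBR,Reject,2,192.0.2.77,1812,root,local
2024-03-01 10:00:01.200,140236,auth,1006,SBR,Reject,4,192.0.2.77,1812,guest,local
2024-03-01 10:00:01.250,140237,auth,1007,SBR,Discard,1,192.0.2.77,1812,test,local
2024-03-01 10:00:02.000,140238,acct-start,2001,None,Ack,5,192.0.2.10,1813,alice,10.0.0.5
2024-03-01 10:00:09.000,140239,acct-stop,2002,None,Ack,6,192.0.2.10,1813,alice,10.0.0.5
"""

FAILURES = {"Reject", "Discard"}


def parse_latency_log(text):
    """Parse CSV lines into dicts, converting latency to a float (milliseconds)."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        if rec["latency_ms"] is None:
            raise ValueError(f"short row: {rec}")
        rec["latency_ms"] = float(rec["latency_ms"])
        rows.append(rec)
    return rows


def p95(values):
    """Nearest-rank 95th percentile."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(0.95 * len(ordered)) - 1)]


def summarize(rows, slow_ms=100.0):
    """Per-module latency figures plus the auth failure rate per NAS."""
    by_module = defaultdict(list)
    auth_total = defaultdict(int)
    auth_failed = defaultdict(int)
    for r in rows:
        by_module[r["module"]].append(r["latency_ms"])
        if r["type"] == "auth":
            auth_total[r["nas_ip"]] += 1
            if r["status"] in FAILURES:
                auth_failed[r["nas_ip"]] += 1
    modules = {
        m: {"count": len(lat), "median_ms": statistics.median(lat), "p95_ms": p95(lat)}
        for m, lat in by_module.items()
    }
    return {
        "modules": modules,
        "slow_modules": sorted(m for m, v in modules.items() if v["p95_ms"] > slow_ms),
        "nas_failure_rate": {nas: auth_failed[nas] / n for nas, n in auth_total.items()},
    }


if __name__ == "__main__":
    report = summarize(parse_latency_log(SAMPLE))
    for module, f in report["modules"].items():
        print(f"{module:12} n={f['count']:3} median={f['median_ms']:6.1f} p95={f['p95_ms']:6.1f} ms")
    print("slow modules:", report["slow_modules"])
    print("auth failure rate by NAS:", report["nas_failure_rate"])
```

Feed it the rolled-over files in sequence (the RollOver settings above decide how large each one gets) and raise the slow_ms threshold to whatever your backend SLA is; a NAS whose failure rate jumps toward 1.0 while its latency stays near zero is the signature of rejected guesses rather than a broken backend.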

[EmbedInClass] Section

The [EmbedInClass] section (Table 22) of radius.ini identifies attributes that are available during authentication processing which must be made available in accounting requests. Attribute embedding allows billing information to be embedded in a Class attribute returned to Steel-Belted Radius Carrier by a network access server. When Steel-Belted Radius Carrier receives an embedded attribute, it decodes the attribute and places it in the Accounting-Request according to the settings specified in the classmap.ini file (described on classmap.ini File).

Note: The ClassAttributeStyle parameter in the [Configuration] section of radius.ini must be set to 2 before you can use attribute embedding.

The syntax for embedding attributes is:

Table 22: radius.ini [EmbedInClass] Syntax

Parameter

Function

responseAttribute

Identifies the response attribute to be embedded in the RADIUS Class attribute.

Clear

Specifies that the retrieved information is included in the Class attribute in cleartext format.

Encrypt

Specifies that the retrieved information is encrypted before it is included in the Class attribute.

Remove

Optional parameter that removes the embedded attribute from the Accept-Response packet.

[HiddenEAPIdentity] Section

The [HiddenEAPIdentity] section (Table 23) of radius.ini allows the known inner identity of EAP/TTLS and EAP/SIM protocols to be included in the Access-Accept message returned in response to an authentication request.

The syntax is:

Table 23: radius.ini [HiddenEAPIdentity] Syntax

Parameter

Function

IncludeInAcceptResponse

  • If set to 0, inclusion of the inner identity in Access-Accept responses is disabled.

  • If set to 1, Steel-Belted Radius Carrier includes the inner identity in the specified attribute of an Access-Accept response.

Default value is 0.

attributeName

Identifies the attribute in which to include the inner identity in an Access-Accept message. If this value is omitted, the User-Name attribute is used. The attributeName value can be any string attribute, including a VSA, that is defined in an attribute dictionary.

[, replaceAttribute]

Identifies the Access-Accept attribute that retains the original value of the attribute specified in the attributeName argument.

If a replacement value is not specified, the value of the original attribute is lost.

[IPPoolSuffixes] Section

The [IPPoolSuffixes] section of radius.ini lets you define suffixes that can be used to split the IP address pools reserved for a network access server into smaller subcategories.

Note: This section is applicable only to standalone servers.

The syntax is:

For example, to create three categories that append -Bronze, -Silver, and -Gold to IP Address Pool names, this section is defined:

[IPv6] Section

The [IPv6] section (Table 24) of radius.ini controls IPv6 network transport features.

Table 24: radius.ini [IPv6] Syntax

Parameter

Function

Enable

Determines whether IPv6 networking is enabled in Steel-Belted Radius Carrier.

  • If set to 0, IPv6 networking is disabled, and other values in the IPv6 section of radius.ini are ignored.

  • If set to 1, IPv6 networking is enabled.

Default value is 1.

Note: IPv4 networking is always enabled in Steel-Belted Radius Carrier.

DynamicNameResolution

Determines whether the Steel-Belted Radius Carrier server tries to use IPv6 name services (DNSv6) to resolve hostnames.

  • 0—Do not use IPv6 name services. IPv4 name services are not affected by this setting.

  • 1—Use only IPv6 name services. IPv4 name services are disabled by this setting.

  • 2—Use IPv6 name services first; use IPv4 name services in case of failure.

Default value is 2.

IPv6LinkLocalUnicastScopeId

Specifies an interface name (such as hme0) or index (4) for Solaris hosts.

If set to 0, Steel-Belted Radius Carrier does not use link local addresses.

Default value is 0.

Note: The use of IPv6LinkLocalUnicastScopeId parameter has been deprecated.

IPv6SiteLocalUnicastScopeId

Specifies an interface name (such as hme0) or index (4).

If set to 0, Steel-Belted Radius Carrier selects the site local scope ID automatically.

Default value is 0.

UsePools

This setting indicates whether the value of the returned Framed-IPv6-Prefix attribute is calculated using the IPv4 address pools.

If set to IPv4, the IPv4 pools are used as the basis for creating the value of the returned Framed-IPv6-Prefix attribute.

If set to No, managed IPv6 address pools are not supported.

The default value is No.

Pools-IPv6-Prefix-Offset

When UsePools=IPv4, this setting indicates the offset in the Framed-IPv6-Prefix to embed the dynamically assigned IPv4 address. The offset is specified in bits and ranges from 0 through 96. The offset must be a multiple of 8.

The default is the last 32 bits of Framed-IPv6-Prefix.

For more information about the usage of Framed-IPv6-Prefix, see Using Managed IPv6 Address Pools.

[JavaScript] Section

The [JavaScript] section Table 25 of radius.ini contains the configuration parameters for the JavaScript engine.

The syntax is:

Table 25: radius.ini [JavaScript] Syntax

Parameter

Function

JSEngineRuntimeMemory

Sets the size of the runtime memory arena from which new instances of JavaScript engines are allocated for the core SBR Carrier.

Note: LDAP and core SBR Carrier use independent instances of JavaScript engines.

Default value is 8 MB.

Note: Increasing the value of JSEngineRuntimeMemory will decrease the frequency of garbage collection but negatively affect performance.

[LDAP] Section

The [LDAP] section (Table 26) of radius.ini sets the TCP port number that you want to use for communication between Steel-Belted Radius Carrier and LDAP clients.

The syntax is:

Table 26: radius.ini [LDAP] Syntax

Parameter

Function

Enable

  • If set to 0, the LDAP Configuration Interface is disabled.

  • If set to 1, the LDAP Configuration Interface is enabled.

Default value is 0.

Note: This parameter is set from your input to the Steel-Belted Radius Carrier configuration script.

Note: Enabling LCI without changing the access password might leave your Steel-Belted Radius Carrier database vulnerable to access by any LDAP client. For information about using the LDAP configuration interface, see the SBR Carrier Administration and Configuration Guide before you enable this feature.

TCPPort

Specifies the TCP port number that you want to use for communication between Steel-Belted Radius Carrier and LDAP clients.

Default value is 667.

Note: This parameter is set from your input to the Steel-Belted Radius Carrier configuration script, only if you answer "Yes" to the question: "Do you want to enable LCI? [n]:".

[LDAPAddresses] Section

The [LDAPAddresses] section of radius.ini lets you specify the interfaces on which Steel-Belted Radius Carrier listens for LDAP Configuration Interface (LCI) requests. If you want to provide these settings, you must add a section called [LDAPAddresses] to the radius.ini file. This section contains a list of IP addresses, one per line.

If the [LDAPAddresses] section is omitted or empty, Steel-Belted Radius Carrier listens for LCI requests on all bound IP interfaces.

Note: This parameter is set from your input to the Steel-Belted Radius Carrier configuration script, only if you answer "Yes" to the question: "Do you want to enable LCI? [n]:".

[Logging] Section

The [Logging] section (Table 28) of the radius.ini file specifies logging functions for Steel-Belted Radius Carrier.

Log File Naming Conventions and Log Rollover

Steel-Belted Radius Carrier writes to the current server log file until that log file is closed. After closing the file, Steel-Belted Radius Carrier opens a new one and begins writing to it. You can configure how often this rollover of the server log file occurs by setting the Rollover parameter.

The naming conventions for server log files permit more than one file to be generated during a day. Table 27 lists the file naming conventions used for different rollover periods. In Table 27, y = four-digit year, M = two-digit month, d = two-digit day, h = hour digits, and m = minute digits. When more than one file is generated during a day, the sequence number _nnnnn starts at _00000 each day.

Table 27: Server Log File Naming

File Generation Method                  File Naming Convention
Default (24 hours)                      yyyyMMdd.log
Non-24-hour rollover                    yyyyMMdd_hhmm.log
Rollover based on size only             yyyyMMdd_nnnnn.log
Rollover based on both time and size    yyyyMMdd_hhmm_nnnnn.log

For example, if rollover is based on size and multiple rollovers occur on November 21, 2008, they are denoted as:

Nov 21 08:15 20081121_00001.log

Nov 21 08:19 20081121_00002.log

The date matches the system date and is written as a four-digit year, two-digit month, and two-digit day, followed by an underscore (_) and a five-digit counter that increments at each rollover in a given day.

Note: If rollover is based only on the size of the log file, the file name format is yyyyMMdd_nnnnn.log, where nnnnn is an integer that is incremented each time the file rolls over. Rollover occurs as soon as the current log line causes the file to be longer than the rollover limit (LogfileMaxMBytes).

If rollover is on the basis of size (LogfileMaxMBytes is > 0) and also time (Rollover > 0), then the log file name format is yyyyMMdd_HHmm_nnnnn.log.

The time HHmm is the time at which the log was scheduled to roll over, even if no message was logged at that exact time. For example, if you configure the log to roll over every 3 hours, your log files are called yyyyMMdd_0300_nnnnn.log, yyyyMMdd_0600_nnnnn.log, and so on. Even if you configure the server at 1:43 and the first message is logged at 4:33, Steel-Belted Radius Carrier counts the rollover periods from midnight every day, so that the times are consistent from day to day.
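As an added example (not part of the Juniper documentation), the following Python code derives the log file name that the naming rules above produce for a given Rollover and LogFileMaxMBytes setting, including the midnight-anchored rollover boundary, and parses an existing name back into its parts so a log collector can order and group files. The sequence counter is passed in as a parameter, since the page gives both _00000 and _00001 as the first value.

```python
import re
from datetime import datetime

# Matches yyyyMMdd.log, yyyyMMdd_hhmm.log, yyyyMMdd_nnnnn.log and yyyyMMdd_hhmm_nnnnn.log
LOG_NAME_RE = re.compile(
    r"^(?P<date>\d{8})(?:_(?P<time>\d{4}))?(?:_(?P<seq>\d{5}))?\.log$"
)


def log_file_name(when, rollover_minutes=0, max_mbytes=0, seq=0):
    """Return the server log file name in use for a message logged at 'when'
    (a datetime or ISO 8601 string), given the [Logging] settings Rollover
    (minutes; 0 = once a day at midnight) and LogFileMaxMBytes (0 = no size
    limit). 'seq' is the per-day size-rollover counter (nnnnn).

    The hhmm part is the scheduled rollover boundary counted from midnight,
    not the time of the first message: Rollover=180 and a message at 04:33
    give 0300, as the naming rules describe.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    parts = [when.strftime("%Y%m%d")]
    if rollover_minutes > 0:
        minutes_since_midnight = when.hour * 60 + when.minute
        boundary = (minutes_since_midnight // rollover_minutes) * rollover_minutes
        parts.append(f"{boundary // 60:02d}{boundary % 60:02d}")
    if max_mbytes > 0:
        parts.append(f"{seq:05d}")
    return "_".join(parts) + ".log"


def parse_log_file_name(name):
    """Split a server log file name into date, rollover time and sequence
    number (None where the part is absent); returns None for other files."""
    m = LOG_NAME_RE.match(name)
    if not m:
        return None
    return {
        "date": m.group("date"),
        "time": m.group("time"),
        "seq": int(m.group("seq")) if m.group("seq") is not None else None,
    }


if __name__ == "__main__":
    # Constructed settings: roll over every 3 hours and at 10 MB
    print(log_file_name("2008-11-21T04:33:00", rollover_minutes=180, max_mbytes=10, seq=0))
    print(parse_log_file_name("20081121_00001.log"))
```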

Thread Identifiers

The Log-Thread-ID parameter helps debug problems with Steel-Belted Radius Carrier operations by incorporating thread identifiers in log messages for all log levels. Thread identifiers help you parse the diagnostic log when messages about different RADIUS requests are interleaved.

The syntax for including thread identifiers in log messages is:

When multiple requests are processed simultaneously, log entries for different requests might appear consecutively in the log file. Configuring the radius.ini file to include a thread identification number with log entries correlates the log entries produced while processing each RADIUS request.

The thread identifier appears in parentheses immediately after the date and time. In this example, the Log-Thread-ID of 98 is assigned to one request and 73 is assigned to another.

Session Identifiers

The session identifier (LogSessionID) further helps with debugging by enabling you to search for log entries associated with a particular user’s session. By setting the LogSessionID parameter to yes, a session identifier is included in log entries. The session identifier is used throughout authentication and accounting.

The syntax for including session identifiers in log messages is:

Note: The ClassAttributeStyle parameter must be set to a value of 2 before you can use session identifiers.

Use simple search commands or scripts to find a particular user’s logged activity. First, find a log entry with data matching that user’s identity and note the session identifier. A second search with that identifier yields all messages relating to that user’s history in the log file.

The session identifier appears immediately after the thread identifier and is denoted by TxId. The format is:

TIMESTAMP (Thread Id) TxId 0x0000000000000000:00000000: LOG-MESSAGE

Example

11/05/2008 09:51:52 (0056) TxId 0x485c5f8a4911b1fa00000002: Unable to find user test with matching password

Note: It is possible that some messages will not include a valid session identifier. Messages logged before the session identifier is learned (before the packet is processed) will have a session identifier of all zeroes. Once the packet is processed, the session identifier is correct.
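The two-step search described above (find the session identifier from a line matching the user, then pull every line with that TxId), as an added Python example that is not part of the Juniper documentation. It parses the documented layout, tolerates the all-zero placeholder identifier, and runs over a handful of constructed log lines modelled on the example entry above.

```python
import re

# Documented layout: TIMESTAMP (Thread Id) TxId <session id>: LOG-MESSAGE.
# Thread and TxId are optional because they appear only with Log-Thread-ID=yes
# and LogSessionID=yes (which also requires ClassAttributeStyle=2).
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}(?:\.\d{3})?)"
    r"(?: \((?P<thread>\d+)\))?"
    r"(?: TxId (?P<txid>0x[0-9A-Fa-f:]+):)?"
    r" (?P<msg>.*)$"
)

# Constructed sample log lines (not real server output); the NAD address is
# a documentation address.
SAMPLE_LOG = """\
11/05/2008 09:51:52 (0056) TxId 0x0000000000000000:00000000: Received Access-Request from 192.0.2.10
11/05/2008 09:51:52 (0056) TxId 0x485c5f8a4911b1fa00000002: Authenticating user test
11/05/2008 09:51:52 (0073) TxId 0x485c5f8a4911b1fa00000003: Authenticating user alice
11/05/2008 09:51:52 (0056) TxId 0x485c5f8a4911b1fa00000002: Unable to find user test with matching password
11/05/2008 09:51:53 (0073) TxId 0x485c5f8a4911b1fa00000003: Sending Access-Accept
11/05/2008 09:51:53 (0056) TxId 0x485c5f8a4911b1fa00000002: Sending Access-Reject
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def parse_log_line(line):
    """Return the fields of one log line as a dict, or None if it is not a log entry."""
    m = LOG_LINE_RE.match(line)
    return m.groupdict() if m else None


def is_unknown_session(txid):
    """True for a missing identifier or the all-zero placeholder that is logged
    before the session identifier has been learned."""
    return txid is None or set(txid[2:].replace(":", "")) <= {"0"}


def session_ids_for(lines, needle):
    """First search: session identifiers of entries whose message mentions
    'needle' (a username, NAD address, and so on), ignoring the placeholder."""
    ids = set()
    for line in lines:
        entry = parse_log_line(line)
        if entry and needle in entry["msg"] and not is_unknown_session(entry["txid"]):
            ids.add(entry["txid"])
    return ids


def lines_for_session(lines, txid):
    """Second search: every entry carrying the given session identifier."""
    return [line for line in lines
            if (entry := parse_log_line(line)) and entry["txid"] == txid]


def trace_user(lines, needle):
    """Both searches together: all entries of every session that mentions 'needle'."""
    return {sid: lines_for_session(lines, sid)
            for sid in sorted(session_ids_for(lines, needle))}


if __name__ == "__main__":
    for sid, entries in trace_user(SAMPLE_LINES, "user test").items():
        print(sid)
        for entry in entries:
            print("   ", parse_log_line(entry)["msg"])
```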

Enhanced Proxy Logging

Steel-Belted Radius Carrier includes enhanced logging capabilities for troubleshooting proxy target issues. These include presenting transactions between Steel-Belted Radius Carrier and proxy targets in human readable format when the TraceLevel parameter is set to 2. In addition, proxy error messages now include the target or realm name. This helps in troubleshooting proxy target issues when multiple proxy targets exist.

Table 28: radius.ini [Logging] Syntax

Parameter

Function

EnhancedDiagnosticLogging

  • If set to no, standard diagnostic logging messages are written to the server log file.

  • If set to yes, messages relating to proxy retries, proxy timeouts, and LDAP timeouts, as well as standard diagnostic logging messages, are written to the server log file (yyyymmdd.log).

Default value is no.

EnhancedEAPLogging

  • If set to no, standard EAP logging messages are written to the server log file in hexadecimal format.

  • If set to yes, detailed EAP-Message attribute values of EAP-SIM, EAP-AKA, EAP-TLS, and EAP-TTLS authentication protocols along with protocol alerts and error codes are written to the server log file.

Note: EnhancedEAPLogging=yes is valid only if the TraceLevel parameter in the radius.ini file is set to 2.

Default value is yes.

Note:

  • SBR does not log grouped AVPs, such as Vendor-Specific-Application-ID in Diameter messages, correctly.

  • Enhanced EAP logging is supported only for TLS version 1.2. Logging for TLS version 1.1 remains unsupported.

LogAccept

  • If set to 1, specifies that messages associated with Accepts that meet the current LogLevel are recorded in the server log file.

  • If set to 0, messages associated with Accepts are ignored.

Default value is 1.

The LogAccept setting is re-read whenever the server receives a SIGHUP (1) signal.

LogDir

Sets the destination directory on the local host where server log files are stored.

Default value is the Steel-Belted Radius Carrier directory.

Note: If you specify an alternate destination directory other than the default, ensure that the directory exists before starting the SBR. Otherwise, SBR may fail to function correctly.

Note: You cannot write server log files to a linked drive.

LogFileMaxMBytes

  • If set to 0 (or if setting is absent), the server log file size is ignored and log file names are date-stamped to identify when they were opened (YYYYMMDD.log).

  • If set to a value in the range 1–2047, the current server log file is closed when it reaches the specified number of megabytes (1024 x 1024 bytes), and a new server log file is opened using the file format (YYYYMMDD_NNNNN.log), where NNNNN is a sequence number.

Default value is 0.

Note: The size of the log file is checked each time a message is logged. The log file might exceed the size specified in LogFileMaxMBytes, because it does not roll over until the next log size check occurs.

Note: If both LogFileMaxMBytes and MaxSize are present, MaxSize is ignored and the log file size is based on LogFileMaxMBytes (MBytes). If you want to configure the maximum file size in bytes, do not include the LogFileMaxMBytes parameter in this file.

Note: If LogfileMaxMBytes is set, a new server log file is created whenever the server restarts, even if the log file has not reached the specified number of megabytes. This is an expected behavior.

LogFilePermissions

Specifies the owner and access permission setting for the system log (yyyymmdd.log) file.

Enter a value for the LogFilePermissions setting in owner:group permissions format, where:

  • owner specifies the owner of the file in text or numeric format.

  • group specifies the group setting for the file in text or numeric format.

  • permissions specifies what privileges can be exercised by Owner/Group/Other with respect to the file in text or numeric format.

For example, user:1007 rw-r----- specifies that the file owner (user) can read and edit the log file, members of group 1007 can read (but not edit) the log file, and other users cannot access the log file.

Log-Flush-To-System

  • If set to no, log flushing is disabled, and log data is queued in a buffer and written to the log at a later time.

  • If set to yes, log flushing is enabled and log data is written to the log file immediately without being queued. This can impact performance.

Default value is no, disabled.

LogGroup

Specifies the type of server functionality for which you want to log details in the server log file. You can specify the numbers from 0 through 4.

  • 0—All. Includes logs from all the log groups.

  • 1—Administration. Logs details related to the GUI configuration (both RADIUS and Diameter configurations) and SNMP traps.

  • 2—SessionControlSuccess and SessionControlFailure. Logs COA/DM messages during session success and failure scenarios.

  • 3—Diameter Peer State. Logs IP address, port, event, and transition state of the Diameter peer when the Device-Watchdog-Request message is received from the Diameter peer.

  • 4—Others. Logs the following details:

    • System related information such as system start, system stop, resource failures, and so on.

    • Error messages during configuring EAP methods and filters by using the Web GUI.

    • Access-Accept messages including details such as username, policy, authentication method, realm, protocol, Calling-Station-Id, Called-Station-Id, NAD, and so on, during RADIUS to Diameter translation scenarios.

    • Access-Reject messages with the reason for the reject during RADIUS to Diameter translation scenarios.

You can specify more than one number in this parameter; the numbers must be comma separated.

Default value is 0.

The LogGroup setting is re-read whenever the server receives a SIGHUP (1) signal.

Note: Configuration logs cannot be disabled. For an example of using log levels with log groups, see SBR Carrier Administration and Configuration Guide.

LogHighResolutionTime

  • If set to no, the timestamp for entries in the Steel-Belted Radius Carrier log file (yyyymmdd.log) is recorded as MM/DD/YYYY/hh:mm:ss (month/date/year/hour:minutes:seconds).

  • If set to yes, the timestamp for entries in the Steel-Belted Radius Carrier log file (yyyymmdd.log) is recorded as MM/DD/YYYY/hh:mm:ss.xxx, where xxx represents the number of elapsed milliseconds since the ss value changed.

Default value is no.

Note: If the value for LogLevel is set as 2, then the entries to the server log file will contain both the thread ID (Log-Thread-ID) and timestamps with millisecond (LogHighResolutionTime) details, unless they are explicitly disabled.

LogLevel

Sets the level of detail at which Steel-Belted Radius Carrier writes entries to the server log file (yyyymmdd.log):

  • 0—Default; log errors only.

  • 1—Log errors and warnings.

  • 2—Log debugging messages, including info, warnings, and errors.

Default value is 0.

Note: If the value for LogLevel is set as 2, then the entries to the server log file will contain both the thread ID (Log-Thread-ID) and timestamps with millisecond (LogHighResolutionTime) details, unless they are explicitly disabled.

The LogLevel setting is re-read whenever the server receives a SIGHUP (1) signal.

LogReject

  • If set to 0, messages associated with Rejects are ignored.

  • If set to 1, messages associated with Rejects that meet the current LogLevel are recorded in the server log file.

Default value is 1.

The LogReject setting is re-read whenever the server receives a SIGHUP (1) signal.

LogSessionID

  • If set to yes, session identifiers are included in Steel-Belted Radius Carrier log messages.

  • If set to no, session identifiers are omitted from Steel-Belted Radius Carrier log messages.

Default value is no.

Log-Thread-ID

  • If set to yes, thread identifiers are included in Steel-Belted Radius Carrier log messages.

  • If set to no, thread identifiers are omitted from Steel-Belted Radius Carrier log messages.

Default value is no.

Note: If the value for LogLevel is set as 2, then the entries to the server log file will contain both the thread ID (Log-Thread-ID) and timestamps with millisecond (LogHighResolutionTime) details, unless they are explicitly disabled.

LogUsesUtc

  • If set to no (disabled), the time used to timestamp messages in the log file is the local time zone. Use of local time causes timestamps to be automatically adjusted for seasonal adjustments, such as Daylight Saving Time in the United States, if applicable.

  • If set to yes (enabled), the time used to timestamp messages in the log file is the Coordinated Universal Time (UTC, formerly known as Greenwich Mean Time or GMT) time zone 0.

Default value is no (disabled).

MaxSize

The maximum size of a server log file, in bytes.

If the server log file reaches or exceeds this size when it is checked, the log file is closed and a new file is started. A value of 0 (the default) means unlimited size.

Note: If both LogFileMaxMBytes and MaxSize are present, MaxSize is ignored and the log file size is based on LogFileMaxMBytes (MBytes). If you want to configure the maximum file size in bytes, do not include the LogFileMaxMBytes parameter in this file.

ReplaceUnprintables

Specifies a printable character which is used instead of non-printing characters when SBR Carrier writes messages to the accounting log file. You can define a printable character of ASCII decimal code 32 through 126 (or ASCII hex code 20 through 7E).

You can disable the replacement by setting this parameter to no. Setting this parameter to no truncates a line in the accounting log when a non-printing character is encountered.

Default value is no.

Note: Characters of ASCII decimal code 0 through 31 (ASCII hex code 0 through 1F) and 127 through 255 (ASCII hex code 7F through FF) are considered as non-printing characters.

Rollover

Specifies how often the current server log file is closed and a new file opened (a rollover), up to one rollover per minute. Nonzero values indicate the number of minutes until the next rollover.

If set to 0, the server log file rolls over once every 24 hours, at midnight local time.

Default value is 0.

Note: Rollover, whether based on time, size, or both, is checked only once a minute. Therefore, neither the sizes nor the times are exact.

TraceLevel

Specifies the RADIUS packet tracing level:

  • 0—Default, no packet tracing

  • 1—Trace standard packet content

  • 2—Trace standard and raw packet content

Default value is 0.

Note: Packet traces are written to the server log file and can be a useful tool for troubleshooting interoperability problems.

[MsChapNameStripping] Section

The [MsChapNameStripping] section (Table 29) of radius.ini specifies whether you want Steel-Belted Radius Carrier to try to strip domain information from usernames when it tries to match its user entry to the username/password hash forwarded by the end user. This feature is useful in situations where the username in the Steel-Belted Radius Carrier database includes characters the end-user host considers domain information, which it deletes before computing its hash of the user’s credentials.

If this feature is enabled:

  1. Steel-Belted Radius Carrier scans the username in its database looking for delimiter characters that might indicate a domain is prefixed to the username. If a prefix delimiter character is found, the server strips that character (and all characters to the left of the delimiter), generates its own hash of the user’s credentials, and compares the result to the hashed credentials forwarded by the end user to determine if a match is found.

  2. If a prefix delimiter is not found (or if the hashed credentials do not match after the prefix is stripped), Steel-Belted Radius Carrier scans the username looking for delimiter characters that might indicate a domain is suffixed to the username. If a suffix delimiter character is found, the server strips that character (and all characters to the right of the delimiter), generates its own hash of the user’s credentials, and compares the result to the hashed credentials forwarded by the end user to determine if a match is found.

  3. If neither a prefix delimiter nor a suffix delimiter is found (or if a delimiter was found but the hashed credentials did not match), the server uses the entire username string to generate the hashed credentials and compares the result to the hashed credentials forwarded by the end user to determine if a match is found.

The syntax for the [MsChapNameStripping] section is:

Table 29: radius.ini [MsChapNameStripping] Syntax

Parameter

Function

Enable

  • If set to 0 (or omitted), MS-CHAP v2 name stripping is disabled.

  • If set to 1, MS-CHAP v2 name stripping is enabled.

Default value is 0.

Prefix

A list of as many as five ASCII characters to strip from the prefix. If a space character appears in the list, the entire list must be surrounded by quotation marks.

Enter a double backslash (\\) to indicate you want to strip the backslash character. A double backslash counts as one character in the list.

Default value is \\.

Suffix

A list of as many as five ASCII characters to strip from the suffix. If a space character appears in the list, the entire list must be surrounded by quotation marks.

Enter a double backslash (\\) to indicate you want to strip the backslash character. A double backslash counts as one character in the list.

Default value is /@.
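The three-step candidate order described for this section, together with the Prefix and Suffix list syntax (quotation marks when a space is present, a double backslash for one literal backslash, at most five characters), as an added Python example that is not part of the Juniper documentation. The page does not say which occurrence of a delimiter is used when several are present; this example assumes the first prefix delimiter and the last suffix delimiter, and replaces the MS-CHAP v2 hash comparison with a caller-supplied callback.

```python
def parse_delimiter_list(raw):
    """Parse a Prefix or Suffix value: optional surrounding quotation marks
    (required when a space is in the list), a double backslash meaning one
    literal backslash, and no more than five characters in total."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    chars = []
    i = 0
    while i < len(raw):
        if raw.startswith("\\\\", i):   # the two-character sequence \\ in the file
            chars.append("\\")
            i += 2
        else:
            chars.append(raw[i])
            i += 1
    if len(chars) > 5:
        raise ValueError("at most five delimiter characters are allowed")
    return chars


def mschap_name_candidates(db_username, prefix=("\\",), suffix=("/", "@")):
    """Return, in order, the name forms the server hashes and compares when
    MS-CHAP v2 name stripping is enabled: (1) prefix stripped, (2) suffix
    stripped, (3) the entire name. Defaults are the documented defaults
    (Prefix=\\, Suffix=/@). Assumption for this example: the first prefix
    delimiter and the last suffix delimiter are the ones stripped."""
    candidates = []
    prefix_hits = [db_username.find(c) for c in prefix if c in db_username]
    if prefix_hits:                      # step 1: drop delimiter and everything left of it
        candidates.append(db_username[min(prefix_hits) + 1:])
    suffix_hits = [db_username.rfind(c) for c in suffix if c in db_username]
    if suffix_hits:                      # step 2: drop delimiter and everything right of it
        candidates.append(db_username[:max(suffix_hits)])
    candidates.append(db_username)       # step 3: the entire username string
    return candidates


def match_stripped_name(db_username, hashes_match, prefix=("\\",), suffix=("/", "@")):
    """Try each candidate until hashes_match(name) reports that the server's own
    hash of the credentials equals the one the client sent. hashes_match stands
    in for the MS-CHAP v2 computation, which is outside the scope of this example."""
    for name in mschap_name_candidates(db_username, prefix, suffix):
        if hashes_match(name):
            return name
    return None


if __name__ == "__main__":
    # Constructed values: a prefix list written as it would appear in radius.ini
    prefix = parse_delimiter_list('"\\\\ "')
    print(prefix, mschap_name_candidates("CORP\\alice@example.com", prefix))
```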

[PurgeThreadLogging] Section

You can use the [PurgeThreadLogging] section (Table 30) of the radius.ini file to specify the attributes to be included in the purged stale session log messages.

The syntax is:

Table 30: radius.ini [PurgeThreadLogging] Syntax

Parameter

Function

PurgeThreadLogging_attributes

Specifies the attributes to be included in the purged stale session log messages printed in the SBR log even if the LogLevel parameter in the radius.ini file is set to 0. You can specify the following attributes in this parameter.

  • Unique-Session-ID—SBR Carrier includes the unique identifier of the purged stale session in the purged stale session log messages.

  • User-Name—SBR Carrier includes the RADIUS username of the purged stale session in the purged stale session log messages.

  • NasName—SBR Carrier includes the NAD name of the purged stale session in the purged stale session log messages.

  • Acct-Session-ID—SBR Carrier includes the accounting session identifier of the purged stale session in the purged stale session log messages.

  • Calling-Station-ID—SBR Carrier includes the station identifier of the purged stale session in the purged stale session log messages.

The attributes specified in this parameter must be separated by a space. For example, PurgeThreadLogging_attributes= User-Name Calling-Station-ID. You can also set the PurgeThreadLogging_attributes parameter to all to include all the preceding attributes in the purged stale session log messages.

By default, no attribute is configured in this parameter. In this case, the User-Name and NasName attributes are included in the purged stale session log messages.

Note: If you have left this parameter empty or misspelled an attribute, only the User-Name and NasName attributes are included in the purged stale session log messages.

[Ports] Section

The [Ports] section (Table 31) of radius.ini provides a method for setting the UDP ports used by Steel-Belted Radius Carrier.

  • If one or more UDPAuthPort settings are specified in the [Ports] section of radius.ini, the port numbers in this section are the only ones on which the server listens for authentication requests. Similarly, if one or more UDPAcctPort settings are specified, they are the only ones on which the server listens for accounting requests.

    You can specify as many as 4096 ports on a Solaris server. If this limit is exceeded, the RADIUS authentication subcomponent fails to initialize.

  • If no UDPAuthPort or UDPAcctPort settings are present in the [Ports] section, the server attempts to read the port numbers associated with radius service (authentication) and radacct (accounting) in /etc/services. If successful, the server listens on these port numbers. No more than one port can be specified for the radius service or for the radacct service.

  • If no UDPAuthPort settings are present in the [Ports] section and no radius service or radacct service is listed in the /etc/services file, the server listens on UDP ports 1645 and 1812 for authentication and on UDP ports 1646 and 1813 for accounting.

    Note: Any failure to bind to one of the selected UDP ports causes the affected subcomponent (authentication or accounting) to fail to initialize.

If you want the server to function as a proxy forwarding server, you can specify a block of UDP port numbers from which the proxy RADIUS ports are allocated. Proxy RADIUS allocates port numbers in sets of eight. Port numbers in an allocated block do not have to be contiguous: if a UDP port number that falls in the proxy RADIUS range is in use, proxy RADIUS skips over it.

Table 31: radius.ini [Ports] Syntax

Parameter

Function

ProxyPortCount

The ProxyPortCount parameter is used to configure SBR Carrier for load when proxies are being used. The setting of ProxyPortCount instructs SBR Carrier how many ports to use from within the number of possible ports defined within UDPProxyPortBlockLength starting with the port value set at UDPProxyPortBlockStart.

DynAuthProxyPortCount

The DynAuthProxyPortCount parameter determines the number of ports that are actually allocated for CoA/DM functionality. The setting of DynAuthProxyPortCount instructs SBR Carrier on how many ports to use from within the number of possible ports defined within UDPDynAuthProxyPortBlockLength, starting with the port value set at UDPDynAuthProxyPortBlockStart.

SecureTcpAdminAddress

Specifies the IP address of the administrative interface used for communication between Web GUI and the Steel-Belted Radius Carrier server.

If not specified, any network interface on the Steel-Belted Radius Carrier server accepts a connection from Web GUI.

SecureTcpAdminPort

Specifies the TCP port used for communication between Web GUI and the Steel-Belted Radius Carrier server.

Default value is 1813.

Note: Consult Juniper Networks Technical Support before changing the port number. Using a non-default port may cause communication problems between Web GUI and the Steel-Belted Radius Carrier server.

TCPControlAddress

Specifies the IP address of the administrative interface on the Steel-Belted Radius Carrier server used for SNMP and CCM/replication communication.

If not specified, any network interface on the Steel-Belted Radius Carrier server can be used for SNMP and CCM traffic.

TCPControlPort

Specifies the TCP port used for SNMP and CCM/replication communication.

Default value is 1812.

Note: Consult Juniper Networks Technical Support before changing the port number. Using a non-default port may cause communication problems between Web GUI and the Steel-Belted Radius Carrier server.

UDPAcctPort

Specifies the UDP port(s) used for accounting. If you use more than one port, specify each port number on a separate line.

Default values are 1646 and 1813.

Note: Consult Juniper Networks Technical Support before changing the port number. Using a non-default port may cause communication problems between Web GUI and the Steel-Belted Radius Carrier server.

UDPAuthPort

Specifies the UDP port(s) used for authentication. If you use more than one port, specify each port number on a separate line.

Default values are 1645 and 1812.

Note: Consult Juniper Networks Technical Support before changing the port number. Using a non-default port may cause communication problems between Web GUI and the Steel-Belted Radius Carrier server.

UDPDynAuthPort

This parameter indicates the ports that SBRC listens on for proxy CoA/DM messages.

Default value is 3799.

UDPProxyPortBlockLength

Specifies the number of ports in the port number range used for proxy RADIUS communication.

Default value is 64.

UDPProxyPortBlockStart

Specifies the starting port number in the port number range used for proxy RADIUS communication.

Default value is 28000.

Note: If you change the default value, select a number range that does not overlap with well-known UDP ports and proprietary UDP ports on your network.

Note: You might need to configure network firewalls to allow ports in the specified number range to pass.

UDPDynAuthProxyPortBlockStart

Specifies the starting port number in the port number range used for proxy CoA/DM requests.

Default value is 30000.

Note: If you change the default value, select a number range that does not overlap with well-known UDP ports and proprietary UDP ports on your network.

Note: You might need to configure network firewalls to allow ports in the specified number range to pass.

UDPDynAuthProxyPortBlockLength

Specifies the number of ports in the port number range used for proxy CoA/DM requests.

Default value is 64.

For example:

The UDP port assignments entered in the [Ports] section of the radius.ini file override the UDP port assignments specified in the /etc/services file. For more information, see services File.

[Self] Section

The [Self] section of radius.ini lists all the realm names that the Steel-Belted Radius Carrier server handles locally. The syntax is:

You can use the [Self] section to map a realm name to the Steel-Belted Radius Carrier server. If you acquire a batch of new user accounts, users do not have to change how they enter usernames. They can enter the name User<Delimiter>RealmName or RealmName<Delimiter>User as usual.

When a username comes into Steel-Belted Radius Carrier, if the [Self] section lists RealmName, Steel-Belted Radius Carrier recognizes it as the target, and handles the request locally instead of directing the request elsewhere.

[StaticAcctProxy] Section

The [StaticAcctProxy] section of radius.ini controls the delivery of accounting messages to additional RADIUS accounting-enabled devices on the network, even when the initial RADIUS transaction is not a proxy RADIUS transaction. The syntax is:

Where proxy identifies the name of the RADIUS accounting-enabled device.

[Status] Section

The [Status] section specifies whether authentication, accounting, and proxy thread and flood information is added to the server log.

Table 32: radius.ini [Status] Syntax

Parameter

Function

Status-Period

Specifies the frequency (in seconds) that the status report is written to the log.

Default value is 60 seconds.

Auth-Thread-Flood-Info

  • If set to yes, authentication or authorization thread and flood information is included in the status report.

  • If set to no, authentication or authorization thread and flood information is not included in the status report.

Default value is no.

Acct-Thread-Flood-Info

  • If set to yes, accounting thread and flood information is included in the status report.

  • If set to no, accounting thread and flood information is not included in the status report.

Default value is no.

Proxy-Thread-Flood-Info

  • If set to yes, proxy thread and flood information is included in the status report.

  • If set to no, proxy thread and flood information is not included in the status report.

Default value is no.

DynAuth-Thread-Flood-Info

  • If set to yes, dynamic authentication or authorization thread and flood information is included in the status report.

  • If set to no, dynamic authentication or authorization thread and flood information is not included in the status report.

Default value is no.

Cache-Report

  • If set to yes, cache information is included in the status report.

  • If set to no, cache information is not included in the status report.

Default value is no.

Cache-Report-Details

  • If set to yes, detailed cache information is included in the status report.

  • If set to no, detailed cache information is not included in the status report.

Default value is no.

Accounting-Report

  • If set to yes, accounting statistics are included in the status report.

  • If set to no, accounting statistics are not included in the status report.

Default value is no.

Thread-Count

  • If set to yes, thread counts are included in the status report.

  • If set to no, thread counts are not included in the status report.

Default value is no.

Following is an example of the log entries if all of the [Status] report parameters are set to yes.

[Strip] Section

The [Strip] section (Table 33) specifies how Steel-Belted Radius Carrier manipulates the username by stripping the incoming User-Name attribute value of realm names and other decorations.

The [Strip] section (and accompanying [StripPrefix] and [StripSuffix] sections) look like this:

Table 33: radius.ini [Strip] Syntax

Parameter

Function

Authentication

If set to yes, the [StripPrefix] and [StripSuffix] rules are used to strip the username before an authentication request is processed.

Default value is no.

Accounting

If set to yes, the [StripPrefix] and [StripSuffix] rules are used to strip the username before an accounting request is processed.

Default value is no.

StripPrefixCharacters

A list of ASCII characters to strip from the prefix. If a space character appears in the list, the entire list must be surrounded by quotation marks.

StripSuffixCharacters

A list of ASCII characters to strip from the suffix. If a space character appears in the list, the entire list must be surrounded by quotation marks.

[StripPrefix] Section

The [StripPrefix] section lists prefixes you want removed from the beginning of usernames, including the delimiter. If a space character appears in the list, the entire list must be surrounded by quotation marks.

In this example, Steel-Belted Radius Carrier strips the prefixes isp.com\ and att.net] from usernames in authentication and accounting requests.

[StripSuffix] Section

The [StripSuffix] section lists suffixes you want removed from the end of usernames, including the delimiter.

For example:

In this example, Steel-Belted Radius Carrier strips the suffixes @myrealm.com and @yahoo.com from usernames in authentication and accounting requests.

[UserNameTransform] Section

The [UserNameTransform] section (Table 34) lets you specify a rule for transforming usernames in RADIUS requests from the form in which they are received to a form in which they can be processed. This can be useful when the form in which users supply their names to the network access server is not compatible with the form in which the RADIUS server applies its rules for proxy forwarding or with the form that the authentication system requires.

The username transformation rule used to convert input strings to output strings is based on an input format and an output format. The username transformation rule is applied to usernames appearing in RADIUS requests. The username from the RADIUS request is parsed based on the input format.

  • If the username does not conform to the input format, the rule does not apply and the username is unchanged.

  • If the rule does apply, the parsed elements of the username are formatted based on the output format to construct the transformed username:

  1. The User-Name from the Access-Request (or Acct-Start/Acct-Stop) is compared to the input format rule.

  2. If the User-Name matches the rule, it is modified into the output format, and authentication continues.

  3. If the User-Name does not match the input format, no modification occurs, and authentication continues.

The transformed username replaces the original username in RADIUS processing, just as if the transformed username had been included in the request. The decision to proxy-forward the packet is based on the transformed username, and all authentications are based on the transformed username.

Format strings can be any sequence of characters and can contain embedded variables enclosed in angle brackets (< >). Within literal text, the backslash (\) is an escape character used to represent the following character literally. Within a variable name, a backslash is an ordinary character rather than an escape, so a variable name cannot contain a right angle bracket (>).

Compose the literal text with characters you do not expect to be found in the variable elements. Use punctuation characters such as a slash (/) or an at-sign (@), rather than letters or numbers.

The username transformation rule can be applied to authentication packets, accounting packets, or both.

Example

Table 34: radius.ini [UserNameTransform] Syntax

In

A format string identifying the input format for usernames. For example, <user>@<realm>.

Out

A format string identifying the output format for usernames. For example, <user>.

Authentication

Set to Yes to enable the transform for authentication requests.

Default value is Yes.

Accounting

Set to Yes to enable the transform for accounting requests.

Default value is Yes.

Proxy

Set to Yes to enable the transform for proxied requests.

Default value is Yes.

For example, these settings transform george@acme.com to george:

These settings transform abc/martha@bigco.com to bigco.com::abc/martha:
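As an added worked example (my own code, not part of the SBR Carrier product or of this document), the following Python applies In/Out rules of the kind described above and reproduces the two transformations just given. The matching semantics are an assumption: each variable captures the shortest non-empty run of characters up to the next piece of literal text, so the literal punctuation acts as the delimiter.

```python
import re

# Added example, not code from the Steel-Belted Radius Carrier product: a
# reference implementation of the In/Out format strings described above.
# Assumption: each <variable> matches the shortest non-empty run of characters
# up to the following literal text, so literal punctuation (@, /, ::) acts as
# the delimiter, as the text above recommends.
_TOKEN = re.compile(r"<([^>]+)>|\\(.)|(.)")

def parse_format(fmt):
    """Split a format string into ('var', name) and ('lit', text) tokens."""
    tokens = []
    for var, esc, ch in _TOKEN.findall(fmt):
        if var:
            # Inside <...> a backslash is an ordinary character; a variable
            # name simply cannot contain a right angle bracket.
            tokens.append(("var", var))
        else:
            text = esc if esc else ch  # a backslash escapes the next character
            if tokens and tokens[-1][0] == "lit":
                tokens[-1] = ("lit", tokens[-1][1] + text)
            else:
                tokens.append(("lit", text))
    return tokens

def transform(user_name, in_fmt, out_fmt):
    """Apply the In/Out rule; return user_name unchanged if In does not match."""
    in_tokens = parse_format(in_fmt)
    names = [val for kind, val in in_tokens if kind == "var"]
    pattern = "".join("(.+?)" if kind == "var" else re.escape(val)
                      for kind, val in in_tokens)
    match = re.fullmatch(pattern, user_name)
    if match is None:
        return user_name  # rule does not apply; the name is left as received
    values = dict(zip(names, match.groups()))
    out = []
    for kind, val in parse_format(out_fmt):
        if kind == "var" and val not in values:
            raise ValueError("Out references <%s>, which In never captures" % val)
        out.append(values[val] if kind == "var" else val)
    return "".join(out)

if __name__ == "__main__":
    print(transform("george@acme.com", "<user>@<realm>", "<user>"))
    print(transform("abc/martha@bigco.com", "<user>@<realm>", "<realm>::<user>"))
```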

[ValidateAuth] and [ValidateAcct] Sections

The [ValidateAuth] and [ValidateAcct] sections (Table 35) of radius.ini specify how Steel-Belted Radius Carrier validates usernames in authentication and accounting requests. These sections enable SBR Carrier to examine the User-Name attribute in the incoming packet to determine whether it employs a valid character set.

Table 35: radius.ini [ValidateAuth] and [ValidateAcct] Syntax

[ValidateAuth]

This section applies only to authentication servers.

[ValidateAcct]

This section applies only to accounting servers.

User-Name

Names the regular expression against which the User-Name attribute is validated. If the User-Name entry is absent from the section or the regular expression is blank, no validation occurs.

RegularExpression

The regular expression lists each valid character or range of characters.

A dash (-) indicates a range of alphanumeric characters. For example, A-Z indicates every uppercase alphabetic character.

A backslash (\) followed by a non-alphanumeric character indicates that character literally, for example \? indicates the question mark.

The backslash (\) also introduces these escape sequences:

  • \a bell (7)

  • \b backspace (8)

  • \t tab (9)

  • \n newline (10)

  • \v vertical tab (11)

  • \f formfeed (12)

  • \r return (13)

  • \xnn hex value, where nn is a two-digit hexadecimal number

  • \nnn decimal value, where nnn is a three-digit decimal number
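The following Python is an added example (my own code, not part of the SBR Carrier product or of this document) that parses the character-list syntax just described, including ranges and the escape sequences, and validates a User-Name against it. It assumes that a name is valid only when every one of its characters is listed or falls inside a listed range.

```python
# Added example, not code from the Steel-Belted Radius Carrier product: a
# parser for the User-Name character-list syntax described above and a
# validator built on it. Assumption: a character is permitted only if it is
# listed or falls inside a listed range; any other character rejects the name.
_ESCAPES = {"a": 7, "b": 8, "t": 9, "n": 10, "v": 11, "f": 12, "r": 13}

def parse_char_list(spec):
    """Return the set of characters permitted by a RegularExpression value."""
    items = []  # (character, produced_by_escape)
    i = 0
    while i < len(spec):
        e = spec[i + 1] if spec[i] == "\\" and i + 1 < len(spec) else None
        if spec[i] != "\\":
            item, n = (spec[i], False), 1
        elif e is None:
            raise ValueError("dangling backslash in %r" % spec)
        elif e in _ESCAPES:                 # \a \b \t \n \v \f \r
            item, n = (chr(_ESCAPES[e]), True), 2
        elif e == "x":                      # \xnn: two hex digits
            item, n = (chr(int(spec[i + 2:i + 4], 16)), True), 4
        elif e.isdigit():                   # \nnn: three decimal digits
            item, n = (chr(int(spec[i + 1:i + 4])), True), 4
        else:                               # \? \- \\ etc.: that character literally
            item, n = (e, True), 2
        items.append(item)
        i += n
    allowed = set()
    j = 0
    while j < len(items):
        # An unescaped dash between two items denotes a range such as A-Z.
        if j + 2 < len(items) and items[j + 1] == ("-", False):
            lo, hi = ord(items[j][0]), ord(items[j + 2][0])
            if lo > hi:
                raise ValueError("reversed range in %r" % spec)
            allowed.update(chr(k) for k in range(lo, hi + 1))
            j += 3
        else:
            allowed.add(items[j][0])
            j += 1
    return allowed

def user_name_valid(user_name, spec):
    """True if every character of user_name is permitted by spec. An absent
    or blank User-Name entry means no validation is performed."""
    if not spec:
        return True
    allowed = parse_char_list(spec)
    return all(c in allowed for c in user_name)
```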

This example permits a string composed only of uppercase and lowercase characters, digits, periods, and commas:

This example permits uppercase and lowercase characters: