The spi.ini initialization file defines encryption keys and identifies the servers from which Steel-Belted Radius Carrier processes encrypted Class attributes in accounting requests. The spi.ini file allows one Steel-Belted Radius Carrier server to decode accounting requests for sessions that were authenticated on a different Steel-Belted Radius Carrier server. Class attributes received from servers not specified in spi.ini are ignored.
If you are using the optional SSR (high availability) module and distributing authentication and accounting requests between different SBR Carrier servers sharing the same SSR cluster, you must configure the spi.ini file.
All Steel-Belted Radius Carrier servers that may receive authentication and accounting requests from a common network access server must be configured with similar spi.ini files, which must list the IP addresses of all the servers in that cluster. This allows one server to authenticate a user and generate an encrypted Class attribute that can be decrypted and processed by any other server in the cluster.
The [Keys] section (Table 69) of spi.ini specifies the list of encryption keys used to encode subattributes encapsulated within Class attributes.
Table 69: spi.ini [Keys] Syntax

| Parameter | Function |
|---|---|
| CurrentKey = n | Specifies the encryption key that is currently active, where n is 0 or the number of a key listed in the [Keys] section. Default value is 0. |
| n = value | Specifies the number and value of the encryption key. |
In the following example, the Steel-Belted Radius Carrier server generates a unique random key to encrypt Class attributes.
    [Keys]
    CurrentKey = 0
In the following example, the second key (swordfish) is currently active and used to encrypt Class attributes. The other keys in this section can be used to decrypt Class attributes received from other servers in the same cluster.
    [Keys]
    CurrentKey = 2
    1 = firstkey
    2 = swordfish
    3 = mypassword
The [Hosts] section of spi.ini identifies the IP addresses of the servers from which received Class attributes are parsed for encapsulated/encrypted subattributes. Class attributes from servers not identified in the [Hosts] section of spi.ini are passed without special processing.
The information in the [Hosts] section is used to compute the server’s identifier, which is included in the Class attribute. If one of a host’s interfaces is included in the [Hosts] section, that interface is used to compute the server identifier. If more than one interface for a host is listed, the IP address of the last interface listed is used. If no matching address is found, the host’s primary IP address is used. Addresses not corresponding to a host interface are used to configure the collection of other servers whose Class attributes are accepted.
In the following example, three servers are identified as belonging to a cluster.
    [Hosts]
    192.168.15.21
    192.168.23.121
    192.168.23.205
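The following audit script is an added example, not part of the product documentation or of Steel-Belted Radius Carrier itself. It parses an spi.ini file, applies the [Hosts] identifier rule described above (last listed local interface, otherwise the primary IP address), and reports a CurrentKey that points at an undefined key. The function names, the `local_ips` and `primary_ip` inputs, and the wording of the findings are assumptions of this example.

```python
import configparser

# Constructed sample assembled from the examples on this page.
SAMPLE_SPI_INI = """\
[Keys]
CurrentKey = 2
1 = firstkey
2 = swordfish
3 = mypassword
[Hosts]
192.168.15.21
192.168.23.121
192.168.23.205
"""

def load_spi(text):
    """Parse spi.ini text into (current_key, {number: key}, [hosts in file order])."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",))
    cp.read_string(text)
    keys = dict(cp["Keys"]) if cp.has_section("Keys") else {}
    current = int(keys.pop("currentkey", "0"))  # option names are lowercased; default is 0
    hosts = list(cp["Hosts"]) if cp.has_section("Hosts") else []
    return current, {int(n): v for n, v in keys.items()}, hosts

def server_identifier_ip(hosts, local_ips, primary_ip):
    """[Hosts] rule: the last listed address that is a local interface, else the primary IP."""
    local = [h for h in hosts if h in local_ips]
    return local[-1] if local else primary_ip

def audit(text, local_ips, primary_ip):
    """Return (identifier_ip, accepted_peers, findings) for one server's spi.ini."""
    current, keys, hosts = load_spi(text)
    findings = []
    if current != 0 and current not in keys:
        findings.append(f"CurrentKey = {current} is not defined in [Keys]")
    ident = server_identifier_ip(hosts, local_ips, primary_ip)
    if ident not in hosts:
        findings.append("no local interface is listed in [Hosts]")
    # Addresses that are not local interfaces are the other servers whose Class attributes are accepted.
    peers = [h for h in hosts if h not in local_ips]
    return ident, peers, findings

if __name__ == "__main__":
    # Constructed interface list for a host that owns 192.168.15.21.
    print(audit(SAMPLE_SPI_INI, {"192.168.15.21", "10.0.0.5"}, "10.0.0.5"))
```

Run it on each server in the cluster with that server's own interface addresses and compare the reported peer lists, since every server is expected to list all cluster members.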