Authentication Gateway
This section explains the configurations of ulcmmg.conf, GWrelay.conf, and authGateway.conf files.
Configuring the ulcmmg.conf File
Configuring the ulcmmg.conf File
The ulcmmg.conf file establishes the connection between the GWrelay application and SBR Carrier.
The ulcmmg.conf file contains lines of the following form (the angle brackets <> indicate required parameters and should not be included in the actual configuration):
LOCAL_HOST <host-name>: <port>
REMOTE_HOST <host-name>:<port><ip-address>
NUMBER_OF_RETRIES <retry_value>
DELAY_BETWEEN_RETRIES
<delay_time>
DEBUG
LOG_FILE <file-name>
The LOCAL_HOST line is required. The required host-name parameter specifies the name of the local host, for example, the machine on which the SBRC is executing. The required port parameter specifies the outbound socket port number (2001 by default) that is used by the SBRC to transmit messages to the GWrelay process.
The REMOTE_HOST line is required. The required host-name parameter specifies the name of the host on which the GWrelay process is executing. The required port parameter specifies the inbound socket port number (2000 by default) that is used by the GWrelay process to listen for messages from SBRC. The required ip-address parameter specifies the IP address corresponding to the host-name parameter.
The NUMBER_OF_RETRIES line is optional. The retry_value parameter specifies the number of retry attempts to be performed by SBR Carrier when attempting to connect to the authGateway instance through the GWrelay application. Default value is 3.
The DELAY_BETWEEN_RETRIES line is optional. The delay_time parameter specifies the number of seconds SBR Carrier must wait between retry attempts. Default value is 3 seconds.
The DEBUG line is optional. When present, it enables debug messages to be emitted on the Signalware console device. Enabling debug messages degrades the performance and should be avoided in production environments.
The LOG_FILE line is optional. When present it enables diagnostic messages, including debug messages if enabled, to be written to the log file that is specified by the required file-name parameter. The file-name parameter should specify an absolute path-name for the log file.
For more information, see the SBR Carrier Installation Guide.
Configuring the GWrelay.conf File
Configuring the GWrelay.conf File
The GWrelay.conf file is used to define the source and destination ports through which an SCTP connection is established between the GWrelay application and authGateway instances.
The GWrelay.conf file contains lines of the following form (the angle brackets <> indicate required parameters and should not be included in the actual configuration):
LOCAL_HOST <host-name>: <portA>
REMOTE_HOST <host-name>:<porta><ip-address>
LOCAL_HOST <host-name>: <portB>
REMOTE_HOST <host-name>:<portb><ip-address>
...
LOCAL_HOST <host-name>: <portZ>
REMOTE_HOST <host-name>:<portz><ip-address>
RELAY_SERVER <host-name>: <port>
NumberofRetries <retry_value>
DelayBetweenRetries
<delay_time>
LogLevel <level>
LogPath
<file-path>
LogSize <file-size>
The LOCAL_HOST line is required. The required host-name parameter specifies the name of the local host on which the GWrelay process is executing. The required port parameter specifies the outbound socket port number that is used by the GWrelay application to listen for responses from the authGateway instances.
The REMOTE_HOST line is required. The required host-name parameter specifies the name of the host on which the authGateway process is executing. The host-name parameter value must match the value set in the -host option in the MML CREATE-PROCESS statement that is used to start the authGateway process. The host-name parameter value should also match the value in the LOCAL_HOST line, that is, the authGateway process is intended to execute on the same host as SBR Carrier. The required port parameter specifies the inbound socket port number that is used by the authGateway instances to listen for messages from the GWrelay application. The port parameter value must match the value set in the -port option in the MML CREATE-PROCESS statement. The required ip-address parameter specifies the IP address corresponding to the host-name parameter.
RELAY_SERVER line is required. The required host-name parameter specifies the name of the local host on which the GWrelay process is executing. The required port parameter specifies the inbound socket port number that is used by the GWrelay application to listen for messages from SBR Carrier.
The NumberofRetries is optional. The retry_value parameter specifies the number of retry attempts to be performed by the SCTP socket when attempting to connect to the authGateway instance. Default value is 3.
The DelayBetweenRetries line is optional. The delay_time parameter specifies the number of seconds the SCTP socket must wait between retry attempts. Default value is 2 seconds.
The LogLevel line is optional. The level parameter activates logging for the GWrelay process and sets the level of details of the message. If the level parameter is set to 0, the entries in the GWrelay log file contain default information. If this parameter is set to 1, the entries in the GWrelay log file contain debug information. Default value is 0.
The LogPath line is optional. The file-path parameter specifies the path of the GWrelay log file. You can specify any valid path that exists in the SBR machine. Default path is /opt/JNPRsbr/radius.
The LogSize line is optional. The file-size parameter specifies the rollover size limit (in bytes) for the GWrelay log file. After the file size exceeds this limit, the current log file is closed and a new one is created. Default value is 2,147,483,647 bytes.
For more information, see the SBR Carrier Installation Guide.
Starting and Stopping the GWrelay Process
Starting and Stopping the GWrelay Process
You can use the sbrd script to start, stop, or restart the GWrelay process. All sbrd commands can be executed only by the root user. The syntax for the sbrd usage is:
sbrd <start|stop|restart> <GWrelay> [force] sbrd <status> <GWrelay>
You can use the start, stop, and restart arguments with the GWrelay option to start, stop, and restart the GWrelay process. The status argument displays information about the status of the GWrelay process. The force argument makes sbrd attempt to disregard or overcome any errors that occur when processing the command. The sbrd script halts if any error occurs, when executed without the force argument. For example, the sbrd start command does not attempt to start the software that is already running, but the sbrd start force command ignores a running process. This may produce unintended results, so use the force argument with great care.
The GWrelay application gets terminated automatically when all the configured authGateway instances are down. So, you must manually start the GWrelay application when the authGateway instances are restarted.
If you have set the GWRELAYENABLE parameter in the sbrd.conf file to 1 or answered Yes to the question Do you want to enable "GWrelay" Process? [n]: while running the SBR Carrier configuration script, then the GWrelay process will be started, stopped, or restarted when you execute the ./sbrd start, ./sbrd stop, or ./sbrd restart script respectively.
Configuring the authGateway.conf File
Configuring the authGateway.conf File
The authGateway.conf file configures the following authGateway options:
Remote routing options control how the remote HLR is addressed based on the incoming IMSI.
Authorization options control whether or not a subscriber requesting an account is authorized for WLAN access, and which Steel-Belted Radius Carrier profile or native user is used.
The FetchMSISDNRoutingInfoLCS parameter specifies the type of message that is used to request MSISDN information from an HLR or HSS, and the CamelSupportedPhases parameter specifies which CAMEL phase services are supported in the network.
Common configurations of the authGateway process.
Process-specific options specify settings related to the authGateway process.
[Routing-Configuration] Section
[Routing-Configuration] Section
Each line in the authGateway.conf file represents a target HLR, where each HLR has its own routing options and authorization options. Indicate each HLR listed in this file with the initial digits of the subscriber password, specified by the odigits option.
Table 185 lists the remote routing options for the authGateway.conf file.
Table 185: authGateway.conf [Routing-Configuration] Syntax
Option | Purpose |
---|---|
bs | Bearer Service. See Authorization Options. |
msisdn | The msisdn option can be used in place of ndigits and odigits when no translation is required. See Example 2—authGateway.conf file [Routing-Configuration] Section. |
ndigits | Replacement digits for numbering plan translation (hybrid IMSI). |
odb | Operator-Determined Barring. See Authorization Options. |
odigits | Initial digits of IMSI or password for this HLR. For each request, the first digits of the IMSI are compared with odigits. The first line of the configuration file that matches is selected for the current request. If the routing indicator (rri) is 0 (Global Title), the leading digits are replaced with the new digits (ndigits) to perform the numbering plan translation. Example of direct replacement: If the rule is “odigits 12345 ndigits 98765” and the IMSI is 123456789012345, the resulting digits are 987656789012345. Example of wildcard replacement: If the rule is “odigits 12345* ndigits 98765” and the IMSI is 123456789012345, the resulting digits are 98765. |
rgti | (Global Title only) GTI value. 4 for C7; 2 for A7. (Usually 4.) |
rnai | (Global Title only) Nature of Address Indicator. |
rnp | (Global Title only) Numbering Plan. Acceptable values are: 1—ISDN/Telephony 3—DATA 4—TELEX 5—Maritime Mobile 6—Land/Mobile 7—ISDN/Mobile 10—British Telecom special 1 11—British Telecom special 2 14—Private Network |
rpc | Remote Point Code. Point Code of HLR or MSC. |
rri | Routing indicator - 0 for GT (Global Title), 1 for PC/SSN (Point Code/Subsystem Number). |
rssn | Subsystem Number of HLR. |
rtt | (Global Title only) Translation Type (usually 0). |
ts | Teleservice. See Authorization Options. |
Authorization Options
The HLR database includes authorization information that is assigned to each subscriber. Three authorization designations are relevant to Steel-Belted Radius Carrier with the SIMauthentication module:
BS (Bearer Service)
TS (Teleservice)
ODB (Operator-Determined Barring)
You can specify subscriber HLR authorization (and barred service) designations in the MAP Gateway authGateway.conf file.
You can disable authorization completely from EAP-SIM (not fetch subscriber profile information from the HLR and not perform a SQL/LDAP query). For instructions about disabling authorization, see “Disabling Authorization from EAP-SIM” in the section on Configuring the gsmmap.gen File for the SIM Authentication Module, in the SBR Carrier Reference Guide.
Each line in the authGateway.conf file corresponds to an HLR in your network. Each line also specifies all potential authorization (and barred service) settings for any subscribers on this HLR.
Steel-Belted Radius Carrier with the SIM authentication module uses the service authorization information that you list for each HLR in authGateway.conf:
When a TS or BS designation is assigned to a subscriber entry in the HLR database, Steel-Belted Radius Carrier with the SIM authentication module allows the subscriber the designated class of WLAN service upon authorization request.
When an ODB designation is assigned to a subscriber, Steel-Belted Radius Carrier with the SIM authentication module denies the subscriber WLAN service upon authorization request.
When you do not specify service designations for a HLR listed in authGateway.conf, then all subscribers on that HLR are authorized for WLAN service.
You can specify up to six authorization strings of each type (TS, BS, or ODB) on any given line of authGateway.conf.
You can specify the service designations in authGateway.conf:
bs n1:auth1
ts n2:auth2
odb n3:auth3
Here, ni (i=1,2,3) is a decimal integer that specifies the setting, and authi (i=1,2,3) is the string returned from the MAP Gateway to Steel-Belted Radius Carrier with the SIM authentication module.
For example, you might specify the potential subscriber designations on one HLR with the following text in authGateway.conf:
bs 26:B1A ts 33:TS21 odb 128:bar
If you require any HLR authorization strings to define different classes of service for your subscribers, you must also specify those TS, BS, and ODB authorization strings in certain files associated with the SIM authentication module. For information about how to match these strings to Steel-Belted Radius Carrier variables, see the “simauth.aut [ProfileMap] Section” of Configuring EAP-SIM and EAP-AKA for the SIM Authentication Module in the SBR Carrier Reference Guide.
Example 1—authGateway.conf file [Routing-Configuration] Section
(Lines are wrapped.)
odigits 2310 ndigits 2324 rnai 4 rnp 7 rgti 4 rtt 0 rri 0 rpc 3003 rssn 251 bs 12:gold bs 23:silver ts 91:bronze ts 92:red ts 93:green odb 1:black aqua
odigits 31026 ndigits 32476 rnai 4 rnp 7 rgti 4 rtt 0 rri 1 rpc 3003 rssn 253 bs 23:morning bs 24:afternoon ts 1:night
Example 2—authGateway.conf file [Routing-Configuration] Section
In this global title example, odigits and ndigits are the same and do not require translation. You can use the msisdn option in place of ndigits and odigits when no translation is required.
(Lines are wrapped.)
msisdn 31026 rnai 4 rnp 7 rgti 4 rtt 0 rri 0 rpc 3003 rssn 251 bs 12:gold bs 23:silver ts 91:bronze ts 92:red ts 93:green odb 1:black aqua
[Supported-MAP-Messages] Section
[Supported-MAP-Messages] Section
The [Supported-MAP-Messages] section (Table 186) of the authGateway.conf file specifies the method of fetching MSISDN and which CAMEL phase services are supported in the network.
Table 186: authGateway.conf [Supported-MAP-Messages] Syntax
Parameter | Description |
---|---|
FetchMSISDNRoutingInfoLCS | Specifies the type of message that is used to fetch MSISDN information from an HLR or HSS. MSISDN information is usually fetched from an HLR through the d interface using the RestoreData message. Setting the FetchMSISDNRoutingInfoLCS parameter to 0 configures the authGateway process to interact with the HLR through the RestoreData message. The default SSN configured when the authGateway process starts is used as the originating SSN in the RestoreData message. MSISDN information is usually fetched from an HLR or HSS through the SLh or Lh interface using the SendRoutingInfoForLCS message. Setting the FetchMSISDNRoutingInfoLCS parameter to 1 configures the authGateway process to interact with the HLR or HSS through the SendRoutingInfoForLCS message. Because SBR Carrier acts as a GMLC in this case, the GMLC SSN (i.e. 145) is used as the originating SSN. By default, this parameter is set to 0. |
CamelSupportedPhases | Specifies which CAMEL phase services are supported in the network.
By default, this parameter is set to 0. |
[Common-AGW-Configurations] Section
[Common-AGW-Configurations] Section
The [Common-AGW-Configurations] section (Table 187) of the authGateway.conf file specifies common configurations for the authGateway process.
Table 187: authGateway.conf [Common-AGW-Configurations] Syntax
Option | Description |
---|---|
appctx | Specifies the MAP protocol revision (2 or 3). Only MAPv3 retrieves quintets, so it must be used to support EAP-AKA. Default value is 2. |
connretry | Specifies the number of connection attempts. Default value is 10. |
conntimeout | Specifies the connection timeout in minutes. Default value is 0 minute. |
host | Specifies the local hostname. You must use the hostname associated with the IP address that the authGateway listen on. Also, you must ensure that the entry is coordinated with the radius/GWrelay.conf file (if authGateway is running as multiple instances) and radius/conf/ulcmmg.conf (if authGateway is running as a single instance) files. If a hostname is not specified, 0.0.0.0 is used. |
invkretry | Specifies the number of invoke retries. Default value is 1. |
invktimeout | Specifies the duration of invoke timeout in seconds. Default value is 30 seconds. |
lgti | (Global Title only) Specifies the local GTI value, usually 4 for C7 and 2 for A7. Default value is 4. |
lmsisdn | (Global Title only) Specifies the MSISDN value of the local node. Default value is 0. |
lnai | (Global Title only) Specifies the scope of the address value, such as whether it is an international number (includes country code) or a national number (no country code).
Default value is 4. |
lnp | (Global Title only) Specifies the local numbering plan. Acceptable values are:
Default value is 1. |
lpc | Specifies the Local Point Code (PC). Default value is 0. |
lri | Specifies the routing indicator used to address messages to the local node.
Default value is 1. |
ltt | (Global Title only) Specifies local translation type. Default value is 0. |
max_requests | Specifies the maximum number of concurrent requests that can be handled by the authGateway process. Default value is 1000. |
monitor | Activates the message activity monitor. |
no_rst | Disables automatic restart of the authGateway process. |
node | Specifies the node name. |
[Process<name>] Section
[Process<name>] Section
The [Process<name>] section (Table 188) of the authGateway.conf file contains the parameters that control authGateway process specific behavior.
Table 188: authGateway.conf [Process<name>] Syntax
Option | Description |
---|---|
debug | Specifies a debug level. Default value is 0. Note: This parameter is reloaded whenever SBR Carrier receives a SIGHUP (1) signal. |
lssn | Specifies the local subsystem number. Default value is 7. |
port | Specifies the port number used by the SCTP association with the client. |
prot | Specifies the variant used (C7, A7, or CH7). |
trace | Enables debug tracing and displays the trace information about the console. (Consists of a trace of all MAP messages that are formatted and sent down the stack.) Note: We recommend setting this parameter to 0. Note: This parameter is reloaded whenever SBR Carrier receives a SIGHUP (1) signal. |
tracefile | Captures the trace information to a file. The filename follows the -tracefile switch. Include the directory in the filename. Note: This parameter is reloaded whenever SBR Carrier receives a SIGHUP (1) signal. |
Example
If you are using two authGateway processes—for example, GMT1 and GMT2, then two sections [ProcessGMT1] and [ProcessGMT2] must be added to the authGateway.conf file for the authGateway processes to startup. The following example explains this configuration:
[ProcessGMT1] #Remote port specified in ulcmmg.conf #Port number used by the SCTP association with the client port=2003 #Variant used (C7, A7 or CH7) prot=C7 #Enables Signalware library debug logging. Sets a debug level. debug=1 #This enables debug tracing and displays the trace information about the console. #Consists of a trace of all MAP messages that are formatted and sent down the stack. #Use the tracefile option to capture the trace information to a file trace=1 #Captures the trace information to a file. The filename follows the tracefile #switch. Include the directory in the filename tracefile=/opt/JNPRsbr/radius/conf/Trace1.out [ProcessGMT2] #Remote port specified in ulcmmg.conf #Port number used by the SCTP association with the client port=2005 #Variant used (C7, A7 or CH7) prot=C7 #Enables Signalware library debug logging. Sets a debug level. debug=1 #This enables debug tracing and displays the trace information about the console. #Consists of a trace of all MAP messages that are formatted and sent down the stack. #Use the tracefile option to capture the trace information to a file trace=1 #Captures the trace information to a file. The filename follows the tracefile #switch. Include the directory in the filename tracefile=/opt/JNPRsbr/radius/conf/Trace2.out
Configuring the authGateway Startup with MML Commands
Configuring the authGateway Startup with MML Commands
The CREATE-PROCESS and START-PROCESS MML commands start the authGateway (by calling authGatway.conf), using options that you specify.
Table 189 describes the MML commands needed to configure and start authGateway.
Table 189: MML Commands for Configuring the Start of authGateway
MML Command | Description |
---|---|
CREATE-PROCESS | Identify the authGateway configuration file and the authGateway options. |
START-PROCESS | Start the process. |
For more information about the syntax and usage of the MML commands, see Signalware MML Commands. See SBR Carrier Installation Guide for information about executing the MML commands.
Table 190 lists the mandatory MML options to be used with the CREATE-PROCESS command.
Table 190: authGateway Process Options Used with CREATE-PROCESS
Option | Description |
---|---|
conf | Path and name of the authGateway configuration file. The default file is $RADIUSDIR/conf/authGateway.conf. |
name | Name of the authGateway process. |
The MML options listed in Table 191 are still supported for backward compatibility.
Starting from SBR Carrier 8.4.0 release, the authGateway.conf file configuration takes precedence over any existing MML CREATE-PROCESS options. While upgrading to SBR Carrier Release 8.4.0, the authGateway.conf file will be imported from older versions of SBR Carrier. If there is no specified configuration present in the imported authGateway.conf file, SBR Carrier uses the existing MML configurations. If no MML configurations are present, the authGateway.conf defaults are used. If any mandatory parameters (port, host, and node) are missing, then error messages are logged.
Table 191: authGateway Process Options Supported for Backward-Compatibility
Option | Description |
---|---|
appctx | MAP protocol revision (2 or 3). Only MAPv3 retrieves quintets, so it must used to support EAP-AKA. |
debug | Sets a debug level. Use the following: -debug 0xff |
host | Local hostname. Use the hostname associated with the IP address that the authGateway listen on, and ensure that the entry is coordinated with the radius/GWrelay.conf file. If a hostname is not specified, 0.0.0.0 is used. |
invkretry | Number of invoke retry. |
invktimeout | Duration of invoke timeout in seconds. |
lgti | (Global Title only) Local GTI value, usually 4 for C7 and 2 for A7. |
lmsisdn | (Global Title only) MSISDN of this local node. |
lnai | (GT only) Nature of Address Indicator. Indicates the scope of the address value, such as whether it is an international number (includes country code) or a national number (no country code). 1 Subscriber Number—no area code (example: 5551234 2 unused 3 National Significant Number—no country code (example: 2015551234) 4 International Number—includes country code (example: 12015551234) |
lnp | (Global Title only) Local Numbering Plan. Acceptable values are: 1—ISDN/Telephony 3—DATA 4—TELEX 5—Maritime Mobile 6—Land/Mobile 7—ISDN/Mobile 10—British Telecom special 1 11—British Telecom special 2 14—Private Network |
lpc | Local Point Code (PC). |
lri | Routing indicator - 0 for GT (Global Title), 1 for PC/SSN. |
lssn | Local Subsystem Number (SSN) (required). |
ltt | (Global Title only) Local Translation Type. Generally in a live network TT is always 0. |
max_requests | The maximum number of simultaneous MAP dialogs. |
monitor | Activates Message Activity Monitor. |
no rst | Disables automatic restart of process. |
node | Node name. |
port | Port number used by the SCTP association with the client. |
prot | Variant used (C7, A7, or CH7). |
rssn | Subsystem number of HLR. |
trace | We recommend setting this to 0xff; this enables debug tracing and displays the trace information about the console. (Consists of a trace of all MAP messages that are formatted and sent down the stack.) Use the tracefile option to capture the trace information to a file. |
tracefile | Captures the trace information to a file. The filename follows the -tracefile switch. Include the directory in the filename. |
Example—Creating and Starting the authGateway Process
Example—Creating and Starting the authGateway Process
We recommend that you specify an absolute (full) path in the EXEC command. The following configuration example explains how to create and start three authGateway instances:
(Lines are wrapped.)
CREATE-PROCESS:NAME="GMT", CE="sbr-lnx-perf", EXEC="/opt/JNPRsbr/radius/authGateway -name GMT -conf /opt/JNPRsbr/radius/conf/authGateway.conf -port 2003" START-PROCESS:NAME="GMT",CE="sbr-lnx-perf"; CREATE-PROCESS:NAME="GMT1", CE="sbr-lnx-perf", EXEC="/opt/JNPRsbr/radius/authGateway -name GMT1 -conf /opt/JNPRsbr/radius/conf/authGateway.conf -port 2005" START-PROCESS:NAME="GMT1",CE="sbr-lnx-perf"; CREATE-PROCESS:NAME="GMT2", CE="sbr-lnx-perf", EXEC="/opt/JNPRsbr/radius/authGateway -name GMT2 -conf /opt/JNPRsbr/radius/conf/authGateway.conf -port 2007" START-PROCESS:NAME="GMT2",CE="sbr-lnx-perf";
MML commands are saved in MML files that can be loaded into Signalware. See the SBR Carrier Installation Guide for more information.