Describes the settings and valid values of the Steel-Belted Radius Carrier configuration files.
Steel-Belted Radius Carrier Reference Guide
Provides tips, use cases, and tools you need to:
• Improve SBRC performance through planning, analysis, and configuration
• Increase SBRC throughput and reliability
• Analyze specific use cases, in the lab or in the production environment, to identify areas of potential performance enhancement and to limit the impact of resource constraints and failure scenarios
Steel-Belted Radius Carrier Performance, Planning, and Tuning Guide
Contains the latest information about features, changes, known problems, and resolved problems in Release 7.6.0.
Steel-Belted Radius Carrier Release Notes
NOTE: If the information in the Release Notes differs from the information in any guide, follow the Release Notes.
You can find these release notes in Adobe Acrobat (PDF) format on the Juniper Networks
Technical Publications Web page, which is located at:
The SBR Carrier software supports Geo-redundancy, which allows you to replicate certain
fields of the Current Sessions Table (CST) across nodes of two remote Session State
Register (SSR) clusters located in different geographical locations. Geo-redundancy
provides a consolidated session store. That is, you can access data from all sessions in
geographically diverse systems from a single database at any time.
Geo-redundancy also provides a disaster-recovery functionality that helps you to recover
data in case of a disaster or disruption in one of the geographical locations. With this
feature, you can restrict the amount of information replicated between the SSRs by
configuring only the selected fields of CST, thereby reducing the usage of disk space.
Information is replicated between nodes of two remote SSR clusters asynchronously so
that the performance of the SBR Carrier is minimally affected.
With Geo-redundancy, you can increase or decrease the bandwidth of data consumption
between clusters by replicating user-accounting information between clusters.
Geo-redundancy supports replication of session information from multiple standalone
SBRs to a single SSR cluster. This feature also supports cross-endian cluster-to-cluster
replication so that data replication between Linux-based SSR and Solaris-based SSR is
possible.
You can configure the Geo-redundancy feature by using the parameters in the
georedSess.ses initialization file.
For more information about the Geo-redundancy feature, see the SBR Carrier
Administration and Configuration Guide and SBR Carrier Reference Guide.
Separate Session Database Process
In the standalone version of SBR, the CST is hosted as a separate executable process,
called the separate session database process, instead of being hosted as a shared library
within the SBR core RADIUS process. The separate session database process is
implemented as a 64-bit process, which enables many more sessions to be hosted than
the 32-bit RADIUS process.
Hosting the CST as a separate session database process:
• Enhances the stability of the SBR core
• Prevents the SBRC server from crashing due to unexpected failures in the CST
• Increases the capability of handling several concurrent sessions in the CST
• Reduces the delay in SBR restart caused by the restoration of persistent sessions from
the radads.hst file
You can enable the separate session database process by using the new parameters
that are added to the sbrd.conf and radius.ini files. The separate session database and SBR core RADIUS processes can be further controlled by using the newly introduced
The separate session database process provides a high availability (HA) functionality
during idle and pending transactions. The separate session database process starts its
processing before starting the RADIUS process. If the separate session database process
is not started due to an error, the RADIUS process starts its normal processing and persists
the SSR in local mode when the FallbackLocal policy is applied.
NOTE: Hosting CST as a separate process in a standalone SBR is supported only on the 64-bit Linux platform.
For more information about the separate session database process, see the SBR Carrier
Administration and Configuration Guide and SBR Carrier Reference Guide.
Transaction-Based Licensing
To enable customers to transition smoothly to transaction-based licensing, Steel-Belted
Radius Carrier does not currently enforce rate limits. Steel-Belted Radius Carrier
generates SNMP traps and stores warning messages in the log file when the rate limit
of transactions per second (TPS) is exceeded in order to help customers become aware
of and comply with the licensing requirements. Rate limits may be enforced in future
releases as well as patches for Steel-Belted Radius Carrier 7.6.0 and earlier.
For more information about transaction-based licensing, see the SBR Carrier Administration
and Configuration Guide.
All VSAs in a Single Juniper Networks Client Dictionary
Steel-Belted Radius Carrier 7.6.0 delivers a single Juniper Networks client dictionary,
juniper.dct, instead of providing separate dictionaries for each application. The juniper.dct file lists all vendor-specific attributes (VSAs) that are used for fixed and mobile subscriber
management (ERX Series and MX Series router families, with enterprise ID 4874) and
router administration (enterprise ID 2636). The VSAs are updated based on attributes
in the unisphere.dct file of Junos OS 13.1.
For more information about the Juniper Networks client dictionary, see the SBR Carrier
Administration and Configuration Guide.
Additional RADIUS Status Information
The sbrd status command displays additional information about the RADIUS process
along with existing information such as the SBR package version, SBR process status,
and SBR process ID. The additional information that is displayed is:
This command also displays the separate session database process ID, if you have
enabled the separate session database process in your system.
For more information about the RADIUS status information, see the SBR Carrier Installation
Guide.
Challenge Timeout Field on the Advanced Server Settings Tab
Steel-Belted Radius Carrier 7.6.0 allows you to configure the challenge timeout value
for TLS authentication, TLS EAP helper, and TTLS authentication methods through the
SBR Administrator. A Challenge Timeout field is newly added to the Advanced Server Settings tab of the Edit TLS Authentication Method, Edit TLS EAP Helper Method, and
Edit TTLS Authentication Method dialog boxes. You can enter the timeout value (in
seconds) in this field for a particular challenge request.
For more information about the challenge timeout value configuration, see the SBR Carrier
Administration and Configuration Guide.
Enhancement to the Reject Reason Code
In the [Attributes] section of the authReportReject.ini file, the purpose of the AUTH_ERR_044 reject reason code is extended to also indicate a mismatch between
the username in the authentication request and the username configured in the regular
expression.
If the username in the authentication request does not match the configured username
in the regular expression, the SBR Carrier rejects the authentication request and displays
the AUTH_ERR_044 code in the authentication rejection report with the following
message: “Rejecting request username not matching regular exp.”
For more information about reject reason codes, see the SBR Carrier Reference Guide.
Virtualization Support
Steel-Belted Radius Carrier supports virtualization on a Red Hat virtual machine.
System Requirements
For complete details about the hardware and software requirements for running a
standalone Steel-Belted Radius Carrier server or the optional SBR Carrier Session State
Register (SSR), see “Meeting System Requirements” in the Steel-Belted Radius Carrier
Installation Guide.
Software
The Steel-Belted Radius Carrier server runs on both Oracle Solaris 10 and 11 and Red Hat
These issues have been identified in Steel-Belted Radius Carrier 7.6.0. The identifier in
parentheses is the Problem Report number in our bug database.
COA/DM
• Enabling the “COA” action event using the SBR Administrator by modifying deviceModels.xml may result in an error. If you customize COA or DM by modifying
the deviceModels.xml file, it is recommended that you obtain assistance from JTAC
to verify your configuration. Errors in deviceModels.xml—for example, missing,
misplaced, or misconfigured XML elements or referencing RADIUS attributes that are
not defined in the dictionaries, or both—could lead to undefined behavior ranging from
preventing the server from starting to invalid errors while using the SBR Administrator
to invoke COA or DM actions. Be sure to restart the server as well as the SBR
Administrator whenever deviceModels.xml or dictionary, or both files are modified. (PR
420928)
• When using JavaScript to perform Dynamic Authorization (COA/DM), the script may fail with the message "no NAS-IP-Address or NAS-IPv6-Address attribute found in transaction". Workaround is to add the NAS-Identifier and Acct-Session-Id parameters
manually. (PR 905584)
Filters
• Changing a rule in the SBR Administrator with Filter>Edit Rule from Exclude or Add to Replace has no effect. Instead of changing the rule type, delete the attribute and then add a new attribute with the correct Replace type. (PR 298086)
• A filter with an index that is configured to replace a parent attribute with multiple instances of a single subattribute does not work correctly. To avoid this, set up the configuration so that it uses multiple separate attributes that each contain the same
subattribute. (PR 298631)
LDAP Authentication
• Setting the MaxConcurrent setting in the ldapauth configuration file to higher values can cause Steel-Belted Radius Carrier to run out of memory and crash. As a workaround, use smaller values of MaxConcurrent. The recommended maximum value
is 1000. (PR 249953)
• Entering more than 124 characters for a native user results in an erroneous rejection. This problem was introduced in SBR Carrier 7.3.1 and will be resolved in future releases.
(PR 771505)
• In previous versions of SBR Carrier in Solaris, LDAP used the Mozilla libraries for LDAP
communication. When LDAP is used, this requires the Cert7.db and Key3.db files as
the certificate store for trusted root certificates. Starting 7.4.0 Linux and 7.5.0 Solaris,
• When you have a large number of LDAP connections configured, SBRC may take several minutes to shut down, and the SBRD script displays a shutdown failure message in the terminal. (PR 847961)
• LDAP authentication hangs against the attribute directory when the attribute list is empty. (PR 842475)
SBR Administrator
• In SBR HA, the Statistics GUI panel for System - Authentication and Accounting has some inconsistencies with the documentation. The System - Authentication and
Accounting GUI mentions “Retries Sent” but it is documented as “Retries Received.”
Similarly, the System - Accounting GUI mentions “Failed Authentication” instead of
“Failed Accounting.” The document lists “Invalid Client” and “Invalid Shared Secret,”
which are not available in the SBR Administrator. These inconsistencies must be
corrected in both the SBR Administrator as well as in the documentation. (PR 434065)
• In the SBR Administrator, when TLS Secondary Authorization option is disabled, the configuration parameters to use the RADIUS User-Name attribute and Calling-Station-id attribute continue to be available. (PR 728565)
• When you configure a profile in SBR Administrator, the value entered in a checklist can exceed the maximum length for the value that is specified in the dictionary file. This may result in erroneous failed authentications. (PR 306944)
• The “Use different shared secret for accounting” check box remains selected. Configure a client through the SBR Administrator. Select the “Use different shared
secret for accounting” check box. Enter a different shared secret and click OK. Edit the
client and deselect the “Use different shared secret for accounting” check box and
click OK. Edit the client again and you notice that the “Use different shared secret for
accounting” check box remains selected, and the shared secrets for accounting and
authorization are different. To work around this problem, delete the accounting shared
secret before deselecting the check box. (PR 581706)
• int4 attributes with a value greater than 2,147,483,648 are displayed as negative values in the SBR Administrator. This occurs when you create a profile with a reply list containing an int4 attribute whose value is greater than 2,147,483,648. Click Ok
and view the reply list. The attribute displays a negative value. However, an int4 attribute
is an unsigned integer and this works properly through the LDAP configuration interface
(LCI). (PR 581771)
• When you edit attributes of the int1, int2, or int4 type in the SBR Administrator, you are unable to select values to make sure that they are in a valid range. If you set a value that is greater than the maximum range, the attribute is deleted without a warning. There is no workaround. (PR 582099)
• Signed integers are not supported. If you enter a value greater than 2,147,483,648 (either through the SBR Administrator or through the LCI), it appears as a negative
number. (PR 582104)
• If you edit deviceModels.xml and create a duplicate model entry, the SBR Administrator may hang when trying to display the Current Sessions tab. There is
no workaround other than correcting the error and restarting the Administrator. (PR
583037)
• After you rename a client, or delete and then add a client with a different name, you must restart the SBR Administrator for the SCS module to recognize the client. If the SBR Administrator is closed and restarted, then the form to enter the required
attributes works properly. (PR 583077)
• The value of Termination-Action for TLS and TTLS authentication methods and the TLS helper cannot be set correctly through the SBR Administrator. The values must
be set manually by editing tlsauth.aut, ttlsauth.aut, or tlsauth.eap. (PR 583905)
• The SBR Administrator does not allow you to enter an IPv6 address for any check-list or return-list attribute of the ipv6addr type—for example, Login-IPv6-Host. You can use the LCI as a workaround. (PR 6673775)
• The SBR Administrator does not allow you to enter an IPv6 address for RADIUS Client Address or Proxy Target Address. You can use the LCI as a workaround. (PR 610064)
• When you make changes to the “Authentication Policies / Order of Methods” panel or the “Authentication Policies / Reject Messages” panel, the Audit Log does not provide specific information about the actions performed but rather it reads them as “Add/Modify authentication realm 'default'” (PR 249434).
• SBR Administrator is unavailable after you enable SNMP. Sometimes, when you
enable SNMP, you might notice problems with connections on the TCP port 1812.
Workaround is to disable Solaris sma and snmpdx. (PR 776705)
• When you view the IP address pools for a cluster with the SBR Administrator GUI, only the pool names appear and not the IP address range. The SBR Administrator
GUI lists only 0.0.0.0. Workaround is to use the provided scripts to view IP pool
configuration for a cluster. (PR 788982)
• SBR is not accessible when a significant amount of traffic results in approximately 5 million phantom sessions. (PR 810722)
• In the SBR Administrator GUI, access to all details on the Statistics page, certificate details on the Authentication Policies page, and locked account details on the Reports page are blocked. (PR 899270)
• SBR is reset automatically after importing a native user with an oversized return list attribute from an XML file. (PR 896673)
• When you specify a subattribute string with a length of 244 characters, the expected response is not returned. To avoid this situation, edit the string to reduce the number
of characters to fewer than 244. (PR 298055)
• If you enable user concurrency after user sessions have been established, those sessions are not counted toward concurrency limits. (PR 431438)
• If you use multiround (challenge) authentication, the AddFunkClientGroupToRequest feature adds the Funk-Radius-Client-Group attribute-value pair (AVP) to only the first access request. Subsequent challenge responses do not have this attribute added, and, therefore, cannot use this attribute in checklist processing when EAP or other
challenge-based protocols are used. (PR 460109)
• The sbrd stop ssr command does not work on remote nodes. To ensure shutdown of ssr nodes, issue the command on each node. (PR 561992)
• Sessions are not handled correctly when the length of Acct-Session-Id is greater than 24 octets. Update /opt/JNPRhadm/CurrentSessions.sql and
/opt/JNPRhadm/UpdateSchema.pl to 48 or 64 and
SBR/dbcluster/common/scripts/UpdateSchema.pl to permit the argument of “7.2”
and “7.3”. Then in both cases, alter the table to update the length of the field. (PR
719218)
• When you are executing ./configure and ./sbrd, it is sometimes necessary for the software to perform certain operations as the hadm user as opposed to the root user. When you switch between user accounts, the shell may emit messages such as “You have new mail.” These messages are annoying but harmless. As a workaround,
you may create a zero-length file called .hushlogin in the hadm user’s home
directory—for example, execute as hadm: touch /opt/JNPRhadm/.hushlogin. The
.hushlogin file prevents the shell from emitting messages when the hadm user logs in.
(PR 546477)
• When the Oracle server is restarted, the TCP connection in SBR moves to the CLOSE_WAIT state and stays in the same state until the SBR process is restarted. This does not have any service impact, except that the number of stale connections increases in proportion to the number of times the Oracle server is restarted. (PR 813350)
• Profile name and response attributes are not returned by the SQLAUTH plug-in if binding order is not sequential. (PR 861700)
• The User Concurrency table does not display proxy realm names. (PR 857901)
• The Inbound-from-Proxy control point is called after the inbound filters are applied. (PR 889762)
• In the rfc4679.dct file, the names of the Agent-Circuit-Id and Agent-Remote-Id attributes are not defined as mentioned by the RFC 4679. Instead, the names are respectively mentioned as DSL-Agent-Circuit-Id and DSL-Agent-Remote-Id.
• The CreateDB.sh script fails during cluster initialization. While you run the
./CreateDB.sh script if you observe an error as shown in the following example, ensure
that the cluster is fully started, kill the mysqld and mysqld_safe processes manually,
and restart them using “./sbrd start ssr” before attempting to execute the ./CreateDB.sh
script again. (PR 755547)
hadm@sbr-blr-vm1:~> ./CreateDB.sh
Creating database "SteelBeltedRadius" (using ENGINE ndbcluster).
Creating misc tables.
Can't create database "SteelBeltedRadius" (or its tables).
MySQL Error Message: ERROR 157 (HY000) at line 3: Could not connect to storage engine
Cleaning up (destroying fragments of database "SteelBeltedRadius").
hadm@sbr-blr-vm1:~> ./sbrd start ssr
Starting ssr auxiliary processes
hadm@sbr-blr-vm1:~> ./CreateDB.sh
• When several IP pools are configured, the SBR service cannot be stopped using the ./sbrd stop radius command. The workaround is to kill the SBR service by using “force”, “pkill”, or “kill <pid of SBR>” and then execute the MySQL command mysql -D
• The stability of SBR is not guaranteed during a multinode failure of the cluster. Use the watchdog process (radiusd) to mitigate such events. (PR 744690).
SIM Authentication
• The authGateway process must be restarted whenever SBR restarts. This is applicable only on a Linux platform.
Logging
• Binary attributes may be interpreted as null strings and cause subsequent attributes to be dropped. (PR 741942)
• Accounting records are too cryptic in the accounting log. Because Class attributes are presented in hexadecimal format and can be quite long, they are not logged by
default. If desired, they can be added to the log by removing the comment “;” from
“Class=” in the account.ini file. (PR 291646)
• SBRC truncates a line in the accounting log when a nonprintable character is encountered. (PR 898866)
• SBRC logs a generic error when the authGateway application does not respond with triplets or quintets. (PR 868119)
Installation
• When you upgrade SBR 7.2.4 or earlier to 7.6.0, you need a new execution of configure 3 on all M nodes (prior to SBR 7.2.4, all M nodes needed a configure 3 on an upgrade); otherwise, mysqld fails to start. The workaround for this problem is to edit the
/opt/JNPRhadm/my.cnf file to add to the [mysqld_safe] section:
• Proxy spool files may be created even after a proxy realm is disabled and a HUP signal is issued. (PR 901533)
Separate Session Database Process
• When you upgrade the SBR Carrier software from previous releases to the 7.6.0 release, you must convert session store file (radads.hst) to a new format that is compatible with the 7.6.0 release. This conversion delays the SBR startup for the first time after the upgrade. The approximate time taken for converting the 1-GB persistent session store file (radads.hst) to a new format (radadscst.hst) is 8–10 minutes.
• If the size of the persistent session store file is greater than 2 GB, SBR Carrier fails while loading the .hst file during the SBR startup. SBR Carrier fails regardless of the setting of STANDALONEMODE (local or cstserver). If the size of the .hst file exceeds 2 GB (which is possible when the STANDALONEMODE parameter is set to cstserver), you must delete the file before you restart the SBR Carrier. This problem will be addressed in the next release.
Documentation Updates
Information in this section updates the published Steel-Belted Radius Carrier 7.6.0
documentation set. The identifier in parentheses is the Problem Report number in our
• The SBR SDK API call SbrWriteToLog() provides printf() functionality to customer plug-ins with certain vulnerabilities. When using the SbrWriteToLog() function, you must use a format string as the third parameter when logging variable data.
• If you start a management (M or SM) node without running the “configure 2 (create a new cluster definition)” option, as you would in the case of a rolling restart upgrade from Release 7.2.x to Release 7.6.0, you will see multiple warnings such as the following:
WARNING: 2010-11-30 15:25:23 [MgmtSrvr]WARNING -- at line 68: [api]Id is deprecated, use NodeId instead
These warnings can be safely ignored.
To avoid these warnings, make the following change in the /opt/JNPRhadm/config.ini
file:
Change lines that read Id=<number> to NodeId=<number> on each management
node.
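The SbrWriteToLog() rule in the first item above, shown as an added C example that is not Juniper's code or part of the original release notes. demo_write_to_log() is a hypothetical stand-in for a printf-style logging call: the page states only that the format string is the third parameter, so the first two parameters, the in-memory log buffer, and the sample usernames are assumptions constructed for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style plug-in logging call.
 * Assumption: parameters 1 and 2 (context, level) are invented here; only
 * "format string is the third parameter" comes from the release note.
 * The format attribute lets GCC/Clang check every call site. */
static char g_last_log[256];

static int demo_write_to_log(void *ctx, int level, const char *fmt, ...)
#if defined(__GNUC__)
    __attribute__((format(printf, 3, 4)))
#endif
    ;

static int demo_write_to_log(void *ctx, int level, const char *fmt, ...)
{
    va_list ap;
    int n;

    (void)ctx;
    (void)level;
    va_start(ap, fmt);
    n = vsnprintf(g_last_log, sizeof g_last_log, fmt, ap);
    va_end(ap);
    return n;
}

/* Counts printf conversion specifications in a string ("%%" is a literal
 * percent sign and is not counted). Useful in reviews and tests to show how
 * many conversions a value WOULD trigger if it were used as the format. */
static int count_conversions(const char *s)
{
    int count = 0;

    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;            /* skip the second '%' of "%%" */
            continue;
        }
        if (s[1] != '\0')
            count++;
    }
    return count;
}

/*
 * UNSAFE pattern (shown only as a comment, never compiled or run):
 *
 *     demo_write_to_log(ctx, level, user_name);
 *
 * Variable data sits in the format-string position, so every conversion in
 * it is interpreted against arguments that were never passed. Building with
 * -Wformat -Wformat-security reports this call because of the attribute above.
 */

/* SAFE: constant format string in the third position, data as an argument. */
static const char *log_reject_safe(const char *user_name)
{
    demo_write_to_log(NULL, 1, "Rejecting request for user '%s'", user_name);
    return g_last_log;
}

/* SAFE: a message assembled elsewhere is still logged through "%s". */
static const char *log_prebuilt_safe(const char *message)
{
    demo_write_to_log(NULL, 1, "%s", message);
    return g_last_log;
}

int main(void)
{
    /* Constructed sample value, as a RADIUS User-Name might arrive. */
    const char *user_name = "alice%x%x%n";

    printf("conversions in data: %d\n", count_conversions(user_name));
    printf("logged: %s\n", log_reject_safe(user_name));
    printf("logged: %s\n", log_prebuilt_safe("quota 50%s used"));
    return 0;
}
```

Because the data never reaches the format position, the conversions embedded in the sample username are written to the log as literal text.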
Resolved Issues
Release 7.6.0
• The new parameter SendAckOnProxyFailure is added to the RealmName.pro file to check whether the SBRC server sends an accounting acknowledgment to the NAD
when a proxy accounting request is not acknowledged. (PR 872748)
• Handling of response attributes by plug-ins is improved. (PR 886340)
• While running SBRC in Linux, an incorrect warning message is displayed as “sm nodes
require at least 2 GB physical memory” even if your server has enough memory. This
issue has been resolved. (PR 886886)
• The CST failure on exceeding user concurrency login limits when
AuthResponseOnCstFailure=Accept has been resolved. (PR 884402)
• IP addresses are reused unexpectedly within few minutes for several IP pools. This
issue has been resolved. (PR 883576)
• The kinetoUMAAttrHandler.so file fails to load with the error condition “undefined symbol: _ZN11AttrFlatten12AttributeDefINS_17ResponseAttrTraitEEC1ERKSs” whenever
SBR restarts. This issue has been resolved. (PR 882792)
Table 3: RFCs Related to the Steel-Belted Radius Carrier (continued)
RFC Number | Title
RFC 2882 | Network Access Servers Requirements: Extended RADIUS Practices. D. Mitton. July 2000.
RFC 3046 | DHCP Relay Agent Information Option. M. Patrick. January 2001.
RFC 3118 | Authentication for DHCP Messages. R. Droms and others. June 2001.
RFC 3162 | RADIUS and IPv6. B. Aboba, G. Zorn, D. Mitton. August 2001.
RFC 3344 | IP Mobility Support for IPv4. C. Perkins. August 2002.
RFC 3539 | Authentication, Authorization, and Accounting (AAA) Transport Profile. B. Aboba, J. Wood. June 2003.
RFC 3575 | IANA Considerations for RADIUS (Remote Authentication Dial-In User Service). B. Aboba, July 2003.
RFC 3576 | RFC 3576 - Dynamic Authorization Extensions to Remote Authentication Dial In User Service. Network Working Group, 2003
RFC 3579 | RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP). B. Aboba, P. Calhoun, September 2003.
RFC 3580 | IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines. P. Congdon, B. Aboba, A. Smith, G. Zorn, J. Roese, September 2003.
RFC 3748 | Extensible Authentication Protocol. B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, H. Levkowetz. June 2004.
RFC 3957 | Authentication, Authorization, and Accounting (AAA) Registration Keys for Mobile IPv4. C. Perkins and P. Calhoun. March 2005.
RFC 4017 | Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs. D. Stanley and others. March 2005.
RFC 4186 | Extensible Authentication Protocol Method for Global System for Mobile Communications (GSM) Subscriber Identity Modules (EAP-SIM). H. Haverinen, J. Salowey. January 2006.
RFC 4187 | Extensible Authentication Protocol Method for Global System for 3rd Generation Authentication and Key Agreement (EAP-AKA). J. Arkko, H. Haverinen. January 2006.
RFC 4282 | The Network Access Identifier. B. Aboba and others. December 2005.
RFC 4284 | Identity Selection Hints for the Extensible Authentication Protocol (EAP). F. Adrangi, V. Lortz, F. Bari, P. Eronen. January 2006.
RFC 4372 | Chargeable User Identity. F. Adrangi and others. January 2006.
RFC 5281 | Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated Protocol Version 0 (EAP-TTLSv0) P. Funk, S. Blake-Wilson. August 2008.
RFC 5997 | Use of Status-Server Packets in the Remote Authentication Dial In User Service (RADIUS) Protocol A. DeKok. August 2010.
WiMAX Technical Specifications
The WiMAX Forum Networking Group (NWG) maintains a repository of technical
documents and specifications online at http://www.wimaxforum.org. You can also view
the WiMAX IEEE standards, 802.16e-2005 for mobile WiMAX and 802.16-2004 for fixed
WiMAX, online at http://www.ieee.org.
Third-Party Products
For information about configuring your Ulticom software and hardware, or your access
servers and firewalls, consult the manufacturer’s documentation.
General Statement of Compliance
Table 4 on page 20 lists Steel-Belted Radius Carrier Release 7.6.0 compliance with
applicable RFCs.
Table 4: Compliance of Steel-Belted Radius Carrier Release 7.6.0 with Applicable RFCs
RFC Number | Name | Notes
1155 | Structure and Identification of Management Information for TCP/IP-based Internets | —
1213 | Management Information Base for Network Management of TCP/IP-based internets: MIB-II | —
2058 | Remote Authentication Dial In User Service | Obsoleted by RFC 2138
2059 | RADIUS Accounting | Obsoleted by RFC 2139
2107 | Ascend Tunnel Management Protocol | —
2138 | Remote Authentication Dial In User Service | Obsoleted by RFC 2865
2139 | RADIUS Accounting | Obsoleted by RFC 2866
2271 | An Architecture for Describing SNMP Management Frameworks | Obsoleted by RFC 2571
2284 | PPP Extensible Authentication Protocol (EAP) | Updated by RFC 2484
3162 | RADIUS and IPv6 | —
3575 | IANA Considerations for RADIUS (Remote Authentication Dial In User Service) | —
3579 | RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP) | —
3580 | IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines | —
3748 | Extensible Authentication Protocol (EAP) | —
3770 | Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks | —
4014 | Remote Authentication Dial-In User Service (RADIUS) Attributes Suboption for the Dynamic Host Configuration Protocol (DHCP) Relay Agent Information Option | —
4017 | Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs | —
4072 | Diameter Extensible Authentication Protocol (EAP) Application | Not supported
4137 | State Machines for Extensible Authentication Protocol (EAP) Peer and Authenticator | —
4186 | Extensible Authentication Protocol Method for Global System for Mobile Communications (GSM) Subscriber Identity Modules (EAP-SIM) | —
4187 | Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA) | —
4284 | Identity Selection Hints for the Extensible Authentication Protocol (EAP) | —
4334 | Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks (WLAN) | —
4372 | Chargeable User Identity | —
4590 | RADIUS Extension for Digest Authentication | Obsoleted by RFC 5090
4603 | Additional Values for the NAS-Port-Type Attribute | —
— | 3GPP2 X.S0011-D, Version: 1.0, Version Date: February, 2006 | MIPv6 not supported
5281 | Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated Protocol Version 0 (EAP-TTLSv0) P. Funk, S. Blake-Wilson. August 2008. | —
5997 | Use of Status-Server Packets in the Remote Authentication Dial In User Service (RADIUS) Protocol. A. DeKok. August 2010. | —
Table 5 on page 24 lists the protocols supported in Steel-Belted Radius Carrier Release
7.65.0.
Table 5: Protocols Supported in SBR Carrier Release 7.6.0
When you are running SBRC Administrator, you can choose Web > Steel-Belted Radius
Carrier Home Page to access a special home page for Steel-Belted Radius Carrier users.
When you contact technical support, be ready to provide:
• Your Steel-Belted Radius Carrier release number (for example, Steel-Belted Radius
Carrier Release 7.6.0).
• Information about the server configuration and operating system, including any OS
patches that have been applied.
• For licensed products under a current maintenance agreement, your license or support
contract number.
• A detailed description of the problem.
• Any documentation that may help in resolving the problem, such as error messages,
core files, compiler listings, and error or RADIUS log files.
Revision History
August 2013—SBR Carrier Release 7.6.0
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the UnitedStates and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All othertrademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,transfer, or otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that areowned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312,6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
Ulticom, Signalware, Programmable Network, Ultimate Call Control, and Nexworx are registered trademarks of Ulticom, Inc. Kineto andthe Kineto Logo are registered trademarks of KinetoWireless, Inc. Software Advancing Communications and SignalCare are trademarksandservicemarksofUlticom, Inc.CORBA(CommonObjectRequestBrokerArchitecture) is a registered trademarkof theObjectManagementGroup (OMG).Raima,RaimaDatabaseManager andRaimaObjectManager are trademarksofBirdstepTechnology. Sun, SunMicrosystems,the Sun logo, Java, Solaris, and all trademarks and logos that contain Sun, Solaris, or Java are trademarks or registered trademarks of SunMicrosystems, Inc. in the United States and other countries. MySQL and the MySQL logo are registered trademarks of MySQL AB in theUnited States, the European Union, and other countries. All other trademarks, service marks, registered trademarks, or registered servicemarks are the property of their respective owners. All specifications are subject to change without notice.
Contains software copyright 2000–2010 by MySQL AB, distributed under license.
Portions of this software copyright 2003-2009 Lev Walkin <[email protected]> All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Portions of this software copyright 1989, 1991, 1992 by Carnegie Mellon University Derivative Work–1996, 1998–2009 Copyright 1996, 1998–2009. The Regents of the University of California All Rights Reserved. Permission to use, copy, modify and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU and The Regents of the University of California not be used in advertising or publicity pertaining to distribution of the software without specific written permission.
CMU AND THE REGENTS OF THE UNIVERSITY OF CALIFORNIA DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL CMU OR THE REGENTS OF THE UNIVERSITY OF CALIFORNIA BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM THE LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the Networks Associates Technology, Inc nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name of Cambridge Broadband Ltd. may not be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. For a copy of the GNU Lesser General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
Copyright (c) 2000–2009 The Legion Of The Bouncy Castle (http://www.bouncycastle.org)
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Contains software copyright 2000–2013 by Oracle America, Inc., distributed under license.
Steel-Belted Radius uses Thrift, licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License.
You may obtain a copy of the license at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and limitations under the License.
Steel-Belted Radius uses Cyrus SASL under the following license:
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name "Carnegie Mellon University" must not be used to endorse or promote products derived from this software without prior written permission. For permission or any legal details, please contact
Office of Technology Transfer, Carnegie Mellon University, 5000 Forbes Avenue, Pittsburgh, PA 15213-3890, (412) 268-4387, fax: (412) [email protected]
4. Redistributions of any form whatsoever must retain the following acknowledgment:
"This product includes software developed by Computing Services at Carnegie Mellon University (http://www.cmu.edu/computing/)."
CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Steel-Belted Radius uses OpenSSL versions 0.9.8h and 1.0.0-25, which have the following terms:
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ''AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of Brush Technology nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY BRUSH TECHNOLOGY ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BRUSH TECHNOLOGY BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.