Steel-Belted Radius® Carrier Release Notes -

Steel-Belted Radius®Carrier Release

Notes

Release 7.6.0August 2013Revision 2

TheseReleaseNotessupportRelease7.6.0ofSteel-BeltedRadiusCarrier (SBRC).Before

you install or use your new software, read theseReleaseNotes in their entirety, especially

“Known Problems and Limitations” on page 9.

Contents Release Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Before You Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Release Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Geo-Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Separate Session Database Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Transaction-Based Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

All VSAs in a Single Juniper Networks Client Dictionary . . . . . . . . . . . . . . . . . . 5

Additional RADIUS Status Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Challenge Timeout Field on the Advanced Server Settings Tab . . . . . . . . . . . . 6

Enhancement to the Reject Reason Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Virtualization Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Perl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

LDAP Plug-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Supported Browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

External Database Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Signalware and SS7 Interface Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Modified Open-Source Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Migrating from Earlier SBR Carrier Releases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Migrating from Earlier SBR Carrier Standalone Server Products . . . . . . . . . . . 8

Known Problems and Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

COA/DM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

LDAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

SBR Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

1Copyright © 2014, Juniper Networks, Inc.

SBRC Core . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

SSR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

SIM Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Proxy Spooling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Separate Session Database Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Documentation Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Session State Register Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Resolved Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Release 7.6.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Requests for Comments (RFCs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

WiMAX Technical Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Third-Party Products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

General Statement of Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

SBR Carrier Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Revision History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Copyright © 2014, Juniper Networks, Inc.2

Steel-Belted Radius Carrier Release 7.6.0 Release Notes

Release Overview

These release notes cover Release 7.6.0 of the Juniper Networks Steel-Belted Radius

Carrier product.

Before You Start

Before you use your new software, read these Release Notes in their entirety, especially

the section Known Problems and Limitations.

Documentation

Table 1 on page 3 lists and describes the Steel-Belted Radius Carrier documentation

set:

Table 1: Steel-Belted Radius Carrier Documentation

DescriptionDocument

Describes how to install the Steel-Belted Radius Carrier software on the serverand the SBRC Administrator application on a client workstation.

Steel-Belted Radius Carrier Installation Guide

Describes how to configure and operate the Steel-Belted Radius Carrier and itsseparately licensedmodules.

Steel-Belted Radius Carrier Administrationand Configuration Guide

Describes the settings and valid values of the Steel-Belted Radius Carrierconfiguration files.

Steel-Belted Radius Carrier Reference Guide

Provides tips, use cases, and tools you need to:

• Improve SBRC performance through planning, analysis, and configuration

• Increase SBRC throughput and reliability

• Analyze specific use cases, in the lab or in the production environment, toidentify areas of potential performance enhancement and to limit the impactof resource constraints and failure scenarios

Steel-Belted Radius Carrier Performance,Planning, and Tuning Guide

Contains the latest information about features, changes, known problems, andresolved problems in Release 7.6.0.

Steel-Belted Radius Carrier Release Notes

NOTE: If the information in the Release Notes differs from the informationin any guide, follow the Release Notes.

You can find these release notes in AdobeAcrobat (PDF) format on the JuniperNetworks

Technical PublicationsWeb page, which is located at:

http://www.juniper.net/support/products/carrier/carrier/

Release Highlights

Highlights include the following product enhancements:


Release Overview


Geo-Redundancy

TheSBRCarrier software supportsGeo-redundancy,whichallowsyou to replicate certain

fields of the Current Sessions Table (CST) across nodes of two remote Session State

Register (SSR) clusters located in different geographical locations. Geo-redundancy

provides a consolidated session store. That is, you can access data from all sessions in

geographically diverse systems from a single database at any time.

Geo-redundancyalsoprovides adisaster-recovery functionality that helps you to recover

data in case of a disaster or disruption in one of the geographical locations. With this

feature, you can restrict the amount of information replicated between the SSRs by

configuring only the selected fields of CST, thereby reducing the usage of disk space.

Information is replicated between nodes of two remote SSR clusters asynchronously so

that the performance of the SBR Carrier is minimally affected.

WithGeo-redundancy, you can increaseor decrease thebandwidthof data consumption

between clusters by replicating user-accounting information between clusters.

Geo-redundancy supports replication of session information frommultiple standalone

SBRs to a single SSR cluster. This feature also supports cross-endian cluster-to-cluster

replication so that data replication between Linux-based SSR and Solaris-based SSR is

possible.

You can configure the Geo-redundancy feature by using the parameters in the

georedSess.ses initialization file.

For more information about the Geo-redundancy feature, see the SBR Carrier

Administration and Configuration Guide and SBR Carrier Reference Guide.

Separate Session Database Process

In the standalone version of SBR, the CST is hosted as a separate executable process,

called the separate session database process, instead of being hosted as a shared library

within the SBR core RADIUS process. The separate session database process is

implemented as a 64-bit process, which enablesmanymore sessions to be hosted than

the 32-bit RADIUS process.

Hosting the CST as a separate session database process:

• Enhances the stability of the SBR core

• Prevents the SBRC server from crashing due to unexpected failures in the CST

• Increases the capability of handling several concurrent sessions in the CST

• Reduces the delay in SBR restart caused by the restoration of persistent sessions from

the radads.hst file

You can enable the separate session database process by using the new parameters

that are added to the sbrd.conf and radius.ini files. The separate session database andSBR core RADIUS processes can be further controlled by using the newly introduced

dbclusterRPC.genandcstserver.ini files.The inter-processcommunication(IPC)between

the RADIUS process and the separate session database process is performed using the

Apache Thrift software framework.



The separate session database process provides a high availability (HA) functionality

during idle and pending transactions. The separate session database process starts its

processing before starting theRADIUSprocess. If the separate session database process

is not starteddue toanerror, theRADIUSprocess starts its normalprocessingandpersists

the SSR in local mode when the FallbackLocal policy is applied.

NOTE: Hosting CST as a separate process in a standalone SBR is supportedonly on the 64-bit Linux platform.

For more information about the separate session database process, see the SBR Carrier

Administration and Configuration Guide and SBR Carrier Reference Guide.

Transaction-Based Licensing

To enable customers to transition smoothly to transaction-based licensing, Steel-Belted

Radius Carrier does not currently enforces rate limits. Steel-Belted Radius Carrier

generates SNMP traps and stores warning messages in the log file when the rate limit

of transactions per second (TPS) is exceeded in order to help customers become aware

of and comply with the licensing requirements. Rate limits may be enforced in future

releases as well as patches for Steel-Belted Radius Carrier 7.6.0 and earlier.

Formore informationabout transaction-based licensing, see theSBRCarrierAdministration

and Configuration Guide.

All VSAs in a Single Juniper Networks Client Dictionary

Steel-Belted Radius Carrier 7.6.0 delivers a single Juniper Networks client dictionary,

juniper.dct, insteadofproviding separatedictionaries for eachapplication. The juniper.dctfile lists all vendor-specific attributes (VSAs) that areused for fixedandmobile subscriber

management (ERX Series and MX Series router families, with enterprise ID 4874) and

router administration (enterprise ID 2636). The VSAs are updated based on attributes

in the unisphere.dct file of Junos OS 13.1.

For more information about the Juniper Networks client dictionary, see the SBR Carrier

Administration and Configuration Guide.

Additional RADIUS Status Information

The sbrd status command displays additional information about the RADIUS process

along with existing information such as the SBR package version, SBR process status,

and SBR process ID. The additional information that is displayed is:

• Plug-in status with version information

• License status

• IP pool and cache range

• Transaction rate

• Current session count

• Current rate


Release Highlights

• Listening port and proxy address information

• SBR running time

This command also displays the separate session database process ID, if you have

enabled the separate session database process in your system.

Formore informationabout theRADIUSstatus information, see theSBRCarrier Installation

Guide.

Challenge Timeout Field on the Advanced Server Settings Tab

Steel-Belted Radius Carrier 7.6.0 allows you to configure the challenge timeout value

for TLS authentication, TLS EAP helper, and TTLS authentication methods through the

SBR Administrator. A Challenge Timeout field is newly added to the Advanced ServerSettings tab of the Edit TLS Authentication Method, Edit TLS EAP Helper Method, and

Edit TTLS Authentication Method dialog boxes. You can enter the timeout value (in

seconds) in this field for a particular challenge request.

Formore informationabout thechallenge timeout valueconfiguration, see theSBRCarrier

Administration and Configuration Guide.

Enhancement to the Reject Reason Code

In the [Attributes] section of the authReportReject.ini file, the purpose of theAUTH_ERR_044 reject reason code is extended to also indicate amismatch between

the username in the authentication request and the username configured in the regular

expression.

If the username in the authentication request does not match the configured username

in the regular expression, the SBRCarrier rejects the authentication request and displays

the AUTH_ERR_044 code in the authentication rejection report with the following

message: “Rejecting request username not matching regular exp.”

For more information about reject reason codes, see the SBR Carrier Reference Guide.

Virtualization Support

Steel-Belted Radius Carrier supports virtualization on a Red Hat virtual machine.

SystemRequirements

For complete details about the hardware and software requirements for running a

standalone Steel-Belted Radius Carrier server or the optional SBR Carrier Session State

Register (SSR), see “Meeting System Requirements” in the Steel-Belted Radius Carrier

Installation Guide.

Software

The Steel-Belted Radius Carrier server runs on both Oracle Solaris 10 and 11 and Red Hat

Enterprise Linux 6.1 on Intel (Xeon) platforms.



Perl

Steel-Belted Radius Carrier has been tested with Perl 5.8.4 and 5.8.8. Multiple Perl

installations in discrete directories are supported, but attempting to use other versions

of Perl with SBR Carrier may cause problems.

LDAP Plug-in

The LDAP plug-in requires SASL, which is not included with SBR. Youmust ensure that

you have the SASL package installed before starting SBR.

Supported Browsers

The SBR Administrator application can be launched from the browsers listed in

Table 2 on page 7.

Table 2: Supported Browsers

Operating SystemVersionsBrowser

Linux -3223Google Chrome

Windows XP SP38Internet Explorer

Windows 78.0.7602Internet Explorer

Solaris 10/115Mozilla Firefox

Linux X8610Mozilla Firefox

Windows 711Mozilla Firefox

Windows XP SP313Mozilla Firefox

Java Runtime Environment (JRE) 1.4.2 or later is required for all browsers, and is available

from http://www.oracle.com/technetwork/java/index.html.

NOTE: Using theSBRCAdministrator onWindowswithAeroeffects enabledmight removesomeUIelements.Youmustdisable theWindowsAeroeffects.

External Database Requirements

Steel-Belted Radius Carrier supports:

• Oracle database versions 10 and 11; version 11.2.0 is recommended.

• For Steel-Belted Radius Carrier to act as an Oracle native client (only on Solaris), the

Oracle 32–bit client must be set up before installing SBR Carrier because the Oracle

server location is used during installation.

• The JDBCplug-in hasbeen testedwithOracledatabase runningonSolaris andMySQL.


System Requirements

http://www.oracle.com/technetwork/java/index.html

Signalware and SS7 Interface Requirements

To support the optional SS7module, Ulticom’s Signalware 9 with Service Pack 6Vmust

be installed before installing SBR Carrier.

If you want the Steel-Belted Radius Carrier server to communicate with any SS7 legacy

equipment, install theUlticom’sSS7communicationboardandSignalware9withService

Pack 6V before you install the SBR Carrier software.

CAUTION: ServicePack6Vmustbe installed;otherwise,Steel-BeltedRadiusCarrier cannot use the Signalware communications stack.

The Signalware PH0301 and XH0303 boards are supported.

For more information, see the SBR Carrier Installation Guide.

Modified Open-Source Software

Embedded in Steel-Belted Radius Carrier 7.6.0 is an open-source software that Juniper

Networks has modified. Themodified software includes:

• HTTPClient from Innovation GmbH

• sunmd5.c from the OpenSolaris Project

• Spider Monkey 1.6 fromMozilla

• INIH parser from Google Project Hosting

You can obtain the source code for thesemodifications from Juniper Networks Technical

Support. See “Requesting Technical Support” on page 26.

Migrating from Earlier SBR Carrier Releases

SBR Carrier Release 7.6.0 can run as a standalone server or as part of a Session State

Register cluster.

Migrating from Earlier SBR Carrier Standalone Server Products

You can use the configuration script to move a number of files from selected previous

SBR Carrier releases to the Release 7.6.0 environment when installing Steel-Belted

Radius Carrier. The corresponding Release 7.6.0 files are also loaded on the system, but

are not activated. You are responsible for merging new settings from Release 7.6.0

configuration files into the working (preexisting) configuration files. To support new

features, SBRCarrier uses default values for any newsettings that have not beenmerged

into the working configuration files.

For complete details about migrating from the preceding releases, see the SBR Carrier

Installation Guide.



Known Problems and Limitations

These issues have been identified in Steel-Belted Radius Carrier 7.6.0. The identifier in

parentheses is the Problem Report number in our bug database.

COA/DM

• Enabling the “COA” action event using the SBR Administrator bymodifyingdeviceModels.xmlmay result in an error. If you customize COA or DM bymodifying

the deviceModels.xml file, it is recommended that you obtain assistance from JTAC

to verify your configuration. Errors in deviceModels.xml—for example, missing,

misplaced, or misconfigured XML elements or referencing RADIUS attributes that are

not defined in the dictionaries, or both—could lead to undefined behavior ranging from

preventing the server from starting to invalid errors while using the SBR Administrator

to invoke COA or DM actions. Be sure to restart the server as well as the SBR

Administratorwhenever deviceModels.xml or dictionary, or both files aremodified. (PR

420928)

• WhenusingJavaScript toperformDynamicAuthorization(COA/DM), thescriptmayfail with themessage "no NAS-IP-Address or NAS-IPv6-Address attribute found intransaction".Workaround is toadd theNAS-Identifier andAcct-Session-Idparameters

manually. (PR 905584)

Filters

• Changing a rule in the SBR Administrator with Filter>Edit Rule from Exclude or Addto Replace has no effect. Instead of changing the rule type, delete the attribute andthen add a new attribute with the correct Replace type. (PR 298086)

• A filter with an index that is configured to replace a parent attribute withmultipleinstances of a single subattribute does not work correctly. To avoid this, set up theconfiguration so that it uses multiple separate attributes that each contain the same

subattribute. (PR 298631)

LDAP Authentication

• Setting theMaxConcurrentsetting in the ldapauthconfiguration file tohighervaluescan cause Steel-Belted Radius Carrier to run out ofmemory and crash. As aworkaround, use smaller valuesofMaxConcurrent. The recommendedmaximumvalue

is 1000. (PR 249953)

• Enteringmore than 124 characters for a native user results in an erroneous rejection.This problemwas introduced in SBRCarrier 7.3.1 andwill be resolved in future releases.

(PR 771505)

• In previous versions of SBR Carrier in Solaris, LDAP used the Mozilla libraries for LDAP

communication. When LDAP is used, this requires the Cert7.db and Key3.db files as

the certificate store for trusted root certificates. Starting 7.4.0 Linux and 7.5.0 Solaris,

SBRCarrier uses theOpenLDAP libraries toprocess LDAP requests. ForSBR toprocess

LDAPrequests, youmustconfigureOpenLDAPtoaccept theserver certificate.Currently,

this is the only configuration supported and tested by SBR.



• When you have a large number of LDAP connections configured, SBRCmay takeseveral minutes to shut down, and the SBRD script displays a shutdown failuremessage in the terminal. (PR 847961)

• LDAP authentication hangs against the attribute directory when the attribute list isempty. (PR 842475)

SBR Administrator

• In SBRHA, theStatisticsGUI panel for System -Authentication andAccounting hassome inconsistencies with the documentation. The System - Authentication and

Accounting GUI mentions “Retries Sent” but it is documented as “Retries Received.”

Similarly, the System - Accounting GUI mentions “Failed Authentication” instead of

“Failed Accounting.” The document lists “Invalid Client” and “Invalid Shared Secret,”

which are not available in the SBR Administrator. These inconsistencies must be

corrected inboth theSBRAdministrator aswell as in thedocumentation. (PR434065)

• In the SBR Administrator, when TLS Secondary Authorization option is disabled,the configuration parameters to use the RADIUS User-Name attribute andCalling-Station-id attribute continue to be available. (PR 728565)

• When you configure a profile in SBR Administrator, the value entered in a checklistcan exceed themaximum length for the value that is specified in the dictionary file.This may result in erroneous failed authentications. (PR 306944)

• The “Use different shared secret for accounting” check box remains selected.Configure a client through the SBR Administrator. Select the “Use different shared

secret for accounting” check box. Enter a different shared secret and click OK. Edit the

client and deselect the “Use different shared secret for accounting” check box and

click OK. Edit the client again and you notice that the “Use different shared secret for

accounting” check box remains selected, and the shared secrets for accounting and

authorization are different. Towork around this problem, delete the accounting shared

secret before deselecting the check box. (PR 581706)

• int4 attributes with a value greater than 2,147,483,648 are displayed as negativevalues in the SBR Administrator. This occurs when you create a profile with a replylist containing an int4 attribute whose value is greater than 2,147,483,648. Click Ok

andview the reply list. Theattributedisplaysanegative value.However, an int4attribute

is anunsigned integer and thisworksproperly through theLDAPconfiguration interface

(LCI). (PR 581771)

• When you edit attributes of the int1, int2, or int4 type in the SBR Administrator, youare unable to select values tomake sure that they are in a valid range. If you set avalue that is greater than themaximum range, the attribute is deletedwithout awarning. There is no workaround. (PR 582099)

• Signed integers are not supported. If you enter a value greater than 2,147,483,648(either through the SBR Administrator or through the LCI), it appears as a negative

number. (PR 582104)

• If you edit deviceModels.xml and create a duplicatemodel entry, the SBRAdministrator may hangwhen trying to display the Current Sessions tab. There is



no workaround other than correcting the error and restarting the Administrator. (PR

583037)

• After you rename a client, or delete and then add a clientwith a different name, youmust restart the SBR Administrator for the SCSmodule to recognize the client. Ifthe SBR Administrator is closed and restarted, then the form to enter the required

attributes works properly. (PR 583077)

• The value of Termination-Action for TLSandTTLSauthenticationmethods and theTLS helper cannot be set correctly through the SBR Administrator. The values must

be set manually by editing tlsauth.aut, ttlsauth.aut, or tlsauth.eap. (PR 583905)

• TheSBRAdministratordoesnotallowyoutoenteran IPv6address foranycheck-listor return-list attribute of the ipv6addr type—for example, Login-IPv6-Host. You canuse the LCI as a workaround. (PR 6673775)

• The SBR Administrator does not allow you to enter an IPv6 address for RADIUSClient Address or Proxy Target Address. You can use the LCI as a workaround. (PR610064)

• When youmake changes to the “Authentication Policies / Order of Methods” panelor the “Authentication Policies / Reject Messages” panel, the Audit Log does notprovide specific information about the actions performed but rather it reads themas “Add/Modify authentication realm 'default'” (PR 249434).

• SBR Administrator is unavailable after you enable SNMP. Sometimes, when you

enable SNMP, youmight notice problems with connections on the TCP port 1812.

Workaround is to disable Solaris sma and snmpdx. (PR 776705)

• When you view the IP address pools for a cluster with the SBR Administrator GUI,only the pool names appear and not the IP address range. The SBR Administrator

GUI lists only 0.0.0.0. Workaround is to use the provided scripts to view IP pool

configuration for a cluster. (PR 788982)

• SBR is not accessible when a significant amount of traffic results in approximately5million phantom sessions. (PR 810722)

• In the SBRAdministrator GUI, access to all details on the Statistics page, certificatedetails on the Authentication Policies page, and locked account details on theReports page are blocked. (PR 899270)

• SBR is reset automatically after importing a native userwith an oversized return listattribute from an XML file. PR (896673)

• InSolaris 11, theauthenticationofaUNIXuserwiththeSHA-256passwordencryptionis rejected. (PR 851507)

• Configuringahostnamewithaspecial character (suchasanunderscore)asaclusternode fails. (PR 780808)

• The statlog.ini file does not contain the proxy or dropped packet parameter. (PR749790)

• Users with read-only privileges set in admin.ini cannot run a query to find currentactive sessions. (513775)



SBRC Core

• Whenyouspecifyasubattributestringwitha lengthof244characters, theexpectedresponse is not returned. To avoid this situation, edit the string to reduce the number

of characters to fewer than 244. (PR 298055)

• If you enable user concurrency after user sessions have been established, thosesessions are not counted toward concurrency limits. (PR 431438)

• Ifyouusemultiround(challenge)authentication, theAddFunkClientGroupToRequestfeature adds the Funk-Radius-Client-Group attribute-value pair (AVP) to only thefirstaccess request.Subsequent challenge responsesdonothave this attributeadded,and, therefore, cannot use this attribute in checklist processing when EAP or other

challenge-based protocols are used. (PR 460109)

• The sbrd stop ssr command does not work on remote nodes. To ensure shutdownof ssr nodes, issue the command on each node. (PR 561992)

• Sessions are not handled correctly when the length of Acct-Session-Id is greaterthat 24 octets. Update /opt/JNPRhadm/CurrentSessions.sql and

/opt/JNPRhadm/UpdateSchema.pl to 48 or 64 and

SBR/dbcluster/common/scripts/UpdateSchema.pl to permit the argument of “7.2”

and “7.3”. Then in both cases, alter the table to update the length of the field. (PR

719218)

• When you are executing ./configure and ./sbrd, it is sometimes necessary for thesoftware to perform certain operations as the hadm user as opposed to the rootuser. When you switch between user accounts, the shell may emit messages suchas“Youhavenewmail.”Thesemessagesareannoyingbutharmless.Asaworkaround,

youmay create a zero-length file called .hushlogin in the hadm user’s home

directory—for example, execute as hadm: touch /opt/JNPRhadm/.hushlogin. The

.hushlogin file prevents the shell from emittingmessages when the hadm user logs in.

(PR 546477)

• When the Oracle server is restarted, the TCP connection in SBRmoves to theCLOSE_WAIT state and stays in the same state until the SBR process is restarted.This does not have any service impact, except that the number of stale connectionsincreases in proportion to the number of times the Oracle server is restarted. (PR813350)

• Profile name and response attributes are not returned by the SQLAUTH plug-in ifbinding order is not sequential. (PR 861700)

• The User Concurrency table does not display proxy realm names. (PR 857901)

• The Inbound-from-Proxy control point is called after the inbound filters are applied.(PR 889762)

• In the rfc4679.dct file, the names of the Agent-Circuit-Id and Agent-Remote-Idattributes are not defined asmentioned by the RFC 4679. Instead, the names arerespectivelymentioned as DSL-Agent-Circuit-Id and DSL-Agent-Remote-Id.



SSR

• The CreateDB.sh script fails during cluster initialization.While you run the

./CreateDB.sh script if you observe an error as shown in the following example, ensure

that the cluster is fully started, kill the mysqld andmysqld_safe processes manually,

and restart themusing “./sbrd start ssr” beforeattempting toexecute the ./CreateDB.sh

script again. (PR 755547)

hadm@sbr-blr-vm1:~> ./CreateDB.shCreating database "SteelBeltedRadius" (using ENGINE ndbcluster).Creatingmisc tables.Can't create database "SteelBeltedRadius" (or its tables).MySQL Error Message: ERROR 157 (HY000) at line 3: Could not connect to storageengineCleaning up (destroying fragments of database "SteelBeltedRadius").

hadm@sbr-blr-vm1:~> ps -ef|grepmysqldhadm 11603 ... /bin/sh /opt/JNPRmysql/install/bin/mysqld_safehadm11720 ... /opt/JNPRmysql/install/bin/mysqld --basedir=/opt/JNPRmysql/install--datadir=/opt/JNPRmysqld/data--log-error=/opt/JNPRmysqld/mysqld_safe.err--pid-file=/opt/JNPRmysqld/mysqld.pid --socket=/opt/JNPRhadm/.mysql.sock--port=3001

hadm@sbr-blr-vm1:~> kill 11603 11720

hadm@sbr-blr-vm1:~> ./sbrd start ssrStarting ssr auxiliary processes

hadm@sbr-blr-vm1:~> ./CreateDB.sh

• When several IP pools are configured, the SBR service cannot be stopped using the./sbrdstop radiuscommand.Theworkaround is to kill theSBRservicebyusing “force”,“pkill”, or “kill <pid of SBR>” and then execute the MySQL commandmysql -D

SteelBeltedRadius -e 'update Sbr_IpAddrs set cache = 0where cache = <node ID> limit

10000'. (PR 792164)

• The stability of SBR is not guaranteed during amultinode failure of the cluster. Usethe watchdog process (radiusd) to mitigate such events. (PR 744690).

SIM Authentication

• The authGateway processmust be restarted whenever SBR restarts. This isapplicable only on a Linux platform.

Logging

• Binaryattributesmaybe interpretedasnull stringsandcausesubsequentattributesto be dropped. (PR 741942)

• Accounting records are too cryptic in the accounting log. Because Class attributesare presented in hexadecimal format and can be quite long, they are not logged by



default. If desired, they can be added to the log by removing the comment “;” from

“Class=” in the account.ini file. (PR 291646)

• SBRC truncates a line in the accounting log when a nonprintable character isencountered. (PR 898866)

• SBRC logsageneric errorwhen theauthGatewayapplicationdoesnot respondwithtriplets or quintets. (PR 868119)

Installation

• WhenyouupgradeSBR7.2.4orearlier to7.6.0, youneedanewexecutionofconfigure3onallMnodes(prior toSBR7.2.4, allMnodesneededaconfigure3onanupgrade);otherwise, mysqld fails to start. The workaround for this problem is to edit the

/opt/JNPRhadm/my.cnf file to add to the [mysqld_safe] section:

log-error = /opt/JNPRmysqld/mysqld_safe.errpid-file = /opt/JNPRmysqld/mysqld.pid

(PR 695553)

Proxy Spooling

• Proxy spool filesmay be created even after a proxy realm is disabled and a HUPsignal is issued. (PR 901533)

Separate Session Database Process

• When you upgrade the SBR Carrier software from previous releases to the 7.6 .0release, youmust convert session store file (radads.hst) to a new format that iscompatible with the 7.6.0 release. This conversion delays the SBR startup for thefirst time after the upgrade. The approximate time taken for converting the 1-GBpersistent session store file (radads.hst) to a new format (radadscst.hst) is 8–10minutes.

• If the size of the persistent session store file is greater than 2 GB, SBR Carrier failswhile loading the .hst file during the SBR startup. SBRCarrier fails regardless of thesettingofSTANDALONEMODE(local or cstserver). If the size of the .hst file exceeds2GB(which ispossiblewhentheSTANDALONEMODEparameter is set tocstserver),youmust delete the file before you restart the SBR Carrier. This problemwill beaddressed in the next release.

Documentation Updates

Information in this section updates the published Steel-Belted Radius Carrier 7.6.0

documentation set. The identifier in parentheses is the Problem Report number in our

bug database.

Installation

• SBR Carrier documentation requires update to SDK information. (PR 725585)



• The SBR SDK API call SbrWriteToLog() provides printf() functionality to customerplug-ins with certain vulnerabilities. When using SbrWriteToLog() function, youmust use a format string as the third parameter when logging variable data.

void SBRAPI sbrWriteToLog( HMODULE_CONTEXT hModuleContext, uint32 nLogLevel, const char * pszMsg, ... )

(PR 822544)

Session State Register Module

• If you start amanagement (Mor SM) nodewithout running the “configure 2 (createanewclusterdefinition)”option,asyouwould in thecaseofa rolling restartupgradefromRelease 7.2.x to Release 7.6.0, you will seemultiple warnings such as thefollowing:

WARNING: 2010-11-30 15:25:23 [MgmtSrvr]WARNING -- at line 68: [api]Id is deprecated, use NodeId instead

These warnings can be safely ignored.

To avoid these warnings, make the following change in the /opt/JNPRhadm/config.ini

file:

Change lines that read Id=<number> to NodeId=<number> on eachmanagement

node.

Resolved Issues

Release 7.6.0

• The new parameter SendAckOnProxyFailure is added to the RealmName.pro file tocheck whether the SBRC server sends an accounting acknowledgment to the NAD

when a proxy accounting request is not acknowledged. (PR 872748)

• Handling of response attributes by plug-ins is improved. (PR 886340)

• While running SBRC in Linux, an incorrect warning message is displayed as “sm nodes

require at least 2 GB physical memory” even if your server has enoughmemory. This

issue has been resolved. (PR 886886)

• The CST failure on exceeding user concurrency login limits when

AuthResponseOnCstFailure=Accept has been resolved. (PR 884402)

• IP addresses are reused unexpectedly within fewminutes for several IP pools. This

issue has been resolved. (PR 883576)

• The kinetoUMAAttrHandler.so file fails to load with the error condition “undefinedsymbol: _ZN11AttrFlatten12AttributeDefINS_17ResponseAttrTraitEEC1ERKSs”whenever

SBR restarts. This issue has been resolved. (PR 882792)


Resolved Issues

• SBRC displays a ProxySpooler error in the debug log when SBRC processes the first

accounting-request after rebooting. This issue has been resolved. (PR 891794)

• The total authentication transaction counts 2, if you send a single authentication

transaction to SBRwith a clean statlog. This issue has been resolved. (874072).

• The Backup or Restore option on the File menu is enabled or disabled based on the

status of the primary flag instead of replica flag. (PR 873288)

• Transaction ID for the rejections of tunneled authentication is written in the SBR log.

This issue has been resolved. (PR 871142)

• When SBRC is configured to use a proxy as an authentication method, SBRC proxies

the requestbut reloadsafter receiving theproxy response.This issuehasbeen resolved.

(PR 868853)

• The NAS-IP-Address is reversed after the first interim update. This issue has been

resolved. (PR 864878)

• When Proxy-State (attr 33) is received in the control-point plug-in, the data type is

reported as SBR_TYPE_BINARY even if the Proxy-State value is defined as a string in

the radius.dct dictionary file. This issue has been resolved. (PR 863225)

• SBRC is reset while parsing subattributes of an incorrect WiMAX attribute. This issue

has been resolved. (PR 854744)

• SBRC is reloadedwhen the ASNGW-PostSession-Filter parameter in thewimax.ini file

is enabled. This issue has been resolved. (PR 851765)

• The data type in the dictionary file is changed to not add invalid characters at the end

of the SBR accounting log. (PR 851551)

• Amemory leak issue has been resolved. (PR 831101)

• SBRC discarded accounting requests because the session record is not received from

an SSR cluster. This issue has been resolved. (PR 785398)

• The OracleFailoverRetry configuration in radsql.aut, radsql.acc, and radsql.gen files

must be set to a value greater than 0. Setting this value to 0makes the retry attempts

continue indefinitely and prevents SBR from shutting down gracefully, when the target

Oracle servers are down. This issue has been resolved. (PR 805357)

• A JavaScript that logs data containing formatting characters (for example, "%s") or

other hexadecimal data may cause SBR to reset. This issue has been resolved. (PR

833713)

• When the Proxy Fast-Fail mechanism is enabled, the strobe requests are not sentwith

the existing default settings. This issue has been resolved. (PR 834978)

• WhenmanyLDAPconnectionsare configuredandMaxConcurrent is set toahigh value

in ldapauth configuration, SBR can run out of memory and experience delay during

shutdown. This issue has been resolved. (PR 839864)

• If more than 25 Called-Station-IDs are added to a tunnel configuration through SBR

Administrator, all Called-Station-IDsare not shown in theSBRAdministrator. However,

LCI and XML exports show all added Called-Station-IDs. This issue has been resolved.

(PR 840964)



• Theminimum value for Interval-Seconds parameter in the statlog.ini file is 10 seconds

but the outputmay become garbled under extreme loadwhen the interval is less than

60 seconds. This issue has been resolved. (PR 843496)

• When the Final-Response control point plug-in is enabled, the Proxy-State attribute

does not appear in the summary of the authentication response even if the

authentication response packet contains the attribute. This issue has been resolved.

(PR 894314)

• TheSNMPagentdoesnotwrite log fileswhen it is stopped.This issuehasbeen resolved.

See the “Logging Behavior of the SNMP Agent” section in the SBR Carrier Reference

Guide for more information. (PR 469774)

• SBR crashes while receiving an accounting request with an incorrect shared secret.

This issue has been resolved. (PR 902373)

• The Reject Log field in the failed authentication requests report contains garbled

characters during tunnel authentication. This issue has been resolved. (PR 892014)

• The SBR admin GUI can be started fromMozilla Firefox and Google Chrome browsers

even after upgrading the Java version to Java 7 update 21 (JRE version 1.7.0_21-b11). (PR

891236)

• MySQL Cluster 7.2.5 TAR for Solaris 10 SPARC (64 bit) patch is added to protect the

management daemon from crashing while executing certain ndb_mgm commands.

(PR 886951)

• An invalid script code is returned when script execution fails. This issue has been

resolved. (PR 872735)

• Debug and trace logs generated by the authGateway process contain date and

timestamp. (PR 868122)

• Amemory leak issue in SBR Carrier is fixed. (PR 858379)

• An incorrect threadvalue is observed in statlogafter youchange themaximumnumber

of threads in the radius.ini file. This issue has been resolved. (PR 847304)

• The authentication log recorded the Proxy-State attribute in the User-Name field if

the Proxy-State attributewas present in the request. This issue has been resolved. (PR

832407)

• The standalone edition of SBR Carrier 7.31 had crashed during load testing. This issue


• The JDBC accounting plug-in inserts IP addresses with the octets reversed. This issue


Related Documentation

Requests for Comments (RFCs)

The Internet Engineering Task Force (IETF) maintains an online repository of Request

for Comments (RFC)s online at http://www.ietf.org/rfc.html. Table 3 on page 18 lists the

RFCs that apply to Steel-Belted Radius Carrier.



http://www.ietf.org/rfc.html

Table 3: RFCs Related to the Steel-Belted Radius Carrier

TitleRFC Number

Domain Names - Implementation and Specification. P. Mockapetris. November 1987.RFC 1035

Structure and Identification of Management Information for TCP/IP-based Internets.M. Rose, K.McCloghrie, May 1990.

RFC 1155

Management Information Base for Network Management of TCP/IP-based internets: MIB-II. K.McCloghrie, M. Rose, March 1991.

RFC 1213

The Definitions of Managed Objects for IP Mobility Support using SMIv2. D. Cong and others.October 1996.

RFC 2006

The TLS Protocol. T. Dierks, C. Allen. January 1999.RFC 2246

An Architecture for Describing SNMPManagement Frameworks. D. Harrington, R. Presuhn, B.Wijnen, January 1998.

RFC 2271

PPP Extensible Authentication Protocol (EAP). L. Blunk, J. Volbrecht, March 1998.RFC 2284

Microsoft PPP CHAP Extensions. G. Zorn, S. Cobb, October 1998.RFC 2433

Microsoft Vendor-specific RADIUS Attributes. G. Zorn. March 1999.RFC 2548

Proxy Chaining and Policy Implementation in Roaming. B. Aboba, J. Vollbrecht, June 1999.RFC 2607

RADIUS Authentication Client MIB. B. Aboba, G. Zorn. June 1999.RFC 2618

RADIUS Authentication Server MIB. G. Zorn, B. Aboba. June 1999RFC 2619

RADIUS Accounting Client MIB. B. Aboba, G. Zorn. June 1999.RFC 2620

RADIUS Accounting Server MIB. G. Zorn, B. Aboba. June 1999.RFC 2621

PPP EAP TLS Authentication Protocol. B. Aboba, D. Simon, October 1999.RFC 2622

Implementation of L2TP Compulsory Tunneling via RADIUS. B. Aboba, G. Zorn. April 2000.RFC 2809

RemoteAuthenticationDial InUserService (RADIUS).C.Rigney,S.Willens,A.Rubens,W.Simpson.June 2000.

RFC 2865

RADIUS Accounting. C. Rigney. June 2000.RFC 2866

RADIUS Accounting Modifications for Tunnel Protocol Support.G. Zorn, B. Aboba, D. Mitton. June2000.

RFC 2867

RADIUSAttributes for Tunnel Protocol Support.G.Zorn,D. Leifer, A. Rubens, J. Shriver,M.Holdrege,I. Goyret. June 2000.

RFC 2868

RADIUS Extensions. C. Rigney, W.Willats, P. Calhoun. June 2000.RFC 2869



Table 3: RFCs Related to the Steel-Belted Radius Carrier (continued)

TitleRFC Number

Network Access Servers Requirements: Extended RADIUS Practices. D. Mitton. July 2000.RFC 2882

DHCP Relay Agent Information Option.M. Patrick. January 2001.RFC 3046

Authentication for DHCPMessages. R.Droms and others. June 2001.RFC 3118

RADIUS and IPv6. B. Aboba, G. Zorn, D. Mitton. August 2001.RFC 3162

IP Mobility Support for IPv4. C. Perkins. August 2002.RFC 3344

Authentication, Authorization, and Accounting (AAA) Transport Profile. B. Aboba, J. Wood. June2003.

RFC 3539

IANA Considerations for RADIUS (Remote Authentication Dial-In User Service). B. Aboba, July2003.

RFC 3575

RFC3576 - Dynamic Authorization Extensions to Remote to Remote Authentication Dial In UserService. NetworkWorking Group, 2003

RFC 3576

RADIUS (Remote Authentication Dial In User Service) Support For Extensible AuthenticationProtocol (EAP). B. Aboba, P. Calhoun, September 2003.

RFC 3579

IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines. P. Congdon,B. Aboba, A. Smith, G. Zorn, J. Roese, September 2003.

RFC 3580

Extensible Authentication Protocol. B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, H. Levkowetz.June 2004.

RFC 3748

Authentication, Authorization, and Accounting (AAA) Registration Keys for Mobile IPv4. C. Perkinsand P. Calhoun. March 2005.

RFC 3957

Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs. D. Stanleyand others. March 2005.

RFC 4017

Extensible Authentication Protocol Method for Global System for Mobile Communications (GSM)Subscriber Identity Modules (EAP-SIM). H. Haverinen, J. Salowey. January 2006.

RFC 4186

Extensible Authentication Protocol Method for Global System for 3rd Generation Authenticationand Key Agreement (EAP-AKA). J. Arkko, H. Haverinen. January 2006.

RFC 4187

The Network Access Identifier. B. Aboba and others. December 2005.RFC 4282

Identity Selection Hints for the Extensible Authentication Protocol (EAP). F. Adrangi, V. Lortz, F.Bari, P. Eronen. January 2006.

RFC 4284

Chargeable User Identity. F. Adrangi and others. January 2006.RFC 4372

Lightweight Directory Access Protocol (LDAP) Technical Specification Road Map. K. Zeilenga,June 2006.

RFC 4510



Table 3: RFCs Related to the Steel-Belted Radius Carrier (continued)

TitleRFC Number

Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated ProtocolVersion 0 (EAP-TTLSv0) P. Funk, S. Blake-Wilson. August 2008.

RFC 5281

UseofStatus-Server Packets in theRemoteAuthenticationDial InUser Service (RADIUS)ProtocolA. DeKok. August 2010.

RFC 5997

WiMAX Technical Specifications

TheWiMAX Forum Networking Group (NWG)maintains a repository of technical

documents and specifications online at http://www.wimaxforum.org. You can also view

theWiMAX IEEE standards, 802.16e-2005 formobileWiMAX and 802.16-2004 for fixed

WiMAX, online at http://www.ieee.org.

Third-Party Products

For information about configuring your Ulticom software and hardware, or your access

servers and firewalls, consult the manufacturer’s documentation.

General Statement of Compliance

Table 4 on page 20 lists Steel-Belted Radius Carrier Release 7.6.0 compliance with

applicable RFCs.

Table 4: Compliance of Steel-Belted Radius Carrier Release 7.6.0 with Applicable RFCs

NotesNameRFC Number

—Structure and Identification of Management Informationfor TCP/IP-based Internets

1155

—Management Information Base for Network Managementof TCP/IP-based internets: MIB-II

1213

Obsoleted by RFC 2138Remote Authentication Dial In User Service2058

Obsoleted by RFC 2139RADIUS Accounting2059

—Ascend Tunnel Management Protocol2107

Obsoleted by RFC 2865Remote Authentication Dial In User Service2138

Obsoleted by RFC 2866RADIUS Accounting2139

Obsoleted by RFC 2571An Architecture for Describing SNMPManagementFrameworks

2271

Updated by RFC 2484PPP Extensible Authentication Protocol (EAP)2284



http://www.wimaxforum.org

http://www.ieee.org

Table 4: Compliance of Steel-Belted Radius Carrier Release 7.6.0 with ApplicableRFCs (continued)

NotesNameRFC Number

—Microsoft PPP CHAP Extensions2433

—Microsoft Vendor-specific RADIUS Attributes2548

—Proxy Chaining and Policy Implementation in Roaming2607

Obsoleted by RFC 4668RADIUS Authentication Client MIB2618

Obsoleted by RFC 4669RADIUS Authentication Server MIB2619

Obsoleted by RFC 4670RADIUS Accounting Client MIB2620

Obsoleted by RFC 4671RADIUS Accounting Server MIB2621

Obsoleted by RFC 5216PPP EAP TLS Authentication Protocol2716

—ImplementationofL2TPCompulsoryTunnelingviaRADIUS2809

—Remote Authentication Dial In User Service (RADIUS).2865

—RADIUS Accounting2866

—RADIUS Accounting Modifications for Tunnel ProtocolSupport

2867

—RADIUS Attributes for Tunnel Protocol Support2868

—RADIUS Extensions2869

—Network Access Servers Requirements: Extended RADIUSPractices

2882

—Generic AAA Architecture2903

—AAA Authorization Framework2904

—AAA Authorization Requirements2905

—AAA Authorization Requirements2906

—Mobile IP Authentication, Authorization, and AccountingRequirements

2977

—Criteria for Evaluating AAA Protocols for Network Access2989

—Mobile IPv4 Challenge/Response Extensions3012




NotesNameRFC Number

—RADIUS and IPv63162

—IANA Considerations for RADIUS (Remote AuthenticationDial In User Service)

3575

—RADIUS (Remote Authentication Dial In User Service)Support For Extensible Authentication Protocol (EAP)

3579

—IEEE 802.1X Remote Authentication Dial In User Service(RADIUS) Usage Guidelines

3580

—Extensible Authentication Protocol (EAP)3748

—Certificate Extensions and Attributes SupportingAuthentication in Point-to-Point Protocol (PPP) andWireless Local Area Networks

3770

—Remote Authentication Dial-In User Service (RADIUS)Attributes Suboption for the Dynamic Host ConfigurationProtocol (DHCP) Relay Agent Information Option

4014

—Extensible Authentication Protocol (EAP) MethodRequirements for Wireless LANs

4017

Not supportedDiameter Extensible Authentication Protocol (EAP)Application

4072

—State Machines for Extensible Authentication Protocol(EAP) Peer and Authenticator

4137

—Extensible Authentication Protocol Method for GlobalSystem for Mobile Communications (GSM) SubscriberIdentity Modules (EAP-SIM)

4186

—Extensible Authentication Protocol Method for 3rdGenerationAuthenticationandKeyAgreement (EAP-AKA)

4187

—Identity Selection Hints for the Extensible AuthenticationProtocol (EAP)

4284

—Certificate Extensions and Attributes SupportingAuthentication in Point-to-Point Protocol (PPP) andWireless Local Area Networks (WLAN)

4334

—Chargeable User Identity4372

Obsoleted by RFC 5090RADIUS Extension for Digest Authentication4590

—Additional Values for the NAS-Port-Type Attribute4603




NotesNameRFC Number

Previousversion (RFC2618)supportedRADIUS Authentication Client MIB for IPv64668

Previousversion (RFC2619) supportedRADIUS Authentication Server MIB for IPv64669

Previousversion(RFC2220)supportedRADIUS Accounting Client MIB for IPv64670

Previousversion (RFC2221) supportedRADIUS Accounting Server MIB for IPv64671

Not supportedRADIUS Dynamic Authorization Client MIB4672

Not supportedRADIUS Dynamic Authorization Server MIB4673

Not supportedRADIUS Attributes for Virtual LAN and Priority Support4675

—DSL Forum Vendor-Specific RADIUS Attributes4679

Not supportedExtensible Authentication Protocol (EAP) PasswordAuthenticated Exchange

4746

Not supportedExtensible Authentication Protocol Method forShared-secret Authentication and Key Establishment(EAP-SAKE)

4763

Not supportedThe EAP-PSK Protocol: A Pre-Shared Key ExtensibleAuthentication Protocol (EAP) Method.

4764

—RADIUS Delegated-IPv6-Prefix Attribute.4818

—RADIUS Filter Rule Attribute4849

Not supportedMobile IPv6 Operation with IKEv2 and the Revised IPsecArchitecture.

4877

—Guidance forAuthentication,Authorization, andAccounting(AAA) Key Management

4962

—Mobile IPv4 RADIUS Requirements5030

—Common Remote Authentication Dial In User Service(RADIUS) Implementation Issues and Suggested Fixes

5080

—The Extensible Authentication Protocol-Internet KeyExchange Protocol version 2 (EAP-IKEv2) Method

5106

—Handover Key Management and Re-AuthenticationProblem Statement

5169




NotesNameRFC Number

—Dynamic Authorization Extensions to RemoteAuthentication Dial In User Service (RADIUS)

5176

Previousversion(RFC2716)supportedThe EAP-TLS Authentication Protocol5216

MIPv6 not supported3GPP2 X.S0011-D, Version: 1.0, Version Date: February,2006

—

—Extensible Authentication Protocol Tunneled TransportLayer Security Authenticated Protocol Version 0(EAP-TTLSv0) P. Funk, S. Blake-Wilson. August 2008.

5281

—UseofStatus-ServerPackets in theRemoteAuthenticationDial In User Service (RADIUS) Protocol. A. DeKok. August2010.

5997

Table 5 on page 24 lists the protocols supported in Steel-Belted Radius Carrier Release

7.65.0.

Table 5: Protocols Supported in SBR Carrier Release 7.6.0

NotesProtocol

—UDP

—IPv4

RADIUS onlyIPv6

—DHCP v2

—DHCP v3

—LDAP v2

Not LCILDAP v3

—JDBC

—Oracle (SQL)

ConfigurationXML

AdminHTTP v1.1

Except CRs 801, 823, OMA/DMWiMAX NWG 1.2.2



Table 5: Protocols Supported in SBR Carrier Release 7.6.0 (continued)

NotesProtocol

—3GPP2

—3GPP2 X.S0011-D

RADIUS only3GPP

WLAN UE23.234 (RADIUS)

Gi and Pk reference points29.061 (RADIUS)

RADIUS only Interface E5TISPAN

—ES282.001

—ES282.004

—ES283.034

—ES283.035

SBR Carrier Documentation and Release Notes

For a list of related SBR Carrier documentation, see

http://www.juniper.net/support/products/carrier/carrier/.

If the information in the latest release notes differs from the information in the

documentation, follow the Steel-Belted Radius Carrier Release Notes.

To obtain themost current version of all Juniper Networks technical documentation, see

the products documentation page on the Juniper Networks website at

http://www.juniper.net/techpubs/.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can

improve the documentation to better meet your needs. Send your comments to

[email protected], or fill out the documentation feedback form at

https://www.juniper.net/cgi-bin/docbugreport. If you are using e-mail, be sure to include

the following information with your comments:

• Document name

• Document part number

• Page number

• Software release version


SBR Carrier Documentation and Release Notes


http://www.juniper.net/techpubs/

https://www.juniper.net/cgi-bin/docbugreport

Requesting Technical Support

Technical product support is available through the JuniperNetworksTechnicalAssistance

Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,

or are covered under warranty, and need post-sales technical support, you can access

our tools and resources online or open a case with JTAC.

• JTAC Policies—For a complete understanding of our JTAC procedures and policies,

review the JTAC User Guide located at

http://www.juniper.net/customers/support/downloads/710059.pdf

• ProductWarranties—For product warranty information, visit

http://www.juniper.net/support/warranty/

• JTAC Hours of Operation—The JTAC centers have resources available 24 hours a day,

7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online

self-service portal called the Customer Support Center (CSC) that provides youwith the

following features:

• Find CSC offerings:

http://www.juniper.net/customers/support/

• Search for known bugs:

http://www2.juniper.net/kb

• Find product documentation:


• Find solutions and answer questions using our Knowledge Base:

http://kb.juniper.net/

• Download the latest versions of software and review release notes:

http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications:

https://www.juniper.net/alerts/

• Join and participate in the Juniper Networks Community Forum:

http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Manager:

http://www.juniper.net/cm/

Toverify serviceentitlementbyproduct serial number, useourSerialNumberEntitlement

(SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/



http://www.juniper.net/customers/support/downloads/710059.pdf

http://www.juniper.net/support/warranty/

http://www.juniper.net/customers/support/

http://www2.juniper.net/kb


http://kb.juniper.net/

http://www.juniper.net/customers/csc/software/

https://www.juniper.net/alerts/

http://www.juniper.net/company/communities/


https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Casewith JTAC

You can open a case with JTAC on theWeb or by telephone.

• Use the Case Manager tool in the CSC at http://www.juniper.net/cm/

• Call 1-888-314-JTAC (1-888-314-5822 – toll free in the USA, Canada, and Mexico)

For international or direct-dial options in countries without toll-free numbers, visit

http://www.juniper.net/support/requesting-support.html

When you are running SBRC Administrator, you can chooseWeb > Steel-Belted Radius

Carrier Home Page to access a special home page for Steel-Belted Radius Carrier users.

When you contact technical support, be ready to provide:

• Your Steel-Belted Radius Carrier release number (for example, Steel-Belted Radius

Carrier Release 7.6.0).

• Information about the server configuration and operating system, including any OS

patches that have been applied.

• For licensedproducts under a currentmaintenance agreement, your license or support

contract number.

• A detailed description of the problem.

• Any documentation that may help in resolving the problem, such as error messages,

core files, compiler listings, and error or RADIUS log files.

Revision History

August 2013—SBR Carrier Release 7.6.0

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the UnitedStates and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All othertrademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that areowned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312,6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Ulticom, Signalware, Programmable Network, Ultimate Call Control, and Nexworx are registered trademarks of Ulticom, Inc. Kineto andthe Kineto Logo are registered trademarks of KinetoWireless, Inc. Software Advancing Communications and SignalCare are trademarksandservicemarksofUlticom, Inc.CORBA(CommonObjectRequestBrokerArchitecture) is a registered trademarkof theObjectManagementGroup (OMG).Raima,RaimaDatabaseManager andRaimaObjectManager are trademarksofBirdstepTechnology. Sun, SunMicrosystems,the Sun logo, Java, Solaris, and all trademarks and logos that contain Sun, Solaris, or Java are trademarks or registered trademarks of SunMicrosystems, Inc. in the United States and other countries. MySQL and the MySQL logo are registered trademarks of MySQL AB in theUnited States, the European Union, and other countries. All other trademarks, service marks, registered trademarks, or registered servicemarks are the property of their respective owners. All specifications are subject to change without notice.

Contains software copyright 2000–2010 by MySQL AB, distributed under license.

Portions of this software copyright 2003-2009 LevWalkin <[email protected]> All rights reserved.




http://www.juniper.net/support/requesting-support.html

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions aremet:

1. Redistributions of source codemust retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary formmust reproduce the above copyright notice, this list of conditions and the following disclaimer in thedocumentation and/or other materials provided with the distribution.

THISSOFTWAREISPROVIDEDBYTHEAUTHORANDCONTRIBUTORS``ASIS''ANDANYEXPRESSORIMPLIEDWARRANTIES, INCLUDING,BUTNOTLIMITEDTO,THE IMPLIEDWARRANTIESOFMERCHANTABILITYANDFITNESSFORAPARTICULARPURPOSEAREDISCLAIMED.IN NO EVENT SHALL THE AUTHOROR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, ORCONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODSOR SERVICES; LOSS OFUSE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED ANDON ANY THEORY OF LIABILITY, WHETHER INCONTRACT,STRICTOROTHERWISE)ARISING INANYWAYOUTOFTHEUSEOFTHISSOFTWARE,EVEN IFADVISEDOFTHEPOSSIBILITYOF SUCH DAMAGE.

Portions of this software copyright 1989, 1991, 1992 by Carnegie Mellon UniversityDerivativeWork–1996, 1998–2009 Copyright 1996, 1998–2009. The Regents of the University of California All Rights Reserved. Permissionto use, copy, modify and distribute this software and its documentation for any purpose and without fee is hereby granted, provided thatthe above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supportingdocumentation, and that the name of CMU and The Regents of the University of California not be used in advertising or publicity pertainingto distribution of the software without specific written permission.

CMU AND THE REGENTS OF THE UNIVERSITY OF CALIFORNIA DISCLAIM ALLWARRANTIESWITH REGARD TO THIS SOFTWARE,INCLUDING ALL IMPLIEDWARRANTIES OFMERCHANTABILITY AND FITNESS. IN NO EVENT SHALL CMUOR THE REGENTS OF THEUNIVERSITYOFCALIFORNIABELIABLEFORANYSPECIAL, INDIRECTORCONSEQUENTIALDAMAGESORANYDAMAGESWHATSOEVERRESULTING FROMTHE LOSSOF USE, DATAOR PROFITS,WHETHER IN AN ACTIONOF CONTRACT, NEGLIGENCE OROTHER TORTIOUSACTION, ARISING OUT OF OR IN CONNECTIONWITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Portions of this software copyright © 2001–2009, Networks Associates Technology, Inc. All rights reserved. Redistribution and use in sourceand binary forms, with or without modification, are permitted provided that the following conditions are met:



3. Neither the name of the Networks Associates Technology, Inc nor the names of its contributors may be used to endorse or promoteproducts derived from this software without specific prior written permission.

THISSOFTWAREISPROVIDEDBYTHECOPYRIGHTHOLDERSANDCONTRIBUTORS“AS IS”ANDANYEXPRESSORIMPLIEDWARRANTIES,INCLUDING, BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OFMERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSEARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,INCIDENTAL,SPECIAL,EXEMPLARY,ORCONSEQUENTIALDAMAGES(INCLUDING,BUTNOTLIMITEDTO,PROCUREMENTOFSUBSTITUTEGOODSOR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED ANDON ANY THEORYOF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OROTHERWISE) ARISING IN ANYWAYOUTOF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Portions of this software are copyright © 2001–2009, Cambridge Broadband Ltd. All rights reserved. Redistribution and use in source andbinary forms, with or without modification, are permitted provided that the following conditions are met:



3. The name of Cambridge Broadband Ltd. may not be used to endorse or promote products derived from this software without specificprior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER “AS IS” AND ANY EXPRESS OR IMPLIEDWARRANTIES, INCLUDING, BUTNOT LIMITED TO, THE IMPLIEDWARRANTIES OFMERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.



IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, ORCONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODSOR SERVICES; LOSS OFUSE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED ANDON ANY THEORY OF LIABILITY, WHETHER INCONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OROTHERWISE) ARISING IN ANYWAYOUTOF THE USE OF THISSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Portions of this software copyright © 1995–2009 Jean-loup Gailly and Mark Adler This software is provided 'as-is', without any express orimplied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted toanyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to thefollowing restrictions:

1. The origin of this software must not bemisrepresented; youmust not claim that you wrote the original software. If you use this softwarein a product, an acknowledgment in the product documentation would be appreciated but is not required.

2. Altered source versions must be plainly marked as such, andmust not bemisrepresented as being the original software.

3. This notice may not be removed or altered from any source distribution.

HTTPClient package Copyright © 1996–2009 Ronald Tschalär ([email protected])

This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as publishedby the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful, but WITHOUT ANYWARRANTY; without even the implied warranty ofMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. For a copyof the GNU Lesser General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307,USA.

Copyright (c) 2000–2009 The Legion Of The Bouncy Castle (http://www.bouncycastle.org)

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the"Software"), to deal in theSoftwarewithout restriction, includingwithout limitation the rights to use, copy,modify,merge, publish, distribute,sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the followingconditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUTWARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TOTHEWARRANTIES OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THEAUTHORSORCOPYRIGHTHOLDERSBELIABLEFORANYCLAIM,DAMAGESOROTHERLIABILITY,WHETHERINANACTIONOFCONTRACT,TORT OROTHERWISE, ARISING FROM, OUT OF OR IN CONNECTIONWITH THE SOFTWARE OR THE USE OROTHER DEALINGS IN THESOFTWARE.

Contains software copyright 2000–2013 by Oracle America, Inc., distributed under license.

Steel-BeltedRadiususesThrift, licensedunder theApacheLicense,Version2.0 (the “License”); youmaynotuse this file except in compliancewith the License.

Youmay obtain a copy of the license at

http://www.apache.org/licenses/LICENSE-2.0

Unless requiredbyapplicable lawor agreed to inwriting, softwaredistributedunder the License is distributedonan “AS IS”BASIS,WITHOUTWARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

See the License for the specific language governing permissions and limitations under the License.

Steel-Belted Radius uses Cyrus SASL under the following license:

Copyright © 1994-2012 Carnegie Mellon University. All rights reserved.






3. The name "CarnegieMellonUniversity"must not be used to endorse or promote products derived from this softwarewithout priorwrittenpermission. For permission or any legal details, please contact

Office of Technology TransferCarnegie Mellon University5000 Forbes AvenuePittsburgh, PA 15213-3890(412) 268-4387, fax: (412) [email protected]

4. Redistributions of any formwhatsoever must retain the following acknowledgment:

"This product includes software developed by Computing Services at Carnegie Mellon University (http://www.cmu.edu/computing/)."

CARNEGIEMELLONUNIVERSITYDISCLAIMSALLWARRANTIESWITHREGARDTOTHISSOFTWARE, INCLUDINGALL IMPLIEDWARRANTIESOFMERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL, INDIRECTOR CONSEQUENTIAL DAMAGES OR ANY DAMAGESWHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER INAN ACTION OF CONTRACT, NEGLIGENCE OROTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTIONWITH THE USE ORPERFORMANCE OF THIS SOFTWARE.

Steel-Belted Radius uses OpenSSL versions 0.9.8h and 1.0.0-25, which have the following terms:

Copyright ©1998-2011 The OpenSSL Project. All rights reserved.




3. All advertising materials mentioning features or use of this software must display the following acknowledgment:

"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this softwarewithout prior written permission. For written permission, please contact [email protected].

5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior writtenpermission of the OpenSSL Project.

6. Redistributions of any formwhatsoever must retain the following acknowledgment:

"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ''AS IS'' AND ANY EXPRESSED OR IMPLIEDWARRANTIES, INCLUDING, BUTNOT LIMITED TO, THE IMPLIEDWARRANTIES OFMERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,EXEMPLARY,ORCONSEQUENTIALDAMAGES(INCLUDING,BUTNOTLIMITEDTO,PROCUREMENTOFSUBSTITUTEGOODSORSERVICES;LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED ANDON ANY THEORY OF LIABILITY, WHETHERIN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDINGNEGLIGENCEOROTHERWISE) ARISING IN ANYWAYOUTOF THEUSEOF THISSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.



The "inih" library is distributed under the New BSD license:

Copyright © 2009, Brush Technology. All rights reserved.


2.Redistributions in binary formmust reproduce the above copyright notice, this list of conditions and the following disclaimer in thedocumentation and/or other materials provided with the distribution.

3. Neither the name of Brush Technology nor the names of its contributors may be used to endorse or promote products derived from thissoftware without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY BRUSH TECHNOLOGY ''AS IS'' AND ANY EXPRESS OR IMPLIEDWARRANTIES, INCLUDING, BUT NOTLIMITED TO, THE IMPLIEDWARRANTIES OFMERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NOEVENT SHALL BRUSH TECHNOLOGY BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIALDAMAGES(INCLUDING,BUTNOTLIMITEDTO,PROCUREMENTOFSUBSTITUTEGOODSORSERVICES;LOSSOFUSE,DATA,ORPROFITS;OR BUSINESS INTERRUPTION) HOWEVER CAUSED ANDON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,OR TORT (INCLUDING NEGLIGENCE OROTHERWISE) ARISING IN ANYWAYOUTOF THE USE OF THIS SOFTWARE, EVEN IF ADVISEDOF THE POSSIBILITY OF SUCH DAMAGE.



Documents

Steel-Belted Radius® Carrier Release Notes -