sbrc-7-3-release note.pdf1

Steel-Belted Radius Carrier ReleaseNotes

Release 7.329March 2011Revision 1

These Release Notes support Release 7.3 of Steel-Belted Radius Carrier (SBRC). Beforeyou install or use your new software, read theseReleaseNotes in their entirety, especiallyKnown Problems and Limitations on page 10.

Contents Release Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3Before You Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Release Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3Enhancements in Logging Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Enhancement to AutoStop Feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Session Limit License Enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Pre-loading the libumem Allocator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Service Level Manager (SLM) Client Support . . . . . . . . . . . . . . . . . . . . . . . . . . 5New Parameter Added to the sessionTable.ini File . . . . . . . . . . . . . . . . . . . . . . 6

System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Perl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Supported Browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7External Database Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Signalware and SS7 Interface Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Modified Open-Source Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Migrating from Earlier SBRC Releases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Migrating from Earlier SBRC Standalone Server Products . . . . . . . . . . . . . . . . 9Supported Releases for Standalone Server . . . . . . . . . . . . . . . . . . . . . . . . 9

Migrating from SBR Release 5.5 High Availability . . . . . . . . . . . . . . . . . . . . . . . 9Using a Transition Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Known Problems and Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10CDMA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10CoA/DM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10LDAP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

1Copyright 2011, Juniper Networks, Inc.

Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11SBRC Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11SBRC Core . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Session State Register Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14SIM Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17SMS Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17WiMAX Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Documentation Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19WiMAX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19sessionTable.ini . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19JDBC Plugins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Current Sessions Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Resolved Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Release 7.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Requests for Comments (RFCs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233GPP and 3GPP2 Technical Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . 25WiMAX Technical Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Third-Party Products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

General Statement of Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25SBR Carrier Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . 30Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Revision History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Copyright 2011, Juniper Networks, Inc.2

Steel-Belted Radius Carrier Release 7.3 Release Notes

Release Overview

These releasenotescoverRelease7.3of the JuniperNetworksSteel-BeltedRadiusCarrierproduct.

Before You Start

Before you use your new software, read these Release Notes in their entirety, especiallythe section Known Problems and Limitations.

Documentation

Table 1 on page 3 lists and describes the Steel-Belted Radius Carrier documentationset:

Table 1: Steel-Belted Radius Carrier Documentation

DescriptionDocument

Describes how to install the Steel-Belted Radius Carrier software on the serverand the SBRC Administrator application on a client workstation.

Steel-Belted Radius Carrier Installation Guide

Describes how to configure and operate the Steel-Belted Radius Carrier and itsseparately licensedmodules.

Steel-Belted Radius Carrier Administrationand Configuration Guide

Describes the settings and valid values of the Steel-Belted Radius Carrierconfiguration files.

Steel-Belted Radius Carrier Reference Guide

Provides tips, use cases, and tools you need to:

Improve SBRC performance through planning, analysis, and configuration

Increase SBRC throughput and reliability

Analyze specific use cases, in the lab or in the production environment, toidentify areas of potential performance enhancement and to limit the impactof resource constraints and failure scenarios

Steel-Belted Radius Carrier Performance,Planning, and Tuning Guide

Contains the latest information about features, changes, known problems, andresolved problems in Release 7.3.

Steel-Belted Radius Carrier 7.3 Release Notes

NOTE: If the information in the Release Notes differs from the informationin any guide, follow the Release Notes.

You can find these release notes in AdobeAcrobat (PDF) format on the JuniperNetworksTechnical PublicationsWeb page, which is located at:

https://www.juniper.net/techpubs/software/carrier_aaa/carrier/

Release Highlights

Highlights include the following product enhancements:


Release Overview

Enhancements in LoggingModule

In SBRC 7.3, enhancements to logging have beenmade in the radius.ini and statlog.inifiles.

In the radius.ini file, you can set the LogLevel parameter as follows:

0 Default, errors

1 Log errors and warnings

2 Debugging messages including info, warnings, and errors

If the value for LogLevel is set as 2, then the entries to the server log file will contain boththethread ID(Log-Thread-ID)andtimestampswithmillisecond(LogHighResolutionTime)details, unless they are explicitly disabled.

In the statlog.ini file, the following new statistics have been added to the [Statistics]section:

Proxy-Threads

High-Proxy-Threads

High-Proxy-Threads-Since-Reset

Max-Proxy-Threads

Enhancement to AutoStop Feature

The Proxy AutoStop feature forwards session termination information to downstreamproxy RADIUS servers when a user session is closed, so that the resources associatedwith the user session can be freed.

In the radius.ini [Configuration] section, you can set the AcctAutoStopEnable parametervalue as Enabled, Disabled, or NoOnOff.

EnabledProxy AutoStop feature is enabled.

DisabledProxy AutoStop feature is disabled.

NoOnOffProxy AutoStop feature is enabled, but prevents Accounting-Stop packetsfrombeing sent in response to Accounting-On or Accounting-Off received fromaNAS.

Session Limit License Enhancements

InSBRC7.3, if thenumberof concurrent active sessions in a standaloneSBRC installationexceeds the license count, an SNMP error trap is generated and amessage is written tothe log.

In a cluster setup, each front-end SBRC servermonitors the number of concurrent activesessions individually. If the number of concurrent active sessions exceeds the licensecount, then each front-end server sends a trap and amessage is written to the log.



The format of the message written to the log is WARNING:%d active sessions exceedthe license limit of %d sessions. Please upgrade your SBRC license in order to remain incompliance with your license agreement. Here, the first %d indicates the number ofactivesessionsandthesecond%d indicates themaximumnumberofconcurrent sessionsset by the license.

SBRC uses the following proprietary SNMP trap variables:

funkSbrTrapVarCurrentSessionsTotal number of concurrent active sessions in theserver.

funkSbrTrapVarLicensedSessionsThemaximumnumberofconcurrentactivesessionsallowed by the license.

In fnkradtr.mib, the following trap is defined and generated:

TypeDescriptionTrap NameOID Suffix

ErrorTrap is sent when the number ofconcurrent active sessions inSteel-Belted Radius Carrier exceedsthe count set by the license.

funkSbrTrapMaxConcurrentSessionsExceeded10061

Pre-loading the libumemAllocator

InSBRC7.3, thesbrd.conf configuration file contains theparameterRADIUS_LD_PRELOAD.This parameter specifies an arbitrary space-separated list of libraries to be interposedon the RADIUS process. In particular, this parameter overrides mtmalloc with the newumemmemory allocator.

If commented out or set to "", the parameter does not override anything and the sbrdprocess uses the mtmalloc memory allocator as in previous releases.

The default value of /lib/libumem.so uses the umemmemory allocator, which providesimprovedmemory handling, instead of mtmalloc.

NOTE: In addition to improved performance considerations, the umemmemory allocator offers optional debug features that are controlled by theUMEM_DEBUG and UMEM_LOGGING parameters.

Service Level Manager (SLM) Client Support

The Steel-Belted Radius Carrier SLM software allows a carrier to establish limits forsubscriber connections basedon the number of ports available to a region or the numberof connections available to a subscriber or a subscriber tribe, or a combination of port-and subscriber-based limits. The level of control offered by SLM helps a carrier ensureand enforce the conditions of service-level agreements.

The SLM components consist of one or more SLM clients and a central SLM server.


Release Highlights

An SLM client is a Steel-Belted Radius Carrier server running the SLM client software. AnSLM client can perform authentication or accounting functions locally, or it can directauthentication or accounting requests (or both) to a proxy AAA server.

An SLM server can track port allocations and user connections across all SLM clients.The SLM server does not authenticate users.

NOTE: Youmust configure the SLM 5.3 server separately.

To configure an SBRC server as an SLM client, perform the following tasks:

1. Configure the radius.ini file to set up operation of the SLM client.

2. Configure the pasclnt.aut file to enable concurrency processing.

3. Configure the proxy.ini file to specify the operation of proxy realms.

4. Create a realm.pro or realm.dir file for each ISP Server proxy realm.

5. If youuseanon-defaultSLMattribute, configure the filter.ini file to include theattribute.

6. Use the SBRC Administrator interface to configure the SLM Server as a Proxy Target.

By default, the following SLMclient files are available at /opt/JNPRsbr/radius/pas/client:

pasclnt.aut

pasclnt.so

pasrealm.dir

pasrealm.pro

passerver.pro

To use these SLM client files, you need to copy them to the radius directory at/opt/JNPRsbr/radius.

See theSteel-BeltedRADIUSServiceLevelManager5.3AdministrationGuide (https://download.juniper.net/software/aaa_802/public/sbr/docs/SLM53ADMIN.pdf) for moreinformation.

NewParameter Added to the sessionTable.ini File

In the [Settings] section of sessionTable.ini file, the parameter GenerateUniqueIdFromIPhas been newly added. If set, this parameter is intended for use when SBRC is acting asan accounting server and ensures that the Framed-IP-Address attribute is unique in thesession table.

This parameter ensures that the Framed-IP-Address attribute is unique in the sessiontable when SBRC is acting as an accounting-only server and the SBR-generated classattributes are not present in Accounting-Requests.

If set to no, the GenerateUniqueIdFromIP parameter will be disabled.



If set to ipaddr, the parameter generates the unique session id from the IP address,which is the Framed-IP-Address of four octets, causing 16 total bytes of padding withzeroes.

If set to ipaddr-plus-nas, the parameter generates unique session id from IP addressand NAS name, which is the Framed-IP-Address of four octets, plus up to the first 12characters of the NAS name, causing 16 total bytes of padding with zeroes.

The default value is no.

SystemRequirements

For completedetailson thehardwareandsoftware requirements for runningastandaloneSteel-Belted Radius Carrier server or the optional SBR Carrier Session State Register(SSR) on Sun hardware under the Solaris 10 operating system, see Meeting SystemRequirements in the Steel-Belted Radius Carrier Installation Guide.

Software

Steel-Belted Radius Carrier server requires Sun Solaris 10 10/08 for SPARC platforms,with the appropriate patches.

Solaris Update 6 is required

Update 8 is recommended, for Oracle 11 support

Perl

Sun ships Solaris 10with Perl 5.8.4, andSteel-BeltedRadius Carrier has been testedwiththat version.MultiplePerl installations indiscretedirectoriesare supported, butattemptingto use other versions of Perl with SBR Carrier may cause problems.

Supported Browsers

The SBRC Administrator application can be launched from the browsers listed in Table2 on page 7.

Table 2: Supported Browsers

Operating SystemVersionsBrowser

Windows XP SP26.0, 7.0Internet Explorer

Windows XP SP22.0Mozilla Firefox

Solaris 10 with JRE 1.5.0_111.7Mozilla

JavaRuntimeEnvironment (JRE) 1.4.2 or newer is required for all browsers, and is availablefrom http://java.sun.com.


System Requirements

NOTE: Using theSBRCAdministrator onWindowswithAeroeffects enabledmight remove some of the UI elements. Youmust disable theWindows Aeroeffects.

External Database Requirements

Steel-Belted Radius Carrier supports:

Oracle version 9, 10, and 11; version 11.2.0 is recommended.

For the Steel-Belted Radius Carrier to act as an Oracle native client, the Oracle clientmust be set up before installing SBRCarrier because theOracle server location is usedduring installation.

The JDBC plug-in has been tested with Oracle running on Solaris and MySQL.

Signalware and SS7 Interface Requirements

If you want the Steel-Belted Radius Carrier server to support the optional SIMauthenticationmoduleor theoptionalWiMAXmodule,UlticomSignalware9withServicePack 5Tmust be installed in the server before you install SBR Carrier software.

If you want the Steel-Belted Radius Carrier server to communicate with any SS7 legacyequipment, install theUlticomSS7 communication board andSignalware 9with ServicePack 5T before you install SBR Carrier software.

CAUTION: Service Pack 5Tmust be installed, or Steel-Belted Radius Carriercannot use the Signalware communications stack.

The patch is delivered in the same directory as the SBRC and Signalware 9.tgz files as SIGNALWARE_9_SP5.T_SOLARIS10_UPGRADE.TGZ.

After the base Signalware 9 software is installed, use the Signalwareinstallation program to install the patch. For specific directions, refer to theSignalware documentation. To see a sample procedure for applying thepatch, see Installing Signalware Service Pack 5T in the SBR CarrierInstallation Guide.

The Signalware PH0301 and XH0303 boards are supported.

For more information, see the SBR Carrier Installation Guide.

Modified Open-Source Software

Embedded in this version of Steel-Belted Radius Carrier is open-source software thatJuniper Networks has modified. Themodified software includes:

LDAP C SDK from The Mozilla Foundation

HTTPClient from Ronald Tschalr



sunmd5.c from The OpenSolaris Project

You can obtain the source code for thesemodifications by requesting them from JuniperNetworks Technical Support. See Requesting Technical Support on page 31.

Migrating from Earlier SBRC Releases

SBR Carrier Release 7.3 can run as a standalone server or as part of a Session StateRegister cluster.

Migrating from Earlier SBRC Standalone Server Products

You can use the configuration script to move a number of files from selected previousSBRC releases to theRelease 7.3 environmentwhen installingSteel-BeltedRadiusCarrier.The corresponding Release 7.3 files are also loaded on the system, but are not activated.You are responsible for merging new settings from Release 7.3 configuration files intotheworking (pre-existing) configuration files. To support new features, SBRCusesdefaultvalues for any new settings that have not beenmerged into the working configurationfiles.

Supported Releases for Standalone Server

You canmigrate configuration files from these SBRC server releases to Release 7.3:

Mobile IP Module (MIM) Release 5.32

SIM Server Release 5.4

SBR Service Provider Edition Release 6.0 and Release 6.1

SBR Carrier Release 7.0 and previous 7.2.x releases

For complete details onmigrating from these releases, see the SBR Carrier InstallationGuide.

Migrating from SBR Release 5.5 High Availability

The easiestway to replace an existingSBRRelease 5.5HighAvailability (SBRHA) clusterwith a new Release 7.3 cluster is to fully install and configure the new cluster and thencut over to the new cluster.

Doing this causesabrief servicedisruption that youcanmitigatebyallowingboth clustersto run online in parallel long enough for existing sessions to drop off the old cluster asthey end. Because no new sessions are added to the old cluster, after some period oftime, most active sessions are managed by the new cluster. Any remaining long-termsessions are terminated when the old cluster is brought down. When the sessionsreconnect to the network, they connect to the new cluster.

Using a Transition Server

Somesitesmaynot have enough servers to support twoclusters running simultaneously.To address this issue, we developed amigration strategy that uses a transition server. Atransition server is a single machine that temporarily takes the place of your existing,


Migrating from Earlier SBRC Releases

working cluster while you take the servers from that cluster offline, install Release 7.3software on them, and then bring them back online as a Release 7.3 cluster.

Use a transition server in addition to the four servers that a basic cluster installationrequires to ensure redundancy. The fifth server performs the work of the entire clusterwhile you take the four existing SBR/HA Release 5.5 servers offline, update them, andbring them back online in an SSR Starter Kit configuration.

If a fifth host machine is not available and youmust work only with the four servers thatcurrently make up the SBR/HA Release 5.5 cluster, you can adapt the transition serverstrategy and borrow one server from the existing cluster to use as the transition server.Doing this increases the risk of cluster failure during the switchover because some levelof redundancy or capacity is removed from the existing, working cluster when you takeone host machine offline.

For details about migrating from SBR Release 5.5 High Availability, see the SBR CarrierInstallation Guide.

Known Problems and Limitations

These issues have been identified in Steel-Belted Radius Carrier 7.3. The identifier inparentheses is the Problem Report number in our bug database.

CDMA

Because prepaid session IDs are kept inmemory, if SBRC stops, these session IDsare lost. If prepaid session IDs are lost, the sessionsmust be deleted from the prepaidserver; otherwisenewprepaid sessionsmaynotbeavailable. (PR248265,PR444460)

To set session timeout, use the SessionTimeoutSeconds in the prepaid.att file or aSession-Timeout attribute in a profile. A session timeout cannot be set using a filterin the 3GPP2.ini file. (PR 248448, PR 306397)

CoA/DM

If a NAS client is configuredwithout saving the RFC3576 CoA/DMShared Secretpassword, a password appears to be configuredwhen the client is subsequentlyviewed. If unexpected results such as invalid signatures occur, make sure that thepassword is set correctly. (PR 420409)

Filters

Changing a rule in SBRCAdministrator with Filter>Edit Rule fromExclude or Add toReplace has no effect. Instead of changing the rule type, delete the attribute and thenadd a new attribute with the correct Replace type. (PR 298086)

A filter with an index that is configured to replace a parent attribute withmultipleinstances of a single subattribute does not always work correctly. To avoid this, setup the configuration so that it uses multiple separate attributes that each contain thesame subattribute. (PR 298631)



LDAP Authentication

Setting theMaxConcurrent setting in the ldapauth configuration file to very largevalues can cause Steel-Belted Radius Carrier to run out ofmemory and crash. As aworkaround, use smaller values of MaxConcurrent, for example less than 1000. (PR249953)

Logging

SBRCmustbe restartedtochangetheenabledstateofaccounting logging, includingdirected accounting loggingmethods. There is no workaround. (PR 579753)

Replication

After a server is configured as non-replicating, it cannot be converted to a primaryserver. Youmust reinstall the server to set it up as a primary server. (PR 436725)

Replica servers that are offline when the primary server publishes configurationdatamay not update correctly. (PR 284279) To correct this:

1. Execute on the replica:

# sbrsetuptool -identity REPLICA -primary name address secret

where:

name is the DNS name of the primary server.

address is the IP address of the primary server.

secret is the shared secret that authenticates configuration downloads.

2. Restart the replica.

SBRC Administrator

When a profile is configured in SBRCAdministrator, the value entered in a checklistcan exceed themaximum length for the value that is specified in the dictionary file.This does not cause any problems in Steel-Belted Radius Carrier, but if any externalapplications requireavaluewithaspecific length, theexternal applicationmaygeneratean error. (PR 306944)

The "Use different shared secret for accounting" box remains checked. Configure aclient through the SBRC Administrator GUI. Check the "Use different shared secret foraccounting" box. Enter a different shared secret, and click OK. Edit the client anduncheck the "Use different shared secret for accounting" box, and click OK. Edit theclient again and you will notice that "Use different shared secret for accounting" boxremains checked, and the shared secrets for accountingandauthorizationaredifferent.(PR 581706)

int4attributeswithvaluegreater than2147483648aredisplayedasnegativevaluesin the SBRC Administrator GUI. This occurs when you create a profile with a reply listcontaining an int4 attribute whose value is greater than 2147483648. Click Ok andview the reply list. The attribute displays a negative value. However, an int4 attribute



is anunsigned integer and thisworksproperly through theLDAPconfiguration interface(LCI). (PR 581771)

While editing the attributes of type int1, int2, or int4 in the SBRCAdministrator GUI,values are not checked tomake sure they are in a valid range. If you set a value thatis greater than themaximum range, the attributewill be deletedwithout awarning.There is no workaround. (PR 582099)

Signed integers are not supported. If a value greater than 2147483648 is entered(either through the SBRC Administrator or through the LCI), it appears as a negativenumber. (PR 582104)

If you edit deviceModels.xml and create a duplicatemodel entry, the SBRCAdministrator GUImay hangwhen trying to display the Current Sessions tab. Thereis no workaround other than correcting the error and restarting the Administrator. (PR583037)

After renaming a client, or deleting and then adding a client with a different name,the SBRCAdministratormust be restarted in order for the SCSmodule to recognizethe client. If the SBRC Administrator is closed and restarted, then the form to enterthe required attributes works properly. (PR 583077)

The value of Termination-Action for TLSandTTLSauthenticationmethods and theTLS helper cannot be set correctly through the SBRCAdministrator GUI. The valuesmust be setmanually by editing tlsauth.aut, ttlsauth.aut, or tlsauth.eap. (PR 583905)

After promoting a replica server to a primary server, the SBRC Administrator of theearlier primary server must be restarted. There is no workaround. (PR 586219)

SBRC Core

The UseMasterDictionary featuremay add or allow unknown attributes. This canresult in the dispatch of an incorrect packet. The problemoccurs if two vendor-specificdictionaries associate the same attribute number with different types (such as stringand integer). (PR 248477)

To open the audit log in a browser, the close-tag of the root element("")must bemanually moved to the end of the file. (PR 435027)

The proxy logging enhancement features introduced in Release 7.2.2 apply only toextended proxy or to realms defined in the proxy.ini file. They do not apply to legacyproxy, including Proxy-As-Authentication-Method. (PR 444675)

If SBRC receives anAccounting-Startmessage after the Accounting-Stopmessagefor the same session has already been processed, SBRCwill create a new sessionthat will only be removed by stale session purging ormanual deletion. (PR 447739)

To stop SBRCwhile in Management Mode, the command ./sbrd stop radius forcemust be used. (PR 533928)

PEAPwith innerTLSmay failwithWindowssupplicants.Microsoft technical supportreports that in EAP-PEAP phase 2, MS PEAP does not support fragmentation on theouter packets. To prevent this, set the inner TLS packet fragmentation so that no outerfragmentation is necessary during the negotiation. Edit tlsauth.aut, and in the[Server_settings] section, set TLS_Message_Fragment_Length=900. (PR 254219)



If the location of the logging directory is changed from the default, make sure thatthe directory exists before starting SBRC.Otherwise, SBRCmay fail to functioncorrectly. (PR 437583)

Whenasubattributestringwitha lengthof244characters is specified, theexpectedresponse is not returned. To avoid this situation, edit the string to reduce the numberof characters to fewer than 244. (PR 298055)

If RADIUS vendor-specific attributes (VSAs) are added to the session databaseschema, they should be defined as VARBINARY type. (PR 412255)

AcctCarryOver isnolongersupportedbecausetheexpandedcapacityofthedatabasemakes it unreasonable to write all existing sessions to a log file at one time. Thisissue applies to servers running standalone and in an SSR cluster. (PR 297789)

If user concurrency is enabled after user sessions have been established, thosesessions are not counted toward concurrency limits. (PR 431438)

Configuration of large checklists or return lists via the LDAP configuration interface(LCI) can result in a crash of the server. If the total permissible size of a configurationobject (64KB) is exceededby addingmany checklist or return list attributes to a nativeuser or profile object, then SBRCwill crash trying to process the LCI transaction. Aworkaround with better performance characteristics is to avoid very large checklistsand usemultiple native users or DialedNumber Identification Service (DNIS)mappinginstead. Very large return lists are not likely to be required in any valid configurationbecause a RADIUS packet can only contain less than 4 KB of return attributes. (PR451518)

Ifmulti-round(challenge)authentication isused, theAddFunkClientGroupToRequestfeature adds the Funk-Radius-Client-Group attribute-value pair (AVP) to only thefirst access request. Subsequent challenge responses will not have this attributeadded, and, therefore, cannot use this attribute in checklist processing when EAP orother challenge-based protocols are used. (PR 460109)

In scenarios where SBRC proxies requests to downstream authentication andaccounting servers, Class attributes are handled incorrectly if the downstreamRADIUS server returnsmore than one Class attribute. In such scenarios, thedownstreamaccountingserverswill not receive thecorrectClassattributes.Thesupportfor Class attributes in proxy scenarios works correctly only if the downstream serverreturns less than two Class attributes in the Access-Accept message. (PR 465894)

An Accounting-Interim does not create a session if an Accounting-Start has notbeen received earlier for the transaction or a phantomsession has not been createdThere is no workaround. (PR 575954)

The Round Robin Group feature does not work properly if Client profiles are usedwith precedence set to RADIUS-Client. There is no workaround. (PR 590176)

If an attribute of type "time" is added to a return list, the ldapsearch command'slistingof theprofilemaycontain jumbled results.There is noworkaround. (PR581767)



Session State Register Module

AHUP signal reinitializes the cluster, causing SBR Carrier to enter Managementmode and any IP address caches to be reinitialized. During this reinitialization,authentication requests exhibit longer than normal latency if IP address assignmentis configured. To prevent this behavior, set UpdatePlugins = 0 in the [HUP] section ofupdate.ini file. To use the USR2 signal instead of HUP to reinitialize the cluster, setUpdatePlugins = 1 in the [USR2] section. (PR 416232)

Configuring redirection and concurrency together causes sessions that are rejecteddue to concurrency limitations to be redirected and to populate the database, andmay interfere with correct operation of concurrency. (PR 422987)

AlthoughWimaxAcctFlows is included in the session table, it is not displayedby theShowSessions script. This is normal, as it consists of binary data and is not readable.(PR 440624)

SBRCarrier Cluster IP address allocation is limited to caching 30,000 IP addressesper SBRC front-end node. If any front-end node is configured to cachemore than atotalof30,000 IPaddressesviadbclusterndb.gen, then thisSBRCnodecannotcorrectlyclear up cached addresses on a restart. These failed restarts can lead to large amountsof leaked IP addresses that are no longer available for use until manually cleaned upvia SQL. The ClearCache.sh administration script cannot correct this situation since itwill also fail to clear the address cache in this situation. Customers should cap theirtotal caching at 30,000 IP addresses for each front-end node, proportionally reducingthe recommended cache sizes for their pools until the total is less than 30,000 IPaddresses. (PR 486733)

NDB nodes for the MySQL versions that ship with SBRC Release 7.3 cluster performbetterwhen thenumberof virtual processorsequals thenumberofphysical processors.Care must be taken to turn off the right virtual processors, to avoid turning an entirephysical CPU off and having two virtual processors run on one physical processor. Foran M3000 (a recommended platform), which defaults with eight virtual processors,the command to disable the extra processors is psradm -f 1 3 5 7. This command turnsoff every other virtual processor, leaving one virtual processor per physical processor.(PR 488756)

A new setting in the config.ini file for HeartBeatOrdermay alleviate certain issues.This isnotsetbydefault; itmustbeconfiguredmanually.Thischangecanbeappliedwith rolling restarts for most customers.

Forproper functioning, acertainproportionalitymustexistbetweeneachOSI stack-levelfailure condition, specifically between the NAS clients to the RADIUS front ends, theRADIUS S node to the D nodes, and among the ndb and dbapi nodes (M nodes to Dnodes). That dependency has to dowith timeout values associatedwithin the networkand the NDB itself.

RADIUS uses UDP as its transport. Network devices and OS stacks can be expectedto drop UDP packets under load conditions, and it is up to the application-levelretransmits to take effect. SBRC implements a packet cache to optimize respondingto a retransmitted RADIUS request. It does not have to do the authentication andback-end work to process the request a second time. Although values can change in



some use cases, normal RADIUS retransmit values are three retries to the same SBRCfront end with a 5-second delay between retries before attempting to transmit toanother front end. For values that are widely divergent from this, checkwith your salesengineer or JTAC.

The network between theSnodes and theDnodes has several timeout dependencies,as follows:

If using IPMP, the IPMPprobevalue shouldbe lower than twice theheartbeat timeoutappropriate for the connection. (Defaults for the S or M nodes to the D nodes arecontrolled by the /opt/JNPRhadm/config.ini file on the M nodes; the value is set byHeartBeatIntervalDbApi and is 1500ms by default, and the inter-D node timeout isHeartBeatIntervalueDbDb and is 200ms by default.) Widely divergent values mayimpact performance in the failure case, leading to unexpected outage.

HeartBeats are implemented in and among the D nodes so that failures are morequickly detected than the underlying TCP failure mechanism can detect. The initialdetection of fault happens after four times the HeartBeatInterval. After that isdetected, the D nodes attempt to repartition and form a valid cluster. This operationcan take several tomany seconds, depending on the type andmodeof failure: singleD node hard failures or hard networking loss are generally quickest; complete clustersplits (which, under the correct network design, require two underlying faults tooccur) and serious network faults (dropped connections and interfaces that aredown are detectable more easily than intermittent or one-way failing connectionscenarios) take longer to detect and compensate for.

Overall system load plays a part in fault recovery performance: many outstandingtransactions take longer to roll back than a few outstanding transactions.

During an extended loss of service due to significant failure (such as loss ofconnectivity between two halves of a cluster), SBRCmight need to reconnect to thenew cluster to continue processing, and failures of reconnection are managed bytimers set by the [Ndb] values DelayBetweenConnectRetriesSec andReconnectRetriesin in the dbclusterndb.gen file. Setting these values higher thanthedefaults canmake thesystemmore resilientat theexpenseofaperiodofdroppedRADIUS traffic. Setting TimeoutForFirstAliveSec and TimeoutAFterFirstALiveSeclower may also increase resiliency.

During processing, some NDB operations are designed to be retried to attempt toavoid lock contention. Setting the dbclusterndb.gen [Database] section Retries andDelayBetwenRetriesMillisec value higher can improve effective performance anddecreasedelays incaseswhere theunderlyingnetwork isprone to latencyordroppedpackets.

In cases where the underlying network is prone to short or long periods of latency,fault, or other unexpected cases, setting the values of HeartBeatInterval higher (andsetting all the proportionally related values appropriately) canmake the systemmore resilient. The trade-off is fast detection of serious failures (and after a failure,spending extra time setting up connections again) against the acceptance oftemporary processing delays due to minor faults that are otherwise survivable.



There is a known error in NDB for serious cluster failure (requiring automatic restartsof a node) under extended one-way traffic failure of the inter-D and SM-D network.Correct network design should not permit this to happen: IPMP probes with thecorrect values, for instance, cause this to fail over to a working link. TheHeartBeatOrder fixmentionedpreviously addresses temporary instancesof this typeof failure.

Certain, limited failure conditions (usually associated with serious, extended, andpathological network dysfunctions, mentioned previously) at restart may require amanual restart.

The default settings of CacheLowWater, CacheHighWater, and CacheChunkSizemay cause badly degraded performance. The defaults cannot bemade higherbecause one S node can pre-cache all the addresses in a small pool if theCacheLowWater is set higher than the number of addresses in a pool. Default to aCacheLowWaterandCacheChunkSize related to the transaction rateofnewaddressallocations for your installation so you are not too likely run out of addresses beforethe threads can fill up cache, and use Per-Pool settings to set any small poolsmuchlower than the default.

If performance is degraded, setting CacheThreadVerbose=1 and inspecting the logsfor "Emergency"allocations indicates that theCacheLowWaterandCacheChunkSizemay be too low. Another indicator is low CPU utilization on the front ends and highCPU utilization on ndb. (PR 543334)

If you start amanagement (mor sm) nodewithout running the configure 2 (createanewclusterdefinition)option,asyouwould in thecaseofa rolling restartupgradefromRelease 7.2.x to Release 7.3, you will seemultiple warnings such as thefollowing:

WARNING: 2010-11-30 15:25:23 [MgmtSrvr]WARNING -- at line 68: [api]Id is deprecated, use NodeId instead

These warnings can be safely ignored.

To avoid these warnings, make the following change in the /opt/JNPRhadm/config.inifile:

Change lines that read Id= to NodeId= on eachmanagementnode.

When using old style class attributes, SBRC cannotmatch the accounting startpacket to the phantom session, which can cause resource leaks. It is recommendedto use new style class attributes (set ClassAttributeStyle = 2 in radius.ini) with thisversion of SBRC. (PR 590221)



SIM Authentication

For EAP-SIM and EAP-AKA requests, the first byte of the request contains theEAP-Identifier thatSBRCarrierusestoselect theEAPmethod. If thisbyte is incorrect,SBR Carrier cannot properly identify and select the EAPmethod. In this case, SBRCarrier may respond with a protocol the client cannot support. If the client does notsupport NAK, and thus cannot respond with a NAK, the request fails. (PR 303268)

When the optional SIMModule is in use and SIMAUTH is used as an EAPmethod,changing the order of EAPmethods in SBRC Administrator does not take effect.Manually edit the eap.ini file to make the change. (PR 306868)

When using the SIM authenticationmodule with EAP-helper enabled and a profilechecklist with subattributes is in use, a false authorization can be returned. There isno workaround. In some cases, youmight be able to implement a valid check if thehelping authentication method is LDAP, because LDAP scripting may be able to workaround the checklist issue. (PR 310988)

CDR: the event timestamp value is incorrect in the CdrAccounts table. Although theevent timestamp in CDRs is always erroneously set to 1970-01-01 00:00:01(TZ=+00:00), the actual start time is present in AccStartTimeUTC. (PR 435470)

The UlticomSignalware communications stack that is accessed by the SIMauthenticationmodulemay generate false error messages in the Signalware log.When the stack is first accessed, an8057message is generated if everything isworkingproperly:

> 008057 26-Aug-2008 10:58:25 mercury.POP Info Signalware Application(s)

> Authorized.>After that, messages such as this example may be generated periodically as a countdown timer expires:

> 008056 26-Aug-2008 11:00:17 mercury.POP Critical Signalware > Application(s) Not Authorized: 60 Minutes Remaining to Authenticate>

These are false warnings that you can ignore.

SMSAuthorization

SMSauthorization is not enabled inRelease 7.3 of SBRCarrier. This is a known issuefor which there is no knownworkaround. (PR 566092)

SNMP

For the cluster version of SBRC, when address pools and ranges are configured inthe database (instead of configured locally), the following traps behave differentlyand indicate when the cache for a pool enters emergency state (the size becomeszero).The emergency continues until the cache size reaches or exceeds the configuredlow-water mark. The traps are sent under the following conditions:



funkSbrTrapIPAddrPoolLow Servicing a RADIUS request, SBR Carrier attemptsto get a new address from the pool and finds the cache is empty. The cache entersemergency state and SBR Carrier tries to refill it synchronously.

funkSbrTrapIPAddrPoolNormal In the cache-fill thread, the size of the queue hasreached or exceeded the low-water mark. (PR 249876)

WiMAXModule

WiMAX accounting records are too cryptic in the accounting log. Because Classattributes are presented in a binary format, some users may prefer not to log them.(PR 291646)

Caremust be taken to ensure the .aut file used for authentications is separate fromthe .aut file used for Authorize-Only requests, even though the two filesmay beusing the same database table. Also the authorizeOnly.aut file should not be able tohandle or pass any authentications. (PR 411144)

Smart Dynamic Home Agent (HA) Assignment can be used by the HAAA to assignthehHA-IP-MIP4address.The feature cannot currently beusedby theVAAAtoassignthe vHA-IP-MIP4 address. (PR 415662)

VisitedWiMAXnotworkingwhenproxy target isdeterminedbyascript.Thepresenceof "State" attribute processing determines how the request type is determined. Thefollowing script on the proxy is the solution. (PR 472642)

[Settings]LogLevel=2ScriptTraceLevel=2[Script]filter = new AttributeFilter();var state=filter.Get("State");if(state == null){ SbrWriteToLog("State is Null"); return "test"; # test is the realm being returned, matches a "pro" file.}else{return 0;}

Documentation Updates

Information in this section updates the published Steel-Belted Radius Carrier 7.3documentation set. The identifier in parentheses is the Problem Report number in ourbug database.



SNMP

If you have used the Solstice Enterprise Agents (SEA) SNMP utility in the past, thispackage is obsolete. It is possible to use the SNMP trap command supplied withSolaris SNMP as a replacement. The radiusd plug-in radiusd.net-snmp-5.0.9.sh isnow includedasasamplescript in the/opt/JNPRsbr/radius/samples/radiusddirectory.(PR 520180)

WiMAX

WimaxAcctFlows field is not populated by ShowSessions.sh when flow basedaccounting start has arrived. AlthoughWimaxAcctFlows is included in the sessiontable, it is not displayed by the ShowSessions script. This is normal, as it consists ofbinary data and is not readable. This needs to be documented in theWiMAX chapterof Steel-Belted Radius Carrier Reference Guide. (PR 440624)

sessionTable.ini

To enable the Acct-Multi-Session-Id attribute, the following line needs to be addedto the [AcctRequest] section of sessionTable.ini:AcctMultiSessionId=Acct-Multi-Session-Id. This attribute will not be returned by theldapsearch command, so it should be removed from the list on page 343 of theSteel-Belted Radius Carrier Administration and Configuration Guide. (PR 586258)

Installation

If running a four-way cluster of two pairs of mirrored NDB nodes with themirroredpairs in different data centers, after configuring, HeartBeatOrder should be setappropriate to the installation, as described in the /opt/JNPRhadm/config.ini file,and theM nodes and D nodes should be restarted in order. This needs to bedocumented in theconfig.ini chapter in theSteel-BeltedRadiusCarrierReferenceGuide.(PR 544966)

LDAP

The following issues refer to the Steel-Belted Radius Carrier Administration andConfiguration Guide.

The LDAP schema on page 345 has the following errors: radiusclass=nt-domain-user,nt-domain-group, nt-host-user and nt-host-group should be removed. Theradiusclass=client should include the following attribute: ip-address-range.

Figure 132 on page 346 needs to be changed as follows: radiusclass=ip-addr-pool onlyapplies to the standalone version, and not to the cluster. For radiusclass=proxy,description should be added to the attribute list. For radiusstatus=server, changeInvalid-Lists-Msg to Invalid-List-Msg.

In Figure 133 on page 347; radiusstatus=sessions_by_tribe is not supported,radiusstatus=sessions_by_mobile_session should be added; and username, tribe, andipaddressfrompool are not returned in the attribute list.


Documentation Updates

In Figure 134 on page 348, for stattype=authentication and stattype=accounting, adddropped-packet to the attributes list. The list of attributes returned by thestattype=server request does not match the current documentation:

start-time: 2011/01/27 10:41:28 up-time: 2916 ip-address: 10.13.20.46 version: v0.00.0 authentication-threads: 0 accounting-threads: 0 proxy-threads: 0 total-threads: 0 max-auth-threads: 100 max-acct-threads: 200 max-proxy-threads: 100 max-total-threads: 400 high-auth-threads: 1 high-acct-threads: 1 high-proxy-threads: 0 high-total-threads: 2 high-auth-threads-since-reset: 1 high-acct-threads-since-reset: 1 high-proxy-threads-since-reset: 0 high-total-threads-since-reset: 2

In Figure 135 on page 348, radiusstatus=tribes is not supported.

The following text, onpages348-9, is not correct. Theonly account allowed is "admin,"and thepassword is set through theLCI. TheBind requestmust referenceaSteel-BeltedRadius Carrier administrative account andmust provide the password thatauthenticates that account. This translates into the following command-line optionsfor each invocation of the LDAP utilities: -D ?cn= AdminName ,o=radius? -wAdminPassword, where AdminName is the administrative account name andAdminPassword is its password (PR 581742).



JDBC Plugins

Documentation on the JDBC driver class and connection URL need to be improved.(PR 418656).

Current Sessions Table

The field current-session-count has been added to the results for thestattype=server,radiusstatus=statisticsLCIquery.This reports thenumberofentriesin the current session table for the server. For a cluster, the number of session tableentrieswill be thenumberof entries for thewhole cluster,which is thesamenumberreported by the "ShowSessions.sh -c" script. This informationmust be documentedin the Steel-Belted Radius Carrier Reference Guide. (PR 594507)

Resolved Issues

Release 7.3

Lawful Intercept is not operational when Juniper NetworksMXSeries or ERX Seriesdevices are deployed. (PR 568968 and PR 390311)

The Auth Logs dialog in the Reports section of the SBRC Administrator does notcorrectly allow searching for events before a particular time and date. (PR 461691)

In cluster mode, SBR Carrier crashes on startup if the session database exists butno tables have been created. (PR 451019)

The OverwriteCstDataOnFailure feature that was introduced as a hotfix to theSBR/HARelease5.5xwasnot functional.Thishotfixwas introduced toenable sessiondatabase constraint violations to trigger replacement of old sessions by new sessionswhen Accounting-Stops are dropped by the network. (PR 309958)

Do not specify the -host option in the SignalwareMMLCREATE-PROCESS command, which is responsible for starting the authGatewayprocess used by the SIM Authenticationmodule.(PR 403141)

During a routed proxy authentication, inserted attributes are droppedwhen theauthentication includes a Challenge/Response sequence. (PR 480663)

Accounting Interim-Update isnotupdatingthephantomsession ifnoStarthasbeenreceived. (PR 515389)

WhenWiMAXmoduleenabled,SBRCaddsWiMAX-AAA-Session-IdtoAccess-Acceptfor non-WiMAX clients and the request is rejected. (PR 518605)

SBRC does not send an SNMP Trapwhen CST goes down. (PR 518792)

SBRCRFC-based SNMP stats counter does not resetwhen kill -USR2 PID is issued.(PR 524477)

Incomplete OIDs are sent to the trap host by the watchdog process. (PR 527924)

SSRDataNode does not reconnect automatically to the cluster when it is declareddead. (PR 531025)


Resolved Issues

Retry for hard error does not work in the .gen file whenMYSQL Server times out theconnection fromCarrier AAA. (PR 533164)

SBRCarrier configure script does not allow the use of a hyphen in the cluster name.(PR 534679)

LCI ldapsearch against reply-list (which by default uses -s sub) should return oneoutput per user, instead it returns toomany entries. (PR 542231)

SBRCAuth/Acct/Proxy thread settings are not updated correctly in the statlog. (PR546521)

Proxy SBRC server alters the state attribute resulting in access reject. (PR 574213)

LCI interface becomes nonresponsive after it serves a request from a bad TCPconnection. (PR 574522)

LogCallingStationId does not log when the parameter is defined under the[Configuration] sectionof radius.ini. This shouldbemoved to the [Logging] section.(PR 575541)

SBRC proxy server cores when it receives an Access-Reject with a reply-messagehavingmore than 40 characters. (PR 576370)

The RAM usage increases when SBRC reinitializes the settings by HUP signal. (PR576717)

SBRC truncates and drops replymessages. (PR 578305)

The use of structured attributes as part of authentication against LDAP fails. (PR581282)

XML export, replication, and debug-logging fails. (PR 581602)

The round robingroupsetappears tomisseveryother round-robin set. (PR589469)

Error Unknown Class SAVP received: 82 is recorded in the .log file. (PR 589537)

Class attributes need to be included in accounting requests in order for CDRaccounting to work properly. (PR 571405)

Regardless of the LogLevel setting, the followingmessages are incorrectly loggedfor every SBRC proxy accept response during the use of a non-challengeauthenticationmethod, such as PAP:

Proxy challenge state not found

No saved attributes retrieved for session key

Thesemessages do not indicate an error condition and can be ignored. (PR 578584)

SBRC crashesmultiple times while handling production traffic. (PR 585255)

LOCAL Tunnel Concurrency fails in HA 5.5. (PR 434571)

Whenconfigured forbothOracleandLDAPbackendsupport, LDAPauthenticationsmight cause SBRC to shut down unexpectedly. (PR 594403)

NDBversionupgradedto7.1.10,whichcontainsanewConnectivityCheckmechanismto helpmanage failures due to inter-D node latency. (PR 523958)



Related Documentation

Requests for Comments (RFCs)

The Internet Engineering Task Force (IETF) maintain an online repository of Request forComments (RFC)s online at http://www.ietf.org/rfc.html. Table 3 on page 23 lists theRFCs that apply to Steel-Belted Radius Carrier.

Table 3: RFCs Related to the Steel-Belted Radius Carrier

TitleRFC Number

Domain Names - Implementation and Specification. P. Mockapetris. November 1987.RFC 1035

Structure and Identification of Management Information for TCP/IP-based Internets.M. Rose, K.McCloghrie, May 1990.

RFC 1155

Management Information Base for Network Management of TCP/IP-based internets: MIB-II. K.McCloghrie, M. Rose, March 1991.

RFC 1213

The Definitions of Managed Objects for IP Mobility Support using SMIv2. D. Cong and others.October 1996.

RFC 2006

The TLS Protocol. T. Dierks, C. Allen. January 1999.RFC 2246

An Architecture for Describing SNMPManagement Frameworks. D. Harrington, R. Presuhn, B.Wijnen, January 1998.

RFC 2271

PPP Extensible Authentication Protocol (EAP). L. Blunk, J. Volbrecht, March 1998.RFC 2284

Microsoft PPP CHAP Extensions. G. Zorn, S. Cobb, October 1998.RFC 2433

Microsoft Vendor-specific RADIUS Attributes. G. Zorn. March 1999.RFC 2548

Proxy Chaining and Policy Implementation in Roaming. B. Aboba, J. Vollbrecht, June 1999.RFC 2607

RADIUS Authentication Client MIB. B. Aboba, G. Zorn. June 1999.RFC 2618

RADIUS Authentication Server MIB. G. Zorn, B. Aboba. June 1999RFC 2619

RADIUS Accounting Client MIB. B. Aboba, G. Zorn. June 1999.RFC 2620

RADIUS Accounting Server MIB. G. Zorn, B. Aboba. June 1999.RFC 2621

PPP EAP TLS Authentication Protocol. B. Aboba, D. Simon, October 1999.RFC 2622

Implementation of L2TP Compulsory Tunneling via RADIUS. B. Aboba, G. Zorn. April 2000.RFC 2809

RemoteAuthenticationDial InUserService (RADIUS).C.Rigney,S.Willens,A.Rubens,W.Simpson.June 2000.

RFC 2865


Related Documentation

Table 3: RFCs Related to the Steel-Belted Radius Carrier (continued)

TitleRFC Number

RADIUS Accounting. C. Rigney. June 2000.RFC 2866

RADIUS Accounting Modifications for Tunnel Protocol Support.G. Zorn, B. Aboba, D. Mitton. June2000.

RFC 2867

RADIUSAttributes for Tunnel Protocol Support.G.Zorn,D. Leifer, A. Rubens, J. Shriver,M.Holdrege,I. Goyret. June 2000.

RFC 2868

RADIUS Extensions. C. Rigney, W.Willats, P. Calhoun. June 2000.RFC 2869

Network Access Servers Requirements: Extended RADIUS Practices. D. Mitton. July 2000.RFC 2882

DHCP Relay Agent Information Option.M. Patrick. January 2001.RFC 3046

Authentication for DHCPMessages. R.Droms and others. June 2001.RFC 3118

RADIUS and IPv6. B. Aboba, G. Zorn, D. Mitton. August 2001.RFC 3162

IP Mobility Support for IPv4. C. Perkins. August 2002.RFC 3344

Authentication, Authorization, and Accounting (AAA) Transport Profile. B. Aboba, J. Wood. June2003.

RFC 3539

IANA Considerations for RADIUS (Remote Authentication Dial-In User Service). B. Aboba, July2003.

RFC 3575

RFC3576 - Dynamic Authorization Extensions to Remote to Remote Authentication Dial In UserService. NetworkWorking Group, 2003

RFC 3576

RADIUS (Remote Authentication Dial In User Service) Support For Extensible AuthenticationProtocol (EAP). B. Aboba, P. Calhoun, September 2003.

RFC 3579

IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines. P. Congdon,B. Aboba, A. Smith, G. Zorn, J. Roese, September 2003.

RFC 3580

Extensible Authentication Protocol. B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, H. Levkowetz.June 2004.

RFC 3748

Authentication, Authorization, and Accounting (AAA) Registration Keys for Mobile IPv4.C. Perkinsand P. Calhoun. March 2005.

RFC 3957

Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs. D. Stanleyand others. March 2005.

RFC 4017

Extensible Authentication Protocol Method for Global System for Mobile Communications (GSM)Subscriber Identity Modules (EAP-SIM). H. Haverinen, J. Salowey. January 2006.

RFC 4186

Extensible Authentication Protocol Method for Global System for 3rd Generation Authenticationand Key Agreement (EAP-AKA). J. Arkko, H. Haverinen. January 2006.

RFC 4187



Table 3: RFCs Related to the Steel-Belted Radius Carrier (continued)

TitleRFC Number

The Network Access Identifier. B. Aboba and others. December 2005.RFC 4282

Identity Selection Hints for the Extensible Authentication Protocol (EAP). F. Adrangi, V. Lortz, F.Bari, P. Eronen. January 2006.

RFC 4284

Chargeable User Identity. F. Adrangi and others. January 2006.RFC 4372

Lightweight Directory Access Protocol (LDAP) Technical Specification Road Map. K. Zeilenga,June 2006.

RFC 4510

Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated ProtocolVersion 0 (EAP-TTLSv0) P. Funk, S. Blake-Wilson. August 2008.

RFC 5281

3GPP and 3GPP2 Technical Specifications

The 3rd Generation Partnership Project (3GPP) and (3GPP2) maintains an onlinerepository of Technical Specifications and Technical Reports online at http://www.3gpp.org and http://www.3gpp2.org, respectively.

WiMAX Technical Specifications

TheWiMAX Forum Networking Group (NWG)maintains a repository of technicaldocuments and specifications online at http://www.wimaxforum.org. You can also viewtheWiMAX IEEE standards, 802.16e-2005 formobileWiMAX and 802.16-2004 for fixedWiMAX, online at http://www.ieee.org.

Third-Party Products

For information about configuring your Ulticom software and hardware, or your accessservers and firewalls, consult the manufacturers documentation.

General Statement of Compliance

Table 4 on page 25 lists Steel-Belted Radius Carrier Release 7.3 compliance withapplicable RFCs.

Table 4: Compliance of Steel-Belted Radius Carrier Release 7.3 with Applicable RFCs

NotesNameRFC Number

Structure and Identification of Management Informationfor TCP/IP-based Internets

1155

Management Information Base for Network Managementof TCP/IP-based internets: MIB-II

1213

Obsoleted by RFC 2138Remote Authentication Dial In User Service2058

Obsoleted by RFC 2139RADIUS Accounting2059



Table4:ComplianceofSteel-BeltedRadiusCarrierRelease7.3withApplicableRFCs(continued)

NotesNameRFC Number

Ascend Tunnel Management Protocol2107

Obsoleted by RFC 2865Remote Authentication Dial In User Service2138

Obsoleted by RFC 2866RADIUS Accounting2139

Obsoleted by RFC 2271An Architecture for Describing SNMPManagementFrameworks

2271

Updated by RFC 2484PPP Extensible Authentication Protocol (EAP)2284

Microsoft PPP CHAP Extensions2433

Microsoft Vendor-specific RADIUS Attributes2548

Proxy Chaining and Policy Implementation in Roaming2607

Obsoleted by RFC 4668RADIUS Authentication Client MIB2618

Obsoleted by RFC 4669RADIUS Authentication Server MIB2619

Obsoleted by RFC 4670RADIUS Accounting Client MIB2620

Obsoleted by RFC 4671RADIUS Accounting Server MIB2621

Obsoleted by RFC 5216PPP EAP TLS Authentication Protocol2716

ImplementationofL2TPCompulsoryTunnelingviaRADIUS2809

Remote Authentication Dial In User Service (RADIUS).2865

RADIUS Accounting2866

RADIUS Accounting Modifications for Tunnel ProtocolSupport

2867

RADIUS Attributes for Tunnel Protocol Support2868

RADIUS Extensions2869

Network Access Servers Requirements: Extended RADIUSPractices

2882

Generic AAA Architecture2903

AAA Authorization Framework2904

AAA Authorization Requirements2905




NotesNameRFC Number

AAA Authorization Requirements2906

Mobile IP Authentication, Authorization, and AccountingRequirements

2977

Criteria for Evaluating AAA Protocols for Network Access2989

Mobile IPv4 Challenge/Response Extensions3012

RADIUS and IPv63162

IANA Considerations for RADIUS (Remote AuthenticationDial In User Service)

3575

RADIUS (Remote Authentication Dial In User Service)Support For Extensible Authentication Protocol (EAP)

3579

IEEE 802.1X Remote Authentication Dial In User Service(RADIUS) Usage Guidelines

3580

Extensible Authentication Protocol (EAP)3748

Certificate Extensions and Attributes SupportingAuthentication in Point-to-Point Protocol (PPP) andWireless Local Area Networks

3770

Remote Authentication Dial-In User Service (RADIUS)Attributes Suboption for the Dynamic Host ConfigurationProtocol (DHCP) Relay Agent Information Option

4014

Extensible Authentication Protocol (EAP) MethodRequirements for Wireless LANs

4017

Not supportedDiameter Extensible Authentication Protocol (EAP)Application

4072

State Machines for Extensible Authentication Protocol(EAP) Peer and Authenticator

4137

Extensible Authentication Protocol Method for GlobalSystem for Mobile Communications (GSM) SubscriberIdentity Modules (EAP-SIM)

4186

Extensible Authentication Protocol Method for 3rdGenerationAuthenticationandKeyAgreement (EAP-AKA)

4187

Identity Selection Hints for the Extensible AuthenticationProtocol (EAP)

4284




NotesNameRFC Number

Certificate Extensions and Attributes SupportingAuthentication in Point-to-Point Protocol (PPP) andWireless Local Area Networks (WLAN)

4334

Chargeable User Identity4372

Obsoleted by RFC 5090RADIUS Extension for Digest Authentication4590

Additional Values for the NAS-Port-Type Attribute4603

Previousversion (RFC2618)supportedRADIUS Authentication Client MIB for IPv64668

Previousversion (RFC2619) supportedRADIUS Authentication Server MIB for IPv64669

Previousversion(RFC2220)supportedRADIUS Accounting Client MIB for IPv64670

Previousversion (RFC2221) supportedRADIUS Accounting Server MIB for IPv64671

Not supportedRADIUS Dynamic Authorization Client MIB4672

Not supportedRADIUS Dynamic Authorization Server MIB4673

Not supportedRADIUS Attributes for Virtual LAN and Priority Support4675

Not supportedDSL Forum Vendor-Specific RADIUS Attributes.4679

Not supportedExtensible Authentication Protocol (EAP) PasswordAuthenticated Exchange

4746

Not supportedExtensible Authentication Protocol Method forShared-secret Authentication and Key Establishment(EAP-SAKE)

4763

Not supportedThe EAP-PSK Protocol: A Pre-Shared Key ExtensibleAuthentication Protocol (EAP) Method.

4764

EAP-32The EAP Protected One-Time Password Protocol(EAP-POTP)

4793

RADIUS Delegated-IPv6-Prefix Attribute.4818

RADIUS Filter Rule Attribute4849

Not supportedMobile IPv6 Operation with IKEv2 and the Revised IPsecArchitecture.

4877

Guidance forAuthentication,Authorization, andAccounting(AAA) Key Management

4962




NotesNameRFC Number

Mobile IPv4 RADIUS Requirements5030

Common Remote Authentication Dial In User Service(RADIUS) Implementation Issues and Suggested Fixes

5080

The Extensible Authentication Protocol-Internet KeyExchange Protocol version 2 (EAP-IKEv2) Method

5106

Handover Key Management and Re-AuthenticationProblem Statement

5169

Dynamic Authorization Extensions to RemoteAuthentication Dial In User Service (RADIUS)

5176

Previousversion(RFC2716)supportedThe EAP-TLS Authentication Protocol5216

MIPv6 not supported3GPP2 X.S0011-D, Version: 1.0, Version Date: February,2006

Extensible Authentication Protocol Tunneled TransportLayer Security Authenticated Protocol Version 0(EAP-TTLSv0) P. Funk, S. Blake-Wilson. August 2008.

5281

Table 5 on page 29 lists the protocols supported in Steel-Belted Radius Carrier Release7.3.

Table 5: Protocols Supported in SBRC Carrier Release 7.3

NotesProtocol

UDP

IPv4

NAS-server onlyIPv6

DHCP v2

DHCP v3

LDAP v2

Not LCILDAP v3

JDBC

Oracle (SQL)



Table 5: Protocols Supported in SBRC Carrier Release 7.3 (continued)

NotesProtocol

ConfigurationXML

AdminHTTP v1.1

Except CRs 801, 823, OMA/DMWiMAX NWG 1.2.2

3GPP2

3GPP2 X.S0011-D

RADIUS only3GPP

WLAN UE23.234 (RADIUS)

G1 and Pk reference points29.061 (RADIUS)

RADIUS only Interface E5TISPAN

ES282.001

ES282.004

ES283.034

ES283.035

SBR Carrier Documentation and Release Notes

For a list of related SBR Carrier documentation, see http://www.juniper.net/support/products/carrier/carrier/.

If the information in the latest release notes differs from the information in thedocumentation, follow the Steel-Belted Radius Carrier Release Notes.

To obtain themost current version of all Juniper Networks technical documentation, seethe products documentation page on the Juniper NetworksWeb site at http://www.juniper.net/techpubs/.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we canimprove the documentation to better meet your needs. Send your comments [email protected], or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport. If you are using e-mail, be sure to includethe following information with your comments:



Document name

Document part number

Page number

Software release version

Requesting Technical Support

Technical product support is available through the JuniperNetworksTechnicalAssistanceCenter (JTAC). If you are a customer with an active J-Care or JNASC support contract,or are covered under warranty, and need post-sales technical support, you can accessour tools and resources online or open a case with JTAC.

JTAC PoliciesFor a complete understanding of our JTAC procedures and policies,review the JTACUserGuide located at http://www.juniper.net/customers/support/downloads/710059.pdf

ProductWarrantiesForproductwarranty information, visithttp://www.juniper.net/support/warranty/

JTAC Hours of OperationThe JTAC centers have resources available 24 hours a day,7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an onlineself-service portal called the Customer Support Center (CSC) that provides youwith thefollowing features:

Find CSC offerings:

http://www.juniper.net/customers/support/

Search for known bugs:

http://www2.juniper.net/kb

Find product documentation:

http://www.juniper.net/techpubs/

Find solutions and answer questions using our Knowledge Base:

http://kb.juniper.net/

Download the latest versions of software and review release notes:

http://www.juniper.net/customers/csc/software/

Search technical bulletins for relevant hardware and software notifications:

https://www.juniper.net/alerts/

Join and participate in the Juniper Networks Community Forum:



http://www.juniper.net/company/communities/

Open a case online in the CSC Case Manager:

http://www.juniper.net/cm/

Toverify serviceentitlementbyproduct serial number, useourSerialNumberEntitlement(SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Casewith JTAC

You can open a case with JTAC on theWeb or by telephone.

Use the Case Manager tool in the CSC at http://www.juniper.net/cm/

Call 1-888-314-JTAC (1-888-314-5822 toll free in the USA, Canada, and Mexico)

For international or direct-dial options in countries without toll-free numbers, visit http://www.juniper.net/support/requesting-support.html

When you are running SBRC Administrator, you can chooseWeb > Steel-Belted RadiusCarrier User Page to access a special home page for Steel-Belted Radius Carrier users.

When you contact technical support, be ready to provide:

Your Steel-Belted Radius Carrier release number (for example, Steel-Belted RadiusCarrier Release 7.3).

Information about the server configuration and operating system, including any OSpatches that have been applied.

For licensedproducts under a currentmaintenance agreement, your license or supportcontract number.

A detailed description of the problem.

Any documentation that may help in resolving the problem, such as error messages,core files, compiler listings, and error or RADIUS log files.

Revision History

March 2011FRS SBR Carrier Release 7.3

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the UnitedStates and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All othertrademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that areowned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312,6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Ulticom, Signalware, Programmable Network, Ultimate Call Control, and Nexworx are registered trademarks of Ulticom, Inc. Kineto andthe Kineto Logo are registered trademarks of KinetoWireless, Inc. Software Advancing Communications and SignalCare are trademarksandservicemarksofUlticom, Inc.CORBA(CommonObjectRequestBrokerArchitecture) is a registered trademarkof theObjectManagement



Group (OMG).Raima,RaimaDatabaseManager andRaimaObjectManager are trademarksofBirdstepTechnology. Sun, SunMicrosystems,the Sun logo, Java, Solaris, and all trademarks and logos that contain Sun, Solaris, or Java are trademarks or registered trademarks of SunMicrosystems, Inc. in the United States and other countries. MySQL and the MySQL logo are registered trademarks of MySQL AB in theUnited States, the European Union, and other countries. All other trademarks, service marks, registered trademarks, or registered servicemarks are the property of their respective owners. All specifications are subject to change without notice.

Contains software copyright 20002010 by MySQL AB, distributed under license.

Portions of this software copyright 19992009Apasphere Ltd. This product includes omniOrb CORBA software fromApasphere Ltd, underthe LGPL license: The libraries in omniORB are released under the LGPL license.

Portions of this software copyright 2003-2009 LevWalkin All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions aremet:

1. Redistributions of source codemust retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary formmust reproduce the above copyright notice, this list of conditions and the following disclaimer in thedocumentation and/or other materials provided with the distribution.

THISSOFTWAREISPROVIDEDBYTHEAUTHORANDCONTRIBUTORS``ASIS''ANDANYEXPRESSORIMPLIEDWARRANTIES, INCLUDING,BUTNOTLIMITEDTO,THE IMPLIEDWARRANTIESOFMERCHANTABILITYANDFITNESSFORAPARTICULARPURPOSEAREDISCLAIMED.IN NO EVENT SHALL THE AUTHOROR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, ORCONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODSOR SERVICES; LOSS OFUSE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED ANDON ANY THEORY OF LIABILITY, WHETHER INCONTRACT,STRICTOROTHERWISE)ARISING INANYWAYOUTOFTHEUSEOFTHISSOFTWARE,EVEN IFADVISEDOFTHEPOSSIBILITYOF SUCH DAMAGE.

Portions of this software copyright 1989, 1991, 1992 by Carnegie Mellon UniversityDerivativeWork1996, 19982009 Copyright 1996, 19982009. The Regents of the University of California All Rights Reserved. Permissionto use, copy, modify and distribute this software and its documentation for any purpose and without fee is hereby granted, provided thatthe above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supportingdocumentation, and that the name of CMU and The Regents of the University of California not be used in advertising or publicity pertainingto distribution of the software without specific written permission.

CMU AND THE REGENTS OF THE UNIVERSITY OF CALIFORNIA DISCLAIM ALLWARRANTIESWITH REGARD TO THIS SOFTWARE,INCLUDING ALL IMPLIEDWARRANTIES OFMERCHANTABILITY AND FITNESS. IN NO EVENT SHALL CMUOR THE REGENTS OF THEUNIVERSITYOFCALIFORNIABELIABLEFORANYSPECIAL, INDIRECTORCONSEQUENTIALDAMAGESORANYDAMAGESWHATSOEVERRESULTING FROMTHE LOSSOF USE, DATAOR PROFITS,WHETHER IN AN ACTIONOF CONTRACT, NEGLIGENCE OROTHER TORTIOUSACTION, ARISING OUT OF OR IN CONNECTIONWITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Portions of this software copyright 20012009, Networks Associates Technology, Inc. All rights reserved. Redistribution and use in sourceand binary forms, with or without modification, are permitted provided that the following conditions are met:



3. Neither the name of the Networks Associates Technology, Inc nor the names of its contributors may be used to endorse or promoteproducts derived from this software without specific prior written permission.

THISSOFTWAREISPROVIDEDBYTHECOPYRIGHTHOLDERSANDCONTRIBUTORSAS ISANDANYEXPRESSORIMPLIEDWARRANTIES,INCLUDING, BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OFMERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSEARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,INCIDENTAL,SPECIAL,EXEMPLARY,ORCONSEQUENTIALDAMAGES(INCLUDING,BUTNOTLIMITEDTO,PROCUREMENTOFSUBSTITUTEGOODSOR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED ANDON ANY THEORYOF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OROTHERWISE) ARISING IN ANYWAYOUTOF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.



Portions of this software are copyright 20012009, Cambridge Broadband Ltd. All rights reserved. Redistribution and use in source andbinary forms, with or without modification, are permitted provided that the following conditions are met:



3. The name of Cambridge Broadband Ltd. may not be used to endorse or promote products derived from this software without specificprior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AS IS AND ANY EXPRESS OR IMPLIEDWARRANTIES, INCLUDING, BUTNOT LIMITED TO, THE IMPLIEDWARRANTIES OFMERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, ORCONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODSOR SERVICES; LOSS OFUSE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED ANDON ANY THEORY OF LIABILITY, WHETHER INCONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OROTHERWISE) ARISING IN ANYWAYOUTOF THE USE OF THISSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Portions of this software copyright 19952009 Jean-loup Gailly and Mark Adler This software is provided 'as-is', without any express orimplied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted toanyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to thefollowing restrictions:

1. The origin of this software must not bemisrepresented; youmust not claim that you wrote the original software. If you use this softwarein a product, an acknowledgment in the product documentation would be appreciated but is not required.

2. Altered source versions must be plainly marked as such, andmust not bemisrepresented as being the original software.

3. This notice may not be removed or altered from any source distribution.

HTTPClient package Copyright 19962009 Ronald Tschalr ([email protected])

This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as publishedby the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful, but WITHOUT ANYWARRANTY; without even the implied warranty ofMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. For a copyof the GNU Lesser General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307,USA.

Copyright (c) 20002009 The Legion Of The Bouncy Castle (http://www.bouncycastle.org)

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the"Software"), to deal in theSoftwarewithout restriction, includingwithout limitation the rights to use, copy,modify,merge, publish, distribute,sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the followingconditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUTWARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TOTHEWARRANTIES OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THEAUTHORSORCOPYRIGHTHOLDERSBELIABLEFORANYCLAIM,DAMAGESOROTHERLIABILITY,WHETHERINANACTIONOFCONTRACT,TORT OROTHERWISE, ARISING FROM, OUT OF OR IN CONNECTIONWITH THE SOFTWARE OR THE USE OROTHER DEALINGS IN THESOFTWARE.



ContentsRelease OverviewBefore You StartDocumentation

Release HighlightsEnhancements in Logging ModuleEnhancement to AutoStop FeatureSession Limit License EnhancementsPre-loading the libumem AllocatorService Level Manager (SLM) Client SupportNew Parameter Added to the sessionTable.ini File

System RequirementsSoftwarePerl

Supported BrowsersExternal Database RequirementsSignalware and SS7 Interface Requirements

Modified Open-Source SoftwareMigrating from Earlier SBRC ReleasesMigrating from Earlier SBRC Standalone Server ProductsSupported Releases for Standalone Server

Migrating from SBR Release 5.5 High AvailabilityUsing a Transition Server

Known Problems and LimitationsCDMACoA/DMFiltersLDAP AuthenticationLoggingReplicationSBRC AdministratorSBRC CoreSession State Register ModuleSIM AuthenticationSMS AuthorizationSNMPWiMAX Module

Documentation UpdatesSNMPWiMAXsessionTable.iniInstallationLDAPJDBC PluginsCurrent Sessions Table

Resolved IssuesRelease 7.3

Related DocumentationRequests for Comments (RFCs)3GPP and 3GPP2 Technical SpecificationsWiMAX Technical SpecificationsThird-Party Products

General Statement of ComplianceSBR Carrier Documentation and Release NotesDocumentation FeedbackRequesting Technical SupportSelf-Help Online Tools and ResourcesOpening a Case with JTAC

sbrc-7-3-release note.pdf1

Documents

sbr release

sbr carrier documentation

sbrc performance

earlier sbrc releases

contents release overview

new software

sbrc administrator application

sbrc administrator11sbrc