7.5.0 R1 Release Notes - Juniper Networks


Steel-Belted Radius® Carrier Release Notes

Release 7.5.0
January 2013
Revision 2

These Release Notes support Release 7.5.0 of Steel-Belted Radius Carrier (SBRC). Before you install or use your new software, read these Release Notes in their entirety, especially “Known Problems and Limitations.”

Contents

Release Overview
    Before You Start
    Documentation
Release Highlights
    Upgrade of RAIMA RDM Embedded Database
    Support for a Solaris 11 Platform
    Addition of a Low-End Session State Register License
    Removal of Deprecated Code
    Enhancement to SSR Update on Interim
    New Parameter Added to the wimax.ini File
    Two New Parameters Added to the RealmName.pro File
    Addition of a Transaction-Based License
    Improvements to the LDAP Authentication Plug-in
    Support for the Chrome Browser in Linux
    Version Numbering for Authentication and Accounting Plug-ins
System Requirements
    Software
        Perl
        LDAP Plug-in
    Supported Browsers
    External Database Requirements
    Signalware and SS7 Interface Requirements
Modified Open-Source Software
Migrating from Earlier SBR Carrier Releases
    Migrating from Earlier SBR Carrier Standalone Server Products
Known Problems and Limitations
    JavaScripting
    CDMA
    COA/DM
    Filters
    LDAP Authentication
    SBR Administrator
    SBRC Core
    SSR
    SIM Authentication
    Logging
    Installation
    Proxy Spooling
Documentation Updates
    Installation
    Session State Register Module
Resolved Issues
    Release 7.5.0
Related Documentation
    Requests for Comments (RFCs)
    WiMAX Technical Specifications
    Third-Party Products
General Statement of Compliance
SBR Carrier Documentation and Release Notes
Documentation Feedback
Requesting Technical Support
    Self-Help Online Tools and Resources
    Opening a Case with JTAC
Revision History

Copyright © 2013, Juniper Networks, Inc.


Release Overview

These release notes cover Release 7.5.0 of the Juniper Networks Steel-Belted Radius Carrier product.

Before You Start

Before you use your new software, read these Release Notes in their entirety, especially the section Known Problems and Limitations.

Documentation

Table 1 lists and describes the Steel-Belted Radius Carrier documentation set:

Table 1: Steel-Belted Radius Carrier Documentation

Document: Steel-Belted Radius Carrier Installation Guide
Description: Describes how to install the Steel-Belted Radius Carrier software on the server and the SBRC Administrator application on a client workstation.

Document: Steel-Belted Radius Carrier Administration and Configuration Guide
Description: Describes how to configure and operate the Steel-Belted Radius Carrier and its separately licensed modules.

Document: Steel-Belted Radius Carrier Reference Guide
Description: Describes the settings and valid values of the Steel-Belted Radius Carrier configuration files.

Document: Steel-Belted Radius Carrier Performance, Planning, and Tuning Guide
Description: Provides tips, use cases, and tools you need to:
• Improve SBRC performance through planning, analysis, and configuration
• Increase SBRC throughput and reliability
• Analyze specific use cases, in the lab or in the production environment, to identify areas of potential performance enhancement and to limit the impact of resource constraints and failure scenarios

Document: Steel-Belted Radius Carrier Release Notes
Description: Contains the latest information about features, changes, known problems, and resolved problems in Release 7.5.0.

NOTE: If the information in the Release Notes differs from the information in any guide, follow the Release Notes.

You can find these release notes in Adobe Acrobat (PDF) format on the Juniper Networks Technical Publications Web page, which is located at:

http://www.juniper.net/support/products/carrier/carrier/

Release Highlights

Highlights include the following product enhancements:


Upgrade of RAIMA RDM Embedded Database

Steel-Belted Radius Carrier 7.5.0 supports the latest version of the RAIMA RDM Embedded database. The RAIMA RDM Embedded database is upgraded from RDME version 7.0 to 11.0 when running the configure script.

NOTE: The RAIMA RDM Embedded database upgraded to the new version 11.0 cannot be downgraded to the old version. Make sure that the old version of the database is backed up.

For more information about RAIMA RDM Embedded database, see the Steel-Belted Radius Carrier Installation Guide.

Support for a Solaris 11 Platform

Steel-Belted Radius Carrier 7.5.0 supports the Solaris 11 operating system. You can install and run SBR Carrier on a Solaris 11 platform. If you upgrade the operating system from Solaris 10 to Solaris 11, SBR can be directly used without any additional requirement.

For more information about Solaris 11 support, see the Steel-Belted Radius Carrier Installation Guide.

Addition of a Low-End Session State Register License

Three different licenses are available for the Steel-Belted Radius Carrier Session State Register cluster kit:

• Regular starter kit license – Exists in previous releases and provides two data node licenses and two management node licenses. It does not impose any restriction on the expansion kit or concurrent sessions. (SBR-SSR-START)

• Restricted cluster session license – Is introduced in this release and provides two data node licenses and two management node licenses. It imposes a restriction on the number of concurrent sessions, which is 100,000. It does not allow you to add any expansion kit licenses to that cluster. (SBR-SSR-LIMITED)

• Upgrade cluster license – Is introduced in this release and is available to enable you to upgrade from a restricted cluster to a regular cluster. It only removes the restriction on the number of concurrent sessions and enables the addition of an expansion kit license. (SBR-SSR-UPG)

For more information about the low-end Session State Register license, see the Steel-Belted Radius Carrier Administration and Configuration Guide and Steel-Belted Radius Carrier Installation Guide.

Removal of Deprecated Code

Unused and deprecated code has been removed to improve the performance of Steel-Belted Radius Carrier 7.5.0. Additionally, the extended proxy setting (realm support) is always enabled.


Enhancement to SSR Update on Interim

Steel-Belted Radius Carrier 7.5.0 supports updating the Current Session Table (CST) with additional attributes received in the Accounting-Interim packet. Enhancement to the UpdateOnInterim feature has been made in the radius.ini file.

In the radius.ini file, you can specify the ForceUpdate parameter with additional attributes to update the CST.

NOTE: The ForceUpdate parameter is valid only if the UpdateOnInterim parameter is set to 1.

Additional accounting attributes that can be updated include the following:

• User-Name

• NAS-IP-Address

• NAS-Port

• Calling-Station-ID

• NAS-Port-Type

For more information about the ForceUpdate parameter, see the Steel-Belted Radius Carrier Reference Guide.

New Parameter Added to the wimax.ini File

In the [Settings] section of the wimax.ini file, the DisableHaPhantom parameter has been newly added. This parameter enables or disables the creation of phantom records for authentication messages from the home agent.

• If set to 0, phantom records are created for authentication messages from the home agent.

• If set to 1, phantom records are not created for authentication messages from the home agent.

Default value is 0.

For more information about the DisableHaPhantom parameter, see the Steel-Belted Radius Carrier Reference Guide.

Two New Parameters Added to the RealmName.pro File

In the RealmName.pro file, the RetryCount and SendStatusServer parameters have been newly added.

The SendStatusServer parameter specifies the type of strobe request sent to verify the status of the target server. This parameter is used along with the RetryCount parameter to check the status of the target server before continuing with spooled proxy accounting request retries.


• If set to 1, the Status-Server type message is sent as a strobe request.

• If set to 0, the current authentication or accounting packet is sent as a strobe request.

Default value is 0.

The RetryCount parameter works with the proxy fast-fail mechanism and applies only to spooled proxy accounting and specifies the number of times a spooled proxy accounting request is retransmitted if an acknowledgment from the target system is not received after a successful strobe attempt. If the number of retries is exhausted, then the original request is dropped. Default value is 0.

For more information about the RetryCount and SendStatusServer parameters, see the Steel-Belted Radius Carrier Reference Guide.

Addition of a Transaction-Based License

Steel-Belted Radius Carrier 7.5.0 provides an optional transaction-based license, which allows proxy transactions when there is no additional session license. This license is applicable only if you do not have a session license.

For more information about the transaction-based license, see the Steel-Belted Radius Carrier Administration and Configuration Guide.

Improvements to the LDAP Authentication Plug-in

Steel-Belted Radius Carrier 7.5.0 supports the usage of the OpenLDAP-based version of LDAP libraries in both Linux and Solaris, replacing the Mozilla LDAP C SDK libraries used previously.

The LDAP plug-in uses OpenLDAP-2.4.32 libraries, which in turn depend on OpenSSL-1.0.0j libraries. Only the required libraries are placed in the system as part of SBR installation. If you upgrade the OpenSSL package to the latest version, you may have to update OpenSSH if the latest version uses it.

Incorrect configurations in the ldapauth.aut file (for example, keeping the attribute list empty) and restarting SBR may result in an abnormal termination of SBR.

For more information about the LDAP database, see the Steel-Belted Radius Carrier Administration and Configuration Guide and the Steel-Belted Radius Carrier Reference Guide.

Support for the Chrome Browser in Linux

Steel-Belted Radius Carrier 7.5.0 supports the Google Chrome browser on a Linux platform. Refer to Table 2 for the list of supported browser versions and operating systems.

For more information about supported browsers, see the Steel-Belted Radius Carrier Administration and Configuration Guide.


Version Numbering for Authentication and Accounting Plug-ins

Steel-Belted Radius Carrier 7.5.0 includes version numbering for authentication and accounting plug-ins that are installed by Steel-Belted Radius Carrier. This version information is captured in the startup and system log files. If plug-ins without version information are used, the log files record these plug-ins without version information.

For more information about version numbering for authentication and accounting plug-ins, see the Steel-Belted Radius Carrier Administration and Configuration Guide.

System Requirements

For complete details about the hardware and software requirements for running a standalone Steel-Belted Radius Carrier server or the optional SBR Carrier Session State Register (SSR), see “Meeting System Requirements” in the Steel-Belted Radius Carrier Installation Guide.

Software

The Steel-Belted Radius Carrier server runs on both Oracle Solaris 10 and 11 and Red Hat Enterprise Linux 6.1 on Intel (Xeon) platforms.

Perl

Steel-Belted Radius Carrier has been tested with Perl 5.8.4 and 5.8.8. Multiple Perl installations in discrete directories are supported, but attempting to use other versions of Perl with SBR Carrier may cause problems.

LDAP Plug-in

The LDAP plug-in requires SASL, which is not included with SBR. You must ensure that you have the SASL package installed before starting SBR.

Supported Browsers

The SBR Administrator application can be launched from the browsers listed in Table 2.

Table 2: Supported Browsers

Browser              Versions    Operating System
Google Chrome        23          Linux -32
Internet Explorer    8           Windows XP SP3
Internet Explorer    8.0.7602    Windows 7
Mozilla Firefox      5           Solaris 10/11
Mozilla Firefox      10          Linux X86
Mozilla Firefox      11          Windows 7
Mozilla Firefox      13          Windows XP SP3

Java Runtime Environment (JRE) 1.4.2 or later is required for all browsers, and is available from http://www.oracle.com/technetwork/java/index.html.

NOTE: Using the SBRC Administrator on Windows with Aero effects enabled might remove some UI elements. You must disable the Windows Aero effects.

External Database Requirements

Steel-Belted Radius Carrier supports:

• Oracle database versions 10 and 11; version 11.2.0 is recommended.

• For Steel-Belted Radius Carrier to act as an Oracle native client (only on Solaris), the Oracle 32-bit client must be set up before installing SBR Carrier because the Oracle server location is used during installation.

• The JDBC plug-in has been tested with Oracle database running on Solaris and MySQL.

Signalware and SS7 Interface Requirements

To support the optional SS7 module, Ulticom’s Signalware 9 with Service Pack 6V must be installed before installing SBR Carrier.

If you want the Steel-Belted Radius Carrier server to communicate with any SS7 legacy equipment, install Ulticom’s SS7 communication board and Signalware 9 with Service Pack 6V before you install the SBR Carrier software.

CAUTION: Service Pack 6V must be installed; otherwise, Steel-Belted Radius Carrier cannot use the Signalware communications stack.

The Signalware PH0301 and XH0303 boards are supported.

For more information, see the SBR Carrier Installation Guide.

Modified Open-Source Software

Embedded in Steel-Belted Radius Carrier 7.5.0 is open-source software that Juniper Networks has modified. The modified software includes:

• HTTPClient from Innovation GmbH

• sunmd5.c from the OpenSolaris Project

• Spider Monkey 1.6 from Mozilla


You can obtain the source code for these modifications from Juniper Networks Technical Support. See “Requesting Technical Support.”

Migrating from Earlier SBR Carrier Releases

SBR Carrier Release 7.5.0 can run as a standalone server or as part of a Session State Register cluster.

Migrating from Earlier SBR Carrier Standalone Server Products

You can use the configuration script to move a number of files from selected previous SBR Carrier releases to the Release 7.5.0 environment when installing Steel-Belted Radius Carrier. The corresponding Release 7.5.0 files are also loaded on the system, but are not activated. You are responsible for merging new settings from Release 7.5.0 configuration files into the working (preexisting) configuration files. To support new features, SBR Carrier uses default values for any new settings that have not been merged into the working configuration files.

For complete details about migrating from the preceding releases, see the SBR Carrier Installation Guide.

Known Problems and Limitations

These issues have been identified in Steel-Belted Radius Carrier 7.5.0. The identifier in parentheses is the Problem Report number in our bug database.


JavaScripting

• A Java script that logs data containing formatting characters (for example, "%s") or other hex data may cause SBR to crash. To prevent unpredictable side-effects, do not write scripts that log variable data. (PR 833713)

CDMA

• A session timeout cannot be set using a filter in the 3GPP2.ini file. To set session timeout, use the SessionTimeoutSeconds in the prepaid.att file or a Session-Timeout attribute in a profile. (PR 248448, PR 306397)

COA/DM

• Enabling the “COA” action event using the SBR Administrator by modifying deviceModels.xml may result in an error. If you customize COA or DM by modifying the deviceModels.xml file, it is recommended that you obtain assistance from JTAC to verify your configuration. Errors in deviceModels.xml—for example, missing, misplaced, or misconfigured XML elements or referencing RADIUS attributes that are not defined in the dictionaries, or both—could lead to undefined behavior ranging from preventing the server from starting to invalid errors while using the SBR Administrator to invoke COA or DM actions. Be sure to restart the server as well as the SBR Administrator whenever deviceModels.xml or dictionary, or both files are modified. (PR 420928)

Filters

• Changing a rule in the SBR Administrator with Filter>Edit Rule from Exclude or Add to Replace has no effect. Instead of changing the rule type, delete the attribute and then add a new attribute with the correct Replace type. (PR 298086)

• A filter with an index that is configured to replace a parent attribute with multiple instances of a single subattribute does not work correctly. To avoid this, set up the configuration so that it uses multiple separate attributes that each contain the same subattribute. (PR 298631)

LDAP Authentication

• Setting the MaxConcurrent setting in the ldapauth configuration file to higher values can cause Steel-Belted Radius Carrier to run out of memory and crash. As a workaround, use smaller values of MaxConcurrent. The recommended maximum value is 1000. (PR 249953)

• Entering more than 124 characters for a native user results in an erroneous rejection. This problem was introduced in SBR Carrier 7.3.1 and will be resolved in future releases. (PR 771505)

• When many LDAP connections are configured and MaxConcurrent is set to a high value in ldapauth configuration, SBR can run out of memory and will experience delay during the shutdown. (PR 839864)


• In previous versions of SBR Carrier in Solaris, LDAP used the Mozilla libraries for LDAP communication. When LDAP is used, this requires the Cert7.db and Key3.db files as the certificate store for trusted root certificates. Starting 7.4.0 Linux and 7.5.0 Solaris, SBR Carrier uses the OpenLDAP libraries to process LDAP requests. For SBR to process LDAP requests, you must configure OpenLDAP to accept the server certificate. Currently, this is the only configuration supported and tested by SBR.

• The LDAP plug-in requires SASL, which is not included with SBR. You must ensure that you have the SASL package installed before starting SBR.
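Several constraints in these notes can be checked before a restart: ForceUpdate needs UpdateOnInterim set to 1, MaxConcurrent has a recommended maximum of 1000, DisableHaPhantom and SendStatusServer take 0 or 1, and RetryCount is a retry count. The linter below is an added example, not Juniper code; it assumes ini-style `Key = Value` lines with `;` comments, and the sample contents and every section name other than [Settings] in wimax.ini are constructed.

```python
# Added example: lint SBR-style configuration text against constraints quoted
# in these release notes. Sample file contents below are constructed.

SAMPLE_FILES = {
    # [ExampleSection] is a placeholder; the notes do not name the section.
    "radius.ini": "[ExampleSection]\n"
                  "; interim updates are off, so ForceUpdate is not valid\n"
                  "UpdateOnInterim = 0\n"
                  "ForceUpdate = <attributes>\n",
    "ldapauth.aut": "[ExampleSection]\nMaxConcurrent = 5000\n",
    "wimax.ini": "[Settings]\nDisableHaPhantom = 1\n",
    "example-realm.pro": "[ExampleSection]\nSendStatusServer = 1\nRetryCount = 3\n",
}


def parse_settings(text):
    """Collect 'Key = Value' pairs, ignoring section headers.

    Assumptions: ';' starts a comment and keys are case-insensitive.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def _as_int(value):
    """Return the integer value, or None when the text is not an integer."""
    try:
        return int(value)
    except ValueError:
        return None


def lint_file(name, text):
    """Return a list of findings for one configuration file."""
    s = parse_settings(text)
    lname = name.lower()
    findings = []

    if lname == "radius.ini":
        # NOTE in the release notes: ForceUpdate is valid only with UpdateOnInterim = 1.
        if "forceupdate" in s and s.get("updateoninterim") != "1":
            findings.append("ForceUpdate is set but UpdateOnInterim is not 1")

    if lname.startswith("ldapauth") and "maxconcurrent" in s:
        # PR 249953: high values can exhaust memory; recommended maximum is 1000.
        n = _as_int(s["maxconcurrent"])
        if n is None:
            findings.append("MaxConcurrent is not an integer")
        elif n > 1000:
            findings.append("MaxConcurrent %d exceeds recommended maximum 1000" % n)

    if lname == "wimax.ini":
        if s.get("disablehaphantom") not in (None, "0", "1"):
            findings.append("DisableHaPhantom must be 0 or 1")

    if lname.endswith(".pro"):
        if s.get("sendstatusserver") not in (None, "0", "1"):
            findings.append("SendStatusServer must be 0 or 1")
        if "retrycount" in s:
            n = _as_int(s["retrycount"])
            if n is None or n < 0:
                findings.append("RetryCount must be a non-negative integer")

    return findings


def lint(files):
    """Lint a {filename: text} mapping; return only files with findings."""
    report = {}
    for name, text in files.items():
        findings = lint_file(name, text)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for fname, problems in lint(SAMPLE_FILES).items():
        for problem in problems:
            print("%s: %s" % (fname, problem))
```
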

SBR Administrator

• In SBR HA, the Statistics GUI panel for System - Authentication and Accounting has some inconsistencies with the documentation. The System - Authentication and Accounting GUI mentions “Retries Sent” but it is documented as “Retries Received.” Similarly, the System - Accounting GUI mentions “Failed Authentication” instead of “Failed Accounting.” The document lists “Invalid Client” and “Invalid Shared Secret,” which are not available in the SBR Administrator. These inconsistencies must be corrected in both the SBR Administrator as well as in the documentation. (PR 434065)

• In the SBR Administrator, when TLS Secondary Authorization option is disabled, the configuration parameters to use the RADIUS User-Name attribute and Calling-Station-id attribute continue to be available. (PR 728565)

• When you configure a profile in SBR Administrator, the value entered in a checklist can exceed the maximum length for the value that is specified in the dictionary file. This may result in erroneous failed authentications. (PR 306944)

• The “Use different shared secret for accounting” check box remains selected. Configure a client through the SBR Administrator. Select the “Use different shared secret for accounting” check box. Enter a different shared secret and click OK. Edit the client and deselect the “Use different shared secret for accounting” check box and click OK. Edit the client again and you notice that the “Use different shared secret for accounting” check box remains selected, and the shared secrets for accounting and authorization are different. To work around this problem, delete the accounting shared secret before deselecting the check box. (PR 581706)

• int4 attributes with a value greater than 2,147,483,648 are displayed as negative values in the SBR Administrator. This occurs when you create a profile with a reply list containing an int4 attribute whose value is greater than 2,147,483,648. Click Ok and view the reply list. The attribute displays a negative value. However, an int4 attribute is an unsigned integer and this works properly through the LDAP configuration interface (LCI). (PR 581771)

• When you edit attributes of the int1, int2, or int4 type in the SBR Administrator, you are unable to select values to make sure that they are in a valid range. If you set a value that is greater than the maximum range, the attribute is deleted without a warning. There is no workaround. (PR 582099)

• Signed integers are not supported. If you enter a value greater than 2,147,483,648 (either through the SBR Administrator or through the LCI), it appears as a negative number. (PR 582104)


• If you edit deviceModels.xml and create a duplicate model entry, the SBR Administrator may hang when trying to display the Current Sessions tab. There is no workaround other than correcting the error and restarting the Administrator. (PR 583037)

• After you rename a client, or delete and then add a client with a different name, you must restart the SBR Administrator for the SCS module to recognize the client. If the SBR Administrator is closed and restarted, then the form to enter the required attributes works properly. (PR 583077)

• The value of Termination-Action for TLS and TTLS authentication methods and the TLS helper cannot be set correctly through the SBR Administrator. The values must be set manually by editing tlsauth.aut, ttlsauth.aut, or tlsauth.eap. (PR 583905)

• The Advanced Server Settings panel for TLS helper contains the Challenge_Timeout field. However, this setting is not supported for TLS helper. (PR 807813)

• The SBR Administrator does not allow you to enter an IPv6 address for any check-list or return-list attribute of the ipv6addr type—for example, Login-IPv6-Host. You can use the LCI as a workaround. (PR 6673775)

• The SBR Administrator does not allow you to enter an IPv6 address for RADIUS Client Address or Proxy Target Address. You can use the LCI as a workaround. (PR 610064)

• When you make changes to the “Authentication Policies / Order of Methods” panel or the “Authentication Policies / Reject Messages” panel, the Audit Log does not provide specific information about the actions performed but rather it reads them as “Add/Modify authentication realm 'default'” (PR 249434).

• SBR Administrator is unavailable after you enable SNMP. Sometimes, when you enable SNMP, you might notice problems with connections on the TCP port 1812. (PR 776705)

• When you view the IP address pools in the SBR Administrator GUI, only the pool name appears and not the IP address range. The SBR Administrator GUI lists only 0.0.0.0. (PR 788982)

• SBR blocks port 1812 and SBR Administrator is not accessible when a significant amount of traffic results in approximately 5 million phantom sessions. (PR 810722)

• If more than 25 Called-Station-IDs are added to a tunnel configuration through SBR Administrator, all the Called-Station-IDs are not shown in the SBR Administrator. However, LCI and XML exports show all the added Called-Station-IDs. (PR 840964)

SBRC Core

• When you specify a subattribute string with a length of 244 characters, the expected response is not returned. To avoid this situation, edit the string to reduce the number of characters to fewer than 244. (PR 298055)

• If you enable user concurrency after user sessions have been established, those sessions are not counted toward concurrency limits. (PR 431438)


• If you use multiround (challenge) authentication, the AddFunkClientGroupToRequest feature adds the Funk-Radius-Client-Group attribute-value pair (AVP) to only the first access request. Subsequent challenge responses do not have this attribute added, and, therefore, cannot use this attribute in checklist processing when EAP or other challenge-based protocols are used. (PR 460109)

• The sbrd stop ssr command does not work on remote nodes. To ensure shutdown of ssr nodes, issue the command on each node. (PR 561992)

• Sessions are not handled correctly when the length of Acct-Session-Id is greater than 24 octets. Update /opt/JNPRhadm/CurrentSessions.sql and /opt/JNPRhadm/UpdateSchema.pl to 48 or 64 and SBR/dbcluster/common/scripts/UpdateSchema.pl to permit the argument of “7.2” and “7.3”. Then in both cases, alter the table to update the length of the field. (PR 719218)

• When you are executing ./configure and ./sbrd, it is sometimes necessary for the software to perform certain operations as the hadm user as opposed to the root user. When you switch between user accounts, the shell may emit messages such as “You have new mail.” These messages are annoying but harmless. As a workaround, you may create a zero-length file called .hushlogin in the hadm user’s home directory—for example, execute as hadm: touch /opt/JNPRhadm/.hushlogin. The .hushlogin file prevents the shell from emitting messages when the hadm user logs in. (PR 546477)

• When the Oracle server is restarted, the TCP connection in SBR moves to the CLOSE_WAIT state and stays in the same state until the SBR process is restarted. This does not have any service impact, except that the number of stale connections increases in proportion to the number of times the Oracle server is restarted. (PR 813350)

• The OracleFailoverRetry configuration in radsql.aut, radsql.acc, and radsql.gen files must be set to a value greater than 0. Setting this value to 0 makes the retry attempts continue indefinitely and prevents SBR from shutting down gracefully when the target Oracle servers are down. (PR 805357)

SSR

• The CreateDB.sh script fails during cluster initialization. If you observe an error like the one in the following example while running the ./CreateDB.sh script, ensure that the cluster is fully started, kill the mysqld and mysqld_safe processes manually, and restart them using “./sbrd start ssr” before attempting to execute the ./CreateDB.sh script again. (PR 755547)

hadm@sbr-blr-vm1:~> ./CreateDB.sh
Creating database "SteelBeltedRadius" (using ENGINE ndbcluster).
Creating misc tables.
Can't create database "SteelBeltedRadius" (or its tables).
MySQL Error Message: ERROR 157 (HY000) at line 3: Could not connect to storage engine
Cleaning up (destroying fragments of database "SteelBeltedRadius").

hadm@sbr-blr-vm1:~> ps -ef|grep mysqld
hadm 11603 ... /bin/sh /opt/JNPRmysql/install/bin/mysqld_safe
hadm 11720 ... /opt/JNPRmysql/install/bin/mysqld --basedir=/opt/JNPRmysql/install --datadir=/opt/JNPRmysqld/data --log-error=/opt/JNPRmysqld/mysqld_safe.err --pid-file=/opt/JNPRmysqld/mysqld.pid --socket=/opt/JNPRhadm/.mysql.sock --port=3001

hadm@sbr-blr-vm1:~> kill 11603 11720

hadm@sbr-blr-vm1:~> ./sbrd start ssr
Starting ssr auxiliary processes

hadm@sbr-blr-vm1:~> ./CreateDB.sh

• When several IP pools are configured, the SBR service cannot be stopped using the ./sbrd stop radius command. The workaround is to kill the SBR service by using “force”, “pkill”, or “kill <pid of SBR>” and then execute the MySQL command mysql -D SteelBeltedRadius -e 'update Sbr_IpAddrs set cache = 0 where cache = <node ID> limit 10000'. (PR 792164)

• The stability of SBR is not guaranteed during a multinode failure of the cluster. Use the watchdog process (radiusd) to mitigate such events. (PR 744690).

SIM Authentication

• The authGateway process must be restarted whenever SBR restarts. This is applicable only on a Linux platform.

Logging

• The SNMP agent does not write log files when it is stopped. See the “Logging Behavior of the SNMP Agent” section in the SBR Carrier Reference Guide for more information. (PR 469774)

• Binary attributes may be interpreted as null and cause subsequent attributes to be dropped. (PR 741942)

• Accounting records are too cryptic in the accounting log. Because Class attributes are presented in hexadecimal format and can be quite long, they are not logged by default. If desired, they can be added to the log by removing the comment “;” from “Class=” in the account.ini file. (PR 291646)

• The minimum value for Interval-Seconds parameter in the statlog.ini file is 10 seconds but the output may become garbled under extreme load when the interval is less than 60 seconds. (PR 843496)

Installation

• When you upgrade SBR 7.2.4 or earlier to 7.5.0, you need a new execution of configure 3 on all M nodes (prior to SBR 7.2.4, all M nodes needed a configure 3 on an upgrade); otherwise, mysqld fails to start. The workaround for this problem is to edit the /opt/JNPRhadm/my.cnf file to add to the [mysqld_safe] section:

log-error = /opt/JNPRmysqld/mysqld_safe.err
pid-file = /opt/JNPRmysqld/mysqld.pid

(PR 695553)

Proxy Spooling

• When the Proxy Fast-Fail mechanism is enabled, the strobe requests are not sent with the existing default settings. The workaround for this problem is to set the value of ResetSeconds greater than RetryInterval in the *.pro file. (PR 834978)

Documentation Updates

Information in this section updates the published Steel-Belted Radius Carrier 7.5.0 documentation set. The identifier in parentheses is the Problem Report number in our bug database.

Installation

• SBR Carrier documentation requires update to SDK information. (PR 725585)

• The SBR SDK API call SbrWriteToLog() provides printf() functionality to customer plug-ins with certain vulnerabilities. When using the SbrWriteToLog() function, you must use a format string as the third parameter when logging variable data.

void SBRAPI sbrWriteToLog( HMODULE_CONTEXT hModuleContext, uint32 nLogLevel, const char * pszMsg, ... )

(PR 822544)
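The format-string rule above, as an added example (not code from the SBR SDK or from these notes). demoWriteToLog is a hypothetical stand-in with the same parameter shape as the prototype shown, the HMODULE_CONTEXT and uint32 typedefs are assumed placeholders for the SDK's own types, and the User-Name value is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Placeholder types (assumptions): the real definitions come from the SBR SDK headers. */
typedef void *HMODULE_CONTEXT;
typedef unsigned int uint32;

/* Most recent line written by the stand-in logger, kept so callers can inspect it. */
static char g_last_log[128];

/* Constructed sample: a User-Name value that happens to contain "%%". */
static const char SAMPLE_USER[] = "alice%%corp";

/*
 * Hypothetical stand-in with the same parameter shape as the prototype in the
 * notes: pszMsg is a printf-style format string, followed by its arguments.
 * Returns the length the full message needs (vsnprintf semantics).
 */
int demoWriteToLog(HMODULE_CONTEXT hModuleContext, uint32 nLogLevel,
                   const char *pszMsg, ...)
{
    va_list ap;
    int n;

    (void)hModuleContext;
    (void)nLogLevel;
    va_start(ap, pszMsg);
    n = vsnprintf(g_last_log, sizeof g_last_log, pszMsg, ap);
    va_end(ap);
    return n;
}

/*
 * UNSAFE: variable data is the third parameter, so it is parsed as a format
 * string. Every '%' in the data is treated as a conversion; any conversion
 * other than "%%" reads arguments that were never passed (undefined
 * behaviour). Only call this demo with data whose sole conversion is "%%".
 */
const char *log_user_unsafe(HMODULE_CONTEXT ctx, const char *user_name)
{
    demoWriteToLog(ctx, 1, user_name);
    return g_last_log;
}

/*
 * SAFE: the third parameter is a constant format string and the variable data
 * is an argument, so it is copied verbatim whatever bytes it contains.
 */
const char *log_user_safe(HMODULE_CONTEXT ctx, const char *user_name)
{
    demoWriteToLog(ctx, 1, "%s", user_name);
    return g_last_log;
}

/*
 * One choke point for plug-in logging: attribute name and value are always
 * arguments to a constant format. Returns 1 if the line was truncated or the
 * formatting failed, 0 otherwise.
 */
int log_attr(HMODULE_CONTEXT ctx, uint32 level, const char *name,
             const char *value)
{
    int n = demoWriteToLog(ctx, level, "%s=%s", name, value);
    return n < 0 || (size_t)n >= sizeof g_last_log;
}

/* Accessor for the last logged line. */
const char *last_log(void)
{
    return g_last_log;
}

int main(void)
{
    /* The unsafe call silently rewrites the data: "%%" collapses to "%". */
    printf("unsafe: %s\n", log_user_unsafe(NULL, SAMPLE_USER));
    /* The safe call logs the value exactly as received. */
    printf("safe:   %s\n", log_user_safe(NULL, SAMPLE_USER));
    log_attr(NULL, 1, "User-Name", SAMPLE_USER);
    printf("attr:   %s\n", last_log());
    return 0;
}
```

Routing every plug-in log call through a wrapper such as log_attr keeps the format string constant in one place and makes the remaining direct calls easy to find in review.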

Session State Register Module

• If you start a management (M or SM) node without running the “configure 2 (create a new cluster definition)” option, as you would in the case of a rolling restart upgrade from Release 7.2.x to Release 7.5.0, you will see multiple warnings such as the following:

WARNING: 2010-11-30 15:25:23 [MgmtSrvr]WARNING -- at line 68: [api]Id is deprecated, use NodeId instead

These warnings can be safely ignored.

To avoid these warnings, make the following change in the /opt/JNPRhadm/config.ini file:

Change lines that read Id=<number> to NodeId=<number> on each management node.

Resolved Issues

Release 7.5.0

• SBR is updated to store multiple PDP contexts in the CST for the same session. (PR 506200)

• SBR is updated to return all SBR-specific data during an snmpwalk. (PR 747105)

• SBR Administrator supports various Web browsers. (PR 778364)

• The WiMAX-PMIP-Authenticated-Network-Identity reply attribute had a size limit of 126 bytes. If the size limit was exceeded during WiMAX authentication, SBR Carrier crashed because the stack variable could not handle the excess number of bytes. This issue has been resolved. (PR 783058)

• In SBR Carrier 7.5.0, DHCP IP allocation is enhanced to not show duplicate logging requests. (PR 788988)

• The JDBC accounting plug-in inserts IP addresses with the octets reversed. This issue has been resolved. (PR 791122)

• SBR Carrier 7.31 Standalone Edition had crashed during load testing. This issue has been resolved. (PR 791425)

• The session-table issue of updating abnormally during authentication when OuterNAIPlusMAC=ON in Proxy Scenario has been resolved. (PR 793333)

• UpdateSchema.pl is implemented to read the DB name from the DBName.txt file. (PR 795111)

• The shutdown algorithm for DHCP is changed by terminating the DHCP interfaces after the DHCP thread is completed. (PR 801535)

• Memory leak in jnprsnmpd has been fixed. (PR 805946)

• LDAP error codes are updated to return FAILED for fatal errors. (PR 807780)

• The strange spooled accounting behavior on Linux during startup and shutdown processing is corrected. (PR 807918)

• LDAP JavaScript is updated to return an appropriate error code for password failure. (PR 808064)

• SBR is updated to calculate the rate of authentication requests as they are received from the socket. (PR 808116)

• The LCI functionality is enhanced to manage a large number of sessions. (PR 813462)

• Proxy-State attributes received in a proxy response are deleted if the original attribute was added to a proxied request by SBR. This issue has been resolved. (PR 815261)

• Searching for an active session in the standalone SBR using the IP address returns nothing. This issue has been resolved. (PR 815396)

• The memory leaks issue has been resolved. (PR 816287)

• LCI retrieval of the custom CST string attribute as hex has been resolved. (PR 816623)

• QueryTimeout is updated in the radsqljdbc.acc file. (PR 817133)

• The LdapVariables.add JavaScript is enhanced to return the correct attributes when the return code is PASSWORDFAILED or NOT_FOUND. (PR 819950)

• The ndbdmtd process had reached 100%. This issue has been resolved. (PR 820609)

• When NoNullTermination was configured, SBR stored incorrect values in the CST. This issue has been resolved. (PR 821635)

• The standalone SSR initialization failure issue has been resolved. (PR 823412)

• The Omni Transaction table filled up and dropped communication to the HLR. This issue has been resolved. (PR 823880)

• When profile caching was enabled with profiles containing multiple attributes of the same type, SBR crashed or showed other errors related to memory corruption. This issue has been resolved. (PR 827809)

• When you used the Convert-Calling-Station-Id setting to enable the use of binary Calling-Station-Id attributes, the ASCII Calling-Station-Id attributes were incorrectly recorded in the .act file or SSR. This setting can now be enabled on a per-NAS basis to prevent the problem. (PR 829505)

• Standalone SBR occasionally failed to update HA-RKs. This issue has been resolved. (PR 830411)

• The SBR SDK function SbrCtrlGetRealmName() always returned the same realm name, when block=1 and smart proxy were enabled. This issue has been resolved. (PR 830624)

• New FAP registrations failed because of an OMNI error. This issue has been resolved. (PR 832817)

• Accounting statistics incorrectly counted stale proxy responses. This issue has been resolved. (PR 768789)

• The authentication log recorded the Proxy-State attribute in the User-Name field, if the Proxy-State attribute was present in the request. This issue has been resolved. (PR 832407)

Related Documentation

Requests for Comments (RFCs)

The Internet Engineering Task Force (IETF) maintains an online repository of Requests for Comments (RFCs) at http://www.ietf.org/rfc.html. Table 3 lists the RFCs that apply to Steel-Belted Radius Carrier.

Table 3: RFCs Related to the Steel-Belted Radius Carrier

RFC Number | Title
RFC 1035 | Domain Names - Implementation and Specification. P. Mockapetris. November 1987.
RFC 1155 | Structure and Identification of Management Information for TCP/IP-based Internets. M. Rose, K. McCloghrie, May 1990.
RFC 1213 | Management Information Base for Network Management of TCP/IP-based internets: MIB-II. K. McCloghrie, M. Rose, March 1991.
RFC 2006 | The Definitions of Managed Objects for IP Mobility Support using SMIv2. D. Cong and others. October 1996.
RFC 2246 | The TLS Protocol. T. Dierks, C. Allen. January 1999.
RFC 2271 | An Architecture for Describing SNMP Management Frameworks. D. Harrington, R. Presuhn, B. Wijnen, January 1998.
RFC 2284 | PPP Extensible Authentication Protocol (EAP). L. Blunk, J. Vollbrecht, March 1998.
RFC 2433 | Microsoft PPP CHAP Extensions. G. Zorn, S. Cobb, October 1998.
RFC 2548 | Microsoft Vendor-specific RADIUS Attributes. G. Zorn. March 1999.
RFC 2607 | Proxy Chaining and Policy Implementation in Roaming. B. Aboba, J. Vollbrecht, June 1999.
RFC 2618 | RADIUS Authentication Client MIB. B. Aboba, G. Zorn. June 1999.
RFC 2619 | RADIUS Authentication Server MIB. G. Zorn, B. Aboba. June 1999.
RFC 2620 | RADIUS Accounting Client MIB. B. Aboba, G. Zorn. June 1999.
RFC 2621 | RADIUS Accounting Server MIB. G. Zorn, B. Aboba. June 1999.
RFC 2622 | PPP EAP TLS Authentication Protocol. B. Aboba, D. Simon, October 1999.
RFC 2809 | Implementation of L2TP Compulsory Tunneling via RADIUS. B. Aboba, G. Zorn. April 2000.
RFC 2865 | Remote Authentication Dial In User Service (RADIUS). C. Rigney, S. Willens, A. Rubens, W. Simpson. June 2000.
RFC 2866 | RADIUS Accounting. C. Rigney. June 2000.
RFC 2867 | RADIUS Accounting Modifications for Tunnel Protocol Support. G. Zorn, B. Aboba, D. Mitton. June 2000.
RFC 2868 | RADIUS Attributes for Tunnel Protocol Support. G. Zorn, D. Leifer, A. Rubens, J. Shriver, M. Holdrege, I. Goyret. June 2000.
RFC 2869 | RADIUS Extensions. C. Rigney, W. Willats, P. Calhoun. June 2000.
RFC 2882 | Network Access Servers Requirements: Extended RADIUS Practices. D. Mitton. July 2000.
RFC 3046 | DHCP Relay Agent Information Option. M. Patrick. January 2001.
RFC 3118 | Authentication for DHCP Messages. R. Droms and others. June 2001.
RFC 3162 | RADIUS and IPv6. B. Aboba, G. Zorn, D. Mitton. August 2001.
RFC 3344 | IP Mobility Support for IPv4. C. Perkins. August 2002.
RFC 3539 | Authentication, Authorization, and Accounting (AAA) Transport Profile. B. Aboba, J. Wood. June 2003.
RFC 3575 | IANA Considerations for RADIUS (Remote Authentication Dial-In User Service). B. Aboba, July 2003.
RFC 3576 | Dynamic Authorization Extensions to Remote Authentication Dial In User Service. Network Working Group, 2003.
RFC 3579 | RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP). B. Aboba, P. Calhoun, September 2003.
RFC 3580 | IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines. P. Congdon, B. Aboba, A. Smith, G. Zorn, J. Roese, September 2003.
RFC 3748 | Extensible Authentication Protocol. B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, H. Levkowetz. June 2004.
RFC 3957 | Authentication, Authorization, and Accounting (AAA) Registration Keys for Mobile IPv4. C. Perkins and P. Calhoun. March 2005.
RFC 4017 | Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs. D. Stanley and others. March 2005.
RFC 4186 | Extensible Authentication Protocol Method for Global System for Mobile Communications (GSM) Subscriber Identity Modules (EAP-SIM). H. Haverinen, J. Salowey. January 2006.
RFC 4187 | Extensible Authentication Protocol Method for Global System for 3rd Generation Authentication and Key Agreement (EAP-AKA). J. Arkko, H. Haverinen. January 2006.
RFC 4282 | The Network Access Identifier. B. Aboba and others. December 2005.
RFC 4284 | Identity Selection Hints for the Extensible Authentication Protocol (EAP). F. Adrangi, V. Lortz, F. Bari, P. Eronen. January 2006.
RFC 4372 | Chargeable User Identity. F. Adrangi and others. January 2006.
RFC 4510 | Lightweight Directory Access Protocol (LDAP) Technical Specification Road Map. K. Zeilenga, June 2006.
RFC 5281 | Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated Protocol Version 0 (EAP-TTLSv0). P. Funk, S. Blake-Wilson. August 2008.
RFC 5997 | Use of Status-Server Packets in the Remote Authentication Dial In User Service (RADIUS) Protocol. A. DeKok. August 2010.

WiMAX Technical Specifications

The WiMAX Forum Networking Group (NWG) maintains a repository of technical documents and specifications online at http://www.wimaxforum.org. You can also view the WiMAX IEEE standards, 802.16e-2005 for mobile WiMAX and 802.16-2004 for fixed WiMAX, online at http://www.ieee.org.

Third-Party Products

For information about configuring your Ulticom software and hardware, or your access servers and firewalls, consult the manufacturer’s documentation.

General Statement of Compliance

Table 4 lists Steel-Belted Radius Carrier Release 7.5.0 compliance with applicable RFCs.

Table 4: Compliance of Steel-Belted Radius Carrier Release 7.5.0 with Applicable RFCs

RFC Number | Name | Notes
1155 | Structure and Identification of Management Information for TCP/IP-based Internets | —
1213 | Management Information Base for Network Management of TCP/IP-based internets: MIB-II | —
2058 | Remote Authentication Dial In User Service | Obsoleted by RFC 2138
2059 | RADIUS Accounting | Obsoleted by RFC 2139
2107 | Ascend Tunnel Management Protocol | —
2138 | Remote Authentication Dial In User Service | Obsoleted by RFC 2865
2139 | RADIUS Accounting | Obsoleted by RFC 2866
2271 | An Architecture for Describing SNMP Management Frameworks | Obsoleted by RFC 2571
2284 | PPP Extensible Authentication Protocol (EAP) | Updated by RFC 2484
2433 | Microsoft PPP CHAP Extensions | —
2548 | Microsoft Vendor-specific RADIUS Attributes | —
2607 | Proxy Chaining and Policy Implementation in Roaming | —
2618 | RADIUS Authentication Client MIB | Obsoleted by RFC 4668
2619 | RADIUS Authentication Server MIB | Obsoleted by RFC 4669
2620 | RADIUS Accounting Client MIB | Obsoleted by RFC 4670
2621 | RADIUS Accounting Server MIB | Obsoleted by RFC 4671
2716 | PPP EAP TLS Authentication Protocol | Obsoleted by RFC 5216
2809 | Implementation of L2TP Compulsory Tunneling via RADIUS | —
2865 | Remote Authentication Dial In User Service (RADIUS). | —
2866 | RADIUS Accounting | —
2867 | RADIUS Accounting Modifications for Tunnel Protocol Support | —
2868 | RADIUS Attributes for Tunnel Protocol Support | —
2869 | RADIUS Extensions | —
2882 | Network Access Servers Requirements: Extended RADIUS Practices | —
2903 | Generic AAA Architecture | —
2904 | AAA Authorization Framework | —
2905 | AAA Authorization Requirements | —
2906 | AAA Authorization Requirements | —
2977 | Mobile IP Authentication, Authorization, and Accounting Requirements | —
2989 | Criteria for Evaluating AAA Protocols for Network Access | —
3012 | Mobile IPv4 Challenge/Response Extensions | —
3162 | RADIUS and IPv6 | —
3575 | IANA Considerations for RADIUS (Remote Authentication Dial In User Service) | —
3579 | RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP) | —
3580 | IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines | —
3748 | Extensible Authentication Protocol (EAP) | —
3770 | Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks | —
4014 | Remote Authentication Dial-In User Service (RADIUS) Attributes Suboption for the Dynamic Host Configuration Protocol (DHCP) Relay Agent Information Option | —
4017 | Extensible Authentication Protocol (EAP) Method Requirements for Wireless LANs | —
4072 | Diameter Extensible Authentication Protocol (EAP) Application | Not supported
4137 | State Machines for Extensible Authentication Protocol (EAP) Peer and Authenticator | —
4186 | Extensible Authentication Protocol Method for Global System for Mobile Communications (GSM) Subscriber Identity Modules (EAP-SIM) | —
4187 | Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA) | —
4284 | Identity Selection Hints for the Extensible Authentication Protocol (EAP) | —
4334 | Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks (WLAN) | —
4372 | Chargeable User Identity | —
4590 | RADIUS Extension for Digest Authentication | Obsoleted by RFC 5090
4603 | Additional Values for the NAS-Port-Type Attribute | —
4668 | RADIUS Authentication Client MIB for IPv6 | Previous version (RFC 2618) supported
4669 | RADIUS Authentication Server MIB for IPv6 | Previous version (RFC 2619) supported
4670 | RADIUS Accounting Client MIB for IPv6 | Previous version (RFC 2220) supported
4671 | RADIUS Accounting Server MIB for IPv6 | Previous version (RFC 2221) supported
4672 | RADIUS Dynamic Authorization Client MIB | Not supported
4673 | RADIUS Dynamic Authorization Server MIB | Not supported
4675 | RADIUS Attributes for Virtual LAN and Priority Support | Not supported
4679 | DSL Forum Vendor-Specific RADIUS Attributes. | Not supported
4746 | Extensible Authentication Protocol (EAP) Password Authenticated Exchange | Not supported
4763 | Extensible Authentication Protocol Method for Shared-secret Authentication and Key Establishment (EAP-SAKE) | Not supported
4764 | The EAP-PSK Protocol: A Pre-Shared Key Extensible Authentication Protocol (EAP) Method. | Not supported
4818 | RADIUS Delegated-IPv6-Prefix Attribute. | —
4849 | RADIUS Filter Rule Attribute | —
4877 | Mobile IPv6 Operation with IKEv2 and the Revised IPsec Architecture. | Not supported
4962 | Guidance for Authentication, Authorization, and Accounting (AAA) Key Management | —
5030 | Mobile IPv4 RADIUS Requirements | —
5080 | Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes | —
5106 | The Extensible Authentication Protocol-Internet Key Exchange Protocol version 2 (EAP-IKEv2) Method | —
5169 | Handover Key Management and Re-Authentication Problem Statement | —
5176 | Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS) | —
5216 | The EAP-TLS Authentication Protocol | Previous version (RFC 2716) supported
 | 3GPP2 X.S0011-D, Version: 1.0, Version Date: February, 2006 | MIPv6 not supported
5281 | Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated Protocol Version 0 (EAP-TTLSv0) P. Funk, S. Blake-Wilson. August 2008. | —
5997 | Use of Status-Server Packets in the Remote Authentication Dial In User Service (RADIUS) Protocol. A. DeKok. August 2010. | —

Table 5 lists the protocols supported in Steel-Belted Radius Carrier Release 7.5.0.

Table 5: Protocols Supported in SBR Carrier Release 7.5.0

Protocol | Notes
UDP | —
IPv4 | —
IPv6 | RADIUS only
DHCP v2 | —
DHCP v3 | —
LDAP v2 | —
LDAP v3 | Not LCI
JDBC | —
Oracle (SQL) | —
XML | Configuration
HTTP v1.1 | Admin
WiMAX NWG 1.2.2 | Except CRs 801, 823, OMA/DM
3GPP2 | —
3GPP2 X.S0011-D | —
3GPP | RADIUS only
23.234 (RADIUS) | WLAN UE
29.061 (RADIUS) | Gi and Pk reference points
TISPAN | RADIUS only Interface E5
ES282.001 | —
ES282.004 | —
ES283.034 | —
ES283.035 | —

SBR Carrier Documentation and Release Notes

For a list of related SBR Carrier documentation, see http://www.juniper.net/support/products/carrier/carrier/.

If the information in the latest release notes differs from the information in the documentation, follow the Steel-Belted Radius Carrier Release Notes.

To obtain the most current version of all Juniper Networks technical documentation, see the products documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation to better meet your needs. Send your comments to [email protected], or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport. If you are using e-mail, be sure to include the following information with your comments:

• Document name

• Document part number

• Page number

• Software release version

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC Policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/customers/support/downloads/710059.pdf

• Product Warranties—For product warranty information, visit http://www.juniper.net/support/warranty/

• JTAC Hours of Operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: http://www2.juniper.net/kb

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/

• Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Manager: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Manager tool in the CSC at http://www.juniper.net/cm/

• Call 1-888-314-JTAC (1-888-314-5822 – toll free in the USA, Canada, and Mexico)

For international or direct-dial options in countries without toll-free numbers, visit http://www.juniper.net/support/requesting-support.html

When you are running SBRC Administrator, you can choose Web > Steel-Belted Radius Carrier Home Page to access a special home page for Steel-Belted Radius Carrier users.

When you contact technical support, be ready to provide:

• Your Steel-Belted Radius Carrier release number (for example, Steel-Belted Radius Carrier Release 7.5.0).

• Information about the server configuration and operating system, including any OS patches that have been applied.

• For licensed products under a current maintenance agreement, your license or support contract number.

• A detailed description of the problem.

• Any documentation that may help in resolving the problem, such as error messages, core files, compiler listings, and error or RADIUS log files.

Revision History

January 2013—SBR Carrier Release 7.5.0

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Ulticom, Signalware, Programmable Network, Ultimate Call Control, and Nexworx are registered trademarks of Ulticom, Inc. Kineto and the Kineto Logo are registered trademarks of Kineto Wireless, Inc. Software Advancing Communications and SignalCare are trademarks and service marks of Ulticom, Inc. CORBA (Common Object Request Broker Architecture) is a registered trademark of the Object Management Group (OMG). Raima, Raima Database Manager and Raima Object Manager are trademarks of Birdstep Technology. Sun, Sun Microsystems, the Sun logo, Java, Solaris, and all trademarks and logos that contain Sun, Solaris, or Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. MySQL and the MySQL logo are registered trademarks of MySQL AB in the United States, the European Union, and other countries. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. All specifications are subject to change without notice.

Contains software copyright 2000–2010 by MySQL AB, distributed under license.

Portions of this software copyright 1999–2009Apasphere Ltd. This product includes omniOrb CORBA software fromApasphere Ltd, underthe LGPL license: The libraries in omniORB are released under the LGPL license.

Portions of this software copyright 2003-2009 LevWalkin <[email protected]> All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions aremet:

1. Redistributions of source codemust retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary formmust reproduce the above copyright notice, this list of conditions and the following disclaimer in thedocumentation and/or other materials provided with the distribution.

THISSOFTWAREISPROVIDEDBYTHEAUTHORANDCONTRIBUTORS``ASIS''ANDANYEXPRESSORIMPLIEDWARRANTIES, INCLUDING,BUTNOTLIMITEDTO,THE IMPLIEDWARRANTIESOFMERCHANTABILITYANDFITNESSFORAPARTICULARPURPOSEAREDISCLAIMED.IN NO EVENT SHALL THE AUTHOROR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, ORCONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODSOR SERVICES; LOSS OFUSE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED ANDON ANY THEORY OF LIABILITY, WHETHER INCONTRACT,STRICTOROTHERWISE)ARISING INANYWAYOUTOFTHEUSEOFTHISSOFTWARE,EVEN IFADVISEDOFTHEPOSSIBILITYOF SUCH DAMAGE.

Portions of this software copyright 1989, 1991, 1992 by Carnegie Mellon UniversityDerivativeWork–1996, 1998–2009 Copyright 1996, 1998–2009. The Regents of the University of California All Rights Reserved. Permissionto use, copy, modify and distribute this software and its documentation for any purpose and without fee is hereby granted, provided thatthe above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supportingdocumentation, and that the name of CMU and The Regents of the University of California not be used in advertising or publicity pertainingto distribution of the software without specific written permission.

CMU AND THE REGENTS OF THE UNIVERSITY OF CALIFORNIA DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL CMU OR THE REGENTS OF THE UNIVERSITY OF CALIFORNIA BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM THE LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Portions of this software copyright © 2001–2009, Networks Associates Technology, Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.


3. Neither the name of the Networks Associates Technology, Inc nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Portions of this software are copyright © 2001–2009, Cambridge Broadband Ltd. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The name of Cambridge Broadband Ltd. may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Portions of this software copyright © 1995–2009 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.

2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.

3. This notice may not be removed or altered from any source distribution.

HTTPClient package Copyright © 1996–2009 Ronald Tschalär ([email protected])

This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. For a copy of the GNU Lesser General Public License, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.

Copyright (c) 2000–2009 The Legion Of The Bouncy Castle (http://www.bouncycastle.org)

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.


THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
