Oracle® Communications Service Broker Signaling Server Units Configuration Guide
Release 6.1

Part Number E29457-01

6 Configuring a RADIUS Signaling Server Unit

This chapter describes how to configure an Oracle Communications Service Broker RADIUS Signaling Server Unit (SSU) using the Service Broker Administration Console.

About the RADIUS SSU

Service Broker uses the RADIUS SSU to receive RADIUS accounting and access requests from the network. The RADIUS SSU forwards these messages to appropriate components of the Processing Tier.

Figure 6-1 shows the RADIUS SSU in the Signaling Tier. The RADIUS SSU provides IM-OFCF with RADIUS connectivity.

Figure 6-1 Place of RADIUS SSU in the Overall Architecture of Service Broker


About RADIUS Authentication

A RADIUS authentication request contains an Attribute-Value Pair (AVP) called Nas-Identifier AVP. This AVP contains the identity of the Network Access Server (NAS) that provides service to the user. The NAS can be either Oracle BRM or Oracle ECE.

You can specify whether you want to perform authentication against Oracle BRM or Oracle ECE by defining a regular expression that Service Broker compares with the Nas-Identifier AVP.

If your regular expression matches the Nas-Identifier AVP, then Service Broker performs the authentication against the BRM. Otherwise, Service Broker performs the authentication against the ECE.

About Proxy and Local Realms

You can configure the RADIUS SSU to act as one of the following:

  • RADIUS server. In this configuration, the RADIUS SSU forwards accounting and authorization requests to Oracle BRM through IMs. The realm in which Oracle BRM is located is called the local realm.

  • RADIUS proxy. In this configuration, the RADIUS SSU bypasses IMs and sends requests directly to an external charging server known as a proxy server. The realm in which such a proxy server is located is called the proxy realm.

    If you want the RADIUS SSU to forward requests to a server in a proxy realm rather than to Oracle BRM, you need to configure the table of realms and the table of servers. The table of realms contains the realms to which the RADIUS SSU can forward a request based on the value of the User-Name attribute. The table of servers defines the servers in each of these realms. When the RADIUS SSU finds a match between the value of User-Name in the request and a value specified in the table of realms, the RADIUS SSU forwards the request to the first available server in the matching realm.

About Communication with RADIUS Network Entities

The RADIUS SSU receives requests from NASs. To allow the RADIUS SSU to receive requests from NASs, you need to specify criteria that NASs must meet. A set of these criteria is known as a client profile.

A client profile consists of the following:

  • Address information criteria. These criteria define the requirements for the address of NASs whose messages the RADIUS SSU can receive. For example, you can define that the RADIUS SSU can receive messages from any NAS whose IP address starts with 10.148.

  • AVPs that the RADIUS SSU should copy from a request sent by the NAS to the response generated by Service Broker.

You can create as many client profiles as you need. The RADIUS SSU applies the first profile found whose criteria fit the parameters of the NAS which attempts to connect to the RADIUS SSU.

Online Mediation Controller is provided with a default client profile already set up. This client profile defines that the RADIUS SSU copies User-Name and Acct-Session-Id attributes from a request to the response.

In addition, you can configure the RADIUS SSU to receive messages only from those NASs whose port is in a specified range.

About Receiving and Forwarding RADIUS Requests

When the RADIUS SSU receives a request from a NAS, the RADIUS SSU forwards the request to a Service Broker component. The RADIUS SSU decides to which component to route the request based on criteria known as incoming routing rules.

The RADIUS SSU handles accounting and authorization requests differently. When the RADIUS SSU receives an accounting request, the RADIUS SSU forwards it to an appropriate Service Broker component based on the realm from which the request is sent. This realm is called the local realm.

The RADIUS SSU forwards all authorization requests to the component that you defined.

About RADIUS Dictionary

A dictionary is a set of attribute-value pairs that Service Broker uses to perform authorization and accounting operations. See the Customizing the RADIUS data dictionary section in Service Integration Components in Oracle Communications Billing and Revenue Management (BRM) 7.3.1 Documentation for more information about the format and syntax of RADIUS dictionaries.

By default, Service Broker uses the standard RADIUS dictionary defined in RFC 2865 (see http://www.ietf.org/rfc/rfc2865.txt for more information). If you need Service Broker to recognize additional vendor-specific AVPs, you can provide Service Broker with a file that contains a custom dictionary. If an AVP defined in the custom dictionary conflicts with an AVP that already exists in the product, the definition in the custom dictionary overrides the existing one.

Setting Up RADIUS Authentication

To specify whether Service Broker performs the authentication against the BRM or ECE:

  1. In the navigation tree in the domain navigation pane, expand the OCSB node.

  2. Expand the Signaling Tier node.

  3. Select the SSU RADIUS node.

  4. Click the OCS Authentication tab.

  5. In the Nas Identifier pattern for BRM field, enter the string that Service Broker should compare with the Nas-Identifier AVP in the authentication request.

  6. Click Apply.

Configuring Incoming Routing Rules

You configure rules for the following types of requests:

Configuring Incoming Routing Rules for Accounting Requests

To configure RADIUS SSU Accounting parameters:

  1. In the navigation tree in the domain navigation pane, expand the OCSB node.

  2. Expand the Signaling Tier node.

  3. Select the SSU RADIUS node.

  4. In the SSU RADIUS tab, click the Accounting subtab.

  5. At the bottom of the Incoming Routing Rules pane, click the New button.

    The New dialog box appears.

  6. Fill in the fields of the New dialog box described in Table 6-1.

    Table 6-1 RADIUS Accounting Incoming Routing Parameters

    Field Descriptions

    Name

    Specifies a unique routing rule name.

    Local Realm

    Specifies the value to match against the Local Realm.

    Example:

    user-name@isp.net

    If a RADIUS accounting request arrives containing only a user name but without a Local Realm, the RADIUS SSU discards the request. To prevent the request from being discarded when no Local Realm is specified, set this field to any. The RADIUS SSU then forwards the request to the destination specified in the Alias field.

    Important: When typing any into the Local Realm field, you must use only lowercase, as follows: any. Do not type Any or ANY.

    Alias

    Specifies the URL of the destination IM to which the RADIUS message is dispatched. The alias has the following format:

    SSU:IM-instance-name.IM-type@domain-id

    • IM-instance-name: IM instance name you specified when you added this IM in the IM configuration pane.

    • IM-type: Type of IM instance.

    • domain-id: Name of the Processing Domain or Processing Domain Group where the relevant IM or application is deployed. This parameter is required only when your Service Broker deployment includes two or more Processing Domains.

      Use the name given to the domain when it was created. This name is specified by the axia.domain.id property.

      Example: SSU:imocf.IMOCF@ocsb.1


  7. Click OK.
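
The rule evaluation described in Table 6-1, as an added sketch that is not Oracle code. It assumes that the realm is the part of User-Name after the last @, that the Local Realm field holds that realm string, that rules are tried in listed order, and that instance and type names contain no dots; the function names are hypothetical.

```python
import re

# Alias layout from Table 6-1: SSU:IM-instance-name.IM-type@domain-id (domain optional).
ALIAS_RE = re.compile(
    r"SSU:(?P<instance>[^.@\s]+)\.(?P<type>[^.@\s]+)(?:@(?P<domain>\S+))?")

def parse_alias(alias):
    """Split an alias into (instance, type, domain); domain is None when omitted."""
    m = ALIAS_RE.fullmatch(alias)
    if m is None:
        raise ValueError(f"malformed alias: {alias!r}")
    return m.group("instance"), m.group("type"), m.group("domain")

def realm_of(user_name):
    """Return the text after the last '@' in User-Name, or None if there is none."""
    _, sep, realm = user_name.rpartition("@")
    return realm if sep and realm else None

def route_accounting(rules, user_name):
    """Return the alias of the first fitting rule, or None when the request is discarded."""
    realm = realm_of(user_name)
    for _name, local_realm, alias in rules:
        # Only the exact lowercase string 'any' acts as the catch-all.
        if local_realm == "any" or (realm is not None and local_realm == realm):
            parse_alias(alias)  # refuse to route to a malformed destination
            return alias
    return None

def lint_rules(rules):
    """Names of rules whose Local Realm looks like a mistyped catch-all (Any, ANY)."""
    return [name for name, local_realm, _ in rules
            if local_realm != "any" and local_realm.lower() == "any"]

# Constructed rule table: (Name, Local Realm, Alias). The second rule carries the
# capitalization mistake that the Important note warns about.
RULES = [
    ("isp", "isp.net", "SSU:imocf.IMOCF@ocsb.1"),
    ("catch-all", "Any", "SSU:imocf.IMOCF@ocsb.1"),
]
```

With this table, a request whose User-Name has no realm is discarded because Any is not the catch-all, and lint_rules reports the rule to correct.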

Specifying the Service Broker Component for Dispatching Access Requests

To specify the Service Broker component:

  1. In the navigation tree in the domain navigation pane, expand the OCSB node.

  2. Expand the Signaling Tier node.

  3. Select the SSU RADIUS node.

  4. In the SSU RADIUS tab, click the Access subtab.

  5. In the Radius Access Inbound Destination field, enter the address of the Service Broker component to which you want to dispatch the RADIUS Access request.

    The address has the following format: ssu:domain

    domain: The name of the domain to which the request is dispatched.

    For example: ssu:ocsb

    If you leave this field empty, the request is not routed through Service Broker.

  6. Click Apply.

Specifying a Custom Dictionary

To specify a custom dictionary file:

  1. In the navigation tree in the domain navigation pane, expand OCSB.

  2. Expand the Signaling Tier node.

  3. Select the RADIUS SSU node.

  4. Click the RADIUS Custom Dictionary tab.

  5. In the Custom dictionary file field, enter the path of the custom dictionary file located on your local file system.

Configuring Server Parameters

To receive RADIUS authentication and accounting requests from the network, you configure the following:

Configuring Server Parameters

To configure server parameters:

  1. In the navigation tree in the domain navigation pane, expand OCSB.

  2. Expand the Signaling Tier node.

  3. Select the RADIUS SSU node.

  4. Click the RADIUS tab.

  5. Click the Server subtab and then the Server tab.

  6. Click New.

    The New dialog box appears.

  7. Fill in the fields described in Table 6-2.

    Table 6-2 Server Parameters

    Field Description

    Target managed server

    Specifies the target managed server.

    IP Address

    Specifies the IP address that the RADIUS SSU uses to listen for RADIUS messages.

    Authentication Port

    Specifies the port that the RADIUS SSU uses to receive RADIUS authentication messages.

    Accounting Port

    Specifies the port that the RADIUS SSU uses to receive RADIUS accounting messages.

    UDP Connection timeout

    Specifies the UDP connection timeout in seconds.

    Retransmission detection time

    Specifies the period during which the RADIUS SSU treats incoming RADIUS messages as retransmissions if they have the same ID and are sent by the same peer. The RADIUS SSU ignores these messages.

    If you set the retransmissionTime parameter to 0, the RADIUS SSU does not recognize these messages as retransmissions.

    Root CA Store key

    Specifies the root CA keystore key. You provide this key to the credential store that contains root CA certificates.

    Server Key Store key

    Specifies the server keystore. You provide this key to the credential store that contains server certificates.
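
The behavior of the Retransmission detection time field, as an added sketch that is not Oracle code. The class and function names are hypothetical, the window is assumed to be in seconds, and the peer is assumed to be the source address and port; the header layout is the one defined in RFC 2865.

```python
import struct

HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

def parse_header(datagram):
    """Return (code, identifier) from a RADIUS packet header or raise ValueError."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if length < HEADER_LEN or length > len(datagram):
        raise ValueError("Length field inconsistent with datagram size")
    return code, ident

class RetransmissionFilter:
    """Ignore a message that repeats an ID from the same peer inside the window."""

    def __init__(self, window_seconds):
        self.window = window_seconds
        self.seen = {}  # (peer, identifier) -> time the message was last accepted

    def accept(self, peer, datagram, now):
        """True if the message should be processed, False if it is ignored."""
        _, ident = parse_header(datagram)
        key = (peer, ident)
        first = self.seen.get(key)
        # A window of 0 disables detection, as the field description states.
        if self.window > 0 and first is not None and now - first < self.window:
            return False
        self.seen[key] = now
        return True

# Constructed Accounting-Request header: code 4, identifier 7, zeroed authenticator.
SAMPLE = struct.pack("!BBH", 4, 7, HEADER_LEN) + bytes(16)
```

The Identifier is a single octet, so a busy NAS reuses values quickly; a window much longer than the NAS retry interval makes a filter like this ignore new requests, while a window of 0 lets every retransmitted accounting message through.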


Specifying the NAS Port Range

To specify the port range:

  1. In the navigation tree in the domain navigation pane, expand OCSB.

  2. Expand the Signaling Tier node.

  3. Select the RADIUS SSU node.

  4. Click the RADIUS tab and then the Server subtab.

  5. In the Valid NAS Port Range tab, fill in the fields as described in Table 6-3.

    Table 6-3 Valid NAS Port Range Parameters

    Field Description

    Min Value of NAS Port

    Specifies the lower limit of the range.

    Max Value of NAS Port

    Specifies the upper limit of the range.


Setting Up Client Profiles

This set of settings consists of the following:

Setting Up a Client Profile

To set up a client profile:

  1. In the navigation tree in the domain navigation pane, expand OCSB.

  2. Expand the Signaling Tier node.

  3. Select the RADIUS SSU node.

  4. Click the RADIUS tab and then the Client Profile tab.

  5. Click the Client Profile tab.

  6. Click New.

    The New dialog box appears.

  7. Fill in the fields described in Table 6-4.

    Table 6-4 Client Profile Parameters

    Field Description

    Client Address

    Specifies the IP address of the RADIUS client from which the RADIUS SSU receives requests.

    To define a range of addresses to receive requests from a group of RADIUS clients, you can use a regular expression.

    For example, to define that the RADIUS SSU receives requests from the clients whose IP addresses start with 10.148, you can set the clientAddress parameter to 10.148.*.*

    Client NAS Identifier

    Specifies the ID of the Network Access Server (NAS) from which the RADIUS SSU receives accounting and access requests.

    To define a range of IDs to receive requests from a group of NASs, you can use a regular expression.

    For example, to define that the RADIUS SSU receives requests from the NASs whose IDs are in the oracle.com domain, you can set the clientNasId to *.oracle.com.

    Authentication Shared Secret Key

    Specifies the key that you associated with the password that the RADIUS SSU uses for authentication requests. You associate keys and passwords using the Credential Store tab.

    Accounting Shared Secret Key

    Specifies the key that you associated with the password that the RADIUS SSU uses for accounting requests. You associate keys and passwords using the Credential Store tab.
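
First-match client profile selection using the two example patterns above, as an added sketch that is not Oracle code. The page does not state how Service Broker interprets these patterns, so the sketch assumes that * stands for one dot-free octet or label and that every other character is literal; loose_extras then shows what an unanchored raw-regex reading of the same string would admit in addition. All function names and sample profiles are hypothetical.

```python
import re

def strict(pattern):
    """Compile a pattern where '*' is one dot-free label and the rest is literal."""
    return re.compile("[^.]+".join(re.escape(p) for p in pattern.split("*")))

def select_profile(profiles, address, nas_id):
    """Return the name of the first profile whose criteria both fit, else None."""
    for name, addr_pat, nas_pat in profiles:
        if strict(addr_pat).fullmatch(address) and strict(nas_pat).fullmatch(nas_id):
            return name
    return None

def loose_extras(pattern, probes):
    """Probes that an unanchored raw-regex reading admits but strict() rejects.

    Returns None when the pattern is not a valid regular expression at all.
    """
    try:
        raw = re.compile(pattern)
    except re.error:
        return None
    return [p for p in probes if raw.search(p) and not strict(pattern).fullmatch(p)]

# Constructed profiles in evaluation order: (name, clientAddress, clientNasId).
# The narrower profile comes first because the first fitting profile is applied.
PROFILES = [
    ("lab", "10.148.7.*", "*.lab.oracle.com"),
    ("corp", "10.148.*.*", "*.oracle.com"),
]

# Constructed probe addresses for auditing a clientAddress pattern.
PROBES = ["10.148.1.2", "110.148.1.2", "10.149.1.2"]
```

Running loose_extras over a pattern before entering it in the console shows whether the intended range and the range an unanchored regex would accept differ, which is the case for 10.148.*.* and the probe 110.148.1.2.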


Specifying AVPs to Be Copied from a Request to a Response

To specify the AVPs:

  1. In the navigation tree in the domain navigation pane, expand OCSB.

  2. Expand the Signaling Tier node.

  3. Select the RADIUS SSU node.

  4. Click the RADIUS tab and then the Client Profile tab.

  5. Click the Avps to copy from Request to Response tab.

  6. Click New.

    The New dialog box appears.

  7. In the New dialog box, in the Attribute Name field, enter the name of the AVP that the RADIUS SSU needs to copy.

  8. Click OK.

    The new AVP appears in the configuration screen.

Configuring Proxy Realm

When you configure a proxy server, you define the following:

Configuring a Proxy Realm

To configure a proxy realm:

  1. In the navigation tree in the domain navigation pane, expand OCSB.

  2. Expand the Signaling Tier node.

  3. Select the RADIUS SSU node.

  4. Click the RADIUS tab.

  5. Click the Proxy Realm subtab and then the Proxy Realm tab.

  6. Click New.

    The New dialog box appears.

  7. Fill in the fields described in Table 6-5.

    Table 6-5 Proxy Realm Parameters

    Field Description

    Name

    Specifies the name of the proxy realm.

    Username Match Criteria

    Specifies the User-Name AVP to be set in the incoming request. If this AVP matches the value of the userNameMatchCriteria parameter, the RADIUS SSU routes the request to the realm specified in the name parameter.

    To define a range of possible names, you can use regular expressions.

    Authentication Shared Secret Key

    Specifies the key that you associated with the password that the RADIUS SSU uses for authentication requests. You associate keys and passwords using the Credential Store tab.

    Accounting Shared Secret Key

    Specifies the key that you associated with the password that the RADIUS SSU uses for accounting requests. You associate keys and passwords using the Credential Store tab.

    Request Timeout

    Specifies the period, in seconds, that the RADIUS SSU waits for a response from the target RADIUS server.

    Number Of Retries

    Specifies the number of times that the RADIUS SSU attempts to send a RADIUS request to the target RADIUS server.


Configuring Target Servers

To configure a target server:

  1. In the navigation tree in the domain navigation pane, expand OCSB.

  2. Expand the Signaling Tier node.

  3. Select the RADIUS SSU node.

  4. Click the RADIUS tab.

  5. Click the Proxy Realm Configuration subtab and then the Target Servers tab.

  6. In the Parent list, select the proxy realm for which you set up the server. The list displays the proxy realms that you configured using the ProxyRealm tab. See "Configuring Proxy Realm" for more information.

  7. Click New.

    The New dialog box appears.

  8. Fill in the fields described in Table 6-6.

    Table 6-6 TargetServers Parameters

    Field Description

    Server Address

    Specifies the IP address of the proxy server.

    Authentication port

    Specifies the port that the RADIUS SSU uses to receive RADIUS authentication messages.

    Accounting port

    Specifies the port that the RADIUS SSU uses to receive RADIUS access messages.


Configuring the Credential Store

You use the Credential Store to securely store, encrypt, and validate the credentials that Service Broker uses to communicate with RADIUS clients and servers. For more information about how the Credential Store works and how you configure credentials, see a discussion on administering Credential Stores in Oracle Communications Service Broker Security Guide.