Per default configuration SBR collects session information of all open sessions in memory and a local file called radads.hst. This file will provide session information even after the server is rebooted. If a Server runs for years and some of these sessions are never closed with an Accounting-Stop SBR continues to track them on local memory and in the local file. So both of them will grow into memory usage. The radads.hst you have is read-in right when you start the server. If it's a big one, the Server will consume a high amount of memory right after you started it. As a first step delete the file radads.hst before you start the server and have a look on the memory usage. You can disable this behavior permanently if you wish but you must consider some drawbacks mentioned in KB14347 then. ... View more

Concurrency controll will only work if you are the final AAA Server (probally after the end of a proxy cain) that does the final authentication. If you are a proxy inbeteen, SBR is not controlling any limits in terms of sessions/realms he just proxy forwards (and may add filterprocessing). He does not generate any Access-Rejects because he is not authenticating. Even if you would consider it as "nice to have feature" as soon as you do MORE then PAP authentication it won't work anymore. For example EAP-TTLS (say you do Wi-Fi or fixed WiMAX). Everybody is encouraged to use EAP-Idents like "[email protected]" and the proxy server can not look into the inner protocol. With looking at the Access-Requests such a proxy receives he can not make any realm based desisions to spoof this. The Username may be "anonymous" or hidden by pseudo identitys. You don't know how much Access-Request / Access-Challenges are send back an forth (between Client and End Server) to complete an authentication for a session. You can't even wait till you see the final Access-Accept send by the remote Authentication server to overwrite it with a reject because this packet does not contain the Username with the realm anymore. The example I used is for tracking sessions at the AAA who is doing the final authentication at the end of a proxy chain. Adding/modifying attributes here to the Access-Request messages will not pass them back. I've used Called-Station-Id because this attribute is one of the fixed attributes you can see/browse for in the 7.2 session GUI. You may use any other homegrown Attribute as well. My example is using directed Realms for selecting the authentication method and filter. Thus from SBR view an Proxy OUT filter would applied to these attributes to an Access-Request before it does the final (see it as a local proxy) authentication. ... View more

The new concurrency Module is to be used on Top of the Session State Register (SSR) to make the concurrency tracking global and not local on a per Server basis. Traditionally SBR checks/limits Concurrency on a per Server basis on the used Authentication-Method PLUS the Username. This is used in a check for being this account unique. As Realms are only a PART of the Username in a regular case you can not use this schema to contoll the amount of sessions per realm (except for Tunnels which is different and also local). BUT in V7.2 the concurrency module enables you not only to use the Authentication-Method PLUS the Username but to do your concurrency checks on ANY other Radius Attribute instead. Depending on how you work with Realms this enables you to apply concurrency checks on a per realm basis. First you must tell SBR on which (new) attribute limits have to be applied. Like in Radiu.ini [Configuration] Apply-Login-Limits = yes Login-Limit-Key = Called-Station-Id To give an example you may use local directed realms that you identify in your Proxy.ini . On each Realm*.dir file you add an individual output filter to all Authentication AND Accounting methods. In the Filter.ini for every Realm you set an individual Attribute Filter that deletes the Attribute you use for realm based checks and set's a uniques new Value identifiying the particular Realm like [Realm1] Allow Exclude Called-Station-Id Add Called-Station-Id Realm1 This will allow to keep controll for the Authentication Methods you use later on in the authentication where for example in a SQL Authentication method you use the %LoginLimit identifier to be used to controll the individual limit for a Realm. It's only an example of how this might be implemented. I can not say if this is what exact you need. It is mandatory for all kinds of session control/limits the AAA Server is getting proper Accounting information because that's the only way those knowledge about the ongoing session can be maintained. ... View more

Depends on what you define as a "provisioning system" SBR has to communicate with. With the SIM option SBR-Carrier >= V7.0 (or the old SBR-SIM version) can talk to an HLR via SS7 (classical T1/E1-Links) or SIGTRAN (IP). SBR receives preprovisioned credentials from the HLR to authenticate sessions using EAP-SIM/AKA in this case. It is a D'-Interface using MAP-messages for authentication from an HLR. MML is used in the product to create the SS7 or SIGTRAN links between the AAA-Server and the Operators SS7-Network to get to the HLR. You would setup Point code Routing or Global Title Routing via the MML files. ... View more

Originally SBR-HA was only designed to run on Solaris Sparc 9 machines. There is a Patch avail to have it supported on Solaris 10. You must open a case with JTAC to get this patch. ... View more