Overview

The SBC Core platforms support Lawful Intercept (LI) functionality using one of the following solutions:

  • Centralized PSX solution consisting of an external PSX, a third-party Intercept Server (IS), and RAMP
  • SBC ERE solution consisting of the ERE, a third-party Intercept Server and EMA

The SBC works in conjunction with the Intercept Server as well as the ERE and EMA (or an external PSX and RAMP) to provide call data and call content to law enforcement agencies for calls involving identified intercept subjects. When it receives matching LI criteria in a policy response from the ERE (or PSX), the SBC routes the call as directed and additionally reports call events to the Intercept Server. It also sends the media stream (call content) to an IP address provided by the Intercept Server.

The SBC supports four types of LI:

  • Default LI
  • IMS LI
  • PCSI LI
  • PacketCable 2.0 LI

To intercept media packets, ensure that the RAMP version is the same as or higher than that of the SBC and PSX platforms.


The following table describes the Call Data Channel (CDC) configuration information required to distinguish between Default LI, IMS LI, PCSI (P-Com.Session-Info) LI, and PacketCable 2.0 LI. It also lists the types of LI supported on different platforms:

LI Types and Supported Platforms

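Legacy LI (default)

  • CDC Configuration: Intercept Standard (PacketCable, PacketCablePlusEtsi); Vendor Id (None/Utimaco/Verint)
  • Platforms: D-SBC (Supported); SBC SWe/SBC 7000 (Supported)
  • Routing Policy: External PSX (Supported); ERE (Supported)
  • LI Interface: X1 (SOAP); X2 (RADIUS, RADIUS over IPsec); X3 (UDP)
  • Streams Supported: D-SBC (Audio Only); SBC SWe/SBC 7000 (Audio only)

PCSI LI

  • CDC Configuration: Intercept Standard (PacketCable); Vendor Id (Ss8)
  • Platforms: D-SBC (Supported); SBC SWe/SBC 7000 (Supported)
  • Routing Policy: External PSX (Supported); ERE (Not Supported)
  • LI Interface: X1 (TLS); X2 (Not Supported); X3 (TCP, TCP over IPsec)
  • Streams Supported: D-SBC (Audio, Video and T140); SBC SWe/SBC 7000 (Audio, Video and T140)

IMS LI

  • CDC Configuration: Intercept Standard (3gpp/etsi); Vendor Id (Verint/utimaco/none/GroupTwoThousand)
  • Platforms: D-SBC (Supported); SBC SWe/SBC 7000 (Supported)
  • Routing Policy: External PSX (Supported); ERE (Supported)
  • LI Interface: X1 (SOAP); X2 (DSR, DSR over IPsec, TLS); X3 (UDP, UDP over IPsec, TCP, TCP over IPsec, TLS)
  • Streams Supported: D-SBC (Audio Only); SBC SWe/SBC 7000 (All Streams)

PacketCable 2.0

  • CDC Configuration: Intercept Standard (PacketcableVTwo); Vendor Id (none/atos)
  • Platforms: D-SBC (Not Supported); SBC SWe/SBC 7000 (Supported)
  • Routing Policy: External PSX (Supported); ERE (Supported)
  • LI Interface: X1 (SOAP); X2 (Diameter, Diameter over IPsec); X3 (UDP, UDP over IPsec)
  • Streams Supported: D-SBC (Not Supported); SBC SWe/SBC 7000 (Audio, Video)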

Note

The SBC CNe does not support multiple Mediation Servers. However, this feature is supported with a single mediation server.

Note

The RAMP supports the Df Group Name field to differentiate the targets from different regions in the X1 interface.

Each country has its own Law Enforcement Agency (LEA) and provisions the targets independently. CALEA deployments share a single RAMP and PSX Primaries. If multiple PSX primaries exist, the RAMP distributes the LI information to all of them.


The admin must first create a user "calea" on the SBC before attempting LI provisioning.

Creating CALEA Users Through CLI

Create a CALEA User

  1. Log on as admin user.
  2. Create a CALEA user by executing the following command:

    % set oam localAuth user calea group Calea
    commit


    You will see a system-generated password. Use this password when you log on as the CALEA user for the first time.

View the CALEA User Status From CLI

View the CALEA user status by executing the following command:

Example: Viewing Single CALEA User
> show status oam localAuth userStatus
userStatus admin {
    currentStatus Enabled;
    userId        3000;
}
userStatus calea {
    currentStatus Enabled;
    userId        3329;
}
[ok]
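
The userStatus output above can be checked against the list of accounts that are supposed to exist, so that an extra enabled account on an LI-capable node stands out. The following is an added example, not Ribbon code: the `calea7` entry and its userId are constructed sample data, and the expected-account list is an assumption maintained by the operator.

```python
import re

# Constructed sample in the format of `show status oam localAuth userStatus`.
# The calea7 entry and its userId are invented for this illustration.
SAMPLE = """\
userStatus admin {
    currentStatus Enabled;
    userId        3000;
}
userStatus calea {
    currentStatus Enabled;
    userId        3329;
}
userStatus calea7 {
    currentStatus Enabled;
    userId        3341;
}
[ok]
"""

BLOCK = re.compile(r"userStatus\s+(\S+)\s*\{(.*?)\}", re.S)
FIELD = re.compile(r"^\s*(\w+)\s+(.+?);\s*$", re.M)


def parse_user_status(text):
    """Return {username: {field: value}} for every userStatus block."""
    return {name: dict(FIELD.findall(body)) for name, body in BLOCK.findall(text)}


def audit(text, expected):
    """Compare the accounts on the node with the operator's expected list."""
    users = parse_user_status(text)
    enabled = {u for u, f in users.items() if f.get("currentStatus") == "Enabled"}
    return {
        # Enabled on the node but not on the expected list: investigate.
        "unexpected_enabled": sorted(enabled - set(expected)),
        # On the expected list but absent from the node.
        "missing": sorted(set(expected) - set(users)),
    }


if __name__ == "__main__":
    print(audit(SAMPLE, ["admin", "calea", "calea1"]))
```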

Create Secondary CALEA Users From CLI to Support Multi-Country LI

Modified: for 12.1.2




The SBC is enhanced to support multiple CALEA users to align with RAMP. This allows "calea" users from different countries to push their targets to the respective X1 interfaces.

Start

  1. Create the primary calea user "calea" as admin user.
    Example
    set oam localAuth user calea group Calea
  2. Log in as the "calea" user and create the secondary calea users ("calea1", "calea2", etc.). All secondary users belong to the same group, "Calea".
    Example
    set oam localAuth user calea1 group Calea
    set oam localAuth user calea2 group Calea
    commit

For additional feature functionality, refer to Multi-Country LI for VoLTE IMS.

Creating CALEA Users Through EMA

Note

You do not need to create a CALEA user for RAMP registered D-SBC setups.

Create a CALEA User

  1. Log in to the EMA GUI.
  2. Select Administration > Users and Application Management > User and Session Management.
  3. Click New User. The Create User panel appears.
  4. Select Calea from the Role drop-down menu.


     

  5. Configure the other fields in the Create User panel.
  6. Click Save.
    The CALEA user is saved with a temporary password, which appears in the Create User panel. Record the temporary password.


     

  7. Click the check mark icon.
  8. Select Admin > Log Out to log out.
  9. A prompt to confirm the logout appears. Click Yes.
  10. Log in to the EMA GUI as the CALEA user with the temporary password.
  11. A prompt to create a new password appears. Enter and confirm the new password.

  12. Click Sign In.

Create Secondary CALEA Users From EMA to Support Multi-Country LI

Modified: for 12.1.2



Create CALEA Users

  1. Log in as user 'calea' and navigate to User and Session Management. The User Management window is displayed.


  2. Click New User on the Users section of the User Management window. The Create User window appears:


  3. In the User field, enter a username for the new calea user you are creating. 

    The following user-naming rules apply:

    • Usernames can begin with A-Z a-z _ only.
    • Usernames cannot start with a period, dash, or digit.
    • Usernames can contain a period(.), dash(-), alphabetic characters, digits, or underscore(_).
    • Usernames cannot consist of digits only.
    • Usernames can contain a maximum of 23 characters.

    The following names are not allowed:

    tty disk kmem dialout fax voice cdrom floppy tape sudo audio dip src utmp video sasl plugdev staff users nogroup i2c dba operator


  4. The Role field is hard-coded to "Calea."  
  5. Specify the following options for the new user account:
    • Allow Interactive Access (CLI and EMA): Enable this flag to allow the user to access interactive interfaces such as CLI/EMA.
    • Allow Machine to Machine Access (REST): Enable this flag to allow the specified user machine-to-machine access to the RESTCONF API. By default, this is Enabled.
    • Disabling of Account Enabled
    • Password Expiration Enabled: (This option is not editable by the calea user)
    • Account Removal Enabled: (This option is not editable by the calea user)
    • Account Enabled: If checked, the account will be enabled immediately.
    • Account Type: (This field is not editable by the calea user)
  6. Click Save. A temporary password is provided for the user to initially log in and create a new password.
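
The user-naming rules in step 3 can be checked before a batch of secondary calea usernames is submitted. The following is an added example, not part of the product: the function names are hypothetical, and it assumes reserved names are matched exactly (case-sensitive), which this page does not specify.

```python
import re

# Reserved names copied from the list in step 3 of this procedure.
RESERVED = frozenset(
    "tty disk kmem dialout fax voice cdrom floppy tape sudo audio dip src "
    "utmp video sasl plugdev staff users nogroup i2c dba operator".split()
)
MAX_LEN = 23
ALLOWED_CHARS = re.compile(r"[A-Za-z0-9._-]+")


def username_violations(name: str) -> list[str]:
    """Return the naming rules that `name` breaks (empty list means it passes)."""
    if not name:
        return ["username is empty"]
    problems = []
    # Covers both "begin with A-Z a-z _ only" and "cannot start with
    # a period, dash, or digit".
    if not re.match(r"[A-Za-z_]", name):
        problems.append("must begin with a letter or underscore")
    if not ALLOWED_CHARS.fullmatch(name):
        problems.append("contains a character other than letters, digits, '.', '-', '_'")
    if name.isdigit():
        problems.append("cannot consist of digits only")
    if len(name) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    # Assumption: reserved names are compared exactly (case-sensitive).
    if name in RESERVED:
        problems.append("reserved name")
    return problems


def rejected(names):
    """Map each failing username to the rules it breaks."""
    return {n: v for n in names if (v := username_violations(n))}


if __name__ == "__main__":
    # Constructed candidate names for illustration.
    for name, why in rejected(["calea1", "calea-de", "1calea", "sudo", "li user"]).items():
        print(f"{name!r}: {'; '.join(why)}")
```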

Edit CALEA Users

The access permission, role, and account-related information can be modified for an existing user.

  1. You cannot edit the name of the user, but you can modify the following settings. See Create a 'calea' User above for descriptions of the options.

    • Allow Interactive Access (CLI and EMA)
    • Allow Machine to Machine Access (REST)
    • Disabling of Account Enabled
    • Account Enabled
  2. Click Save to save your edits.