Access Points in Nokia Siemens Networks Flexi ISN

FISNFI40EMED.03Nokia Siemens Networks Flexi ISN, Rel.

4.0,

Operating Documentation, v. 4

Access Points in Nokia Siemens Networks Flexi ISNDN04134496

Issue 6-3 en

2 DN04134496Issue 6-3 en

Access Points in Nokia Siemens Networks Flexi ISN

Id:0900d8058071050b

The information in this document is subject to change without notice and describes only the product defined in the introduction of this documentation. This documentation is intended for the use of Nokia Siemens Networks customers only for the purposes of the agreement under which the document is submitted, and no part of it may be used, reproduced, modified or transmitted in any form or means without the prior written permission of Nokia Siemens Networks. The documentation has been prepared to be used by professional and properly trained personnel, and the customer assumes full responsibility when using it. Nokia Siemens Networks welcomes customer comments as part of the process of continuous development and improvement of the documentation.

The information or statements given in this documentation concerning the suitability, capacity, or performance of the mentioned hardware or software products are given "as is" and all liability arising in connection with such hardware or software products shall be defined conclusively and finally in a separate agreement between Nokia Siemens Networks and the customer. However, Nokia Siemens Networks has made all reasonable efforts to ensure that the instructions contained in the document are adequate and free of material errors and omissions. Nokia Siemens Networks will, if deemed necessary by Nokia Siemens Networks, explain issues which may not be covered by the document.

Nokia Siemens Networks will correct errors in this documentation as soon as possible. IN NO EVENT WILL Nokia Siemens Networks BE LIABLE FOR ERRORS IN THIS DOCUMENTA-TION OR FOR ANY DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, DIRECT, INDI-RECT, INCIDENTAL OR CONSEQUENTIAL OR ANY LOSSES, SUCH AS BUT NOT LIMITED TO LOSS OF PROFIT, REVENUE, BUSINESS INTERRUPTION, BUSINESS OPPORTUNITY OR DATA,THAT MAY ARISE FROM THE USE OF THIS DOCUMENT OR THE INFORMATION IN IT.

This documentation and the product it describes are considered protected by copyrights and other intellectual property rights according to the applicable laws.

The wave logo is a trademark of Nokia Siemens Networks Oy. Nokia is a registered trademark of Nokia Corporation. Siemens is a registered trademark of Siemens AG.

Other product names mentioned in this document may be trademarks of their respective owners, and they are mentioned for identification purposes only.

Copyright Nokia Siemens Networks 2010. All rights reserved

f Important Notice on Product Safety Elevated voltages are inevitably present at specific points in this electrical equipment. Some of the parts may also have elevated operating temperatures.

Non-observance of these conditions and the safety instructions can result in personal injury or in property damage.

Therefore, only trained and qualified personnel may install and maintain the system.

The system complies with the standard EN 60950 / IEC 60950. All equipment connected has to comply with the applicable safety standards.

DN04134496Issue 6-3 en

3


Id:0900d8058071050b

Table of ContentsThis document has 62 pages.

1 Changes in access points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71.1 Changes in release 4.0 CD4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71.2 Changes in release 4.0 CD3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71.3 Changes in release 4.0 CD2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71.4 Changes in release 4.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81.5 Changes between releases 3.2 and 4.0 . . . . . . . . . . . . . . . . . . . . . . . . . 81.6 Changes between releases 3.1 and 3.2 . . . . . . . . . . . . . . . . . . . . . . . . . 91.7 Changes in release 3.1 CD1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101.8 Changes between releases 3.0 and 3.1 . . . . . . . . . . . . . . . . . . . . . . . . 101.9 Changes in release 3.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101.10 Changes between releases 2.0 and 3.0 . . . . . . . . . . . . . . . . . . . . . . . . 11

2 Introduction to access points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132.1 Purpose of access points. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132.2 Basic access point functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132.2.1 Access point name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132.2.2 Alias name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142.2.3 Access points for corporations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142.2.4 Access point types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152.3 Licensing and access points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152.4 Service aware configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152.5 IP management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162.5.1 Dynamic and static mobile addresses . . . . . . . . . . . . . . . . . . . . . . . . . . 162.5.2 Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172.5.3 Basic DHCP functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172.5.4 DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182.5.5 Network address translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182.6 RADIUS servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182.6.1 RADIUS authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182.6.2 RADIUS accounting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192.6.3 RADIUS Disconnect. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192.7 IMS functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192.7.1 P-CSCF discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

3 Configuring IPv4 access points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213.1 Creating IPv4 access points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213.2 Configuring AP IPv4 limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263.3 Configuring AP IPv4 authentication and address allocation methods . . 263.4 Configuring AP IPv4 DHCP interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . 283.5 Defining RADIUS profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293.6 Configuring AP IPv4 RADIUS interfaces . . . . . . . . . . . . . . . . . . . . . . . . 353.7 Configuring AP IPv4 L2TP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373.8 Configuring AP IPv4 security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383.9 Configuring AP IPv4 toll-free network . . . . . . . . . . . . . . . . . . . . . . . . . . 383.10 Configuring AP IPv4 DNS server IP addresses. . . . . . . . . . . . . . . . . . . 39

4 DN04134496Issue 6-3 en


Id:0900d8058071050b

3.11 Configuring AP IPv4 WINS server IP addresses . . . . . . . . . . . . . . . . . . 403.12 Configuring AP IPv4 session timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . 403.13 Configuring AP IPv4 Quality of Service . . . . . . . . . . . . . . . . . . . . . . . . . 413.14 Configuring AP IPv4 P-CSCF discovery . . . . . . . . . . . . . . . . . . . . . . . . . 423.15 Configuring AP IPv4 charging options . . . . . . . . . . . . . . . . . . . . . . . . . . 433.16 Configuring AP IPv4 Roaming Profile charging options . . . . . . . . . . . . . 453.17 Activating the access point configuration . . . . . . . . . . . . . . . . . . . . . . . . 463.18 Configuring default services for IPv4 access point . . . . . . . . . . . . . . . . . 47

4 Configuring IPv6 access points. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484.1 Creating IPv6 access points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484.2 Configuring AP IPv6 limitations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504.3 Configuring AP IPv6 user equipment IP addresses . . . . . . . . . . . . . . . . 504.4 Configuring AP IPv6 security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514.5 Configuring AP IPv6 session timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . 524.6 Configuring AP IPv6 Quality of Service . . . . . . . . . . . . . . . . . . . . . . . . . 534.7 Configuring AP IPv6 DNS discovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . 544.8 Configuring AP IPv6 P-CSCF discovery . . . . . . . . . . . . . . . . . . . . . . . . . 544.9 Configuring AP IPv6 charging options . . . . . . . . . . . . . . . . . . . . . . . . . . 554.10 Activating the access point configuration . . . . . . . . . . . . . . . . . . . . . . . . 56

5 Other access point operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585.1 Configuring aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585.2 Copying access points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585.3 Deactivating access points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595.4 Deleting access points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

6 Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61


5


Id:0900d8058071050b

List of FiguresFigure 1 Roaming Profile Charging configuration . . . . . . . . . . . . . . . . . . . . . . . . 45Figure 2 OCS Diameter Peer Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

6 DN04134496Issue 6-3 en


Id:0900d8058071050b

List of TablesTable 1 RADIUS-related configuration parameters . . . . . . . . . . . . . . . . . . . . . . 35


7

Access Points in Nokia Siemens Networks Flexi ISN Changes in access points

Id:0900d805807104e2

1 Changes in access points

1.1 Changes in release 4.0 CD4Changes in contentA new access point mode, PCRF, is supported.

Changes in documentationThe following sections have been updated with information about the PCRF access point mode:

Creating IPv4 access points Configuring default services for IPv4 access point Access points for corporations Service aware configuration Configuring aliasesSection Licensing and access points has been updated with information about the Diameter Policy Control license.

Section Configuring AP IPv4 Roaming Profile charging options has been updated.

A Note has been added in Section Configuring AP IPv4 authentication and address allo-cation methods.

1.2 Changes in release 4.0 CD3Changes in contentThe feature Roaming Profile is supported.

New parameters, concerning RADIUS servers, that cannot be changed while an IPv4 Access Point is active have been added.

Changes in documentationA new note has been added in step Define the user equipment IP addresses.

Section Configuring AP IPv4 Roaming Profile charging options has been added.

Section Creating IPv4 access points has been updated.

1.3 Changes in release 4.0 CD2Changes in contentGTP Information Enrichment can be configured for each access point.

Optional Radius Accounting in 3GPP mode is now supported by Flexi ISN.

In the RADIUS Profile Configuration, the description of the parameter Optional Authen-tication has been updated.

Changes in documentationSection Defining RADIUS profiles has been updated with the above-mentioned content changes.

8 DN04134496Issue 6-3 en


Id:0900d805807104e2

Changes in access points

Section Configuring AP IPv4 authentication and address allocation methods has been updated with the addition of the Use GTP Information Enrichment drop-down list.

Section Defining RADIUS profiles has been updated with the addition of 3GPP, server optional option for the Account Server Operation parameter.Sections Configuring AP IPv4 charging options and Configuring AP IPv6 charging options have been updated with new information about disabling CDRs for Flat-rate Users.

1.4 Changes in release 4.0Changes in contentIn the L2TP access point configuration, the default values for Shared Secret and Hostname have been changed.

A new license has been added, which affects access points: Network Based QoS.

A new parameter has been added to access point Quality of Services: TREC ID for roamers.

The Go interface is no longer supported.

Changes in documentationSection Configuring AP IPv4 L2TP has been updated with the above-mentioned content changes.

Section Licensing and access points has been updated with the new license.

The instructions in Section Configuring AP IPv4 Quality of Service have been updated with the new parameter.

1.5 Changes between releases 3.2 and 4.0Changes in contentThe IP pool configured in the LNS is now optional to configure in the AP Configuration, when the Dynamic Tunnels parameter is enabled and the RADIUS server is config-ured to provide L2TP tunnel attributes during the authentication phase.

Antispoofing can now be disabled for L2TP access points.

The IP address lifetime feature is now supported. That is, there is a time period when the same addresses from the local IP pool are not re-allocated. This is configured with the new Quarantine Time parameter.Charging has been enhanced with overbilling protection.

A new license has been added, which affects access points: Mobile Router.

The value option None has been removed from the User Authentication Method parameter.

The Account Server Operation parameter no longer has the value None as one of the options.

RADIUS profiles for access points are now configured on separate Voyager pages.

The access point configuration can now contain multiple static IP range definitions.


9


Id:0900d805807104e2

Changes in documentationSection Creating IPv4 access points has been updated with the above-mentioned content change.

Section Licensing and access points has been updated with the new license.

Section Configuring AP IPv4 authentication and address allocation methods: the values for the User Authentication Method parameter have been updated.

Sections Configuring AP IPv4 limitations and Configuring AP IPv6 limitations: instruc-tions have been added for defining the IP address quarantine time.

Section Configuring AP IPv4 security: instructions have been added for the new IP Spoofing Prevention parameter.

Configuring AP IPv4 charging options and Configuring AP IPv6 charging options: instructions have been added for the new Overbilling Protection parameter.

A new section has been added: Defining RADIUS profiles.

The following section has been removed: Configuring RADIUS switch-over time (the instructions for this are now included in Section Defining RADIUS profiles.

Section Creating IPv4 access points: the instructions for defining the user equipment IP addresses has been updated.

Section Configuring AP IPv4 RADIUS interfaces: additional information has been added related to RADIUS accounting servers 3-7.

1.6 Changes between releases 3.1 and 3.2Changes in contentCharging options configuration:

A new parameter has been added (CDR Generation). A new value has been added to the Default Charging Profile parameter

(Postpaid with Credit Control).

Changes in documentationSection Access point types: the descriptions concerning Generic Routing Encapsulation (GRE) and IP over IP have been modified.

Section Network address translation (NAT): the information about disabling the NAT functionality has been updated.

The instructions in the following sections have been updated with the above-listed parameter changes:

Configuring AP IPv4 charging options Configuring AP IPv6 charging optionsThe document has also been updated to reflect the layout changes in the Voyager inter-face.

10 DN04134496Issue 6-3 en


Id:0900d805807104e2


1.7 Changes in release 3.1 CD1Changes in contentA new parameter has been added to RADIUS interface configuration: Accounting to Authenticated Server.

A new parameter has been added to access point common configuration: RADIUS Switchover Time.

Changes in documentationThe instructions in Section Configuring AP IPv4 RADIUS interfaces have been updated with the new parameter.

The following new section has been added: Configuring RADIUS switch-over time.

1.8 Changes between releases 3.0 and 3.1This includes all changes made in release 3.0 (and listed further below).

Changes in contentThe number of dynamic IP address ranges that can be configured for an access point has been increased from 4 to 10.

Hot billing can be configured for the default charging profile.

Changes in documentationThe following sections have been updated:

Creating IPv4 access points Configuring AP IPv4 RADIUS interfaces Configuring AP IPv4 DNS server IP addresses Configuring AP IPv4 Quality of Service Configuring AP IPv4 charging options Configuring AP IPv6 charging options

1.9 Changes in release 3.0Changes in content NetBIOS name servers (WINS) can be configured for IPv4 access points.

The values for the Send Interim When Container Closed parameter have been modified: the only possible values now are Disabled or Enabled.

The following access point types have been removed:

GRE (all) IP over IP (all)New RADIUS configuration attributes have been added:

Send Interim When Container Closed RADIUS Accounting Mode Tunneling in Authentication Tunneling in Accounting RADIUS Client Tunneling IP Address


11


Id:0900d805807104e2

A new attribute has been added for DHCP interface configuration: Tunneling.

A new attribute has been added for configuring charging options: Charging Limit Profile.

Changes in documentationThe following sections have been updated:

Access point types Configuring AP IPv4 DHCP interfaces Configuring AP IPv4 RADIUS interfaces Configuring AP IPv4 session timeouts Configuring AP IPv4 charging options Configuring AP IPv6 charging options

1.10 Changes between releases 2.0 and 3.0Changes in contentIPv6 access points are supported.

New RADIUS configuration attributes have been added:

Four sets of RADIUS Disconnect Server configuration entries have been added into the IPv4 access point. Each set consists of: Disconnect Server IP Address, Discon-nect Server Secret Key, and Disconnect Server Description.

Vendor-specific attributes can be encoded in one attribute or each in a separate attribute, depending on the configuration.

Responses to RADIUS authentication requests can be marked as optional. It is possible to define whether the Flexi ISN sends RADIUS Accounting STOP or

OFF message when an access point is disabled or enabled.

The 'Override User Name Containing APN/MSISDN' function now also applies to L2TP access points.

The Go interface in IPv4 and IPv6 access points is supported.

A new configuration defines attributes used in P-CSCF discovery.

The TREC identifier in access point configuration defines the default QoS for PDP con-texts.

CDR generation for flat-rate users can be disabled in the access point configuration.

Changes in documentation

Section Configuring AP IPv4 RADIUS interfaces has been updated.

Section Configuring AP IPv4 allocation methods has been updated and renamed Con-figuring AP IPv4 authentication and address allocation methods.

More information has been added to Sections Configuring AP IPv4 session timeouts and Configuring AP IPv6 session timeouts.

Instructions for configuring IPv6 access points have been added.

Configuration of services has been placed in a new separate document, Service Con-figuration in Flexi ISN.

Descriptions related to routing and tunnelling have been moved to Routing and Tunnel-ling in Flexi ISN.

12 DN04134496Issue 6-3 en


Id:0900d805807104e2


RADIUS attributes are no longer listed in this document, as they can be found in RADIUS Interface Description, Flexi ISN.


13

Access Points in Nokia Siemens Networks Flexi ISN Introduction to access points

Id:0900d805806955ee

2 Introduction to access points

2.1 Purpose of access pointsAn access point encapsulates the information required to access a particular service. Every PDP context creation request defines the access point. Based on this information the Flexi ISN will then define what services are allowed in the PDP context. The static access point configuration groups together many configuration parameters such as:

access point type, which defines the Gi connection type for the user plane traffic of the PDP context

IP address allocation and IP address pools associated with the access point RADIUS authentication and accounting overload control, for example the maximum number of PDP contexts security control for inter-mobile traffic DNS configuration IMS configuration for the P-CSCF discovery access-point-specific QoS control determination of allowed services for service aware PDP contexts default charging profileStatic access point configuration also states how the dynamically defined information is determined. For example, if the access point mode is RADIUS, the Flexi ISN will fetch the user profile from the RADIUS authentication server, and the access point configura-tion also defines the used RADIUS authentication server.

The number of access points required in the Flexi ISN depends on the services that are accessed through Flexi ISN. The minimum requirement is to have at least the following access points:

1 AP for general service access 1 AP for each corporate connection supported in Flexi ISNIf service awareness is not enabled in Flexi ISN, or the single access point name concept has not been taken fully into use, the following additional differentiation may be required:

1 AP for Internet access 1 AP for MMS traffic 1 AP for WAP accessAdditional access points may be required for various intranet connections. In general, at least one access point is required for each distinct data network, which has different IP connectivity.

2.2 Basic access point functionality

2.2.1 Access point nameIn the GPRS/3G backbone, the access point name (APN) is a reference that the Flexi ISN uses to select the correct access point. The APN is also used towards external control elements as the access point identifier. The APN is included, for example, in charging interfaces and RADIUS interfaces.

14 DN04134496Issue 6-3 en


Id:0900d805806955ee

Introduction to access points

To make the APN available to the SGSN, the APN must be configured in the packet core domain name system (DNS) as an A-type resource record. If the access point mode is context prohibited, then the APN is not configured to the DNS system, because the APN cannot be used directly in PDP context activations.

The APN is composed of two parts: the APN network identifier and the APN operator identifier. When a PDP context is activated, the SGSN selects the correct Flexi ISN for the PDP context creation based on the full APN, which consists of both the APN network identifier and APN operator identifier. When the PDP context activation request arrives at the Flexi ISN, the request contains only the APN network identifier.

The APN is defined in 3GPP specification 23.003.

APN network identifierThe APN network identifier is a mandatory label (for example, corporation), or a set of labels separated by dots. The labels are fully qualified domain names according to the DNS naming conventions (for example, company.com). To guarantee the identity of the APN, the GPRS/3G PLMN should allocate, either to an internet service provider (ISP) or a corporation, an APN network identifier identical to their domain name in the public Internet. The APN network identifier should not end in '.gprs' because that value is used in the APN operator identifier.

The APN configured in the Flexi ISN defines the APN network identifier.

APN operator identifierThe APN operator identifier is composed of three labels. The last label (or domain) must be 'gprs'. The first and second labels together uniquely identify the GPRS PLMN. For each operator, there is a default APN operator identifier (that is, the domain name). This default APN operator identifier is derived from the IMSI as follows: mnc.mcc.gprs.

The APN operator identifier is not used in the Flexi ISN configuration.

2.2.2 Alias nameAccess points can also have alternative short names called aliases (but not in the context prohibited mode. For more information, see Section Creating IPv4 access points). To make an alias available to the SGSN, the alias has to be configured in the packet core DNS as a CNAME-type resource record. This means that the alias name should not point to an access point that has the context prohibited mode.

An alias is indistinguishable from a real access point from the point of view of the GPRS subscriber. The charging records resulting from the sessions to an alias will always indicate the name of the requested access point (that is, the alias), which can be used to differentiate charging as if there were two separate actual access points.

2.2.3 Access points for corporationsIn Flexi ISN each corporation requires either their own access point with the GGSN, NPS, PCRF, RADIUS mode or a normal AP. In the first case, it is possible to activate additional access points and use the corporate AP together with a general service. The latter option is for cases where exclusive corporate access is required. The security of the Flexi ISN guarantees that there is no direct connection between the corporate access point and another access point.


15


Id:0900d805806955ee

2.2.4 Access point typesThe access point configuration defines how the user plane traffic packets are forwarded to external packet data networks, which are connected to Flexi ISN through the Gi inter-face. The following IPv4 access point types are supported by the Flexi ISN:

Normal (IPv4)User plane traffic is forwarded as plain IPv4 traffic in the Gi interface. The Flexi ISN supports multiple routing instances and virtual LAN networking. This means that it is possible to define plain IPv4 access points, which still provide distinct IPv4 connec-tivity.

Generic Routing Encapsulation (GRE)User plane traffic is encapsulated inside a GRE tunnel. The access point configura-tion defines the end points of the GRE tunnel.

IP over IPUser plane traffic is encapsulated inside an IP-IP tunnel. The access point configu-ration defines the end points of the IP-IP tunnel.

Native IPv6User plane traffic is forwarded as plain IPv6 traffic in the Gi interface.

IPv6 tunnelling over IPv4User plane traffic is encapsulated inside an IPv4 tunnel.

Layer 2 Tunneling Protocol (L2TP)User plane traffic is encapsulated inside an L2TP tunnel. There is one L2TP session for each activated PDP context.

2.3 Licensing and access pointsThe following Flexi ISN licenses affect access points:

IPv6 Access Point Support Tunnelling (L2TP, GRE) RADIUS additions Alias APN IMS Support Service Based QoS User Profile LDAP/Radius Mobile Router Network Based QoS Diameter Policy Control

2.4 Service aware configurationPurpose of service awarenessIf service awareness is enabled in the Flexi ISN, the full potential of the access point functionality can be realized. One of the main reasons for having service awareness is the simplified access point provisioning to user equipment. This so-called single access point name (APN) concept makes it possible to provision just one APN to the user equip-ment, and the activated services for the PDP context are determined dynamically during PDP context activation. In addition, service awareness makes it possible to activate multiple services in the same PDP context, even if they are using a distinct Gi connec-

16 DN04134496Issue 6-3 en


Id:0900d805806955ee


tion defined by separate access points. For more information about service awareness, see Service Awareness in Nokia Siemens Networks Flexi ISN.

Access point modesThe service awareness functionality is enabled by the access point Mode parameter in the access point configuration. The access point Mode parameter defines the Flexi ISN's behavior regarding the subscriber's session when the access point is directly requested by the subscriber in a Create PDP Context request or though an alias. The access point modes are the following:

NormalThe session will use the access point in the traditional way, with no support for service awareness. This is the only mode available for IPv6 access points.

GGSNThe session will use service awareness. The active services and the charging profile are defined in the local configuration, but the active services may also be imposed by the PCS/OCS.

PCRFThe session will use service awareness. The active services and the charging profile are defined in the local configuration, but the active services may also be imposed by the PCS.

RADIUSThe session will use service awareness. The user profile is fetched from the RADIUS authentication server.

NPSThe session will use service awareness. The user profile is fetched from the Nokia Siemens Networks Profile Server

Context prohibitedThe activation request will be rejected when the AP is directly requested by the sub-scriber in a Create PDP Context request or through an alias. In this case the access point is a private access point and it can be used only as service access points (see Service Awareness in Nokia Siemens Networks Flexi ISN).

In summary, the access point mode defines how the user profile is defined when a PDP context is activated. The user profile defines what services are active in the PDP context. Each service is linked to an access point. Based on this linkage, the Flexi ISN will activate one or more Gi connections for the new PDP context, and access points define the configuration of these Gi connections.

2.5 IP management

2.5.1 Dynamic and static mobile addressesThe Flexi ISN can accept a static IP address for the user equipment or it can provide a dynamic address that is valid only during the PDP context activation. Static addresses are useful in some special cases, but usually dynamic addressing is preferred. Static addresses are stored in the user profile in the HLR. Because the address defines the router through which the Internet is accessed, the fixed address must be allocated either from the accessed intranet or from the Flexi ISN network mask. The access point con-figuration defines the IP addresses that can be accepted as static addresses.


17


Id:0900d805806955ee

In most cases, the user equipment will request a dynamic IP address. There are four ways to allocate a dynamic IP address:

The Flexi ISN has its own address pool. This is the only address allocation method supported by the Flexi ISN when the address is an IPv6 address.

The Dynamic Host Configuration Protocol (DHCP) is able to discover a free IP address in the address pool that is maintained by a DHCP server. Many other con-figuration parameters within the network can be set by the same negotiation.

A RADIUS server can give an IP address when authentication is done. The Flexi ISN sends Accounting Start and Accounting Stop messages to release the allocated IP address.

When using an L2TP type access point, the L2TP network server (LNS) assigns the dynamic address for the user equipment.

2.5.2 RoutingAccess point configuration defines the routing functionality. It is possible to rely on static routes, but dynamic routing protocols such as OSPF can be also enabled in the access point configuration. The available routing configuration depends on the access point type. For example, OSPF is supported only in access points that are using a tunnelled Gi connectivity. For more information about routing and tunnelling, see Routing and Tunnelling in Nokia Siemens Networks Flexi ISN.

2.5.3 Basic DHCP functionalityWhen a Flexi ISN access point is configured to obtain user equipment (UE) IP addresses from the Dynamic Host Configuration Protocol (DHCP) servers, the access point configuration contains up to four DHCP server addresses. Multiple DHCP servers are configured for providing server redundancy. The Flexi ISN does not broadcast DHCP messages, but sends the DHCP messages to the servers named in the access point configuration. The Flexi ISN plays the part of a Relay Agent towards the DHCP servers and sends the DHCP messages across the local area networks. In addition to that, the Flexi ISN also runs the DHCP client state machines for the UEs. This involves taking care of all the IP address leases for the UEs by requesting, accepting, renewing, rebounding, and releasing them at appropriate times. When the DHCP server gives the DNS server IP addresses, they are sent to the UE in the GTP Protocol Configuration Options parameters.

The sending of the release message can be either enabled or disabled. When the PDP context is deleted, it is possible either to give the allocated IP address away or to let the DHCP server hold it for the rest of the lease time. If the number of available IP addresses is small, it is better to release the allocated address whenever possible. If there are plenty of addresses available, it might be better not to release the allocated address, because the next time the subscriber makes a GPRS/3G call the subscriber will be given the same address if there is some lease time left.

g The Flexi ISN generates the hardware address for the DHCP sessions from the last 12 digits of the IMSI. Therefore, it is important to make sure that none of the sub-scribers using a particular DHCP access point will be creating two sessions (that is, two primary PDP contexts) to this access point simultaneously from the same equip-ment, by error or intentionally. If the Flexi ISN reports 'PDP address collision' under a DHCP access point, it is a strong indicator of this problem.

18 DN04134496Issue 6-3 en


Id:0900d805806955ee


If this cannot be avoided, it is advisable to use the IP address allocation from the internal Flexi ISN pool.

2.5.4 DNS User equipment may also need to get the IP address of DNS servers. This information can be configured in the access point. The Flexi ISN may also receive the DNS server address from the DHCP or RADIUS server. If L2TP is used in the access point, the LNS may define the IP address of the DNS server.

Additional DNS servers may be defined in the secondary access point. The Flexi ISN is able to redirect DNS requests to these servers, if needed. For more information, see Service Awareness in Nokia Siemens Networks Flexi ISN.

2.5.5 Network address translation (NAT)By default, a new dynamic IP address is allocated for each activated access point. If more than one access point is activated when the PDP context is created, the user profile defines the primary access point (see Service Awareness in Nokia Siemens Networks Flexi ISN). The IP address of the user equipment will be defined by the primary access point. The Flexi ISN may have to allocate additional IP addresses to be used in the secondary Gi connections, which are defined by the secondary access point. If another IP address is allocated for the user equipment based on secondary access point configuration, the IP address(es) are not passed to the user equipment. Instead, they are stored internally in the Flexi ISN. When an uplink packet is to be sent to the other access point, the downlink IP address of the packet is changed. Similarly, when a downlink packet is received and it belongs to another access point, the downlink IP address of the packet is changed. In other words, the Flexi ISN uses the network address translator (NAT).

The NAT functionality may be disabled if all of the following conditions are true:

NAT is disabled in the secondary access point configuration (the Use Primary Address for Secondary Connection parameter is set to Enabled).

The IP address of the user equipment in the primary access point is valid also in the secondary access point (it matches the static IP range defined in the secondary access point).

The primary and the secondary access points are in different routing instances.Access point provisioning should make sure that NAT is not used in cases where NAT would break application protocols. For more information, see RFC 2993 and 3027. For example, the FTP passive mode must be used according to the recommendation in Section 4 of RFC 2428.

2.6 RADIUS servers

2.6.1 RADIUS authenticationRemote authentication dial-In user service (RADIUS) authentication is performed when a primary PDP context is created. The RADIUS server can then authenticate the PDP context and deny PDP context activation, if necessary. The RADIUS server may also provide information to the PDP context, such as the IP address of the user equipment


19


Id:0900d805806955ee

and the DNS server address. RADIUS may also define the user profile used in service aware PDP contexts.

The access point configuration defines whether RADIUS authentication is performed. Responses to RADIUS authentication can be marked optional if RADIUS authentication is used only to inform the RADIUS server about new PDP contexts. The access point configuration defines 1-2 RADIUS authentication servers. The same servers can be used in many access points.

2.6.2 RADIUS accountingRADIUS accounting messages are sent in following cases:

when a PDP context is created (RADIUS accounting START message) when a PDP context is updated (RADIUS accounting INTERIM message) when a PDP context is terminated (RADIUS accounting STOP) when an access point or the Flexi ISN is enabled (RADIUS ON message) when an access point or the Flexi ISN is disabled (RADIUS OFF message)The access point configuration defines whether sending these accounting messages is enabled. It also defines the used RADIUS accounting servers. The access point config-uration defines the primary and secondary RADIUS server, and additional 1-5 RADIUS servers.

2.6.3 RADIUS DisconnectThe Flexi ISN also supports RADIUS Disconnect messages. The access point configu-ration defines the RADIUS servers that may send Disconnect messages. If the Flexi ISN receives a Disconnect message, it will terminate the related PDP context.

2.7 IMS functionality

2.7.1 P-CSCF discoveryTo use Session Initiation Protocol (SIP) services, the user equipment needs to know the IP address of the P-CSCF. If this information is not configured in the user equipment, 3GPP has defined following alternatives in specification 23.228:

P-CSCF discovery based on DHCP P-CSCF discovery based on GPRS procedureThe Flexi ISN supports both of these methods, and they are supported in both IPv4 and IPv6 access points.

If the GPRS procedure is used for P-CSCF discovery, the user equipment uses special protocol configuration options (PCO) when it requests PDP context activation. The Flexi ISN then returns P-CSCF addresses in the PDP context activation response. The access point configuration defines how many P-CSCF addresses are returned to the user equipment. The actual P-CSCF addresses are not part of the access point config-uration.

If DHCP is used for P-CSCF discovery, the user equipment will send a DHCP request after the PDP context has been activated. The Flexi ISN is then acting as a DHCP relay agent and it will forward the DHCP request to the actual DHCP server. The access point

20 DN04134496Issue 6-3 en


Id:0900d805806955ee


configuration defines the IP address of the DHCP relay agent and where the DHCP requests are relayed. This DHCP configuration is separate from the basic DHCP config-uration, which is used to allocate IP addresses for user equipment. The DHCP server will then define the IP address of the P-CSCF and the Flexi ISN will relay the response back to the user equipment.


21

Access Points in Nokia Siemens Networks Flexi ISN Configuring IPv4 access points

Id:0900d80580710501

3 Configuring IPv4 access points

3.1 Creating IPv4 access pointsPurposeThis procedure provides instructions for creating a new access point (AP) and sets the ID information for a newly created AP. Creating and configuring the new AP provides the foundation for the remaining configuration tasks for IPv4 APs.

Before you startBefore configuring IPv4 APs, make sure that the system is fully configured for the Flexi ISN and that all the required physical interfaces have been set up.

Before starting this procedure, you need a name for the AP.

SummaryBelow are listed all the parameters that cannot be changed on the fly, that is, when the access point is active:

Identification Name Mode

Connection Type Type Virtual Mobile Address Tunnel Local IP Address Tunnel Remote IP Address Routing Instance Secondary Tunnel Address

RADIUS Servers From Radius Authentication Profile

Tunnel Remote IP Address Secondary Tunnel Address Routing Instance Primary Authentication Server IP Address/Port and Secondary Authentica-

tion Server IP Address/Port Authentication Operation Client IP Address Tunnel Local IP Address Client Tunneling IP Address

From Radius Accounting Profile Tunnel Remote IP Address Secondary Tunnel Address Routing Instance All Accounting Server IP Addresses and Ports Account Server Operation Secondary Account Server Mode Client IP Address

22 DN04134496Issue 6-3 en


Id:0900d80580710501

Configuring IPv4 access points

Tunnel Local IP Address Client Tunneling IP Address

From Radius Disconnect Profile Disconnect Server IP addresses 1-4 Client IP Address Tunnel Local IP Address Client Tunneling IP Address

Limitations Methods

IP Address Generation Method User Authentication Method

Mobile's IP AddressesSteps

1 On the Voyager home page, click Routing Instance.An AP belongs to one of the existing routing instances. There is always at least the 'default' instance. All of the traffic on the Gi side is controlled by the selected instance routing tables.

2 In Routing Instances, click Config (default).3 On the main configuration page, click Flexi ISN Configuration.4 In the Access Point Configuration section, click Access Points.

5 Click Create a new access point.6 Choose the type for the access point.

Select the type from one of the following:

normal IPv4 IP over IP GRE tunnel L2TP

This hides the configuration fields that are not used by the selected connection type access points and reveals L2TP-specific fields.

For more information about the types, see Section Access point types.

7 Click Apply.8 In the new screen, continue with access point definition.9 In the Name text box, enter the access point name (APN).


23


Id:0900d80580710501

The APN Network Identifier is a label (for example 'corporation') or a set of labels separated by dots, which is a fully qualified domain name according to the DNS naming conventions (for example 'company.com').

10 In the Description text box, enter a description for the access point.11 Verify that Row Status is Not in Service.

Some of the fields cannot be changed if the access point is active.

12 Select a mode from the following: Normal, GGSN, PCRF, Radius (not used in L2TP), NPS, or Context prohibited.

For information about the different AP modes, see Section Access point modes.

13 In the Numeric ID text box, give the possibility to substitute the APN with an integer in the RADIUS and Diameter messages' Called Station ID attribute.

This feature is required sometimes for the RADIUS servers that do not understand an alphanumeric string. The maximum value is 2147483647. An empty edit box value (or the value zero) indicates the use of the Name as the APN.

14 Define the connection type.Steps

1. If APs utilizing tunnelling are used, follow the steps below, otherwise start with step b:Steps1.1 Select the Tunnel Local IP Address.

This is the address for the remote end-router to use as the destination address for the tunnelled packets. Select the address from the list of loopback interface addresses.

1.2 Enter the Tunnel Remote IP Address.This is the address to use as the destination address for the tunnelled packets. If there are several APs using the tunnel to the same remote IP address, make sure the Tunnel Remote IP Address is also the same in all these access points.

1.3 Enter the Secondary Tunnel Address.This is the destination address of secondary GRE/IP-over-IP or L2TP tunnel. When both tunnel destination addresses are specified, under normal condi-tions load balancing is performed between the tunnels. When one of the tunnels fail, the other tunnel is used for all traffic if the tunnel is of type GRE/IPIP. For L2TP, the PDP contexts of the failed tunnel are deleted and new PDP contexts are created solely to the not failed tunnel.

24 DN04134496Issue 6-3 en


Id:0900d80580710501


g The primary/secondary tunnel address pair must be the same for all access points that have the same tunnelling protocol, MRI and tunnel local address.

Further InformationIf the dynamic tunnelling is enabled in the access point and the Flexi ISN receives tunnel parameters from the RADIUS server, the Flexi ISN will use those parameters for the user instead of the ones described above.

2. Enter the Virtual Mobile Address.The Virtual Mobile Address is the address that the Flexi ISN uses when it is acting as the DHCP relay agent. The Virtual Mobile Address is the first of several addresses from the IP address space of the user equipment. The Virtual Mobile Address is also used for setting up static routes for GRE/IP over IP tunnels.

3. For Normal IPv4 type APs, enable or disable the Redistribute to RIP setting.

If this option is enabled, static routes created for collecting packets for this access point will be marked for redistribution to RIP.

4. For Normal IPv4 type APs, enable or disable the Redistribute to OSPF External setting. If this option is enabled, static routes created for collecting packets for this access point will be marked for redistribution to OSPF.

5. Enable or disable OSPF.The open shortest path first (OSPF) protocol can be enabled for the GRE or IP-in-IP tunnels. OSPF is a routing protocol that advertises the dynamic and/or static mobile address spaces to the remote end router.To use OSPF, the Virtual Mobile Address must be set. It is used as the router identifier.Other settings, such as the OSPF area or OSPF hello/dead intervals, are not necessary since the Flexi ISN learns those from the OSPF hello packets of the remote router.

6. Select the routing instance for the Gi connection defined by the AP.An AP belongs to one of the existing routing instances. There is always at least the 'default' instance. All of the traffic on the Gi side is controlled by the selected instance routing tables.

7. For other than L2TP type APs, enter the ping intervalThe delay, in seconds, between the Internet Control Message Protocol (ICMP) Echo messages (ping) sent to the tunnel Remote IP Addresses. This parameter specifies the interval that a single service blade uses when sending the ping messages. Because all the service blades send these messages, the observed interval is shorter than configured one. If this is set to zero, no ICMP Echo messages are sent.

15 Define the user equipment IP addresses.Steps


25


Id:0900d80580710501

1. Use the IP Address Range and the corresponding Mask Length text boxes to allocate IP addresses for the user equipment. The type of the subnetwork IP address can be dynamic or static.

If the IP Address Generation Method is DHCP or RADIUS, the allocated IP address is checked to be within the subnetwork. If the IP Address Generation Method is GGSN, the subnetwork is a pool of addresses to be allocated for the user equipment.When the Dynamic Tunnels parameter is enabled and the RADIUS server is configured to provide L2TP tunnel attributes during the authentication phase, or when the access point is of type L2TP, the dynamic address pool configured in the LNS is not mandatory to be configured in the AP Configuration.If any of the IP Address Range text boxes is set to 0.0.0.0 and the correspond-ing Mask Length text box is set to 0, all IP addresses are accepted. If all the IP Address Range text boxes are set to 0.0.0.0 and the corresponding Mask Length text boxes are set to 32, none of the IP addresses are accepted.g When the Connection Type is Normal IPv4, do not set the IP address Mask

Length to 0, since the subnetworks are used for configuring static routes.When the Connection Type is one of the tunnels, it is possible to set the static IP address Mask Length to 0. When GRE or IP-in-IP tunnels are used, OSPF cannot advertise the subnetworks and static routes are needed at the other endpoint of the tunnel.

2. For IPv4 and L2TP access points, define whether broadcast type IP addresses are allowed.If this parameter is set to Enabled, the broadcast type IP addresses are allowed. This parameter determines whether addresses with zero or 255 in the last octet are excluded from the mobile pools.g When the IP Address generation method is GGSN, then the minimum

number of dynamic IP Addresses calculated by the pools should be at least

26 DN04134496Issue 6-3 en


Id:0900d80580710501


equal to the number of the SBs available in the Chassis. This ensures that all the SBs will get their fair-share of IP Addresses and guarantee a better system performance.

16 Click Apply.Note that the access point is not ready yet.

If the creation and naming of the access point fails, you will receive an error message. Otherwise, the procedure has been successful.

3.2 Configuring AP IPv4 limitationsPurposeThis procedure sets restrictions on the maximum number of PDP contexts and the maximum number of dynamic addresses that can be active. The license key may set additional restrictions.

Before you startThe creation of an access point with the identification information is a prerequisite. For more information, see Section Creating IPv4 access points.

Note that these parameters cannot be modified when the Row Status is Active.

Steps

1 In the Max Active PDP Contexts text box, enter the maximum number of active PDP contexts allowed.

2 In the Max Dynamic IP Addresses text box, enter the maximum number of dynamic IP addresses allowed.

3 Define the quarantine period for the IP address.This defines the time period (in seconds) when the same IP addresses from the local IP pools are not reallocated. When an allocated IP address is released, it cannot be re-allocated during the configured quarantine period. If all IP addresses are in use or in quarantine, no new PDP contexts can be created.


3.3 Configuring AP IPv4 authentication and address alloca-tion methodsPurposeThis procedure provides instructions for user authentication, dynamic address alloca-tion, and disabling the network address translator (NAT).


27


Id:0900d80580710501

Before you startThe creation of an access point with the identification information is a prerequisite. For more information, see Creating IPv4 access points. Note the following procedures also: Configuring AP IPv4 DHCP interfaces and Configuring AP IPv4 RADIUS interfaces.

Steps

1 Select the method for allocation of the dynamic IP address from the IP Address Generation Method text box.The Flexi ISN may use the DHCP server, the RADIUS server, or its own address pool. When the connection type is L2TP, the value is always L2TP.

2 Define the user authentication method.If RADIUS authentication is used, select one of the following from the User Authen-tication Method drop-down list:

Radius: PAP tokens from the user equipment are required to be used as a user name and a password.

Radius With MSISDN: the MSISDN of the user equipment is used as the user name and 'password' is used as the password.

Radius With APN: the access point name (APN) is used as the user name and 'password' is used as the password.

When the Connection Type is L2TP, select one of the following authentication methods:

L2TP PAP: PAP/PPP/L2TP authentication, PAP tokens from the user are required.

L2TP PAP with MSISDN: PAP/PPP/L2TP authentication, where the MSISDN is used as the username, and 'password' is the password.

L2TP PAP with APN: PAP/PPP/L2TP, where the APN is used as the username, and 'password' is the password.

L2TP PAP with IMSI: PAP/PPP/L2TP, where the IMSI is used as the username, and 'password' is the password.

L2TP CHAP: CHAP/PPP/L2TP, PAP tokens from the user are required.g CHAP credentials received from PCO IE in Create PDP Context Request

can not be used for L2TP Authentication. If CHAP challenge and response are sent from UE, then the only possible options for L2TP are not to use any authentication or to use the L2TP proxy authentication, where CHAP chal-lenge and response are simply forwarded to LNS and there is no real CHAP authentication.

L2TP CHAP with MSISDN: CHAP/PPP/L2TP, where the MSISDN is the username and 'password' is the password.

L2TP CHAP with APN: CHAP/PPP/L2TP, where the APN is the username and 'password' is the password.

L2TP CHAP with IMSI: CHAP/PPP/L2TP, where the IMSI is the username and 'password' is the password.

28 DN04134496Issue 6-3 en


Id:0900d80580710501


L2TP Proxy Auth: CHAP/L2TP, where proxy CHAP authentication is done according to RFC 2661, Section 4.4.5, based on the CHAP tokens received from the user.

3 When Override User Name Containing APN/MSISDN is set to Enabled, the Flexi ISN's behavior is modified as follows:

If PAP or CHAP authentication tokens are received from the UE in PCO IE, and the user name token is not empty, both the user name and the password from the cor-responding tokens will be submitted for authentication. If the password provided by the UE is 'password', the authentication will be immediately rejected.

If the User Authentication Method is set as:

Radius With MSISDN, the MSISDN of the user equipment is used as the user name and 'password' as password.

Radius With APN, the APN is used as the user name and 'password' as pass-word.

4 Select Enabled or Disabled from the Use Primary Address for Secondary Con-nection drop-down list.The secondary connection may use the IP address of the primary connection if this variable is enabled and if the IP address belongs to the address space defined by static IP address/mask of the Access Point of the secondary connection. In this case, network address translation (NAT) is disabled. Address spaces cannot be overlapping if they use the same tunnel or both APs are of type Normal IPv4 in the same routing instance. For more information about overlapping addresses, see Routing and Tunnelling in Nokia Siemens Networks Flexi ISN. If the Flexi ISN fails to use the secondary address, it tries to allocate a new dynamic address for the sec-ondary connection.

5 Select Enabled or Disabled from the Use GTP Information Enrichment drop-down list.

This option permits the use of GTP Information Enrichment feature for this access point. If this parameter is set to Enabled, the GTP Information Enrichment feature is enabled for every pdp context created on this access point. This feature must be configured for each access point separately and is under GTP Information Enrich-ment licence. If the GTP Information Enrichment licence is set to Off, the Use GTP Information Enrichment drop-down list is not visible.


3.4 Configuring AP IPv4 DHCP interfacesPurposeThis procedure provides instructions for configuring DHCP interfaces and specifically provides for address allocation from DHCP servers.

Before you startBefore configuring IPv4 access points, make sure that the system is fully configured for Flexi ISN and that all the physical interfaces have been made.


29


Id:0900d80580710501

Before starting these instructions, make sure that you have the IP address of the DHCP server.

The creation of an access point with the identification information is a prerequisite. For more information, see Section Creating IPv4 access points.

Steps

1 In the IP address edit boxes, enter the IP addresses of the DHCP servers that may be used.

Start filling from IP address 1. Unused DHCP servers should have an IP address of 0.0.0.0.

2 Choose whether Release Message Sending is enabled or disabled. When the PDP context is deleted, it is possible either to give the allocated IP address away or to let the DHCP server hold it for the rest of the lease time. When the number of available IP addresses is small, it is better to release the allocated address whenever possible. When there are plenty of IP addresses it is advisable not to release the available IP address. This means that the next time the user equipment makes a GPRS/3G call it will have the same IP address if there is suffi-cient lease time left for the IP address.

3 Define whether DHCP messages are tunnelled according to the other access point tunnelling configuration.

This parameter is visible only if the access type is GRE Tunnel or IP over IP.


3.5 Defining RADIUS profilesPurposeRADIUS profiles are required when configuring the access point RADIUS interface. These are not used in L2TP.


30 DN04134496Issue 6-3 en


Id:0900d80580710501


Steps

1 On the main Flexi ISN configuration page in Voyager, in the External Interface Con-figuration section, click RADIUS Profiles.

2 Define the RADIUS authentication profile.Steps1. On the RADIUS Profile Configuration page click the Authentication Profile Con-

figuration link.2. Click Create a new Authentication Profile.3. Enter the profile name.4. Define the primary and secondary authentication servers.

Primary/Secondary Authentication Server IP Address: The address of a possible RADIUS authentication server. Leave the default value if the server is not used.

Port Number: The port number of the RADIUS server. Primary/Secondary Authentication Server Key: The secret key of the

server. The maximum length is 255 characters. Do not use excessively long shared secrets because this will unnecessarily penalize the performance when processing RADIUS messages.

Server Description: Additional information about the server.


31


Id:0900d80580710501

5. Configure the following parameters.

Retransmission Timeouts: The number of timeouts in this list specifies the number of attempts the Flexi ISN tries to contact the RADIUS servers. Using the following format: (in seconds, separated by a space).

Authentication Operation: Select one of the following values:- IMSI SGSN: the IMSI and SGSN IP address attributes are included in the Access Request packet.- IMSI SGSN-3GPP: the IMSI and SGSN IP address attributes, among others, are included in the Access Request packet.- Simple Authentication: the Access Request message has no new attri-butes included in the message.

Optional Authentication: If this variable is set to Enabled, the GGSN will ignore the cases when the RADIUS authentication fails, that is, when the RADIUS authentication server does not return a response or rejects the authentication. Note that in some cases the authentication can fail even if this variable is set to Enabled. The GGSN needs a response from RADIUS authentication server to be able to continue, if the Access Point is set to RADIUS mode, or if IP Address Generation Method is set to RADIUS. The default value is Disabled.

Client IP Address: The Flexi ISN will use this address as the source address for RADIUS messages for the access point. It is also used as the value for the NAS-IP-Address attribute. If RADIUS is enabled, the Client IP Address cannot be set to 0.0.0.0.

RADIUS Switchover Time: This determines the switch-over time (in minutes) for all RADIUS servers defined in the access points. If the primary RADIUS server has failed to reply and the Flexi ISN has switched to use the secondary RADIUS server, the Flexi ISN will try the primary server again after the configured switchover time. The default value is 5 (minutes).Note that this can be set only if the ISN Function has been disabled.

Tunnel Local IP Address: The local tunnel IP address for an access point (tunnel GRE, IP-over-IP, or L2TP).

Client Tunneling IP Address: If the access point type is GRE Tunnel or IP over IP and RADIUS authentication is configured to be tunnelled, this IP address will be put into the NAS-IP-Address attribute of the RADIUS request. This parameter specifies the actual source address of the RADIUS message.

6. Click Apply and Save.

32 DN04134496Issue 6-3 en


Id:0900d80580710501


3 Define the RADIUS accounting profile.Steps

1. On the RADIUS Profile Configuration page click the Accounting Profile Config-uration link.

2. Click Create a new Accounting Profile.3. Enter the profile name.4. Configure the primary and secondary RADIUS accounting servers in the same

manner as for RADIUS authentication servers.

5. Configure up to up to five possible fire-and-forget RADIUS accounting servers in the same manner as for the primary and secondary accounting servers.The configured servers are used only if a primary/secondary accounting server is configured.Note that If there is no reply to a RADIUS Accounting Start message for a PDP context from the primary or secondary accounting servers, nothing will be sent to accounting servers 3 to 7 regarding the PDP context.

6. Configure the following parameters.


33


Id:0900d80580710501

Account Server Operation: Select one of the following values.Note that this parameter cannot be changed if the Row Status is Active.- WAP Gateway: The account server is actually a WAP gateway that uses the supplied information for special purposes (for more information, see the WAP gateway documentation). When the connection to the server fails, the PDP context creation is rejected.- WAP Gateway, server optional: The account server is a WAP gateway. The PDP context creation is accepted even when there is failure of either authentication or connection to the server. The WAP gateway may then offer a limited set of services.- IP Address Release: This is extra information that is sent to the accounting server whenever a new PDP context is either created or deleted. This infor-mation may be used to release an allocated IP address.- 3GPP: If this option is chosen, an encoding that complies with 3GPP stan-dards is used for the attributes that are sent in the Accounting Request packet (IMSI, SGSN Address, GGSN Address, and Charging Id). In addi-tion, some other 3GPP attributes and the Input-Gigawords attributes are included in the Accounting Request STOP and Accounting Request Interim-Update packets.- 3GPP, server optional: This option combines the 3GPP mode with the capability of creating PDP context, even when there is a failure in the accounting process.

When the Account Server Operation value is WAP-Gateway, server optional, or 3GPP, server optional PDP context creation is not depending on a response to the accounting request. For more information, see RADIUS Interface, Interface Description.

Retransmission Timeouts: The number of timeouts in this list specifies the number of attempts the Flexi ISN tries to contact the RADIUS servers. Using the following format: (in seconds, separated by a space).

Secondary Account Server Mode: If Backup is chosen, the Flexi ISN contacts the primary accounting server first and, if there is no response, then the secondary server. If Redundancy is chosen, the Flexi ISN contacts the primary and secondary servers at the same time. For more information, see Section RADIUS servers.

Interim Accounting: If Enabled is selected, the Flexi ISN sends an Accounting Request Interim-Update message to the RADIUS server when the PDP context is updated.

Send Interim When Container Closed: If Enabled is selected, an interim message is sent when a threshold value is reached and a minimum of 60 seconds has elapsed since the previous periodic interim accounting message.


RADIUS Switchover Time: This determines the switch-over time (in minutes) for all RADIUS servers defined in the access points. If the primary RADIUS server has failed to reply and the Flexi ISN has switched to use the

34 DN04134496Issue 6-3 en


Id:0900d80580710501


secondary RADIUS server, the Flexi ISN will try the primary server again after the configured switchover time. The default value is 5 (minutes).Note that this can be set only if the ISN Function has been disabled.

Notify AP Status Change: This determines whether RADIUS will act on the access point status change.- ON/OFF: changing the access point status from Active to Not in Service leads to the sending of a 'RADIUS accounting OFF' message but no 'RADIUS accounting STOP' messages are sent. Changing the access point status from Not in Service to Active leads to the sending of a 'RADIUS accounting ON' message.- ON/OFF/STOP: changing the access point status from Active to Not in Service leads to the sending of a 'RADIUS accounting OFF' message and possible 'RADIUS accounting STOP' messages. Changing the access point status from Not in Service to Active leads to the sending of a 'RADIUS accounting ON' message.- STOP: no 'RADIUS accounting ON or OFF' messages are sent but possible 'RADIUS accounting STOP' messages are sent if the access point status is changed from Active to Not in service.

Accounting to Authenticated Server: If this parameter is set to Enabled and if authentication is used, accounting for the PDP context will be trans-mitted to the RADIUS server which has the same configuration parameters except the port number (fixed value 1813)



7. Click Apply and Save.4 Define the RADIUS disconnect profile.

Steps

1. On the RADIUS Profile Configuration page click the Disconnect Profile Config-uration link.

2. Click Create a new Disconnect Profile.3. Enter the profile name.4. Define the possible disconnect servers.

Leave the default values if the servers are not used. Disconnect Server IP Address: The IP address of the RADIUS server from

which a disconnect message is accepted. Disconnect Server Secret Key: The secret that is used to authenticate the

RADIUS disconnect server. Disconnect Server Description: A description of the server.

5. Define the following parameters. Tunnel Remote IP Address: This is defined in the general Creating IPv4

access points. Secondary Tunnel Address: This is defined in the general Creating IPv4

access points.


35


Id:0900d80580710501




6. Click Apply and Save.

3.6 Configuring AP IPv4 RADIUS interfacesPurposeThis procedure provides instructions on the configuration of RADIUS interfaces. These are not used in L2TP.

Before you startThe creation of the following is a prerequisite:

an access point with the identification information. For more information, see Section Creating IPv4 access points

the RADIUS profiles. For more information see Section Defining RADIUS profiles.Before starting the configuration of RADIUS interfaces, you should become familiar with the items in Table 1. The information is essential to RADIUS configuration.

Parameter Value range Description

Identification

Numeric ID Integer Some RADIUS servers cannot handle access point names (APNs) and therefore require a numeric value for identification.

See Section Creating IPv4 access points.

Methods

IP Address Gen-eration Method

Options:

GGSN DHCP RADIUS

The dynamic IP address allocation method: to allocate an IP address for the user equipment during authentication.

See Section Configuring AP IPv4 authenti-cation and address allocation methods.

User Authenti-cation Method

Options:

RADIUS RADIUS with

MSISDN RADIUS with APN

The RADIUS authentication method to be used.


Table 1 RADIUS-related configuration parameters

36 DN04134496Issue 6-3 en


Id:0900d80580710501


Use the information in Table 1, along with the following instructions:

Steps

1 On the access point configuration page, from the Dynamic Tunnels drop-down list, select Enabled or Disabled.

If Enabled is selected, the RADIUS server can specify the tunnel type and the parameters for opening a dynamic tunnel. Attributes are included in the Access-Response packets.

2 In Encode Vendor-Specific Attributes Separately, select Enabled or Disabled.RADIUS supports two encoding methods for vendor-specific attributes. If the value enabled is selected, each vendor-specific attribute is encoded to a separate RADIUS attribute.

If the value is disabled, multiple vendor-specific attributes can be bundled to one RADIUS attribute, if they all use the same vendor identifier.

3 From the Accounting Mode drop-down list, select Asynchronous or Synchronous.In the asynchronous mode the Flexi ISN sends the PDP context response to the SGSN before the accounting reply has been received. This makes the PDP context activation faster.

Override User Name Contain-ing APN/ MSISDN

Enabled/Disabled This parameter may be used to fine-tune the Flexi ISN's behaviour when the User Authentication Method is RADIUS / L2TP PAP / L2TP CHAP with MSISDN / APN / IMSI.

When Enabled, the Flexi ISN's behaviour is modified as follows:

If PAP or CHAP authentication tokens are received from the UE in the PCO informa-tion element (IE), and the user name token is not empty, both the user name and the password from the corresponding tokens will be submitted for authentication. If the password provided by the UE is 'pass-word', the authentication will be immedi-ately rejected.


Parameter Value range Description

Table 1 RADIUS-related configuration parameters (Cont.)


37


Id:0900d80580710501

In the synchronous mode the Flexi ISN waits for the accounting reply to arrive before responding to the SGSN. The PDP context will not be activated unless the account-ing reply has been received.

4 Select the RADIUS profiles to be used, if any.For instructions on creating RADIUS authentication, accounting, and disconnect profiles, see Section Defining RADIUS profiles.

5 Click Apply.Note that the AP is not ready yet.

Further InformationFor instructions on how to select user authentication and address allocation methods, see Section Configuring AP IPv4 authentication and address allocation methods.

3.7 Configuring AP IPv4 L2TPPurposeFollow the instructions below if the chosen access point type is L2TP.

Before you startThe access point must be created. For more information, see Section Creating IPv4 access points.

Steps

1 Enter a shared secret for L2TP.The shared secret is used for authenticating the access point and LNS. The default value is Default Shared Secret.

g Do not use excessively long shared secrets, this will penalize performance when processing RADIUS messages.

2 Enter the hostname for the L2TP.This value is used as the hostname attribute when establishing an L2TP tunnel. The default value is Default Hostname.

3 Change the remote port number if necessary.The remote port number is 1701 by default (RFC2661).

4 Set the value of the Hello interval.The Hello interval is the delay between sending Hello messages to the L2TP network server (LNS). The default value is 60 seconds. If you set the value of the Hello interval to 0 (zero), no Hello messages will be sent.


38 DN04134496Issue 6-3 en


Id:0900d80580710501


3.8 Configuring AP IPv4 securityPurposeTraffic between two user equipment is a potential security problem when the user equip-ment are connected to the same Flexi ISN, because the traffic does not go through any external firewall.


Steps

1 Select Enabled from the Intermobile Traffic drop-down list to allow traffic from one user equipment to another user equipment if they belong to the same access point.

g The flow initiation rules apply also here and the uplink/downlink packets may be dropped if the flow initiation is not allowed.

2 Traffic from one user equipment to another user equipment inside different access points is allowed if you select Enabled from the Inter-AP Traffic drop-down menu. This applies only to access points inside one Flexi ISN.

3 When the Selection Mode value in the GTP message indicates that the user equip-ment is not verified, the Flexi ISN will reject the PDP context activation request unless you set Unverified Mobile Acceptance to Enabled.

4 Select whether IP spoofing is enabled or disabled.If you want to use to use routable subnets behind the GPRS/3G modem or router, you must disable IP spoofing, because antispoofing prevent the uplink packets orig-inating from the mobile router subnet.

This parameter is configurable if the access point type is L2TP or the Dynamic Tunnels parameter is set to enabled for any other access point type.


3.9 Configuring AP IPv4 toll-free networkPurposeIt is possible to define a network that is free of charge, that is, toll-free. The charging counters are updated separately for toll-free and non-toll-free traffic. To determine if a network is toll-free, the destination address is checked for uplink traffic and the source address is checked for downlink traffic.

There can be four toll-free networks.

g The configuration of toll-free networks is not necessary for service aware sessions, because the charging of the traffic flows is determined based on the charging class configuration. If a toll-free network is nevertheless used, it must be configured in the


39


Id:0900d80580710501

AP which allocates the IP address visible to the user of this session, that is, the primary service access point. Toll-free networks from other service access points of this session will not apply to it.

Before you startThe creation of an access point with the identification information is a prerequisite. For more information, see Section Creating IPv4 access points. Note the following proce-dures also: Configuring AP IPv4 DHCP interfaces and Configuring AP IPv4 RADIUS interfaces.

Steps

1 In the Toll Free Network and the Toll Free Network Mask Length edit boxes, determine the network to be used.


3.10 Configuring AP IPv4 DNS server IP addressesPurposeIn Service Aware Flexi ISN, most of the services that are available are DNS based. This procedure provides brief instructions on DNS addresses.


Steps

1 In the DNS 1 and the DNS 2 text boxes, verify that the set values are not 0.0.0.0.Define the primary DNS server in DNS1 and the secondary DNS server in DNS2.Note that DNS redirection is configured by defining additional DNS servers to the secondary access point. If DNS redirection is not required, the same DNS servers are defined for both the primary and secondary access points.

DNS server IP addresses may be overridden by RADIUS, DHCP, or L2TP.

2 In the IP Address for L7 DNS Queries text box, enter the IPv4 address that layer 7 proxy analysers use as a source address in DNS queries.

This parameter should be defined when L7 analysers are used, in other cases it has no meaning.

40 DN04134496Issue 6-3 en


Id:0900d80580710501



3.11 Configuring AP IPv4 WINS server IP addressesPurposeThis procedure provides brief instructions for NetBIOS naming service (WINS) server addresses.


Steps

1 Enter the IP address of the primary NetBIOS name server (WINS).2 Enter the IP address of the secondary NetBIOS name server (WINS).3 Click Apply.

Note that the access point is not ready yet.

3.12 Configuring AP IPv4 session timeoutsPurposeSession timeouts restrict the lifetime of PDP contexts.


Steps

1 Use the Session Timeout text box to limit the overall lifetime of a PDP context.Note that because of the internal implementation the actual time is longer than the configured value. This additional time varies from 0 seconds to 1 minute.

2 In the Idle Timeout text box, set the maximum time the PDP context can stay idle without any traffic.

Or


41


Id:0900d80580710501

If you choose not to use timeouts, in the Session Timeout or the Idle Timeout text box, either leave the field empty or set the value to 0 to indicate that the time-out function is not used.

Further InformationTimeouts are expressed in seconds. Timeouts may be overridden by the attributes in the RADIUS Access Accept message.

Timeouts are not dynamic. The PDP context activation is done with the information available in the APN settings during activation or supplied by RADIUS during acti-vation only. If the settings are changed during the lifetime of a PDP context, the timeouts are not changed for that PDP context.

The duration of the G-CDR differs from the Session Timeout value. When you set the Session Timeout to a certain value, the G-duration within the G-CDR is not auto-matically the same value.

For service-aware sessions, the session timeouts and idle timeouts calculated for the primary service access point will be applied to the whole session, and the timeouts from the other access points will be ignored.


3.13 Configuring AP IPv4 Quality of ServicePurposeYou can either remark the DSCP of mobile-originated IP packets or leave it untouched. The same marking system is used in the GPRS/3G backbone.


Steps

1 Enable the DSCP marking. When enabled, the DSCP of IP packets is remarked.OR

Disable the DSCP marking. When disabled, the DSCP of IP packets is not touched

2 Set the limit of total bit rate capacity for real time contexts.In the Max Bitrate for Realtime Traffic text box, set the limit for the total bit rate capacity that can be used for real-time (conversational and streaming) contexts. The dimension is kilobits per second. It should be greater than or equal to the sum of Max Bitrate for Conversational Traffic and Max Bitrate for Streaming Traffic.

42 DN04134496Issue 6-3 en


Id:0900d80580710501


3 Set the limit of total bit rate capacity used for the conversational class.In the Max Bitrate for Conversational Traffic, set the limit for the total bit rate capacity used for the Conversational class. The dimension is kilobits per second. When summed with Max Bitrate for Streaming Traffic it should be smaller than or equal to Max Bitrate for Realtime Traffic.

4 Set the limit of total bit rate capacity used for the streaming class.In the Max Bitrate for Streaming Traffic, set the limit for the total bit rate capacity used for the Streaming class. The dimension is kilobits per second. When summed with Max Bitrate for Conversational Traffic it should smaller than or equal to Max Bitrate for Realtime Traffic.

5 Select the TREC ID.This refers to an existing treatment class (TREC). If the value 'Not used' is selected, the TREC is not used for the given access point.

Note that TREC is not used when the access point mode is Normal. In that case only the 'Not used' option is available.

6 Select the TREC ID for roamers.This refers to an existing treatment class (TREC) and defines the TREC used for roamers. If the value 'Not used' is selected, TREC ID for roamers is not used for the given access point.

TREC ID for roamers is not configurable when the access point mode is either Normal or IPv6. In that case only the 'Not used' option is available.

Note that this option is available only when the Network Based QoS license is installed.

7 Determine whether real-time primary PDP context activations are permitted to the access point.

8 Select the policing method.This parameter is a workaround solution for situations where some mobile stations and some streaming servers do not co-operate very well when dealing with the maximum bit rate. '3GPP Policing' means strict policing according to 3GPP stan-dards.

Documents

Access Points in Nokia Siemens Networks Flexi ISN