FISNFI40EMED.06 Nokia Siemens Networks Flexi ISN, Rel. 4.0 Operating Documentation, v.6 RADIUS Interface, Interface Description DN70119375 Issue 5-3 en

RADIUS Interface



  • DN70119375 Issue 5-3 en

    RADIUS Interface, Interface Description

    Id:0900d80580804d96

    The information in this document is subject to change without notice and describes only the product defined in the introduction of this documentation. This documentation is intended for the use of Nokia Siemens Networks customers only for the purposes of the agreement under which the document is submitted, and no part of it may be used, reproduced, modified or transmitted in any form or means without the prior written permission of Nokia Siemens Networks. The documentation has been prepared to be used by professional and properly trained personnel, and the customer assumes full responsibility when using it. Nokia Siemens Networks welcomes customer comments as part of the process of continuous development and improvement of the documentation.

    The information or statements given in this documentation concerning the suitability, capacity, or performance of the mentioned hardware or software products are given "as is" and all liability arising in connection with such hardware or software products shall be defined conclusively and finally in a separate agreement between Nokia Siemens Networks and the customer. However, Nokia Siemens Networks has made all reasonable efforts to ensure that the instructions contained in the document are adequate and free of material errors and omissions. Nokia Siemens Networks will, if deemed necessary by Nokia Siemens Networks, explain issues which may not be covered by the document.

    Nokia Siemens Networks will correct errors in this documentation as soon as possible. IN NO EVENT WILL Nokia Siemens Networks BE LIABLE FOR ERRORS IN THIS DOCUMENTATION OR FOR ANY DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, DIRECT, INDIRECT, INCIDENTAL OR CONSEQUENTIAL OR ANY LOSSES, SUCH AS BUT NOT LIMITED TO LOSS OF PROFIT, REVENUE, BUSINESS INTERRUPTION, BUSINESS OPPORTUNITY OR DATA, THAT MAY ARISE FROM THE USE OF THIS DOCUMENT OR THE INFORMATION IN IT.

    This documentation and the product it describes are considered protected by copyrights and other intellectual property rights according to the applicable laws.

    The wave logo is a trademark of Nokia Siemens Networks Oy. Nokia is a registered trademark of Nokia Corporation. Siemens is a registered trademark of Siemens AG.

    Other product names mentioned in this document may be trademarks of their respective owners, and they are mentioned for identification purposes only.

    Copyright Nokia Siemens Networks 2010. All rights reserved

    Important Notice on Product Safety

    Elevated voltages are inevitably present at specific points in this electrical equipment. Some of the parts may also have elevated operating temperatures.

    Non-observance of these conditions and the safety instructions can result in personal injury or in property damage.

    Therefore, only trained and qualified personnel may install and maintain the system.

    The system complies with the standard EN 60950 / IEC 60950. All equipment connected has to comply with the applicable safety standards.


    Table of Contents

    This document has 96 pages.

    1 Changes in RADIUS Interface Description
      1.1 Changes in release 4.0 CD4
      1.2 Changes in release 4.0 CD3
      1.3 Changes in release 4.0 CD2
      1.4 Changes in release 4.0
      1.5 Changes between releases 3.2 and 4.0
      1.6 Changes between releases 3.1 and 3.2
      1.7 Changes between releases 3.0 and 3.1

    2 Introduction
      2.1 About
      2.2 Audience

    3 Overview of RADIUS interface
      3.1 Key features of RADIUS
      3.2 RADIUS in the Flexi ISN environment
        3.2.1 Authentication operations
        3.2.2 Accounting operations
        3.2.3 Configuration parameters
      3.3 Interface protocol
        3.3.1 Message flow

    4 RADIUS license

    5 Data elements
      5.1 RADIUS interface data format
        5.1.1 Code
        5.1.2 Identifier
        5.1.3 Length
        5.1.4 Authenticator
      5.2 Attributes
        5.2.1 Vendor-specific attribute encoding
        5.2.2 Attributes sent and received by Flexi ISN
          5.2.2.1 Access Request
          5.2.2.2 Access Accept
          5.2.2.3 Accounting Request Start
          5.2.2.4 Accounting Request Interim-Update
          5.2.2.5 Accounting Request Stop
          5.2.2.6 Accounting Request On/Off
          5.2.2.7 Disconnect Request
          5.2.2.8 Disconnect ACK
          5.2.2.9 Disconnect NAK
          5.2.2.10 Change of Authorisation (CoA) Request
          5.2.2.11 Change of Authorisation (CoA) ACK
          5.2.2.12 Change of Authorisation (CoA) NAK

    6 Additional features


      6.1 Support for DNS servers provided by the RADIUS server
      6.2 RADIUS Disconnect
        6.2.1 Disconnect-Request
        6.2.2 Disconnect-ACK
        6.2.3 Disconnect-NAK
      6.3 Accounting Request Interim-Update
      6.4 Acct-Input-Gigawords and Acct-Output-Gigawords
      6.5 Dynamic tunnelling of APN
        6.5.1 Tunnelling attributes related to authentication
        6.5.2 Tunnelling attributes related to user authentication
        6.5.3 Additional requirements related to dynamic tunnelling of APN
      6.6 Nokia vendor-specific attribute Nokia-Session-Access-Method
      6.7 Charging profile fetching through RADIUS
      6.8 Defining OCS servers through RADIUS
      6.9 Determining TREC through RADIUS
      6.10 Nokia-Requested-APN
      6.11 Transmission window
      6.12 Support for RADIUS proxy
      6.13 Checks made on Disconnect-Requests and CoA-Requests; RFC 3576
      6.14 Acct-Terminate-Cause
      6.15 Values and profiles determined through RADIUS

    7 Retrieving service components
      7.1 User profile fetching
      7.2 Retrieving service components dynamically
        7.2.1 CoA-Request
        7.2.2 CoA-ACK
        7.2.3 CoA-NAK
      7.3 Usage of the old service list fetching attribute

    8 References

    9 Abbreviations


    List of Figures

    Figure 1 RADIUS message flow, basic case
    Figure 2 RADIUS message flow, change PDP context parameters
    Figure 3 RADIUS message flow, disconnect by RADIUS server
    Figure 4 RADIUS proxy


    List of Tables

    Table 1 Common RADIUS configuration
    Table 2 RADIUS authentication configuration
    Table 3 RADIUS Accounting configuration
    Table 4 RADIUS Disconnect configuration
    Table 5 Summary of RADIUS data format
    Table 6 Attribute format
    Table 7 Attributes used by Flexi ISN
    Table 8 Determined values in a RADIUS message
    Table 9 Specific attribute format for Nokia vendor-specific service attributes
    Table 10 Nokia-Service-Name
    Table 11 Nokia-Service-ID
    Table 12 Nokia-Service-Username
    Table 13 Nokia-Service-Password
    Table 14 Nokia-Service-Primary-Indicator
    Table 15 Nokia-Service-Charging-Type
    Table 16 Nokia-Service-Encrypted-Password


    1 Changes in RADIUS Interface Description

    1.1 Changes in release 4.0 CD4

    Changes in content

    A new hardware configuration, Capacity Extender, is introduced.

    A new vendor-specific attribute, 3GPP-IMSI-MCC-MNC, has been added.

    Changes in documentation

    Section Transmission window has been updated regarding the Capacity Extender configuration.

    The new 3GPP-IMSI-MCC-MNC vendor-specific attribute has been added in Section Vendor-specific attribute encoding. The same attribute has been added in the tables of the Access Request, Accounting Request Start, Accounting Request Interim-Update and Accounting Request Stop Sections.

    The descriptions of the following parameters have been updated in Section RADIUS in the Flexi ISN environment:

    - Numeric ID
    - Encode Vendor-Specific Attributes Separately
    - User Authentication Method
    - Override User Name Containing APN/MSISDN
    - IP Address Generation Method
    - Dynamic Tunnels
    - Secondary Account Server Mode
    - RADIUS Accounting Mode

    Section RADIUS in the Flexi ISN environment has been updated with a Note.

    The length value of the attribute NSN-Tunnel-Override-Username in Section Tunnelling attributes related to user authentication has been changed from 12 to 10.

    1.2 Changes in release 4.0 CD3

    Changes in content

    No changes in content.

    Changes in documentation

    Table RADIUS authentication configuration has been updated.

    1.3 Changes in release 4.0 CD2

    Changes in content

    Document updated with content for Optional Radius Accounting in 3GPP mode feature.

    Changes in documentation

    Section Configuration parameters has been updated with values for the RADIUS Accounting configuration.


    Section RADIUS license has been updated with information about the Optional Radius Accounting in 3GPP mode feature.

    1.4 Changes in release 4.0

    Changes in content

    Document updated with content for Network Based QoS feature.

    Changes in documentation

    Section Transmission window has been updated with values for the Dual-Chassis configuration.

    1.5 Changes between releases 3.2 and 4.0

    Changes in content

    - The new modes Redundancy and Semi Redundancy have been added to the Secondary Account Server Mode option.
    - A new Vendor-ID has been defined for Nokia Siemens Networks (28458 Nokia-Siemens-Networks).
    - The vendor-specific attributes NSN-Tunnel-User-Auth-Method and NSN-Tunnel-Override-Username have been defined to allow the User Authentication method within dynamic L2TP tunnelling when PAP tokens from PCO IE are not provided by the user equipment. In addition, other authentication methods are now possible within dynamic L2TP tunnels.
    - Modifications in the 3GPP-Charging-Id and 3GPP-GGSN-Address attributes due to the new Charging ID Support feature.
    - The value option None has been removed from the User Authentication Method parameter.
    - The following configuration parameters have been removed: Tunneling in Authentication, Tunneling in Accounting.

    Changes in documentation

    Section RADIUS in the Flexi ISN environment: Added the two above-mentioned modes.

    Section Configuration parameters: In Table 3, the modes Redundancy and Semi Redundancy have been added to the RADIUS Accounting configuration.

    Section Vendor-specific attribute encoding: Added the above-mentioned Vendor-Id and attributes.

    Section Attributes sent and received by Flexi ISN: Added the above-mentioned attributes to table Access Accept.

    Section Tunnelling attributes related to user authentication: This new section describes the new vendor-specific attributes.

    Section Additional requirements related to dynamic tunnelling of APN: This section has been renumbered from 6.5.2.

    Section RADIUS in the Flexi ISN environment: Clarification added about switching back to the primary server from the secondary server. Information added about the Accounting To Authentication Server option.

    Section Configuration parameters: Added parameters Server switchover time and Accounting To Authentication Server. Removed parameters Tunnelling in Authentication, Tunnelling in Accounting.

    Section Vendor-specific attribute encoding: The definitions for the following attributes have been updated: 3GPP-Charging-Id, 3GPP-GGSN-Address.


    Section Disconnect-Request: Added clarification about the use of Acct-Session-Id and Acct-Multi-Session-Id attributes in disconnect messages.

    Section Dynamic tunnelling of APN: In Section Tunnel-Assignment-ID, added clarification that an existing tunnel can be re-used only if the same service blade is used.

    Section RADIUS in the Flexi ISN environment: Added clarification that if there is no reply to an Accounting Start message for a PDP context from the primary or secondary accounting servers, nothing will be sent to the extra RADIUS accounting servers regarding the PDP context.

    Section Configuration parameters: In Table 3, the description for the value 'Redundancy' for the Secondary Account Server Mode parameter has been updated.

    1.6 Changes between releases 3.1 and 3.2

    Changes in content

    New feature:

    - RADIUS IPS Compatibility

    New attributes:

    - 3GPP-Charging-Gateway-Address (Section Vendor-specific attribute encoding)
    - 3GPP-GGSN-MCC-MNC (Section Vendor-specific attribute encoding)
    - 3GPP-Selection-Mode (Section Vendor-specific attribute encoding)
    - Service-Type (Section Attributes)
    - Framed-Protocol (Section Attributes)
    - Acct-Authentic (Section Attributes)

    Enhanced usage of old attributes:

    - 3GPP-PDP-Type. Now also sent in Access-Request messages if the RADIUS Authentication Operation is IMSI-SGSN-3GPP.
    - 3GPP-Charging-Characteristics. The attribute is also included in Accounting-Requests (Start, Stop, and Interim) if the RADIUS Account Server Operation is 3GPP.
    - Acct-Terminate-Cause. Now also included in all Stop Accounting-Requests. New values defined for Acct-Terminate-Cause attribute (Section Acct-Terminate-Cause).

    New configuration parameters:

    - Server switchover time
    - Accounting To Authentication Server

    Changes in documentation

    Section Configuration parameters: a new tunnelling parameter has been added (Client tunnelling IP Address).

    Section Message flow: the text has been updated.

    Section Attributes: in Table Attributes used by Flexi ISN the descriptions of the Acct-Input-Octets and Acct-Output-Octets attributes have been modified.

    Section Attributes sent and received by Flexi ISN: the structure has been modified and the tables have been updated.

    The following new sections have been added:


    - Acct-Terminate-Cause
    - Values and profiles determined through RADIUS

    Section RADIUS in the Flexi ISN environment: Clarification about switching back to the primary server from the secondary. Information added about the Accounting To Authentication Server option.

    Section Authentication operations: validation information has been updated.

    Section Configuration parameters: the following parameters have been added: Switchover time, Tunneling in Authentication, Tunneling in Accounting, and Accounting To Authentication Server.

    Section Message flow: the figures have been modified.

    1.7 Changes between releases 3.0 and 3.1

    Changes in content

    New feature:

    - RADIUS accounting transmission window and queue enhancements (Section Transmission window)

    New value allowed for attribute Nokia-Session-Charging-Type.

    Changes in documentation

    The ID number for this document is now DN70119375 (previously DN04134636).


    2 Introduction

    This document specifies the interface between the Flexi ISN and its counterpart server for delivering subscriber identification, the remote authentication dial-in user service (RADIUS) server. This document is mainly based on RFC 2865 [6] and RFC 2866 [7], together with 3GPP standard TS 29.061 [3].

    2.1 About

    The main sections of this document are:

    - Overview
      This specifies the delivery of subscriber identification, the reference model, and the interfaces between the Flexi ISN and the RADIUS server.

    - Data elements
      This specifies the data elements for RADIUS authentication and accounting supported by the Flexi ISN.

    - Additional features
      This specifies some new attributes and additional features supported by the Flexi ISN.

    - Retrieving service components
      This specifies the service aware features in RADIUS; user profile fetching during authentication and dynamically by using the CoA message.

    It is not within the scope of this document to specify the Nokia proprietary RADIUS specification between the Flexi ISN and Nokia Online Service Controller (OSC), used in the Intelligent Content Delivery (ICD) system.

    2.2 Audience

    Users of this document should have a basic knowledge of the Flexi ISN, wireless networks, the Internet, RADIUS, and RADIUS accounting and authentication protocol.


    3 Overview of RADIUS interface

    In the Flexi ISN, subscriber identification is the key to:

    - billing
    - access control
    - personalisation of services

    The Flexi ISN supports these activities during request processing when it resolves subscriber identifiers by using RADIUS accounting protocol (RFC 2866 [7]). The interface protocol is further explained in Section Interface protocol.

    The Flexi ISN also uses authentication packets provided by RFC 2865 [6].

    RADIUS is transported over User Datagram Protocol (UDP). The UDP destination port is 1812 for RADIUS Authentication messages and 1813 for RADIUS Accounting messages.

    Note: The interface between the Flexi ISN and the Traffic Analyser (TA) is based on Internet Protocol (IP) and RADIUS. This is, however, not described here, because the Flexi ISN-TA interface is invisible to the Flexi ISN. Nokia TA listens to RADIUS Accounting Start, Stop, Interim Update, On, and Off messages sent by the Flexi ISN. For the use of advanced features in Nokia TA, the RADIUS 3GPP Accounting mode needs to be enabled.

    3.1 Key features of RADIUS

    RFC 2865 [6] and RFC 2866 [7] define the following as the key features of the RADIUS protocol:

    - Client/Server model
      A Flexi ISN operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response that is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver a service to the user.

    - Network security
      Transactions between the client and the RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and the RADIUS server to eliminate the possibility that someone snooping on an unsecured network could determine a user's password. When a user password is present, it is hidden using a method based on RSA Message Digest Algorithm version 5 (MD5).

    - Flexible authentication mechanisms
      The RADIUS server can support a variety of methods to authenticate a user. When it is provided with the user name and the original password given to the user, it can support PPP PAP or CHAP, UNIX login, and other authentication mechanisms.

    - Extensible protocols
      All transactions are comprised of variable length Attribute-Length-Value 3-tuples. New attribute values can be added without disturbing existing implementations of the protocol.
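
    The "Network security" feature above, worked through as an added example that is not part of the original Nokia Siemens Networks document: it applies the RFC 2865 User-Password hiding and the Response Authenticator check, showing that the shared secret only ever enters MD5 and never the packet. The function names, the secret and the credentials are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2      # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2           # RFC 2865 attribute types


def _xor_blocks(data: bytes, secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    """XOR each 16-octet block with MD5(secret + previous hidden block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, key))
        out += xored
        # The chain always runs over the hidden (on-the-wire) block.
        prev = xored if hiding else block
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client side: pad with NULs to a multiple of 16 octets, then hide."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_blocks(padded, secret, request_auth, hiding=True)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: the same keystream recovers the padded password."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a multiple of 16 octets")
    return _xor_blocks(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type, Length (covering the two header octets), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, user: bytes, password: bytes,
                         secret: bytes, request_auth: bytes = None) -> bytes:
    # The Request Authenticator seeds the keystream, so it must be unpredictable.
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(USER_NAME, user) + attribute(
        USER_PASSWORD, hide_password(password, secret, request_auth))
    head = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return head + request_auth + attrs


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + auth + attrs


def response_is_authentic(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: reject replies that were not produced with the shared secret."""
    if len(response) < 20 or len(request) < 20:
        return False
    _, ident, length = struct.unpack("!BBH", response[:4])
    if length < 20 or length > len(response) or ident != request[1]:
        return False
    response = response[:length]          # octets past Length are padding
    expected = hashlib.md5(
        response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed sample value
    req = build_access_request(7, b"nemo", b"arctangent", secret)
    resp = build_response(ACCESS_ACCEPT, req, b"", secret)
    print("secret on the wire:", secret in req)
    print("reply accepted:", response_is_authentic(resp, req, secret))
    print("reply accepted with wrong secret:",
          response_is_authentic(resp, req, b"wrong-secret"))
```

    Both the hiding and the reply check rest entirely on the shared secret and on a fresh Request Authenticator for every request.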


    3.2 RADIUS in the Flexi ISN environment

    A Flexi ISN can use nine RADIUS servers for each access point. Four of the servers are very important: two pairs, each consisting of a primary and a secondary RADIUS server. The remaining five RADIUS servers are extra and optional accounting servers. The first pair of RADIUS servers is used for authentication and the second pair of RADIUS servers is used to deliver extra information for external systems (the accounting servers). The same server may take care of the two functions. One pair of RADIUS servers consists of a primary server and a secondary server. The Flexi ISN attempts to communicate first with the primary server; if there is no response, it communicates with the secondary server. When the Flexi ISN receives a response, it memorizes the IP address of the RADIUS server that responded. That server will be used in any further communication where possible.

    By default, the Flexi ISN tries to contact the primary server three times and waits for a response for 2, 4, and 8 seconds, respectively. If a secondary server exists and there is no response from the primary server, the Flexi ISN tries to contact the secondary server three times, as with the primary server. The operator can configure the number of attempts and the waiting times. The same values are used for the primary and secondary servers.

    When the Flexi ISN switches from a primary server to a secondary server because of no response from the primary server, it tries to switch back to the primary server at a configurable interval (RADIUS Switchover Time configuration parameter). This happens for both the authentication and accounting server pairs independently (an authentication pair switchover does not affect accounting).

    The RADIUS authentication server always operates in the Backup mode. The RADIUS accounting server can be set to operate in the following three modes:

    - The Backup mode
    - The Semi Redundancy mode
    - The Redundancy mode

    In the Backup mode, the Flexi ISN forwards requests to a secondary server if the primary server is down or unreachable. In the Backup mode, the Flexi ISN also remembers the IP address of the RADIUS server that responded separately for each primary PDP context, in other words during one session. If the Accounting To Authentication Server option is enabled and authentication is used, accounting for the PDP context will be transmitted to the authentication server where the PDP context was authenticated (if authentication and accounting have all the same properties except the port number, which is the fixed value 1813, not read from the configuration). This functionality is supported for any primary/secondary server combination, but not for the 3rd - 7th accounting servers.

    In the Semi Redundancy mode, the difference is that the Flexi ISN sends the request to the primary and secondary servers at the same time. If one of the servers responds, the accounting process continues normally, since a single server's response is considered success. There are no switchovers between the primary and secondary server in this mode because requests are always sent to both servers. No retransmission timeouts are performed if a response is received from either of the two accounting servers, in order to speed up the PDP context activation. Retransmissions are sent to both servers if they are out of service or no response is received. If the retransmission timeout setting expires, alarms are raised for both servers to notify that they are out of service.

    In the Redundancy mode, requests are sent simultaneously to both servers and Flexi ISN treats them separately. As soon as a response is sent from one server to Flexi ISN, the PDP context activation procedure continues. Flexi ISN will continue sending retransmissions to the other server until it receives a response or the retransmission timeout setting expires. In case of no response, an alarm is raised indicating that this server is out of service. Flexi ISN will continue to send requests to both RADIUS servers on subsequent PDP Context Activations. Alarms are raised for both servers if they are out of service.
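
    A simplified model of the three accounting modes described above, added here as an example and not taken from the Flexi ISN software. It assumes a server either answers the first request at once or never answers, uses the default three attempts with 2, 4 and 8 second waits, and leaves out the remembered-server and switch-back behaviour; the mode strings and all names are this example's own.

```python
from dataclasses import dataclass

# Page defaults: three attempts, waiting 2, 4 and 8 seconds for a response.
DEFAULT_WAITS = (2, 4, 8)
SERVERS = ("primary", "secondary")


@dataclass
class Outcome:
    answered_by: list   # servers whose response was received
    delay: int          # seconds before PDP context activation continues or fails
    attempts: dict      # server name -> number of requests sent to it
    alarms: list        # servers reported as out of service


def _try_server(is_up: bool, waits) -> tuple:
    """Model assumption: an up server answers the first request immediately,
    a down server never answers and costs the full retransmission schedule."""
    if is_up:
        return True, 1, 0
    return False, len(waits), sum(waits)


def send_accounting(mode: str, primary_up: bool, secondary_up: bool,
                    waits=DEFAULT_WAITS) -> Outcome:
    up = {"primary": primary_up, "secondary": secondary_up}

    if mode == "backup":
        # Sequential: the secondary is only tried after the primary's
        # schedule is exhausted, so an outage adds its full wait time.
        delay, attempts = 0, {}
        for name in SERVERS:
            ok, sent, spent = _try_server(up[name], waits)
            attempts[name] = sent
            delay += spent
            if ok:
                return Outcome([name], delay, attempts, [])
        # The page does not describe alarms for this mode, so none are modelled.
        return Outcome([], delay, attempts, [])

    results = {name: _try_server(up[name], waits) for name in SERVERS}
    answered = [name for name in SERVERS if results[name][0]]

    if mode == "semi-redundancy":
        if answered:
            # One response counts as success; the silent server is not
            # retransmitted to and, as the text reads, raises no alarm.
            return Outcome(answered, 0, {name: 1 for name in SERVERS}, [])
        return Outcome([], sum(waits),
                       {name: len(waits) for name in SERVERS}, list(SERVERS))

    if mode == "redundancy":
        # Each server is tracked separately: activation continues on the
        # first response while the silent server is retried, then alarmed.
        delay = 0 if answered else sum(waits)
        attempts = {name: results[name][1] for name in SERVERS}
        alarms = [name for name in SERVERS if not results[name][0]]
        return Outcome(answered, delay, attempts, alarms)

    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    # Constructed scenario: the primary accounting server is down.
    for mode in ("backup", "semi-redundancy", "redundancy"):
        print(mode, send_accounting(mode, primary_up=False, secondary_up=True))
```

    With the primary down, the model gives a 14 second activation delay in the Backup mode, none in the other two, and an out-of-service alarm for the primary only in the Redundancy mode.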

    There are five extra RADIUS accounting servers (also known as 'fire and forget' servers) to which accounting messages are sent if those servers are configured in the accounting profile that the access point in use is pointing to. It is important to note that the primary and secondary servers have different characteristics and supported features than the fire and forget servers. All accounting messages that are sent to the primary or secondary accounting server are sent to these servers only once, after a response from the primary/secondary server has been received. This means that there is no retransmission to these servers. Note that if there is no reply to an Accounting Start message for a PDP context from the primary or secondary accounting servers, nothing will be sent to accounting servers 3 to 7 for the PDP context. The content of the accounting messages is slightly different for fire and forget messages. The Accounting To Authentication Server functionality does not cover fire and forget servers.

    The Flexi ISN does not expect any Accounting-Response messages from the extra RADIUS accounting servers for the sent Accounting-Requests. Note that if there is no reply to an Accounting Start message for a PDP context from the primary or secondary accounting servers, nothing will be sent to the extra RADIUS accounting servers regarding the PDP context.

    Note: Accounting messages are sent to 'fire and forget' servers after the response of either the primary or the secondary server, as described above, but only for the "primary" connection of the primary PDP context. In the case of "secondary" connections, on the other hand, the accounting messages are not forwarded to 'fire and forget' servers, so this functionality cannot be used in Service Access Points.

    3.2.1 Authentication operations

    When the Flexi ISN has obtained the authentication information from the user, it creates an Access-Request containing attributes such as the user's name, the user's password, the ID of the client, and the Port ID that the user is accessing.

    The Access-Request is submitted to the RADIUS server via the network. If no response is returned within a certain length of time, the request is re-sent a number of times. The Flexi ISN can also forward requests to an alternate server (secondary server) if the primary server is down or unreachable.

    Once the RADIUS server receives the request, it validates the sending Flexi ISN. The Flexi ISN must have a shared secret with the RADIUS server; otherwise the RADIUS server silently discards the request. If the Flexi ISN is valid, the RADIUS server consults a database of users to find the user whose name matches the request.

    If any condition is not met, the RADIUS server sends an Access-Reject response indicating that this user request is invalid.

    If all conditions are met and the RADIUS server wishes to issue a challenge to which the user must respond, the RADIUS server sends an Access-Challenge response. It may include a text message to be displayed by the GGSN/ISN to the user prompting for a response to the challenge, and may include a State attribute. The client could then resubmit its original Access-Request with a new request ID, with the User-Password attribute replaced by the response (encrypted), and including the State attribute from the Access-Challenge, if any.

    Flexi ISN does not support challenge/response: it treats an Access-Challenge as though it had received an Access-Reject and sends a new Access-Request. Challenge/response is not supported because there is no way the Flexi ISN can communicate with the user.

    If all conditions are met, the list of configuration values for the user is placed into an Access-Accept response. These values include the type of service (for example: SLIP, PPP, Login User) and all the necessary values to deliver the desired service.

    3.2.2 Accounting operations

    The Flexi ISN supports and sends the following RADIUS Accounting messages to the RADIUS accounting server:

    Accounting Start: This is used when a PDP context is created.

    Accounting Stop: This is used when a PDP context is deleted.

    Accounting ON: This is sent to the RADIUS server at the time the access point becomes active so that the IP addresses (that have possibly been left hanging) can be released.

    Accounting OFF: This is sent to the RADIUS server at the time the access point becomes inactive so that the IP addresses can be released.

    Accounting Interim-Update: This is sent to the RADIUS server when the PDP context is updated.

    The Accounting-Request (whether for Start or Stop) is submitted to the RADIUS accounting server via the network.

    For more information, see RFC 2866 [7].

    3.2.3 Configuration parameters

    The RADIUS configuration in the Flexi ISN is located in the RADIUS profiles configuration. For instructions on configuring the RADIUS interface, see Access Points in Nokia Siemens Networks Flexi ISN.

    | Parameter | Values | Description |
    |---|---|---|
    | Numeric ID (Routing Instance > Config (Default) > Flexi ISN Configuration > Access Point Configuration > Access Points) | 0 - 2147483647 | Some RADIUS servers cannot handle access point names and require a numeric value for identification. The Numeric ID parameter will be inserted to the Called-Station-ID. If the value 0 is inserted, no attribute will be sent. |
    | Profile Name | (string) | The name of the RADIUS profile. |
    | RowStatus | Active / Not in service | The status of the RADIUS profile. |
    | Client IP Address | IPv4 address | Defines the actual source address of RADIUS messages. The IP address to be inserted into the NAS-IP-Address attribute of RADIUS requests. |
    | Type | Normal (IPv4) / GRE Tunnel (IPv4) / IP over IP (IPv4) | The type of the access point to be used in the profile. The type is used to interpret the meaning of the Tunnel Remote IP Address parameter. |
    | Retransmission Timeouts | (Default) 2 4 8 | RADIUS retransmission timeouts in seconds. |
    | Encode Vendor-Specific Attributes Separately (Routing Instance > Config (Default) > Flexi ISN Configuration > Access Point Configuration > Access Points) | Enabled / Disabled | If this variable is set to Enabled, each vendor-specific sub-attribute is encoded into a separate vendor-specific attribute. |
    | RoutingInstance | routing instance | The access point belongs to one of the existing routing instances. There is always at least the default instance. |
    | Tunnel Remote IP Address | IPv4 address | The default router IP address or the endpoint of a GRE, IP-over-IP or L2TP tunnel. |
    | Secondary Tunnel Address | IPv4 address | The destination address of a secondary IP or L2TP tunnel. When both of the tunnel destination addresses are specified, under normal conditions load balancing is performed between the tunnels. When one of the tunnels fails the other tunnel is used for all traffic in the case of GRE/IPIP. PDP contexts of the failed tunnel are deleted for L2TP and new PDP contexts are created solely to the tunnel that functioned. |
    | Tunnel Local IP Address | IPv4 address | The local tunnel IP address for an access point. |
    | Client Tunneling IP Address | IPv4 address | If the access point type is GRE Tunnel or IP over IP and RADIUS authentication or accounting messages are configured to be tunnelled, this IP address is to be put into the NAS-IP-Address attribute of the RADIUS request. This parameter specifies the actual source address of the RADIUS messages. |
    | Server switchover time | 1 min to 30 min | After the primary RADIUS server has failed to reply and the Flexi ISN has switched over to use the secondary server, the Flexi ISN will try the primary server again after the time defined here. |

    Table 1 Common RADIUS configuration

    | Parameter | Values | Description |
    |---|---|---|
    | Primary/Secondary Authentication Server IP Address | IPv4 address | The IP address of the used RADIUS server. |
    | Port Number | 0 - 65535, (default) 1812 | The port number of the RADIUS server. |
    | Primary/Secondary Authentication Server Key | (string) | The secret that is used to authenticate the RADIUS server. No special character ? should be used. |
    | Description | (string) | The description of the used RADIUS server. Optional |
    | User Authentication Method (Routing Instance > Config (Default) > Flexi ISN Configuration > Access Point Configuration > Access Points) | Radius | Authentication is used. The user must provide the user name and the password. |
    | | Radius With MSISDN | Authentication is used. The MSISDN is used as the user name and the word password as the password. |
    | | Radius With APN | Authentication is used. The access point name is used as the user name and the word password as the password. |
    | Override User Name Containing APN/MSISDN (Routing Instance > Config (Default) > Flexi ISN Configuration > Access Point Configuration > Access Points) | Disabled | The user name and password are used as described above in User Authentication Method. |
    | | Enabled | When the authentication method is RADIUS / L2TP PAP / L2TP CHAP with MSISDN / APN / IMSI, the Flexi ISN's behavior is modified as follows: If PAP or CHAP authentication tokens are received from the user equipment in the PCO IE, and the user name token is not empty, both the user name and the password from the corresponding tokens will be submitted for authentication. If the password provided by the user equipment is 'password', the authentication will be immediately rejected. |
    | IP Address Generation Method (Routing Instance > Config (Default) > Flexi ISN Configuration > Access Point Configuration > Access Points) | GGSN | The dynamic IP address allocation method. The Flexi ISN uses its own address pool. |
    | | DHCP | The DHCP server allocates the IP address. |
    | | Radius | The RADIUS server allocates the IP address. |
    | Authentication Operation | Simple Authentication | The Access Request message will be sent with basic attributes only. |
    | | IMSI SGSN | The IMSI and SGSN IP address attributes will be included in the Access Request message. |
    | | IMSI SGSN-3GPP | Sub-attributes that comply with the 3GPP standard will be included in the Access Request message. |
    | Dynamic Tunnels (Routing Instance > Config (Default) > Flexi ISN Configuration > Access Point Configuration > Access Points) | Enabled / Disabled | When set to Enabled, the Flexi ISN accepts the tunnel definitions given by the RADIUS server. |
    | Optional RADIUS Authentication | Enabled / Disabled | When set to Enabled, the Flexi ISN ignores the cases when RADIUS authentication fails, that is, when the RADIUS authentication server does not return a response or rejects the authentication. Note that in some cases the authentication can fail even if this variable is set to Enabled. The Flexi ISN needs a response from the RADIUS authentication server to be able to continue if the access point is set to the RADIUS mode or IP Address Generation Method is set to RADIUS. |

    Table 2 RADIUS authentication configuration

    | Parameter | Values | Description |
    |---|---|---|
    | Primary/Secondary Accounting Server IP Address | IPv4 address | The IP address of the used RADIUS server. |
    | Port Number | 0 - 65535, (default) 1813 | The port number of the RADIUS server. |
    | Primary/Secondary Accounting Server Key | (string) | The secret that is used to authenticate the RADIUS server. |
    | Description | (string) | The description of the used RADIUS server. Optional |
    | Third/Fourth/Fifth/Sixth/Seventh: Accounting Server IP Address, Port Number, Accounting Server Key, Description | IPv4 address; 0 - 65535, (default) 1813; (string); (string) | These servers can only be used if a primary and/or a secondary accounting server has been configured. Messages to these RADIUS servers are sent in the 'fire and forget' mode. The message is sent once and no reply is noticed. |
    | Account Server Operation | WAP Gateway | Accounting is used and the account server is actually a WAP gateway that uses the supplied information for special purposes. When the connection to the server fails, the PDP context creation is rejected. |
    | | WAP Gateway, server optional | Accounting is used but it is optional. The PDP context creation is accepted even when there is a failure in the accounting process. The WAP gateway may then offer a limited set of services. This option has no effect on the authentication process because of the parameter Optional RADIUS Authentication. |
    | | IP Address Release | Accounting is used and extra information is sent to the accounting server that may be used to release an allocated IP address. |
    | | 3GPP | Sub-attributes that comply with the 3GPP standard and some Nokia vendor-specific attributes will be included in Accounting Request packets. In addition, the Acct-Input-Gigawords and Acct-Output-Gigawords attributes are also included. |
    | | 3GPP, server optional | Accounting is used but it is optional. The PDP context creation is accepted even when there is a failure in the accounting process. Sub-attributes that comply with the 3GPP standard and some Nokia vendor-specific attributes will be included in Accounting Request packets. In addition, the Acct-Input-Gigawords and Acct-Output-Gigawords attributes are also included. |
    | Secondary Account Server Mode | Backup | A fully configured timeout sequence is tried with a primary server and then with a secondary server if the primary does not respond. If no responses are received at all from the primary Accounting server within a retransmission timeout, an alarm is raised for the primary server and then there is a switch to the secondary Accounting server. In the particular case that the retransmission timeout is reached for the primary Accounting server for some RADIUS Accounting requests (for example, due to capacity issues), but at the same time Flexi receives responses from the same server for other pending Accounting Requests, there is still a switch to the secondary Accounting server, but no alarm is raised for the primary server, since there is no indication that it is inactive. |
    | | Semi Redundancy | Both servers are used simultaneously. A response from either one is considered a success. No retransmission timeouts are performed as soon as a response is received from one server. Alarms are raised only if both servers are out of service. |
    | | Redundancy | Both servers are used simultaneously but Flexi ISN treats them separately. A response from either one is considered a success but Flexi ISN will keep sending retransmissions to the other server, until it receives a response from that server or the retransmission timeout setting expires. Then, an alarm will be raised indicating that this server is out of service, but Flexi ISN will continue to send requests to both RADIUS servers on the next PDP context activation. If both servers are out of service, alarms will be raised too. |
    | Interim Accounting | Enabled / Disabled | When set to Enabled, the Flexi ISN sends an Accounting Request Interim-Update message to the RADIUS server when the PDP context is updated. |
    | Send Interim When Container Closed | Enabled / Disabled | This determines whether a RADIUS interim update message is sent when a volume or a time limit in the access point's charging limit profile is reached. RADIUS uses PDP-context-level values to measure volume and time limits. The default value is 'Disabled'. If this is set to Enabled, the Interim Accounting parameter must also be enabled. |
    | RADIUS Accounting Mode (Routing Instance > Config (Default) > Flexi ISN Configuration > Access Point Configuration > Access Points) | Asynchronous / Synchronous | In the asynchronous mode, the Flexi ISN sends a PDP context response to the SGSN before an accounting start reply has been received. This makes the PDP context activation faster. In the synchronous mode, the Flexi ISN waits for the accounting start reply to arrive before responding to the SGSN. The PDP context will not be activated unless the accounting reply has been received. This parameter affects only the accounting start message. |
    | Notify AP Status Change | ON/OFF | Changing of the access point status from 'Active' to 'Not in service' leads to the sending of a 'RADIUS accounting OFF' message but no 'RADIUS accounting STOP' messages are sent. Changing the access point status from 'Not in service' to 'Active' leads to the sending of a 'RADIUS accounting ON' message. |
    | | ON/OFF/STOP | The changing of the access point status from 'Active' to 'Not in service' leads to the sending of a 'RADIUS accounting OFF' message and any possible 'RADIUS accounting STOP' messages. Changing the access point status from 'Not in service' to 'Active' leads to the sending of a 'RADIUS accounting ON' message. |
    | | STOP | No 'RADIUS accounting ON or OFF' messages are sent but possible 'RADIUS accounting STOP' messages are sent if the access point status is changed from 'Active' to 'Not in service'. |
    | Accounting To Authentication Server | Disabled / Enabled | If this parameter is enabled and if authentication is used, accounting for the PDP context will be transmitted to the RADIUS server that has the same configuration parameters, except for the port number (fixed value 1813). |

    Table 3 RADIUS Accounting configuration

    | Parameter | Values | Description |
    |---|---|---|
    | Disconnect Server IP Address 1 / 2 / 3 / 4 | IPv4 address | Contains the IP address of the RADIUS server from which a disconnect message is accepted. |
    | Disconnect Server Secret Key 1 / 2 / 3 / 4 | (string) | The secret that is used to authenticate the RADIUS disconnect server. |
    | Disconnect Server Description 1 / 2 / 3 / 4 | (string) | The description of the used RADIUS disconnect server. Optional |

    Table 4 RADIUS Disconnect configuration

    3.3 Interface protocol

    The interface between the Flexi ISN and the RADIUS server must follow the rules defined in RFC 2865 [6] and RFC 2866 [7], including those for handling retransmissions and request acknowledgements.

    3.3.1 Message flow

    Figure 1 (RADIUS message flow, basic case), Figure 2 (RADIUS message flow, change PDP context parameters) and Figure 3 (RADIUS message flow, disconnect by RADIUS server) represent the RADIUS message flows between a Flexi ISN and an authentication, authorization and accounting (AAA) server.

    Figure 1 RADIUS message flow, basic case

    Note: A Create PDP Context message can be sent before receiving an accounting response (for example, in the asynchronous accounting mode). The Accounting Start message will be sent for the primary and the secondary PDP contexts.

    Figure 2 RADIUS message flow, change PDP context parameters

    Note: When a CoA contains a Nokia-TREC-Index that results in a new QoS for the PDP context, Flexi ISN triggers an Update PDP Context Request with the new QoS (see Section Determining TREC through RADIUS).

    Figure 3 RADIUS message flow, disconnect by RADIUS server

    4 RADIUS license

    Some RADIUS features require a valid license to be enabled.

    The following configuration options require the RADIUS addition license:

    Authentication Operation IMSI-SGSN and IMSI-SGSN-3GPP, and Account Server Operation 3GPP and 3GPP, server optional: Without a license RADIUS authentication works in the SIMPLE Authentication Operation mode and a Flexi ISN 4.0 configured to use 3GPP or 3GPP server optional Account Server Operation will not use RADIUS accounting at all. Mainly this means that all the vendor-specific and Nokia vendor-proprietary attributes require a license. The only exception is the Account Server Operation modes WAP Gateway and WAP Gateway, server optional, which use the Nokia Siemens Networks vendor-proprietary attributes.

    Interim Accounting: Without a license Interim Accounting is disabled.

    Dynamic Tunnels: Without a license Dynamic Tunnels is disabled.

    RADIUS Disconnect: Without a license the Flexi ISN silently discards Disconnect Requests.

    RADIUS Change-of-Authorization: Without a license the Flexi ISN silently discards Change-of-Authorization Requests.

    A proper license is required to be able to choose between the encoding methods that are available for vendor-specific attributes.

    A license is required for receiving Accounting Stop messages when disabling an access point. Also the option to receive both Accounting Stop and On/Off messages when disabling or enabling an access point requires a license.

    The following functionalities require the Network Based QoS Control license:

    Handle the TREC AVP received in the CoA message.

    Apply the TREC AVP received in the Access-Accept message for all traffic classes (also real-time).

    5 Data elements

    The attributes defined in this section comply with the same basic attribute formats given in RFC 2865 [6] and RFC 2866 [7].

    5.1 RADIUS interface data format

    The RADIUS data format is the format needed for sending required information between the Flexi ISN and the RADIUS server. Table 5 summarises the RADIUS data format. The fields are transmitted from left to right. When a reply is generated, the source and destination ports are reversed.

    Code | Identifier | Length
    Authenticator
    Attributes: Type | Length | Value

    Table 5 Summary of RADIUS data format

    5.1.1 Code

    The code (the field in the first octet of a packet) identifies the type of the RADIUS packet. If a packet is received with an invalid code field, it is discarded (length, 1 octet).

    The codes are the following:

    Code 1: Access-Request
    The Access-Request code (1) is sent by the Flexi ISN to the RADIUS server. It conveys the information used to determine whether a user is allowed to access a specific network access server and if there are any special requests for that user. The Access-Request code must be transmitted when wishing to authenticate a user and must contain a User-Name attribute and either a User-Password or CHAP-Password attribute. Upon receipt of an Access-Request from a valid client, an appropriate reply must be transmitted.

    Code 2: Access-Accept
    The Access-Accept code (2) is sent by the RADIUS server and provides the specific configuration information necessary to begin the delivery service to the user. If all the attribute values received in an Access-Request are acceptable, the RADIUS implementation must transmit a packet with the Code field set to 2 (Access-Accept). On reception of an Access-Accept, the Identifier field is matched with a pending Access-Request. Additionally, the Response Authenticator field must contain the correct response for the pending Access-Request.

    Code 3: Access-Reject
    The RADIUS server transmits the Access-Reject code (3) if any value for the received attributes is not acceptable.

    Code 4: Accounting-Request
    The Accounting-Request code (4) is sent by the Flexi ISN to the RADIUS server and conveys information used to provide accounting for a service. The server must transmit an Accounting-Response reply if it successfully records the accounting packet, and must not transmit a reply if it fails to record the accounting packet. This code must contain either NAS-IP-Address or NAS-Identifier.

    Code 5: Accounting-Response
    The Accounting-Response code (5) is sent by the RADIUS server to the client to acknowledge that the Accounting-Request has been received and recorded successfully. There are no required attributes in this packet.

    Code 11: Access-Challenge
    The Access-Challenge code (11) is sent if the RADIUS server wishes to send the user a challenge requiring a response. Flexi ISN does not support Access-Challenge messages because there is no way for the Flexi ISN to communicate with the user.

    Code 40: Disconnect-Request
    For more information, see Section Disconnect-Request.

    Code 41: Disconnect-ACK
    For more information, see Section Disconnect-ACK.

    Code 42: Disconnect-NAK
    For more information, see Section Disconnect-NAK.

    Code 43: Change-of-Authorization-Request
    For more information, see Section CoA-Request.

    Code 44: Change-of-Authorization-ACK
    For more information, see Section CoA-ACK.

    Code 45: Change-of-Authorization-NAK
    For more information, see Section CoA-NAK.

    5.1.2 Identifier

    The identifier aids in matching requests and replies (length, 1 octet).

    5.1.3 Length

    The length indicates the length of the packet, including the Code, Identifier, Length, Authenticator, and Attributes (length, 2 octets). The minimum length is 20 and the maximum is 4096.

    The Flexi ISN silently discards packets received with an invalid length.

    5.1.4 Authenticator

    The authenticator is used to authenticate the reply from the RADIUS server and to authenticate the messages between the Flexi ISN and the RADIUS server (length, 16 octets, the most significant octet is transmitted first).

    There are two types of authenticators:

    Request Authenticator

    In Access-Request packets, the authenticator value is a 16 octet random number called the Request Authenticator. The value should be unpredictable and unique in the lifetime of a secret (the password shared by the client and the RADIUS server). Since it is expected that the same secret may be used to authenticate the servers in different geographic regions, the Request Authenticator field should display global and temporal uniqueness (RFC 2865 [6]).

    In Accounting-Request packets, the authenticator value is a 16-octet MD5 checksum, called the Request Authenticator (RFC 2866 [7]).

    The authenticator value in Disconnect-Request packets and the Change-of-Authorization-Request packets is encoded the same way as the authenticator value in Accounting-Request packets (RFC 3576 [12]).

    Response Authenticator

    The Authenticator field in Access-Accept, Access-Reject, and Access-Challenge packets is called the Response Authenticator, and contains a one-way MD5 hash calculated over a stream of octets consisting of:

    the RADIUS packet, beginning with the Code field, including the Identifier, the Length, the Request Authenticator field from the Access-Request packet

    the response attributes, followed by the shared secret (RFC 2865 [6]).

    The Authenticator field in an Accounting-Response packet is called the Response Authenticator, and it contains a one-way MD5 hash calculated over a stream of octets consisting of the Accounting-Response Code, Identifier, Length, the Request Authenticator field from the Accounting-Request packet being replied to, and the response attributes (if any) followed by the shared secret. The resulting 16 octets MD5 hash value is stored in the Authenticator field of the Accounting-Response packet (RFC 2866 [7]).

    The Authenticator value in Disconnect-Ack, Disconnect-Nak, Change-of-Authorization-ACK, and Change-of-Authorization-NAK packets is encoded the same way as the Accounting-Response packet's Authenticator value (RFC 3576 [12]).
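The authenticator rules above, as an added Python example (not part of the Nokia Siemens Networks document or of any Flexi ISN code): it computes and verifies both authenticator kinds and applies the Length and Identifier checks from Sections 5.1.1 to 5.1.3. The 16 zero octets used for the Accounting-Request authenticator come from RFC 2866; the function names, the secret and the sample attributes in the usage are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

HEADER_LEN = 20        # Code (1) + Identifier (1) + Length (2) + Authenticator (16)
MAX_PACKET_LEN = 4096  # maximum value of the Length field
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
DISCONNECT_REQUEST = 40
ZERO_AUTH = bytes(16)


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def _header(code, identifier, attributes):
    # Length covers Code, Identifier, Length, Authenticator and Attributes.
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes))


def _trim(packet):
    """Cut a received datagram to its Length field; None if the length is invalid."""
    if len(packet) < HEADER_LEN:
        return None
    length = struct.unpack("!H", packet[2:4])[0]
    if not HEADER_LEN <= length <= MAX_PACKET_LEN or length > len(packet):
        return None
    return packet[:length]  # octets beyond Length are padding


def build_access_request(identifier, attributes):
    """Access-Request: the authenticator is 16 unpredictable random octets."""
    return _header(ACCESS_REQUEST, identifier, attributes) + os.urandom(16) + attributes


def build_signed_request(code, identifier, attributes, secret):
    """Accounting-, Disconnect- and CoA-Request: the authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = _header(code, identifier, attributes)
    return header + _md5(header, ZERO_AUTH, attributes, secret) + attributes


def verify_signed_request(packet, secret):
    """Receiver-side check of an Accounting-, Disconnect- or CoA-Request."""
    packet = _trim(packet)
    if packet is None:
        return False
    expected = _md5(packet[:4], ZERO_AUTH, packet[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def build_response(code, request, attributes, secret):
    """Response Authenticator: MD5(Code + Identifier + Length +
    Request Authenticator of the request + response attributes + secret)."""
    header = _header(code, request[1], attributes)
    return header + _md5(header, request[4:HEADER_LEN], attributes, secret) + attributes


def verify_response(reply, request, secret):
    """Sender-side check of a reply: valid Length, Identifier matching the
    pending request, and the correct Response Authenticator."""
    reply = _trim(reply)
    if reply is None or reply[1] != request[1]:
        return False
    expected = _md5(reply[:4], request[4:HEADER_LEN], reply[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, reply[4:HEADER_LEN])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed value
    # Constructed attributes: Acct-Status-Type = 1 (Start), NAS-IP-Address = 192.0.2.1
    attrs = bytes([40, 6, 0, 0, 0, 1, 4, 6, 192, 0, 2, 1])
    request = build_signed_request(ACCOUNTING_REQUEST, 7, attrs, secret)
    reply = build_response(ACCOUNTING_RESPONSE, request, b"", secret)
    print("request authenticator ok:", verify_signed_request(request, secret))
    print("reply accepted:", verify_response(reply, request, secret))
```

Both authenticators depend only on MD5 and the shared secret, so a reply that fails `verify_response` is dropped in the same way as one with an invalid length.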

    5.2 Attributes

    RADIUS attributes carry the specific authentication, authorisation, information, and configuration details for the request and reply.

    The attribute format is shown in Table 6:

    Type | Length | Value

    Table 6 Attribute format

    Type: The Type field is one octet. The Flexi ISN ignores attributes with an unknown type.

    Length: The Length field is one octet, and it indicates the length of this attribute including the Type, Length, and Value fields. The Flexi ISN ignores attributes with an invalid length.

    Value: The Value field is zero or more octets and contains information specific to the attribute. The Type and Length field determine the format and length of the Value field.

    Note: None of the types in RADIUS terminate with a null character (NUL, \0, hex 00). In particular, the types 'text' and 'string' in RADIUS do not terminate with a NUL. The Value field's length is determined by the Length field and does not use a terminator.

    The format of the Value field is one of the five data types:

    Text: 1-253 octets containing UTF-8 encoded 10646 characters. Texts of zero length must not be sent.

    String: 1-253 octets containing binary data (values 0 through 255 decimal, inclusive). Strings of zero length must not be sent.

    Address: A 32 bit value, the most significant octet first.

    Integer: A 32 bit unsigned value, the most significant octet first.

    Time: A 32 bit unsigned value, the most significant octet first - in seconds since 00:00:00 UTC, January 1, 1970.
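An added parsing example (not from the original document or the product) for the attribute format and data types above: it decodes Type-Length-Value attributes by the Length field alone, keeps embedded NUL octets, and ignores attributes with an unknown type or an invalid length, as the text says the Flexi ISN does. The type numbers are a subset of this document's attribute table; stopping the parse when a Length runs past the end of the data is an assumption of this example, and the sample bytes are constructed.

```python
import ipaddress
import struct

# Type -> (name, data type): a subset of the attributes listed in this document.
KNOWN = {
    1: ("User-Name", "string"),
    4: ("NAS-IP-Address", "address"),
    8: ("Framed-IP-Address", "address"),
    25: ("Class", "string"),
    27: ("Session-Timeout", "integer"),
    28: ("Idle-Timeout", "integer"),
    30: ("Called-Station-ID", "string"),
    40: ("Acct-Status-Type", "integer"),
}
FIXED_FOUR_OCTETS = ("address", "integer", "time")


def encode_attribute(atype, value):
    """Type (1 octet), Length (1 octet, counts Type + Length + Value), Value."""
    if len(value) > 253:
        raise ValueError("value does not fit in one attribute")
    return bytes([atype, len(value) + 2]) + value


def decode_value(kind, value):
    """Decode one of the five data types; none of them is NUL-terminated."""
    if kind in ("integer", "time"):
        return struct.unpack("!I", value)[0]     # most significant octet first
    if kind == "address":
        return str(ipaddress.IPv4Address(value))
    if kind == "text":
        return value.decode("utf-8")
    return value                                  # string: raw octets, NULs kept


def parse_attributes(data):
    """Return (accepted, ignored) for the attribute area of a packet.

    accepted is a list of (name, value); ignored is a list of (offset, reason).
    """
    accepted, ignored = [], []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            ignored.append((pos, "truncated attribute header"))
            break
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            # Assumption: the next attribute boundary is unknown, so stop here.
            ignored.append((pos, "length runs outside the packet"))
            break
        value = data[pos + 2:pos + alen]
        start, pos = pos, pos + alen
        if atype not in KNOWN:
            ignored.append((start, f"unknown type {atype}"))
            continue
        name, kind = KNOWN[atype]
        fixed = kind in FIXED_FOUR_OCTETS
        if (fixed and len(value) != 4) or (not fixed and len(value) < 1):
            ignored.append((start, f"invalid length for {name}"))
            continue
        try:
            accepted.append((name, decode_value(kind, value)))
        except UnicodeDecodeError:
            ignored.append((start, f"invalid UTF-8 in {name}"))
    return accepted, ignored


def sample_attributes():
    """Constructed input: four well-formed attributes and two to be ignored."""
    return b"".join([
        encode_attribute(1, b"358401234567"),           # User-Name
        encode_attribute(25, b"grp\x00A"),              # Class with an embedded NUL
        encode_attribute(27, struct.pack("!I", 3600)),  # Session-Timeout
        encode_attribute(200, b"x"),                    # type not in KNOWN
        encode_attribute(4, b"\xc0\x00\x02"),           # 3-octet address: invalid
        encode_attribute(8, bytes([10, 0, 0, 5])),      # Framed-IP-Address
    ])


if __name__ == "__main__":
    ok, skipped = parse_attributes(sample_attributes())
    for name, value in ok:
        print(f"{name}: {value!r}")
    for offset, reason in skipped:
        print(f"ignored at offset {offset}: {reason}")
```

The Class value keeps all five octets; code that copies attribute values through NUL-terminated string functions would truncate it after `grp`.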

    Table 7 shows the list of attributes used by the Flexi ISN, the Type number, Length, Value format, and a short description.

    Attribute name Type Value format

    Definition Sent or received and used

    User-Name 1 String greater than or equal to 1 octet(s)

    Indicates the name of the user to be authenti-cated.

    Note that Flexi ISN does not always check the user name and password in the authen-tication process. The RADIUS server is responsible for the handling of empty authentication tokens.

    The user name can be the user name received from the user equip-ment, the MSISDN, or the access point name. For more information, see configuration parameters User Authentication Method and Override User Name Containing APN/MSISDN in Section Configuration parame-ters

    sent, received and used

    User-Password 2 String, 16-128 octets

    The password of the user according to RFC 2865.

    When the User-Name is either the MSISDN or the APN the word pass-word is used as User-Password.

    sent

    Chap-Password 3 According to RFC 2865

    The response value provided by a PPP Challenge Handshake Authentication Protocol (CHAP) user in response to the chal-lenge.

    sent

  • 36 DN70119375Issue 5-3 en

    RADIUS Interface, Interface Description

    Id:0900d8058068b02b

    Data elements

    NAS-IP-Address 4 Address, 4 octets

    The IPv4 address of the Flexi ISN in the RADIUS interface.

    sent, received and used

    NAS-Port 5 Integer 4 octets

    If the PDP context was created through one of the multi-access (NAS) interfaces of the Flexi ISN, this attribute will contain the used inter-face identifier. Other-wise, this attribute is not sent.

    The value is the Numeric ID defined in the NAS configuration. If the value is 0 (zero), there will be no attribute sent in the RADIUS messages.

    sent

    Service-Type 6 4 octets,

    Possible values according to RFC 2865

    This attribute indicates the type of service the user has requested, or the type of service to be provided. The attribute has the fixed value 2 (Framed). The Flexi ISN responds to a Discon-nect- or CoA-Request including an unsup-ported Service-Type attribute with a Discon-nect or CoA-NAK.

    sent, received and used

    Framed-Protocol 7 4 octets Indicates the framing to be used for framed access. The attribute has the fixed value "7" (GPRS PDP Context)

    sent, received

    Framed-IP-address 8 Address, 4 octets

    The clients IP address. May be used in Access-Accept packets. The IPv4 address in network byte order.

    sent, received and used

    Attribute name Type Value format

    Definition Sent or received and used

  • DN70119375Issue 5-3 en

    37

    RADIUS Interface, Interface Description Data elements

    Id:0900d8058068b02b

    Class 25 String, greater than or equal to 1 octet(s)

    The class is received from the Access-Accept message, and it is sent in the accounting mes-sages.

    sent, received and used

    Vendor-Specific 26 According to RFC 2865

    Vendor-specific attri-bute(s).

    See Section Vendor-specific attribute encod-ing.

    sent, received and used

    Session-Timeout 27 Integer, 4 octets

    A 32-bit unsigned integer with the maximum number of seconds that a user should be allowed to remain connected by the Flexi ISN.

    received and used

    Idle-Timeout 28 Integer, 4 octets

    A 32-bit unsigned integer with the maximum number of consecutive seconds of idle time that a user should be permitted before being discon-nected by the Flexi ISN.

    received and used

    Called-Station-ID 30 String greater than or equal to 1 octet(s)

    The access point name.

    Some RADIUS servers do not accept a string here. It is possible to use a numerical value instead.

    When a non-zero value is set in the configura-tion parameter Numeric Id that will be used. See Section Configuration parame-ters.

    sent

    Calling-Station-ID 31 String greater than or equal to 1 octet(s)

    The client's MSISDN.

    sent

    NAS-Identifier 32 String greater than or equal to 1 octet(s)

    Contains a string identifying the Flexi ISN.

    sent, received and used

    Proxy-State 33 String greater than or equal to 1 octet(s)

    This attribute is used when a proxy server is forwarding messages from a server to a client and back.

    If some Proxy-State attributes are received in a Disconnect- or CoA-Request, the Flexi ISN returns the attribute(s) unmodified (in the same order) in the Response message.

    sent, received and used

    Acct-Status-Type 40 4 octets Possible values:

    1, Start

    2, Stop

    3, Interim-Update

    7, Accounting On

    8, Accounting Off

    Indicates whether an Accounting-Request marks the beginning of the user service (START) or the end (STOP). This is used by the Flexi ISN:

    to mark the start of accounting (for example, upon booting) when an access point becomes active, by specifying Accounting-On

    to mark the end of accounting (for example, just before a scheduled reboot) when an access point becomes inactive, by specifying Accounting-Off.

    sent

    Acct-Input-Octets (1)

    42 Integer, 4 octets

    This attribute indicates the number of bytes transmitted for the user for a given service from the MS (uplink).

    sent

    Acct-Output-Octets (1)

    43 Integer, 4 octets

    This attribute indicates the number of bytes transmitted for the user for a given service towards the MS (downlink).

    sent

    Acct-Session-Id 44 String, 16 octets

    A unique accounting ID to make it easy to match the Start and Stop records in a log file. The Start and Stop records for a given session must have the same Acct-Session-Id.

    The Acct-Session-Id included in accounting ON and OFF messages is not unique.

    sent, received and used

    Acct-Authentic 45 Integer, 4 octets

    This attribute indicates how the user was authenticated. Possible values are 1 (RADIUS) and 2 (Local).

    sent

    Acct-Session-Time 46 Integer, 4 octets

    This attribute indicates for how many seconds the user has received the service.

    sent

    Acct-Input-Packets (1)

    47 Integer, 4 octets

    This attribute indicates how many packets have been received from the port while this service has been provided.

    sent

    Acct-Output-Packets (1)

    48 Integer, 4 octets

    This attribute indicates how many packets have been sent to the port while this service has been provided.

    sent

    Acct-Terminate-Cause

    49 Integer, 4 octets

    This attribute indicates how the session was terminated. The following values are supported in the Flexi ISN:

    1 (User Request) = Context termination related to SGSN or NAS.

    3 (Lost Service) = Context termination related to an access point.

    4 (Idle Timeout) = An idle time-out in Flexi ISN caused the context termination.

    5 (Session Timeout) = A session time-out in the Flexi ISN caused the context termination.

    6 (Admin Reset) = A Disconnect Request terminated the context.

    10 (NAS Request) = A network-initiated context termination (default value). See Section Acct-Terminate-Cause.

    sent

    Acct-Multi-Session-Id

    50 String, 16 octets

    A backbone wide unique hexadecimal coded ASCII string. A unique accounting ID to make it easy to link together multiple related sessions.

    sent, received and used

    Acct-Link-Count (1) 51 Integer, 4 octets

    This attribute gives the count of links which are known to have been in a given multilink session at the time the accounting record is generated.

    sent

    Acct-Input-Gigawords (1)

    52 Integer, 4 octets

    This attribute indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 while this service has been provided.

    sent

    Acct-Output-Gigawords (1)

    53 Integer, 4 octets

    This attribute indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 while this service has been provided.

    sent

    Event-Timestamp 55 Time, 4 octets

    This attribute is included in a packet to record the time when something with or in the session occurred (for example, a deactivation), in seconds, since January 1, 1970 00:00 UTC. (RFC 2869)

    sent, received and used

    Chap-Challenge 60 String, greater than or equal to 5 octets

    When the challenge is 16 octets long it is placed in the Request Authenticator field and the Challenge Handshake Authentication Protocol (CHAP-Challenge) is not used. According to RFC 2865.

    sent

    NAS-Port-Type 61 4 octets

    Possible values:

    5, virtual

    This attribute indicates the type of the physical port of the Flexi ISN that is authenticating the user. Always virtual (value=5).

    sent

    Tunnel-Type 64 3 octets

    Possible values:

    3, L2TP

    7, IP-IP

    10, GRE

    The tunnel type used. According to RFC 2868.

    received and used

    Tunnel-Client-Endpoint

    66 String or Address,

    greater than or equal to 1 octet(s)

    This attribute indicates the address of the initiator end of the tunnel.

    received and used

    Tunnel-Server-Endpoint

    67 String or Address,

    greater than or equal to 1 octet(s)

    This attribute indicates the address of the server end of the tunnel.

    received and used

    Tunnel-Password 69 According to RFC 2868

    Contains a password to be used to authenticate to a remote server

    received and used

    Tunnel-Assignment-ID

    82 String,

    greater than or equal to 1 octet(s)

    This attribute indicates to the tunnel initiator the particular tunnel to which a session is to be assigned.

    received and used

    Tunnel-Preference 83 3 octets according to RFC 2868

    This attribute indicates the relative preference assigned to each tunnel.

    received and used

    Tunnel-Client-Auth-ID

    90 Text, greater than or equal to 1 octet(s)

    This attribute specifies the name used by the tunnel initiator during the authentication phase of tunnel establishment.

    received and used

    Error-Cause 101 4 octets

    Possible values:

    404, Invalid Request

    The Value field is four octets, containing an integer specifying the cause of the error (RFC 3576 [12]).

    sent

    Primary-DNS-Server (vendor-proprietary) 135 Address, 4 octets

    The IPv4 address of the primary DNS server.

    received and used

    Secondary-DNS-Server (vendor-proprietary) 136 Address, 4 octets

    The IPv4 address of the secondary DNS server.

    received and used

    IMSI (vendor-proprietary) 224 String, 8 octets

    This attribute contains the IMSI of the mobile station. Its format is a binary coded decimal with extra four bits set to 1 for an odd number of digits (for example, 123 equals hexadecimal bytes 21 F3).

    sent

    Charging-Id (vendor-proprietary) 225 Integer, 4 octets

    This attribute together with the GGSN-IP-Address forms a unique ID for GPRS charging.

    sent

    Prepaid-Ind (vendor-proprietary) 226 Integer, 4 octets

    This attribute indicates prepaid service containing the Charging Characteristics field as described in 3GPP specification 32.015.

    hot billing = 1

    flat rate = 2

    prepaid = 4

    normal = 8

    sent

    GGSN-IP-Address (vendor-proprietary) 227 Address, 4 octets

    The GGSN IP address on the GPRS backbone. The IPv4 address.

    sent

    SGSN-IP-Address (vendor-proprietary) 228 Address, 4 octets

    The SGSN IP address on the GPRS backbone. The IPv4 address.

    sent

    Table 7 Attributes used by Flexi ISN

    1) This attribute is not included in messages sent in the 'fire and forget' mode. In this mode the message is sent once and no reply is noticed.

    Vendor-proprietary attributes implemented in Flexi ISN

    Nokia vendor-proprietary RADIUS attributes (224 - 228)

    Cisco vendor-proprietary RADIUS attributes (135 and 136)

    For more information, see Table 7.
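The value format Table 7 gives for the vendor-proprietary IMSI attribute (224), worked through as an added Python example that is not part of the Nokia Siemens Networks documentation. The function names and the 15-digit sample IMSI are constructed for illustration, and accepting filler nibbles only at the end of the value is an assumption.

```python
FILLER = 0xF  # the "extra four bits set to 1" used for an odd number of digits


def encode_imsi(digits):
    """Encode a decimal IMSI string as swapped-nibble BCD (attribute 224)."""
    if not 1 <= len(digits) <= 15 or any(c not in "0123456789" for c in digits):
        raise ValueError("IMSI must be 1 to 15 decimal digits")
    nibbles = [int(c) for c in digits]
    if len(nibbles) % 2:
        nibbles.append(FILLER)
    # The first digit of each pair is the low nibble, the second the high nibble.
    return bytes(lo | (hi << 4) for lo, hi in zip(nibbles[0::2], nibbles[1::2]))


def decode_imsi(raw):
    """Decode the attribute value to a digit string, rejecting malformed input."""
    if not 1 <= len(raw) <= 8:
        raise ValueError("IMSI attribute value must be 1 to 8 octets")
    digits, filler_seen = [], False
    for octet in raw:
        for nibble in (octet & 0x0F, octet >> 4):
            if nibble == FILLER:
                filler_seen = True  # assumption: filler is valid only at the end
            elif nibble > 9 or filler_seen:
                raise ValueError(f"invalid nibble 0x{nibble:X} in IMSI value")
            else:
                digits.append(str(nibble))
    if not 1 <= len(digits) <= 15:
        raise ValueError("IMSI value must hold 1 to 15 digits")
    return "".join(digits)


# The page's own example (123) and a constructed 15-digit IMSI that fills 8 octets.
PAGE_EXAMPLE = encode_imsi("123")
SAMPLE_IMSI = "001010123456789"
SAMPLE_VALUE = encode_imsi(SAMPLE_IMSI)

if __name__ == "__main__":
    print(PAGE_EXAMPLE.hex(" "))
    print(SAMPLE_VALUE.hex(" "), decode_imsi(SAMPLE_VALUE))
```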

    5.2.1 Vendor-specific attribute encoding

    The vendor-specific attribute (type 26) is available to allow vendors to support their own extended attributes.

    RFC 2865 [6] does not define how the string field of the vendor-specific attribute should be encoded. By default, the Flexi ISN encodes the vendor-specific attributes as advised in the last paragraph of section 5.26 of RFC 2865, encoding multiple sub-attributes with the same vendor-id within a single vendor-specific attribute. The encoding looks like the following:

    1 octet      Type = 26 (Vendor-Specific)
    1 octet      Length = 6 + (a + 2) + (b + 2) + n
    4 octets     Vendor-Id: 94 (Nokia), 311 (Microsoft), 10415 (3GPP), 28458 (Nokia-Siemens-Networks)
    1 octet      Vendor-Type
    1 octet      Vendor-Length = a + 2
    a octet(s)   Vendor-Value
    1 octet      Vendor-Type
    1 octet      Vendor-Length = b + 2
    b octet(s)   Vendor-Value
    n octets     Vendor-Type up to Vendor-Length

    Some RADIUS servers may require configuration or patching before being able to support this encoding.

    The Flexi ISN can, however, be configured to choose how the sub-attributes are encoded. The configuration parameter Encode Vendor-Specific Attributes Separately is described in Section Configuration parameters. When this option is chosen, each vendor-specific sub-attribute is encoded into a separate vendor-specific attribute. The encoding looks like the following:

    1 octet      Type = 26 (Vendor-Specific)
    1 octet      Length = 8 + n
    4 octets     Vendor-Id: 94 (Nokia), 311 (Microsoft), 10415 (3GPP), 28458 (Nokia-Siemens-Networks)
    1 octet      Vendor-Type
    1 octet      Vendor-Length = n + 2
    n octet(s)   Vendor-Value
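The two Vendor-Specific layouts of Section 5.2.1, as an added Python example that is not part of the Nokia Siemens Networks documentation: an encoder for both settings and a bounds-checked decoder that accepts either, which is what a RADIUS server or log parser on the receiving side needs. The function names and sample values are constructed; continuing an over-long packed attribute in a further attribute is an assumption.

```python
import struct

VENDOR_SPECIFIC = 26   # attribute type, from the page
NOKIA = 94             # Vendor-Id, from the page
MAX_BODY = 255 - 6     # room for sub-attributes after Type, Length, Vendor-Id


def encode_vsa(vendor_id, subattrs, separately=False):
    """Encode (vendor_type, value) pairs for one vendor.

    separately=False: one attribute, Length = 6 + sum(len(value) + 2).
    separately=True:  one attribute per sub-attribute, Length = 8 + n.
    """
    groups, current = [], b""
    for vtype, value in subattrs:
        if not 0 <= vtype <= 255 or len(value) + 2 > MAX_BODY:
            raise ValueError("sub-attribute does not fit its 1-octet fields")
        sub = bytes([vtype, len(value) + 2]) + value
        # Assumption: a packed attribute that would pass 255 octets is
        # continued in a further attribute; the page does not cover this.
        if current and (separately or len(current) + len(sub) > MAX_BODY):
            groups.append(current)
            current = b""
        current += sub
    if current:
        groups.append(current)
    vid = struct.pack("!I", vendor_id)
    return b"".join(bytes([VENDOR_SPECIFIC, 6 + len(g)]) + vid + g for g in groups)


def walk_tlvs(data, what):
    """Yield (type, value) for 1-octet-type, 1-octet-length TLVs, checking bounds."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError(f"truncated {what} header at offset {pos}")
        length = data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad {what} length {length} at offset {pos}")
        yield data[pos], data[pos + 2:pos + length]
        pos += length


def decode_vsas(attributes):
    """Return [(vendor_id, vendor_type, value)] from raw attribute octets.

    Handles both encodings; attributes of other types are skipped.
    """
    found = []
    for atype, value in walk_tlvs(attributes, "attribute"):
        if atype != VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise ValueError("Vendor-Specific attribute without a Vendor-Id")
        vendor_id = struct.unpack("!I", value[:4])[0]
        for vtype, vvalue in walk_tlvs(value[4:], "sub-attribute"):
            found.append((vendor_id, vtype, vvalue))
    return found


# Constructed sample: Nokia-Service-Name (type 3) and Nokia-Service-ID (type 4).
SUBATTRS = [(3, b"wap"), (4, b"\x07")]
PACKED = encode_vsa(NOKIA, SUBATTRS)
SEPARATE = encode_vsa(NOKIA, SUBATTRS, separately=True)

if __name__ == "__main__":
    for label, blob in (("packed", PACKED), ("separate", SEPARATE)):
        print(label, blob.hex(" "), decode_vsas(blob))
```

A receiver that only understands one of the two layouts silently drops or misreads sub-attributes sent in the other, so decoding both and rejecting inconsistent lengths is the safer default.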

    Vendor-specific attributes implemented in Flexi ISN

    Nokia vendor-specific attributes (value=94)

    Sub-attribute format: 1 octet Vendor-Type, 1 octet Vendor-Length = n + 2, n octet(s) Vendor-Value

    Attribute name Type Value format Definition Sent or received and used

    Nokia-UserProfile 2 String,

    greater than or equal to 1 octet(s)

    A list of services separated by a space character. Includes one primary service flag (*) and can include an OCS prepaid flag ($).

    received and used

    Nokia-Service-Name

    3 String,

    greater than or equal to 1 octet(s)

    The name of the service.

    received and used

    Nokia-Service-ID 4 Integer,

    1-4 octets

    The identification number of the service.

    received and used

    Nokia-Service-Username

    5 String,

    greater than or equal to 1 octet(s)

    The user name.

    received and used

    Nokia-Service-Password

    6 String,

    greater than or equal to 1 octet(s)

    The password.

    received and used

    Nokia-Service-Primary-Indicator

    7 0 octets The Value field should be empty and is ignored. The Tag field shows the primary service.

    received and used

    Nokia-Service-Charging-Type

    8 Integer,

    2 octets

    The first octet contains the wallet identification number. The second octet defines the wallet charging type.

    received and used

    Nokia-Service-Encrypted-Password 9 String, as defined in Section User profile fetching.

    This attribute contains an encrypted password for the service.

    received and used

    Nokia-Session-Access-Method 10 1 octet, as defined in Section Nokia vendor-specific attribute Nokia-Session-Access-Method.

    This attribute defines the access method for the user session.

    sent

    Nokia-Session-Charging-Type 11 1 octet, as defined in Section Charging profile fetching through RADIUS.

    This attribute defines the charging type for the user session.

    sent, received and used

    Nokia-OCS-ID1 12 Integer, 2 octets

    The identification number of the OCS server that should be used in the first place.

    received and used

    Nokia-OCS-ID2 13 Integer, 2 octets

    The identification number of the OCS server that should be used in the second place.

    received and used

    Nokia-TREC-Index 14 Integer, 1 octet

    This attribute defines the TREC for the PDP context.

    received and used

    Nokia-Requested-APN 15 String, greater than or equal to 1 octet(s)

    The name of the access point to which the mobile station requested connection.

    sent

    Microsoft vendor-specific attributes (value=311)

    Attribute name Type Value format Definition Sent or received and used

    MS-Primary-DNS-Server 28 Address, 4 octets

    The IPv4 address of the primary DNS server.

    received and used

    MS-Secondary-DNS-Server 29 Address, 4 octets

    The IPv4 address of the secondary DNS server.

    received and used

    3GPP vendor-specific attributes (value=10415). These require a license.

    Attribute name Type Value format Definition Sent or received and used

    3GPP-IMSI 1 Text,

    1-15 octets

    The IMSI for this user.

    sent

    3GPP-Charging-Id 2 Integer,

    4 octets

    The charging ID for this PDP context. The Flexi ISN generates this 3GPP charging ID for both virtual and normal PDP contexts with one exception. If the Flexi ISN acts as a NAS server and the charging ID selection is set to NAS Client, the charging ID will be the NAS client's charging ID and not the Flexi ISN's 3GPP charging ID.

    sent

    3GPP-PDP-Type 3 4 octets,

    Possible values:

    0, IPv4

    The type of PDP context.

    sent

    3GPP-Charging-Gateway-Address

    4 Address,

    4 octets

    The charging gateway IP address defined in the Flexi ISN configuration

    sent

    3GPP-GPRS-Negotiated-Qos-Profile

    5 Text,

    11, 27, or 33 octets

    The QoS profile applied by the Flexi ISN.

    Flexi ISN 3.0 now also supports Release 5-extended QoS profiles (release indicator is 05), which consist of 33 octets.

    sent

    3GPP-SGSN-Address

    6 Address,

    4 octets

    The SGSN IP address that is used by the GTP control plane for the handling of control messages. It may be used to identify the PLMN to which the user is attached.

    sent

    3GPP-GGSN-Address

    7 Address,

    4 octets

    Usually the Flexi ISN's IP address. The only exception is when the Flexi ISN acts as a NAS server and the charging ID selection is set to NAS Client; then the GGSN IP address will be the NAS client's GGSN IP address.

    sent

    3GPP-IMSI-MCC-MNC

    8 Text, 5 or 6 octets

    The MCC-MNC pair (RAI) of a user's IMSI. This value is compared to the active insertions in the Home PLMN ID Configuration table and in the Inbound Roaming Access Table. If a match is found in either of those, then the corresponding VSA is sent to the RADIUS server.

    sent

    3GPP-GGSN-MCC-MNC

    9 Text,

    5 or 6 octets

    The MCC-MNC of the network the Flexi ISN belongs to. The used MCC-MNC will be marked in the Home PLMN ID table.

    sent

    3GPP-NSAP 10 1 octet Identifies a particular PDP context.

    sent

    3GPP-Session-Stop-Indicator

    11 1 octet,

    Fixed value FF (Hex)

    Indicates that the last PDP context of a session is released and that the PDP session has been terminated. The fixed value is FF (Hex).

    sent

    3GPP-Selection-Mode

    12 Text,

    1 octet

    Contains the selection mode for this PDP context received in the Create PDP Context Request message.

    sent

    3GPP-Charging-Characteristics

    13 Text,

    4 octets

    This attribute contains the charging characteristics for this PDP context received in the Create PDP Context Request Message (only available in 3GPP R99 and later releases).

    Note: If the charging type flags are not set from the HLR, then the Flexi ISN sets the post-paid flag.

    sent

    3GPP-SGSN-MCC-MNC

    18 Text,

    5 or 6 octets

    The MCC and MNC extracted from the RAI within the Create PDP Context Request or Update PDP Context Request message.

    sent

    3GPP-IMEISV 20 Text,

    16 octets

    This attribute contains the international mobile equipment identity (IMEI) and its software version received from the SGSN.

    sent

    3GPP-RAT-Type 21 1 octet,

    Possible values:

    1, UTRAN

    2, GERAN

    3, WLAN*

    4-255

    This attribute indicates which radio access technology (RAT) is currently serving the user equipment. The RAT is received from the SGSN.

    Note that the Flexi ISN uses the following values for:

    253 = Nokia-WLAN *

    254 = NAS

    255 = Unspecified SGSN

    This is effective until the 3GPP specification defines new values for the spare numbers.

    * The selection between WLAN and Nokia-WLAN depends on how the GGSN receives the RAT information over GTP-C. If the RAT Type information element is received, WLAN is sent. If Private Extension information element is received, Nokia-WLAN is sent.

    sent

    3GPP-User-Location-Info 22 1-m octets, m depends on the Geographic Location Type

    This attribute contains information about the user's geographical location. The value of this attribute is copied without changes from the GTP information element User Location Information that is received from the SGSN. The Geographic Location Type is defined in 3GPP specification 29.060 [2].

    sent

    3GPP-MS-TimeZone 23 2 octets

    Indicates the time zone that the user is currently located in. The value of this attribute is copied without changes from the GTP information element MS Time Zone that is received from SGSN. MS Time Zone is defined in 3GPP specification 29.060 [2].

    sent

    Nokia Siemens Networks vendor-specific attributes (value=28458).

    Attribute name Type Value format Definition Sent or received and used

    NSN-Tunnel-User-Auth-Method 1 Integer, 3 octets

    This attribute defines the user authentication method used with dynamic tunnels. The attribute contains a tag which is used to group attributes referring to the same tunnel.

    Possible values are:

    L2TP PAP = 1

    L2TP PAP with MSISDN = 2

    L2TP PAP with APN = 3

    L2TP PAP with IMSI = 4

    L2TP CHAP = 5

    L2TP CHAP with MSISDN = 6

    L2TP CHAP with APN = 7

    L2TP CHAP with IMSI = 8

    L2TP Proxy Authentication = 9

    received and used

    NSN-Tunnel-Override-Username 2 Integer, 1 octet

    This attribute changes the user authentication in dynamic tunnels when credentials are received from the terminal. When this attribute is set to enabled (1) the credentials from the terminal will override the ones previously used. The authentication fails if the received password is "password". The attribute contains a tag which is used to group attributes referring to the same tunnel.

    Possible values are:

    Enabled = 1

    Disabled = other values

    received and used

    5.2.2 Attributes sent and received by Flexi ISN

    Attributes delivered with the messages depend on the value of the configuration parameters Authentication Operation and Account Server Operation. The undefined attributes received with the messages are discarded. The following tables contain the attributes sent and received by the Flexi ISN grouped by the type of the message and based on different parameter values:

    5.2.2.1 Access Request

    ID Attribute name Simple authentication

    IMSI SGSN IMSI SGSN-3GPP

    1 User-Name Yes Yes Yes

    2 User-Password (1) Yes Yes Yes

    3 CHAP-Password (2) Yes Yes Yes

    4 NAS-IP-Address Yes Yes Yes

    5 NAS-Port Yes Yes Yes

    6 Service-Type Yes Yes Yes

    7 Framed-Protocol Yes Yes Yes

    30 Called-Station-Id Yes Yes Yes

    31 Calling-Station-Id Yes Yes Yes

    32 NAS-Identifier Yes Yes Yes

    44 Acct-Session-Id Yes Yes Yes

    50 Acct-Multisession-Id Yes Yes Yes

    60 CHAP-Challenge (2) Yes Yes Yes

    61 NAS-Port-Type Yes Yes Yes

    224 IMSI Yes

    228 SGSN-IP-A