Nokia Siemens Networks Flexi ISN, Rel. 4.0
Operating Documentation, v.6
RADIUS Interface, Interface Description
DN70119375
Issue 5-3 en


The information in this document is subject to change without notice and describes only the
product defined in the introduction of this documentation. This documentation is intended for the
use of Nokia Siemens Networks customers only for the purposes of the agreement under which
the document is submitted, and no part of it may be used, reproduced, modified or transmitted
in any form or means without the prior written permission of Nokia Siemens Networks. The
documentation has been prepared to be used by professional and properly trained personnel,
and the customer assumes full responsibility when using it. Nokia Siemens Networks welcomes
customer comments as part of the process of continuous development and improvement of the
documentation.
The information or statements given in this documentation concerning the suitability, capacity,
or performance of the mentioned hardware or software products are given "as is" and all liability
arising in connection with such hardware or software products shall be defined conclusively and
finally in a separate agreement between Nokia Siemens Networks and the customer. However,
Nokia Siemens Networks has made all reasonable efforts to ensure that the instructions
contained in the document are adequate and free of material errors and omissions. Nokia
Siemens Networks will, if deemed necessary by Nokia Siemens Networks, explain issues which
may not be covered by the document.
Nokia Siemens Networks will correct errors in this documentation as soon as possible. IN NO
EVENT WILL Nokia Siemens Networks BE LIABLE FOR ERRORS IN THIS DOCUMENTATION OR FOR ANY
DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, DIRECT, INDIRECT, INCIDENTAL OR
CONSEQUENTIAL OR ANY LOSSES, SUCH AS BUT NOT LIMITED TO LOSS OF PROFIT, REVENUE, BUSINESS
INTERRUPTION, BUSINESS OPPORTUNITY OR DATA, THAT MAY ARISE FROM THE USE OF THIS DOCUMENT OR
THE INFORMATION IN IT.
This documentation and the product it describes are considered protected by copyrights and
other intellectual property rights according to the applicable laws.
The wave logo is a trademark of Nokia Siemens Networks Oy. Nokia is a registered trademark
of Nokia Corporation. Siemens is a registered trademark of Siemens AG.
Other product names mentioned in this document may be trademarks of their respective
owners, and they are mentioned for identification purposes only.
Copyright Nokia Siemens Networks 2010. All rights reserved

Important Notice on Product Safety


Elevated voltages are inevitably present at specific points in this electrical equipment.
Some of the parts may also have elevated operating temperatures.
Non-observance of these conditions and the safety instructions can result in personal
injury or in property damage.
Therefore, only trained and qualified personnel may install and maintain the system.
The system complies with the standard EN 60950 / IEC 60950. All equipment connected
has to comply with the applicable safety standards.


Table of Contents
This document has 96 pages.

1 Changes in RADIUS Interface Description
1.1 Changes in release 4.0 CD4
1.2 Changes in release 4.0 CD3
1.3 Changes in release 4.0 CD2
1.4 Changes in release 4.0
1.5 Changes between releases 3.2 and 4.0
1.6 Changes between releases 3.1 and 3.2
1.7 Changes between releases 3.0 and 3.1

2 Introduction
2.1 About
2.2 Audience

3 Overview of RADIUS interface
3.1 Key features of RADIUS
3.2 RADIUS in the Flexi ISN environment
3.2.1 Authentication operations
3.2.2 Accounting operations
3.2.3 Configuration parameters
3.3 Interface protocol
3.3.1 Message flow

4 RADIUS license

5 Data elements
5.1 RADIUS interface data format
5.1.1 Code
5.1.2 Identifier
5.1.3 Length
5.1.4 Authenticator
5.2 Attributes
5.2.1 Vendor-specific attribute encoding
5.2.2 Attributes sent and received by Flexi ISN
5.2.2.1 Access Request
5.2.2.2 Access Accept
5.2.2.3 Accounting Request Start
5.2.2.4 Accounting Request Interim-Update
5.2.2.5 Accounting Request Stop
5.2.2.6 Accounting Request On/Off
5.2.2.7 Disconnect Request
5.2.2.8 Disconnect ACK
5.2.2.9 Disconnect NAK
5.2.2.10 Change of Authorisation (CoA) Request
5.2.2.11 Change of Authorisation (CoA) ACK
5.2.2.12 Change of Authorisation (CoA) NAK

6 Additional features
6.1 Support for DNS servers provided by the RADIUS server
6.2 RADIUS Disconnect
6.2.1 Disconnect-Request
6.2.2 Disconnect-ACK
6.2.3 Disconnect-NAK
6.3 Accounting Request Interim-Update
6.4 Acct-Input-Gigawords and Acct-Output-Gigawords
6.5 Dynamic tunnelling of APN
6.5.1 Tunnelling attributes related to authentication
6.5.2 Tunnelling attributes related to user authentication
6.5.3 Additional requirements related to dynamic tunnelling of APN
6.6 Nokia vendor-specific attribute Nokia-Session-Access-Method
6.7 Charging profile fetching through RADIUS
6.8 Defining OCS servers through RADIUS
6.9 Determining TREC through RADIUS
6.10 Nokia-Requested-APN
6.11 Transmission window
6.12 Support for RADIUS proxy
6.13 Checks made on Disconnect-Requests and CoA-Requests; RFC 3576
6.14 Acct-Terminate-Cause
6.15 Values and profiles determined through RADIUS

7 Retrieving service components
7.1 User profile fetching
7.2 Retrieving service components dynamically
7.2.1 CoA-Request
7.2.2 CoA-ACK
7.2.3 CoA-NAK
7.3 Usage of the old service list fetching attribute

References

Abbreviations


List of Figures
Figure 1 RADIUS message flow, basic case
Figure 2 RADIUS message flow, change PDP context parameters
Figure 3 RADIUS message flow, disconnect by RADIUS server
Figure 4 RADIUS proxy


List of Tables
Table 1 Common RADIUS configuration
Table 2 RADIUS authentication configuration
Table 3 RADIUS Accounting configuration
Table 4 RADIUS Disconnect configuration
Table 5 Summary of RADIUS data format
Table 6 Attribute format
Table 7 Attributes used by Flexi ISN
Table 8 Determined values in a RADIUS message
Table 9 Specific attribute format for Nokia vendor-specific service attributes
Table 10 Nokia-Service-Name
Table 11 Nokia-Service-ID
Table 12 Nokia-Service-Username
Table 13 Nokia-Service-Password
Table 14 Nokia-Service-Primary-Indicator
Table 15 Nokia-Service-Charging-Type
Table 16 Nokia-Service-Encrypted-Password


1 Changes in RADIUS Interface Description


1.1 Changes in release 4.0 CD4


Changes in content
A new hardware configuration, Capacity Extender, is introduced.
A new vendor specific attribute, 3GPP-IMSI-MCC-MNC, has been added.
Changes in documentation
Section Transmission window has been updated regarding the Capacity Extender configuration.
The new 3GPP-IMSI-MCC-MNC vendor specific attribute has been added in Section Vendor-specific attribute encoding. The same attribute has been added in the tables of the
Access Request, Accounting Request Start, Accounting Request Interim-Update and
Accounting Request Stop Sections.
The descriptions of the following parameters have been updated in Section RADIUS in
the Flexi ISN environment:

Numeric ID
Encode Vendor-Specific Attributes Separately
User Authentication Method
Override User Name Containing APN/MSISDN
IP Address Generation Method
Dynamic Tunnels
Secondary Account Server Mode
RADIUS Accounting Mode

Section RADIUS in the Flexi ISN environment has been updated with a Note.
The length value of the attribute NSN-Tunnel-Override-Username in Section Tunnelling attributes related to user authentication has been changed from 12 to 10.

1.2 Changes in release 4.0 CD3


Changes in content
No changes in content
Changes in documentation
Table RADIUS authentication configuration has been updated.

1.3 Changes in release 4.0 CD2


Changes in content
Document updated with content for Optional Radius Accounting in 3GPP mode feature.
Changes in documentation
Section Configuration parameters has been updated with values for the RADIUS
Accounting configuration.


Section RADIUS license has been updated with information about the Optional Radius
Accounting in 3GPP mode feature.

1.4 Changes in release 4.0


Changes in content
Document updated with content for Network Based QoS feature.
Changes in documentation
Section Transmission window has been updated with values for the Dual-Chassis configuration.

1.5 Changes between releases 3.2 and 4.0


Changes in content
The new modes Redundancy and Semi Redundancy have been added to the Secondary Account Server Mode option.
A new Vendor-ID has been defined for Nokia Siemens Networks (28458 Nokia-Siemens-Networks).
The vendor-specific attributes NSN-Tunnel-User-Auth-Method and NSN-Tunnel-Override-Username have been
defined to allow the User Authentication method within dynamic L2TP tunnelling when
PAP tokens from PCO IE are not provided by the user equipment. In addition, other
authentication methods are now possible within dynamic L2TP tunnels.
Modifications in the 3GPP-Charging-Id and 3GPP-GGSN-Address attributes due to the new
Charging ID Support feature.
The value option None has been removed from the User Authentication Method parameter.
The following configuration parameters have been removed: Tunneling in Authentication, Tunneling in Accounting.
Changes in documentation
Section RADIUS in the Flexi ISN environment: Added the two above mentioned modes.
Section Configuration parameters: In Table 3, the modes Redundancy and Semi
Redundancy have been added to the RADIUS Accounting configuration.
Section Vendor-specific attribute encoding: Added the above mentioned Vendor-Id and
attributes.
Section Attributes sent and received by Flexi ISN: Added the above mentioned attributes to table Access Accept.
Section Tunnelling attributes related to user authentication: This new section describes
the new vendor-specific attributes.
Section Additional requirements related to dynamic tunnelling of APN: This section has
been renumbered from 6.5.2.
Section RADIUS in the Flexi ISN environment: Clarification added about switching back
to the primary server from the secondary server. Information added about the Accounting To Authentication Server option.
Section Configuration parameters: Added parameters Server switchover time and
Accounting To Authentication Server. Removed parameters Tunnelling in Authentication, Tunnelling in Accounting.
Section Vendor-specific attribute encoding: The definitions for the following attributes
have been updated: 3GPP-Charging-Id, 3GPP-GGSN-Address.


Section Disconnect-Request: Added clarification about the use of Acct-Session-Id
and Acct-Multi-Session-Id attributes in disconnect messages.
Section Dynamic tunnelling of APN: In Section Tunnel-Assignment-ID, added clarification that an existing tunnel can be re-used only if the same service blade is used.
Section RADIUS in the Flexi ISN environment: Added clarification that if there is no reply
to an Accounting Start message for a PDP context from the primary or secondary
accounting servers, nothing will be sent to the extra RADIUS accounting servers regarding the PDP context.
Section Configuration parameters: In Table 3, the description for the value 'Redundancy'
for the Secondary Account Server Mode parameter has been updated.

1.6 Changes between releases 3.1 and 3.2


Changes in content
New feature:

RADIUS IPS Compatibility

New attributes:

3GPP-Charging-Gateway-Address (Section Vendor-specific attribute encoding)
3GPP-GGSN-MCC-MNC (Section Vendor-specific attribute encoding)
3GPP-Selection-Mode (Section Vendor-specific attribute encoding)
Service-Type (Section Attributes)
Framed-Protocol (Section Attributes)
Acct-Authentic (Section Attributes)

Enhanced usage of old attributes:

3GPP-PDP-Type. Now also sent in Access-Request messages if the RADIUS Authentication Operation is IMSI-SGSN-3GPP.
3GPP-Charging-Characteristics. The attribute is also included in Accounting-Requests (Start, Stop, and Interim) if the RADIUS Account Server Operation is 3GPP.
Acct-Terminate-Cause. Now also included in all Stop Accounting-Requests.
New values defined for Acct-Terminate-Cause attribute (Section Acct-Terminate-Cause).

New configuration parameters:

Server switchover time
Accounting To Authentication Server

Changes in documentation
Section Configuration parameters: a new tunnelling parameter has been added (Client
tunnelling IP Address).
Section Message flow: the text has been updated.
Section Attributes: in Table Attributes used by Flexi ISN the descriptions of the Acct-Input-Octets and Acct-Output-Octets attributes have been modified.
Section Attributes sent and received by Flexi ISN: the structure has been modified and
the tables have been updated. The following new sections have been added:

Acct-Terminate-Cause
Values and profiles determined through RADIUS

Section RADIUS in the Flexi ISN environment: Clarification about switching back to the
primary server from the secondary server. Information added about the Accounting To Authentication Server option.
Section Authentication operations: validation information has been updated.
Section Configuration parameters: the following parameters have been added: Switchover time, Tunneling in Authentication, Tunneling in Accounting, and Accounting To
Authentication Server.
Section Message flow: the figures have been modified.

1.7 Changes between releases 3.0 and 3.1


Changes in content
New feature:

RADIUS accounting transmission window and queue enhancements (Section Transmission window)

New value allowed for attribute Nokia-Session-Charging-Type.


Changes in documentation
The ID number for this document is now DN70119375 (previously DN04134636).


2 Introduction
This document specifies the interface between the Flexi ISN and its counterpart server
for delivering subscriber identification, the remote authentication dial-in user service
(RADIUS) server. This document is mainly based on RFC 2865 [6] and RFC 2866 [7],
together with 3GPP standard TS 29.061 [3].

2.1 About
The main sections of this document are:

Overview
This specifies the delivery of subscriber identification, the reference model, and the
interfaces between the Flexi ISN and the RADIUS server.
Data elements
This specifies the data elements for RADIUS authentication and accounting supported by the Flexi ISN.
Additional features
This specifies some new attributes and additional features supported by the Flexi
ISN.
Retrieving service components
This specifies the service-aware features in RADIUS: user profile fetching during
authentication, and dynamically by using the CoA message.

It is not within the scope of this document to specify the Nokia proprietary RADIUS specification between the Flexi ISN and Nokia Online Service Controller (OSC), used in the
Intelligent Content Delivery (ICD) system.

2.2 Audience
Users of this document should have a basic knowledge of the Flexi ISN, wireless networks, the Internet, RADIUS, and the RADIUS accounting and authentication protocols.


3 Overview of RADIUS interface


In the Flexi ISN, subscriber identification is the key to:

billing
access control
personalisation of services

The Flexi ISN supports these activities during request processing when it resolves subscriber identifiers by using the RADIUS accounting protocol (RFC 2866 [7]). The interface
protocol is further explained in Section Interface protocol.
The Flexi ISN also uses authentication packets provided by RFC 2865 [6].
RADIUS is transported over the User Datagram Protocol (UDP). The UDP destination port
is 1812 for RADIUS Authentication messages and 1813 for RADIUS Accounting messages.

Note: The interface between the Flexi ISN and the Traffic Analyser (TA) is based on
Internet Protocol (IP) and RADIUS. This is, however, not described here, because
the Flexi ISN-TA interface is invisible to the Flexi ISN. Nokia TA listens to RADIUS
Accounting Start, Stop, Interim Update, On, and Off messages sent by the Flexi ISN.
For the use of advanced features in Nokia TA, the RADIUS 3GPP Accounting mode
needs to be enabled.

3.1 Key features of RADIUS


RFC 2865 [6] and RFC 2866 [7] define the following as the key features of the RADIUS
protocol:

Client/Server model
A Flexi ISN operates as a client of RADIUS. The client is responsible for passing
user information to designated RADIUS servers, and then acting on the response
that is returned. RADIUS servers are responsible for receiving user connection
requests, authenticating the user, and then returning all configuration information
necessary for the client to deliver a service to the user.
Network security
Transactions between the client and the RADIUS server are authenticated through
the use of a shared secret, which is never sent over the network. In addition, any
user passwords are sent encrypted between the client and the RADIUS server to
eliminate the possibility that someone snooping on an unsecured network could
determine a user's password. When a user password is present, it is hidden using a
method based on RSA Message Digest Algorithm version 5 (MD5).
Flexible authentication mechanisms
The RADIUS server can support a variety of methods to authenticate a user. When
it is provided with the user name and the original password given to the user, it can
support PPP PAP or CHAP, UNIX login, and other authentication mechanisms.
Extensible protocols
All transactions are comprised of variable length Attribute-Length-Value 3-tuples.
New attribute values can be added without disturbing existing implementations of
the protocol.


3.2 RADIUS in the Flexi ISN environment


A Flexi ISN can use nine RADIUS servers for each access point. Four of the servers are
very important; two pairs consisting of a primary and a secondary RADIUS server. The
remaining five RADIUS servers are extra and optional accounting servers. The first pair
of RADIUS servers is used for authentication and the second pair of RADIUS servers is
used to deliver extra information for external systems (the accounting servers). The
same server may take care of the two functions.
One pair of RADIUS servers consists of a primary server and a secondary server. The
Flexi ISN attempts to communicate first with the primary server; if there is no response,
it communicates with the secondary server. When the Flexi ISN receives a response, it
memorizes the IP address of the RADIUS server that responded. That server will be
used in any further communication where possible. By default, the Flexi ISN tries to
contact the primary server three times and waits for a response for 2, 4, and 8 seconds,
respectively. If a secondary server exists and there is no response from the primary
server, the Flexi ISN tries to contact the secondary server three times, as with the
primary server. The operator can configure the number of attempts and the waiting
times. The same values are used for the primary and secondary servers.
When the Flexi ISN switches from a primary server to a secondary server because of no
response from the primary server, it tries to switch back to the primary server at a
configurable interval (RADIUS Switchover Time configuration parameter). This
happens for both the authentication and accounting server pairs independently (an
authentication pair switchover does not affect accounting).
The RADIUS authentication server always operates in the Backup mode.
The RADIUS accounting server can be set to operate in the following three modes:

The Backup mode
The Semi Redundancy mode
The Redundancy mode

In the Backup mode, the Flexi ISN forwards requests to a secondary server if the
primary server is down or unreachable. In the Backup mode, the Flexi ISN also remembers the IP address of the RADIUS server that responded separately for each primary
PDP context, in other words during one session. If the Accounting To Authentication
Server option is enabled and authentication is used, accounting for the PDP context will
be transmitted to the authentication server where the PDP context was authenticated (if
authentication and accounting have all the same properties except the port number,
which is the fixed value 1813, not read from the configuration). This functionality is supported for any primary/secondary server combination, but not for the 3rd - 7th accounting servers.
In the Semi Redundancy mode, the difference is that the Flexi ISN sends the request to
the primary and secondary servers at the same time. If one of the servers responds, the
accounting process continues normally, since a single server's response is considered
success. There are no switchovers between the primary and secondary server in this
mode because requests are always sent to both servers. No retransmission timeouts
are performed if a response is received from either of the two accounting servers in
order to speed up the PDP context activation. Retransmissions are sent to both servers
if they are out of service or no response is received. If the retransmission timeout setting
expires, alarms are raised for both servers to notify that they are out of service.
In the Redundancy mode, requests are sent simultaneously to both servers and Flexi
ISN treats them separately. As soon as a response is sent from one server to Flexi ISN,
the PDP context activation procedure continues. Flexi ISN will continue sending
retransmissions to the other server until it receives a response or the retransmission timeout
setting expires. In case of no response, an alarm is raised indicating that this server is
out of service. Flexi ISN will continue to send requests to both RADIUS servers on subsequent PDP Context Activations. Alarms are raised for both servers if they are out of
service.
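The server handling described above for the Backup, Semi Redundancy and Redundancy modes can be modelled to see how long a PDP context activation waits and which servers get reported. This is an added example, not Flexi ISN code; it assumes a reply arrives as soon as the answered attempt is sent, and it reads the Semi Redundancy text as raising alarms only when neither server answers.

```python
"""Model of the primary/secondary RADIUS server handling (added example)."""
from typing import NamedTuple, Optional, Tuple

DEFAULT_WAITS = (2, 4, 8)  # page default: three attempts, waiting 2, 4 and 8 seconds


class Outcome(NamedTuple):
    elapsed: int                 # seconds until a reply arrives or all attempts time out
    answered_by: Optional[str]   # "primary", "secondary" or None when nobody answered
    alarms: Tuple[str, ...]      # servers reported as out of service


def reply_time(answers_attempt: Optional[int], waits=DEFAULT_WAITS) -> Optional[int]:
    """Seconds until a server replies, given the 1-based attempt it answers.

    None means the server never answers. Assumption of this model: the reply
    arrives as soon as the answered attempt is sent (zero round-trip time).
    """
    if answers_attempt is None or answers_attempt > len(waits):
        return None
    if answers_attempt < 1:
        raise ValueError("attempt numbers start at 1")
    return sum(waits[:answers_attempt - 1])


def backup(primary, secondary, waits=DEFAULT_WAITS) -> Outcome:
    """Backup mode: all attempts go to the primary first, then to the secondary."""
    t = reply_time(primary, waits)
    if t is not None:
        return Outcome(t, "primary", ())
    t = reply_time(secondary, waits)
    if t is not None:
        return Outcome(sum(waits) + t, "secondary", ())
    # The page states no alarm behaviour for Backup mode, so none is modelled.
    return Outcome(2 * sum(waits), None, ())


def _parallel(primary, secondary, waits, keep_retrying_silent_server) -> Outcome:
    times = {"primary": reply_time(primary, waits),
             "secondary": reply_time(secondary, waits)}
    live = {name: t for name, t in times.items() if t is not None}
    if not live:
        # Both retransmission schedules expire: alarms for both servers.
        return Outcome(sum(waits), None, ("primary", "secondary"))
    first = min(live, key=live.get)
    silent = tuple(name for name, t in times.items() if t is None)
    return Outcome(live[first], first, silent if keep_retrying_silent_server else ())


def semi_redundancy(primary, secondary, waits=DEFAULT_WAITS) -> Outcome:
    """Both servers are sent the request; one reply ends retransmission to both."""
    return _parallel(primary, secondary, waits, keep_retrying_silent_server=False)


def redundancy(primary, secondary, waits=DEFAULT_WAITS) -> Outcome:
    """Both servers are sent the request and are tracked separately."""
    return _parallel(primary, secondary, waits, keep_retrying_silent_server=True)


if __name__ == "__main__":
    # Constructed scenario: primary never answers, secondary answers the first attempt.
    for mode in (backup, semi_redundancy, redundancy):
        print(mode.__name__, mode(None, 1), mode(None, None))
```

With the default waits, a dead primary costs a Backup-mode request 14 seconds before the secondary is tried, and in this model only Redundancy mode reports a silent server while its partner is still answering.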
There are five extra RADIUS accounting servers (also known as 'fire and forget' servers)
to which accounting messages are sent if those servers are configured in the accounting
profile that the access point in use points to. It is important to note that the primary and
secondary servers have different characteristics and supported features than the fire
and forget servers. All accounting messages that are sent to the primary or secondary
accounting server are sent to these servers only once, after a response from the primary/secondary server has been received. This means that there is no retransmission
to these servers. Note that if there is no reply to an Accounting Start message for a PDP
context from the primary or secondary accounting servers, nothing will be sent to
accounting servers 3 to 7 for the PDP context. The content of the accounting messages
is slightly different for fire and forget messages. The Accounting To Authentication
Server functionality does not cover fire and forget servers.
The Flexi ISN does not expect any Accounting-Response messages from the extra
RADIUS accounting servers for the sent Accounting-Requests. Note that if there is no
reply to an Accounting Start message for a PDP context from the primary or secondary
accounting servers, nothing will be sent to the extra RADIUS accounting servers regarding the PDP context.

Note: Accounting messages are sent to 'fire and forget' servers, after the response of
either the primary or the secondary server, as described above, but only for the "primary" connection of the primary PDP context. On the other hand, in case of "secondary" connections the accounting messages are not forwarded to 'fire and forget'
servers, so this functionality cannot be used in Service Access Points.

3.2.1 Authentication operations
When the Flexi ISN has obtained the authentication information from the user, it creates
an Access-Request containing attributes such as the user's name, the user's password,
the ID of the client, and the Port ID that the user is accessing.
The Access-Request is submitted to the RADIUS server via the network. If no response
is returned within a certain length of time, the request is re-sent a number of times. The
Flexi ISN can also forward requests to an alternate server (secondary server) if the
primary server is down or unreachable.
Once the RADIUS server receives the request, it validates the sending Flexi ISN. The
Flexi ISN must have a shared secret with the RADIUS server; otherwise the RADIUS server
silently discards the request. If the Flexi ISN is valid, the RADIUS server consults a database of
users to find the user whose name matches the request.
If any condition is not met, the RADIUS server sends an Access-Reject response indicating that this user request is invalid.
If all conditions are met and the RADIUS server wishes to issue a challenge to which the
user must respond, the RADIUS server sends an Access-Challenge response. It may
include a text message to be displayed by the GGSN/ISN to the user prompting for a
response to the challenge, and may include a State attribute. The client could then
resubmit its original Access-Request with a new request ID, with the User-Password
attribute replaced by the response (encrypted), and including the State attribute from
the Access-Challenge, if any.


The Flexi ISN does not support challenge/response. It treats an Access-Challenge as though
it had received an Access-Reject and sends a new Access-Request. Challenge/response is not
supported because there is no way the Flexi ISN can communicate with the user.
If all conditions are met, the list of configuration values for the user is placed into an
Access-Accept response. These values include the type of service (for example: SLIP,
PPP, Login User) and all the necessary values to deliver the desired service.

3.2.2 Accounting operations
The Flexi ISN supports and sends the following RADIUS Accounting messages to the
RADIUS accounting server:

Accounting Start
This is used when a PDP context is created.
Accounting Stop
This is used when a PDP context is deleted.
Accounting ON
This is sent to the RADIUS server at the time the access point becomes active so
that the IP addresses (that have possibly been left hanging) can be released.
Accounting OFF
This is sent to the RADIUS server at the time the access point becomes inactive so
that the IP addresses can be released.
Accounting Interim-Update
This is sent to the RADIUS server when the PDP context is updated.

The Accounting-Request (whether for Start or Stop) is submitted to the RADIUS
accounting server via the network. For more information, see RFC 2866 [7].

3.2.3 Configuration parameters
The RADIUS configuration in the Flexi ISN is located in the RADIUS profiles configuration. For instructions on configuring the RADIUS interface, see Access Points in Nokia
Siemens Networks Flexi ISN.

Table 1  Common RADIUS configuration

Parameter:   Numeric ID
             (Routing Instance -> Config (Default) -> Flexi ISN Configuration ->
             Access Point Configuration -> Access Points)
Values:      0 - 2147483647
Description: Some RADIUS servers cannot handle access point names and require a numeric
             value for identification. The Numeric ID parameter will be inserted to the
             Called-Station-ID. If the value 0 is inserted, no attribute will be sent.

Parameter:   Profile Name
Values:      (string)
Description: The name of the RADIUS profile.

Parameter:   RowStatus
Values:      Active / Not in service
Description: The status of the RADIUS profile.

Parameter:   Client IP Address
Values:      IPv4 address
Description: Defines the actual source address of RADIUS messages. The IP address to be
             inserted into the NAS-IP-Address attribute of RADIUS requests.

Parameter:   Type
             (Routing Instance -> Config (Default) -> Flexi ISN Configuration ->
             Access Point Configuration -> Access Points)
Values:      Normal (IPv4)
             GRE Tunnel (IPv4)
             IP over IP (IPv4)
Description: The type of the access point to be used in the profile. The type is used to
             interpret the meaning of the Tunnel Remote IP Address parameter.

Parameter:   Retransmission Timeouts
Values:      (Default) 2 4 8
Description: RADIUS retransmission timeouts in seconds.

Parameter:   Encode Vendor-Specific Attributes Separately
Values:      Enabled / Disabled
Description: If this variable is set to Enabled, each vendor-specific sub-attribute is
             encoded into a separate vendor-specific attribute.

Parameter:   RoutingInstance
Values:      routing instance
Description: The access point belongs to one of the existing routing instances. There is
             always at least the default instance.

Parameter:   Tunnel Remote IP Address
Values:      IPv4 address
Description: The default router IP address or the endpoint of a GRE, IP-over-IP or L2TP
             tunnel.

Parameter:   Secondary Tunnel Address
Values:      IPv4 address
Description: The destination address of a secondary IP or L2TP tunnel. When both of the
             tunnel destination addresses are specified, under normal conditions load
             balancing is performed between the tunnels. When one of the tunnels fails the
             other tunnel is used for all traffic in the case of GRE/IPIP. PDP contexts of
             the failed tunnel are deleted for L2TP and new PDP contexts are created solely
             to the tunnel that functioned.

Parameter:   Tunnel Local IP Address
Values:      IPv4 address
Description: The local tunnel IP address for an access point.

Parameter:   Client Tunneling IP Address
Values:      IPv4 address
Description: If the access point type is GRE Tunnel or IP over IP and RADIUS authentication
             or accounting messages is configured to be tunnelled, this IP address is to be
             put into the NAS-IP-Address attribute of the RADIUS request. This parameter
             specifies the actual source address of the RADIUS messages.

Parameter:   Server switchover time
Values:      1 min to 30 min
Description: After the primary RADIUS server has failed to reply and the Flexi ISN has
             switched over to use the secondary server, the Flexi ISN will try the primary
             server again after the time defined here.

Table 2  RADIUS authentication configuration

Parameter:   Primary/Secondary Authentication Server IP Address
Values:      IPv4 address
Description: The IP address of the used RADIUS server.

Parameter:   Port Number
Values:      0 - 65535
             (default) 1812
Description: The port number of the RADIUS server.

Parameter:   Primary/Secondary Authentication Server Key
Values:      (string)
Description: The secret that is used to authenticate the RADIUS server. No special
             character ? should be used.

Parameter:   Description
Values:      (string)
Description: The description of the used RADIUS server. Optional

Parameter:   User Authentication Method
             (Routing Instance -> Config (Default) -> Flexi ISN Configuration ->
             Access Point Configuration -> Access Points)
Values and descriptions:
             Radius
               Authentication is used. The user must provide the user name and the
               password.
             Radius With MSISDN
               Authentication is used. The MSISDN is used as the user name and the word
               password as the password.
             Radius With APN
               Authentication is used. The access point name is used as the user name and
               the word password as the password.

Parameter:   Override User Name Containing APN/MSISDN
             (Routing Instance -> Config (Default) -> Flexi ISN Configuration ->
             Access Point Configuration -> Access Points)
Values and descriptions:
             Disabled
               The user name and password is used as described above in User
               Authentication Method.
             Enabled
               When the authentication method is RADIUS / L2TP PAP / L2TP CHAP with
               MSISDN / APN / IMSI, the Flexi ISN's behavior is modified as follows:
               If PAP or CHAP authentication tokens are received from the user equipment
               in the PCO IE, and the user name token is not empty, both the user name and
               the password from the corresponding tokens will be submitted for
               authentication. If the password provided by the user equipment is
               'password', the authentication will be immediately rejected.

Parameter:   IP Address Generation Method
             (Routing Instance -> Config (Default) -> Flexi ISN Configuration ->
             Access Point Configuration -> Access Points)
Values and descriptions:
             GGSN
               The dynamic IP address allocation method. The Flexi ISN uses its own
               address pool.
             DHCP
               The DHCP server allocates the IP address.
             Radius
               The RADIUS server allocates the IP address.

Parameter:   Authentication Operation
Values and descriptions:
             Simple Authentication
               The Access Request message will be sent with basic attributes only.
             IMSI SGSN
               The IMSI and SGSN IP address attributes will be included in the Access
               Request message.
             IMSI SGSN-3GPP
               Sub-attributes that comply with the 3GPP standard will be included in the
               Access Request message.

Parameter:   Dynamic Tunnels
             (Routing Instance -> Config (Default) -> Flexi ISN Configuration ->
             Access Point Configuration -> Access Points)
Values:      Enabled / Disabled
Description: When set to Enabled, the Flexi ISN accepts the tunnel definitions given by the
             RADIUS server.

Parameter:   Optional RADIUS Authentication
Values:      Enabled / Disabled
Description: When set to Enabled, the Flexi ISN ignores the cases when RADIUS
             authentication fails, that is, when the RADIUS authentication server does not
             return a response or rejects the authentication.
             Note that in some cases the authentication can fail even if this variable is
             set to Enabled. The Flexi ISN needs a response from the RADIUS authentication
             server to be able to continue if the access point is set to the RADIUS mode or
             IP Address Generation Method is set to RADIUS.

Table 3  RADIUS Accounting configuration

Parameter:   Primary/Secondary Accounting Server IP Address
Values:      IPv4 address
Description: The IP address of the used RADIUS server.

Parameter:   Port Number
Values:      0 - 65535
             (default) 1813
Description: The port number of the RADIUS server.

Parameter:   Primary/Secondary Accounting Server Key
Values:      (string)
Description: The secret that is used to authenticate the RADIUS server.

Parameter:   Description
Values:      (string)
Description: The description of the used RADIUS server. Optional

Parameter:   Third/Fourth/Fifth/Sixth/Seventh Accounting Server IP Address, Port Number,
             Accounting Server Key, Description
Values:      IPv4 address
             0 - 65535, (default) 1813
             (string)
             (string)
Description: These servers can only be used if a primary and/or a secondary accounting
             server has been configured. Messages to these RADIUS servers are sent in the
             'fire and forget' mode. The message is sent once and no reply is noticed.

Parameter:   Account Server Operation
Values and descriptions:
             WAP Gateway
               Accounting is used and the account server is actually a WAP gateway that
               uses the supplied information for special purposes. When the connection to
               the server fails, the PDP context creation is rejected.
             WAP Gateway, server optional
               Accounting is used but it is optional. The PDP context creation is accepted
               even when there is a failure in the accounting process. The WAP gateway may
               then offer a limited set of services. This option has no effect on the
               authentication process because of the parameter Optional RADIUS
               Authentication.
             IP Address Release
               Accounting is used and extra information is sent to the accounting server
               that may be used to release an allocated IP address.
             3GPP
               Sub-attributes that comply with the 3GPP standard and some Nokia
               vendor-specific attributes will be included in Accounting Request packets.
               In addition, the Acct-Input-Gigawords and Acct-Output-Gigawords attributes
               are also included.
             3GPP, server optional
               Accounting is used but it is optional. The PDP context creation is accepted
               even when there is a failure in the accounting process. Sub-attributes that
               comply with the 3GPP standard and some Nokia vendor-specific attributes
               will be included in Accounting Request packets. In addition, the
               Acct-Input-Gigawords and Acct-Output-Gigawords attributes are also included.

Parameter:   Secondary Account Server Mode
Values and descriptions:
             Backup
               A fully configured timeout sequence is tried with a primary server and then
               with a secondary server if the primary does not respond.
               If no responses are received at all from the primary Accounting server
               within a retransmission timeout, an alarm is raised for the primary server
               and then there is a switch to secondary Accounting server. At the
               particular case that the retransmission timeout is reached for primary
               Accounting server for some Radius Accounting requests (for example, due to
               capacity issues), but at the same time Flexi receives responses from the
               same server for other pending Accounting Requests, there is still a switch
               to secondary Accounting server, but no alarm is raised for the primary
               server, since there is no indication that it is inactive.
             Semi Redundancy
               Both servers are used simultaneously. A response from either one is
               considered a success. No retransmission timeouts are performed as soon as
               response is received from one server. Only in case that both servers are
               out of service alarms will be raised.
             Redundancy
               Both servers are used simultaneously but Flexi ISN treats them separately.
               A response from either one is considered a success but Flexi ISN will keep
               sending retransmissions to the other server, until it receives a response
               from that server or the retransmission timeout setting expires. Then, an
               alarm will be raised indicating that this server is out of service, but
               Flexi ISN will continue to send requests to both RADIUS servers on next PDP
               context activation. In case that both servers are out of service alarms
               will be raised too.

Parameter:   Interim Accounting
Values:      Enabled / Disabled
Description: When set to Enabled, the Flexi ISN sends an Accounting Request Interim-Update
             message to the RADIUS server when the PDP context is updated.

Parameter:   Send Interim When Container Closed
Values:      Enabled / Disabled
Description: This determines whether a RADIUS interim update message is sent when a volume
             or a time limit in the access point's charging limit profile is reached.
             RADIUS uses PDP-context-level values to measure volume and time limits. The
             default value is 'Disabled'. If this is set to Enabled, the Interim Accounting
             parameter must also be enabled.

Parameter:   RADIUS Accounting Mode
             (Routing Instance -> Config (Default) -> Flexi ISN Configuration ->
             Access Point Configuration -> Access Points)
Values:      Asynchronous / Synchronous
Description: In the asynchronous mode, the Flexi ISN sends a PDP context response to the
             SGSN before an accounting start reply has been received. This makes the PDP
             context activation faster. In the synchronous mode, the Flexi ISN waits for
             the accounting start reply to arrive before responding to the SGSN. The PDP
             context will not be activated unless the accounting reply has been received.
             This parameter affects only the accounting start message

Parameter:   Notify AP Status Change
Values and descriptions:
             ON/OFF
               Changing of the access point status from 'Active' to 'Not in service' leads
               to the sending of a 'RADIUS accounting OFF' message but no 'RADIUS
               accounting STOP' messages are sent. Changing the access point status from
               'Not in service' to 'Active' leads to the sending of a 'RADIUS accounting
               ON' message.
             ON/OFF/STOP
               The changing of the access point status from 'Active' to 'Not in service'
               leads to the sending of a 'RADIUS accounting OFF' message and any possible
               'RADIUS accounting STOP' messages. Changing the access point status from
               'Not in service' to 'Active', leads to the sending of a 'RADIUS accounting
               ON' message.
             STOP
               No 'RADIUS accounting ON or OFF' messages are sent but possible 'RADIUS
               accounting STOP' messages are sent if the access point status is changed
               from 'Active' to 'Not in service'.

Parameter:   Accounting To Authentication Server
Values:      Disabled / Enabled
Description: If this parameter is enabled and if authentication is used, accounting for the
             PDP context will be transmitted to the RADIUS server that has the same
             configuration parameters, except for the port number (fixed value 1813).

Table 4  RADIUS Disconnect configuration

Parameter:   Disconnect Server IP Address 1 / 2 / 3 / 4
Values:      IPv4 address
Description: Contains the IP address of the RADIUS server from which a disconnect message
             is accepted.

Parameter:   Disconnect Server Secret Key 1 / 2 / 3 / 4
Values:      (string)
Description: The secret that is used to authenticate the RADIUS disconnect server.

Parameter:   Disconnect Server Description 1 / 2 / 3 / 4
Values:      (string)
Description: The description of the used RADIUS disconnect server. Optional

3.3 Interface protocol
The interface between the Flexi ISN and the RADIUS server must follow the rules
defined in RFC 2865 [6] and RFC 2866 [7], including those for handling retransmissions
and request acknowledgements.

3.3.1 Message flow
Figure 1 (RADIUS message flow, basic case), Figure 2 (RADIUS message flow, change PDP context
parameters) and Figure 3 (RADIUS message flow, disconnect by RADIUS server) represent the
RADIUS message flows between a Flexi ISN and an authentication, authorization and
accounting (AAA) server.

Figure 1  RADIUS message flow, basic case

Note: A Create PDP Context message can be sent before receiving an accounting
response (for example, in the asynchronous accounting mode). The Accounting
Start message will be sent for the primary and the secondary PDP contexts.

Figure 2  RADIUS message flow, change PDP context parameters

Note: When CoA contains a Nokia-TREC-Index that results in a new QoS for the PDP
context, Flexi ISN triggers an Update PDP Context Request with the new QoS (see
Section Determining TREC through RADIUS).

Figure 3  RADIUS message flow, disconnect by RADIUS server

4 RADIUS license
Some RADIUS features require a valid license to be enabled. The following configuration
options require the RADIUS addition license:

Authentication Operation IMSI-SGSN and IMSI-SGSN-3GPP and Account Server
Operation 3GPP, and 3GPP, server optional
Without a license RADIUS authentication works in the SIMPLE Authentication Operation mode
and a Flexi ISN 4.0 configured to use 3GPP or 3GPP server optional
Account Server Operation will not use RADIUS accounting at all.
Mainly this means that all the vendor-specific and Nokia vendor-proprietary attributes require a license. The only exception is the Account Server Operation modes
WAP Gateway and WAP Gateway, server optional, which use the Nokia Siemens
Networks vendor-proprietary attributes.
Interim Accounting
Without a license Interim Accounting is disabled.
Dynamic Tunnels
Without a license Dynamic Tunnels is disabled.
RADIUS Disconnect
Without a license the Flexi ISN silently discards Disconnect Requests.
RADIUS Change-of-Authorization
Without a license the Flexi ISN silently discards Change-of-Authorization Requests.
A proper license is required to be able to choose between the encoding methods
that are available for vendor-specific attributes.
A license is required for receiving Accounting Stop messages when disabling an
access point. Also the option to receive both Accounting Stop and On/Off messages
when disabling or enabling an access point requires a license.

The following functionalities require the Network Based QoS Control license:

Handle the TREC AVP received in the CoA message
Apply the TREC AVP received in the Access-Accept message for all traffic classes
(also real-time)

5 Data elements
The attributes defined in this section comply with the same basic attribute formats given
in RFC 2865 [6] and RFC 2866 [7].

5.1 RADIUS interface data format
The RADIUS data format is the format needed for sending required information between
the Flexi ISN and the RADIUS server. Table 5 summarises the RADIUS data format.
The fields are transmitted from left to right. When a reply is generated, the source and
destination ports are reversed.

Code          Identifier    Length
Authenticator
Attributes:   Type          Length        Value

Table 5  Summary of RADIUS data format

5.1.1 Code
The code (the field in the first octet of a packet) identifies the type of the RADIUS packet.
If a packet is received with an invalid code field, it is discarded (length, 1 octet). The
codes are the following:
Code 1: Access-Request
The Access-Request code (1) is sent by the Flexi ISN to the RADIUS server. It conveys
the information used to determine whether a user is allowed to access a specific network
access server and if there are any special requests for that user. The Access-Request
code must be transmitted when wishing to authenticate a user and must contain a
User-Name attribute and either a User-Password or CHAP-Password attribute. Upon
receipt of an Access-Request from a valid client, an appropriate reply must be transmitted.
Code 2: Access-Accept
The Access-Accept code (2) is sent by the RADIUS server and provides the specific
configuration information necessary to begin the delivery service to the user. If all the
attribute values received in an Access-Request are acceptable, the RADIUS implementation
must transmit a packet with the Code field set to 2 (Access-Accept). On reception
of an Access-Accept, the Identifier field is matched with a pending Access-Request.
Additionally, the Response Authenticator field must contain the correct response for the
pending Access-Request.
Code 3: Access-Reject
The RADIUS server transmits the Access-Reject code (3) if any value for the received
attributes is not acceptable.
Code 4: Accounting-Request
The Accounting-Request code (4) is sent by the Flexi ISN to the RADIUS server and
conveys information used to provide accounting for a service. The server must transmit
an Accounting-Response reply if it successfully records the accounting packet, and
must not transmit a reply if it fails to record the accounting packet. This code must
contain either NAS-IP-Address or NAS-Identifier.
Code 5: Accounting-Response
The Accounting-Response code (5) is sent by the RADIUS server to the client to
acknowledge that the Accounting-Request has been received and recorded successfully.
There are no required attributes in this packet.
Code 11: Access-Challenge
The Access-Challenge code (11) is sent if the RADIUS server wishes to send the user
a challenge requiring a response. Flexi ISN does not support Access-Challenge
messages because there is no way for the Flexi ISN to communicate with the user.
Code 40: Disconnect-Request
For more information, see Section Disconnect-Request.
Code 41: Disconnect-ACK
For more information, see Section Disconnect-ACK.
Code 42: Disconnect-NAK
For more information, see Section Disconnect-NAK.
Code 43: Change-of-Authorization-Request
For more information, see Section CoA-Request.
Code 44: Change-of-Authorization-ACK
For more information, see Section CoA-ACK.
Code 45: Change-of-Authorization-NAK
For more information, see Section CoA-NAK.

5.1.2 Identifier
The identifier aids in matching requests and replies (length, 1 octet).

5.1.3 Length
The length indicates the length of the packet, including the Code, Identifier, Length,
Authenticator, and Attributes (length, 2 octets). The minimum length is 20 and the
maximum is 4096. The Flexi ISN silently discards packets received with an invalid
length.

5.1.4 Authenticator
The authenticator is used to authenticate the reply from the RADIUS server and to
authenticate the messages between the Flexi ISN and the RADIUS server (length, 16
octets, the most significant octet is transmitted first). There are two types of authenticators:

Request Authenticator
In Access-Request packets, the authenticator value is a 16 octet random number called
the Request Authenticator. The value should be unpredictable and unique in the lifetime
of a secret (the password shared by the client and the RADIUS server). Since it is
expected that the same secret may be used to authenticate the servers in different
geographic regions, the Request Authenticator field should display global and temporal
uniqueness (RFC 2865 [6]). In Accounting-Request packets, the authenticator value is a
16-octet MD5 checksum, called the Request Authenticator (RFC 2866 [7]). The authenticator
value in Disconnect-Request packets and the Change-of-Authorization-Request
packets is encoded the same way as the authenticator value in Accounting-Request
packets (RFC 3576 [12]).
Response Authenticator
The Authenticator field in Access-Accept, Access-Reject, and Access-Challenge
packets is called the Response Authenticator, and contains a one-way MD5 hash
calculated over a stream of octets consisting of:

the RADIUS packet, beginning with the Code field, including the Identifier, the
Length, the Request Authenticator field from the Access-Request packet
the response attributes, followed by the shared secret (RFC 2865 [6]).

The Authenticator field in an Accounting-Response packet is called the Response
Authenticator, and it contains a one-way MD5 hash calculated over a stream of octets
consisting of the Accounting-Response Code, Identifier, Length, the Request Authenticator
field from the Accounting-Request packet being replied to, and the response attributes
(if any) followed by the shared secret. The resulting 16 octets MD5 hash value is
stored in the Authenticator field of the Accounting-Response packet (RFC 2866 [7]). The
Authenticator value in Disconnect-Ack, Disconnect-Nak, Change-of-Authorization-ACK,
and Change-of-Authorization-NAK packets is encoded the same way as the
Accounting-Response packet's Authenticator value (RFC 3576 [12]).
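
The authenticator calculations described above, as an added Python example (not code from this document or from the Flexi ISN). It signs and verifies the Accounting-Request authenticator as RFC 2866 defines it (the 16 authenticator octets are zero while hashing) and the Response Authenticator. The secret, identifiers, attribute bytes and all function names are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct

HEADER_LEN = 20        # Code (1) + Identifier (1) + Length (2) + Authenticator (16)
MAX_PACKET_LEN = 4096  # maximum packet length given in section 5.1.3
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5


def md5_of(*parts):
    """MD5 over the concatenation of the given octet strings."""
    return hashlib.md5(b"".join(parts)).digest()


def new_request_authenticator():
    """Access-Request authenticator: 16 unpredictable octets from the OS CSPRNG."""
    return secrets.token_bytes(16)


def build_packet(code, identifier, authenticator, attributes=b""):
    """Assemble Code, Identifier, Length, Authenticator and Attributes in wire order."""
    length = HEADER_LEN + len(attributes)
    if len(authenticator) != 16 or length > MAX_PACKET_LEN:
        raise ValueError("authenticator must be 16 octets and packet at most 4096")
    return struct.pack("!BBH", code, identifier, length) + authenticator + attributes


def checked(packet):
    """Return the packet trimmed to its Length field, or None if the length is invalid."""
    if len(packet) < HEADER_LEN:
        return None
    (length,) = struct.unpack("!H", packet[2:4])
    if not HEADER_LEN <= length <= MAX_PACKET_LEN or length > len(packet):
        return None
    return packet[:length]


def sign_accounting_request(identifier, attributes, secret):
    """RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    unsigned = build_packet(ACCOUNTING_REQUEST, identifier, bytes(16), attributes)
    return build_packet(ACCOUNTING_REQUEST, identifier, md5_of(unsigned, secret), attributes)


def sign_response(code, identifier, request_authenticator, attributes, secret):
    """MD5(Code + Identifier + Length + Request Authenticator + attributes + secret)."""
    keyed = build_packet(code, identifier, request_authenticator, attributes)
    return build_packet(code, identifier, md5_of(keyed, secret), attributes)


def verify_request(packet, secret):
    """Receiver-side check of an Accounting-Request style Request Authenticator."""
    packet = checked(packet)
    if packet is None:
        return False
    expected = md5_of(packet[:4], bytes(16), packet[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def verify_response(packet, request, secret):
    """Client-side check: Identifier matches the pending request and the hash is correct."""
    packet = checked(packet)
    if packet is None or packet[1] != request[1]:
        return False
    expected = md5_of(packet[:4], request[4:HEADER_LEN], packet[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


# Constructed sample values (not taken from the document).
SECRET = b"constructed-shared-secret"
ACCT_START = bytes([40, 6, 0, 0, 0, 1])         # Acct-Status-Type (40) = 1, Start
SESSION_TIMEOUT = bytes([27, 6, 0, 0, 14, 16])  # Session-Timeout (27) = 3600 seconds


def demo():
    """Sign an Accounting-Request, answer it, and check a reply made without the secret."""
    acct_request = sign_accounting_request(7, ACCT_START, SECRET)
    acct_response = sign_response(ACCOUNTING_RESPONSE, 7, acct_request[4:20], b"", SECRET)
    reply_without_secret = acct_response[:4] + bytes(16)
    return {
        "request_ok": verify_request(acct_request, SECRET),
        "response_ok": verify_response(acct_response, acct_request, SECRET),
        "reply_without_secret_ok": verify_response(reply_without_secret, acct_request, SECRET),
    }


if __name__ == "__main__":
    print(demo())
```
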

5.2 Attributes
RADIUS attributes carry the specific authentication, authorisation, information, and
configuration details for the request and reply. The attribute format is shown in Table 6:

Type          Length        Value

Table 6  Attribute format

Type
The Type field is one octet. The Flexi ISN ignores attributes with an unknown type.
Length
The Length field is one octet, and it indicates the length of this attribute including the
Type, Length, and Value fields. The Flexi ISN ignores attributes with an invalid
length.
Value
The Value field is zero or more octets and contains information specific to the attribute.
The Type and Length field determine the format and length of the Value field.

Note: None of the types in RADIUS terminate with a null character (NUL, \0, hex 00). In
particular, the types 'text' and 'string' in RADIUS do not terminate with a NUL. The
Value field's length is determined by the Length field and does not use a terminator.
The format of the Value field is one of the five data types:

Text
1-253 octets containing UTF-8 encoded 10646 characters. Texts of zero length must
not be sent.
String
1-253 octets containing binary data (values 0 through 255 decimal, inclusive).
Strings of zero length must not be sent.
Address
A 32 bit value, the most significant octet first.
Integer
A 32 bit unsigned value, the most significant octet first.
Time
A 32 bit unsigned value, the most significant octet first - in seconds since 00:00:00
UTC, January 1, 1970.
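
A parser that applies the rules of sections 5.1 and 5.2, as an added Python example (not code from this document or from the Flexi ISN): packets with an invalid code or length are discarded, attributes with an unknown type or an invalid length are ignored, and Value fields are decoded by data type without any NUL terminator. The sample packet and function names are constructed; stopping at an attribute whose Length field is below 2 or overruns the packet is this example's assumption, since the parser cannot find the next attribute after it.

```python
import ipaddress
import struct
from datetime import datetime, timezone

HEADER_LEN, MAX_PACKET_LEN = 20, 4096
VALID_CODES = {1, 2, 3, 4, 5, 11, 40, 41, 42, 43, 44, 45}  # codes listed in section 5.1.1

# Type number -> (name, data type). Numbers 25-44 are those shown in Table 7;
# 4 (NAS-IP-Address) is the RFC 2865 number, which this page does not show.
DICTIONARY = {
    4: ("NAS-IP-Address", "address"),
    25: ("Class", "string"),
    27: ("Session-Timeout", "integer"),
    28: ("Idle-Timeout", "integer"),
    30: ("Called-Station-ID", "string"),
    40: ("Acct-Status-Type", "integer"),
    44: ("Acct-Session-Id", "string"),
}


def decode_value(kind, raw):
    """Decode a Value field by data type; return None if its length does not fit the type."""
    if kind in ("text", "string"):
        if not 1 <= len(raw) <= 253:
            return None                    # zero-length text/string must not be sent
        if kind == "string":
            return raw                     # binary data, kept as-is (may contain 0x00)
        try:
            return raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
    if len(raw) != 4:
        return None                        # address, integer and time are 32-bit values
    if kind == "address":
        return str(ipaddress.IPv4Address(raw))
    (number,) = struct.unpack("!I", raw)   # most significant octet first
    if kind == "time":
        return datetime.fromtimestamp(number, tz=timezone.utc)
    return number


def parse_attributes(blob):
    """Walk the Type/Length/Value triples; return (accepted, ignored) lists."""
    accepted, ignored, pos = [], [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            ignored.append((pos, "truncated attribute header"))
            break
        attr_type, attr_len = blob[pos], blob[pos + 1]
        if attr_len < 2 or pos + attr_len > len(blob):
            ignored.append((pos, f"type {attr_type}: invalid length {attr_len}"))
            break                          # cannot locate the next attribute
        raw = blob[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type not in DICTIONARY:
            ignored.append((pos - attr_len, f"type {attr_type}: unknown type"))
            continue
        name, kind = DICTIONARY[attr_type]
        value = decode_value(kind, raw)
        if value is None:
            ignored.append((pos - attr_len, f"{name}: invalid length for {kind}"))
            continue
        accepted.append((name, value))
    return accepted, ignored


def parse_packet(datagram):
    """Return the parsed packet, or None where the packet would be silently discarded."""
    if len(datagram) < HEADER_LEN:
        return None
    code, identifier, length = struct.unpack("!BBH", datagram[:4])
    if code not in VALID_CODES:
        return None
    if not HEADER_LEN <= length <= MAX_PACKET_LEN or length > len(datagram):
        return None
    accepted, ignored = parse_attributes(datagram[HEADER_LEN:length])
    return {"code": code, "identifier": identifier,
            "authenticator": datagram[4:HEADER_LEN],
            "attributes": accepted, "ignored": ignored}


def tlv(attr_type, value):
    """Encode one attribute; Length covers the Type, Length and Value fields."""
    return bytes([attr_type, len(value) + 2]) + value


def make_packet(code, attributes, identifier=1):
    """Constructed packet with an all-zero authenticator (not verified in this example)."""
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attributes)) + bytes(16) + attributes


def build_sample():
    """Constructed Accounting-Request mixing valid, unknown and malformed attributes."""
    return make_packet(4, (
        tlv(40, struct.pack("!I", 1))        # Acct-Status-Type = 1 (Start)
        + tlv(30, b"apn.example\x00x")       # embedded 0x00 is data, not a terminator
        + tlv(200, b"??")                    # unknown type: ignored
        + tlv(27, b"\x00\x00\x0e")           # Session-Timeout with 3 octets: ignored
        + tlv(4, bytes([192, 0, 2, 1]))      # NAS-IP-Address 192.0.2.1
    ))


if __name__ == "__main__":
    print(parse_packet(build_sample()))
```
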

Table 7 shows the list of attributes used by the Flexi ISN, the Type number, Length,
Value format, and a short description.

34

Id:0900d8058068b02b

DN70119375
Issue 5-3 en

RADIUS Interface, Interface Description

Data elements

Attribute name

User-Name

Type

Value
format

Definition

Sent or
received
and used

String
greater than
or equal to 1
octet(s)

Indicates the name of


the user to be authenticated.

sent,
received
and used

Note that Flexi ISN


does not always check
the user name and
password in the authentication process. The
RADIUS server is
responsible for the
handling of empty
authentication tokens.
The user name can be
the user name received
from the user equipment, the MSISDN, or
the access point name.
For more information,
see configuration
parameters User
Authentication
Method and Override
User Name
Containing
APN/MSISDN in Section
Configuration parameters

User-Password

String, 16128 octets

The password of the


user according to RFC
2865.

sent

When the User-Name


is either the MSISDN or
the APN the word password is used as UserPassword.
Chap-Password

DN70119375
Issue 5-3 en

According to
RFC 2865

Id:0900d8058068b02b

The response value


provided by a PPP
Challenge Handshake
Authentication Protocol
(CHAP) user in
response to the challenge.

sent

35

Data elements

RADIUS Interface, Interface Description

Attribute name

Type

Value
format

Definition

Sent or
received
and used

NAS-IP-Address

Address, 4
octets

The IPv4 address of the


Flexi ISN in the
RADIUS interface.

sent,
received
and used

NAS-Port

Integer 4
octets

If the PDP context was


created through one of
the multi-access (NAS)
interfaces of the Flexi
ISN, this attribute will
contain the used interface identifier. Otherwise, this attribute is not
sent.

sent

The value is the


Numeric ID defined in
the NAS configuration.
If the value is 0 (zero),
there will be no attribute
sent in the RADIUS
messages.
Service-Type

4 octets,
Possible
values
according to
RFC 2865

36

This attribute indicates sent,


the type of service the
received
user has requested, or and used
the type of service to be
provided. The attribute
has the fixed value 2
(Framed). The Flexi ISN
responds to a Disconnect- or CoA-Request
including an unsupported Service-Type
attribute with a Disconnect or CoA-NAK.

Framed-Protocol

4 octets

Indicates the framing to


be used for framed
access. The attribute
has the fixed value "7"
(GPRS PDP Context)

Framed-IP-address

Address, 4
octets

The clients IP address. sent,


May be used in Access- received
Accept packets. The
and used
IPv4 address in network
byte order.

Id:0900d8058068b02b

sent,
received

| Attribute name | Type | Value format | Definition | Sent or received and used |
|---|---|---|---|---|
| Class | 25 | String, greater than or equal to 1 octet(s) | The class is received from the Access-Accept message, and it is sent in the accounting messages. | sent, received and used |
| Vendor-Specific | 26 | According to RFC 2865 | Vendor-specific attribute(s). See Section Vendor-specific attribute encoding. | sent, received and used |
| Session-Timeout | 27 | Integer, 4 octets | A 32-bit unsigned integer with the maximum number of seconds that a user should be allowed to remain connected by the Flexi ISN. | received and used |
| Idle-Timeout | 28 | Integer, 4 octets | A 32-bit unsigned integer with the maximum number of consecutive seconds of idle time that a user should be permitted before being disconnected by the Flexi ISN. | received and used |
| Called-Station-ID | 30 | String, greater than or equal to 1 octet(s) | The access point name. Some RADIUS servers do not accept a string here. It is possible to use a numerical value instead. When a non-zero value is set in the configuration parameter Numeric Id, that value will be used. See Section Configuration parameters. | sent |
| Calling-Station-ID | 31 | String, greater than or equal to 1 octet(s) | The client's MSISDN. | sent |
| NAS-Identifier | 32 | String, greater than or equal to 1 octet(s) | Contains a string identifying the Flexi ISN. | sent, received and used |
| Proxy-State | 33 | String, greater than or equal to 1 octet(s) | This attribute is used when a proxy server is forwarding messages from a server to a client and back. If some Proxy-State attributes are received in a Disconnect- or CoA-Request, the Flexi ISN returns the attribute(s) unmodified (in same order) in the Response message. | sent, received and used |
| Acct-Status-Type | 40 | 4 octets. Possible values: 1, Start; 2, Stop; 3, Interim-Update; 7, Accounting On; 8, Accounting Off | Indicates whether an Accounting-Request marks the beginning of the user service (START) or the end (STOP). This is used by the Flexi ISN: to mark the start of accounting (for example, upon booting) when an access point becomes active, by specifying Accounting-On; to mark the end of accounting (for example, just before a scheduled reboot) when an access point becomes inactive, by specifying Accounting-Off. | sent |
| Acct-Input-Octets (1) | 42 | Integer, 4 octets | This attribute indicates the number of bytes transmitted for the user for a given service from the MS (uplink). | sent |
| Acct-Output-Octets (1) | 43 | Integer, 4 octets | This attribute indicates the number of bytes transmitted for the user for a given service towards the MS (downlink). | sent |
| Acct-Session-Id | 44 | String, 16 octets | A unique accounting ID to make it easy to match the Start and Stop records in a log file. The Start and Stop records for a given session must have the same Acct-Session-Id. The Acct-Session-Id included in accounting ON and OFF messages is not unique. | sent, received and used |
| Acct-Authentic | 45 | Integer, 4 octets | This attribute indicates how the user was authenticated. Possible values are 1 (RADIUS) and 2 (Local). | sent |
| Acct-Session-Time | 46 | Integer, 4 octets | This attribute indicates for how many seconds the user has received the service. | sent |
| Acct-Input-Packets (1) | 47 | Integer, 4 octets | This attribute indicates how many packets have been received from the port while this service has been provided. | sent |
| Acct-Output-Packets (1) | 48 | Integer, 4 octets | This attribute indicates how many packets have been sent to the port while this service has been provided. | sent |
| Acct-Terminate-Cause | 49 | Integer, 4 octets | This attribute indicates how the session was terminated. The following values are supported in the Flexi ISN: 1 (User Request) = Context termination related to SGSN or NAS; 3 (Lost Service) = Context termination related to an access point; 4 (Idle Timeout) = An idle time-out in Flexi ISN caused the context termination; 5 (Session Timeout) = A session timeout in the Flexi ISN caused the context termination; 6 (Admin Reset) = A Disconnect Request terminated the context; 10 (NAS Request) = A network-initiated context termination (default value). See Section Acct-Terminate-Cause. | sent |
| Acct-Multi-Session-Id | 50 | String, 16 octets | A backbone wide unique hexadecimal coded ASCII string. A unique accounting ID to make it easy to link together multiple related sessions. | sent, received and used |
| Acct-Link-Count (1) | 51 | Integer, 4 octets | This attribute gives the count of links which are known to have been in a given multilink session at the time the accounting record is generated. | sent |
| Acct-Input-Gigawords (1) | 52 | Integer, 4 octets | This attribute indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 while this service has been provided. | sent |
| Acct-Output-Gigawords (1) | 53 | Integer, 4 octets | This attribute indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 while this service has been provided. | sent |
| Event-Timestamp | 55 | Time, 4 octets | This attribute is included in a packet to record the time when something with or in the session occurred (for example, a deactivation), in seconds, since January 1, 1970 00:00 UTC. (RFC 2869) | sent, received and used |
| CHAP-Challenge | 60 | String, greater than or equal to 5 octets | When the challenge is 16 octets long it is placed in the Request Authenticator field and the Challenge Handshake Authentication Protocol (CHAP-Challenge) is not used. According to RFC 2865. | sent |
| NAS-Port-Type | 61 | 4 octets. Possible values: 5, virtual | This attribute indicates the type of the physical port of the Flexi ISN that is authenticating the user. Always virtual (value=5). | sent |
| Tunnel-Type | 64 | 3 octets. Possible values: 3, L2TP; 7, IP-IP; 10, GRE | The tunnel type used. According to RFC 2868. | received and used |
| Tunnel-Client-Endpoint | 66 | String or Address, greater than or equal to 1 octet(s) | This attribute indicates the address of the initiator end of the tunnel. | received and used |
| Tunnel-Server-Endpoint | 67 | String or Address, greater than or equal to 1 octet(s) | This attribute indicates the address of the server end of the tunnel. | received and used |
| Tunnel-Password | 69 | According to RFC 2868 | Contains a password to be used to authenticate to a remote server. | received and used |
| Tunnel-Assignment-ID | 82 | String, greater than or equal to 1 octet(s) | This attribute indicates to the tunnel initiator the particular tunnel to which a session is to be assigned. | received and used |
| Tunnel-Preference | 83 | 3 octets according to RFC 2868 | This attribute indicates the relative preference assigned to each tunnel. | received and used |
| Tunnel-Client-Auth-ID | 90 | Text, greater than or equal to 1 octet(s) | This attribute specifies the name used by the tunnel initiator during the authentication phase of tunnel establishment. | received and used |
| Error-Cause | 101 | 4 octets. Possible values: 404, Invalid Request | The Value field is four octets, containing an integer specifying the cause of the error (RFC 3576 [12]). | sent |
| Primary-DNS-Server (vendor-proprietary) | 135 | Address, 4 octets | The IPv4 address of the primary DNS server. | received and used |
| Secondary-DNS-Server (vendor-proprietary) | 136 | Address, 4 octets | The IPv4 address of the secondary DNS server. | received and used |
| IMSI (vendor-proprietary) | 224 | String, 8 octets | This attribute contains the IMSI of the mobile station. Its format is a binary coded decimal with extra four bits set to 1 for an odd number of digits (for example, 123 equals hexadecimal bytes 21 F3). | sent |
| Charging-Id (vendor-proprietary) | 225 | Integer, 4 octets | This attribute together with the GGSN-IP-Address forms a unique ID for GPRS charging. | sent |
| Prepaid-Ind (vendor-proprietary) | 226 | Integer, 4 octets | This attribute indicates prepaid service containing the Charging Characteristics field as described in 3GPP specification 32.015. hot billing = 1; flat rate = 2; prepaid = 4; normal = 8 | sent |
| GGSN-IP-Address (vendor-proprietary) | 227 | Address, 4 octets | The GGSN IP address on the GPRS backbone. The IPv4 address. | sent |
| SGSN-IP-Address (vendor-proprietary) | 228 | Address, 4 octets | The SGSN IP address on the GPRS backbone. The IPv4 address. | sent |

Table 7 Attributes used by Flexi ISN

1) This attribute is not included in messages sent in the 'fire and forget' mode. In this
mode the message is sent once and no reply is noticed.
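
The IMSI (type 224) row of Table 7 describes a binary coded decimal value with a filler nibble for an odd digit count. The Python below is an added example, not Nokia Siemens Networks code: it encodes and strictly decodes that value and wraps it in the attribute header. The function names and the sample IMSI 001010123456789 are constructed for illustration, and the digit order inside an octet is inferred from the table's single worked case (123 gives 21 F3).

```python
"""Added example: Nokia vendor-proprietary IMSI attribute (RADIUS type 224)."""

IMSI_ATTR_TYPE = 224  # attribute type from Table 7
FILLER = 0xF          # "extra four bits set to 1" for an odd number of digits
MAX_DIGITS = 15       # assumption: at most 15 digits, which fits the 8-octet value


def encode_imsi(digits):
    """Pack digits two per octet: first digit in the low nibble, second in the high."""
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError("IMSI must contain decimal digits only")
    if not 1 <= len(digits) <= MAX_DIGITS:
        raise ValueError("IMSI must be 1..15 digits long")
    nibbles = [int(d) for d in digits]
    if len(nibbles) % 2:
        nibbles.append(FILLER)  # odd digit count: pad the last high nibble
    return bytes((hi << 4) | lo for lo, hi in zip(nibbles[0::2], nibbles[1::2]))


def decode_imsi(value):
    """Reverse encode_imsi; reject any nibble that is not a digit or the final filler."""
    if not 1 <= len(value) <= 8:
        raise ValueError("IMSI value must be 1..8 octets")
    digits = []
    last = len(value) - 1
    for index, octet in enumerate(value):
        lo, hi = octet & 0x0F, octet >> 4
        if lo > 9:
            raise ValueError("non-decimal low nibble in octet %d" % index)
        digits.append(str(lo))
        if hi == FILLER and index == last:
            break  # filler is only legal in the high nibble of the last octet
        if hi > 9:
            raise ValueError("non-decimal high nibble in octet %d" % index)
        digits.append(str(hi))
    return "".join(digits)


def build_imsi_attribute(digits):
    """Return the complete attribute: type octet, length octet, packed value."""
    value = encode_imsi(digits)
    return bytes([IMSI_ATTR_TYPE, 2 + len(value)]) + value


def parse_imsi_attribute(attr):
    """Validate the attribute header before touching the value."""
    if len(attr) < 3 or attr[0] != IMSI_ATTR_TYPE:
        raise ValueError("not an IMSI attribute")
    if attr[1] != len(attr):
        raise ValueError("length octet does not match the attribute size")
    return decode_imsi(attr[2:])


if __name__ == "__main__":
    print(encode_imsi("123").hex())                      # the table's own example
    print(build_imsi_attribute("001010123456789").hex())  # constructed sample IMSI
```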


Vendor-proprietary attributes implemented in Flexi ISN

Nokia vendor-proprietary RADIUS attributes (224 - 228)


Cisco vendor-proprietary RADIUS attributes (135 and 136)

For more information, see Table 7.

5.2.1 Vendor-specific attribute encoding

The vendor-specific attribute (type 26) is available to allow vendors to support their own extended attributes. RFC 2865 [6] does not define how the string field of the vendor-specific attribute should be encoded. By default, the Flexi ISN encodes the vendor-specific attributes as advised in the last paragraph of section 5.26 of RFC 2865, encoding multiple sub-attributes with the same vendor-id within a single vendor-specific attribute. The encoding looks like the following:
1 octet       Type = 26 (Vendor-Specific)
1 octet       Length = 6 + (a + 2) + (b + 2) + n
4 octets      Vendor-Id: 94 (Nokia), 311 (Microsoft), 10415 (3GPP), 28458 (Nokia-Siemens-Networks)
1 octet       Vendor-Type
1 octet       Vendor-Length = a + 2
a octet(s)    Vendor-Value
1 octet       Vendor-Type
1 octet       Vendor-Length = b + 2
b octet(s)    Vendor-Value
n octets      Vendor-Type up to Vendor-Length

Some RADIUS servers may require configuration or patching before being able to support this encoding. It is, however, configurable in the Flexi ISN how the sub-attributes are encoded. The configuration parameter Encode Vendor-Specific Attributes Separately is described in Section Configuration parameters. When this option is chosen, each vendor-specific sub-attribute is encoded into a separate vendor-specific attribute. The encoding looks like the following:
1 octet       Type = 26 (Vendor-Specific)
1 octet       Length = 8 + n
4 octets      Vendor-Id: 94 (Nokia), 311 (Microsoft), 10415 (3GPP), 28458 (Nokia-Siemens-Networks)
1 octet       Vendor-Type
1 octet       Vendor-Length = n + 2
n octet(s)    Vendor-Value
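
The following Python is an added example, not Flexi ISN code: it builds both layouts shown above and parses either one with a bounds check on every length octet, which is where a receiving server is most exposed to malformed input. Function names and sample values are illustrative; vendor id 94 with sub-attribute types 3 and 4 corresponds to the Nokia-Service-Name and Nokia-Service-ID entries (26/94/3 and 26/94/4) listed in this document.

```python
"""Added example: the two vendor-specific attribute layouts of section 5.2.1."""
import struct

VENDOR_SPECIFIC = 26


def encode_packed(vendor_id, subattrs):
    """Default layout: all sub-attributes of one vendor inside a single attribute."""
    body = b""
    for vendor_type, value in subattrs:
        if not 0 <= vendor_type <= 255 or len(value) > 253:
            raise ValueError("sub-attribute does not fit its one-octet fields")
        body += bytes([vendor_type, len(value) + 2]) + value
    length = 6 + len(body)  # Type + Length + Vendor-Id, then the sub-attributes
    if length > 255:
        raise ValueError("attribute exceeds 255 octets; encode separately instead")
    return bytes([VENDOR_SPECIFIC, length]) + struct.pack("!I", vendor_id) + body


def encode_separate(vendor_id, subattrs):
    """Alternative layout: one vendor-specific attribute (Length = 8 + n) per sub-attribute."""
    return b"".join(encode_packed(vendor_id, [sub]) for sub in subattrs)


def _parse_vsa_body(body):
    """Split the payload of one type-26 attribute into (vendor_id, type, value) tuples."""
    if len(body) < 6:
        raise ValueError("vendor-specific attribute too short")
    (vendor_id,) = struct.unpack("!I", body[:4])
    found, pos = [], 4
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated sub-attribute header")
        vendor_type, vendor_len = body[pos], body[pos + 1]
        if vendor_len < 2 or pos + vendor_len > len(body):
            raise ValueError("Vendor-Length out of bounds")
        found.append((vendor_id, vendor_type, body[pos + 2:pos + vendor_len]))
        pos += vendor_len
    return found


def parse_vsas(data):
    """Walk an attribute list and return every vendor sub-attribute in order.

    Accepts the packed and the separate layout, so both yield the same result.
    """
    found, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("attribute Length out of bounds")
        if attr_type == VENDOR_SPECIFIC:
            found.extend(_parse_vsa_body(data[pos + 2:pos + attr_len]))
        pos += attr_len
    return found


# Constructed sample: Nokia-Service-Name "wap" and Nokia-Service-ID 7.
SAMPLE = [(3, b"wap"), (4, struct.pack("!I", 7))]

if __name__ == "__main__":
    print(encode_packed(94, SAMPLE).hex())
    print(encode_separate(94, SAMPLE).hex())
    print(parse_vsas(encode_separate(94, SAMPLE)))
```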

Vendor-specific attributes implemented in Flexi ISN

Nokia vendor-specific attributes (value=94)


| Attribute name | Type | Value format | Definition | Sent or received and used |
|---|---|---|---|---|
| Nokia-UserProfile | 2 | String, greater than or equal to 1 octet(s) | A list of services separated by a space character. Includes one primary service flag (*) and can include an OCS prepaid flag ($). | received and used |
| Nokia-Service-Name | 3 | String, greater than or equal to 1 octet(s) | The name of the service. | received and used |
| Nokia-Service-ID | 4 | Integer, 1-4 octets | The identification number of the service. | received and used |
| Nokia-Service-Username | 5 | String, greater than or equal to 1 octet(s) | The user name. | received and used |
| Nokia-Service-Password | 6 | String, greater than or equal to 1 octet(s) | The password. | received and used |
| Nokia-Service-Primary-Indicator | 7 | 0 octets | The Value field should be empty and is ignored. The Tag field shows the primary service. | received and used |
| Nokia-Service-Charging-Type | 8 | Integer, 2 octets | The first octet contains the wallet identification number. The second octet defines the wallet charging type. | received and used |
| Nokia-Service-Encrypted-Password | 9 | String as defined in Section User profile fetching. | This attribute contains an encrypted password for the service. | received and used |
| Nokia-Session-Access-Method | 10 | 1 octet as defined in Section Nokia vendor-specific attribute Nokia-Session-Access-Method. | This attribute defines the access method for the user session. | sent |
| Nokia-Session-Charging-Type | 11 | 1 octet as defined in Section Charging profile fetching through RADIUS. | This attribute defines the charging type for the user session. | sent, received and used |
| Nokia-OCS-ID1 | 12 | Integer, 2 octets | The identification number of the OCS server that should be used in the first place. | received and used |
| Nokia-OCS-ID2 | 13 | Integer, 2 octets | The identification number of the OCS server that should be used in the second place. | received and used |
| Nokia-TREC-Index | 14 | Integer, 1 octet | This attribute defines the TREC for the PDP context. | received and used |
| Nokia-RequestedAPN | 15 | String, greater than or equal to 1 octet(s) | The name of the access point to which the mobile station requested connection. | sent |

Microsoft vendor-specific attributes (value=311)

| Attribute name | Type | Value format | Definition | Sent or received and used |
|---|---|---|---|---|
| MS-Primary-DNS-Server | 28 | Address, 4 octets | The IPv4 address of the primary DNS server. | received and used |
| MS-Secondary-DNS-Server | 29 | Address, 4 octets | The IPv4 address of the secondary DNS server. | received and used |

3GPP vendor-specific attributes (value=10415). These require a license.


| Attribute name | Type | Value format | Definition | Sent or received and used |
|---|---|---|---|---|
| 3GPP-IMSI | 1 | Text, 1-15 octets | The IMSI for this user. | sent |
| 3GPP-Charging-Id | 2 | Integer, 4 octets | The charging ID for this PDP context. The Flexi ISN generates this 3GPP charging ID for both virtual and normal PDP contexts with one exception. If the Flexi ISN acts as a NAS server and the charging ID selection is set to NAS Client, the charging ID will be the NAS client's charging ID and not the Flexi ISN's 3GPP charging ID. | sent |
| 3GPP-PDP-Type | 3 | 4 octets. Possible values: 0, IPv4 | The type of PDP context. | sent |
| 3GPP-Charging-Gateway-Address | 4 | Address, 4 octets | The charging gateway IP address defined in the Flexi ISN configuration. | sent |
| 3GPP-GPRS-Negotiated-QoS-Profile | 5 | Text, 11, 27, or 33 octets | The QoS profile applied by the Flexi ISN. <Release indicator> <release specific QoS IE UTF-8 encoding>. Flexi ISN 3.0 now supports also Release 5 extended QoS profiles (release indicator is 05), which consist of 33 octets. | sent |
| 3GPP-SGSN-Address | 6 | Address, 4 octets | The SGSN IP address that is used by the GTP control plane for the handling of control messages. It may be used to identify the PLMN to which the user is attached. | sent |
| 3GPP-GGSN-Address | 7 | Address, 4 octets | Usually the Flexi ISN's IP address. The only exception is when the Flexi ISN acts as a NAS server and the charging ID selection is set to NAS Client; then the GGSN IP address will be the NAS client's GGSN IP address. | sent |
| 3GPP-IMSI-MCC-MNC | 8 | Text, 5 or 6 octets | The MCC-MNC pair (RAI) of a user's IMSI. This value is compared to the active insertions in the Home PLMN ID Configuration table and in the Inbound Roaming Access Table. If a match is found in either of those, then the corresponding VSA is sent to the RADIUS server. | sent |
| 3GPP-GGSN-MCC-MNC | 9 | Text, 5 or 6 octets | The MCC-MNC of the network the Flexi ISN belongs to. The used MCC-MNC will be marked in the Home PLMN ID table. | sent |
| 3GPP-NSAPI | 10 | 1 octet | Identifies a particular PDP context. | sent |
| 3GPP-Session-Stop-Indicator | 11 | 1 octet, fixed value FF (Hex) | Indicates that the last PDP context of a session is released and that the PDP session has been terminated. The fixed value is FF (Hex). | sent |
| 3GPP-Selection-Mode | 12 | Text, 1 octet | Contains the selection mode for this PDP context received in the Create PDP Context Request message. | sent |
| 3GPP-Charging-Characteristics | 13 | Text, 4 octets | This attribute contains the charging characteristics for this PDP context received in the Create PDP Context Request Message (only available in 3GPP R99 and later releases). Note: If the charging type flags are not set from the HLR, then the Flexi ISN sets the post-paid flag. | sent |
| 3GPP-SGSN-MCC-MNC | 18 | Text, 5 or 6 octets | The MCC and MNC extracted from the RAI within the Create PDP Context Request or Update PDP Context Request message. | sent |
| 3GPP-IMEISV | 20 | Text, 16 octets | This attribute contains the international mobile equipment identity (IMEI) and its software version received from the SGSN. | sent |
| 3GPP-RAT-Type | 21 | 1 octet. Possible values: 1, UTRAN; 2, GERAN; 3, WLAN*; 4-255 <spare> | This attribute indicates which radio access technology (RAT) is currently serving the user equipment. The RAT is received from the SGSN. Note that the Flexi ISN uses the following values for: 253 = NokiaWLAN *; 254 = NAS; 255 = Unspecified SGSN. This is effective until the 3GPP specification defines new values for the spare numbers. * The selection between WLAN and NokiaWLAN depends on how the GGSN receives the RAT information over GTP-C. If the RAT Type information element is received, WLAN is sent. If Private Extension information element is received, NokiaWLAN is sent. | sent |
| 3GPP-User-Location-Info | 22 | 1-m octets, m depends on the Geographic Location Type | This attribute contains information about the user's geographical location. The value of this attribute is copied without changes from the GTP information element User Location Information that is received from the SGSN. The Geographic Location Type is defined in 3GPP specification 29.060 [2]. | sent |
| 3GPP-MS-TimeZone | 23 | 2 octets | Indicates the time zone that the user is currently located in. The value of this attribute is copied without changes from the GTP information element MS Time Zone that is received from SGSN. MS Time Zone is defined in 3GPP specification 29.060 [2]. | sent |

Nokia Siemens Networks vendor-specific attributes (value=28458).

| Attribute name | Type | Value format | Definition | Sent or received and used |
|---|---|---|---|---|
| NSN-Tunnel-User-Auth-Method | 1 | Integer, 3 octets | This attribute defines the user authentication method used with dynamic tunnels. The attribute contains a tag which is used to group attributes referring to the same tunnel. Possible values are: L2TP PAP = 1; L2TP PAP with MSISDN = 2; L2TP PAP with APN = 3; L2TP PAP with IMSI = 4; L2TP CHAP = 5; L2TP CHAP with MSISDN = 6; L2TP CHAP with APN = 7; L2TP CHAP with IMSI = 8; L2TP Proxy Authentication = 9 | received and used |
| NSN-Tunnel-Override-Username | 2 | Integer, 1 octet | This attribute changes the user authentication in dynamic tunnels when credentials are received from the terminal. When this attribute is set to enabled (1) the credentials from the terminal will override the ones previously used. The authentication fails if the received password is "password". The attribute contains a tag which is used to group attributes referring to the same tunnel. Possible values are: Enabled = 1; Disabled = other values | received and used |

5.2.2 Attributes sent and received by Flexi ISN

Attributes delivered with the messages depend on the value of the configuration parameters Authentication Operation and Account Server Operation. The undefined attributes received with the messages are discarded. The following tables contain the attributes sent and received by the Flexi ISN grouped by the type of the message and based on different parameter values:

5.2.2.1 Access Request

ID

Attribute name

Simple authentication

IMSI SGSN

IMSI SGSN3GPP

User-Name

Yes

Yes

Yes

User-Password (1)

Yes

Yes

Yes

CHAP-Password (2) Yes

Yes

Yes

NAS-IP-Address

Yes

Yes

Yes

NAS-Port

Yes

Yes

Yes

Service-Type

Yes

Yes

Yes

Framed-Protocol

Yes

Yes

Yes

30

Called-Station-Id

Yes

Yes

Yes

31

Calling-Station-Id

Yes

Yes

Yes

32

NAS-Identifier

Yes

Yes

Yes

44

Acct-Session-Id

Yes

Yes

Yes

50

Acct-Multisession-Id

Yes

Yes

Yes

60

CHAP-Challenge (2) Yes

Yes

Yes

61

NAS-Port-Type

Yes

Yes

224

IMSI

Yes

228

SGSN-IP-Address

Yes

26/94/15

Nokia-RequestedAPN

Yes

26/10415/1

3GPP-IMSI

Yes

26/10415/2

3GPP-Charging-Id

Yes

26/10415/3

3GPP-PDP Type

Yes

26/10415/4

3GPP-ChargingGateway-Address

Yes

26/10415/5

3GPP-GPRS-Negotiated-QoS-Profile

Yes

26/10415/6

3GPP-SGSNAddress

Yes

26/10415/7

3GPP-GGSNAddress

Yes

26/10415/8

3GPP-IMSI-MCCMNC

Yes

26/10415/9

3GPP-GGSN- MCCMNC

Yes

26/10415/10

3GPP-NSAPI

Yes

Yes

26/10415/12

3GPP-Selection-Mode

Yes

26/10415/13

3GPP-Charging-Characteristics

Yes

26/10415/18

3GPP-SGSN-MCC-MNC (3)

Yes

26/10415/20

3GPP-IMEISV (4)

Yes

26/10415/21

3GPP-RAT-Type

Yes

26/10415/22

3GPP-User-Location-Info (4)

Yes

26/10415/23

3GPP-MS-TimeZone (4)

Yes

1. The User-Password is not sent when using CHAP as the authentication type.
2. Sent only when using CHAP as the authentication type.
3. Sent only if the PDP context request contained the RAI.
4. Sent only if received from the SGSN.

5.2.2.2 Access Accept

| ID | Attribute name |
|---|---|
| | Framed-IP-Address |
| 25 | Class |
| 27 | Session-Timeout |
| 28 | Idle-Timeout |
| 64 | Tunnel-Type |
| 66 | Tunnel-Client-Endpoint |
| 67 | Tunnel-Server-Endpoint |
| 69 | Tunnel-Password |
| 82 | Tunnel-Assignment-Id |
| 83 | Tunnel-Preference |
| 90 | Tunnel-Client-Auth-Id |
| 135 | Primary-DNS-Server |
| 136 | Secondary-DNS-Server |
| 26/94/2 | Nokia-UserProfile |
| 26/94/3 | Nokia-Service-Name |
| 26/94/4 | Nokia-Service-ID |
| 26/94/5 | Nokia-Service-Username |
| 26/94/6 | Nokia-Service-Password |
| 26/94/7 | Nokia-Service-Primary-Indicator |
| 26/94/8 | Nokia-Service-Charging-Type |
| 26/94/9 | Nokia-Service-Encrypted-Password |
| 26/94/11 | Nokia-Session-Charging-Type |
| 26/94/12 | Nokia-OCS-ID1 |
| 26/94/13 | Nokia-OCS-ID2 |
| 26/94/14 | Nokia-TREC-Index (1) |
| 26/311/28 | MS-Primary-DNS-Server |
| 26/311/29 | MS-Secondary-DNS-Server |
| 26/28458/1 | NSN-Tunnel-User-Auth-Method |
| 26/28458/2 | NSN-Tunnel-Override-Username |

1. The particular application of this AVP depends on the Network Based QoS Control license. Without this license this AVP applies only for non real-time traffic classes (since it replaces the default TREC id configured in the Flexi ISN Access Point). With this license it applies for all traffic classes.

5.2.2.3 Accounting Request Start

ID

Attribute name

WAP GW and WAP GW, server optional

IP address release

3GPP and 3GPP, server optional

User-Name (1)

Yes

Yes

Yes

NAS-IP-Address

Yes

Yes

Yes

NAS-Port

Yes

Yes

Yes

Service-Type

Yes

Yes

Yes

Framed Protocol

Yes

Yes

Yes

Framed-IP-Address

Yes

Yes

Yes

25

Class

Yes

Yes

Yes

30

Called-Station-Id

Yes

Yes

Yes

31

Calling-Station-Id

Yes

Yes

Yes

32

NAS-Identifier

Yes

Yes

Yes

40

Acct-Status-Type

Yes

Yes

Yes

44

Acct-Session-Id

Yes

Yes

Yes

45

Acct-Authentic

Yes

Yes

Yes

50

Acct-Multisession-Id Yes

Yes

Yes

51

Acct-Link-Count

Yes

Yes

Yes

Yes

61

NAS-Port-Type

Yes

Yes

224

IMSI

Yes

225

Charging-ID

Yes

226

Prepaid-Ind

Yes

227

GGSN-IP-Address

Yes

228

SGSN-IP-Address

Yes

26/94/10

Nokia-SessionAccess-Method

Yes

26/94/11

Nokia-SessionCharging-Type

Yes

26/94/15

Nokia-RequestedAPN

Yes

Yes

26/10415/1

3GPP-IMSI

Yes

26/10415/2

3GPP-Charging-Id

Yes

26/10415/3

3GPP-PDP-Type

Yes

26/10415/4

3GPP-Charging-Gateway-Address

Yes

26/10415/5

3GPP-GPRS-Negotiated-QoS-Profile

Yes

26/10415/6

3GPP-SGSN-Address

Yes

26/10415/7

3GPP-GGSN-Address

Yes

26/10415/8

3GPP-IMSI-MCC-MNC

Yes

26/10415/9

3GPP-GGSN-MCC-MNC (2)

Yes

26/10415/10

3GPP-NSAPI

Yes

26/10415/12

3GPP-Selection-Mode

Yes

26/10415/13

3GPP-Charging-Characteristics

Yes

26/10415/18

3GPP-SGSN-MCC-MNC

Yes

26/10415/20

3GPP-IMEISV (3)

Yes

26/10415/21

3GPP-RAT-Type

Yes

26/10415/22

3GPP-User-Location-Info (3)

Yes

26/10415/23

3GPP-MS-TimeZone (3)

Yes

1. Not sent if the username is empty.
2. Sent only if the PDP context request contained the RAI.
3. Sent only if received from the SGSN.

5.2.2.4 Accounting Request Interim-Update

ID

Attribute name

WAP GW and WAP GW, server optional

IP address release

3GPP and 3GPP, server optional

User-Name (1)

Yes

Yes

Yes

NAS-IP-Address

Yes

Yes

Yes

NAS-Port

Yes

Yes

Yes

Service-Type

Yes

Yes

Yes

Framed Protocol

Yes

Yes

Yes

Framed-IP-Address

Yes

Yes

Yes

25

Class

Yes

Yes

Yes

30

Called-Station-Id

Yes

Yes

Yes

31

Calling-Station-Id

Yes

Yes

Yes

32

NAS-Identifier

Yes

Yes

Yes

40

Acct-Status-Type

Yes

Yes

Yes

42

Acct-Input-Octets

Yes

Yes

43

Acct-Output-Octets

Yes

Yes

44

Acct-Session-Id

Yes

Yes

Yes

45

Acct-Authentic

Yes

Yes

Yes

46

Acct-Session-Time

Yes

Yes

47

Acct-Input-Packets

Yes

Yes

48

Acct-OutputPackets

Yes

Yes


50

Acct-Multisession-Id

Yes

Yes

Yes

51

Acct-Link-Count

Yes

Yes

Yes

52

Acct-Input-Gigawords

Yes

53

Acct-Output-Gigawords

Yes

55

Event-Timestamp

Yes

Yes

Yes

61

NAS-Port-Type

Yes

Yes

Yes

224

IMSI

Yes

225

Charging-ID

Yes

226

Prepaid-Ind

Yes

227

GGSN-IP-Address

Yes

228

SGSN-IP-Address

Yes

26/94/10

Nokia-SessionAccess-Method

Yes

26/94/11

Nokia-SessionCharging-Type

Yes

26/94/15

Nokia-RequestedAPN

Yes

26/10415/1

3GPP-IMSI

Yes

26/10415/2

3GPP-Charging-Id

Yes

26/10415/3

3GPP-PDP Type

Yes

26/10415/4

3GPP-ChargingGateway-Address

Yes

26/10415/5

3GPP-GPRS-Negotiated-QoS-Profile

Yes

26/10415/6

3GPP-SGSNAddress

Yes

26/10415/7

3GPP-GGSNAddress

Yes

26/10415/8

3GPP-IMSI-MCCMNC

Yes

26/10415/9

3GPP-GGSN- MCCMNC

Yes

Yes

26/10415/10 3GPP-NSAPI

Yes

26/10415/12 3GPP- SelectionMode

Yes


26/10415/13 3GPP-ChargingCharacteristics

Yes

26/10415/18 3GPP-SGSN-MCCMNC (2)

Yes

26/10415/21 3GPP-RAT-Type

Yes

26/10415/22 3GPP-UserLocation-Info (3)

Yes

26/10415/23 3GPP-MSTimeZone (3)

Yes

1. Not sent if the username is empty.


2. Sent only if the PDP context request contained the RAI.
3. Sent only if received from the SGSN.

5.2.2.5 Accounting Request Stop

ID

Attribute name

WAP GW and WAP GW, server optional

IP address release

3GPP and 3GPP, server optional

User-Name (1)

Yes

Yes

Yes

NAS-IP-Address

Yes

Yes

Yes

NAS-Port

Yes

Yes

Yes

Service-Type

Yes

Yes

Yes

Framed Protocol

Yes

Yes

Yes

Framed-IP-Address

Yes

Yes

Yes

25

Class

Yes

Yes

Yes

30

Called-Station-Id

Yes

Yes

Yes

31

Calling-Station-Id

Yes

Yes

Yes

32

NAS-Identifier

Yes

Yes

Yes

40

Acct-Status-Type

Yes

Yes

Yes

42

Acct-Input-Octets

Yes

Yes

43

Acct-Output-Octets

Yes

Yes

44

Acct-Session-Id

Yes

Yes

Yes

45

Acct-Authentic

Yes

Yes

Yes

46

Acct-Session-Time

Yes

Yes

47

Acct-Input-Packets

Yes

Yes


48

Acct-OutputPackets

Yes

49

Acct-TerminateCause

Yes

Yes

Yes

50

Acct-Multisession-Id

Yes

Yes

Yes

51

Acct-Link-Count

Yes

Yes

Yes

52

Acct-Input-Gigawords

Yes

53

Acct-Output-Gigawords

Yes

61

NAS-Port-Type

Yes

224

IMSI

Yes

225

Charging-ID

Yes

226

Prepaid-Ind

Yes

227

GGSN-IP-Address

Yes

228

SGSN-IP-Address

Yes

26/94/15

Nokia-RequestedAPN

Yes

26/10415/1

3GPP-IMSI

Yes

26/10415/2

3GPP-Charging-Id

Yes

26/10415/3

3GPP-PDP-Type

Yes

26/10415/4

3GPP-Charging-Gateway-Address

Yes

26/10415/5

3GPP-GPRS-Negotiated-QoS-Profile

Yes

26/10415/6

3GPP-SGSN-Address

Yes

26/10415/7

3GPP-GGSN-Address

Yes

26/10415/8

3GPP-IMSI-MCC-MNC

Yes

26/10415/9

3GPP-GGSN-MCC-MNC

Yes

Yes

Yes

Yes

Yes

26/10415/10

3GPP-NSAPI

Yes

26/10415/11

3GPP-Session-Stop-Indicator (4)

Yes

26/10415/12*

3GPP-Selection-Mode

Yes

26/10415/13

3GPP-Charging-Characteristics

Yes

26/10415/18

3GPP-SGSN-MCC-MNC (2)

Yes

26/10415/21

3GPP-RAT-Type

Yes

26/10415/22

3GPP-User-Location-Info (3)

Yes

26/10415/23

3GPP-MS-TimeZone (3)

Yes

1. Not sent if the username is empty.
2. Sent only if the PDP context request contained the RAI.
3. Sent only if received from the SGSN.
4. Sent only for the last context of the PDP session.

5.2.2.6 Accounting Request On/Off

| ID | Attribute name | WAP GW and WAP GW, server optional | IP address release | 3GPP and 3GPP, server optional |
|---|---|---|---|---|
| | NAS-IP-Address | Yes | Yes | Yes |
| 30 | Called-Station-Id | Yes | Yes | Yes |
| 32 | NAS-Identifier | Yes | Yes | Yes |
| 40 | Acct-Status-Type | Yes | Yes | Yes |
| 44 | Acct-Session-Id | Yes | Yes | Yes |
| 61 | NAS-Port-Type | Yes | Yes | Yes |

5.2.2.7 Disconnect Request

| ID | Attribute name |
|---|---|
| 1 | User-Name |
| | NAS-IP-Address |
| | Service-Type |
| 32 | NAS-Identifier |
| 33 | Proxy-State |
| 44 | Acct-Session-Id * |
| 50 | Acct-Multisession-Id * |
| 55 | Event-Timestamp |

* : The request must contain at least one of these attributes.

5.2.2.8 Disconnect ACK

| ID | Attribute name |
|---|---|
| 33 | Proxy-State (1) |
| 49 | Acct-Terminate-Cause |
| 55 | Event-Timestamp |

5.2.2.9 Disconnect NAK

| ID | Attribute name |
|---|---|
| 33 | Proxy-State (1) |
| 55 | Event-Timestamp |

1. Sent only if the request contained the Proxy-State attribute.

5.2.2.10 Change of Authorisation (CoA) Request

| ID | Attribute name |
|---|---|
| | User-Name |
| | NAS-IP-Address |
| | Service-Type |
| 32 | NAS-Identifier |
| 33 | Proxy-State |
| 44 | Acct-Session-Id * |
| 50 | Acct-Multisession-Id * |
| 55 | Event-Timestamp |
| 26/94/3 | Nokia-Service-Name |
| 26/94/4 | Nokia-Service-ID |
| 26/94/5 | Nokia-Service-Username |
| 26/94/6 | Nokia-Service-Password |
| 26/94/7 | Nokia-Service-Primary-Indicator |
| 26/94/8 | Nokia-Service-Charging-Type |
| 26/94/9 | Nokia-Service-Encrypted-Password |
| 26/94/14 | Nokia-TREC-Index ** |

* : The request must contain at least one of these attributes.
** : This AVP requires Acct-Session-Id to be present in CoA. Otherwise Nokia-TREC-Index is ignored by Flexi ISN.

5.2.2.11 Change of Authorisation (CoA) ACK

| ID | Attribute name |
|---|---|
| 33 | Proxy-State (1) |
| 55 | Event-Timestamp |

1. Sent only if the request contained the Proxy-State attribute(s).

5.2.2.12

Change of Authorisation (CoA) NAK


ID

Attribute name

33

Proxy-State (1)

55

Event-Timestamp

101

Error-Cause

Sent only if the request contained the Proxy-State attribute.


6 Additional features
Flexi ISN supports a few features not specified in the basic RADIUS documents RFC
2865 [6] and RFC 2866 [7]. This section provides a list of those features and information
about attributes related to the features.

6.1

Support for DNS servers provided by the RADIUS server


DNS attributes defined in RFC 2548
RFC 2548 [5] defines two vendor-specific sub-attributes, which can be used to define
the DNS server:

MS-Primary-DNS-Server. This sub-attribute is used to indicate the address of the primary DNS server to be used by the MS. It may be included in the Access-Accept packets.
MS-Secondary-DNS-Server. This sub-attribute is used to indicate the address of the secondary DNS server to be used by the MS. It may be included in the Access-Accept packets.

Note: The DNS server address may also be received via other sources (for example, PPP).

The specific attribute format is:

Field Name | Length | Value
Type | 1 octet | 26 (Vendor-Specific)
Length | 1 octet | 12
Vendor-Id | 4 octets | 311 (Microsoft)
Vendor-Type | 1 octet | 28 (MS-Primary-DNS-Server), 29 (MS-Secondary-DNS-Server)
Vendor-Length | 1 octet |
IPv4-Address | 4 octets | IP address of the primary/secondary DNS server

The 3GPP standard TS 29.061 [3] requires that the DNS server addresses are specified
according to RFC 2548 [5].
Other vendor-specific DNS address definitions
RADIUS servers also use their own vendor-specific DNS attributes. Thus, even if the
Flexi ISN supports the attributes described in the previous section, the RADIUS server
may use its own vendor-specific DNS attributes. At least Ascend and Cisco have defined
their own vendor-specific DNS attributes. The main difference between Cisco's and
Microsoft's approach is that Cisco uses non-standardised attribute identifiers instead of
using the recommended Vendor-Specific attribute [1]. The Flexi ISN supports
Cisco's attributes Primary-DNS-Server and Secondary-DNS-Server in the
Access-Accept message. See the attribute table in Section Attributes.


6.2

RADIUS Disconnect
The basic RADIUS does not contain any message that could be used to terminate PDP
contexts from a RADIUS server. Some vendors have defined three RADIUS messages
for this purpose (RFC 2882 [11]):

Disconnect-Request (type 40)
Disconnect-ACK (type 41)
Disconnect-NAK (type 42)

The messages are explained in detail in RFC 3576 [12]. The support for disconnect
request is required in TS 29.061 [3].
Flexi ISN as RADIUS server
The RADIUS protocol defined in RFC 2865 [6] and RFC 2866 [7] does not allow unsolicited messages sent from the RADIUS server to the GGSN. The Disconnect-Request is always sent from the RADIUS server to the GGSN. Thus, the roles of the GGSN and the RADIUS server must be reversed. The GGSN is able to receive RADIUS packets sent to UDP ports 1700 and 3799 and acts like a RADIUS server when a Disconnect-Request is received. The response messages Disconnect-ACK and Disconnect-NAK are sent from the port and to the port from which the Disconnect-Request was received. When the GGSN receives the Disconnect-Request, it checks if the request can be fulfilled and sends a response message Disconnect-ACK (PDP context successfully terminated) or Disconnect-NAK (request failed).

Previously the Flexi ISN accepted Disconnect-Requests sent only by a known RADIUS Accounting server; now the RADIUS server can also be a known Authentication server, that is, the RADIUS server must be found in the Flexi ISN configuration database as primary or secondary Authentication or Accounting server. Additionally, four separate Disconnect servers can be named if a RADIUS server other than the primary or secondary Authentication or Accounting server is to be used. See RADIUS Disconnect configuration table in Section Configuration parameters. The configured OSC servers are also valid Disconnect servers as long as the RADIUS interface towards OSC is enabled.

See also the common information for Disconnect- and CoA-Requests:

Proxy-State attribute information in Section Support for RADIUS proxy.
New rules for Disconnect- and CoA-Request reading, Section Checks made on Disconnect-Requests and CoA-Requests; RFC 3576.

6.2.1

Disconnect-Request
The Authenticator field of the Disconnect-Request packet is calculated in the same way
as for an Accounting-Request packet. For more information, see Section Authenticator.
The Disconnect-Request must contain at least one of the following attributes (TS 29.061
[3]):

Acct-Session-Id. The user session identifier. The GGSN IP address and charging ID concatenated in a UTF-8 encoded hexadecimal.
Acct-Multi-Session-Id. An identifier for multiple related sessions.

When the Flexi ISN sends a disconnect message (that means that it is acting as a NAS server), it includes only the Acct-Session-Id attribute and not the Acct-Multi-Session-Id. But when the Flexi ISN (acting either as a NAS server or NAS client) receives a Disconnect-Request, it can handle it properly when either the Acct-Session-Id attribute or Acct-Multi-Session-Id is included.

The Disconnect-Request may optionally contain one of the following attributes:

Username. The user name provided by the user (extracted from the Create PDP Context Request message) or PPP authentication phase (if PPP PDP type is used). If no username is available, a generic username configurable on a per APN basis is present. If the Username has been sent in the Access-Accept message, this user name is used in preference to the above.
Framed-IP-Address. The user's IP address.

More optional attributes are listed in RFC 3576 [12].

Flexi ISN is able to map the received attributes to a unique PDP context or to a whole user session. The procedure allows several connections to be disconnected with one request (for example, all connections of one user) or only one PDP context may be terminated.

Note that Flexi ISN is able to receive Acct-Multi-Session-Id and is able to terminate a whole session at once.

6.2.2

Disconnect-ACK
The Disconnect-ACK packet is sent when the Disconnect-Request has been received
and the whole session or the PDP context was terminated. The Flexi ISN sends the
packet as soon as the Delete PDP Context Request has been sent to the SGSN. There
is no need to wait for the response from the SGSN before Disconnect-ACK is sent to the
RADIUS server. TS 29.061 [3] and RFC 3576 [12] do not specify the content of the Disconnect-ACK. The Flexi ISN implementation sends the Event-Timestamp attribute for
security reasons and the Acct-Terminate-Cause attribute with the value 6 (Admin-Reset) in this message.

6.2.3

Disconnect-NAK
The Disconnect-NAK packet is sent when the Disconnect-Request has been received
and the PDP context was not terminated (for example, the PDP context was not found).
TS 29.061 [3] and RFC 3576 [12] do not specify the content of the Disconnect-NAK. The
Flexi ISN implementation sends the Event-Timestamp attribute in this message.

6.3

Accounting Request Interim-Update


This requires a license.

RFC 2866 [7] defines the Accounting-Request packet, which is used in the accounting. One of the attributes of the packet is Acct-Status-Type, which defines the type of the Accounting-Request. This attribute may have the value Interim-Update (value 3). The interim updates are used to inform the RADIUS server about the current accounting status. The interim updates are sent whenever the PDP context is updated.

An interim update is also sent when the volume or time limit value in the access point's charging limit profile is reached. The time difference between two interim update messages for reaching a threshold value is 60 seconds. If it is triggered earlier, the interim update request will not be sent. To use this functionality, the Send Interim When Container Closed parameter in access point configuration should be set to Enabled.

The content of the interim update message is defined in Section 16.4.8 of TS 29.061 [3].

Note that all standard RADIUS attributes in an interim update message are cumulative. For example, if the optional attribute Acct-Input-Packets is included, it should contain the total number of packets sent by the user, not just the packets sent after the previous accounting message.

Interim update messages contain all of the attributes found in an accounting stop message. For example, if the IMSI is included in the Accounting Stop message, it should also be included in the interim update message.

6.4

Acct-Input-Gigawords and Acct-Output-Gigawords


These attributes require a license.

RFC 2869 [10] defines two attributes:

Acct-Input-Gigawords. This attribute indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 while this service has been provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop or Interim-Update.

Field Name | Length | Value
Type | 1 octet | 52
Length | 1 octet |
Value | 4 octets |

Acct-Output-Gigawords. The attribute indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 while this service has been provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop or Interim-Update.

Field Name | Length | Value
Type | 1 octet | 53
Length | 1 octet |
Value | 4 octets |

Although TS 29.061 [3] does not use these two attributes, they are clearly needed
whenever the above-mentioned counters wrap around. The Flexi ISN uses these two
attributes.

6.5

Dynamic tunnelling of APN


This requires a license.

The Flexi ISN supports different tunnelling protocols (for example, GRE, L2TP), but the choice between the tunnelling protocols is static. A more flexible approach is to select the used tunnelling protocol dynamically. When RADIUS is used, it is possible to provide this functionality. RADIUS has attributes that carry the tunnelling information between the RADIUS server and the RADIUS client (GGSN) (RFC 2868 [9]).

These attributes are received from the RADIUS server during the authentication process and are included in Access-Accept packets.

Tunnel-Type
The main RADIUS attribute is Tunnel-Type.

Field Name | Length | Value
Type | 1 octet | 64
Length | 1 octet |
Tag | 1 octet | The tag field is intended to provide the means for grouping attributes, which refer to the same tunnel, in the same packet.
Value | 3 octets | Defines the tunneling protocol. The GGSN supports the following values in the attribute: L2TP (3), IP-IP (7), GRE (10)
If the Tunnel-Type attribute is present in an Access-Request packet sent from a Flexi ISN, it should be taken as a hint to the RADIUS server as to which tunnelling protocols are supported by the tunnel endpoint. The RADIUS server may, however, ignore the hint.

Tunnel-Server-Endpoint
This attribute indicates the address of the server end of the tunnel. The Tunnel-Server-Endpoint must be included in the Access-Accept packet if the initiation of a tunnel is desired. The Flexi ISN supports the attribute.

Field Name | Length | Value
Type | 1 octet | 66
Length | 1 octet | greater than or equal to 3
Tag | 1 octet | The tag field is intended to provide the means for grouping attributes, which refer to the same tunnel, in the same packet.
Value | String | This string is either the fully qualified domain name (FQDN) of the tunnel client machine, or it is a dotted-decimal IP address. Only the dotted-decimal format for IP addresses is supported in the Flexi ISN.

If for some reason the Flexi ISN does not accept the received IP address, the Flexi ISN
behaves as though an Access-Reject had been received.
Tunnel-Client-Endpoint
This attribute indicates the address of the initiator end of the tunnel. The Tunnel-Client-Endpoint is not mandatory in the Access-Accept packet, so the Flexi ISN is prepared for the case where the attribute is missing.

Field Name | Length | Value
Type | 1 octet | 67
Length | 1 octet | greater than or equal to 3
Tag | 1 octet | The tag field is intended to provide the means for grouping attributes, which refer to the same tunnel, in the same packet.
Value | String | This string is either the fully qualified domain name (FQDN) of the tunnel client machine, or it is a dotted-decimal IP address. The Flexi ISN supports both formats (the dotted-decimal and FQDN) for the IP addresses.

If for some reason the Flexi ISN does not accept the received IP address, the Flexi ISN
behaves as though an Access-Reject had been received.
Tunnel-Assignment-ID
Field Name | Length | Value
Type | 1 octet | 82
Length | 1 octet | greater than or equal to 3
Tag | 1 octet | The tag field is intended to provide the means for grouping attributes, which refer to the same tunnel, in the same packet.
Value | String | There is no restriction on the format of the ID

Some tunnelling protocols, such as L2TP, allow for sessions between the same two tunnel endpoints to be multiplexed over the same tunnel, and also for a given session to use its own dedicated tunnel. This attribute provides a mechanism for RADIUS to be used to inform the tunnel initiator (for example, LAC) whether to assign the session to a multiplexed tunnel or to a separate tunnel. Furthermore, it allows for sessions sharing multiplexed tunnels to be assigned to different multiplexed tunnels. The Tunnel-Assignment-ID attribute is of significance only to RADIUS and the tunnel initiator. The ID assigned by the tunnel initiator, the Flexi ISN, is not conveyed to the tunnel peer.

When the Tunnel-Assignment-ID attribute is received, the Flexi ISN should assign a session to a tunnel in the following manner:

If this attribute is present and a tunnel exists between the specified endpoints with the specified ID, the session should be assigned to that tunnel. An existing tunnel can be re-used only if the same service blade is used.
If this attribute is present and no tunnel exists between the specified endpoints with the specified ID, a new tunnel should be established for the session and the specified ID should be associated with the new tunnel.

If this attribute is not present, then the session is assigned to an unnamed tunnel. If an unnamed tunnel does not yet exist between the specified endpoints, it is established and used for this and subsequent sessions established without the Tunnel-Assignment-ID attribute. The Flexi ISN must not assign a session for which a Tunnel-Assignment-ID attribute was not specified to a named tunnel (that is, one that was initiated by a session specifying this attribute).
Tunnel-Preference
If more than one set of tunnelling attributes is returned by the RADIUS server to the Flexi ISN, this attribute should be included in each set to indicate the relative preference assigned to each tunnel. Accordingly, when there are multiple dynamic tunnelling configuration sets and the highest priority fails, the second highest will be tried.

Note: Tunnel failure can only be detected on L2TP tunnels. For IPIP and GRE the highest priority is always used unconditionally.

Field Name | Length | Value
Type | 1 octet | 83
Length | 1 octet |
Tag | 1 octet | The tag field is intended to provide the means for grouping attributes, which refer to the same tunnel, in the same packet.
Value | 3 octets | 0x000000 is most preferred and 0xFFFFFF least preferred.

6.5.1

Tunnelling attributes related to authentication


Tunnel-Password
The attribute contains a password to be used to authenticate to a remote server.
Field Name | Length | Value
Type | 1 octet | 69
Length | 1 octet | greater than or equal to 5
Tag | 1 octet | The tag field is intended to provide the means for grouping attributes, which refer to the same tunnel, in the same packet.
Salt | 2 octets | The Salt field is used to ensure the uniqueness of the encryption key used to encrypt each instance of the Tunnel-Password attribute occurring in a given Access-Accept packet. The most significant bit (leftmost) of the Salt field must be set (1). The contents of each Salt field in a given Access-Accept packet must be unique.
String | | The plaintext String field consists of three logical sub-fields: Data-Length (1 octet), Password sub-fields, Padding sub-field (optional)
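The following added example (not part of the Flexi ISN documentation or code) encodes and decodes a Tunnel-Password attribute with the field layout in the table above. The MD5 chaining comes from RFC 2868, which the page cites for these attributes but does not spell out; the shared secret, Request Authenticator and password in the test values are constructed.

```python
import hashlib

TUNNEL_PASSWORD = 69  # attribute type from the table above


def _md5_chain(secret, authenticator, salt, data, decrypting):
    """XOR data with the RFC 2868 MD5 chain, which feeds on ciphertext blocks."""
    out = bytearray()
    feed = authenticator + salt                # b(1) = MD5(secret + authenticator + salt)
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + feed).digest()
        mixed = bytes(x ^ y for x, y in zip(block, pad))
        out += mixed
        feed = block if decrypting else mixed  # b(i) = MD5(secret + c(i-1))
    return bytes(out)


def encode_tunnel_password(password, secret, authenticator, salt, tag=0):
    """Build Type | Length | Tag | Salt | String for one Tunnel-Password."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("Salt must be 2 octets with the most significant bit set")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 239:
        raise ValueError("password does not fit into a single attribute")
    plain = bytes([len(password)]) + password  # Data-Length + Password
    plain += bytes(-len(plain) % 16)           # Padding up to a 16-octet boundary
    string = _md5_chain(secret, authenticator, salt, plain, decrypting=False)
    return bytes([TUNNEL_PASSWORD, 5 + len(string), tag]) + salt + string


def decode_tunnel_password(attr, secret, authenticator):
    """Validate the attribute and return (tag, password)."""
    if len(attr) < 5 or attr[0] != TUNNEL_PASSWORD or attr[1] != len(attr):
        raise ValueError("not a well-formed Tunnel-Password attribute")
    tag, salt, string = attr[2], attr[3:5], attr[5:]
    if not salt[0] & 0x80:
        raise ValueError("most significant bit of the Salt is not set")
    if not string or len(string) % 16:
        raise ValueError("String must be a non-empty multiple of 16 octets")
    plain = _md5_chain(secret, authenticator, salt, string, decrypting=True)
    data_length = plain[0]
    if data_length > len(plain) - 1:
        raise ValueError("Data-Length exceeds the decrypted data (wrong secret?)")
    return tag, plain[1:1 + data_length]


def salts_are_unique(attributes):
    """Check that every Tunnel-Password in one packet carries a different Salt."""
    salts = [a[3:5] for a in attributes if len(a) >= 5 and a[0] == TUNNEL_PASSWORD]
    return len(salts) == len(set(salts))
```

The protection of the password rests entirely on the shared secret and the MD5 chain, so a reused Salt under the same Request Authenticator yields the same key stream for both attributes.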

Tunnel-Client-Auth-ID
The attribute specifies the name used by the tunnel initiator during the authentication
phase of tunnel establishment.
Field Name | Length | Value
Type | 1 octet | 90
Length | 1 octet | greater than or equal to 3
Tag | 1 octet | The tag field is intended to provide the means for grouping attributes, which refer to the same tunnel, in the same packet.
String | | The String field contains the authentication name of the tunnel initiator.

6.5.2

Tunnelling attributes related to user authentication


NSN-Tunnel-User-Auth-Method
The attribute specifies the user authentication method used with dynamic tunnels.
Field Name | Length | Value
Type | 1 octet | 26 (Vendor-Specific)
Length | 1 octet | 12
Vendor-Id | 4 octets | 28458 (Nokia-Siemens-Networks)
Vendor-Type | 1 octet | 1 (NSN-Tunnel-User-Auth-Method)
Vendor-Length | 1 octet |
Tag | 1 octet | The tag field is intended to provide the means for grouping attributes, which refer to the same tunnel, in the same packet.
Integer | 3 octets | The Integer field defines the User Authentication method. 1 = L2TP PAP; 2 = L2TP PAP with MSISDN; 3 = L2TP PAP with APN; 4 = L2TP PAP with IMSI; 5 = L2TP CHAP; 6 = L2TP CHAP with MSISDN; 7 = L2TP CHAP with APN; 8 = L2TP CHAP with IMSI; 9 = L2TP Proxy Authentication

NSN-Tunnel-Override-Username
The attribute changes the user authentication in dynamic tunnels when credentials are
received from the terminal. When the attribute is set to Enabled (1) the credentials from
the terminal override the ones previously used. The authentication fails if the received
password is "password".
Field Name | Length | Value
Type | 1 octet | 26 (Vendor-Specific)
Length | 1 octet | 10
Vendor-Id | 4 octets | 28458 (Nokia-Siemens-Networks)
Vendor-Type | 1 octet | 2 (NSN-Tunnel-Override-Username)
Vendor-Length | 1 octet |
Tag | 1 octet | The tag field is intended to provide the means for grouping attributes, which refer to the same tunnel, in the same packet.
Integer | 1 octet | The Integer field enables the Override Username method. 1 = Enabled; other values = Disabled

6.5.3

Additional requirements related to dynamic tunnelling of APN

The Flexi ISN supports dynamic tunnels in all APN types (RFC 2868 [9]).
Arbitrary dynamic tunnelling configurations are supported (RFC 2868 [9]). The RADIUS server may return an arbitrary tunnelling configuration. If the RADIUS server is unreliable, the Flexi ISN does not allow this. If, however, the RADIUS server can be trusted, the Flexi ISN allows those tunnelling configurations which are not predefined in the Flexi ISN.
The Flexi ISN includes tunnelling attributes in an Access-Request packet.

6.6

Nokia vendor-specific attribute Nokia-Session-Access-Method


This attribute requires a licence.

The Nokia-Session-Access-Method attribute indicates which access method is chosen for the user session. The Nokia-Session-Access-Method vendor-specific attribute is encoded as follows:

Field Name | Length | Value
Type | 1 octet | 26 (Vendor-Specific)
Length | 1 octet |
Vendor-Id | 4 octets | 94 (Nokia)
Vendor-Type | 1 octet | 10 (Nokia-Session-Access-Method)
Vendor-Length | 1 octet |
Value | 1 octet | The Value field contains the access method. 0 = GPRS (undefined); 1 = SGSN (2G / 3G / unspecified); 2 = WLAN; 3 = IP (NAS)

6.7

Charging profile fetching through RADIUS


The vendor-specific attribute Nokia-Session-Charging-Type indicates which
charging type is chosen for the session. It also defines whether online charging (via the
OCS interface) is enabled. With this attribute the charging profile is also fetched from
the RADIUS server during RADIUS authentication. The attribute can be received from
RADIUS during the authentication process even when no user profile is fetched from
RADIUS. The Nokia-Session-Charging-Type vendor-specific attribute is encoded
as follows:
Field Name | Length | Value
Type | 1 octet | 26 (Vendor-Specific)
Length | 1 octet |
Vendor-Id | 4 octets | 94 (Nokia)
Vendor-Type | 1 octet | 11 (Nokia-Session-Charging-Type)
Vendor-Length | 1 octet |
Value | 1 octet | The Value field contains the charging profile. 0 = prepaid; 1 = post-paid; 2 = post-paid with credit control; 3 = prepaid with credit card; 4 = HLR; 5 = wallet specific; 6 = wallet specific without credit control; 7 = hot billing. Note that online charging (OCS interface) is disabled if values 1, 6, or 7 are received, or if value 4 is received and the current charging characteristics does not have the Prepaid bit set.
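As an added illustration (not code from the Flexi ISN), the decoder below validates a single Vendor-Specific attribute against the layouts given above for the RFC 2548 DNS sub-attributes, Nokia-Session-Access-Method and Nokia-Session-Charging-Type, and applies the online-charging rule from the table. It assumes Vendor-Length counts the Vendor-Type and Vendor-Length octets plus the value, which agrees with the Length of 12 given for the DNS attributes; the sample octets are constructed.

```python
import ipaddress
import struct

VENDOR_SPECIFIC = 26

# (Vendor-Id, Vendor-Type) -> (name, value size in octets, allowed integers or None)
KNOWN_VSAS = {
    (311, 28): ("MS-Primary-DNS-Server", 4, None),
    (311, 29): ("MS-Secondary-DNS-Server", 4, None),
    (94, 10): ("Nokia-Session-Access-Method", 1, range(0, 4)),
    (94, 11): ("Nokia-Session-Charging-Type", 1, range(0, 8)),
}


def make_vsa(vendor_id, vendor_type, value):
    """Helper for building constructed sample attributes."""
    sub = bytes([vendor_type, len(value) + 2]) + value
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", vendor_id) + sub


def decode_vsa(attr):
    """Return (name, value) for a known sub-attribute, or raise ValueError."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute")
    if attr[1] != len(attr):
        raise ValueError("Length field does not match the attribute size")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    vendor_type, vendor_length = attr[6], attr[7]
    if vendor_length != len(attr) - 6:
        raise ValueError("Vendor-Length does not match the remaining octets")
    value = attr[8:]
    if (vendor_id, vendor_type) not in KNOWN_VSAS:
        raise ValueError(f"unknown sub-attribute {vendor_id}/{vendor_type}")
    name, size, allowed = KNOWN_VSAS[(vendor_id, vendor_type)]
    if len(value) != size:
        raise ValueError(f"{name}: expected {size} value octet(s), got {len(value)}")
    if allowed is None:                       # IPv4-Address field
        return name, str(ipaddress.IPv4Address(value))
    number = value[0]
    if number not in allowed:
        raise ValueError(f"{name}: value {number} is not defined")
    return name, number


def online_charging_disabled(charging_type, prepaid_bit_set):
    """Rule from the Nokia-Session-Charging-Type table: values 1, 6 and 7
    disable online charging, and so does 4 (HLR) without the Prepaid bit."""
    return charging_type in (1, 6, 7) or (charging_type == 4 and not prepaid_bit_set)
```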

6.8

Defining OCS servers through RADIUS


The local Flexi ISN configuration makes it possible to define multiple OCS connections,
but cannot completely support subscriber-specific OCS interface selection. Therefore
the used OCS may also be defined and received from the RADIUS server during the
authentication process.

The OCS given from RADIUS will be used if it is also listed in the local configuration of the Flexi ISN, and it will be ignored if there is no existing connection to such OCS.

Two OCS identifiers can be received from the RADIUS server with the Nokia-specific attributes Nokia-OCS-ID1 and Nokia-OCS-ID2. If the OCS interface fails, the recovery may use alternate OCS defined by RADIUS.

The OCS identifiers can be received from RADIUS during the authentication process even when no user profile is fetched from RADIUS, that is, the access point can be in 'Normal', 'GGSN' or 'Radius' mode. If the Nokia Siemens Networks Profile Server has returned OCS identifiers, the values coming from the RADIUS server are ignored.

The Nokia-OCS-ID1 and Nokia-OCS-ID2 attributes are encoded as follows:

Nokia-OCS-ID1

Field Name | Length | Value
Type | 1 octet | 26 (Vendor-Specific)
Length | 1 octet | 10
Vendor-Id | 4 octets | 94 (Nokia)
Vendor-Type | 1 octet | 12 (Nokia-OCS-ID1)
Vendor-Length | 1 octet |
Value | 2 octets | Defines the identification number of the OCS server that should be used in the first place. Integer, allowed range: 1 - 65535

Nokia-OCS-ID2

Field Name | Length | Value
Type | 1 octet | 26 (Vendor-Specific)
Length | 1 octet | 10
Vendor-Id | 4 octets | 94 (Nokia)
Vendor-Type | 1 octet | 13 (Nokia-OCS-ID2)
Vendor-Length | 1 octet |
Value | 2 octets | Defines the identification number of the OCS server that should be used in the second place. Integer, allowed range: 1 - 65535

6.9

Determining TREC through RADIUS


The default TREC for the PDP context can be determined through RADIUS during the
authentication process; the access point must be in the Radius mode. This is done with
the Nokia vendor-specific attribute Nokia-TREC-Index. This attribute may be present
in the CoA message. It is applicable when Acct-Session-Id is also present. In this
case the TREC parameters restrict the QoS requested from SGSN for the specific PDP
context.

If the result is an updated QoS, then Flexi ISN initiates an Update PDP Context Request towards SGSN.

For more information about TREC, see Quality of Service in Nokia Siemens Networks Flexi ISN, Release 4.0.

The Nokia-TREC-Index attribute is encoded as follows:

Field Name | Length | Value
Type | 1 octet | 26 (Vendor-Specific)
Length | 1 octet |
Vendor-Id | 4 octets | 94 (Nokia)
Vendor-Type | 1 octet | 14 (Nokia-TREC-Index)
Vendor-Length | 1 octet |
Value | 1 octet | The Value field contains the TREC Index. Integer, allowed range: 1-10.

6.10

Nokia-Requested-APN
Usage of this attribute requires a licence.

The Nokia-Requested-APN attribute indicates the name of the access point to which the user equipment requested connecting. The value is copied from the access point name (APN) that is received from the SGSN in the Create PDP Context request. Note that the requested APN may be different from the negotiated APN (that is sent in the Called-Station-Id attribute). When the requested APN is an alias to a physical access point, the negotiated APN contains the name of the physical access point. Also the user profile may override the requested APN. In this case the negotiated APN contains the name of the access point specified in the user profile.

The Nokia-Requested-APN attribute is encoded as follows:

Field Name | Length | Value
Type | 1 octet | 26 (Vendor-Specific)
Length | 1 octet | greater than or equal to 8
Vendor-Id | 4 octets | 94 (Nokia)
Vendor-Type | 1 octet | 15 (Nokia-Requested-APN)
Vendor-Length | 1 octet | greater than or equal to 2
Value | String | Contains the requested access point name as a UTF-8 string.

6.11

Transmission window
This section outlines the implementation and basic functionality of RADIUS transmission windows and waiting queues in the Flexi ISN. A transmission window contains a set of RADIUS requests that are currently being handled between the RADIUS client (the Flexi ISN) and the RADIUS server (the AAA server). The standard defines that a transmission window can have a maximum size of 256 simultaneous requests. This value is valid in entry, medium and large configurations and applicable for each service blade (SB). In the Capacity Extender (CE) and Dual-Chassis (DC) configurations, a value of 1785 simultaneous requests has been chosen for the whole system in order to avoid congestion in RADIUS servers. This means that the transmission window for each service blade is reduced to 1785/13 = 137 simultaneous requests, where 13 is the number of SBs in the DC. Each RADIUS request inside a transmission window is identified by a unique RADIUS ID. Note that in DC and with high loads, a transmission window of 256 simultaneous requests for each SB would result in a total of 3328 simultaneous requests for each RADIUS server, which is considered a very high value.

The Flexi ISN creates its own, independent transmission window, of 256 requests each, for every uniquely defined connection between the RADIUS client and the RADIUS server. In the Capacity Extender and Dual-Chassis configurations the value of the requests is 137. The functionality is available for all types of RADIUS servers; multiple independent transmission windows are possible for both RADIUS authentication and RADIUS accounting connections. When a new RADIUS request is sent out, it will use a certain transmission window according to the destination. A connection between the RADIUS client and the RADIUS server is defined by the following parameters:

server address
server port
client address
tunnel endpoint address (if configured)
routing instance
(client port, unique, and fixed for each Flexi ISN service blade, see below)

For a RADIUS connection to get its own transmission window, the value for at least one of the above listed parameters must be different from those in other existing configurations. The parameters are defined mainly in the access point configuration. If two or more configurations end up being the same, the RADIUS request message for those access points will use a shared transmission window (to the same shared RADIUS server). Each service blade of the Flexi ISN uses a fixed unique source port (the client port) for an outgoing request. This means that there is a separate transmission window from each service blade to a given destination. The number of the simultaneous requests depends on the configuration:

In the Flexi ISN basic configuration there are: 2 service blades x 256 = 512 simultaneous requests to the same destination.
In the full Flexi ISN configuration there are: 4 service blades x 256 = 1024 (in the one-blade GGSN the number was 256).
In the Capacity Extender and Dual-Chassis configurations there are: 13 service blades x 137 = 1785 (approximately) simultaneous requests to the same destination.

When the number of requests to be sent is large, the transmission window size limits the rate at which the requests are sent. On the other hand, some RADIUS servers have difficulties handling a big burst of simultaneous RADIUS messages, so the transmission window acts as a protection mechanism as well.

If the given transmission window is full (that is, there are no free IDs left), the RADIUS request will be temporarily stored to one of the transmission-window-specific waiting queues. Once any of the ongoing procedures is finished, that request is removed from the transmission window and a pending request is inserted into the transmission window from a waiting queue. The pending authentication requests have one waiting queue for each transmission window, which is emptied in FIFO order. The pending accounting requests have multiple waiting queues for each transmission window. The queues are sorted by the accounting message type and the access point index, and they are emptied in a round-robin fashion.
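A small model of the behaviour described above, added here as an illustration and not taken from the Flexi ISN implementation: one window per connection tuple, a bounded pool of RADIUS IDs, and waiting queues drained in round-robin order (a single queue key gives the FIFO behaviour of authentication requests). The class, field and queue-key names are assumptions.

```python
from collections import OrderedDict, deque, namedtuple

# The parameters the text lists as defining one client/server connection.
Connection = namedtuple(
    "Connection",
    "server_address server_port client_address tunnel_endpoint routing_instance client_port",
)


class TransmissionWindow:
    def __init__(self, size=256):
        if not 1 <= size <= 256:
            raise ValueError("a window holds between 1 and 256 RADIUS IDs")
        self.free_ids = deque(range(size))
        self.in_flight = {}            # RADIUS ID -> request being handled
        self.waiting = OrderedDict()   # queue key -> deque of pending requests

    def submit(self, request, queue="auth"):
        """Return the RADIUS ID used, or None if the request had to wait."""
        if self.free_ids:
            ident = self.free_ids.popleft()
            self.in_flight[ident] = request
            return ident
        self.waiting.setdefault(queue, deque()).append(request)
        return None

    def complete(self, ident):
        """Finish a request; return the pending request that takes over its ID."""
        del self.in_flight[ident]
        if not self.waiting:
            self.free_ids.append(ident)
            return None
        queue, pending = next(iter(self.waiting.items()))
        request = pending.popleft()
        if pending:
            self.waiting.move_to_end(queue)   # next turn goes to another queue
        else:
            del self.waiting[queue]
        self.in_flight[ident] = request
        return request


WINDOWS = {}


def window_for(connection, size=256):
    """Identical connection tuples share one window; any difference gets its own."""
    if connection not in WINDOWS:
        WINDOWS[connection] = TransmissionWindow(size)
    return WINDOWS[connection]
```

For accounting requests the queue key would be the pair of accounting message type and access point index, for example `("stop", 2)`.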

6.12

Support for RADIUS proxy


The Flexi ISN supports the proxy functionality. With proxy RADIUS, a RADIUS client (the forwarding server) receives a request from a RADIUS server, forwards the request to a remote RADIUS client (the Flexi ISN), receives the reply from the remote client (the Flexi ISN), and sends the reply to the server, possibly with changes to reflect local administrative policy. A common use for proxy RADIUS is roaming. Roaming permits two or more administrative entities to allow each other's users to dial in to either entity's network for service. See RFC 2865 [6] and RFC 3576 [12].

The proxy functionality is fulfilled with the Proxy-State (33) attribute. The attribute is sent by a proxy server to another server or a Flexi ISN when forwarding a request and must be returned unmodified in the response. When the proxy server receives the response to its request, it removes its own Proxy-State (the last Proxy-State in the packet) before forwarding the response to the RADIUS server.

For an example, see Figure 4.

Figure 4 RADIUS proxy

A RADIUS server can function as both a forwarding server and a remote server. One forwarding server can forward to another forwarding server to create a chain of proxies.

This means that if there are any Proxy-State attributes in the Disconnect-Request or CoA-Request received from the RADIUS server, the Flexi ISN will include those Proxy-State attributes in its response to the server.

The Flexi ISN can copy up to 10 Proxy-State attributes from the request to the response packet. The attributes are copied in order, without modifying the attributes.

6.13 Checks made on Disconnect-Requests and CoA-Requests; RFC 3576


Here are some hints for what it takes for a successful Disconnect-Request or CoA-Request.
Additionally, the rules given in Section RADIUS Disconnect, for Disconnect
and Section Retrieving service components dynamically for CoA must be followed
before the request can be fulfilled. These checks are common for Disconnect- and CoA-Requests.

- The following attributes, if included, must match in order for a Disconnect- or
  CoA-Request to be successful, otherwise a Disconnect- or CoA-NAK is sent.
  - NAS-IP-Address
  - NAS-Identifier
  - User-Name
  - Acct-Session-Id or Acct-Multi-Session-Id (must be included in the message)
- When the Event-Timestamp (55) attribute is present in a Disconnect- or CoA-Request,
  the Flexi ISN checks that the Event-Timestamp attribute is current within a time
  window of 300 seconds. If the Event-Timestamp attribute is not current, then the
  message is silently discarded.
- The Service-Type (6) attribute is used for feature activation (for example, a usage
  model similar to that supported in Diameter). The Flexi ISN responds to a Disconnect-
  or CoA-Request including an unsupported Service-Type attribute with a Disconnect- or
  CoA-NAK.

6.14 Acct-Terminate-Cause

The Acct-Terminate-Cause attribute indicates how the session was terminated. Below
is a list of values supported by the Flexi ISN and descriptions of reasons that could have
caused the context termination:

1, User Request
Context termination related to an SGSN or NAS.
- the SGSN cannot be reached or is down
- the SGSN has been restarted
- an update PDP Context request to the SGSN has failed
- an SGSN has suddenly changed its GTP version
- the SGSN or NAS has created a new PDP context with the same IMSI and NSAPI as an
  already existing PDP context
- the SGSN assigned the TEID user plane of an already existing PDP context to a new
  PDP context
- an error indication message from the SGSN
- a delete PDP context request from an SGSN
- a RADIUS Accounting Stop, Accounting Off (=going down), or Accounting On
  (=restarted) message received from NAS
- the NAS did not supply an essential attribute
- NAS accounting timeout, no accounting message received for the NAS context
- the NAS configuration has been changed or deleted
- the NAS context has the same accounting session ID as an already existing context

3, Lost Service
Context termination related to an access point.
- an access point was critically reconfigured
- an access point was disabled
- the access point name does not match any existing and enabled access point

4, Idle Timeout
An idle time-out in the Flexi ISN caused the context termination.

5, Session Timeout
A session time-out in the Flexi ISN caused the context termination.

6, Admin Reset
A Disconnect Request terminated the context.
- a Disconnect Request message from a standard RADIUS interface
- a Disconnect Request message from the RADIUS-OCS interface

10, NAS Reset, default value
A network-initiated context termination.

6.15 Values and profiles determined through RADIUS


This section clarifies which values and profiles can be defined and received from the
RADIUS server. More information about the attributes and messages mentioned in this
section can be found in several places elsewhere in this document. Table 8 shows the
values that can be determined in a RADIUS message. Also the access point mode that
is required for each value is described. Note that only the attributes that affect the Flexi
ISN functionality are mentioned here. Normal RADIUS 'received and send' attributes are
left out, such as the Class attribute.


Profile / value and


attribute name

AP mode:
Normal

AP mode:
RADIUS

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Defining DNS server Yes

Yes

Yes

Dynamic IP address
allocation

CoA-Request

Session-Timeout (27)
Idle-Timeout (28)

Dynamic tunneling
parameters

Access-Accept

Framed-IP-Address (8)

Defining session
timeouts


Tunnel-Type (64)
Tunnel-Client-Endpoint (66)
Tunnel-Server-Endpoint (67)
Tunnel-Password (69)
Tunnel-Assignment-Id (82)
Tunnel-Preference (83)
Tunnel-Client-Auth-Id (90)

Primary-DNS-Server (135)
Secondary-DNS-Server (136)
MS-Primary-DNS-Server (26/311/28)
MS-Secondary-DNS-Server (26/311/29)


Profile / value and


attribute name

Access-Accept

User profile fetching

Yes

1. Old method

Yes

CoA-Request

AP mode:
Normal

Yes

AP mode:
RADIUS
Yes
Yes

Nokia-Userprofile (26/94/2)

2. Retrieving service
components

Nokia-Service-Name (26/94/3)
Nokia-Service-Id (26/94/4)
Nokia-Service-Username (26/94/5)
Nokia-Service-Password (26/94/6)
Nokia-Service-Primary-Indicator (26/94/7)
Nokia-Service-Charging-Type (26/94/8)
Nokia-Service-Encrypted-Password (26/94/9)

Charging profile
fetching

Yes

Yes

Yes

Yes

Yes

Nokia-TREC-Index (26/94/14)

Table 8


Yes

Nokia-OCS-Id1 (26/94/12)
Nokia-OCS-Id2 (26/94/13)

Defining the treatment class

Yes

Nokia-Session-Charging-Type (26/94/11)

Defining OCS
servers

Yes

Determined values in a RADIUS message

7 Retrieving service components


The Flexi ISN can be configured to fetch the user profile from a RADIUS server in case
the Nokia Subscription Manager is not available in the network. For this purpose the
external RADIUS server (the context access point and the RADIUS server need to be
so configured) will deliver this information in the Nokia vendor-specific attributes.
The Flexi ISN can fetch the user profile from a RADIUS server during the authentication
process in the Access-Accept message (Section User profile fetching) or dynamically
through the CoA-message (Section Retrieving service components dynamically).
The Flexi ISN must be configured accordingly, that is, the access point must be in the
Radius mode.
The User Profile LDAP/RADIUS licence is required to be able to use this feature.

7.1 User profile fetching


The Nokia vendor-specific attributes listed below should be used for this purpose, and
these attributes will overwrite the old Nokia-UserProfile attribute (Section Usage
of the old service list fetching attribute).

For the attributes, the same structure is used as for dynamic tunnelling parameters in
RADIUS. A Nokia vendor-specific attribute is defined for each attribute describing a part
of one service. All attributes belonging to a service in a profile are linked together
with a tag.

The following Nokia vendor-specific attributes (as defined below) are used for retrieving
service components:

Nokia-Service-Name
Nokia-Service-Id
Nokia-Service-Username
Nokia-Service-Password
Nokia-Service-Primary-Indicator
Nokia-Service-Charging-Type
Nokia-Service-Encrypted-Password

The specific attribute format for Nokia vendor-specific service attributes is shown in
Table 9:


| Field Name | Length | Value |
| --- | --- | --- |
| Type | 1 octet | 26 (Vendor-Specific) |
| Length | 1 octet | 9 + N octets of the Value length |
| Vendor-Id | 4 octets | 94 (Nokia) |
| Vendor-Type | 1 octet | 3 (Nokia-Service-Name); 4 (Nokia-Service-ID); 5 (Nokia-Service-Username); 6 (Nokia-Service-Password); 7 (Nokia-Service-Primary-Indicator); 8 (Nokia-Service-Charging-Type); 9 (Nokia-Service-Encrypted-Password) |
| Vendor-Length | 1 octet | 3 + N octets of the Value length |
| Tag | 1 octet | The tag field is intended to provide the means for grouping attributes, which refer to the same tunnel, in the same packet. The Tag field is not allowed to be 0 (zero), except in the Nokia-Service-Charging-Type attribute. |
| Value | N octet | Value of the service attribute. |

Table 9 Specific attribute format for Nokia vendor-specific service attributes

| Field Name | Length | Value |
| --- | --- | --- |
| Vendor-Type | 1 octet | |
| Vendor-Length | 1 octet | greater than or equal to 4 |
| Tag | 1 octet | The Tag field is intended to provide the means for grouping attributes, which refer to the same service, in the same packet. The Tag field is not allowed to be 0 (zero). |
| Value | 1-247 octets | The Value field (UTF-8 encoded string) contains the service name. |

Table 10 Nokia-Service-Name

| Field Name | Length | Value |
| --- | --- | --- |
| Vendor-Type | 1 octet | |
| Vendor-Length | 1 octet | 4-7 |
| Tag | 1 octet | The Tag field is intended to provide the means for grouping attributes in the same packet, which refer to the same service. The Tag field is not allowed to be 0 (zero). |
| Value | 1-4 octets | The Value field contains the service identification number. |

Table 11 Nokia-Service-ID

| Field Name | Length | Value |
| --- | --- | --- |
| Vendor-Type | 1 octet | |
| Vendor-Length | 1 octet | greater than or equal to 4 |
| Tag | 1 octet | The Tag field is intended to provide the means for grouping attributes, which refer to the same service, in the same packet. The Tag field is not allowed to be 0 (zero). |
| Value | 1-247 octets | The Value field (UTF-8 encoded string) contains the username for the service. |

Table 12 Nokia-Service-Username

| Field Name | Length | Value |
| --- | --- | --- |
| Vendor-Type | 1 octet | |
| Vendor-Length | 1 octet | greater than or equal to 4 |
| Tag | 1 octet | The Tag field is intended to provide the means for grouping attributes, which refer to the same service, in the same packet. The Tag field is not allowed to be 0 (zero). |
| Value | 1-247 octets | The Value field (UTF-8 encoded string) contains the password for the service. |

Table 13 Nokia-Service-Password

| Field Name | Length | Value |
| --- | --- | --- |
| Vendor-Type | 1 octet | |
| Vendor-Length | 1 octet | |
| Tag | 1 octet | The Tag field is intended to provide the means for grouping attributes in the same packet, which refer to the same service. The Tag field is not allowed to be 0 (zero). |
| Value | 0 octets | The Value field should be empty and is ignored. The Tag field shows the primary service. |

Table 14 Nokia-Service-Primary-Indicator

| Field Name | Length | Value |
| --- | --- | --- |
| Vendor-Type | 1 octet | |
| Vendor-Length | 1 octet | |
| Tag | 1 octet | The Tag field is intended to provide the means for grouping attributes in the same packet, which refer to the same service. If the Tag field = 0, all the services that did not get their own charging type will use this one. |
| Value | 2 octets | The Value field is divided into the following: |
| Wallet-Id | 1 octet | The number of the wallet used by the subscriber to pay for a given service. The Wallet-Id field contains the wallet identification number (1-127). |
| Charging-Type | 1 octet | The Charging-Type field defines the wallet charging type used by Wallet-Id. 0 = prepaid; 1 = post-paid; 2 = post-paid with credit control; 3 = prepaid with credit card |

Table 15 Nokia-Service-Charging-Type

| Field Name | Length | Value |
| --- | --- | --- |
| Vendor-Type | 1 octet | |
| Vendor-Length | 1 octet | greater than 5 |
| Tag | 1 octet | The Tag field is intended to provide the means for grouping attributes in the same packet, which refer to the same service. The Tag field is not allowed to be 0 (zero). |
| Value | 3-247 octets | The Value field is divided into the following: |
| Salt | 1 octet | The Salt field is used to ensure the uniqueness of the encryption key used to encrypt each instance of the Nokia-Service-Encrypted-Password attribute. The most significant bit (leftmost) of the Salt field must be set. |
| String | 1 octet | The plaintext String field consists of three logical sub-fields: Data-Length (1 octet), Password, Padding (optional, 1-15 octets). The sub-fields and the encryption are described below the table. |

Table 16 Nokia-Service-Encrypted-Password

The Data-Length sub-field contains the length of the unencrypted Password sub-field. The
Password sub-field contains the actual password. If the combined length (in octets) of the
unencrypted Data-Length and Password sub-fields is not an even multiple of 16, then the
Padding sub-field must be present.

The String field is encrypted in the same way as the String field of the Tunnel-Password
attribute (RFC 2868), and it must be encrypted as follows, prior to transmission:

Construct a plaintext version of the String field by concatenating the Data-Length and
Password sub-fields. If necessary, pad the resulting string until its length (in octets) is
an even multiple of 16. Zero octets (0x00) should be used for padding. Call this plaintext P.

Call the shared secret S, the pseudo-random 128-bit Request Authenticator (from the
corresponding Access-Request packet) R, and the contents of the Salt field A. Break P into
16 octet chunks p(1), p(2)...p(i), where i = len(P)/16. Call the cipher text blocks c(1),
c(2)...c(i) and the final cipher text C. Intermediate values b(1), b(2)...b(i) are
required. Encryption is performed in the following manner ('+' indicates concatenation):

b(1) = MD5(S + R + A)     c(1) = p(1) xor b(1)     C = c(1)
b(2) = MD5(S + c(1))      c(2) = p(2) xor b(2)     C = C + c(2)
  .
  .
  .
b(i) = MD5(S + c(i-1))    c(i) = p(i) xor b(i)     C = C + c(i)

The resulting encrypted String field will contain c(1)+c(2)+...+c(i).
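The encryption steps above, written out with the matching decryption as an added Python example (not code from the Flexi ISN product or its documentation). The function names are hypothetical, and `SALT_LEN` follows the 1-octet Salt given in Table 16.

```python
import hashlib
import os

SALT_LEN = 1  # Table 16 gives the Salt as 1 octet; RFC 2868 Tunnel-Password uses 2


def _xor_blocks(data, secret, seed, encrypting):
    """Run the b(i)/c(i) chain over the 16-octet blocks of data."""
    out = b""
    for i in range(0, len(data), 16):
        b_i = hashlib.md5(secret + seed).digest()
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], b_i))
        out += block
        # The next b(i) is always keyed on the previous ciphertext block c(i-1).
        seed = block if encrypting else data[i:i + 16]
    return out


def encrypt_service_password(password, secret, request_auth, salt=None):
    """Return the attribute Value: Salt followed by the encrypted String."""
    if salt is None:
        fresh = bytearray(os.urandom(SALT_LEN))
        fresh[0] |= 0x80                          # most significant bit must be set
        salt = bytes(fresh)
    if len(salt) != SALT_LEN or not salt[0] & 0x80:
        raise ValueError("Salt must be SALT_LEN octets with the top bit set")
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    plain = bytes([len(password)]) + password     # Data-Length + Password
    plain += bytes(-len(plain) % 16)              # zero padding to a multiple of 16
    if len(salt) + len(plain) > 247:
        raise ValueError("password too long for one attribute")
    return salt + _xor_blocks(plain, secret, request_auth + salt, True)


def decrypt_service_password(value, secret, request_auth):
    """Recover the password from a received attribute Value."""
    salt, cipher = value[:SALT_LEN], value[SALT_LEN:]
    if len(salt) != SALT_LEN or not salt[0] & 0x80:
        raise ValueError("missing Salt or top bit not set")
    if not cipher or len(cipher) % 16:
        raise ValueError("encrypted String must be a non-empty multiple of 16 octets")
    plain = _xor_blocks(cipher, secret, request_auth + salt, False)
    data_len = plain[0]
    # Assumes the sender used the recommended zero padding; a failure here is the
    # usual symptom of a wrong shared secret or Request Authenticator.
    if data_len > len(plain) - 1 or any(plain[1 + data_len:]):
        raise ValueError("Data-Length or padding inconsistent after decryption")
    return plain[1:1 + data_len]
```

The Data-Length and padding check is the only integrity signal this scheme offers, so a receiver should treat a failure as a configuration error rather than return a truncated password.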

Nokia vendor-specific attributes can be included in Access-Accept and Change-of-Authorization
messages. The required attributes for retrieving service components successfully are:

- Nokia-Service-Name or Nokia-Service-Id
- Nokia-Service-Primary-Indicator for one service to describe which service
  will be used as the primary service.

7.2 Retrieving service components dynamically


The Change-of-Authorization message is used for activating and terminating services
on the fly. While a PDP context is active, new services may be added or an already
active service may be terminated. When new services have been added, new connections
are activated, if necessary.

The RADIUS protocol does not allow unsolicited messages sent from the RADIUS server to
the Flexi ISN, however the CoA-Request is always sent from the RADIUS server to the
Flexi ISN (see the Disconnect-Requests). Thus, the roles of the Flexi ISN and the RADIUS
server must be reversed. The Flexi ISN acts like a RADIUS server when CoA-Request is
received (RFC 3576 [12]).

When the Flexi ISN receives the CoA-Request, it checks if the request can be fulfilled and
sends a response message; CoA-ACK (service components retrieved successfully) or CoA-NAK
(request failed) (RFC 3576 [12]).

The Flexi ISN accepts CoA-Requests sent by a RADIUS Authentication, Accounting or
Disconnect server configured in a Radius profile; however the optional RADIUS Accounting
servers are not accepted.

See also the common information for Disconnect- and CoA-Requests:

- Proxy-State attribute information in Section Support for RADIUS proxy
- New rules for Disconnect- and CoA-Request reading, Section Checks made on
  Disconnect-Requests and CoA-Requests; RFC 3576.

The used destination port for CoA-Request messages is UDP port 3799. For responses,
the source and destination ports are reversed. The packet format consists of the fields:
Code, Identifier, Length, Authenticator, and Attributes in Type:Length:Value (TLV)
format (RFC 3576 [12]). All fields hold the same meaning as those described in RADIUS
RFC 2865 [6]. The Authenticator field is calculated in the same way as specified for an
Accounting-Request (RFC 2866 [7]).

Unlike RADIUS as defined in RFC 2865 [6], the responsibility for retransmission of
CoA-Request messages lies with the RADIUS server (RFC 3576 [12]).

The RADIUS codes for the CoA messages are assigned as follows (RFC 3576 [12]):

- CoA-Request (43)
- CoA-ACK (44)
- CoA-NAK (45)

7.2.1 CoA-Request
To retrieve service components through the CoA-Request, the Nokia vendor-specific
attributes defined in Section User profile fetching must be used. The CoA-Request must
contain at least one of the following attributes for service component retrieval to
succeed:

- Acct-Session-Id. The user session identifier. The GGSN IP address and
  charging ID concatenated in a UTF-8 encoded hexadecimal.
- Acct-Multi-Session-Id. An identifier for multiple related sessions.

Additionally, the Nokia vendor-specific service attributes must be included in the
CoA-Request. The required service attributes are Nokia-Service-Name or Nokia-Service-Id.
The Nokia-Service-Primary-Indicator must be given to one service.

Flexi ISN is able to map received attributes to a unique service. This procedure
allows a service to be activated or terminated dynamically. The received attributes in the
Change-of-Authorization message will together contain a new replacing profile. This
makes terminating a service simple; the service that should be terminated is left out of
the replacing profile.


Note: The charging type (wallet ID and wallet charging type) of an already active service
cannot be changed in the updated user profile. This will lead to session termination.

Example 1

isp_service, default_service, and news_service are activated. news_service will be
terminated. A new replacing user profile is sent containing the attributes for isp_service
and default_service. In this case the Nokia-Service-Name or Nokia-Service-Id attribute for
the remaining services is enough.

Example 2

isp_service and news_service are activated. A new service, default_service, will be
activated. A new replacing user profile is sent containing attributes for isp_service,
news_service, and default_service. In this case all possible Nokia service attributes for
default_service must be included. Additionally, the Nokia-Service-Name or Nokia-Service-Id
attribute for already active services (isp_service and news_service) are included in the
user profile.

7.2.2 CoA-ACK

The CoA-ACK packet is sent when the CoA-Request has been received and the user
profile was read successfully. The Flexi ISN implementation sends the Event-Timestamp
attribute for security reasons in CoA-ACK.

7.2.3 CoA-NAK

The CoA-NAK packet is sent when the CoA-Request has been received and the service
component retrieving failed (for example, the required attributes are not included in
CoA-Request, the primary indicator is missing, the required service is not found, the
user session is not found, or the RADIUS server is not reliable).

The Flexi ISN implementation sends the Event-Timestamp attribute for security reasons and
the Error-Cause attribute with the value 404 (Invalid Request) in this message.
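An added example, not Flexi ISN code: a minimal responder that applies the CoA-Request handling described in this chapter together with the common checks from Sections 6.12 and 6.13 (Proxy-State copying, identity attribute matching, the 300-second Event-Timestamp window). The function names and the `sessions` lookup are assumptions, service-attribute processing is left out, and dropping requests with a bad authenticator is assumed rather than stated on the page.

```python
import hashlib
import hmac
import struct
import time

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45          # codes listed in section 7.2
USER_NAME, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 4, 32
PROXY_STATE, ACCT_SESSION_ID, ACCT_MULTI_SESSION_ID = 33, 44, 50
EVENT_TIMESTAMP, ERROR_CAUSE = 55, 101
INVALID_REQUEST = 404                                # Error-Cause sent in CoA-NAK
MAX_PROXY_STATES = 10                                # copy limit, section 6.12
TIMESTAMP_WINDOW = 300                               # seconds, section 6.13


def parse_attributes(data):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return attrs


def build_packet(code, ident, attrs, secret, seed=bytes(16)):
    """Encode a packet with authenticator MD5(Code+ID+Length+seed+Attributes+Secret).

    seed is 16 zero octets for a CoA-Request (Accounting-Request style) and the
    Request Authenticator of the request for a CoA-ACK or CoA-NAK.
    """
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + seed + body + secret).digest() + body


def handle_coa_request(packet, secret, sessions, now=None):
    """Return CoA-ACK or CoA-NAK bytes, or None when the request is discarded.

    sessions maps a session id to the {attribute type: value} pairs it must match.
    """
    now = int(time.time()) if now is None else now
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return None
    req_auth, body = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(req_auth, expected):
        return None      # assumption: a bad authenticator is dropped without a reply
    try:
        attrs = parse_attributes(body)
    except ValueError:
        return None      # assumption: malformed requests are dropped as well
    for a_type, value in attrs:
        if a_type == EVENT_TIMESTAMP and (
                len(value) != 4
                or abs(now - struct.unpack("!I", value)[0]) > TIMESTAMP_WINDOW):
            return None  # not current: silently discarded
    # Proxy-State attributes go back in order and unmodified, at most ten of them.
    reply = [(t, v) for t, v in attrs if t == PROXY_STATE][:MAX_PROXY_STATES]
    reply.append((EVENT_TIMESTAMP, struct.pack("!I", now)))
    ids = [v for t, v in attrs if t in (ACCT_SESSION_ID, ACCT_MULTI_SESSION_ID)]
    session = next((sessions[v] for v in ids if v in sessions), None)
    matches = session is not None and all(
        session.get(t, v) == v for t, v in attrs
        if t in (USER_NAME, NAS_IP_ADDRESS, NAS_IDENTIFIER))
    if matches:
        return build_packet(COA_ACK, ident, reply, secret, req_auth)
    reply.append((ERROR_CAUSE, struct.pack("!I", INVALID_REQUEST)))
    return build_packet(COA_NAK, ident, reply, secret, req_auth)
```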

7.3 Usage of the old service list fetching attribute

The service list information can also be delivered in the Nokia vendor-specific attribute
Nokia-UserProfile (as defined below). If the Nokia-UserProfile attribute is
used in tandem with the Nokia-Service attributes (defined in Section User profile
fetching), the information in the Nokia-UserProfile attribute will be ignored.

Note: This attribute can only be used in the Access-Accept message.


| Field Name | Length | Value |
| --- | --- | --- |
| Type | 1 octet | 26 (Vendor-Specific) |
| Length | 1 octet | 8 + N octets of the Value length |
| Vendor-Id | 4 octets | 94 (Nokia) |
| Vendor-Type | 1 octet | 2 (Nokia-UserProfile) |
| Vendor-Length | 1 octet | 2 + N octets of the Value length |
| Value | N octet | Encoded as a string. List of services and primary/prepaid flag (as defined below). |

The value is encoded as defined here:

- Services in the list are separated by a space character. One of the services will be
  marked with a '*' to be considered the primary service.
- The Service Aware profile from RADIUS may contain an indicator that the session
  is OCS prepaid. The indicator is a single dollar sign ('$'). It is placed in the list of
  active services as if it was an additional service.
- The order does not matter.

Below are some examples of possible values:

- $ isp_service *default_service news_service
- *corporate_access $ weather_service
- *wap_access $

If the prepaid indicator is present, it forces the session into OCS prepaid mode.
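An added example (not the product's code) that decodes the Nokia vendor-specific attributes in the format of Table 9 and of the Nokia-UserProfile attribute above, groups service attributes by Tag, and applies the rules from Sections 7.1 and 7.3. The function names and the layout of the returned dictionary are assumptions.

```python
import struct

NOKIA_VENDOR_ID = 94
USER_PROFILE = 2        # old Nokia-UserProfile attribute, carries no Tag field
CHARGING_TYPE = 8       # the only service attribute that may use Tag 0
SERVICE_FIELDS = {3: "name", 4: "id", 5: "username", 6: "password",
                  7: "primary", 8: "charging_type", 9: "encrypted_password"}


def nokia_vsa(vendor_type, payload):
    """Encode one Nokia VSA; payload is Tag + Value (or just Value for type 2)."""
    return (bytes([26, 8 + len(payload)])
            + struct.pack("!IBB", NOKIA_VENDOR_ID, vendor_type, 2 + len(payload)) + payload)


def iter_nokia_vsas(attr_bytes):
    """Yield (vendor_type, payload) for each Nokia VSA in an attribute area."""
    pos = 0
    while pos < len(attr_bytes):
        if pos + 2 > len(attr_bytes):
            raise ValueError("truncated attribute")
        a_type, a_len = attr_bytes[pos], attr_bytes[pos + 1]
        if a_len < 2 or pos + a_len > len(attr_bytes):
            raise ValueError("bad attribute length")
        body, pos = attr_bytes[pos + 2:pos + a_len], pos + a_len
        if a_type != 26 or len(body) < 6:
            continue
        vendor_id, v_type, v_len = struct.unpack("!IBB", body[:6])
        if vendor_id != NOKIA_VENDOR_ID:
            continue
        if v_len != len(body) - 4:     # Vendor-Length counts from Vendor-Type onwards
            raise ValueError("Vendor-Length does not match Length")
        yield v_type, body[6:]


def parse_user_profile(text):
    """Decode the Nokia-UserProfile string: '*' marks the primary, '$' means OCS prepaid."""
    tokens = [t for t in text.split(" ") if t]
    names = [t for t in tokens if t != "$"]
    primary = [n[1:] for n in names if n.startswith("*")]
    if len(primary) != 1:
        raise ValueError("exactly one service must be marked with '*'")
    return {"source": "user-profile", "services": [n.lstrip("*") for n in names],
            "primary": primary[0], "prepaid": "$" in tokens}


def build_profile(attr_bytes):
    """Turn the Nokia VSAs of one Access-Accept or CoA-Request into a profile."""
    by_tag, old_profile = {}, None
    for v_type, payload in iter_nokia_vsas(attr_bytes):
        if v_type == USER_PROFILE:
            old_profile = payload.decode("utf-8")
        elif v_type in SERVICE_FIELDS:
            if not payload or (payload[0] == 0 and v_type != CHARGING_TYPE):
                raise ValueError("Tag must be present and non-zero")
            by_tag.setdefault(payload[0], {})[SERVICE_FIELDS[v_type]] = payload[1:]
    if not by_tag:
        return parse_user_profile(old_profile) if old_profile is not None else None
    # Service attributes are present, so a Nokia-UserProfile in the packet is ignored.
    default_charging = by_tag.pop(0, {}).get("charging_type")
    primaries = [tag for tag, svc in by_tag.items() if "primary" in svc]
    if len(primaries) != 1:
        raise ValueError("Nokia-Service-Primary-Indicator must mark one service")
    for svc in by_tag.values():
        if "name" not in svc and "id" not in svc:
            raise ValueError("service needs Nokia-Service-Name or Nokia-Service-Id")
        if default_charging is not None:
            svc.setdefault("charging_type", default_charging)
    return {"source": "service-attributes", "services": by_tag, "primary": primaries[0]}
```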

8 References

1. RADIUS Attributes. Cisco web documentation. http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt6/scradatb.htm
2. 3GPP TS 29.060 GPRS Tunnelling Protocol (GTP) across the Gn and Gp interface (Release 6), V6.6.0 (2004-09)
3. 3GPP TS 29.061 Interworking between the Public Land Mobile Network (PLMN) supporting Packet Based Services and Packet Data Networks (PDN), V5.9.1 (2005-06)
4. 3GPP TS 32.015 Telecommunications management; Charging management; 3G call and event data for the Packet Switched (PS) domain, v3.12.0, 2003
5. RFC 2548 Microsoft Vendor-specific RADIUS Attributes, G. Zorn. http://www.ietf.org/rfc/rfc2548.txt
6. RFC 2865 Remote Authentication Dial In User Service (RADIUS), C. Rigney et al. http://www.ietf.org/rfc/rfc2865.txt
7. RFC 2866 RADIUS Accounting, C. Rigney. http://www.ietf.org/rfc/rfc2866.txt
8. RFC 2867 RADIUS Tunnel Accounting Support, G. Zorn et al. http://www.ietf.org/rfc/rfc2867.txt
9. RFC 2868 RADIUS Attributes for Tunnel Protocol Support, G. Zorn et al. http://www.ietf.org/rfc/rfc2868.txt
10. RFC 2869 RADIUS Extensions, C. Rigney et al. http://www.ietf.org/rfc/rfc2869.txt
11. RFC 2882 Network Access Servers Requirements: Extended RADIUS Practices, D. Mitton. http://www.ietf.org/rfc/rfc2882.txt
12. RFC 3576 Dynamic Authorization Extensions to Remote Authentication Dial-In User Service (RADIUS), Murtaza S. Chiba et al. http://www.ietf.org/rfc/rfc3576.txt

9 Abbreviations

AAA     Authentication, Authorization and Accounting
APN     Access Point Name
ASCII   American Standard Code for Information Interchange
CDR     Charging Data Record
CE      Capacity Extender
CHAP    Challenge Handshake Authentication Protocol
CoA     Change-of-Authorization
DC      Dual-Chassis
DNS     Domain Name Server
FIFO    First In First Out
FQDN    Fully Qualified Domain Name
G-CDR   GGSN CDR
GGSN    Gateway GPRS Support Node
GPRS    General Packet Radio Service
GRE     Generic Routing Encapsulation
GTP     GPRS Tunnelling Protocol
HLR     Home Location Register
ICD     Intelligent Content Delivery
IE      Information Element
IMEISV  International Mobile Equipment Id and its Software Version
IMSI    International Mobile Subscriber Identity
IP      Internet Protocol
IP-IP   IP in IP Tunnel Protocol
L2TP    Layer 2 Tunnel Protocol
LAC     Link Access Control
MCC     Mobile Country Code
MD5     Message Digest Algorithm
MNC     Mobile Network Code
MSISDN  Mobile Station ISDN
NAS     Network Access Server
OCS     Online Charging System
OSC     Online Service Controller
PAP     Password Authentication Protocol
PCO     Packet Configuration Options
PDP     Packet Data Protocol
PLMN    Public Land Mobile Network
PPP     Point-to-Point Protocol
QoS     Quality of Service
RADIUS  Remote Authentication Dial-in User Service
RAI     Routing Area Identity
RAT     Radio Access Technology
RFC     Request For Comment
RSA     Rivest-Shamir-Adleman
SB      Service Blade
SGSN    Serving GPRS Support Node
SLIP    Serial Line IP protocol
TA      Traffic Analyzer
TREC    Treatment Class
TRW     Transmission Window
UDP     User Data Protocol
UE      User Equipment
