Professional Documents
Culture Documents
06
Nokia Siemens Networks Flexi ISN, Rel.
4.0
Operating Documentation, v.6
RADIUS Interface, Interface Description
DN70119375
Issue 5-3 en
The information in this document is subject to change without notice and describes only the
product defined in the introduction of this documentation. This documentation is intended for the
use of Nokia Siemens Networks customers only for the purposes of the agreement under which
the document is submitted, and no part of it may be used, reproduced, modified or transmitted
in any form or means without the prior written permission of Nokia Siemens Networks. The
documentation has been prepared to be used by professional and properly trained personnel,
and the customer assumes full responsibility when using it. Nokia Siemens Networks welcomes
customer comments as part of the process of continuous development and improvement of the
documentation.
The information or statements given in this documentation concerning the suitability, capacity,
or performance of the mentioned hardware or software products are given "as is" and all liability
arising in connection with such hardware or software products shall be defined conclusively and
finally in a separate agreement between Nokia Siemens Networks and the customer. However,
Nokia Siemens Networks has made all reasonable efforts to ensure that the instructions
contained in the document are adequate and free of material errors and omissions. Nokia
Siemens Networks will, if deemed necessary by Nokia Siemens Networks, explain issues which
may not be covered by the document.
Nokia Siemens Networks will correct errors in this documentation as soon as possible. IN NO
EVENT WILL Nokia Siemens Networks BE LIABLE FOR ERRORS IN THIS DOCUMENTATION OR FOR ANY DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, DIRECT, INDIRECT, INCIDENTAL OR CONSEQUENTIAL OR ANY LOSSES, SUCH AS BUT NOT LIMITED
TO LOSS OF PROFIT, REVENUE, BUSINESS INTERRUPTION, BUSINESS OPPORTUNITY
OR DATA,THAT MAY ARISE FROM THE USE OF THIS DOCUMENT OR THE INFORMATION
IN IT.
This documentation and the product it describes are considered protected by copyrights and
other intellectual property rights according to the applicable laws.
The wave logo is a trademark of Nokia Siemens Networks Oy. Nokia is a registered trademark
of Nokia Corporation. Siemens is a registered trademark of Siemens AG.
Other product names mentioned in this document may be trademarks of their respective
owners, and they are mentioned for identification purposes only.
Copyright Nokia Siemens Networks 2010. All rights reserved
Id:0900d80580804d96
Table of Contents
This document has 96 pages.
2 Introduction . . . 11
2.1 About . . . 11
2.2 Audience . . . 11
3 Overview . . . 12
3.2.1 Authentication operations . . . 14
3.2.2 Accounting operations . . . 15
3.2.3 Configuration parameters . . . 15
3.3 Interface protocol . . . 26
3.3.1 Message flow . . . 26
4 RADIUS license . . . 30
5 Data elements . . . 31
5.1 RADIUS interface data format . . . 31
5.1.1 Code . . . 31
5.1.2 Identifier . . . 32
5.1.3 Length . . . 32
5.1.4 Authenticator . . . 32
5.2 Attributes . . . 33
5.2.1 Vendor-specific attribute encoding . . . 44
5.2.2 Attributes sent and received by Flexi ISN . . . 54
5.2.2.1 Access Request . . . 55
5.2.2.2 Access Accept . . . 56
5.2.2.3 Accounting Request Start . . . 57
5.2.2.4 Accounting Request Interim-Update . . . 59
5.2.2.5 Accounting Request Stop . . . 61
5.2.2.6 Accounting Request On/Off . . . 63
5.2.2.7 Disconnect Request . . . 63
5.2.2.8 Disconnect ACK . . . 64
5.2.2.9 Disconnect NAK . . . 64
5.2.2.10 Change of Authorisation (CoA) Request . . . 64
5.2.2.11 Change of Authorisation (CoA) ACK . . . 65
5.2.2.12 Change of Authorisation (CoA) NAK . . . 65
6 Additional features . . . 66
References . . . 94
Abbreviations . . . 95
List of Figures
Figure 1 RADIUS message flow, basic case . . . 27
Figure 2 RADIUS message flow, change PDP context parameters . . . 28
Figure 3 RADIUS message flow, disconnect by RADIUS server . . . 29
Figure 4 RADIUS . . . 80
List of Tables
Table 1 to Table 16
Numeric ID
Encode Vendor-Specific Attributes Separately
User Authentication Method
Override User Name Containing APN/MSISDN
IP Address Generation Method
Dynamic Tunnels
Secondary Account Server Mode
RADIUS Accounting Mode
Section RADIUS in the Flexi ISN environment has been updated with a Note.
The length value of the attribute NSN-Tunnel-Override-Username in Section Tunnelling attributes related to user authentication has been changed from 12 to 10.
1.2
1.3
Section RADIUS license has been updated with information about the Optional Radius
Accounting in 3GPP mode feature.
1.4
1.5
1.6
New attributes
Changes in documentation
Section Configuration parameters: a new tunnelling parameter has been added (Client tunnelling IP Address).
Section Message flow: the text has been updated.
Section Attributes: in Table Attributes used by Flexi ISN the descriptions of the Acct-Input-Octets and Acct-Output-Octets attributes have been modified.
Section Attributes sent and received by Flexi ISN: the structure has been modified and the tables have been updated. The following new sections have been added:
Acct-Terminate-Cause
Values and profiles determined through RADIUS
Section RADIUS in the Flexi ISN environment: a clarification has been added about switching back to the primary server from the secondary server, and information has been added about the Accounting To Authentication Server option.
Section Authentication operations: validation information has been updated.
Section Configuration parameters: the following parameters have been added: Switchover time, Tunneling in Authentication, Tunneling in Accounting, and Accounting To
Authentication Server.
Section Message flow: the figures have been modified.
1.7
2 Introduction
This document specifies the interface between the Flexi ISN and its counterpart server
for delivering subscriber identification, the remote authentication dial-in user service
(RADIUS) server. This document is mainly based on RFC 2865 [6] and RFC 2866 [7],
together with 3GPP standard TS 29.061 [3].
2.1 About
The main sections of this document are:
Overview
This specifies the delivery of subscriber identification, the reference model, and the
interfaces between the Flexi ISN and the RADIUS server.
Data elements
This specifies the data elements for RADIUS authentication and accounting supported by the Flexi ISN.
Additional features
This specifies some new attributes and additional features supported by the Flexi
ISN.
Retrieving service components
This specifies the service aware features in RADIUS; user profile fetching during
authentication and dynamically by using the CoA message.
It is not within the scope of this document to specify the Nokia proprietary RADIUS specification between the Flexi ISN and Nokia Online Service Controller (OSC), used in the
Intelligent Content Delivery (ICD) system.
2.2 Audience
Users of this document should have a basic knowledge of the Flexi ISN, wireless networks, the Internet, RADIUS, and the RADIUS accounting and authentication protocols.
billing
access control
personalisation of services
The Flexi ISN supports these activities during request processing when it resolves subscriber identifiers by using the RADIUS accounting protocol (RFC 2866 [7]). The interface protocol is further explained in Section Interface protocol.
The Flexi ISN also uses authentication packets provided by RFC 2865 [6].
RADIUS is transported by means of User Datagram Protocol (UDP), where the UDP
destination port field is number 1812 for RADIUS Authentication messages, and number
1813 is for RADIUS Accounting messages.
Note: The interface between the Flexi ISN and the Traffic Analyser (TA) is based on Internet Protocol (IP) and RADIUS. This is, however, not described here, because the Flexi ISN-TA interface is invisible to the Flexi ISN. Nokia TA listens to RADIUS Accounting Start, Stop, Interim Update, On, and Off messages sent by the Flexi ISN. For the use of advanced features in Nokia TA, the RADIUS 3GPP Accounting mode needs to be enabled.
3.1
Client/Server model
A Flexi ISN operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response that is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver a service to the user.
Network security
Transactions between the client and the RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and the RADIUS server to eliminate the possibility that someone snooping on an unsecured network could determine a user's password. When a user password is present, it is hidden using a method based on the RSA Message Digest Algorithm version 5 (MD5).
Flexible authentication mechanisms
The RADIUS server can support a variety of methods to authenticate a user. When it is provided with the user name and the original password given by the user, it can support PPP PAP or CHAP, UNIX login, and other authentication mechanisms.
Extensible protocol
All transactions are comprised of variable-length Attribute-Length-Value 3-tuples. New attribute values can be added without disturbing existing implementations of the protocol.
3.2
In the Backup mode, the Flexi ISN forwards requests to a secondary server if the
primary server is down or unreachable. In the Backup mode, the Flexi ISN also remembers the IP address of the RADIUS server that responded separately for each primary
PDP context, in other words during one session. If the Accounting To Authentication
Server option is enabled and authentication is used, accounting for the PDP context will
be transmitted to the authentication server where the PDP context was authenticated (if
authentication and accounting have all the same properties except the port number,
which is the fixed value 1813, not read from the configuration). This functionality is supported for any primary/secondary server combination, but not for the 3rd - 7th accounting servers.
In the Semi Redundancy mode, the difference is that the Flexi ISN sends the request to the primary and secondary servers at the same time. If one of the servers responds, the accounting process continues normally, since a single server's response is considered a success. There are no switchovers between the primary and secondary server in this mode because requests are always sent to both servers. No retransmission timeouts are performed if a response is received from either of the two accounting servers, in order to speed up the PDP context activation. Retransmissions are sent to both servers if they are out of service or no response is received. If the retransmission timeout setting expires, alarms are raised for both servers to notify that they are out of service.
In the Redundancy mode, requests are sent simultaneously to both servers and Flexi ISN treats them separately. As soon as a response is sent from one server to Flexi ISN, the PDP context activation procedure continues. Flexi ISN will continue sending retransmissions to the other server until it receives a response or the retransmission timeout setting expires. In case of no response, an alarm is raised indicating that this server is out of service. Flexi ISN will continue to send requests to both RADIUS servers on subsequent PDP Context Activations. Alarms are raised for both servers if they are out of service.
There are five extra RADIUS accounting servers (also known as 'fire and forget' servers) to which accounting messages are sent if those servers are configured in the accounting profile that the access point in use points to. It is important to note that the primary and secondary servers have different characteristics and supported features from the fire and forget servers. All accounting messages that are sent to the primary or secondary accounting server are sent to these servers only once, after a response from the primary/secondary server has been received. This means that there is no retransmission to these servers. Note that if there is no reply to an Accounting Start message for a PDP context from the primary or secondary accounting servers, nothing will be sent to accounting servers 3 to 7 for the PDP context. The content of the accounting messages is slightly different for fire and forget messages. The Accounting To Authentication Server functionality does not cover fire and forget servers.
The Flexi ISN does not expect any Accounting-Response messages from the extra
RADIUS accounting servers for the sent Accounting-Requests. Note that if there is no
reply to an Accounting Start message for a PDP context from the primary or secondary
accounting servers, nothing will be sent to the extra RADIUS accounting servers regarding the PDP context.
Note: Accounting messages are sent to 'fire and forget' servers after the response of either the primary or the secondary server, as described above, but only for the "primary" connection of the primary PDP context. In the case of "secondary" connections, the accounting messages are not forwarded to 'fire and forget' servers, so this functionality cannot be used in Service Access Points.
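The Backup, Semi Redundancy and Redundancy behaviour described above, together with the 'fire and forget' forwarding rule, modelled in Python as an added illustration (this is not Flexi ISN code). Server reachability is an input flag, a reachable server is assumed to answer the first attempt, and the retransmission schedule is taken to be the Table 1 default Retransmission Timeouts (2, 4, 8 seconds) with one retransmission after each timeout except the last; that schedule detail is an assumption, not something the document states.

```python
"""Model of the Flexi ISN secondary accounting server modes (added illustration,
not Flexi ISN code). Assumptions: a reachable server answers the first attempt;
the retransmission schedule is the Table 1 default (2, 4, 8 s) with one
retransmission after each timeout except the last, after which it has expired."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RETRANSMISSION_TIMEOUTS = (2, 4, 8)   # seconds, Table 1 default


@dataclass
class Result:
    sends: List[Tuple[str, int]] = field(default_factory=list)  # (server, send time in s)
    responder: Optional[str] = None    # server whose response let the PDP context continue
    alarms: List[str] = field(default_factory=list)             # servers reported out of service
    fire_and_forget_sent: bool = False  # forwarded to servers 3..7 only after a response


def _full_sequence(server: str, reachable: bool, r: Result, start: int = 0) -> Tuple[bool, int]:
    """Send, then retransmit through the whole timeout sequence; alarm on expiry."""
    t = start
    r.sends.append((server, t))
    if reachable:
        r.responder = r.responder or server
        return True, t
    for i, timeout in enumerate(RETRANSMISSION_TIMEOUTS):
        t += timeout
        if i < len(RETRANSMISSION_TIMEOUTS) - 1:
            r.sends.append((server, t))
    r.alarms.append(server)           # no response at all within the timeout sequence
    return False, t


def _finish(r: Result) -> Result:
    r.sends.sort(key=lambda s: s[1])
    # No reply to the Accounting Start from primary/secondary: nothing goes to servers 3..7.
    r.fire_and_forget_sent = r.responder is not None
    return r


def backup_mode(primary_up: bool, secondary_up: bool) -> Result:
    """Full timeout sequence on the primary; only then a switch to the secondary."""
    r = Result()
    answered, t = _full_sequence("primary", primary_up, r)
    if not answered:
        _full_sequence("secondary", secondary_up, r, start=t)
    return _finish(r)


def semi_redundancy_mode(primary_up: bool, secondary_up: bool) -> Result:
    """Both servers at once; a single response is success and stops retransmission."""
    r = Result()
    t = 0
    r.sends += [("primary", t), ("secondary", t)]
    if primary_up or secondary_up:
        r.responder = "primary" if primary_up else "secondary"
    else:
        for i, timeout in enumerate(RETRANSMISSION_TIMEOUTS):
            t += timeout
            if i < len(RETRANSMISSION_TIMEOUTS) - 1:
                r.sends += [("primary", t), ("secondary", t)]
        r.alarms += ["primary", "secondary"]
    return _finish(r)


def redundancy_mode(primary_up: bool, secondary_up: bool) -> Result:
    """Both servers at once, each tracked separately: the first response lets the PDP
    context continue while retransmissions to the other server run to expiry."""
    r = Result()
    for server, up in (("primary", primary_up), ("secondary", secondary_up)):
        _full_sequence(server, up, r)  # both sequences start at t = 0
    return _finish(r)
```

Running `backup_mode(False, True)` shows the cost of the Backup mode when the primary is down: three sends to the primary, an alarm, and the first send to the secondary only after the whole sequence has expired, whereas `redundancy_mode(False, True)` gets its answer at time 0 and still raises the primary alarm.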
3.2.1 Authentication operations
When the Flexi ISN has obtained the authentication information from the user, it creates
an Access-Request containing attributes such as the user's name, the user's password,
the ID of the client, and the Port ID that the user is accessing.
The Access-Request is submitted to the RADIUS server via the network. If no response
is returned within a certain length of time, the request is re-sent a number of times. The
Flexi ISN can also forward requests to an alternate server (secondary server) if the
primary server is down or unreachable.
Once the RADIUS server receives the request, it validates the sending Flexi ISN. The
Flexi ISN must have a shared secret with the RADIUS server, otherwise it will silently
discard the request. If the Flexi ISN is valid, the RADIUS server consults a database of
users to find the user whose name matches the request.
If any condition is not met, the RADIUS server sends an Access-Reject response indicating that this user request is invalid.
If all conditions are met and the RADIUS server wishes to issue a challenge to which the
user must respond, the RADIUS server sends an Access-Challenge response. It may
include a text message to be displayed by the GGSN/ISN to the user prompting for a
response to the challenge, and may include a State attribute. The client could then
resubmit its original Access-Request with a new request ID, with the User-Password
attribute replaced by the response (encrypted), and including the State attribute from
the Access-Challenge, if any.
Flexi ISN does not support the challenge/response exchange; it treats the challenge as though it had received an Access-Reject and sends a new Access-Request. Flexi ISN does not support this because there is no way for the Flexi ISN to communicate with the user.
If all conditions are met, the list of configuration values for the user is placed into an
Access-Accept response. These values include the type of service (for example: SLIP,
PPP, Login User) and all the necessary values to deliver the desired service.
3.2.2 Accounting operations
The Flexi ISN supports and sends the following RADIUS Accounting messages to the
RADIUS accounting server:
Accounting Start
This is used when a PDP context is created.
Accounting Stop
This is used when a PDP context is deleted.
Accounting ON
This is sent to the RADIUS server at the time the access point becomes active so
that the IP addresses (that have possibly been left hanging) can be released.
Accounting OFF
This is sent to the RADIUS server at the time the access point becomes inactive so
that the IP addresses can be released.
Accounting Interim-Update
This is sent to the RADIUS server when the PDP context is updated.
3.2.3 Configuration parameters
The RADIUS configuration in the Flexi ISN is located in the RADIUS profiles configuration. For instructions on configuring the RADIUS interface, see Access Points in Nokia Siemens Networks Flexi ISN.
Table 1
Parameter | Values | Description
Numeric ID | 0 - 2147483647 | Some RADIUS servers cannot handle access point names and require a numeric value for identification. The Numeric ID parameter is inserted into the Called-Station-ID. If the value 0 is inserted, no attribute is sent.
Profile Name | (string) |
RowStatus | |
Client IP Address | IPv4 address |
Type | Normal (IPv4), GRE Tunnel (IPv4), IP over IP (IPv4) |
Retransmission Timeouts | (Default) 2 4 8 | RADIUS retransmission timeouts in seconds.
RoutingInstance | routing instance |
| IPv4 address |
| IPv4 address |
| IPv4 address |
| 1 min to 30 min |
Table 2
Parameter | Values | Description
Primary/Secondary Authentication Server IP Address | IPv4 address |
Port Number | 0 - 65535, (default) 1812 |
Primary/Secondary Authentication Server Key | (string) |
Description | (string) |
User Authentication Method (Routing Instance > Config (Default) > Flexi ISN Configuration > Access Point Configuration > Access Points) | Radius, Simple Authentication, IMSI SGSN, IMSI SGSN-3GPP |
IP Address Generation Method (Routing Instance > Config (Default) > Flexi ISN Configuration > Access Point Configuration > Access Points) | GGSN, DHCP, Radius |
Authentication Operation | |
Dynamic Tunnels (Routing Instance > Config (Default) > Flexi ISN Configuration > Access Point Configuration > Access Points) | |
Table 3
Parameter | Values | Description
Primary/Secondary Accounting Server IP Address | IPv4 address |
Port Number | 0 - 65535, (default) 1813 |
Primary/Secondary Accounting Server Key | (string) |
Description | (string) |
Third/Fourth/Fifth/Sixth/Seventh accounting server | IPv4 address; 0 - 65535, (default) 1813; (string); (string) |
RADIUS Accounting Mode (Routing Instance > Config (Default) > Flexi ISN Configuration > Access Point Configuration > Access Points) | WAP Gateway |
| WAP Gateway, server optional |
| 3GPP | Sub-attributes that comply with the 3GPP standard and some Nokia vendor-specific attributes are included in Accounting Request packets. In addition, the Acct-Input-Gigawords and Acct-Output-Gigawords attributes are also included.
| 3GPP, server optional |
Secondary Account Server Mode | Backup | A fully configured timeout sequence is tried with the primary server and then with the secondary server if the primary does not respond. If no responses are received at all from the primary Accounting server within a retransmission timeout, an alarm is raised for the primary server and then there is a switch to the secondary Accounting server. In the particular case that the retransmission timeout is reached for the primary Accounting server for some RADIUS Accounting requests (for example, due to capacity issues), but at the same time Flexi receives responses from the same server for other pending Accounting Requests, there is still a switch to the secondary Accounting server, but no alarm is raised for the primary server, since there is no indication that it is inactive.
| Semi Redundancy |
| Redundancy |
Interim Accounting | Enabled / Disabled |
ON/OFF/STOP | STOP | No 'RADIUS accounting ON or OFF' messages are sent, but possible 'RADIUS accounting STOP' messages are sent if the access point status is changed from 'Active' to 'Not in service'.
Accounting To Authentication Server | Disabled / Enabled | If this parameter is enabled and authentication is used, accounting for the PDP context is transmitted to the RADIUS server that has the same configuration parameters, except for the port number (fixed value 1813).
Table 4
Parameter | Values | Description
Disconnect Server IP Address 1 / 2 / 3 / 4 | IPv4 address |
Disconnect Server Description 1 / 2 / 3 / 4 | (string) |
3.3 Interface protocol
The interface between the Flexi ISN and the RADIUS server must follow the rules
defined in RFC 2865 [6] and RFC 2866 [7], including those for handling retransmissions
and request acknowledgements.
3.3.1 Message flow
Figure 1 (RADIUS message flow, basic case), Figure 2 (RADIUS message flow, change PDP context parameters) and Figure 3 (RADIUS message flow, disconnect by RADIUS server) represent the RADIUS message flows between a Flexi ISN and an authentication, authorization and accounting (AAA) server.
Figure 1 RADIUS message flow, basic case
Figure 2 RADIUS message flow, change PDP context parameters
Note: When a CoA contains a Nokia-TREC-Index that results in a new QoS for the PDP context, Flexi ISN triggers an Update PDP Context Request with the new QoS (see Section Determining TREC through RADIUS).
Figure 3 RADIUS message flow, disconnect by RADIUS server
4 RADIUS license
Some RADIUS features require a valid license to be enabled. The following configuration options require the RADIUS addition license:
The following functionalities require the Network Based QoS Control license:
5 Data elements
The attributes defined in this section comply with the same basic attribute formats given
in RFC 2865 [6] and RFC 2866 [7].
5.1 RADIUS interface data format
Code | Identifier | Length | Authenticator | Attributes (Type | Length | Value)
Table 5 RADIUS interface data format
5.1.1 Code
The code (the field in the first octet of a packet) identifies the type of the RADIUS packet. If a packet is received with an invalid code field, it is discarded (length, 1 octet). The codes are the following:
Code 1: Access-Request
The Access-Request code (1) is sent by the Flexi ISN to the RADIUS server. It conveys the information used to determine whether a user is allowed to access a specific network access server and if there are any special requests for that user. The Access-Request code must be transmitted when wishing to authenticate a user and must contain a User-Name attribute and either a User-Password or CHAP-Password attribute. Upon receipt of an Access-Request from a valid client, an appropriate reply must be transmitted.
Code 2: Access-Accept
The Access-Accept code (2) is sent by the RADIUS server and provides the specific configuration information necessary to begin the delivery of service to the user. If all the attribute values received in an Access-Request are acceptable, the RADIUS implementation must transmit a packet with the Code field set to 2 (Access-Accept). On reception of an Access-Accept, the Identifier field is matched with a pending Access-Request. Additionally, the Response Authenticator field must contain the correct response for the pending Access-Request.
Code 3: Access-Reject
The RADIUS server transmits the Access-Reject code (3) if any value for the received attributes is not acceptable.
Code 4: Accounting-Request
The Accounting-Request code (4) is sent by the Flexi ISN to the RADIUS server and conveys information used to provide accounting for a service. The server must transmit
5.1.2 Identifier
The identifier aids in matching requests and replies (length, 1 octet).
5.1.3 Length
The length indicates the length of the packet, including the Code, Identifier, Length, Authenticator, and Attributes (length, 2 octets). The minimum length is 20 and the maximum is 4096. The Flexi ISN silently discards packets received with an invalid length.
5.1.4 Authenticator
The authenticator is used to authenticate the reply from the RADIUS server and to authenticate the messages between the Flexi ISN and the RADIUS server (length, 16 octets, the most significant octet is transmitted first). There are two types of authenticators:
Request Authenticator
In Access-Request packets, the authenticator value is a 16-octet random number called the Request Authenticator. The value should be unpredictable and unique in the lifetime of a secret (the password shared by the client and the RADIUS server). Since it is expected that the same secret may be used to authenticate the servers in different geographic regions, the Request Authenticator field should display global and temporal uniqueness (RFC 2865 [6]). In Accounting-Request packets, the authenticator value is a 16-octet MD5 checksum, called the Request Authenticator (RFC 2866 [7]). The authenticator value in Disconnect-Request packets and Change-of-Authorization-Request packets is encoded the same way as the authenticator value in Accounting-Request packets (RFC 3576 [12]).
Response Authenticator
The Authenticator field in Access-Accept, Access-Reject, and Access-Challenge packets is called the Response Authenticator, and contains a one-way MD5 hash calculated over a stream of octets consisting of:
the RADIUS packet, beginning with the Code field, including the Identifier, the Length and the Request Authenticator field from the Access-Request packet, and
the response attributes, followed by the shared secret (RFC 2865 [6]).
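The two authenticator constructions above, worked through in Python as an added example (this is not Flexi ISN code, nor code from the RFCs): an Access-Request with a random Request Authenticator and a User-Password hidden with the MD5-based method, an Accounting-Request whose Request Authenticator is the MD5 checksum described above (the same construction the text gives for Disconnect-Request and CoA-Request), and the Response Authenticator check a client performs before acting on a reply. The shared secret, identifiers, user name, password and attribute values are constructed test data.

```python
"""RADIUS authenticators (RFC 2865 / RFC 2866): build and verify.
Added example; not Flexi ISN code. Secret, identifiers and values are constructed."""
import hashlib
import hmac
import os
import struct

HEADER_LEN = 20   # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
USER_NAME, USER_PASSWORD, SESSION_TIMEOUT, ACCT_STATUS_TYPE = 1, 2, 27, 40


def attribute(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the Type and Length octets too."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Header plus attributes; the Length field covers the whole packet."""
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs)) + authenticator + attrs


def hide_password(password: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to 16-octet blocks and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Server-side inverse of hide_password; padding NULs are stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def accounting_request_authenticator(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2866: MD5 over Code + Identifier + Length + 16 zero octets + attributes + secret."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def response_authenticator(code: int, identifier: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865: MD5 over Code + Identifier + Length + Request Authenticator + attributes + secret."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check before acting on a reply: recompute the Response Authenticator
    from the pending request's Request Authenticator and compare in constant time."""
    if not HEADER_LEN <= len(reply) <= 4096:
        return False
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, identifier, request_auth, reply[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, reply[4:HEADER_LEN])


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Accounting-server-side check of an incoming Accounting-Request."""
    if not HEADER_LEN <= len(packet) <= 4096:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = accounting_request_authenticator(identifier, packet[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def exchange(secret: bytes, request_auth: bytes = None):
    """Constructed Access-Request / Access-Accept pair and an Accounting-Request Start."""
    request_auth = request_auth or os.urandom(16)   # unpredictable and unique per request
    req_attrs = (attribute(USER_NAME, b"user@apn.example")
                 + attribute(USER_PASSWORD, hide_password(b"constructed-pw", request_auth, secret)))
    access_request = build_packet(ACCESS_REQUEST, 7, request_auth, req_attrs)
    accept_attrs = attribute(SESSION_TIMEOUT, struct.pack("!I", 3600))
    access_accept = build_packet(ACCESS_ACCEPT, 7, response_authenticator(
        ACCESS_ACCEPT, 7, request_auth, accept_attrs, secret), accept_attrs)
    acct_attrs = (attribute(USER_NAME, b"user@apn.example")
                  + attribute(ACCT_STATUS_TYPE, struct.pack("!I", 1)))   # 1 = Start
    acct_start = build_packet(ACCOUNTING_REQUEST, 8,
                              accounting_request_authenticator(8, acct_attrs, secret), acct_attrs)
    return access_request, access_accept, acct_start
```

`verify_response` is the step the text calls matching the Response Authenticator against the pending request: a reply whose Identifier matches but whose authenticator was computed with a different Request Authenticator, a different secret, or over altered attributes is rejected. The comparison uses `hmac.compare_digest` so the check does not leak how many leading octets matched.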
5.2 Attributes
RADIUS attributes carry the specific authentication, authorisation, information, and configuration details for the request and reply. The attribute format is shown in Table 6:
Type | Length | Value
Table 6 Attribute format
Type
The Type field is one octet. The Flexi ISN ignores attributes with an unknown type.
Length
The Length field is one octet, and it indicates the length of this attribute including the Type, Length, and Value fields. The Flexi ISN ignores attributes with an invalid length.
Value
The Value field is zero or more octets and contains information specific to the attribute. The Type and Length fields determine the format and length of the Value field.
Note: None of the types in RADIUS terminate with a null character (NUL, \0, hex 00). In particular, the types 'text' and 'string' in RADIUS do not terminate with a NUL. The Value field's length is determined by the Length field and does not use a terminator.
The format of the Value field is one of the five data types:
Text
1-253 octets containing UTF-8 encoded 10646 characters. Texts of zero length must
not be sent.
String
1-253 octets containing binary data (values 0 through 255 decimal, inclusive).
Strings of zero length must not be sent.
Address
A 32 bit value, the most significant octet first.
Integer
A 32 bit unsigned value, the most significant octet first.
Time
A 32 bit unsigned value, the most significant octet first - in seconds since 00:00:00
UTC, January 1, 1970.
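A parser for the packet and attribute layout described in this section, added here as an example (not Flexi ISN code). It applies the discard and ignore rules the text states: a packet with an invalid Code or an invalid length is discarded, an attribute with an unknown Type or an invalid Length is ignored, and text and string values are bounded by the Length field alone with no NUL terminator. The five value types are decoded as given above; Vendor-Specific (26) is split into Vendor-Id and vendor sub-attributes in the RFC 2865 layout. The sample Accounting-Request, its addresses, session id and IMSI are constructed; the 3GPP enterprise number 10415 and its sub-attribute 1 (3GPP-IMSI) are the TS 29.061 values.

```python
"""Parser for RADIUS packets and Type-Length-Value attributes (RFC 2865 layout).
Added example; not Flexi ISN code. The sample packet below is constructed."""
import struct
from datetime import datetime, timezone
from ipaddress import IPv4Address

PACKET_MIN, PACKET_MAX = 20, 4096
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge",
         40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
# Type numbers from RFC 2865/2866/2869; kinds are the five RADIUS data types plus VSA.
ATTRIBUTES = {
    1: ("User-Name", "text"), 4: ("NAS-IP-Address", "address"), 5: ("NAS-Port", "integer"),
    8: ("Framed-IP-Address", "address"), 25: ("Class", "string"),
    26: ("Vendor-Specific", "vsa"), 27: ("Session-Timeout", "integer"),
    28: ("Idle-Timeout", "integer"), 30: ("Called-Station-Id", "text"),
    31: ("Calling-Station-Id", "text"), 33: ("Proxy-State", "string"),
    40: ("Acct-Status-Type", "integer"), 42: ("Acct-Input-Octets", "integer"),
    43: ("Acct-Output-Octets", "integer"), 44: ("Acct-Session-Id", "text"),
    49: ("Acct-Terminate-Cause", "integer"), 55: ("Event-Timestamp", "time"),
}


class DiscardPacket(ValueError):
    """Raised where the text says the packet is silently discarded."""


def decode_value(kind: str, value: bytes):
    """Decode per data type; None means the length is wrong for the type (attribute ignored)."""
    if kind in ("address", "integer", "time") and len(value) != 4:
        return None
    if kind == "address":
        return str(IPv4Address(value))                 # 32-bit value, most significant octet first
    if kind == "integer":
        return struct.unpack("!I", value)[0]
    if kind == "time":                                 # seconds since 1970-01-01 00:00:00 UTC
        return datetime.fromtimestamp(struct.unpack("!I", value)[0], timezone.utc)
    if kind == "text":
        return value.decode("utf-8")                   # bounded by Length, no NUL terminator
    if kind == "vsa":                                  # Vendor-Id (4 octets) then vendor TLVs
        if len(value) < 6:
            return None
        return {"vendor_id": struct.unpack("!I", value[:4])[0],
                "sub": parse_tlvs(value[4:], known=None)}
    return value                                       # "string": raw octets 0..255


def parse_tlvs(buf: bytes, known=ATTRIBUTES) -> list:
    """Walk Type-Length-Value triples. An invalid Length loses the framing, so parsing
    stops there; an unknown Type is skipped and parsing continues."""
    out, i = [], 0
    while i + 2 <= len(buf):
        t, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            break                                      # invalid attribute length: ignore the rest
        value = buf[i + 2:i + length]
        i += length
        if known is None:                              # vendor sub-attributes: keep raw
            out.append((t, value))
            continue
        if t not in known:
            continue                                   # unknown type: ignored
        name, kind = known[t]
        decoded = decode_value(kind, value)
        if decoded is not None:
            out.append((name, decoded))
    return out


def parse_packet(data: bytes) -> dict:
    if not PACKET_MIN <= len(data) <= PACKET_MAX:
        raise DiscardPacket("packet length outside 20..4096")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < PACKET_MIN or length > len(data):
        raise DiscardPacket("Length field inconsistent with the received octets")
    if code not in CODES:
        raise DiscardPacket("invalid Code")
    return {"code": CODES[code], "identifier": identifier,
            "authenticator": data[4:20], "attributes": parse_tlvs(data[20:length])}


def is_discarded(data: bytes) -> bool:
    try:
        parse_packet(data)
        return False
    except DiscardPacket:
        return True


def tlv(t: int, value: bytes) -> bytes:
    return struct.pack("!BB", t, len(value) + 2) + value


def sample_accounting_start() -> bytes:
    """Constructed Accounting-Request Start with a 3GPP vendor-specific attribute
    (enterprise number 10415, sub-attribute 1 = 3GPP-IMSI per TS 29.061) and one
    attribute of unknown type 200 that the parser must ignore. Authenticator left zero."""
    attrs = (tlv(1, b"user@apn.example")
             + tlv(4, IPv4Address("192.0.2.10").packed)      # constructed NAS address
             + tlv(8, IPv4Address("10.0.0.7").packed)        # constructed user address
             + tlv(40, struct.pack("!I", 1))                  # Acct-Status-Type = Start
             + tlv(44, b"0123456789abcdef")                   # Acct-Session-Id, 16 octets
             + tlv(55, struct.pack("!I", 1262304000))         # Event-Timestamp 2010-01-01 UTC
             + tlv(26, struct.pack("!I", 10415) + tlv(1, b"262010000000001"))  # constructed IMSI
             + tlv(200, b"ignored"))
    return struct.pack("!BBH", 4, 42, 20 + len(attrs)) + bytes(16) + attrs
```

`parse_packet(sample_accounting_start())` returns seven decoded attributes (the type-200 one is dropped), and the three discard cases in the text can be checked with `is_discarded`: a datagram shorter than 20 octets, a Length field larger than the datagram, and an unknown Code.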
Table 7 shows the list of attributes used by the Flexi ISN, the Type number, Length,
Value format, and a short description.
Attribute name | Type | Value format | Definition | Sent or received and used
User-Name | | String, greater than or equal to 1 octet(s) | | sent, received and used
User-Password | | According to RFC 2865 | | sent
NAS-IP-Address | | Address, 4 octets | | sent, received and used
NAS-Port | | Integer, 4 octets | | sent
Framed-Protocol | | 4 octets, possible values according to RFC 2865 | |
Framed-IP-address | | Address, 4 octets | | sent, received
Class | 25 | String, greater than or equal to 1 octet(s) | |
Vendor-Specific | 26 | According to RFC 2865 | Vendor-specific attribute(s). See Section Vendor-specific attribute encoding. | sent, received and used
Session-Timeout | 27 | Integer, 4 octets | A 32-bit unsigned integer with the maximum number of seconds that a user should be allowed to remain connected by the Flexi ISN. |
Idle-Timeout | 28 | Integer, 4 octets | A 32-bit unsigned integer with the maximum number of consecutive seconds of idle time that a user should be permitted before being disconnected by the Flexi ISN. | received and used
Called-Station-ID | 30 | String, greater than or equal to 1 octet(s) | | received and used
Calling-Station-ID | 31 | String, greater than or equal to 1 octet(s) | | sent
NAS-Identifier | 32 | String, greater than or equal to 1 octet(s) | |
Proxy-State | 33 | String, greater than or equal to 1 octet(s) | If some Proxy-State attributes are received in a Disconnect- or CoA-Request, the Flexi ISN returns the attribute(s) unmodified (in the same order) in the Response message. | sent, received and used
Acct-Status-Type | 40 | 4 octets. Possible values: 1 Start, 2 Stop, 3 Interim-Update, 7 Accounting On, 8 Accounting Off | Indicates whether an Accounting-Request marks the beginning of the user service (START) or the end (STOP). This is used by the Flexi ISN. | sent
Acct-Input-Octets (1) | 42 | Integer, 4 octets | | sent
Acct-Output-Octets (1) | 43 | Integer, 4 octets | |
Acct-Session-Id | 44 | String, 16 octets | | sent
Acct-Authentic | 45 | Integer, 4 octets | | sent
Acct-Session-Time | 46 | Integer, 4 octets | | sent
Acct-Input-Packets (1) | 47 | Integer, 4 octets | |
Acct-Output-Packets (1) | 48 | Integer, 4 octets | |
Acct-Terminate-Cause | 49 | Integer, 4 octets | 1 (User Request) = context termination related to SGSN or NAS. 3 (Lost Service) = context termination related to an access point. 4 (Idle Timeout) = an idle time-out in the Flexi ISN caused the context termination. 5 (Session Timeout) = a session timeout in the Flexi ISN caused the context termination. 6 (Admin Reset) = a Disconnect Request terminated the context. 10 (NAS Request) = a network-initiated context termination (default value). See Section Acct-Terminate-Cause. | sent
Acct-Multi-Session-Id | 50 | String, 16 octets | A backbone-wide unique hexadecimal coded ASCII string. A unique accounting ID to make it easy to link together multiple related sessions. | sent, received and used
Acct-Link-Count (1) | 51 | Integer, 4 octets | |
Acct-Input-Gigawords (1) | 52 | Integer, 4 octets | | sent
Acct-Output-Gigawords (1) | 53 | Integer, 4 octets | | sent
Event-Timestamp | 55 | Time, 4 octets | This attribute is included in a packet to record the time when something with or in the session occurred (for example, a deactivation), in seconds since January 1, 1970 00:00 UTC (RFC 2869). | sent, received and used
Chap-Challenge | | | |
60
String,
greater than
or equal to 5
octets
NAS-Port-Type
61
4 octets
Possible
values:
5, virtual
DN70119375
Issue 5-3 en
Definition
Id:0900d8058068b02b
sent
41
Data elements
Attribute name
Tunnel-Type
Type
64
Value
format
3 octets
Possible
values:
Definition
Sent or
received
and used
3, L2TP
7, IP-IP
10, GRE
Tunnel-ClientEndpoint
66
String or
Address,
greater than
or equal to 1
octet(s)
Tunnel-ServerEndpoint
67
String or
Address,
greater than
or equal to 1
octet(s)
Tunnel-Password
69
Tunnel-Assignment- 82
ID
According to
RFC 2868
Contains a password to
be used to authenticate
to a remote server
received
and used
String,
received
and used
greater than
or equal to 1
octet(s)
Tunnel-Preference
83
3 octets
according to
RFC 2868
received
and used
Tunnel-Client-AuthID
90
Text, greater
than or equal
to 1 octet(s)
received
and used
Error-Cause
101
4 octets
sent
Possible
values:
404, Invalid
Request
42
Id:0900d8058068b02b
DN70119375
Issue 5-3 en
Attribute name
Data elements
Type
Primary-DNSServer (vendor-proprietary)
135
Secondary-DNSServer (vendor-proprietary)
136
Value
format
Address,
4 octets
Address,
4 octets
String,
Charging-Id
225
(vendor- proprietary)
Integer,
Integer,
8 octets
4 octets
4 octets
Definition
Sent or
received
and used
received
and used
received
and used
sent
sent
GGSN-IP-Address
227
(vendor- proprietary)
SGSN-IP Address
228
(vendor- proprietary)
Table 7
Address,
4 octets
Address,
4 octets
sent
sent
1) This attribute is not included in messages sent in the 'fire and forget' mode. In this
mode the message is sent once and no reply is noticed.
DN70119375
Issue 5-3 en
Id:0900d8058068b02b
43
Data elements
5.2.1 Vendor-specific attribute encoding

By default the Flexi ISN packs several vendor-specific sub-attributes into one Vendor-Specific attribute:

Field name | Length | Value
Type | 1 octet | 26 (Vendor-Specific)
Length | 1 octet | 6 + (a + 2) + (b + 2) + n
Vendor-Id | 4 octets | 94 (Nokia), 311 (Microsoft), 10415 (3GPP) or 28458 (Nokia-Siemens-Networks)
Vendor-Type | 1 octet |
Vendor-Length | 1 octet | a + 2
Vendor-Value | a octet(s) |
Vendor-Type | 1 octet |
Vendor-Length | 1 octet | b + 2
Vendor-Value | b octet(s) |
Vendor-Type, Vendor-Length, Vendor-Value | n octets | further sub-attributes, up to the attribute Length

Some RADIUS servers may require configuration or patching before they can support this encoding. It is, however, configurable in the Flexi ISN how the sub-attributes are encoded. The configuration parameter Encode Vendor-Specific Attributes Separately is described in Section Configuration parameters. When this option is chosen, each vendor-specific sub-attribute is encoded into a separate Vendor-Specific attribute, which looks like the following:

Field name | Length | Value
Type | 1 octet | 26 (Vendor-Specific)
Length | 1 octet | 8 + n
Vendor-Id | 4 octets | 94 (Nokia), 311 (Microsoft), 10415 (3GPP) or 28458 (Nokia-Siemens-Networks)
Vendor-Type | 1 octet |
Vendor-Length | 1 octet | n + 2
Vendor-Value | n octet(s) |
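As an added example (not part of the Flexi ISN documentation or product code), the following Python encodes a set of Nokia sub-attributes in both layouts described above and parses either layout back, checking every Length and Vendor-Length before it is used so that a truncated or malformed VSA raises instead of being read past its end. The sub-attribute numbers are Nokia-Service-Name (26/94/3) and Nokia-Service-ID (26/94/4) from the attribute table; the sample values are constructed. It also shows why the separate encoding exists: the packed form cannot exceed the 255-octet attribute Length.

```python
"""RADIUS Vendor-Specific Attribute (Type 26) in the two layouts the Flexi ISN
can use: several sub-attributes packed into one VSA, or one VSA per
sub-attribute. Added example, not product code."""
import struct

VENDOR_NOKIA = 94
VENDOR_3GPP = 10415
NOKIA_SERVICE_NAME = 3   # 26/94/3 from the attribute table
NOKIA_SERVICE_ID = 4     # 26/94/4


def _sub_attr(vendor_type, value):
    """Vendor-Type (1 octet), Vendor-Length = len(value) + 2, Vendor-Value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("sub-attribute value too long")
    return struct.pack("!BB", vendor_type, len(value) + 2) + value


def _vsa(vendor_id, body):
    """Type 26, Length = 6 + len(body), Vendor-Id (4 octets), body."""
    length = 6 + len(body)
    if length > 255:
        raise ValueError("VSA would exceed 255 octets; use the separate encoding")
    return struct.pack("!BBI", 26, length, vendor_id) + body


def encode_vsas(vendor_id, sub_attrs, separately=False):
    """sub_attrs is a list of (vendor_type, value_bytes).
    separately=False: one VSA, Length = 6 + sum(a_i + 2) (the default layout).
    separately=True:  one VSA per sub-attribute, Length = 8 + n each."""
    if separately:
        return b"".join(_vsa(vendor_id, _sub_attr(t, v)) for t, v in sub_attrs)
    return _vsa(vendor_id, b"".join(_sub_attr(t, v) for t, v in sub_attrs))


def decode_vsas(data):
    """Parse a run of RADIUS attributes; return [(vendor_id, vendor_type, value)].
    Accepts both layouts, skips non-VSA attributes, and validates every length
    field before slicing so a malformed packet raises rather than misparsing."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute Length")
        if atype == 26:
            if alen < 8:
                raise ValueError("VSA too short for Vendor-Id and a sub-attribute")
            vendor_id = struct.unpack("!I", data[pos + 2:pos + 6])[0]
            sub, spos = data[pos + 6:pos + alen], 0
            while spos < len(sub):
                if len(sub) - spos < 2:
                    raise ValueError("truncated sub-attribute header")
                vtype, vlen = sub[spos], sub[spos + 1]
                if vlen < 2 or spos + vlen > len(sub):
                    raise ValueError("bad Vendor-Length")
                out.append((vendor_id, vtype, sub[spos + 2:spos + vlen]))
                spos += vlen
        pos += alen
    return out
```

A RADIUS server that only understands one sub-attribute per VSA will silently keep the first sub-attribute of a packed VSA and drop the rest; a parser like decode_vsas that walks the sub-attribute run is what the Encode Vendor-Specific Attributes Separately parameter works around.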
Nokia vendor-specific attributes (Vendor-Id 94):

Attribute name | Type | Value format | Definition | Sent or received and used
Nokia-User-Profile | 26/94/2 | String, 1 or more octets | A list of services separated by a space character. Includes one primary service flag (*) and can include an OCS prepaid flag ($). | received and used
Nokia-Service-Name | 26/94/3 | String, 1 or more octets | | received and used
Nokia-Service-ID | 26/94/4 | Integer, 1-4 octets | | received and used
Nokia-Service-Username | 26/94/5 | String, 1 or more octets | | received and used
Nokia-Service-Password | 26/94/6 | String, 1 or more octets | The password. | received and used
Nokia-Service-Primary-Indicator | 26/94/7 | 0 octets | | received and used
Nokia-Service-Charging-Type | 26/94/8 | Integer, 1 or more octets | | received and used
Nokia-Service-Encrypted-Password | 26/94/9 | String, as defined in Section User profile fetching | This attribute contains an encrypted password for the service. | received and used
Nokia-Session-Access-Method | 26/94/10 | 1 octet, as defined in Section Nokia vendor-specific attribute Nokia-Session-Access-Method | This attribute defines the access method for the user session. | sent
Nokia-Session-Charging-Type | 26/94/11 | 1 octet, as defined in Section Charging profile fetching through RADIUS | This attribute defines the charging type for the user session. | sent, received and used
Nokia-OCS-ID1 | 26/94/12 | Integer, 2 octets | The identification number of the OCS server that should be used in the first place. | received and used
Nokia-OCS-ID2 | 26/94/13 | Integer, 2 octets | The identification number of the OCS server that should be used in the second place. | received and used
Nokia-TREC-Index | 26/94/14 | Integer, 1 octet | This attribute defines the TREC for the PDP context. | received and used
Nokia-Requested-APN | 26/94/15 | String, 1 or more octets | | sent

Microsoft vendor-specific attributes (Vendor-Id 311):

Attribute name | Type | Value format | Definition | Sent or received and used
MS-Primary-DNS-Server | 26/311/28 | Address, 4 octets | | received and used
MS-Secondary-DNS-Server | 26/311/29 | Address, 4 octets | | received and used

3GPP vendor-specific attributes (Vendor-Id 10415):

Attribute name | Type | Value format | Definition | Sent or received and used
3GPP-IMSI | 26/10415/1 | Text, 1-15 octets | | sent
3GPP-Charging-Id | 26/10415/2 | Integer, 4 octets | The charging ID for this PDP context. The Flexi ISN generates this 3GPP charging ID for both virtual and normal PDP contexts, with one exception: if the Flexi ISN acts as a NAS server and the charging ID selection is set to NAS Client, the charging ID is the NAS client's charging ID and not the Flexi ISN's 3GPP charging ID. | sent
3GPP-PDP-Type | 26/10415/3 | 4 octets, possible values: 0 (IPv4) | | sent
3GPP-Charging-Gateway-Address | 26/10415/4 | Address, 4 octets | The charging gateway IP address defined in the Flexi ISN configuration. | sent
3GPP-GPRS-Negotiated-QoS-Profile | 26/10415/5 | Text, 11, 27 or 33 octets | | sent
3GPP-SGSN-Address | 26/10415/6 | Address, 4 octets | The SGSN IP address used by the GTP control plane for the handling of control messages. It may be used to identify the PLMN to which the user is attached. | sent
3GPP-GGSN-Address | 26/10415/7 | Address, 4 octets | | sent
3GPP-IMSI-MCC-MNC | 26/10415/8 | Text, 5 or 6 octets | | sent
3GPP-GGSN-MCC-MNC | 26/10415/9 | Text, 5 or 6 octets | The MCC-MNC of the network the Flexi ISN belongs to. The MCC-MNC used is the one marked in the Home PLMN ID table. | sent
3GPP-NSAPI | 26/10415/10 | 1 octet | | sent
3GPP-Session-Stop-Indicator | 26/10415/11 | 1 octet, fixed value FF (hex) | Indicates that the last PDP context of a session is released and that the PDP session has been terminated. | sent
3GPP-Selection-Mode | 26/10415/12 | Text, 1 octet | Contains the selection mode for this PDP context, received in the Create PDP Context Request message. | sent
3GPP-Charging-Characteristics | 26/10415/13 | Text, 4 octets | Contains the charging characteristics for this PDP context, received in the Create PDP Context Request message (only available in 3GPP R99 and later releases). Note: if the charging type flags are not set by the HLR, the Flexi ISN sets the post-paid flag. | sent
3GPP-SGSN-MCC-MNC | 26/10415/18 | Text, 5 or 6 octets | | sent
3GPP-IMEISV | 26/10415/20 | Text, 16 octets | | sent
3GPP-RAT-Type | 26/10415/21 | 1 octet, possible values: 1 (UTRAN), 2 (GERAN), 3 (WLAN*), 4-255 (spare) | Indicates which radio access technology (RAT) is currently serving the user equipment. The RAT is received from the SGSN. | sent
3GPP-User-Location-Info | 26/10415/22 | 1-m octets, m depends on the Geographic Location Type | Contains information about the user's geographical location. The value is copied without changes from the GTP information element User Location Information received from the SGSN. The Geographic Location Type is defined in 3GPP specification 29.060 [2]. | sent
3GPP-MS-TimeZone | 26/10415/23 | 2 octets | Indicates the time zone the user is currently located in. The value is copied without changes from the GTP information element MS Time Zone received from the SGSN. MS Time Zone is defined in 3GPP specification 29.060 [2]. | sent

Nokia-Siemens-Networks vendor-specific attributes (Vendor-Id 28458):

Attribute name | Type | Value format | Definition | Sent or received and used
NSN-Tunnel-User-Auth-Method | 26/28458/1 | Integer, 3 octets | | received and used
NSN-Tunnel-Override-Username | 26/28458/2 | Integer, 1 octet | | received and used

5.2.2
5.2.2.1 Access Request

ID | Attribute name | Simple authentication | IMSI SGSN | IMSI SGSN 3GPP
1 | User-Name | Yes | Yes | Yes
2 | User-Password (1) | Yes | Yes | Yes
4 | NAS-IP-Address | Yes | Yes | Yes
5 | NAS-Port | Yes | Yes | Yes
6 | Service-Type | Yes | Yes | Yes
7 | Framed-Protocol | Yes | Yes | Yes
30 | Called-Station-Id | Yes | Yes | Yes
31 | Calling-Station-Id | Yes | Yes | Yes
32 | NAS-Identifier | Yes | Yes | Yes
44 | Acct-Session-Id | Yes | Yes | Yes
50 | Acct-Multi-Session-Id | Yes | Yes | Yes
60 | CHAP-Challenge (2) | | Yes | Yes
61 | NAS-Port-Type | | Yes | Yes
224 | IMSI | | Yes |
228 | SGSN-IP-Address | | Yes |
26/94/15 | Nokia-Requested-APN | | | Yes
26/10415/1 | 3GPP-IMSI | | | Yes
26/10415/2 | 3GPP-Charging-Id | | | Yes
26/10415/3 | 3GPP-PDP-Type | | | Yes
26/10415/4 | 3GPP-Charging-Gateway-Address | | | Yes
26/10415/5 | 3GPP-GPRS-Negotiated-QoS-Profile | | | Yes
26/10415/6 | 3GPP-SGSN-Address | | | Yes
26/10415/7 | 3GPP-GGSN-Address | | | Yes
26/10415/8 | 3GPP-IMSI-MCC-MNC | | | Yes
26/10415/9 | 3GPP-GGSN-MCC-MNC | | | Yes
26/10415/10 | 3GPP-NSAPI | | Yes | Yes
26/10415/12 | 3GPP-Selection-Mode | | | Yes
26/10415/13 | 3GPP-Charging-Characteristics | | | Yes
26/10415/18 | 3GPP-SGSN-MCC-MNC (3) | | | Yes
26/10415/20 | 3GPP-IMEISV (4) | | | Yes
26/10415/21 | 3GPP-RAT-Type | | | Yes
26/10415/22 | 3GPP-User-Location-Info (4) | | | Yes
26/10415/23 | 3GPP-MS-TimeZone (4) | | | Yes

1. The User-Password is not sent when CHAP is the authentication type.
2. Sent only when CHAP is the authentication type.
3. Sent only if the PDP context request contained the RAI.
4. Sent only if received from the SGSN.

5.2.2.2 Access Accept

ID | Attribute name
8 | Framed-IP-Address
25 | Class
27 | Session-Timeout
28 | Idle-Timeout
64 | Tunnel-Type
66 | Tunnel-Client-Endpoint
67 | Tunnel-Server-Endpoint
69 | Tunnel-Password
82 | Tunnel-Assignment-Id
83 | Tunnel-Preference
90 | Tunnel-Client-Auth-Id
135 | Primary-DNS-Server
136 | Secondary-DNS-Server
26/94/2 | Nokia-User-Profile
26/94/3 | Nokia-Service-Name
26/94/4 | Nokia-Service-ID
26/94/5 | Nokia-Service-Username
26/94/6 | Nokia-Service-Password
26/94/7 | Nokia-Service-Primary-Indicator
26/94/8 | Nokia-Service-Charging-Type
26/94/9 | Nokia-Service-Encrypted-Password
26/94/11 | Nokia-Session-Charging-Type
26/94/12 | Nokia-OCS-ID1
26/94/13 | Nokia-OCS-ID2
26/94/14 | Nokia-TREC-Index (1)
26/311/28 | MS-Primary-DNS-Server
26/311/29 | MS-Secondary-DNS-Server
26/28458/1 | NSN-Tunnel-User-Auth-Method
26/28458/2 | NSN-Tunnel-Override-Username

1. The particular application of this AVP depends on the Network Based QoS Control license. Without this license the AVP applies only to non-real-time traffic classes (it replaces the default TREC ID configured in the Flexi ISN Access Point). With the license it applies to all traffic classes.
5.2.2.3 Accounting Request (Start)

ID | Attribute name | WAP GW and WAP GW, server optional | IP address release | 3GPP and 3GPP, server optional
1 | User-Name (1) | Yes | Yes | Yes
4 | NAS-IP-Address | Yes | Yes | Yes
5 | NAS-Port | Yes | Yes | Yes
6 | Service-Type | Yes | Yes | Yes
7 | Framed-Protocol | Yes | Yes | Yes
8 | Framed-IP-Address | Yes | Yes | Yes
25 | Class | Yes | Yes | Yes
30 | Called-Station-Id | Yes | Yes | Yes
31 | Calling-Station-Id | Yes | Yes | Yes
32 | NAS-Identifier | Yes | Yes | Yes
40 | Acct-Status-Type | Yes | Yes | Yes
44 | Acct-Session-Id | Yes | Yes | Yes
45 | Acct-Authentic | Yes | Yes | Yes
50 | Acct-Multi-Session-Id | Yes | Yes | Yes
51 | Acct-Link-Count | Yes | Yes | Yes
61 | NAS-Port-Type | Yes | | Yes
224 | IMSI | Yes | |
225 | Charging-ID | Yes | |
226 | Prepaid-Ind | Yes | |
227 | GGSN-IP-Address | Yes | |
228 | SGSN-IP-Address | Yes | |
26/94/10 | Nokia-Session-Access-Method | Yes | |
26/94/11 | Nokia-Session-Charging-Type | Yes | |
26/94/15 | Nokia-Requested-APN | Yes | | Yes
26/10415/1 | 3GPP-IMSI | | | Yes
26/10415/2 | 3GPP-Charging-Id | Yes | | Yes
26/10415/4 | 3GPP-Charging-Gateway-Address | | | Yes
26/10415/5 | 3GPP-GPRS-Negotiated-QoS-Profile | | | Yes
26/10415/6 | 3GPP-SGSN-Address | | | Yes
26/10415/7 | 3GPP-GGSN-Address | | | Yes
26/10415/8 | 3GPP-IMSI-MCC-MNC | Yes | | Yes
26/10415/10 | 3GPP-NSAPI | Yes | | Yes
26/10415/13 | 3GPP-Charging-Characteristics | | | Yes
26/10415/18 | 3GPP-SGSN-MCC-MNC | | | Yes
26/10415/21 | 3GPP-RAT-Type | Yes | | Yes
26/10415/22 | 3GPP-User-Location-Info (3) | | | Yes
26/10415/23 | 3GPP-MS-TimeZone (3) | | | Yes
5.2.2.4 Accounting Request (Interim-Update)

ID | Attribute name | WAP GW and WAP GW, server optional | IP address release | 3GPP and 3GPP, server optional
1 | User-Name (1) | Yes | Yes | Yes
4 | NAS-IP-Address | Yes | Yes | Yes
5 | NAS-Port | Yes | Yes | Yes
6 | Service-Type | Yes | Yes | Yes
7 | Framed-Protocol | Yes | Yes | Yes
8 | Framed-IP-Address | Yes | Yes | Yes
25 | Class | Yes | Yes | Yes
30 | Called-Station-Id | Yes | Yes | Yes
31 | Calling-Station-Id | Yes | Yes | Yes
32 | NAS-Identifier | Yes | Yes | Yes
40 | Acct-Status-Type | Yes | Yes | Yes
42 | Acct-Input-Octets | Yes | | Yes
43 | Acct-Output-Octets | Yes | | Yes
44 | Acct-Session-Id | Yes | Yes | Yes
45 | Acct-Authentic | Yes | Yes | Yes
46 | Acct-Session-Time | Yes | | Yes
47 | Acct-Input-Packets | Yes | | Yes
48 | Acct-Output-Packets | Yes | | Yes
50 | Acct-Multi-Session-Id | Yes | Yes | Yes
51 | Acct-Link-Count | Yes | Yes | Yes
52 | Acct-Input-Gigawords | | | Yes
53 | Acct-Output-Gigawords | | | Yes
55 | Event-Timestamp | Yes | Yes | Yes
61 | NAS-Port-Type | Yes | Yes | Yes
224 | IMSI | Yes | |
225 | Charging-ID | Yes | |
226 | Prepaid-Ind | Yes | |
227 | GGSN-IP-Address | Yes | |
228 | SGSN-IP-Address | Yes | |
26/94/10 | Nokia-Session-Access-Method | Yes | |
26/94/11 | Nokia-Session-Charging-Type | Yes | |
26/94/15 | Nokia-Requested-APN | Yes | |
26/10415/1 | 3GPP-IMSI | | | Yes
26/10415/2 | 3GPP-Charging-Id | | | Yes
26/10415/3 | 3GPP-PDP-Type | | | Yes
26/10415/4 | 3GPP-Charging-Gateway-Address | | | Yes
26/10415/5 | 3GPP-GPRS-Negotiated-QoS-Profile | | | Yes
26/10415/6 | 3GPP-SGSN-Address | | | Yes
26/10415/7 | 3GPP-GGSN-Address | | | Yes
26/10415/8 | 3GPP-IMSI-MCC-MNC | | | Yes
26/10415/9 | 3GPP-GGSN-MCC-MNC | Yes | | Yes
26/10415/10 | 3GPP-NSAPI | Yes | | Yes
26/10415/13 | 3GPP-Charging-Characteristics | Yes | | Yes
26/10415/21 | 3GPP-RAT-Type | Yes | Yes | Yes
5.2.2.5 Accounting Request (Stop)

ID | Attribute name | WAP GW and WAP GW, server optional | IP address release | 3GPP and 3GPP, server optional
1 | User-Name (1) | Yes | Yes | Yes
4 | NAS-IP-Address | Yes | Yes | Yes
5 | NAS-Port | Yes | Yes | Yes
6 | Service-Type | Yes | Yes | Yes
7 | Framed-Protocol | Yes | Yes | Yes
8 | Framed-IP-Address | Yes | Yes | Yes
25 | Class | Yes | Yes | Yes
30 | Called-Station-Id | Yes | Yes | Yes
31 | Calling-Station-Id | Yes | Yes | Yes
32 | NAS-Identifier | Yes | Yes | Yes
40 | Acct-Status-Type | Yes | Yes | Yes
42 | Acct-Input-Octets | Yes | | Yes
43 | Acct-Output-Octets | Yes | | Yes
44 | Acct-Session-Id | Yes | Yes | Yes
45 | Acct-Authentic | Yes | Yes | Yes
46 | Acct-Session-Time | Yes | | Yes
47 | Acct-Input-Packets | Yes | | Yes
48 | Acct-Output-Packets | Yes | | Yes
49 | Acct-Terminate-Cause | Yes | Yes | Yes
50 | Acct-Multi-Session-Id | Yes | Yes | Yes
51 | Acct-Link-Count | Yes | Yes | Yes
52 | Acct-Input-Gigawords | | | Yes
53 | Acct-Output-Gigawords | | | Yes
61 | NAS-Port-Type | | | Yes
224 | IMSI | Yes | |
225 | Charging-ID | Yes | |
226 | Prepaid-Ind | Yes | |
227 | GGSN-IP-Address | Yes | |
228 | SGSN-IP-Address | Yes | |
26/94/15 | Nokia-Requested-APN | Yes | |
26/10415/1 | 3GPP-IMSI | | | Yes
26/10415/2 | 3GPP-Charging-Id | | | Yes
26/10415/3 | 3GPP-PDP-Type | | | Yes
26/10415/4 | 3GPP-Charging-Gateway-Address | | | Yes
26/10415/5 | 3GPP-GPRS-Negotiated-QoS-Profile | | | Yes
26/10415/6 | 3GPP-SGSN-Address | | | Yes
26/10415/7 | 3GPP-GGSN-Address | | | Yes
26/10415/8 | 3GPP-IMSI-MCC-MNC | | | Yes
26/10415/9 | 3GPP-GGSN-MCC-MNC | | | Yes
26/10415/10 | 3GPP-NSAPI | Yes | | Yes
26/10415/11 | 3GPP-Session-Stop-Indicator | | | Yes
26/10415/12 | 3GPP-Selection-Mode * | | | Yes
26/10415/13 | 3GPP-Charging-Characteristics | | | Yes
26/10415/18 | 3GPP-SGSN-MCC-MNC (2) | | | Yes
26/10415/21 | 3GPP-RAT-Type | | | Yes
26/10415/22 | 3GPP-User-Location-Info (3) | | | Yes
26/10415/23 | 3GPP-MS-TimeZone (3) | | | Yes

5.2.2.6 Accounting Request (Accounting-On and Accounting-Off)

ID | Attribute name | WAP GW and WAP GW, server optional | IP address release | 3GPP and 3GPP, server optional
4 | NAS-IP-Address | Yes | Yes | Yes
30 | Called-Station-Id | Yes | Yes | Yes
32 | NAS-Identifier | Yes | Yes | Yes
40 | Acct-Status-Type | Yes | Yes | Yes
44 | Acct-Session-Id | Yes | Yes | Yes
61 | NAS-Port-Type | Yes | Yes | Yes

5.2.2.7 Disconnect Request

ID | Attribute name
1 | User-Name
4 | NAS-IP-Address
6 | Service-Type
32 | NAS-Identifier
33 | Proxy-State
44 | Acct-Session-Id *
50 | Acct-Multi-Session-Id *
55 | Event-Timestamp

*: The request must contain at least one of these attributes.

5.2.2.8 Disconnect ACK

ID | Attribute name
33 | Proxy-State (1)
49 | Acct-Terminate-Cause
55 | Event-Timestamp

5.2.2.9 Disconnect NAK

ID | Attribute name
33 | Proxy-State (1)
55 | Event-Timestamp

5.2.2.10 CoA Request

ID | Attribute name
1 | User-Name
4 | NAS-IP-Address
6 | Service-Type
32 | NAS-Identifier
33 | Proxy-State
44 | Acct-Session-Id *
50 | Acct-Multi-Session-Id *
55 | Event-Timestamp
26/94/3 | Nokia-Service-Name
26/94/4 | Nokia-Service-ID
26/94/5 | Nokia-Service-Username
26/94/6 | Nokia-Service-Password
26/94/7 | Nokia-Service-Primary-Indicator
26/94/8 | Nokia-Service-Charging-Type
26/94/9 | Nokia-Service-Encrypted-Password
26/94/14 | Nokia-TREC-Index **

*: The request must contain at least one of these attributes.
**: This AVP requires Acct-Session-Id to be present in the CoA-Request. Otherwise Nokia-TREC-Index is ignored by the Flexi ISN.

5.2.2.11 CoA ACK

ID | Attribute name
33 | Proxy-State (1)
55 | Event-Timestamp

5.2.2.12 CoA NAK

ID | Attribute name
33 | Proxy-State (1)
55 | Event-Timestamp
101 | Error-Cause
6 Additional features

The Flexi ISN supports a few features not specified in the basic RADIUS documents RFC 2865 [6] and RFC 2866 [7]. This section lists those features and the attributes related to them.

6.1

Note: The DNS server address may also be received via other sources (for example, PPP).

The specific attribute format is:

Field name | Length | Value
Type | 1 octet | 26 (Vendor-Specific)
Length | 1 octet | 12
Vendor-Id | 4 octets | 311 (Microsoft)
Vendor-Type | 1 octet | 28 (MS-Primary-DNS-Server) or 29 (MS-Secondary-DNS-Server)
Vendor-Length | 1 octet | 6
IPv4-Address | 4 octets |

The 3GPP standard TS 29.061 [3] requires that the DNS server addresses are specified according to RFC 2548 [5].

Other vendor-specific DNS address definitions

RADIUS servers also use their own vendor-specific DNS attributes. Thus, even though the Flexi ISN supports the attributes described above, the RADIUS server may use its own vendor-specific DNS attributes. At least Ascend and Cisco have defined their own. The main difference between Cisco's and Microsoft's approach is that Cisco uses non-standardised attribute identifiers instead of the recommended Vendor-Specific attribute [1]. The Flexi ISN supports Cisco's attributes Primary-DNS-Server (135) and Secondary-DNS-Server (136) in the Access-Accept message. See the attribute table in Section Attributes.
Id:0900d805807522ee
6.2 RADIUS Disconnect

The basic RADIUS protocol does not contain any message that could be used to terminate PDP contexts from a RADIUS server. Some vendors have defined three RADIUS messages for this purpose (RFC 2882 [11]): Disconnect-Request, Disconnect-ACK and Disconnect-NAK. The messages are explained in detail in RFC 3576 [12]. Support for the Disconnect-Request is required in TS 29.061 [3].

Flexi ISN as RADIUS server

The RADIUS protocol defined in RFC 2865 [6] and RFC 2866 [7] does not allow unsolicited messages from the RADIUS server to the GGSN, yet the Disconnect-Request is always sent from the RADIUS server to the GGSN. The roles of the GGSN and the RADIUS server are therefore reversed: the GGSN receives RADIUS packets sent to UDP ports 1700 and 3799 and acts like a RADIUS server when a Disconnect-Request is received. The response messages Disconnect-ACK and Disconnect-NAK are sent from the port on which, and to the port from which, the Disconnect-Request was received.

When the GGSN receives the Disconnect-Request, it checks whether the request can be fulfilled and sends a Disconnect-ACK (PDP context successfully terminated) or a Disconnect-NAK (request failed). Previously the Flexi ISN accepted Disconnect-Requests only from a known RADIUS Accounting server; now the sender can also be a known Authentication server. That is, the RADIUS server must be found in the Flexi ISN configuration database as a primary or secondary Authentication or Accounting server. Additionally, up to four separate Disconnect servers can be named if a RADIUS server other than the primary or secondary Authentication or Accounting server is to be used. See the RADIUS Disconnect configuration table in Section Configuration parameters. The configured OCS servers are also valid Disconnect servers as long as the RADIUS interface towards the OCS is enabled. A Disconnect-Request from any other source is not acted on. See also the common information for Disconnect-Requests and CoA-Requests.
6.2.1 Disconnect-Request

The Authenticator field of the Disconnect-Request packet is calculated in the same way as for an Accounting-Request packet, that is, over the packet contents together with the shared secret, so a request that does not verify against the shared secret of the sending server is not acted on. For more information, see Section Authenticator.

The Disconnect-Request must contain at least one of the following attributes (TS 29.061 [3]): Acct-Session-Id or Acct-Multi-Session-Id.

When the Flexi ISN sends a Disconnect-Request (that is, when it is acting as a NAS server), it includes only the Acct-Session-Id attribute and not the Acct-Multi-Session-Id. When the Flexi ISN (acting either as a NAS server or as a NAS client) receives a Disconnect-Request, it handles it properly whether the Acct-Session-Id or the Acct-Multi-Session-Id attribute is included. The Disconnect-Request may optionally contain one of the following attributes:

- User-Name. The user name provided by the user (extracted from the Create PDP Context Request message) or by the PPP authentication phase (if the PPP PDP type is used). If no user name is available, a generic user name configurable per APN is present. If a User-Name was sent in the Access-Accept message, that user name is used in preference to the above.
- Framed-IP-Address. The user's IP address.

More optional attributes are listed in RFC 3576 [12]. The Flexi ISN maps the received attributes to a unique PDP context or to a whole user session. The procedure allows several connections to be disconnected with one request (for example, all connections of one user) or only one PDP context to be terminated. Note that the Flexi ISN is able to receive Acct-Multi-Session-Id and to terminate a whole session at once.
6.2.2 Disconnect-ACK

The Disconnect-ACK packet is sent when the Disconnect-Request has been received and the whole session or the PDP context was terminated. The Flexi ISN sends the packet as soon as the Delete PDP Context Request has been sent to the SGSN; it does not wait for the response from the SGSN before sending the Disconnect-ACK to the RADIUS server. TS 29.061 [3] and RFC 3576 [12] do not specify the content of the Disconnect-ACK. The Flexi ISN implementation sends the Event-Timestamp attribute for security reasons (it lets the receiver reject replayed or stale messages) and the Acct-Terminate-Cause attribute with the value 6 (Admin-Reset) in this message.

6.2.3 Disconnect-NAK

The Disconnect-NAK packet is sent when the Disconnect-Request has been received and the PDP context was not terminated (for example, the PDP context was not found). TS 29.061 [3] and RFC 3576 [12] do not specify the content of the Disconnect-NAK. The Flexi ISN implementation sends the Event-Timestamp attribute in this message.
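The exchange described in Sections 6.2 to 6.2.3, as an added example in Python and not Flexi ISN code: the Disconnect-Request carries an accounting-style Request Authenticator, the receiving NAS acts only on requests from a configured Disconnect server whose Authenticator verifies, it requires Acct-Session-Id or Acct-Multi-Session-Id, echoes Proxy-State unmodified and in order, and answers with Event-Timestamp plus Acct-Terminate-Cause 6 (Admin-Reset) in the ACK or Event-Timestamp alone in the NAK. The shared secret, the session table, the server list and the clock-skew window MAX_CLOCK_SKEW are constructed for the example; the documentation fixes no skew window.

```python
"""Disconnect-Request handling on the NAS side (the GGSN role the Flexi ISN
takes when listening on UDP 1700/3799). Added example, not product code."""
import hashlib
import hmac
import struct
import time

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
PROXY_STATE, ACCT_SESSION_ID, ACCT_MULTI_SESSION_ID = 33, 44, 50
ACCT_TERMINATE_CAUSE, EVENT_TIMESTAMP = 49, 55
ADMIN_RESET = 6
MAX_CLOCK_SKEW = 300  # seconds; an assumption, the documentation fixes no window


def attr(atype, value):
    """One RADIUS attribute: Type, Length (= len(value) + 2), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(body):
    """Return [(type, value)], checking every Length before it is trusted."""
    out, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("bad attribute Length")
        out.append((atype, body[pos + 2:pos + alen]))
        pos += alen
    return out


def build_packet(code, ident, attrs, secret, request_auth=None):
    """Accounting-style Authenticator (RFC 2866 section 3, RFC 3576 section 2.3):
    MD5(Code + Identifier + Length + seed + Attributes + Secret), where seed is
    16 zero octets for a request and the Request Authenticator for a response."""
    body = b"".join(attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    seed = bytes(16) if request_auth is None else request_auth
    auth = hashlib.md5(header + seed + body + secret).digest()
    return header + auth + body


def verify_response(response, request, secret):
    """Client side: check a Disconnect-ACK/NAK against the request it answers."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def handle_disconnect(packet, src_ip, disconnect_servers, secret, sessions, now=None):
    """NAS side. sessions maps Acct-Session-Id -> Acct-Multi-Session-Id (a constructed
    stand-in for the PDP context table). Returns the ACK/NAK packet, or None when the
    request is dropped: unknown source, bad Authenticator, or stale Event-Timestamp."""
    if src_ip not in disconnect_servers or len(packet) < 20:
        return None  # only configured Disconnect servers are accepted
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # wrong shared secret or tampered packet
    attrs = parse_attrs(packet[20:])
    now = int(time.time()) if now is None else now
    stamps = [v for t, v in attrs if t == EVENT_TIMESTAMP and len(v) == 4]
    if stamps and abs(struct.unpack("!I", stamps[0])[0] - now) > MAX_CLOCK_SKEW:
        return None  # replayed or stale request
    # Proxy-State goes back unmodified and in the order received.
    reply = [(PROXY_STATE, v) for t, v in attrs if t == PROXY_STATE]
    reply.append((EVENT_TIMESTAMP, struct.pack("!I", now)))
    sid = [v for t, v in attrs if t == ACCT_SESSION_ID]
    msid = [v for t, v in attrs if t == ACCT_MULTI_SESSION_ID]
    victims = []
    if sid and sid[0] in sessions:
        victims = [sid[0]]                                          # one PDP context
    elif msid:
        victims = [k for k, m in sessions.items() if m == msid[0]]  # whole session
    for k in victims:
        del sessions[k]  # stands in for sending Delete PDP Context Request to the SGSN
    if not victims:
        return build_packet(DISCONNECT_NAK, ident, reply, secret, packet[4:20])
    reply.append((ACCT_TERMINATE_CAUSE, struct.pack("!I", ADMIN_RESET)))
    return build_packet(DISCONNECT_ACK, ident, reply, secret, packet[4:20])
```

The source check and the Authenticator check are independent layers: the source check is defeated by a spoofed UDP source address, the Authenticator check by a leaked shared secret, so both must hold before a context is torn down. The Event-Timestamp window is the only protection against replaying a captured, correctly authenticated Disconnect-Request against a later session that reuses the same Acct-Session-Id.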
6.3

included in the Accounting Stop message, it should also be included in the Interim-Update message.

6.4

Acct-Input-Gigawords. This attribute indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 while this service has been provided, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop or Interim-Update.

Field name | Length | Value
Type | 1 octet | 52
Length | 1 octet | 6
Value | 4 octets |

Acct-Output-Gigawords. This attribute indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 while this service has been provided, and can only be present in Accounting-Request records where Acct-Status-Type is set to Stop or Interim-Update.

Field name | Length | Value
Type | 1 octet | 53
Length | 1 octet | 6
Value | 4 octets |

Although TS 29.061 [3] does not use these two attributes, they are clearly needed whenever the above-mentioned counters wrap around, and the Flexi ISN uses both. The total volume in one direction is Gigawords * 2^32 + Octets, so an accounting backend that ignores the Gigawords attributes under-counts every session that carried more than 4 GiB in that direction.
6.5

Tunnel-Type

Field name | Length | Value
Type | 1 octet | 64
Length | 1 octet |
Tag | 1 octet |
Value | 3 octets |

Tunnel-Client-Endpoint

This attribute indicates the address of the initiator end of the tunnel. The Tunnel-Client-Endpoint is not mandatory in the Access-Accept packet, so the Flexi ISN is prepared for the case where the attribute is missing.

Field name | Length | Value
Type | 1 octet | 66
Length | 1 octet |
Tag | 1 octet |
Value | String |

If for some reason the Flexi ISN does not accept the received IP address, the Flexi ISN behaves as though an Access-Reject had been received.

Tunnel-Server-Endpoint

Field name | Length | Value
Type | 1 octet | 67
Length | 1 octet |
Tag | 1 octet |
Value | String |

If for some reason the Flexi ISN does not accept the received IP address, the Flexi ISN behaves as though an Access-Reject had been received.

Tunnel-Assignment-ID

Field name | Length | Value
Type | 1 octet | 82
Length | 1 octet |
Tag | 1 octet |
Value | String |

Some tunnelling protocols, such as L2TP, allow sessions between the same two tunnel endpoints to be multiplexed over the same tunnel, and also allow a given session to use its own dedicated tunnel. This attribute provides a mechanism for RADIUS to inform the tunnel initiator (for example, the LAC) whether to assign the session to a multiplexed tunnel or to a separate tunnel. Furthermore, it allows sessions sharing multiplexed tunnels to be assigned to different multiplexed tunnels. The Tunnel-Assignment-ID attribute is of significance only to RADIUS and the tunnel initiator. The ID assigned by the tunnel initiator, the Flexi ISN, is not conveyed to the tunnel peer. When the Tunnel-Assignment-ID attribute is received, the Flexi ISN assigns a session to a tunnel in the following manner:

- If this attribute is present and a tunnel exists between the specified endpoints with the specified ID, the session is assigned to that tunnel. An existing tunnel can be re-used only if the same service blade is used.
- If this attribute is present and no tunnel exists between the specified endpoints with the specified ID, a new tunnel is established for the session and the specified ID is associated with the new tunnel.
- If this attribute is not present, the session is assigned to an unnamed tunnel. If an unnamed tunnel does not yet exist between the specified endpoints, it is established and used for this and subsequent sessions established without the Tunnel-Assignment-ID attribute. The Flexi ISN must not assign a session for which a Tunnel-Assignment-ID attribute was not specified to a named tunnel (that is, one that was initiated by a session specifying this attribute).

Tunnel-Preference

If more than one set of tunnelling attributes is returned by the RADIUS server to the Flexi ISN, this attribute should be included in each set to indicate the relative preference assigned to each tunnel. Accordingly, when there are multiple dynamic tunnelling configuration sets and the highest-priority one fails, the second highest is tried. Note: tunnel failure can only be detected on L2TP tunnels. For IP-IP and GRE the highest priority is always used unconditionally.

Field name | Length | Value
Type | 1 octet | 83
Length | 1 octet |
Tag | 1 octet |
Value | 3 octets |

6.5.1 Tunnel-Password

Field name | Length | Value
Type | 1 octet | 69
Length | 1 octet |
Tag | 1 octet |
Salt | 2 octets |
String | | The plaintext String field consists of three logical sub-fields: Data-Length (1 octet), the Password sub-field, and an optional Padding sub-field.
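Tunnel-Password encryption and decryption as RFC 2868 section 3.5 defines them (an MD5 keystream derived from the shared secret, the Request Authenticator and the Salt, chained on the ciphertext blocks), as an added example in Python and not Flexi ISN code. The decrypt side enforces the Salt high bit and rejects a Data-Length that exceeds the decrypted data, which is what decrypting with the wrong shared secret usually looks like. The secret, Request Authenticator and password values are constructed.

```python
"""RFC 2868 Tunnel-Password (attribute 69): Tag, Salt and a String that is the
salted-MD5 encryption of Data-Length + Password + Padding. Added example,
not product code."""
import hashlib
import os

TUNNEL_PASSWORD = 69


def encrypt_tunnel_password(password, secret, request_auth, tag=0, salt=None):
    """Return the complete attribute: Type, Length, Tag, Salt, String.
    b(1) = MD5(S + R + A), b(i) = MD5(S + c(i-1)), c(i) = p(i) XOR b(i)."""
    if not 0 <= tag <= 31:
        raise ValueError("Tag must be 0..31 (RFC 2868 section 3.1)")
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator is 16 octets")
    if len(password) > 239:  # 1 + 239 pads to 240; 2 + 1 + 2 + 240 = 245 <= 255
        raise ValueError("password too long for one attribute")
    salt = os.urandom(2) if salt is None else bytes(salt)
    salt = bytes([salt[0] | 0x80, salt[1]])     # high bit of the Salt must be set
    plain = bytes([len(password)]) + password   # Data-Length + Password
    plain += bytes(-len(plain) % 16)            # Padding to a multiple of 16
    prev, cipher = request_auth + salt, b""
    for i in range(0, len(plain), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(plain[i:i + 16], b))
        cipher += c
        prev = c
    value = bytes([tag]) + salt + cipher
    return bytes([TUNNEL_PASSWORD, len(value) + 2]) + value


def decrypt_tunnel_password(attribute, secret, request_auth):
    """Return (tag, password). Raises ValueError on a malformed attribute or when
    the recovered Data-Length is impossible, the usual sign of a wrong secret."""
    if len(attribute) < 2 + 1 + 2 + 16 or attribute[0] != TUNNEL_PASSWORD:
        raise ValueError("not a Tunnel-Password attribute")
    if attribute[1] != len(attribute):
        raise ValueError("Length field does not match the attribute")
    tag, salt, cipher = attribute[2], attribute[3:5], attribute[5:]
    if tag > 31 or not salt[0] & 0x80 or len(cipher) % 16:
        raise ValueError("bad Tag, Salt or String length")
    prev, plain = request_auth + salt, b""
    for i in range(0, len(cipher), 16):
        b = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(cipher[i:i + 16], b))
        prev = cipher[i:i + 16]   # chaining uses the ciphertext block
    n = plain[0]
    if n > len(plain) - 1:
        raise ValueError("Data-Length exceeds decrypted data (wrong shared secret?)")
    return tag, plain[1:1 + n]
```

The hiding is only as strong as the shared secret: anyone holding the secret and a capture of the Access-Request (for the Request Authenticator) and the Access-Accept recovers the tunnel password, so the path between the Flexi ISN and the RADIUS server should be protected in transit and the secret should be long and random.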
Tunnel-Client-Auth-ID

The attribute specifies the name used by the tunnel initiator during the authentication phase of tunnel establishment.

Field name | Length | Value
Type | 1 octet | 90
Length | 1 octet |
Tag | 1 octet |
String | | The String field contains the authentication name of the tunnel initiator.

6.5.2 NSN-Tunnel-User-Auth-Method

Field name | Length | Value
Type | 1 octet | 26 (Vendor-Specific)
Length | 1 octet | 12
Vendor-Id | 4 octets | 28458 (Nokia-Siemens-Networks)
Vendor-Type | 1 octet | 1 (NSN-Tunnel-User-Auth-Method)
Vendor-Length | 1 octet | 6
Tag | 1 octet |
Integer | 3 octets | The Integer field defines the user authentication method: 1 = L2TP PAP, 2 = L2TP PAP with MSISDN, 3 = L2TP PAP with APN, 4 = L2TP PAP with IMSI, 5 = L2TP CHAP, 6 = L2TP CHAP with MSISDN, 7 = L2TP CHAP with APN, 8 = L2TP CHAP with IMSI, 9 = L2TP Proxy Authentication

NSN-Tunnel-Override-Username

The attribute changes the user authentication in dynamic tunnels when credentials are received from the terminal. When the attribute is set to Enabled (1), the credentials from the terminal override the ones previously used. The authentication fails if the received password is "password".

Field name | Length | Value
Type | 1 octet | 26 (Vendor-Specific)
Length | 1 octet | 10
Vendor-Id | 4 octets | 28458 (Nokia-Siemens-Networks)
Vendor-Type | 1 octet | 2 (NSN-Tunnel-Override-Username)
Vendor-Length | 1 octet | 4
Tag | 1 octet |
Integer | 1 octet |
6.5.3

The Flexi ISN supports dynamic tunnels in all APN types (RFC 2868 [9]). Arbitrary dynamic tunnelling configurations are supported (RFC 2868 [9]): the RADIUS server may return a tunnelling configuration that is not predefined in the Flexi ISN. If the RADIUS server is not trusted, the Flexi ISN does not allow this; if the RADIUS server can be trusted, the Flexi ISN allows those tunnelling configurations which are not predefined in the Flexi ISN. Because the tunnel endpoints come from the Access-Accept, a RADIUS server that is allowed arbitrary configurations can direct user traffic to any endpoint it names, so this trust setting should be granted only to servers that are authenticated and reachable over a protected path.
6.6 Nokia-Session-Access-Method
Field Name      Length      Value
Type            1 octet     26 (Vendor-Specific)
Length          1 octet
Vendor-Id       4 octets    94 (Nokia)
Vendor-Type     1 octet     10 (Nokia-Session-Access-Method)
Vendor-Length   1 octet
Value           1 octet

6.7 Nokia-Session-Charging-Type
Field Name      Length      Value
Type            1 octet     26 (Vendor-Specific)
Length          1 octet
Vendor-Id       4 octets    94 (Nokia)
Vendor-Type     1 octet     11 (Nokia-Session-Charging-Type)
Vendor-Length   1 octet
Value           1 octet     The Value field contains the charging profile:
                            0 = prepaid
                            1 = post-paid
                            2 = post-paid with credit control
                            3 = prepaid with credit card
                            4 = HLR
                            5 = wallet specific
                            6 = wallet specific without credit control
                            7 = hot billing
                            Note that online charging (OCS interface) is disabled if value 1, 6 or 7 is received, or if value 4 is received and the current charging characteristics do not have the Prepaid bit set.
6.8 Nokia-OCS-ID1
Field Name      Length      Value
Type            1 octet     26 (Vendor-Specific)
Length          1 octet     10
Vendor-Id       4 octets    94 (Nokia)
Vendor-Type     1 octet     12 (Nokia-OCS-ID1)
Vendor-Length   1 octet
Value           2 octets

6.9 Nokia-OCS-ID2
Field Name      Length      Value
Type            1 octet     26 (Vendor-Specific)
Length          1 octet     10
Vendor-Id       4 octets    94 (Nokia)
Vendor-Type     1 octet     13 (Nokia-OCS-ID2)
Vendor-Length   1 octet
Value           2 octets

6.10 Nokia-TREC-Index
Field Name      Length      Value
Type            1 octet     26 (Vendor-Specific)
Length          1 octet
Vendor-Id       4 octets    94 (Nokia)
Vendor-Type     1 octet     14 (Nokia-TREC-Index)
Vendor-Length   1 octet
Value           1 octet
6.11 Nokia-Requested-APN
Usage of this attribute requires a licence. The Nokia-Requested-APN attribute indicates the name of the access point to which the user equipment requested connecting. The value is copied from the access point name (APN) received from the SGSN in the Create PDP Context request. Note that the requested APN may differ from the negotiated APN (which is sent in the Called-Station-Id attribute). When the requested APN is an alias of a physical access point, the negotiated APN contains the name of the physical access point. The user profile may also override the requested APN; in this case the negotiated APN contains the name of the access point specified in the user profile. The Nokia-Requested-APN attribute is encoded as follows:
Field Name      Length      Value
Type            1 octet     26 (Vendor-Specific)
Length          1 octet
Vendor-Id       4 octets    94 (Nokia)
Vendor-Type     1 octet     15 (Nokia-Requested-APN)
Vendor-Length   1 octet
Value                       String
6.12 Transmission window
This section outlines the implementation and basic functionality of RADIUS transmission windows and waiting queues in the Flexi ISN. A transmission window contains the set of RADIUS requests that are currently being handled between the RADIUS client (the Flexi ISN) and the RADIUS server (the AAA server). The standard defines that a transmission window can have a maximum size of 256 simultaneous requests. This value is valid in entry, medium and large configurations and applies to each service blade (SB). In the Capacity Extender (CE) and Dual-Chassis (DC) configurations, a value of 1785 simultaneous requests has been chosen for the whole system in order to avoid congestion in RADIUS servers. This means that the transmission window for each service blade is reduced to 1785/13 = 137 simultaneous requests, where 13 is the number of SBs in the DC. Each RADIUS request inside a transmission window is identified by a unique RADIUS ID. Note that in DC and with high loads, a transmission window of 256 simultaneous requests for each SB would result in a total of 3328 simultaneous requests for each RADIUS server, which is considered a very high value.

The Flexi ISN creates its own, independent transmission window of 256 requests for every uniquely defined connection between the RADIUS client and the RADIUS server. In the Capacity Extender and Dual-Chassis configurations the window size is 137 requests. The functionality is available for all types of RADIUS servers; multiple independent transmission windows are possible for both RADIUS authentication and RADIUS accounting connections. When a new RADIUS request is sent out, it uses a certain transmission window according to the destination. A connection between the RADIUS client and the RADIUS server is defined by the following parameters:
- server address
- server port
- client address
- tunnel endpoint address (if configured)
- routing instance
- (client port, unique and fixed for each Flexi ISN service blade, see below)

For a RADIUS connection to get its own transmission window, the value of at least one of the above listed parameters must differ from those of the other existing configurations. The parameters are defined mainly in the access point configuration. If two or more configurations end up being the same, the RADIUS request messages for those access points use a shared transmission window (to the same shared RADIUS server). Each service blade of the Flexi ISN uses a fixed, unique source port (the client port) for outgoing requests. This means that there is a separate transmission window from each service blade to a given destination. The number of simultaneous requests depends on the configuration:
- In the Flexi ISN basic configuration there are 2 service blades x 256 = 512 simultaneous requests to the same destination.
- In the full Flexi ISN configuration there are 4 service blades x 256 = 1024 (in the one-blade GGSN the number was 256).
- In the Capacity Extender and Dual-Chassis configurations there are 13 service blades x 137 = 1785 (approximately) simultaneous requests to the same destination.

When the number of requests to be sent is large, the transmission window size limits the rate at which the requests are sent. On the other hand, some RADIUS servers have difficulties handling a big burst of simultaneous RADIUS messages, so the transmission window acts as a protection mechanism as well. If the given transmission window is full (that is, there are no free IDs left), the RADIUS request is temporarily stored in one of the transmission-window-specific waiting queues. Once any of the ongoing procedures finishes, that request is removed from the transmission window and a pending request from a waiting queue is inserted into the transmission window. Pending authentication requests have one waiting queue per transmission window, which is emptied in FIFO order. Pending accounting requests have multiple waiting queues per transmission window; the queues are sorted by accounting message type and access point index, and they are emptied in round-robin fashion.

Figure 4
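The window and waiting-queue behaviour described above, as an added example that is not Flexi ISN code: one transmission window with a fixed pool of RADIUS IDs, a FIFO queue for pending authentication requests and per-(message type, AP index) accounting queues drained round-robin, plus a table that keys windows by the connection parameters listed. The page does not say whether pending authentication or accounting requests are started first when an ID frees up; serving authentication first is an assumption made here.

```python
from collections import deque

# Added example, not Flexi ISN code: one RADIUS transmission window with the waiting-queue
# policy described above. Assumption not stated on the page: a pending authentication
# request is started before pending accounting requests when an ID frees up.


def window_key(server_addr, server_port, client_addr, routing_instance, tunnel_endpoint=None):
    """Connections that differ in none of these parameters share a transmission window."""
    return (server_addr, server_port, client_addr, routing_instance, tunnel_endpoint)


class TransmissionWindow:
    def __init__(self, size=256):            # 256 per service blade; 137 in CE/DC setups
        self.free_ids = deque(range(size))   # RADIUS Identifier values not currently in flight
        self.in_flight = {}                  # identifier -> request
        self.auth_queue = deque()            # pending Access-Requests, emptied FIFO
        self.acct_queues = {}                # (accounting message type, AP index) -> deque
        self.last_acct_key = None            # where the round-robin over acct queues left off

    def submit(self, request):
        """Return the RADIUS ID assigned, or None if the request had to wait (window full)."""
        if self.free_ids:
            return self._start(request)
        if request["kind"] == "auth":
            self.auth_queue.append(request)
        else:
            key = (request["acct_type"], request["ap_index"])
            self.acct_queues.setdefault(key, deque()).append(request)
        return None

    def complete(self, rid):
        """Free the ID of a finished request; start one pending request and return (request, id)."""
        del self.in_flight[rid]
        self.free_ids.append(rid)
        pending = self._next_pending()
        return None if pending is None else (pending, self._start(pending))

    def _start(self, request):
        rid = self.free_ids.popleft()
        self.in_flight[rid] = request
        return rid

    def _next_pending(self):
        if self.auth_queue:
            return self.auth_queue.popleft()
        # Accounting queues are visited round-robin in (message type, AP index) order.
        keys = sorted(k for k, q in self.acct_queues.items() if q)
        if not keys:
            return None
        later = [k for k in keys if self.last_acct_key is None or k > self.last_acct_key]
        key = later[0] if later else keys[0]
        self.last_acct_key = key
        return self.acct_queues[key].popleft()


class WindowTable:
    """One independent window per distinct connection key, one per destination as above."""
    def __init__(self, size=256):
        self.size, self.windows = size, {}

    def get(self, key):
        return self.windows.setdefault(key, TransmissionWindow(self.size))
```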
6.13 RADIUS proxy
A RADIUS server can function as both a forwarding server and a remote server. One forwarding server can forward to another forwarding server to create a chain of proxies. This means that if there are any Proxy-State attributes in the Disconnect-Request or CoA-Request received from the RADIUS server, the Flexi ISN includes those Proxy-State attributes in its response to the server. The Flexi ISN can copy up to 10 Proxy-State attributes from the request to the response packet. The attributes are copied in order, without modification.
6.14
The following attributes, if included, must match in order for a Disconnect- or CoA-Request to be successful; otherwise a Disconnect- or CoA-NAK is sent:
- NAS-IP-Address
- NAS-Identifier
- User-Name
- Acct-Session-Id or Acct-Multi-Session-Id (must be included in the message)

When the Event-Timestamp (55) attribute is present in a Disconnect- or CoA-Request, the Flexi ISN checks that the Event-Timestamp attribute is current within a time window of 300 seconds. If the Event-Timestamp attribute is not current, the message is silently discarded.

The Service-Type (6) attribute is used for feature activation (for example, a usage model similar to that supported in Diameter). The Flexi ISN responds to a Disconnect- or CoA-Request that includes an unsupported Service-Type attribute with a Disconnect- or CoA-NAK.
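The checks from the RADIUS proxy section and this one, as an added example that is not Flexi ISN code: a NAS-side decision function for a decoded Disconnect-/CoA-Request that echoes at most 10 Proxy-State attributes in order, silently discards a stale Event-Timestamp, requires the identification attributes to match when present, requires a session identifier, and answers an unsupported Service-Type with a NAK. Assumed here: the attributes are already decoded from the RFC 3576 TLV format into (name, value) pairs, the stale-timestamp check runs before the others, and the NAK carries Error-Cause 404, which the page states for CoA-NAK.

```python
import time

# Added example, not Flexi ISN code: the checks a NAS applies to a decoded Disconnect-/CoA-Request
# before answering, as described above. Assumptions: attributes arrive already decoded from the
# RFC 3576 TLV wire format, and a stale Event-Timestamp is checked before the other conditions.

PROXY_STATE_COPY_LIMIT = 10        # at most 10 Proxy-State attributes are copied, in order
EVENT_TIMESTAMP_WINDOW_S = 300     # Event-Timestamp (55) must be current within 300 seconds
ERROR_CAUSE_INVALID_REQUEST = 404  # Error-Cause value the page gives for CoA-NAK
MATCH_IF_PRESENT = ("NAS-IP-Address", "NAS-Identifier", "User-Name")
SESSION_ID_ATTRS = ("Acct-Session-Id", "Acct-Multi-Session-Id")


def handle_dynamic_auth_request(attrs, session, supported_service_types, now=None):
    """attrs: list of (name, value) pairs in packet order; session: the NAS's view of the
    session being addressed. Returns a dict whose "code" is "ACK", "NAK" or "DISCARD"."""
    now = time.time() if now is None else now
    proxy_state = [v for n, v in attrs if n == "Proxy-State"][:PROXY_STATE_COPY_LIMIT]
    reply = {"proxy_state": proxy_state, "event_timestamp": int(now)}  # echoed unmodified

    # A stale Event-Timestamp is dropped without any response (a replayed request gets no reply).
    for n, v in attrs:
        if n == "Event-Timestamp" and abs(now - v) > EVENT_TIMESTAMP_WINDOW_S:
            return {"code": "DISCARD", "reason": "Event-Timestamp not current"}

    def nak(reason):
        return dict(reply, code="NAK", error_cause=ERROR_CAUSE_INVALID_REQUEST, reason=reason)

    # Identification attributes are optional, but if present they must match the session.
    for n, v in attrs:
        if n in MATCH_IF_PRESENT and session.get(n) != v:
            return nak(f"{n} does not match the session")

    # Acct-Session-Id or Acct-Multi-Session-Id is mandatory and must match as well.
    session_ids = [(n, v) for n, v in attrs if n in SESSION_ID_ATTRS]
    if not session_ids:
        return nak("Acct-Session-Id or Acct-Multi-Session-Id missing")
    if any(session.get(n) != v for n, v in session_ids):
        return nak("session identifier does not match the session")

    # Service-Type (6) selects a feature; an unsupported value is answered with a NAK.
    for n, v in attrs:
        if n == "Service-Type" and v not in supported_service_types:
            return nak(f"unsupported Service-Type {v}")

    return dict(reply, code="ACK")
```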
Acct-Terminate-Cause
The Acct-Terminate-Cause attribute indicates how the session was terminated. Below is the list of values supported by the Flexi ISN and descriptions of the reasons that could have caused the context termination:

1, User Request
Context termination related to an SGSN or NAS:
- the SGSN cannot be reached or is down
- the SGSN has been restarted
- an Update PDP Context request to the SGSN has failed
- an SGSN has suddenly changed its GTP version
- the SGSN or NAS has created a new PDP context with the same IMSI and NSAPI as an already existing PDP context
- the SGSN assigned the TEID user plane of an already existing PDP context to a new PDP context
- an Error Indication message from the SGSN
- a Delete PDP Context request from an SGSN
- a RADIUS Accounting Stop, Accounting Off (= going down) or Accounting On (= restarted) message received from the NAS
- the NAS did not supply an essential attribute
- NAS accounting timeout: no accounting message was received for the NAS context
- the NAS configuration has been changed or deleted
- the NAS context has the same accounting session ID as an already existing context

3, Lost Service
Context termination related to an access point:
- an access point was critically reconfigured
- an access point was disabled
- the access point name does not match any existing and enabled access point

4, Idle Timeout
An idle timeout in the Flexi ISN caused the context termination.

5, Session Timeout
A session timeout in the Flexi ISN caused the context termination.

6, Admin Reset
A Disconnect Request terminated the context:
- a Disconnect Request message from a standard RADIUS interface
- a Disconnect Request message from the RADIUS-OCS interface

10, NAS Reset (default value)
A network-initiated context termination.

6.15
Table 8 (columns: Access-Accept, CoA-Request, AP mode: Normal, AP mode: RADIUS)
Dynamic IP address allocation: Framed-IP-Address (8)
Defining session timeouts: Session-Timeout (27), Idle-Timeout (28)
Dynamic tunneling parameters: Tunnel-Type (64), Tunnel-Client-Endpoint (66), Tunnel-Server-Endpoint (67), Tunnel-Password (69), Tunnel-Assignment-Id (82), Tunnel-Preference (83), Tunnel-Client-Auth-Id (90)
Primary-DNS-Server (135), Secondary-DNS-Server (136), MS-Primary-DNS-Server (26/311/28), MS-Secondary-DNS-Server (26/311/29)
1. Old method: Nokia-UserProfile (26/94/2)
2. Retrieving service components: Nokia-Service-Name (26/94/3), Nokia-Service-Id (26/94/4), Nokia-Service-Username (26/94/5), Nokia-Service-Password (26/94/6), Nokia-Service-Primary-Indicator (26/94/7), Nokia-Service-Charging-Type (26/94/8), Nokia-Service-Encrypted-Password (26/94/9)
Charging profile fetching: Nokia-Session-Charging-Type (26/94/11)
Nokia-TREC-Index (26/94/14)
Defining OCS servers: Nokia-OCS-Id1 (26/94/12), Nokia-OCS-Id2 (26/94/13)
Id:0900d8058068cfe6

7.1
- Nokia-Service-Name
- Nokia-Service-Id
- Nokia-Service-Username
- Nokia-Service-Password
- Nokia-Service-Primary-Indicator
- Nokia-Service-Charging-Type
- Nokia-Service-Encrypted-Password
The specific attribute format for Nokia vendor-specific service attributes is shown in Table 9:
Field Name      Length        Value
Type            1 octet       26 (Vendor-Specific)
Length          1 octet
Vendor-Id       4 octets      94 (Nokia)
Vendor-Type     1 octet       3 (Nokia-Service-Name)
                              4 (Nokia-Service-ID)
                              5 (Nokia-Service-Username)
                              6 (Nokia-Service-Password)
                              7 (Nokia-Service-Primary-Indicator)
                              8 (Nokia-Service-Charging-Type)
                              9 (Nokia-Service-Encrypted-Password)
Vendor-Length   1 octet
Tag             1 octet
Value           N octets
Table 9

Field Name      Length        Value
Vendor-Type     1 octet
Vendor-Length   1 octet
Tag             1 octet
Value           1-247 octets
Table 10 Nokia-Service-Name

Field Name      Length        Value
Vendor-Type     1 octet
Vendor-Length   1 octet       4-7
Tag             1 octet
Value           1-4 octets
Table 11 Nokia-Service-ID

Field Name      Length        Value
Vendor-Type     1 octet
Vendor-Length   1 octet
Tag             1 octet
Value           1-247 octets
Table 12 Nokia-Service-Username

Field Name      Length        Value
Vendor-Type     1 octet
Vendor-Length   1 octet
Tag             1 octet
Value           1-247 octets
Table 13 Nokia-Service-Password

Field Name      Length        Value
Vendor-Type     1 octet
Vendor-Length   1 octet
Tag             1 octet
Value           0 octets
Table 14 Nokia-Service-Primary-Indicator

Field Name      Length        Value
Vendor-Type     1 octet
Vendor-Length   1 octet
Tag             1 octet
Value           2 octets      Wallet-Id (1 octet), Charging-Type (1 octet)
Table 15 Nokia-Service-Charging-Type

Field Name      Length        Value
Vendor-Type     1 octet
Vendor-Length   1 octet       greater than 5
Tag             1 octet
Value           3-247 octets  Salt (1 octet)
                              String: Data-Length (1 octet), Password, Padding (optional, 1-15 octets)
                              Construct a plaintext version of the String field by concatenating the Data-Length and Password sub-fields. If necessary, pad the resulting string until its length (in octets) is an even multiple of 16. Zero octets (0x00) should be used for padding. Call this plaintext P.
                              Call the shared secret S, the pseudo-random 128-bit Request Authenticator (from the corresponding Access-Request packet) R, and the contents of the Salt field A.
                              Break P into 16 octet chunks p(1), p(2)...p(i), where i = len(P)/16. Call the cipher text blocks c(1), c(2)...c(i) and the final cipher text C. Intermediate values b(1), b(2)...b(i) are required. Encryption is performed in the following manner ('+' indicates concatenation):
                              b(1) = MD5(S + R + A)   c(1) = p(1) xor b(1)   C = c(1)
                              b(2) = MD5(S + c(1))    c(2) = p(2) xor b(2)   C = C + c(2)
                              ...
Nokia-Service-Encrypted-Password
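The String-field encryption described in the table above, as an added example that is not Nokia Siemens Networks code: it builds P from Data-Length, Password and zero padding, runs the MD5(S + R + A) keystream chained on the previous cipher block, decrypts with length validation, and wraps the result in a Nokia-Service-Encrypted-Password VSA (Vendor-Id 94, Vendor-Type 9) whose Length and Vendor-Length fields are checked on parsing. The same routine covers the Tunnel-Password (69) attribute from section 6.5, which carries a 2-octet Salt; the secret, Request Authenticator and salt values used in the test are constructed.

```python
import hashlib
import struct

# Added example, not Nokia Siemens Networks code: the String-field encryption described
# above, plus building and parsing the Nokia-Service-Encrypted-Password VSA around it.
# Tunnel-Password (69) uses the same method with a 2-octet Salt (pass 2 salt bytes).

NOKIA_VENDOR_ID = 94
VT_SERVICE_ENCRYPTED_PASSWORD = 9      # Vendor-Type from Table 9


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_string_field(password, secret, request_auth, salt):
    """P = Data-Length || Password || 0x00 padding to a multiple of 16; returns C."""
    if not 0 <= len(password) <= 255:
        raise ValueError("Data-Length is a single octet")
    p = bytes([len(password)]) + password
    p += b"\x00" * (-len(p) % 16)
    c_blocks, b = [], hashlib.md5(secret + request_auth + salt).digest()   # b(1) = MD5(S+R+A)
    for i in range(0, len(p), 16):
        c = _xor(p[i:i + 16], b)                                            # c(n) = p(n) xor b(n)
        c_blocks.append(c)
        b = hashlib.md5(secret + c).digest()                                # b(n+1) = MD5(S+c(n))
    return b"".join(c_blocks)


def decrypt_string_field(ciphertext, secret, request_auth, salt):
    """Inverse of encrypt_string_field; validates Data-Length before trusting it."""
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("String field must be a non-empty multiple of 16 octets")
    p_blocks, b = [], hashlib.md5(secret + request_auth + salt).digest()
    for i in range(0, len(ciphertext), 16):
        c = ciphertext[i:i + 16]
        p_blocks.append(_xor(c, b))
        b = hashlib.md5(secret + c).digest()
    p = b"".join(p_blocks)
    if p[0] > len(p) - 1:
        raise ValueError("Data-Length exceeds the String field")
    return p[1:1 + p[0]]


def build_encrypted_password_vsa(tag, salt, ciphertext):
    """Type 26 | Length | Vendor-Id 94 | Vendor-Type 9 | Vendor-Length | Tag | Salt | String."""
    vendor_len = 3 + len(salt) + len(ciphertext)          # counts Vendor-Type and Vendor-Length too
    vendor = bytes([VT_SERVICE_ENCRYPTED_PASSWORD, vendor_len, tag]) + salt + ciphertext
    if 6 + len(vendor) > 255:
        raise ValueError("attribute too long for a one-octet Length")
    return bytes([26, 6 + len(vendor)]) + struct.pack("!I", NOKIA_VENDOR_ID) + vendor


def parse_encrypted_password_vsa(attr, secret, request_auth, salt_len=1):
    """Check every length field before decrypting; returns (tag, password)."""
    if len(attr) < 10 or attr[0] != 26 or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    if vendor_id != NOKIA_VENDOR_ID or attr[6] != VT_SERVICE_ENCRYPTED_PASSWORD:
        raise ValueError("not Nokia-Service-Encrypted-Password")
    if attr[7] != len(attr) - 6 or attr[7] <= 5:           # page: Vendor-Length greater than 5
        raise ValueError("bad Vendor-Length")
    tag, salt = attr[8], attr[9:9 + salt_len]
    return tag, decrypt_string_field(attr[9 + salt_len:], secret, request_auth, salt)
```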
Nokia vendor-specific attributes can be included in Access-Accept and Change-of-Authorization messages. The required attributes for retrieving service components successfully are:
- Nokia-Service-Name or Nokia-Service-Id
- Nokia-Service-Primary-Indicator for one service, to describe which service will be used as the primary service.
7.2
The destination port used for CoA-Request messages is UDP port 3799. For responses, the source and destination ports are reversed. The packet format consists of the fields Code, Identifier, Length, Authenticator and Attributes in Type:Length:Value (TLV) format (RFC 3576 [12]). All fields have the same meaning as those described in RADIUS RFC 2865 [6]. The Authenticator field is calculated in the same way as specified for an Accounting-Request (RFC 2866 [7]). Unlike RADIUS as defined in RFC 2865 [6], the responsibility for retransmission of CoA-Request messages lies with the RADIUS server (RFC 3576 [12]). The RADIUS codes for the CoA messages are assigned as follows (RFC 3576 [12]):
- CoA-Request (43)
- CoA-ACK (44)
- CoA-NAK (45)

7.2.1 CoA-Request
To retrieve service components through the CoA-Request, the Nokia vendor-specific attributes defined in Section User profile fetching must be used. The CoA-Request must contain at least one of the following attributes to be successful in retrieving service components:
Additionally, the Nokia vendor-specific service attributes must be included in the CoA-Request. The required service attributes are Nokia-Service-Name or Nokia-Service-Id. The Nokia-Service-Primary-Indicator must be given to one service. The Flexi ISN is able to map the received attributes to a unique service. This procedure allows a service to be activated or terminated dynamically. The received attributes in the Change-of-Authorization message together contain a new, replacing profile. This makes terminating a service simple: the service that should be terminated is left out of the replacing profile.

Note: The charging type (wallet ID and wallet charging type) of an already active service cannot be changed in the updated user profile. This will lead to session termination.

Example 1
isp_service, default_service and news_service are activated. news_service will be terminated. A new replacing user profile is sent containing the attributes for isp_service and default_service. In this case the Nokia-Service-Name or Nokia-Service-Id attribute for the remaining services is enough.

Example 2
isp_service and news_service are activated. A new service, default_service, will be activated. A new replacing user profile is sent containing attributes for isp_service, news_service and default_service. In this case all possible Nokia service attributes for default_service must be included. Additionally, the Nokia-Service-Name or Nokia-Service-Id attribute for the already active services (isp_service and news_service) is included in the user profile.
7.2.2 CoA-ACK
The CoA-ACK packet is sent when the CoA-Request has been received and the user profile was read successfully. The Flexi ISN implementation sends the Event-Timestamp attribute in the CoA-ACK for security reasons.

7.2.3 CoA-NAK
The CoA-NAK packet is sent when the CoA-Request has been received and retrieving the service components failed (for example, the required attributes are not included in the CoA-Request, the primary indicator is missing, the required service is not found, the user session is not found, or the RADIUS server is not reliable). The Flexi ISN implementation sends the Event-Timestamp attribute for security reasons and the Error-Cause attribute with the value 404 (Invalid Request) in this message.
7.3 Nokia-UserProfile
Field Name      Length        Value
Type            1 octet       26 (Vendor-Specific)
Length          1 octet
Vendor-Id       4 octets      94 (Nokia)
Vendor-Type     1 octet       2 (Nokia-UserProfile)
Vendor-Length   1 octet
Value           N octets      Encoded as a string: list of services and primary/prepaid flag (as defined below).

Service lists are separated by the space character. One of the services is marked with a '*' to be considered the primary service.
The Service Aware profile from RADIUS may contain an indicator that the session is OCS prepaid. The indicator is a single dollar sign ('$'). It is placed in the list of active services as if it were an additional service.
The order does not matter.
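The profile string format above and the replacing-profile rules of section 7.2.1 (Examples 1 and 2 and the note on charging types), as an added example that is not Nokia Siemens Networks code: a parser for the Nokia-UserProfile string and a function that turns the set of services in a replacing profile into activate/keep/terminate actions. Assumed here: the '*' marker is written as a suffix of the service name, and per-service charging types are passed in as a name to (wallet ID, charging type) map mirroring Nokia-Service-Charging-Type.

```python
# Added example, not Nokia Siemens Networks code: parse the Nokia-UserProfile string described
# above and work out what a replacing profile (section 7.2.1) means for the active services.
# Assumption: the '*' marker is written as a suffix of the service name, e.g. "isp_service*".

PREPAID_MARKER = "$"   # the lone '$' sits in the list as if it were an additional service


def parse_user_profile(value):
    """Return the service names, the primary service and the OCS prepaid flag."""
    services, primary, prepaid = [], None, False
    for token in value.split():                 # services are separated by the space character
        if token == PREPAID_MARKER:
            prepaid = True
            continue
        name = token
        if token.endswith("*"):
            if primary is not None:
                raise ValueError("more than one service is marked as primary")
            name = token[:-1]
            primary = name
        if not name or "*" in name or "$" in name or name in services:
            raise ValueError(f"invalid or repeated service entry: {token!r}")
        services.append(name)
    if primary is None:
        raise ValueError("no service is marked with '*' as the primary service")
    return {"services": services, "primary": primary, "prepaid": prepaid}


def plan_profile_replacement(active, new_profile, old_charging=None, new_charging=None):
    """active: names of the services currently active; new_profile: output of parse_user_profile
    (or the names and primary carried by Nokia-Service-* attributes); *_charging: optional
    name -> (wallet_id, charging_type) maps taken from Nokia-Service-Charging-Type."""
    old_charging, new_charging = old_charging or {}, new_charging or {}
    new, old = set(new_profile["services"]), set(active)
    for name in sorted(new & old):
        if name in old_charging and name in new_charging and old_charging[name] != new_charging[name]:
            # The note in 7.2.1: the charging type of an active service cannot change -> session ends.
            return {"result": "session_terminated", "reason": f"charging type of {name} changed"}
    return {
        "result": "ok",
        "primary": new_profile["primary"],
        "activate": sorted(new - old),    # new entries need all their service attributes
        "keep": sorted(new & old),        # Nokia-Service-Name or Nokia-Service-Id is enough
        "terminate": sorted(old - new),   # simply left out of the replacing profile
    }
```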
8 References
1. RADIUS Attributes. Cisco web documentation, http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt6/scradatb.htm
2. 3GPP TS 29.060 GPRS Tunnelling Protocol (GTP) across the Gn and Gp interface (Release 6), V6.6.0 (2004-09)
3. 3GPP TS 29.061 Interworking between the Public Land Mobile Network (PLMN) supporting Packet Based Services and Packet Data Networks (PDN), V5.9.1 (2005-06)
4. 3GPP TS 32.015 Telecommunications management; Charging management; 3G call and event data for the Packet Switched (PS) domain, V3.12.0 (2003)
5. RFC 2548 Microsoft Vendor-specific RADIUS Attributes, G. Zorn, http://www.ietf.org/rfc/rfc2548.txt
6. RFC 2865 Remote Authentication Dial In User Service (RADIUS), C. Rigney et al., http://www.ietf.org/rfc/rfc2865.txt
7. RFC 2866 RADIUS Accounting, C. Rigney, http://www.ietf.org/rfc/rfc2866.txt
8. RFC 2867 RADIUS Tunnel Accounting Support, G. Zorn et al., http://www.ietf.org/rfc/rfc2867.txt
9. RFC 2868 RADIUS Attributes for Tunnel Protocol Support, G. Zorn et al., http://www.ietf.org/rfc/rfc2868.txt
10. RFC 2869 RADIUS Extensions, C. Rigney et al., http://www.ietf.org/rfc/rfc2869.txt
11. RFC 2882 Network Access Servers Requirements: Extended RADIUS Practices, D. Mitton, http://www.ietf.org/rfc/rfc2882.txt
12. RFC 3576 Dynamic Authorization Extensions to Remote Authentication Dial-In User Service (RADIUS), Murtaza S. Chiba et al., http://www.ietf.org/rfc/rfc3576.txt
Id:0900d8058068c3dc
9 Abbreviations
AAA       Authentication, Authorization and Accounting
APN       Access Point Name
ASCII     American Standard Code for Information Interchange
CDR       Charging Data Record
CE        Capacity Extender
CHAP      Challenge Handshake Authentication Protocol
CoA       Change-of-Authorization
DC        Dual-Chassis
DNS       Domain Name System
FIFO      First In, First Out
FQDN      Fully Qualified Domain Name
G-CDR     GGSN CDR
GGSN      Gateway GPRS Support Node
GPRS      General Packet Radio Service
GRE       Generic Routing Encapsulation
GTP       GPRS Tunnelling Protocol
HLR       Home Location Register
ICD
IE        Information Element
IMEISV    International Mobile Equipment Identity and Software Version
IMSI      International Mobile Subscriber Identity
IP        Internet Protocol
IP-IP     IP in IP Tunnel Protocol
L2TP      Layer 2 Tunneling Protocol
LAC
MCC       Mobile Country Code
MD5       Message-Digest Algorithm 5
MNC       Mobile Network Code
MSISDN    Mobile Subscriber ISDN Number
NAS       Network Access Server
OCS       Online Charging System
OSC
PAP       Password Authentication Protocol
PCO       Protocol Configuration Options
PDP       Packet Data Protocol
PLMN      Public Land Mobile Network
PPP       Point-to-Point Protocol
QoS       Quality of Service
RADIUS    Remote Authentication Dial In User Service
RAI       Routing Area Identity
RAT       Radio Access Technology
RFC       Request for Comments
RSA       Rivest-Shamir-Adleman
SB        Service Blade
SGSN      Serving GPRS Support Node
SLIP      Serial Line Internet Protocol
TA        Traffic Analyzer
TREC      Treatment Class
TRW       Transmission Window
UDP       User Datagram Protocol
UE        User Equipment
Id:0900d805807522e0