
FISNFI40EMED.06

Nokia Siemens Networks Flexi ISN, Rel. 4.0

Operating Documentation, v.6

RADIUS Interface, Interface Description


DN70119375

Issue 5-3 en
RADIUS Interface, Interface Description

The information in this document is subject to change without notice and describes only the
product defined in the introduction of this documentation. This documentation is intended for the
use of Nokia Siemens Networks customers only for the purposes of the agreement under which
the document is submitted, and no part of it may be used, reproduced, modified or transmitted
in any form or means without the prior written permission of Nokia Siemens Networks. The
documentation has been prepared to be used by professional and properly trained personnel,
and the customer assumes full responsibility when using it. Nokia Siemens Networks welcomes
customer comments as part of the process of continuous development and improvement of the
documentation.
The information or statements given in this documentation concerning the suitability, capacity,
or performance of the mentioned hardware or software products are given "as is" and all liability
arising in connection with such hardware or software products shall be defined conclusively and
finally in a separate agreement between Nokia Siemens Networks and the customer. However,
Nokia Siemens Networks has made all reasonable efforts to ensure that the instructions
contained in the document are adequate and free of material errors and omissions. Nokia
Siemens Networks will, if deemed necessary by Nokia Siemens Networks, explain issues which
may not be covered by the document.
Nokia Siemens Networks will correct errors in this documentation as soon as possible. IN NO
EVENT WILL Nokia Siemens Networks BE LIABLE FOR ERRORS IN THIS DOCUMENTATION
OR FOR ANY DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, DIRECT, INDIRECT,
INCIDENTAL OR CONSEQUENTIAL OR ANY LOSSES, SUCH AS BUT NOT LIMITED
TO LOSS OF PROFIT, REVENUE, BUSINESS INTERRUPTION, BUSINESS OPPORTUNITY
OR DATA, THAT MAY ARISE FROM THE USE OF THIS DOCUMENT OR THE INFORMATION
IN IT.
This documentation and the product it describes are considered protected by copyrights and
other intellectual property rights according to the applicable laws.
The wave logo is a trademark of Nokia Siemens Networks Oy. Nokia is a registered trademark
of Nokia Corporation. Siemens is a registered trademark of Siemens AG.
Other product names mentioned in this document may be trademarks of their respective
owners, and they are mentioned for identification purposes only.
Copyright Nokia Siemens Networks 2010. All rights reserved

Important Notice on Product Safety


Elevated voltages are inevitably present at specific points in this electrical equipment.
Some of the parts may also have elevated operating temperatures.
Non-observance of these conditions and the safety instructions can result in personal
injury or in property damage.
Therefore, only trained and qualified personnel may install and maintain the system.
The system complies with the standard EN 60950 / IEC 60950. All equipment connected
has to comply with the applicable safety standards.


Table of Contents
This document has 96 pages.

1 Changes in RADIUS Interface Description
1.1 Changes in release 4.0 CD4
1.2 Changes in release 4.0 CD3
1.3 Changes in release 4.0 CD2
1.4 Changes in release 4.0
1.5 Changes between releases 3.2 and 4.0
1.6 Changes between releases 3.1 and 3.2
1.7 Changes between releases 3.0 and 3.1

2 Introduction
2.1 About
2.2 Audience

3 Overview of RADIUS interface
3.1 Key features of RADIUS
3.2 RADIUS in the Flexi ISN environment
3.2.1 Authentication operations
3.2.2 Accounting operations
3.2.3 Configuration parameters
3.3 Interface protocol
3.3.1 Message flow

4 RADIUS license

5 Data elements
5.1 RADIUS interface data format
5.1.1 Code
5.1.2 Identifier
5.1.3 Length
5.1.4 Authenticator
5.2 Attributes
5.2.1 Vendor-specific attribute encoding
5.2.2 Attributes sent and received by Flexi ISN
5.2.2.1 Access Request
5.2.2.2 Access Accept
5.2.2.3 Accounting Request Start
5.2.2.4 Accounting Request Interim-Update
5.2.2.5 Accounting Request Stop
5.2.2.6 Accounting Request On/Off
5.2.2.7 Disconnect Request
5.2.2.8 Disconnect ACK
5.2.2.9 Disconnect NAK
5.2.2.10 Change of Authorisation (CoA) Request
5.2.2.11 Change of Authorisation (CoA) ACK
5.2.2.12 Change of Authorisation (CoA) NAK

6 Additional features


6.1 Support for DNS servers provided by the RADIUS server
6.2 RADIUS Disconnect
6.2.1 Disconnect-Request
6.2.2 Disconnect-ACK
6.2.3 Disconnect-NAK
6.3 Accounting Request Interim-Update
6.4 Acct-Input-Gigawords and Acct-Output-Gigawords
6.5 Dynamic tunnelling of APN
6.5.1 Tunnelling attributes related to authentication
6.5.2 Tunnelling attributes related to user authentication
6.5.3 Additional requirements related to dynamic tunnelling of APN
6.6 Nokia vendor-specific attribute Nokia-Session-Access-Method
6.7 Charging profile fetching through RADIUS
6.8 Defining OCS servers through RADIUS
6.9 Determining TREC through RADIUS
6.10 Nokia-Requested-APN
6.11 Transmission window
6.12 Support for RADIUS proxy
6.13 Checks made on Disconnect-Requests and CoA-Requests; RFC 3576
6.14 Acct-Terminate-Cause
6.15 Values and profiles determined through RADIUS

7 Retrieving service components
7.1 User profile fetching
7.2 Retrieving service components dynamically
7.2.1 CoA-Request
7.2.2 CoA-ACK
7.2.3 CoA-NAK
7.3 Usage of the old service list fetching attribute

8 References

9 Abbreviations


List of Figures
Figure 1 RADIUS message flow, basic case
Figure 2 RADIUS message flow, change PDP context parameters
Figure 3 RADIUS message flow, disconnect by RADIUS server
Figure 4 RADIUS proxy


List of Tables
Table 1 Common RADIUS configuration
Table 2 RADIUS authentication configuration
Table 3 RADIUS Accounting configuration
Table 4 RADIUS Disconnect configuration
Table 5 Summary of RADIUS data format
Table 6 Attribute format
Table 7 Attributes used by Flexi ISN
Table 8 Determined values in a RADIUS message
Table 9 Specific attribute format for Nokia vendor-specific service attributes
Table 10 Nokia-Service-Name
Table 11 Nokia-Service-ID
Table 12 Nokia-Service-Username
Table 13 Nokia-Service-Password
Table 14 Nokia-Service-Primary-Indicator
Table 15 Nokia-Service-Charging-Type
Table 16 Nokia-Service-Encrypted-Password


1 Changes in RADIUS Interface Description

1.1 Changes in release 4.0 CD4


Changes in content
A new hardware configuration, Capacity Extender, is introduced.
A new vendor specific attribute, 3GPP-IMSI-MCC-MNC, has been added.

Changes in documentation
Section Transmission window has been updated regarding the Capacity Extender configuration.
The new 3GPP-IMSI-MCC-MNC vendor specific attribute has been added in Section Vendor-specific
attribute encoding. The same attribute has been added in the tables of the Access Request,
Accounting Request Start, Accounting Request Interim-Update and Accounting Request Stop
Sections.
The descriptions of the following parameters have been updated in Section RADIUS in the
Flexi ISN environment:
- Numeric ID
- Encode Vendor-Specific Attributes Separately
- User Authentication Method
- Override User Name Containing APN/MSISDN
- IP Address Generation Method
- Dynamic Tunnels
- Secondary Account Server Mode
- RADIUS Accounting Mode
Section RADIUS in the Flexi ISN environment has been updated with a Note.
The length value of the attribute NSN-Tunnel-Override-Username in Section Tunnelling
attributes related to user authentication has been changed from 12 to 10.

1.2 Changes in release 4.0 CD3


Changes in content
No changes in content

Changes in documentation
Table RADIUS authentication configuration has been updated.

1.3 Changes in release 4.0 CD2


Changes in content
Document updated with content for Optional Radius Accounting in 3GPP mode feature.

Changes in documentation
Section Configuration parameters has been updated with values for the RADIUS
Accounting configuration.

Section RADIUS license has been updated with information about the Optional Radius
Accounting in 3GPP mode feature.

1.4 Changes in release 4.0


Changes in content
Document updated with content for Network Based QoS feature.

Changes in documentation
Section Transmission window has been updated with values for the Dual-Chassis configuration.

1.5 Changes between releases 3.2 and 4.0


Changes in content
The new modes Redundancy and Semi Redundancy have been added to the Secondary Account
Server Mode option.
A new Vendor-ID has been defined for Nokia Siemens Networks (28458 Nokia-Siemens-Networks).
The vendor-specific attributes NSN-Tunnel-User-Auth-Method and NSN-Tunnel-Override-Username
have been defined to allow the User Authentication method within dynamic L2TP tunnelling when
PAP tokens from PCO IE are not provided by the user equipment. In addition, other
authentication methods are now possible within dynamic L2TP tunnels.
Modifications in the 3GPP-Charging-Id and 3GPP-GGSN-Address attributes due to the new
Charging ID Support feature.
The value option None has been removed from the User Authentication Method parameter.
The following configuration parameters have been removed: Tunneling in Authentication,
Tunneling in Accounting.

Changes in documentation
Section RADIUS in the Flexi ISN environment: Added the two above mentioned modes.
Section Configuration parameters: In Table 3, the modes Redundancy and Semi
Redundancy have been added to the RADIUS Accounting configuration.
Section Vendor-specific attribute encoding: Added the above mentioned Vendor-Id and
attributes.
Section Attributes sent and received by Flexi ISN: Added the above mentioned attributes
to table Access Accept.
Section Tunnelling attributes related to user authentication: This new section describes
the new vendor-specific attributes.
Section Additional requirements related to dynamic tunnelling of APN: This section has
been renumbered from 6.5.2.
Section RADIUS in the Flexi ISN environment: Clarification added about switching back
to the primary server from the secondary server. Information added about the Accounting
To Authentication Server option.
Section Configuration parameters: Added parameters Server switchover time and
Accounting To Authentication Server. Removed parameters Tunnelling in Authentication,
Tunnelling in Accounting.
Section Vendor-specific attribute encoding: The definitions for the following attributes
have been updated: 3GPP-Charging-Id, 3GPP-GGSN-Address.


Section Disconnect-Request: Added clarification about the use of Acct-Session-Id
and Acct-Multi-Session-Id attributes in disconnect messages.
Section Dynamic tunnelling of APN: In Section Tunnel-Assignment-ID, added clarification
that an existing tunnel can be re-used only if the same service blade is used.
Section RADIUS in the Flexi ISN environment: Added clarification that if there is no reply
to an Accounting Start message for a PDP context from the primary or secondary
accounting servers, nothing will be sent to the extra RADIUS accounting servers regarding
the PDP context.
Section Configuration parameters: In Table 3, the description for the value 'Redundancy'
for the Secondary Account Server Mode parameter has been updated.

1.6 Changes between releases 3.1 and 3.2


Changes in content
New feature:
- RADIUS IPS Compatibility
New attributes:
- 3GPP-Charging-Gateway-Address (Section Vendor-specific attribute encoding)
- 3GPP-GGSN-MCC-MNC (Section Vendor-specific attribute encoding)
- 3GPP-Selection-Mode (Section Vendor-specific attribute encoding)
- Service-Type (Section Attributes)
- Framed-Protocol (Section Attributes)
- Acct-Authentic (Section Attributes)
Enhanced usage of old attributes:
- 3GPP-PDP-Type. Now also sent in Access-Request messages if the RADIUS
  Authentication Operation is IMSI-SGSN-3GPP.
- 3GPP-Charging-Characteristics. The attribute is also included in Accounting-Requests
  (Start, Stop, and Interim) if the RADIUS Account Server Operation is 3GPP.
- Acct-Terminate-Cause. Now also included in all Stop Accounting-Requests.
- New values defined for Acct-Terminate-Cause attribute (Section Acct-Terminate-Cause).
New configuration parameters:
- Server switchover time
- Accounting To Authentication Server

Changes in documentation
Section Configuration parameters: a new tunnelling parameter has been added (Client
tunnelling IP Address).
Section Message flow: the text has been updated.
Section Attributes: in Table Attributes used by Flexi ISN the descriptions of the
Acct-Input-Octets and Acct-Output-Octets attributes have been modified.
Section Attributes sent and received by Flexi ISN: the structure has been modified and
the tables have been updated.
The following new sections have been added:
- Acct-Terminate-Cause
- Values and profiles determined through RADIUS
Section RADIUS in the Flexi ISN environment: Clarification about switching back to the
primary server from the secondary server. Information added about the Accounting To
Authentication Server option.
Section Authentication operations: validation information has been updated.
Section Configuration parameters: the following parameters have been added: Switchover
time, Tunneling in Authentication, Tunneling in Accounting, and Accounting To
Authentication Server.
Section Message flow: the figures have been modified.

1.7 Changes between releases 3.0 and 3.1


Changes in content
New feature:
- RADIUS accounting transmission window and queue enhancements (Section
  Transmission window)
New value allowed for attribute Nokia-Session-Charging-Type.

Changes in documentation
The ID number for this document is now DN70119375 (previously DN04134636).


2 Introduction
This document specifies the interface between the Flexi ISN and its counterpart server
for delivering subscriber identification, the remote authentication dial-in user service
(RADIUS) server. This document is mainly based on RFC 2865 [6] and RFC 2866 [7],
together with 3GPP standard TS 29.061 [3].

2.1 About
The main sections of this document are:
- Overview
  This specifies the delivery of subscriber identification, the reference model, and the
  interfaces between the Flexi ISN and the RADIUS server.
- Data elements
  This specifies the data elements for RADIUS authentication and accounting supported
  by the Flexi ISN.
- Additional features
  This specifies some new attributes and additional features supported by the Flexi ISN.
- Retrieving service components
  This specifies the service aware features in RADIUS; user profile fetching during
  authentication and dynamically by using the CoA message.
It is not within the scope of this document to specify the Nokia proprietary RADIUS
specification between the Flexi ISN and Nokia Online Service Controller (OSC), used in the
Intelligent Content Delivery (ICD) system.

2.2 Audience
Users of this document should have a basic knowledge of the Flexi ISN, wireless networks,
the Internet, RADIUS, and RADIUS accounting and authentication protocol.


3 Overview of RADIUS interface


In the Flexi ISN, subscriber identification is the key to:
- billing
- access control
- personalisation of services
The Flexi ISN supports these activities during request processing when it resolves
subscriber identifiers by using RADIUS accounting protocol (RFC 2866 [7]). The interface
protocol is further explained in Section Interface protocol.
The Flexi ISN also uses authentication packets provided by RFC 2865 [6].
RADIUS is transported by means of User Datagram Protocol (UDP), where the UDP
destination port is 1812 for RADIUS Authentication messages and 1813 for RADIUS
Accounting messages.
Note: The interface between the Flexi ISN and the Traffic Analyser (TA) is based on
Internet Protocol (IP) and RADIUS. This is, however, not described here, because
the Flexi ISN-TA interface is invisible to the Flexi ISN. Nokia TA listens to RADIUS
Accounting Start, Stop, Interim Update, On, and Off messages sent by the Flexi ISN.
For the use of advanced features in Nokia TA, the RADIUS 3GPP Accounting mode
needs to be enabled.

3.1 Key features of RADIUS


RFC 2865 [6] and RFC 2866 [7] define the following as the key features of the RADIUS
protocol:
- Client/Server model
  A Flexi ISN operates as a client of RADIUS. The client is responsible for passing
  user information to designated RADIUS servers, and then acting on the response
  that is returned. RADIUS servers are responsible for receiving user connection
  requests, authenticating the user, and then returning all configuration information
  necessary for the client to deliver a service to the user.
- Network security
  Transactions between the client and the RADIUS server are authenticated through
  the use of a shared secret, which is never sent over the network. In addition, any
  user passwords are sent encrypted between the client and the RADIUS server to
  eliminate the possibility that someone snooping on an unsecured network could
  determine a user's password. When a user password is present, it is hidden using a
  method based on RSA Message Digest Algorithm version 5 (MD5).
- Flexible authentication mechanisms
  The RADIUS server can support a variety of methods to authenticate a user. When
  it is provided with the user name and the original password given to the user, it can
  support PPP PAP or CHAP, UNIX login, and other authentication mechanisms.
- Extensible protocols
  All transactions are comprised of variable length Attribute-Length-Value 3-tuples.
  New attribute values can be added without disturbing existing implementations of
  the protocol.
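
The Network security and Extensible protocols items above, worked through as an added example (not part of the original document and not Flexi ISN code): the RFC 2865 User-Password hiding, the attribute 3-tuples, and the Response Authenticator that proves knowledge of the shared secret without sending it. The secret, user name, password and Request Authenticator are constructed sample values, and all function names are illustrative.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2        # RFC 2865 attribute types

SECRET = b"constructed-shared-secret"  # constructed sample value
REQUEST_AUTH = bytes(range(16))        # constructed; a real client uses 16 unpredictable octets


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    """c1 = p1 XOR MD5(secret + RA), c(i) = p(i) XOR MD5(secret + c(i-1))."""
    if len(password) > 128 or len(request_auth) != 16:
        raise ValueError("password over 128 octets or bad Request Authenticator")
    blocks = max(1, -(-len(password) // 16))          # pad to a multiple of 16 octets
    padded = password.ljust(blocks * 16, b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden


def reveal_password(hidden, secret, request_auth):
    """Server side: undo hide_password() with the same shared secret."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("hidden password must be 16..128 octets, multiple of 16")
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def build_packet(code, identifier, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) then Type-Length-Value attributes."""
    body = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        body += bytes([attr_type, len(value) + 2]) + value
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value), ...]); reject bad lengths."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-octet header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= min(len(data), 4096):
        raise ValueError("Length field does not match the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, data[4:20], attrs


def sign_response(code, identifier, attrs, request_auth, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    unsigned = build_packet(code, identifier, request_auth, attrs)
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]


def verify_response(reply, request_auth, secret):
    """Client side: accept the reply only if it was built with the shared secret."""
    if len(reply) < 20:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if not 20 <= length <= len(reply):
        return False
    reply = reply[:length]
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def demo():
    password = b"constructed-pdp-password"            # 24 octets, two 16-octet blocks
    request = build_packet(ACCESS_REQUEST, 7, REQUEST_AUTH, [
        (USER_NAME, b"subscriber"),
        (USER_PASSWORD, hide_password(password, SECRET, REQUEST_AUTH)),
    ])
    _, identifier, auth, attrs = parse_packet(request)
    recovered = reveal_password(dict(attrs)[USER_PASSWORD], SECRET, auth)
    reply = sign_response(ACCESS_ACCEPT, identifier, [], auth, SECRET)
    return request, recovered, reply


if __name__ == "__main__":
    req, pw, rep = demo()
    print(req.hex(), pw, verify_response(rep, REQUEST_AUTH, SECRET))
```

Only the User-Password value is hidden; the User-Name and every other attribute of the request travel in clear.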


3.2 RADIUS in the Flexi ISN environment


A Flexi ISN can use nine RADIUS servers for each access point. Four of the servers are
very important; two pairs consisting of a primary and a secondary RADIUS server. The
remaining five RADIUS servers are extra and optional accounting servers. The first pair
of RADIUS servers is used for authentication and the second pair of RADIUS servers is
used to deliver extra information for external systems (the accounting servers). The
same server may take care of the two functions.
One pair of RADIUS servers consists of a primary server and a secondary server. The
Flexi ISN attempts to communicate first with the primary server; if there is no response,
it communicates with the secondary server. When the Flexi ISN receives a response, it
memorizes the IP address of the RADIUS server that responded. That server will be
used in any further communication where possible.
By default, the Flexi ISN tries to contact the primary server three times and waits for a
response for 2, 4, and 8 seconds, respectively. If a secondary server exists and there is
no response from the primary server, the Flexi ISN tries to contact the secondary server
three times, as with the primary server. The operator can configure the number of
attempts and the waiting times. The same values are used for the primary and secondary
servers.
When the Flexi ISN switches from a primary server to a secondary server because of no
response from the primary server, there will be a try with a configurable interval to switch
back to the primary server (RADIUS Switchover Time configuration parameter). This
happens for both the authentication and accounting server pairs independently (an
authentication pair switchover does not affect accounting).
The RADIUS authentication server always operates in the Backup mode.
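
The Backup-mode behaviour described above (three tries per server with 2, 4 and 8 second waits, a remembered responding server, and a timed try to return to the primary), simulated as an added example that is not part of the original document and not Flexi ISN code. The class and method names, the 300-second switchover time, the server addresses, and the order in which a remembered secondary falls back to the primary are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

Attempt = Tuple[str, int]  # (server address, seconds waited for a reply)


@dataclass
class BackupModePair:
    """One primary/secondary RADIUS server pair operating in the Backup mode."""
    primary: str
    secondary: Optional[str] = None
    timeouts: Tuple[int, ...] = (2, 4, 8)   # default waits stated in the text
    switchover_time: int = 300              # assumed value; the text only says "configurable"
    active: str = field(default="", init=False)
    switched_at: Optional[int] = field(default=None, init=False)

    def __post_init__(self) -> None:
        self.active = self.primary

    def worst_case_wait(self) -> int:
        """Seconds spent before a request is given up when no server answers."""
        servers = 2 if self.secondary else 1
        return servers * sum(self.timeouts)

    def request(self, send: Callable[[str, int], bool],
                now: int) -> Tuple[Optional[str], List[Attempt]]:
        """Send one request; `send(server, wait)` returns True if a reply arrived in time."""
        log: List[Attempt] = []
        # After the switchover time has elapsed, try the primary first again.
        if self.switched_at is not None and now - self.switched_at >= self.switchover_time:
            self.active = self.primary
        order = [self.active]
        for server in (self.primary, self.secondary):
            if server and server not in order:
                order.append(server)
        for server in order:
            for wait in self.timeouts:
                log.append((server, wait))
                if send(server, wait):
                    self._remember(server, now)
                    return server, log
        return None, log

    def _remember(self, server: str, now: int) -> None:
        """Memorize the responding server and start or clear the switch-back timer."""
        if server == self.primary:
            self.switched_at = None
        elif self.active == self.primary or self.switched_at is None:
            self.switched_at = now
        self.active = server


def simulate() -> List[Tuple[int, Optional[str], List[Attempt]]]:
    """Constructed scenario: the primary is down at t=0 and t=10, back up at t=300."""
    pair = BackupModePair("192.0.2.10", "192.0.2.20")
    down = {"192.0.2.10"}
    results = []
    for now in (0, 10, 300):
        if now == 300:
            down.clear()
        answered, log = pair.request(lambda server, wait: server not in down, now)
        results.append((now, answered, log))
    return results


if __name__ == "__main__":
    for now, answered, log in simulate():
        print(now, answered, log)
```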
The RADIUS accounting server can be set to operate in the following three modes:
The Backup mode
The Semi Redundancy mode
The Redundancy mode
In the Backup mode, the Flexi ISN forwards requests to a secondary server if the
primary server is down or unreachable. In the Backup mode, the Flexi ISN also remembers
the IP address of the RADIUS server that responded separately for each primary
PDP context, in other words during one session. If the Accounting To Authentication
Server option is enabled and authentication is used, accounting for the PDP context will
be transmitted to the authentication server where the PDP context was authenticated (if
authentication and accounting have all the same properties except the port number,
which is the fixed value 1813, not read from the configuration). This functionality is
supported for any primary/secondary server combination, but not for the 3rd - 7th
accounting servers.
In the Semi Redundancy mode, the difference is that the Flexi ISN sends the request to
the primary and secondary servers at the same time. If one of the servers responds, the
accounting process continues normally, since a single server's response is considered
success. There are no switchovers between the primary and secondary server in this
mode because requests are always sent to both servers. No retransmission timeouts
are performed if a response is received from either of the two accounting servers, in
order to speed up the PDP context activation. Retransmissions are sent to both servers
if they are out of service or no response is received. If the retransmission timeout setting
expires, alarms are raised for both servers to signal that they are out of service.
In the Redundancy mode, requests are sent simultaneously to both servers and Flexi
ISN treats them separately. As soon as a response is sent from one server to Flexi ISN,
the PDP context activation procedure continues. Flexi ISN will continue sending
retransmissions to the other server until it receives a response or the retransmission
timeout setting expires. In case of no response, an alarm is raised indicating that this
server is out of service. Flexi ISN will continue to send requests to both RADIUS servers
on subsequent PDP Context Activations. Alarms are raised for both servers if they are out
of service.
There are five extra RADIUS accounting servers (also known as 'fire and forget' servers)
to which accounting messages are sent if those servers are configured in the accounting
profile that the access point in use is pointing to. It is important to note that the primary
and secondary servers have different characteristics and supported features than the fire
and forget servers. All accounting messages that are sent to the primary or secondary
accounting server are sent to these servers only once, after a response from the
primary/secondary server has been received. This means that there is no retransmission
to these servers. Note that if there is no reply to an Accounting Start message for a PDP
context from the primary or secondary accounting servers, nothing will be sent to
accounting servers 3 to 7 for the PDP context. The content of the accounting messages
is slightly different for fire and forget messages. The Accounting To Authentication
Server functionality does not cover fire and forget servers.
The Flexi ISN does not expect any Accounting-Response messages from the extra
RADIUS accounting servers for the sent Accounting-Requests. Note that if there is no
reply to an Accounting Start message for a PDP context from the primary or secondary
accounting servers, nothing will be sent to the extra RADIUS accounting servers
regarding the PDP context.
Note: Accounting messages are sent to 'fire and forget' servers after the response of
either the primary or the secondary server, as described above, but only for the
"primary" connection of the primary PDP context. On the other hand, in case of
"secondary" connections the accounting messages are not forwarded to 'fire and forget'
servers, so this functionality cannot be used in Service Access Points.

3.2.1 Authentication operations


When the Flexi ISN has obtained the authentication information from the user, it creates
an Access-Request containing attributes such as the user's name, the user's password,
the ID of the client, and the Port ID that the user is accessing.
The Access-Request is submitted to the RADIUS server via the network. If no response
is returned within a certain length of time, the request is re-sent a number of times. The
Flexi ISN can also forward requests to an alternate server (secondary server) if the
primary server is down or unreachable.
Once the RADIUS server receives the request, it validates the sending Flexi ISN. The
Flexi ISN must have a shared secret with the RADIUS server; otherwise the RADIUS server
silently discards the request. If the Flexi ISN is valid, the RADIUS server consults a
database of users to find the user whose name matches the request.
If any condition is not met, the RADIUS server sends an Access-Reject response indicating
that this user request is invalid.
If all conditions are met and the RADIUS server wishes to issue a challenge to which the
user must respond, the RADIUS server sends an Access-Challenge response. It may
include a text message to be displayed by the GGSN/ISN to the user prompting for a
response to the challenge, and may include a State attribute. The client could then
resubmit its original Access-Request with a new request ID, with the User-Password
attribute replaced by the response (encrypted), and including the State attribute from
the Access-Challenge, if any.

The Flexi ISN does not support challenge/response, because there is no way the Flexi
ISN can communicate with the user. It treats an Access-Challenge as though it had
received an Access-Reject and sends a new Access-Request.
If all conditions are met, the list of configuration values for the user is placed into an
Access-Accept response. These values include the type of service (for example: SLIP,
PPP, Login User) and all the necessary values to deliver the desired service.

3.2.2 Accounting operations


The Flexi ISN supports and sends the following RADIUS Accounting messages to the
RADIUS accounting server:
Accounting Start
This is used when a PDP context is created.
Accounting Stop
This is used when a PDP context is deleted.
Accounting ON
This is sent to the RADIUS server at the time the access point becomes active so
that the IP addresses (that have possibly been left hanging) can be released.
Accounting OFF
This is sent to the RADIUS server at the time the access point becomes inactive so
that the IP addresses can be released.
Accounting Interim-Update
This is sent to the RADIUS server when the PDP context is updated.
The Accounting-Request (whether for Start or Stop) is submitted to the RADIUS
accounting server via the network. For more information, see RFC 2866 [7].

3.2.3 Configuration parameters


The RADIUS configuration in the Flexi ISN is located in the RADIUS profiles
configuration. For instructions on configuring the RADIUS interface, see Access Points
in Nokia Siemens Networks Flexi ISN.


Numeric ID
(Routing Instance -> Config (Default) -> Flexi ISN Configuration -> Access Point
Configuration -> Access Points)
    Values: 0 - 2147483647
    Description: Some RADIUS servers cannot handle access point names and require a
    numeric value for identification. The Numeric ID parameter will be inserted to the
    Called-Station-ID. If the value 0 is inserted, no attribute will be sent.

Profile Name
    Values: (string)
    Description: The name of the RADIUS profile.

RowStatus
    Values: Active / Not in service
    Description: The status of the RADIUS profile.

Client IP Address
    Values: IPv4 address
    Description: Defines the actual source address of RADIUS messages. The IP address
    to be inserted into the NAS-IP-Address attribute of RADIUS requests.

Type
    Values: Normal (IPv4), GRE Tunnel (IPv4), IP over IP (IPv4)
    Description: The type of the access point to be used in the profile. The type is
    used to interpret the meaning of the Tunnel Remote IP Address parameter.

Retransmission Timeouts
    Values: (Default) 2 4 8
    Description: RADIUS retransmission timeouts in seconds.

Encode Vendor-Specific Attributes Separately
(Routing Instance -> Config (Default) -> Flexi ISN Configuration -> Access Point
Configuration -> Access Points)
    Values: Enabled / Disabled
    Description: If this variable is set to Enabled, each vendor-specific sub-attribute
    is encoded into a separate vendor-specific attribute.

RoutingInstance
    Values: routing instance
    Description: The access point belongs to one of the existing routing instances.
    There is always at least the default instance.

Tunnel Remote IP Address
    Values: IPv4 address
    Description: The default router IP address or the endpoint of a GRE, IP-over-IP or
    L2TP tunnel.

Secondary Tunnel Address
    Values: IPv4 address
    Description: The destination address of a secondary IP or L2TP tunnel. When both of
    the tunnel destination addresses are specified, under normal conditions load
    balancing is performed between the tunnels. When one of the tunnels fails the other
    tunnel is used for all traffic in the case of GRE/IPIP. PDP contexts of the failed
    tunnel are deleted for L2TP and new PDP contexts are created solely to the tunnel
    that functioned.

Tunnel Local IP Address
    Values: IPv4 address
    Description: The local tunnel IP address for an access point.

Client Tunneling IP Address
    Values: IPv4 address
    Description: If the access point type is GRE Tunnel or IP over IP and RADIUS
    authentication or accounting messages are configured to be tunnelled, this IP
    address is to be put into the NAS-IP-Address attribute of the RADIUS request. This
    parameter specifies the actual source address of the RADIUS messages.

Server switchover time
    Values: 1 min to 30 min
    Description: After the primary RADIUS server has failed to reply and the Flexi ISN
    has switched over to use the secondary server, the Flexi ISN will try the primary
    server again after the time defined here.

Table 1 Common RADIUS configuration


Primary/Secondary Authentication Server IP Address
    Values: IPv4 address
    Description: The IP address of the used RADIUS server.

Port Number
    Values: 0 - 65535, (default) 1812
    Description: The port number of the RADIUS server.

Primary/Secondary Authentication Server Key
    Values: (string)
    Description: The secret that is used to authenticate the RADIUS server. No special
    character ? should be used.

Description
    Values: (string)
    Description: The description of the used RADIUS server. Optional

User Authentication Method
(Routing Instance -> Config (Default) -> Flexi ISN Configuration -> Access Point
Configuration -> Access Points)
    Value: Radius
    Description: Authentication is used. The user must provide the user name and the
    password.
    Value: Radius With MSISDN
    Description: Authentication is used. The MSISDN is used as the user name and the
    word password as the password.
    Value: Radius With APN
    Description: Authentication is used. The access point name is used as the user name
    and the word password as the password.

Override User Name Containing APN/MSISDN
(Routing Instance -> Config (Default) -> Flexi ISN Configuration -> Access Point
Configuration -> Access Points)
    Value: Disabled
    Description: The user name and password is used as described above in User
    Authentication Method.
    Value: Enabled
    Description: When the authentication method is RADIUS / L2TP PAP / L2TP CHAP with
    MSISDN / APN / IMSI, the Flexi ISN's behavior is modified as follows: If PAP or
    CHAP authentication tokens are received from the user equipment in the PCO IE, and
    the user name token is not empty, both the user name and the password from the
    corresponding tokens will be submitted for authentication. If the password provided
    by the user equipment is 'password', the authentication will be immediately
    rejected.

IP Address Generation Method
(Routing Instance -> Config (Default) -> Flexi ISN Configuration -> Access Point
Configuration -> Access Points)
    Value: GGSN
    Description: The dynamic IP address allocation method. The Flexi ISN uses its own
    address pool.
    Value: DHCP
    Description: The DHCP server allocates the IP address.
    Value: Radius
    Description: The RADIUS server allocates the IP address.

Authentication Operation
    Value: Simple Authentication
    Description: The Access Request message will be sent with basic attributes only.
    Value: IMSI SGSN
    Description: The IMSI and SGSN IP address attributes will be included in the Access
    Request message.
    Value: IMSI SGSN-3GPP
    Description: Sub-attributes that comply with the 3GPP standard will be included in
    the Access Request message.

Dynamic Tunnels
(Routing Instance -> Config (Default) -> Flexi ISN Configuration -> Access Point
Configuration -> Access Points)
    Values: Enabled / Disabled
    Description: When set to Enabled, the Flexi ISN accepts the tunnel definitions given
    by the RADIUS server.

Optional RADIUS Authentication
    Values: Enabled / Disabled
    Description: When set to Enabled, the Flexi ISN ignores the cases when RADIUS
    authentication fails, that is, when the RADIUS authentication server does not
    return a response or rejects the authentication.
    Note that in some cases the authentication can fail even if this variable is set to
    Enabled. The Flexi ISN needs a response from the RADIUS authentication server to be
    able to continue if the access point is set to the RADIUS mode or IP Address
    Generation Method is set to RADIUS.

Table 2 RADIUS authentication configuration


Primary/Secondary Accounting Server IP Address
    Values: IPv4 address
    Description: The IP address of the used RADIUS server.

Port Number
    Values: 0 - 65535, (default) 1813
    Description: The port number of the RADIUS server.

Primary/Secondary Accounting Server Key
    Values: (string)
    Description: The secret that is used to authenticate the RADIUS server.

Description
    Values: (string)
    Description: The description of the used RADIUS server. Optional

Third/Fourth/Fifth/Sixth/Seventh
    Accounting Server IP Address: IPv4 address
    Port Number: 0 - 65535, (default) 1813
    Accounting Server Key: (string)
    Description: (string)
    Description: These servers can only be used if a primary and/or a secondary
    accounting server has been configured. Messages to these RADIUS servers are sent in
    the 'fire and forget' mode. The message is sent once and no reply is noticed.

Account Server Operation
    Value: WAP Gateway
    Description: Accounting is used and the account server is actually a WAP gateway
    that uses the supplied information for special purposes. When the connection to the
    server fails, the PDP context creation is rejected.
    Value: WAP Gateway, server optional
    Description: Accounting is used but it is optional. The PDP context creation is
    accepted even when there is a failure in the accounting process. The WAP gateway
    may then offer a limited set of services. This option has no effect on the
    authentication process because of the parameter Optional RADIUS Authentication.
    Value: IP Address Release
    Description: Accounting is used and extra information is sent to the accounting
    server that may be used to release an allocated IP address.
    Value: 3GPP
    Description: Sub-attributes that comply with the 3GPP standard and some Nokia
    vendor-specific attributes will be included in Accounting Request packets. In
    addition, the Acct-Input-Gigawords and Acct-Output-Gigawords attributes are also
    included.
    Value: 3GPP, server optional
    Description: Accounting is used but it is optional. The PDP context creation is
    accepted even when there is a failure in the accounting process. Sub-attributes
    that comply with the 3GPP standard and some Nokia vendor-specific attributes will
    be included in Accounting Request packets. In addition, the Acct-Input-Gigawords
    and Acct-Output-Gigawords attributes are also included.

Secondary Account Server Mode
    Value: Backup
    Description: A fully configured timeout sequence is tried with a primary server and
    then with a secondary server if the primary does not respond.
    If no responses are received at all from the primary Accounting server within a
    retransmission timeout, an alarm is raised for the primary server and then there is
    a switch to secondary Accounting server. At the particular case that the
    retransmission timeout is reached for primary Accounting server for some Radius
    Accounting requests (for example, due to capacity issues), but at the same time
    Flexi receives responses from the same server for other pending Accounting
    Requests, there is still a switch to secondary Accounting server, but no alarm is
    raised for the primary server, since there is no indication that it is inactive.
    Value: Semi Redundancy
    Description: Both servers are used simultaneously. A response from either one is
    considered a success. No retransmission timeouts are performed as soon as response
    is received from one server. Only in case that both servers are out of service
    alarms will be raised.
    Value: Redundancy
    Description: Both servers are used simultaneously but Flexi ISN treats them
    separately. A response from either one is considered a success but Flexi ISN will
    keep sending retransmissions to the other server, until it receives a response from
    that server or the retransmission timeout setting expires. Then, an alarm will be
    raised indicating that this server is out of service, but Flexi ISN will continue
    to send requests to both RADIUS servers on next PDP context activation. In case
    that both servers are out of service alarms will be raised too.

Interim Accounting
    Values: Enabled / Disabled
    Description: When set to Enabled, the Flexi ISN sends an Accounting Request
    Interim-Update message to the RADIUS server when the PDP context is updated.

Send Interim When Container Closed
    Values: Enabled / Disabled
    Description: This determines whether a RADIUS interim update message is sent when a
    volume or a time limit in the access point's charging limit profile is reached.
    RADIUS uses PDP-context-level values to measure volume and time limits. The default
    value is 'Disabled'. If this is set to Enabled, the Interim Accounting parameter
    must also be enabled.

RADIUS Accounting Mode
(Routing Instance -> Config (Default) -> Flexi ISN Configuration -> Access Point
Configuration -> Access Points)
    Values: Asynchronous / Synchronous
    Description: In the asynchronous mode, the Flexi ISN sends a PDP context response
    to the SGSN before an accounting start reply has been received. This makes the PDP
    context activation faster. In the synchronous mode, the Flexi ISN waits for the
    accounting start reply to arrive before responding to the SGSN. The PDP context
    will not be activated unless the accounting reply has been received. This parameter
    affects only the accounting start message.

Notify AP Status Change
    Value: ON/OFF
    Description: Changing of the access point status from 'Active' to 'Not in service'
    leads to the sending of a 'RADIUS accounting OFF' message but no 'RADIUS accounting
    STOP' messages are sent. Changing the access point status from 'Not in service' to
    'Active' leads to the sending of a 'RADIUS accounting ON' message.
    Value: ON/OFF/STOP
    Description: The changing of the access point status from 'Active' to 'Not in
    service' leads to the sending of a 'RADIUS accounting OFF' message and any possible
    'RADIUS accounting STOP' messages. Changing the access point status from 'Not in
    service' to 'Active' leads to the sending of a 'RADIUS accounting ON' message.
    Value: STOP
    Description: No 'RADIUS accounting ON or OFF' messages are sent but possible
    'RADIUS accounting STOP' messages are sent if the access point status is changed
    from 'Active' to 'Not in service'.

Accounting To Authentication Server
    Values: Disabled / Enabled
    Description: If this parameter is enabled and if authentication is used, accounting
    for the PDP context will be transmitted to the RADIUS server that has the same
    configuration parameters, except for the port number (fixed value 1813).

Table 3 RADIUS Accounting configuration


Disconnect Server IP Address 1 / 2 / 3 / 4
    Values: IPv4 address
    Description: Contains the IP address of the RADIUS server from which a disconnect
    message is accepted.

Disconnect Server Secret Key 1 / 2 / 3 / 4
    Values: (string)
    Description: The secret that is used to authenticate the RADIUS disconnect server.

Disconnect Server Description 1 / 2 / 3 / 4
    Values: (string)
    Description: The description of the used RADIUS disconnect server. Optional

Table 4 RADIUS Disconnect configuration

3.3 Interface protocol


The interface between the Flexi ISN and the RADIUS server must follow the rules
defined in RFC 2865 [6] and RFC 2866 [7], including those for handling retransmissions
and request acknowledgements.

3.3.1 Message flow


The figures "RADIUS message flow, basic case", "RADIUS message flow, change PDP context
parameters" and "RADIUS message flow, disconnect by RADIUS server" represent the
RADIUS message flows between a Flexi ISN and an authentication, authorization and
accounting (AAA) server.


Figure 1 RADIUS message flow, basic case

Note: A Create PDP Context message can be sent before receiving an accounting
response (for example, in the asynchronous accounting mode). The Accounting
Start message will be sent for the primary and the secondary PDP contexts.


Figure 2 RADIUS message flow, change PDP context parameters

Note: When a CoA contains a Nokia-TREC-Index that results in a new QoS for the PDP
context, the Flexi ISN triggers an Update PDP Context Request with the new QoS (see
Section Determining TREC through RADIUS).


Figure 3 RADIUS message flow, disconnect by RADIUS server


4 RADIUS license
Some RADIUS features require a valid license to be enabled. The following configuration
options require the RADIUS addition license:
Authentication Operation IMSI-SGSN and IMSI-SGSN-3GPP and Account Server
Operation 3GPP, and 3GPP, server optional
    Without a license RADIUS authentication works in the SIMPLE Authentication
    Operation mode and a Flexi ISN 4.0 configured to use 3GPP or 3GPP server optional
    Account Server Operation will not use RADIUS accounting at all.
    Mainly this means that all the vendor-specific and Nokia vendor-proprietary
    attributes require a license. The only exception is the Account Server Operation
    modes WAP Gateway and WAP Gateway, server optional, which use the Nokia Siemens
    Networks vendor-proprietary attributes.
Interim Accounting
    Without a license Interim Accounting is disabled.
Dynamic Tunnels
    Without a license Dynamic Tunnels is disabled.
RADIUS Disconnect
    Without a license the Flexi ISN silently discards Disconnect Requests.
RADIUS Change-of-Authorization
    Without a license the Flexi ISN silently discards Change-of-Authorization Requests.
A proper license is required to be able to choose between the encoding methods
that are available for vendor-specific attributes.
A license is required for receiving Accounting Stop messages when disabling an
access point. Also the option to receive both Accounting Stop and On/Off messages
when disabling or enabling an access point requires a license.
The following functionalities require the Network Based QoS Control license:
    Handle the TREC AVP received in the CoA message
    Apply the TREC AVP received in the Access-Accept message for all traffic classes
    (also real-time)


5 Data elements
The attributes defined in this section comply with the same basic attribute formats given
in RFC 2865 [6] and RFC 2866 [7].

5.1 RADIUS interface data format


The RADIUS data format is the format needed for sending required information between
the Flexi ISN and the RADIUS server. Table 5 summarises the RADIUS data format.
The fields are transmitted from left to right. When a reply is generated, the source and
destination ports are reversed.

Code | Identifier | Length
Authenticator
Attributes: Type | Length | Value

Table 5 Summary of RADIUS data format

5.1.1 Code
The code (the field in the first octet of a packet) identifies the type of the RADIUS packet.
If a packet is received with an invalid code field, it is discarded (length, 1 octet). The
codes are the following:

Code 1: Access-Request
The Access-Request code (1) is sent by the Flexi ISN to the RADIUS server. It conveys
the information used to determine whether a user is allowed to access a specific network
access server and if there are any special requests for that user. The Access-Request
code must be transmitted when wishing to authenticate a user and must contain a
User-Name attribute and either a User-Password or CHAP-Password attribute. Upon
receipt of an Access-Request from a valid client, an appropriate reply must be
transmitted.

Code 2: Access-Accept
The Access-Accept code (2) is sent by the RADIUS server and provides the specific
configuration information necessary to begin delivery of service to the user. If all the
attribute values received in an Access-Request are acceptable, the RADIUS
implementation must transmit a packet with the Code field set to 2 (Access-Accept). On
reception of an Access-Accept, the Identifier field is matched with a pending
Access-Request. Additionally, the Response Authenticator field must contain the correct
response for the pending Access-Request.

Code 3: Access-Reject
The RADIUS server transmits the Access-Reject code (3) if any value for the received
attributes is not acceptable.

Code 4: Accounting-Request
The Accounting-Request code (4) is sent by the Flexi ISN to the RADIUS server and
conveys information used to provide accounting for a service. The server must transmit
an Accounting-Response reply if it successfully records the accounting packet, and
must not transmit a reply if it fails to record the accounting packet. This code must
contain either NAS-IP-Address or NAS-Identifier.

Code 5: Accounting-Response
The Accounting-Response code (5) is sent by the RADIUS server to the client to
acknowledge that the Accounting-Request has been received and recorded
successfully. There are no required attributes in this packet.

Code 11: Access-Challenge


The Access-Challenge code (11) is sent if the RADIUS server wishes to send the user
a challenge requiring a response. Flexi ISN does not support Access-Challenge
messages because there is no way for the Flexi ISN to communicate with the user.

Code 40: Disconnect-Request


For more information, see Section Disconnect-Request.

Code 41: Disconnect-ACK


For more information, see Section Disconnect-ACK.

Code 42: Disconnect-NAK


For more information, see Section Disconnect-NAK.

Code 43: Change-of-Authorization-Request


For more information, see Section CoA-Request.

Code 44: Change-of-Authorization-ACK


For more information, see Section CoA-ACK.

Code 45: Change-of-Authorization-NAK


For more information, see Section CoA-NAK.

5.1.2 Identifier
The identifier aids in matching requests and replies (length, 1 octet).

5.1.3 Length
The length indicates the length of the packet, including the Code, Identifier, Length,
Authenticator, and Attributes (length, 2 octets). The minimum length is 20 and the
maximum is 4096. The Flexi ISN silently discards packets received with an invalid
length.

5.1.4 Authenticator
The authenticator is used to authenticate the reply from the RADIUS server and to
authenticate the messages between the Flexi ISN and the RADIUS server (length, 16
octets, the most significant octet is transmitted first). There are two types of
authenticators:


Request Authenticator
In Access-Request packets, the authenticator value is a 16 octet random number called
the Request Authenticator. The value should be unpredictable and unique in the lifetime
of a secret (the password shared by the client and the RADIUS server). Since it is
expected that the same secret may be used to authenticate the servers in different
geographic regions, the Request Authenticator field should display global and temporal
uniqueness (RFC 2865 [6]). In Accounting-Request packets, the authenticator value is a
16-octet MD5 checksum, called the Request Authenticator (RFC 2866 [7]). The
authenticator value in Disconnect-Request packets and the Change-of-Authorization-Request
packets is encoded the same way as the authenticator value in Accounting-Request
packets (RFC 3576 [12]).

Response Authenticator
The Authenticator field in Access-Accept, Access-Reject, and Access-Challenge
packets is called the Response Authenticator, and contains a one-way MD5 hash
calculated over a stream of octets consisting of:
    the RADIUS packet, beginning with the Code field, including the Identifier, the
    Length, the Request Authenticator field from the Access-Request packet
    the response attributes, followed by the shared secret (RFC 2865 [6]).
The Authenticator field in an Accounting-Response packet is called the Response
Authenticator, and it contains a one-way MD5 hash calculated over a stream of octets
consisting of the Accounting-Response Code, Identifier, Length, the Request
Authenticator field from the Accounting-Request packet being replied to, and the
response attributes (if any) followed by the shared secret. The resulting 16-octet MD5
hash value is stored in the Authenticator field of the Accounting-Response packet
(RFC 2866 [7]). The Authenticator value in Disconnect-Ack, Disconnect-Nak,
Change-of-Authorization-ACK, and Change-of-Authorization-NAK packets is encoded the
same way as the Accounting-Response packet's Authenticator value (RFC 3576 [12]).
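
The length check from section 5.1.3 and the authenticator rules from section 5.1.4, written out as an added Python example (not part of the original document and not Flexi ISN code). The shared secret, the sample attribute and all function names are constructed for illustration; the request checksum is hashed with 16 zero octets in the Authenticator position, as RFC 2866 specifies.

```python
import hashlib
import hmac
import struct

MIN_LEN, MAX_LEN = 20, 4096          # packet length bounds (section 5.1.3)
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
DISCONNECT_REQUEST, COA_REQUEST = 40, 43
# Codes whose Request Authenticator is an MD5 checksum rather than a random number.
CHECKSUMMED_REQUESTS = {ACCOUNTING_REQUEST, DISCONNECT_REQUEST, COA_REQUEST}


def parse_header(packet: bytes):
    """Split a packet into (code, identifier, authenticator, attributes).

    Returns None when the Length field is invalid, the case in which the
    packet is silently discarded.
    """
    if len(packet) < MIN_LEN:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if not MIN_LEN <= length <= MAX_LEN or length > len(packet):
        return None
    # Octets after the Length boundary are padding and are not hashed (RFC 2865).
    return code, identifier, packet[4:20], packet[20:length]


def _digest(code, identifier, auth_field, attributes, secret):
    """MD5 over Code, Identifier, Length, a 16-octet field, attributes, secret."""
    header = struct.pack("!BBH", code, identifier, MIN_LEN + len(attributes))
    return hashlib.md5(header + auth_field + attributes + secret).digest()


def build_request(code, identifier, attributes, secret):
    """Build an Accounting-, Disconnect- or CoA-Request (RFC 2866, RFC 3576)."""
    auth = _digest(code, identifier, bytes(16), attributes, secret)
    header = struct.pack("!BBH", code, identifier, MIN_LEN + len(attributes))
    return header + auth + attributes


def build_response(code, request, attributes, secret):
    """Build a reply whose authenticator covers the request's authenticator."""
    _, identifier, request_auth, _ = parse_header(request)
    auth = _digest(code, identifier, request_auth, attributes, secret)
    header = struct.pack("!BBH", code, identifier, MIN_LEN + len(attributes))
    return header + auth + attributes


def verify_request(packet, secret):
    """Check the MD5 Request Authenticator of a checksummed request."""
    parsed = parse_header(packet)
    if parsed is None:
        return False
    code, identifier, auth, attributes = parsed
    if code not in CHECKSUMMED_REQUESTS:
        return False
    expected = _digest(code, identifier, bytes(16), attributes, secret)
    return hmac.compare_digest(auth, expected)


def verify_response(packet, request, secret):
    """Match a reply to its pending request and check the Response Authenticator."""
    reply, pending = parse_header(packet), parse_header(request)
    if reply is None or pending is None:
        return False
    code, identifier, auth, attributes = reply
    if identifier != pending[1]:
        return False
    expected = _digest(code, identifier, pending[2], attributes, secret)
    return hmac.compare_digest(auth, expected)


if __name__ == "__main__":
    secret = b"constructed-secret"            # constructed sample value
    acct_start = bytes([40, 6, 0, 0, 0, 1])   # Acct-Status-Type = 1 (Start)
    request = build_request(ACCOUNTING_REQUEST, 7, acct_start, secret)
    reply = build_response(ACCOUNTING_RESPONSE, request, b"", secret)
    print(verify_request(request, secret), verify_response(reply, request, secret))
```

Both checks depend only on MD5 and the shared secret, so a reply is accepted from any sender that knows the secret and the pending Identifier.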

5.2 Attributes
RADIUS attributes carry the specific authentication, authorisation, information, and
configuration details for the request and reply. The attribute format is shown in Table 6:

Type Length Value

Table 6 Attribute format

Type
The Type field is one octet. The Flexi ISN ignores attributes with an unknown type.
Length
The Length field is one octet, and it indicates the length of this attribute including the
Type, Length, and Value fields. The Flexi ISN ignores attributes with an invalid
length.
Value
The Value field is zero or more octets and contains information specific to the
attribute. The Type and Length field determine the format and length of the Value field.


Note: None of the types in RADIUS terminate with a null character (NUL, \0, hex 00). In
particular, the types 'text' and 'string' in RADIUS do not terminate with a NUL. The
Value field's length is determined by the Length field and does not use a terminator.
The format of the Value field is one of the five data types:
Text
1-253 octets containing UTF-8 encoded 10646 characters. Texts of zero length must
not be sent.
String
1-253 octets containing binary data (values 0 through 255 decimal, inclusive).
Strings of zero length must not be sent.
Address
A 32 bit value, the most significant octet first.
Integer
A 32 bit unsigned value, the most significant octet first.
Time
A 32 bit unsigned value, the most significant octet first - in seconds since 00:00:00
UTC, January 1, 1970.
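
The attribute format and the five value types above, as an added Python example (not part of the original document and not Flexi ISN code) that walks a constructed attribute buffer and sets aside attributes with an unknown type or an invalid length. The KNOWN map holds a few attributes from Table 7; the function names, the sample buffer and the choice to stop walking after a Length that leaves the buffer are assumptions.

```python
import ipaddress
import struct
from datetime import datetime, timezone

# A few attributes from Table 7: type number -> (name, value format).
KNOWN = {
    1: ("User-Name", "string"),
    4: ("NAS-IP-Address", "address"),
    27: ("Session-Timeout", "integer"),
    30: ("Called-Station-ID", "string"),
    40: ("Acct-Status-Type", "integer"),
}


def decode_value(fmt: str, value: bytes):
    """Decode one Value field; raise ValueError when it does not fit the format."""
    if fmt in ("text", "string"):
        if not 1 <= len(value) <= 253:
            raise ValueError("text/string must be 1-253 octets")
        # No NUL terminator: every octet up to Length belongs to the value.
        return value.decode("utf-8") if fmt == "text" else value
    if len(value) != 4:
        raise ValueError("address/integer/time must be 4 octets")
    if fmt == "address":
        return str(ipaddress.IPv4Address(value))
    number = struct.unpack("!I", value)[0]   # most significant octet first
    if fmt == "integer":
        return number
    if fmt == "time":
        return datetime.fromtimestamp(number, tz=timezone.utc)
    raise ValueError("unknown format " + fmt)


def parse_attributes(data: bytes):
    """Walk Type/Length/Value triples; return (parsed, ignored)."""
    parsed, ignored = [], []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            ignored.append((data[pos], "truncated"))
            break
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            # Assumption: boundaries after a bad Length cannot be trusted, so stop.
            ignored.append((atype, "length out of bounds"))
            break
        value = data[pos + 2:pos + alen]
        pos += alen
        if atype not in KNOWN:
            ignored.append((atype, "unknown type"))
            continue
        name, fmt = KNOWN[atype]
        try:
            parsed.append((name, decode_value(fmt, value)))
        except ValueError:
            ignored.append((atype, "invalid value"))
    return parsed, ignored


# Constructed attribute buffer (not captured traffic).
SAMPLE = (
    bytes([1, 9]) + b"alice\x00x"      # User-Name with an embedded NUL octet
    + bytes([4, 6, 192, 0, 2, 1])      # NAS-IP-Address 192.0.2.1
    + bytes([200, 4, 0xAA, 0xBB])      # type 200 is not in KNOWN
    + bytes([27, 5, 0, 0, 60])         # Session-Timeout with only 3 value octets
    + bytes([40, 6, 0, 0, 0, 2])       # Acct-Status-Type = 2 (Stop)
    + bytes([30, 10]) + b"ap"          # Called-Station-ID claims 10 octets, 4 remain
)

if __name__ == "__main__":
    accepted, skipped = parse_attributes(SAMPLE)
    print(accepted)
    print(skipped)
```

The User-Name value keeps all seven octets, including the NUL; code that treated it as a C string would compare only "alice".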
Table 7 shows the list of attributes used by the Flexi ISN, the Type number, Length,
Value format, and a short description.


Attribute name Type Value Definition Sent or


format received
and used
User-Name 1 String Indicates the name of sent,
greater than the user to be authenti- received
or equal to 1 cated. and used
octet(s) Note that Flexi ISN
does not always check
the user name and
password in the authen-
tication process. The
RADIUS server is
responsible for the
handling of empty
authentication tokens.
The user name can be
the user name received
from the user equip-
ment, the MSISDN, or
the access point name.
For more information,
see configuration
parameters User
Authentication
Method and Override
User Name
Containing
APN/MSISDN in Section
Configuration parame-
ters
User-Password 2 String, 16- The password of the sent
128 octets user according to RFC
2865.
When the User-Name
is either the MSISDN or
the APN the word pass-
word is used as User-
Password.
Chap-Password 3 According to The response value sent
RFC 2865 provided by a PPP
Challenge Handshake
Authentication Protocol
(CHAP) user in
response to the chal-
lenge.

DN70119375 Id:0900d8058068b02b 35
Issue 5-3 en
Data elements RADIUS Interface, Interface Description

Attribute name Type Value Definition Sent or


format received
and used
NAS-IP-Address 4 Address, 4 The IPv4 address of the sent,
octets Flexi ISN in the received
RADIUS interface. and used
NAS-Port 5 Integer 4 If the PDP context was sent
octets created through one of
the multi-access (NAS)
interfaces of the Flexi
ISN, this attribute will
contain the used inter-
face identifier. Other-
wise, this attribute is not
sent.
The value is the
Numeric ID defined in
the NAS configuration.
If the value is 0 (zero),
there will be no attribute
sent in the RADIUS
messages.
Service-Type 6 4 octets, This attribute indicates sent,
Possible the type of service the received
values user has requested, or and used
according to the type of service to be
RFC 2865 provided. The attribute
has the fixed value 2
(Framed). The Flexi ISN
responds to a Discon-
nect- or CoA-Request
including an unsup-
ported Service-Type
attribute with a Discon-
nect or CoA-NAK.
Framed-Protocol 7 4 octets Indicates the framing to sent,
be used for framed received
access. The attribute
has the fixed value "7"
(GPRS PDP Context)
Framed-IP-address 8 Address, 4 The clients IP address. sent,
octets May be used in Access- received
Accept packets. The and used
IPv4 address in network
byte order.

36 Id:0900d8058068b02b DN70119375
Issue 5-3 en
RADIUS Interface, Interface Description Data elements

Attribute name Type Value Definition Sent or


format received
and used
Class 25 String, The class is received sent,
greater than from the Access-Accept received
or equal to 1 message, and it is sent and used
octet(s) in the accounting mes-
sages.
Vendor-Specific 26 According to Vendor-specific attri- sent,
RFC 2865 bute(s). received
See Section Vendor- and used
specific attribute encod-
ing.
Session-Timeout 27 Integer, 4 A 32-bit unsigned received
octets integer with the and used
maximum number of
seconds that a user
should be allowed to
remain connected by
the Flexi ISN.
Idle-Timeout 28 Integer, 4 A 32-bit unsigned received
octets integer with the and used
maximum number of
consecutive seconds of
idle time that a user
should be permitted
before being discon-
nected by the Flexi ISN.
Called-Station-ID 30 String The access point name. sent
greater than Some RADIUS servers
or equal to 1 do not accept a string
octet(s) here. It is possible to
use a numerical value
instead.
When a non-zero value
is set in the configura-
tion parameter
Numeric Id that will
be used. See Section
Configuration parame-
ters.
Calling-Station-ID 31 String The clients MSISDN. sent
greater than
or equal to 1
octet(s)

Attribute name | Type | Value format | Definition | Sent or received and used
NAS-Identifier | 32 | String, greater than or equal to 1 octet(s) | Contains a string identifying the Flexi ISN. | sent, received and used
Proxy-State | 33 | String, greater than or equal to 1 octet(s) | This attribute is used when a proxy server is forwarding messages from a server to a client and back. If some Proxy-State attributes are received in a Disconnect- or CoA-Request, the Flexi ISN returns the attribute(s) unmodified (in same order) in the Response message. | sent, received and used
Acct-Status-Type | 40 | 4 octets. Possible values: 1, Start; 2, Stop; 3, Interim-Update; 7, Accounting On; 8, Accounting Off | Indicates whether an Accounting-Request marks the beginning of the user service (START) or the end (STOP). This is used by the Flexi ISN: to mark the start of accounting (for example, upon booting) when an access point becomes active, by specifying Accounting-On; to mark the end of accounting (for example, just before a scheduled reboot) when an access point becomes inactive, by specifying Accounting-Off. | sent
Acct-Input-Octets (1) | 42 | Integer, 4 octets | This attribute indicates the number of bytes transmitted for the user for a given service from the MS (uplink). | sent

Attribute name | Type | Value format | Definition | Sent or received and used
Acct-Output-Octets (1) | 43 | Integer, 4 octets | This attribute indicates the number of bytes transmitted for the user for a given service towards the MS (downlink). | sent
Acct-Session-Id | 44 | String, 16 octets | A unique accounting ID to make it easy to match the Start and Stop records in a log file. The Start and Stop records for a given session must have the same Acct-Session-Id. The Acct-Session-Id included in accounting ON and OFF messages is not unique. | sent, received and used
Acct-Authentic | 45 | Integer, 4 octets | This attribute indicates how the user was authenticated. Possible values are 1 (RADIUS) and 2 (Local). | sent
Acct-Session-Time | 46 | Integer, 4 octets | This attribute indicates for how many seconds the user has received the service. | sent
Acct-Input-Packets (1) | 47 | Integer, 4 octets | This attribute indicates how many packets have been received from the port while this service has been provided. | sent
Acct-Output-Packets (1) | 48 | Integer, 4 octets | This attribute indicates how many packets have been sent to the port while this service has been provided. | sent

Attribute name | Type | Value format | Definition | Sent or received and used
Acct-Terminate-Cause | 49 | Integer, 4 octets | This attribute indicates how the session was terminated. The following values are supported in the Flexi ISN: 1 (User Request) = Context termination related to SGSN or NAS; 3 (Lost Service) = Context termination related to an access point; 4 (Idle Timeout) = An idle time-out in Flexi ISN caused the context termination; 5 (Session Timeout) = A session time-out in the Flexi ISN caused the context termination; 6 (Admin Reset) = A Disconnect Request terminated the context; 10 (NAS Request) = A network-initiated context termination (default value). See Section Acct-Terminate-Cause. | sent
Acct-Multi-Session-Id | 50 | String, 16 octets | A backbone wide unique hexadecimal coded ASCII string. A unique accounting ID to make it easy to link together multiple related sessions. | sent, received and used

Attribute name | Type | Value format | Definition | Sent or received and used
Acct-Link-Count (1) | 51 | Integer, 4 octets | This attribute gives the count of links which are known to have been in a given multilink session at the time the accounting record is generated. | sent
Acct-Input-Gigawords (1) | 52 | Integer, 4 octets | This attribute indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 while this service has been provided. | sent
Acct-Output-Gigawords (1) | 53 | Integer, 4 octets | This attribute indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 while this service has been provided. | sent
Event-Timestamp | 55 | Time, 4 octets | This message is included in a packet to record the time when something with or in the session occurred (for example, a deactivation), in seconds, since January 1, 1970 00:00 UTC. (RFC 2869) | sent, received and used
Chap-Challenge | 60 | String, greater than or equal to 5 octets | When the challenge is 16 octets long it is placed in the Request Authenticator field and the Challenge Handshake Authentication Protocol (CHAP-Challenge) is not used. According to RFC 2865. | sent
NAS-Port-Type | 61 | 4 octets. Possible values: 5, virtual | This attribute indicates the type of the physical port of the Flexi ISN that is authenticating the user. Always virtual (value=5). | sent

Attribute name | Type | Value format | Definition | Sent or received and used
Tunnel-Type | 64 | 3 octets. Possible values: 3, L2TP; 7, IP-IP; 10, GRE | The tunnel type used. According to RFC 2868. | received and used
Tunnel-Client-Endpoint | 66 | String or Address, greater than or equal to 1 octet(s) | This attribute indicates the address of the initiator end of the tunnel. | received and used
Tunnel-Server-Endpoint | 67 | String or Address, greater than or equal to 1 octet(s) | This attribute indicates the address of the server end of the tunnel. | received and used
Tunnel-Password | 69 | According to RFC 2868 | Contains a password to be used to authenticate to a remote server | received and used
Tunnel-Assignment-ID | 82 | String, greater than or equal to 1 octet(s) | This attribute indicates to the tunnel initiator the particular tunnel to which a session is to be assigned. | received and used
Tunnel-Preference | 83 | 3 octets according to RFC 2868 | This attribute indicates the relative preference assigned to each tunnel. | received and used
Tunnel-Client-Auth-ID | 90 | Text, greater than or equal to 1 octet(s) | This attribute specifies the name used by the tunnel initiator during the authentication phase of tunnel establishment. | received and used
Error-Cause | 101 | 4 octets. Possible values: 404, Invalid Request | The Value field is four octets, containing an integer specifying the cause of the error (RFC 3576 [12]). | sent

Attribute name | Type | Value format | Definition | Sent or received and used
Primary-DNS-Server (vendor-proprietary) | 135 | Address, 4 octets | The IPv4 address of the primary DNS server. | received and used
Secondary-DNS-Server (vendor-proprietary) | 136 | Address, 4 octets | The IPv4 address of the secondary DNS server. | received and used
IMSI (vendor-proprietary) | 224 | String, 8 octets | This attribute contains the IMSI of the mobile station. Its format is a binary coded decimal with extra four bits set to 1 for an odd number of digits (for example, 123 equals hexadecimal bytes 21 F3) | sent
Charging-Id (vendor-proprietary) | 225 | Integer, 4 octets | This attribute together with the GGSN-IP-Address forms a unique ID for GPRS charging. | sent
Prepaid-Ind (vendor-proprietary) | 226 | Integer, 4 octets | This attribute indicates prepaid service containing the Charging Characteristics field as described in 3GPP specification 32.015. hot billing = 1; flat rate = 2; prepaid = 4; normal = 8 | sent
GGSN-IP-Address (vendor-proprietary) | 227 | Address, 4 octets | The GGSN IP address on the GPRS backbone. The IPv4 address. | sent
SGSN-IP Address (vendor-proprietary) | 228 | Address, 4 octets | The SGSN IP address on the GPRS backbone. The IPv4 address. | sent

Table 7 Attributes used by Flexi ISN


1) This attribute is not included in messages sent in the 'fire and forget' mode. In this
mode the message is sent once and no reply is noticed.
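
Table 7 describes the vendor-proprietary IMSI attribute (224) as binary coded decimal with a four-bit filler, and the Gigawords attributes (52, 53) as wrap counters for the 32-bit octet counters. The following is an added example, not code from the Flexi ISN documentation; the function names and the 15-digit IMSI are constructed for illustration.

```python
DIGITS = "0123456789"
MAX_U32 = 2**32 - 1


def encode_imsi_bcd(imsi):
    """Encode decimal digits as BCD: first digit in the low nibble,
    second digit in the high nibble, filler 0xF for an odd digit count."""
    if not imsi or len(imsi) > 15 or any(c not in DIGITS for c in imsi):
        raise ValueError("IMSI must be 1 to 15 decimal digits")
    nibbles = [int(c) for c in imsi]
    if len(nibbles) % 2:
        nibbles.append(0xF)  # extra four bits set to 1
    return bytes(lo | (hi << 4) for lo, hi in zip(nibbles[0::2], nibbles[1::2]))


def decode_imsi_bcd(raw):
    """Decode the BCD form back to digits, rejecting stray non-decimal nibbles.

    The 0xF filler is accepted only as the high nibble of the last octet.
    """
    if not raw:
        raise ValueError("empty IMSI value")
    digits = []
    for index, octet in enumerate(raw):
        lo, hi = octet & 0x0F, octet >> 4
        last = index == len(raw) - 1
        if lo > 9:
            raise ValueError("non-decimal low nibble in octet %d" % index)
        digits.append(DIGITS[lo])
        if hi == 0xF and last:
            break
        if hi > 9:
            raise ValueError("non-decimal high nibble in octet %d" % index)
        digits.append(DIGITS[hi])
    return "".join(digits)


def total_octets(octets, gigawords):
    """Combine Acct-*-Octets with Acct-*-Gigawords into one byte count.

    Gigawords counts how many times the 32-bit octet counter wrapped.
    """
    for name, value in (("octets", octets), ("gigawords", gigawords)):
        if not 0 <= value <= MAX_U32:
            raise ValueError("%s does not fit in 4 octets" % name)
    return (gigawords << 32) | octets


if __name__ == "__main__":
    print(encode_imsi_bcd("123").hex())              # the example from Table 7
    print(encode_imsi_bcd("001010123456789").hex())  # constructed 15-digit IMSI
    print(total_octets(5, 2))
```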


Vendor-proprietary attributes implemented in Flexi ISN


Nokia vendor-proprietary RADIUS attributes (224 - 228)
Cisco vendor-proprietary RADIUS attributes (135 and 136)
For more information, see Table 7.

5.2.1 Vendor-specific attribute encoding


The vendor-specific attribute (type 26) is available to allow vendors to support their own
extended attributes. RFC 2865 [6] does not define how the string field of the vendor-specific
attribute should be encoded. By default, the Flexi ISN encodes the vendor-specific attributes
as advised in the last paragraph of section 5.26 of RFC 2865, encoding multiple
sub-attributes with the same vendor-id within a single vendor-specific attribute. The
encoding looks like the following:

1 octet      Type = 26 (Vendor-Specific)
1 octet      Length = 6 + (a + 2) + (b + 2) + n
4 octets     Vendor-Id: 94 (Nokia), 311 (Microsoft), 10415 (3GPP), 28458 (Nokia-Siemens-Networks)
1 octet      Vendor-Type
1 octet      Vendor-Length = a + 2
a octet(s)   Vendor-Value
1 octet      Vendor-Type
1 octet      Vendor-Length = b + 2
b octet(s)   Vendor-Value
n octets     Vendor-Type up to Vendor-Length

Some RADIUS servers may require configuration or patching before being able to
support this encoding. How the sub-attributes are encoded is, however, configurable in
the Flexi ISN. The configuration parameter Encode Vendor-Specific Attributes Separately
is described in Section Configuration parameters. When this option is chosen, each
vendor-specific sub-attribute is encoded into a separate vendor-specific attribute. The
encoding looks like the following:

1 octet      Type = 26 (Vendor-Specific)
1 octet      Length = 8 + n
4 octets     Vendor-Id: 94 (Nokia), 311 (Microsoft), 10415 (3GPP), 28458 (Nokia-Siemens-Networks)
1 octet      Vendor-Type
1 octet      Vendor-Length = n + 2
n octet(s)   Vendor-Value
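
The two layouts above, built and parsed side by side. This is an added example, not code from the Flexi ISN documentation: the function names and sample values are constructed, and the decoder checks every Length and Vendor-Length against the enclosing buffer, which is what a receiver has to do to accept both encodings safely.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type carrying vendor sub-attributes
NOKIA = 94             # Vendor-Id from the list in this section

# Constructed sample: Nokia-Service-Name (3), Nokia-Service-ID (4) and
# Nokia-TREC-Index (14) with made-up values.
SAMPLE_SUBATTRS = [(3, b"wap"), (4, struct.pack("!I", 7)), (14, b"\x05")]


def _sub(vendor_type, value):
    """Vendor-Type, Vendor-Length (= len(value) + 2), Vendor-Value."""
    if not 0 <= vendor_type <= 255:
        raise ValueError("Vendor-Type must fit in one octet")
    if len(value) > 255 - 8:
        raise ValueError("Vendor-Value too long for one attribute")
    return bytes([vendor_type, len(value) + 2]) + value


def _wrap(vendor_id, body):
    """Type 26, Length (= 6 + len(body)), 4-octet Vendor-Id, then body."""
    length = 6 + len(body)
    if length > 255:
        raise ValueError("sub-attributes do not fit in one type-26 attribute")
    return bytes([VENDOR_SPECIFIC, length]) + struct.pack("!I", vendor_id) + body


def encode_vsa(vendor_id, subattrs, separately=False):
    """Encode (vendor_type, value) pairs.

    separately=False: all sub-attributes inside a single type-26 attribute.
    separately=True: one type-26 attribute per sub-attribute (Length = 8 + n).
    """
    subs = [_sub(t, v) for t, v in subattrs]
    if separately:
        return b"".join(_wrap(vendor_id, s) for s in subs)
    return _wrap(vendor_id, b"".join(subs))


def decode_vsas(attrs):
    """Walk a RADIUS attribute list and return (vendor_id, vendor_type, value)
    triples. Accepts both encodings; raises ValueError on any length field
    that points outside its enclosing attribute or buffer."""
    found = []
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        end = pos + attr_len
        if attr_len < 2 or end > len(attrs):
            raise ValueError("attribute Length out of bounds")
        if attr_type == VENDOR_SPECIFIC:
            if attr_len < 8:
                raise ValueError("type-26 attribute too short")
            vendor_id = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
            sub = pos + 6
            while sub < end:
                if end - sub < 2:
                    raise ValueError("truncated sub-attribute header")
                vendor_type, vendor_len = attrs[sub], attrs[sub + 1]
                if vendor_len < 2 or sub + vendor_len > end:
                    raise ValueError("Vendor-Length out of bounds")
                found.append((vendor_id, vendor_type, attrs[sub + 2:sub + vendor_len]))
                sub += vendor_len
        pos = end  # attributes of other types are skipped, not parsed
    return found


if __name__ == "__main__":
    for mode in (False, True):
        wire = encode_vsa(NOKIA, SAMPLE_SUBATTRS, separately=mode)
        print("separately=%s" % mode, wire.hex(), decode_vsas(wire))
```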

Vendor-specific attributes implemented in Flexi ISN


Nokia vendor-specific attributes (value=94)

Attribute name | Type | Value format | Definition | Sent or received and used
Nokia-UserProfile | 2 | String, greater than or equal to 1 octet(s) | A list of services separated by a space character. Includes one primary service flag (*) and can include an OCS prepaid flag ($). | received and used
Nokia-Service-Name | 3 | String, greater than or equal to 1 octet(s) | The name of the service. | received and used
Nokia-Service-ID | 4 | Integer, 1-4 octets | The identification number of the service. | received and used
Nokia-Service-Username | 5 | String, greater than or equal to 1 octet(s) | The user name. | received and used
Nokia-Service-Password | 6 | String, greater than or equal to 1 octet(s) | The password. | received and used
Nokia-Service-Primary-Indicator | 7 | 0 octets | The Value field should be empty and is ignored. The Tag field shows the primary service. | received and used
Nokia-Service-Charging-Type | 8 | Integer, 2 octets | The first octet contains the wallet identification number. The second octet defines the wallet charging type. | received and used

Attribute name | Type | Value format | Definition | Sent or received and used
Nokia-Service-Encrypted-Password | 9 | String as defined in Section User profile fetching. | This attribute contains an encrypted password for the service. | received and used
Nokia-Session-Access-Method | 10 | 1 octet as defined in Section Nokia vendor-specific attribute Nokia-Session-Access-Method. | This attribute defines the access method for the user session. | sent
Nokia-Session-Charging-Type | 11 | 1 octet as defined in Section Charging profile fetching through RADIUS. | This attribute defines the charging type for the user session. | sent, received and used
Nokia-OCS-ID1 | 12 | Integer, 2 octets | The identification number of the OCS server that should be used in the first place. | received and used
Nokia-OCS-ID2 | 13 | Integer, 2 octets | The identification number of the OCS server that should be used in the second place. | received and used
Nokia-TREC-Index | 14 | Integer, 1 octet | This attribute defines the TREC for the PDP context. | received and used
Nokia-Requested-APN | 15 | String, greater than or equal to 1 octet(s) | The name of the access point to which the mobile station requested connection. | sent

Microsoft vendor-specific attributes (value=311)

Attribute name | Type | Value format | Definition | Sent or received and used
MS-Primary-DNS-Server | 28 | Address, 4 octets | The IPv4 address of the primary DNS server. | received and used
MS-Secondary-DNS-Server | 29 | Address, 4 octets | The IPv4 address of the secondary DNS server. | received and used

3GPP vendor-specific attributes (value=10415). These require a license.

Attribute name | Type | Value format | Definition | Sent or received and used
3GPP-IMSI | 1 | Text, 1-15 octets | The IMSI for this user. | sent
3GPP-Charging-Id | 2 | Integer, 4 octets | The charging ID for this PDP context. The Flexi ISN generates this 3GPP charging ID for both virtual and normal PDP contexts with one exception. If the Flexi ISN acts as a NAS server and the charging ID selection is set to NAS Client, the charging ID will be the NAS client's charging ID and not the Flexi ISN's 3GPP charging ID. | sent
3GPP-PDP-Type | 3 | 4 octets. Possible values: 0, IPv4 | The type of PDP context. | sent

Attribute name | Type | Value format | Definition | Sent or received and used
3GPP-Charging-Gateway-Address | 4 | Address, 4 octets | The charging gateway IP address defined in the Flexi ISN configuration | sent
3GPP-GPRS-Negotiated-Qos-Profile | 5 | Text, 11, 27, or 33 octets | The QoS profile applied by the Flexi ISN. <Release indicator> <release specific QoS IE UTF-8 encoding>. Flexi ISN 3.0 now supports also Release 5-extended QoS profiles (release indicator is 05), which consist of 33 octets. | sent
3GPP-SGSN-Address | 6 | Address, 4 octets | The SGSN IP address that is used by the GTP control plane for the handling of control messages. It may be used to identify the PLMN to which the user is attached | sent

Attribute name | Type | Value format | Definition | Sent or received and used
3GPP-GGSN-Address | 7 | Address, 4 octets | Usually the Flexi ISN's IP address. The only exception is when the Flexi ISN acts as a NAS server and the charging ID selection is set to NAS Client; then the GGSN IP address will be the NAS client's GGSN IP address. | sent
3GPP-IMSI-MCC-MNC | 8 | Text, 5 or 6 octets | The MCC-MNC pair (RAI) of a user's IMSI. This value is compared to the active insertions in the Home PLMN ID Configuration table and in the Inbound Roaming Access Table. If a match is found in either of those, then the corresponding VSA is sent to the RADIUS server. | sent
3GPP-GGSN-MCC-MNC | 9 | Text, 5 or 6 octets | The MCC-MNC of the network the Flexi ISN belongs to. The used MCC-MNC will be marked in the Home PLMN ID table. | sent
3GPP-NSAP | 10 | 1 octet | Identifies a particular PDP context | sent

Attribute name | Type | Value format | Definition | Sent or received and used
3GPP-Session-Stop-Indicator | 11 | 1 octet, Fixed value FF (Hex) | Indicates that the last PDP context of a session is released and that the PDP session has been terminated. The fixed value is FF (Hex). | sent
3GPP-Selection-Mode | 12 | Text, 1 octet | Contains the selection mode for this PDP context received in the Create PDP Context Request message. | sent
3GPP-Charging-Characteristics | 13 | Text, 4 octets | This attribute contains the charging characteristics for this PDP context received in the Create PDP Context Request Message (only available in 3GPP R99 and later releases). Note: If the charging type flags are not set from the HLR, then the Flexi ISN sets the post-paid flag. | sent

Attribute name | Type | Value format | Definition | Sent or received and used
3GPP-SGSN-MCC-MNC | 18 | Text, 5 or 6 octets | The MCC and MNC extracted from the RAI within the Create PDP Context Request or Update PDP Context Request message. | sent
3GPP-IMEISV | 20 | Text, 16 octets | This attribute contains the international mobile equipment identity (IMEI) and its software version received from the SGSN. | sent

Attribute name | Type | Value format | Definition | Sent or received and used
3GPP-RAT-Type | 21 | 1 octet. Possible values: 1, UTRAN; 2, GERAN; 3, WLAN*; 4-255 <spare> | This attribute indicates which radio access technology (RAT) is currently serving the user equipment. The RAT is received from the SGSN. Note that the Flexi ISN uses the following values for: 253 = Nokia-WLAN *; 254 = NAS; 255 = Unspecified SGSN. This is effective until the 3GPP specification defines new values for the spare numbers. * The selection between WLAN and Nokia-WLAN depends on how the GGSN receives the RAT information over GTP-C. If the RAT Type information element is received, WLAN is sent. If Private Extension information element is received, Nokia-WLAN is sent. | sent

Attribute name | Type | Value format | Definition | Sent or received and used
3GPP-User-Location-Info | 22 | 1-m octets, m depends on the Geographic Location Type | This attribute contains information about the user's geographical location. The value of this attribute is copied without changes from the GTP information element User Location Information that is received from the SGSN. The Geographic Location Type is defined in 3GPP specification 29.060 [2]. | sent
3GPP-MS-TimeZone | 23 | 2 octets | Indicates the time zone that the user is currently located in. The value of this attribute is copied without changes from the GTP information element MS Time Zone that is received from SGSN. MS Time Zone is defined in 3GPP specification 29.060 [2]. | sent

Nokia Siemens Networks vendor-specific attributes (value=28458).

Attribute name | Type | Value format | Definition | Sent or received and used
NSN-Tunnel-User-Auth-Method | 1 | Integer, 3 octets | This attribute defines the user authentication method used with dynamic tunnels. The attribute contains a tag which is used to group attributes referring to the same tunnel. Possible values are: L2TP PAP = 1; L2TP PAP with MSISDN = 2; L2TP PAP with APN = 3; L2TP PAP with IMSI = 4; L2TP CHAP = 5; L2TP CHAP with MSISDN = 6; L2TP CHAP with APN = 7; L2TP CHAP with IMSI = 8; L2TP Proxy Authentication = 9 | received and used
NSN-Tunnel-Override-Username | 2 | Integer, 1 octet | This attribute changes the user authentication in dynamic tunnels when credentials are received from the terminal. When this attribute is set to enabled (1) the credentials from the terminal will override the ones previously used. The authentication fails if the received password is "password". The attribute contains a tag which is used to group attributes referring to the same tunnel. Possible values are: Enabled = 1; Disabled = other values | received and used

5.2.2 Attributes sent and received by Flexi ISN


Attributes delivered with the messages depend on the value of the configuration
parameters Authentication Operation and Account Server Operation. The
undefined attributes received with the messages are discarded. The following tables contain
the attributes sent and received by the Flexi ISN grouped by the type of the message
and based on different parameter values:


5.2.2.1 Access Request

ID | Attribute name | Simple authentication | IMSI SGSN | IMSI SGSN-3GPP
1 User-Name Yes Yes Yes
2 User-Password (1) Yes Yes Yes
3 CHAP-Password (2) Yes Yes Yes
4 NAS-IP-Address Yes Yes Yes
5 NAS-Port Yes Yes Yes
6 Service-Type Yes Yes Yes
7 Framed-Protocol Yes Yes Yes
30 Called-Station-Id Yes Yes Yes
31 Calling-Station-Id Yes Yes Yes
32 NAS-Identifier Yes Yes Yes
44 Acct-Session-Id Yes Yes Yes
50 Acct-Multisession-Id Yes Yes Yes
60 CHAP-Challenge (2) Yes Yes Yes
61 NAS-Port-Type Yes Yes Yes
224 IMSI Yes
228 SGSN-IP-Address Yes
26/94/15 Nokia-Requested-APN Yes
26/10415/1 3GPP-IMSI Yes
26/10415/2 3GPP-Charging-Id Yes
26/10415/3 3GPP-PDP Type Yes
26/10415/4 3GPP-Charging-Gateway-Address Yes
26/10415/5 3GPP-GPRS-Negotiated-QoS-Profile Yes
26/10415/6 3GPP-SGSN-Address Yes
26/10415/7 3GPP-GGSN-Address Yes
26/10415/8 3GPP-IMSI-MCC-MNC Yes
26/10415/9 3GPP-GGSN-MCC-MNC Yes
26/10415/10 3GPP-NSAPI Yes
26/10415/12 3GPP-Selection-Mode Yes
26/10415/13 3GPP-Charging-Characteristics Yes
26/10415/18 3GPP-SGSN-MCC-MNC (3) Yes
26/10415/20 3GPP-IMEISV (4) Yes
26/10415/21 3GPP-RAT-Type Yes
26/10415/22 3GPP-User-Location-Info (4) Yes
26/10415/23 3GPP-MS-TimeZone (4) Yes

1. The User-Password is not sent when using CHAP as the authentication type.
2. Sent only when using CHAP as the authentication type.
3. Sent only if the PDP context request contained the RAI.
4. Sent only if received from the SGSN.

5.2.2.2 Access Accept

ID Attribute name
8 Framed-IP-Address
25 Class
27 Session-Timeout
28 Idle-Timeout
64 Tunnel-type
66 Tunnel-Client-Endpoint
67 Tunnel-Server-Endpoint
69 Tunnel-Password
82 Tunnel-Assignment-Id
83 Tunnel-Preference
90 Tunnel-Client-Auth-Id
135 Primary-DNS-Server
136 Secondary-DNS-Server
26/94/2 Nokia-UserProfile
26/94/3 Nokia-Service-Name
26/94/4 Nokia-Service-ID
26/94/5 Nokia-Service-Username
26/94/6 Nokia-Service-Password
26/94/7 Nokia-Service-Primary-Indicator
26/94/8 Nokia-Service-Charging-Type
26/94/9 Nokia-Service-Encrypted-Password
26/94/11 Nokia-Session-Charging-Type
26/94/12 Nokia-OCS-ID1
26/94/13 Nokia-OCS-ID2
26/94/14 Nokia-TREC-Index (1)
26/311/28 MS-Primary-DNS-server
26/311/29 MS-Secondary-DNS-Server
26/28458/1 NSN-Tunnel-User-Auth-Method
26/28458/2 NSN-Tunnel-Override-Username

1. The particular application of this AVP depends on the Network Based QoS Control
license. Without this license this AVP applies only for non real-time traffic classes (since
it replaces the default TREC id configured in the Flexi ISN Access Point). With this
license it applies for all traffic classes.

5.2.2.3 Accounting Request Start

ID | Attribute name | WAP GW and WAP GW, server optional | IP address release | 3GPP and 3GPP, server optional
1 User-Name (1) Yes Yes Yes
4 NAS-IP-Address Yes Yes Yes
5 NAS-Port Yes Yes Yes
6 Service-Type Yes Yes Yes
7 Framed Protocol Yes Yes Yes
8 Framed-IP-Address Yes Yes Yes
25 Class Yes Yes Yes
30 Called-Station-Id Yes Yes Yes
31 Calling-Station-Id Yes Yes Yes
32 NAS-Identifier Yes Yes Yes
40 Acct-Status-Type Yes Yes Yes
44 Acct-Session-Id Yes Yes Yes
45 Acct-Authentic Yes Yes Yes
50 Acct-Multisession-Id Yes Yes Yes
51 Acct-Link-Count Yes Yes Yes
61 NAS-Port-Type Yes Yes Yes
224 IMSI Yes
225 Charging-ID Yes
226 Prepaid-Ind Yes Yes
227 GGSN-IP-Address Yes
228 SGSN-IP-Address Yes
26/94/10 Nokia-Session-Access-Method Yes
26/94/11 Nokia-Session-Charging-Type Yes
26/94/15 Nokia-Requested-APN Yes
26/10415/1 3GPP-IMSI Yes
26/10415/2 3GPP-Charging-Id Yes
26/10415/3 3GPP-PDP Type Yes
26/10415/4 3GPP-Charging-Gateway-Address Yes
26/10415/5 3GPP-GPRS-Negotiated-QoS-Profile Yes
26/10415/6 3GPP-SGSN-Address Yes
26/10415/7 3GPP-GGSN-Address Yes
26/10415/8 3GPP-IMSI-MCC-MNC Yes
26/10415/9 3GPP-GGSN-MCC-MNC (2) Yes
26/10415/10 3GPP-NSAPI Yes
26/10415/12 3GPP-Selection-Mode Yes
26/10415/13 3GPP-Charging-Characteristics Yes
26/10415/18 3GPP-SGSN-MCC-MNC Yes
26/10415/20 3GPP-IMEISV (3) Yes
26/10415/21 3GPP-RAT-Type Yes
26/10415/22 3GPP-User-Location-Info (3) Yes
26/10415/23 3GPP-MS-TimeZone (3) Yes

1. Not sent if the username is empty.


2. Sent only if the PDP context request contained the RAI.
3. Sent only if received from the SGSN.

5.2.2.4 Accounting Request Interim-Update

ID | Attribute name | WAP GW and WAP GW, server optional | IP address release | 3GPP and 3GPP, server optional
1 User-Name (1) Yes Yes Yes
4 NAS-IP-Address Yes Yes Yes
5 NAS-Port Yes Yes Yes
6 Service-Type Yes Yes Yes
7 Framed Protocol Yes Yes Yes
8 Framed-IP-Address Yes Yes Yes
25 Class Yes Yes Yes
30 Called-Station-Id Yes Yes Yes
31 Calling-Station-Id Yes Yes Yes
32 NAS-Identifier Yes Yes Yes
40 Acct-Status-Type Yes Yes Yes
42 Acct-Input-Octets Yes Yes
43 Acct-Output-Octets Yes Yes
44 Acct-Session-Id Yes Yes Yes
45 Acct-Authentic Yes Yes Yes
46 Acct-Session-Time Yes Yes
47 Acct-Input-Packets Yes Yes
48 Acct-Output-Packets Yes Yes
50 Acct-Multisession-Id Yes Yes Yes
51 Acct-Link-Count Yes Yes Yes
52 Acct-Input-Gigawords Yes
53 Acct-Output-Gigawords Yes
55 Event-Timestamp Yes Yes Yes
61 NAS-Port-Type Yes Yes Yes
224 IMSI Yes
225 Charging-ID Yes
226 Prepaid-Ind Yes Yes
227 GGSN-IP-Address Yes
228 SGSN-IP-Address Yes
26/94/10 Nokia-Session-Access-Method Yes
26/94/11 Nokia-Session-Charging-Type Yes
26/94/15 Nokia-Requested-APN Yes
26/10415/1 3GPP-IMSI Yes
26/10415/2 3GPP-Charging-Id Yes
26/10415/3 3GPP-PDP Type Yes
26/10415/4 3GPP-Charging-Gateway-Address Yes
26/10415/5 3GPP-GPRS-Negotiated-QoS-Profile Yes
26/10415/6 3GPP-SGSN-Address Yes
26/10415/7 3GPP-GGSN-Address Yes
26/10415/8 3GPP-IMSI-MCC-MNC Yes
26/10415/9 3GPP-GGSN-MCC-MNC Yes
26/10415/10 3GPP-NSAPI Yes
26/10415/12 3GPP-Selection-Mode Yes
26/10415/13 3GPP-Charging-Characteristics Yes
26/10415/18 3GPP-SGSN-MCC-MNC (2) Yes
26/10415/21 3GPP-RAT-Type Yes
26/10415/22 3GPP-User-Location-Info (3) Yes
26/10415/23 3GPP-MS-TimeZone (3) Yes

1. Not sent if the username is empty.


2. Sent only if the PDP context request contained the RAI.
3. Sent only if received from the SGSN.

5.2.2.5 Accounting Request Stop

ID | Attribute name | WAP GW and WAP GW, server optional | IP address release | 3GPP and 3GPP, server optional
1 User-Name (1) Yes Yes Yes
4 NAS-IP-Address Yes Yes Yes
5 NAS-Port Yes Yes Yes
6 Service-Type Yes Yes Yes
7 Framed Protocol Yes Yes Yes
8 Framed-IP-Address Yes Yes Yes
25 Class Yes Yes Yes
30 Called-Station-Id Yes Yes Yes
31 Calling-Station-Id Yes Yes Yes
32 NAS-Identifier Yes Yes Yes
40 Acct-Status-Type Yes Yes Yes
42 Acct-Input-Octets Yes Yes
43 Acct-Output-Octets Yes Yes
44 Acct-Session-Id Yes Yes Yes
45 Acct-Authentic Yes Yes Yes
46 Acct-Session-Time Yes Yes
47 Acct-Input-Packets Yes Yes
48 Acct-Output-Packets Yes Yes
49 Acct-Terminate-Cause Yes Yes Yes
50 Acct-Multisession-Id Yes Yes Yes
51 Acct-Link-Count Yes Yes Yes
52 Acct-Input-Gigawords Yes
53 Acct-Output-Gigawords Yes
61 NAS-Port-Type Yes Yes Yes
224 IMSI Yes
225 Charging-ID Yes
226 Prepaid-Ind Yes Yes
227 GGSN-IP-Address Yes
228 SGSN-IP-Address Yes
26/94/15 Nokia-Requested-APN Yes
26/10415/1 3GPP-IMSI Yes
26/10415/2 3GPP-Charging-Id Yes
26/10415/3 3GPP-PDP Type Yes
26/10415/4 3GPP-Charging-Gateway-Address Yes
26/10415/5 3GPP-GPRS-Negotiated-QoS-Profile Yes
26/10415/6 3GPP-SGSN-Address Yes
26/10415/7 3GPP-GGSN-Address Yes
26/10415/8 3GPP-IMSI-MCC-MNC Yes
26/10415/9 3GPP-GGSN-MCC-MNC Yes
26/10415/10 3GPP-NSAPI Yes
26/10415/11 3GPP-Session-Stop-Indicator (4) Yes
26/10415/12* 3GPP-Selection-Mode Yes
26/10415/13 3GPP-Charging-Characteristics Yes
26/10415/18 3GPP-SGSN-MCC-MNC (2) Yes
26/10415/21 3GPP-RAT-Type Yes
26/10415/22 3GPP-User-Location-Info (3) Yes
26/10415/23 3GPP-MS-TimeZone (3) Yes

1. Not sent if the username is empty.


2. Sent only if the PDP context request contained the RAI.
3. Sent only if received from the SGSN.
4. Sent only for the last context of the PDP session.

5.2.2.6 Accounting Request On/Off

ID | Attribute name | WAP GW and WAP GW, server optional | IP address release | 3GPP and 3GPP, server optional
4 NAS-IP-Address Yes Yes Yes
30 Called-Station-Id Yes Yes Yes
32 NAS-Identifier Yes Yes Yes
40 Acct-Status-Type Yes Yes Yes
44 Acct-Session-Id Yes Yes Yes
61 NAS-Port-Type Yes Yes Yes

5.2.2.7 Disconnect Request

ID Attribute name
1 User-Name
4 NAS-IP-Address
6 Service-Type
32 NAS-Identifier
33 Proxy-State
44 Acct-Session-Id *
50 Acct-Multisession-Id *
55 Event-Timestamp

* : The request must contain at least one of these attributes

5.2.2.8 Disconnect ACK

ID Attribute name
33 Proxy-State (1)
49 Acct-Terminate-Cause
55 Event-Timestamp

5.2.2.9 Disconnect NAK

ID Attribute name
33 Proxy-State (1)
55 Event-Timestamp

1. Sent only if the request contained the Proxy-State attribute.

5.2.2.10 Change of Authorisation (CoA) Request

ID Attribute name
1 User-Name
4 NAS-IP-Address
6 Service-Type
32 NAS-Identifier
33 Proxy-State
44 Acct-Session-Id *
50 Acct-Multisession-Id *
55 Event-Timestamp
26/94/3 Nokia-Service-Name
26/94/4 Nokia-Service-ID
26/94/5 Nokia-Service-Username
26/94/6 Nokia-Service-Password
26/94/7 Nokia-Service-Primary-Indicator
26/94/8 Nokia-Service-Charging-Type
26/94/9 Nokia-Service-Encrypted-Password
26/94/14 Nokia-TREC-Index **

* : The request must contain at least one of these attributes.
**: This AVP requires Acct-Session-Id to be present in CoA. Otherwise Nokia-TREC-Index is ignored by Flexi ISN.

5.2.2.11 Change of Authorisation (CoA) ACK

ID Attribute name
33 Proxy-State (1)
55 Event-Timestamp

1. Sent only if the request contained the Proxy-State attribute(s).

5.2.2.12 Change of Authorisation (CoA) NAK

ID Attribute name
33 Proxy-State (1)
55 Event-Timestamp
101 Error-Cause

1. Sent only if the request contained the Proxy-State attribute.


6 Additional features
Flexi ISN supports a few features not specified in the basic RADIUS documents RFC
2865 [6] and RFC 2866 [7]. This section provides a list of those features and information
about attributes related to the features.

6.1 Support for DNS servers provided by the RADIUS server


DNS attributes defined in RFC 2548
RFC 2548 [5] defines two vendor-specific sub-attributes, which can be used to define
the DNS server:
MS-Primary-DNS-Server. This sub-attribute is used to indicate the address of
the primary DNS server to be used by the MS. It may be included in the
Access-Accept packets.
MS-Secondary-DNS-Server. This sub-attribute is used to indicate the address of
the secondary DNS server to be used by the MS. It may be included in the
Access-Accept packets.
The DNS server address may be received also via other sources (for example,
PPP).
The specific attribute format is:

| Field Name | Length | Value |
|---|---|---|
| Type | 1 octet | 26 (Vendor-Specific) |
| Length | 1 octet | 12 |
| Vendor-Id | 4 octets | 311 (Microsoft) |
| Vendor-Type | 1 octet | 28 (MS-Primary-DNS-Server), 29 (MS-Secondary-DNS-Server) |
| Vendor-Length | 1 octet | 6 |
| IPv4-Address | 4 octets | IP address of the primary/secondary DNS server |

The 3GPP standard TS 29.061 [3] requires that the DNS server addresses are specified
according to RFC 2548 [5].

Other vendor-specific DNS address definitions


RADIUS servers also use their own vendor-specific DNS attributes. Thus, even if the
Flexi ISN supports the attributes described in the previous section, the RADIUS server
may use its own vendor-specific DNS attributes. At least Ascend and Cisco have defined
their own vendor-specific DNS attributes. The main difference between Cisco's and
Microsoft's approach is that Cisco uses non-standardised attribute identifiers instead of
the recommended Vendor-Specific attribute [1]. The Flexi ISN supports Cisco's
attributes Primary-DNS-Server and Secondary-DNS-Server in the Access-Accept
message. See the attribute table in Section Attributes.


6.2 RADIUS Disconnect


The basic RADIUS does not contain any message that could be used to terminate PDP
contexts from a RADIUS server. Some vendors have defined three RADIUS messages
for this purpose (RFC 2882 [11]):
- Disconnect-Request (type 40)
- Disconnect-ACK (type 41)
- Disconnect-NAK (type 42)

The messages are explained in detail in RFC 3576 [12]. The support for disconnect
request is required in TS 29.061 [3].

Flexi ISN as RADIUS server


The RADIUS protocol defined in RFC 2865 [6] and RFC 2866 [7] does not allow unsolicited
messages sent from the RADIUS server to the GGSN. The Disconnect-Request is always sent
from the RADIUS server to the GGSN. Thus, the roles of the GGSN and the RADIUS server
must be reversed. The GGSN is able to receive RADIUS packets sent to UDP ports 1700 and
3799 and acts like a RADIUS server when a Disconnect-Request is received. The response
messages Disconnect-ACK and Disconnect-NAK are sent from the port and to the port from
which the Disconnect-Request was received.

When the GGSN receives the Disconnect-Request, it checks if the request can be fulfilled
and sends a response message Disconnect-ACK (PDP context successfully terminated) or
Disconnect-NAK (request failed).

Previously the Flexi ISN accepted Disconnect-Requests sent only by a known RADIUS
Accounting server. Now the RADIUS server can also be a known Authentication server, that
is, the RADIUS server must be found in the Flexi ISN configuration database as a primary
or secondary Authentication or Accounting server. Additionally, it is possible to name
four separate Disconnect servers if a RADIUS server other than the primary or secondary
Authentication or Accounting server is to be used. See the RADIUS Disconnect
configuration table in Section Configuration parameters. The configured OSC servers are
also valid Disconnect servers as long as the RADIUS interface towards OSC is enabled.

See also the common information for Disconnect- and CoA-Requests:
- Proxy-State attribute information in Section Support for RADIUS proxy.
- New rules for Disconnect- and CoA-Request reading, Section Checks made on
  Disconnect-Requests and CoA-Requests; RFC 3576.

6.2.1 Disconnect-Request
The Authenticator field of the Disconnect-Request packet is calculated in the same way
as for an Accounting-Request packet. For more information, see Section Authenticator.
The Disconnect-Request must contain at least one of the following attributes (TS 29.061
[3]):
- Acct-Session-Id. The user session identifier. The GGSN IP address and
  charging ID concatenated in UTF-8 encoded hexadecimal.
- Acct-Multi-Session-Id. An identifier for multiple related sessions.

When the Flexi ISN sends a disconnect message (that means that it is acting as a NAS
server), it includes only the Acct-Session-Id attribute and not the
Acct-Multi-Session-Id. But when the Flexi ISN (acting either as a NAS server or NAS
client) receives a Disconnect-Request, it can handle it properly when either the
Acct-Session-Id attribute or Acct-Multi-Session-Id is included.

The Disconnect-Request may optionally contain one of the following attributes:
- Username. The user name provided by the user (extracted from the Create PDP
  Context Request message) or PPP authentication phase (if PPP PDP type is used).
  If no username is available, a generic username configurable on a per APN basis is
  present. If the Username has been sent in the Access-Accept message, this user
  name is used in preference to the above.
- Framed-IP-Address. The user's IP address.

More optional attributes are listed in RFC 3576 [12].

Flexi ISN is able to map the received attributes to a unique PDP context or to a whole
user session. The procedure allows several connections to be disconnected with one
request (for example, all connections of one user) or only one PDP context may be
terminated.

Note that Flexi ISN is able to receive Acct-Multi-Session-Id and is able to terminate a
whole session at once.

6.2.2 Disconnect-ACK
The Disconnect-ACK packet is sent when the Disconnect-Request has been received
and the whole session or the PDP context was terminated. The Flexi ISN sends the
packet as soon as the Delete PDP Context Request has been sent to the SGSN. There
is no need to wait for the response from the SGSN before Disconnect-ACK is sent to the
RADIUS server. TS 29.061 [3] and RFC 3576 [12] do not specify the content of the
Disconnect-ACK. The Flexi ISN implementation sends the Event-Timestamp attribute for
security reasons and the Acct-Terminate-Cause attribute with the value 6
(Admin-Reset) in this message.

6.2.3 Disconnect-NAK
The Disconnect-NAK packet is sent when the Disconnect-Request has been received
and the PDP context was not terminated (for example, the PDP context was not found).
TS 29.061 [3] and RFC 3576 [12] do not specify the content of the Disconnect-NAK. The
Flexi ISN implementation sends the Event-Timestamp attribute in this message.

6.3 Accounting Request Interim-Update


This requires a license.

RFC 2866 [7] defines the Accounting-Request packet, which is used in the accounting.
One of the attributes of the packet is Acct-Status-Type, which defines the type of the
Accounting-Request. This attribute may have the value Interim-Update (value 3). The
interim updates are used to inform the RADIUS server about the current accounting
status. The interim updates are sent whenever the PDP context is updated.

An interim update is also sent when the volume or time limit value in the access point's
charging limit profile is reached. The time difference between two interim update
messages for reaching a threshold value is 60 seconds. If it is triggered earlier, the
interim update request will not be sent. To use this functionality, the Send Interim
When Container Closed parameter in access point configuration should be set to
Enabled.

The content of the interim update message is defined in Section 16.4.8 of TS 29.061 [3].

Note that all standard RADIUS attributes in an interim update message are cumulative.
For example, if the optional attribute Acct-Input-Packets is included, it should
contain the total number of packets sent by the user, not just the packets sent after the
previous accounting message.

Interim update messages contain all of the attributes found in an accounting stop
message. For example, if the IMSI is included in the Accounting Stop message, it should
also be included in the interim update message.

6.4 Acct-Input-Gigawords and Acct-Output-Gigawords


These attributes require a license.

RFC 2869 [10] defines two attributes:

Acct-Input-Gigawords. This attribute indicates how many times the Acct-Input-Octets
counter has wrapped around 2^32 while this service has been provided, and can only be
present in Accounting-Request records where the Acct-Status-Type is set to Stop or
Interim-Update.

| Field Name | Length | Value |
|---|---|---|
| Type | 1 octet | 52 |
| Length | 1 octet | 6 |
| Value | 4 octets | |

Acct-Output-Gigawords. This attribute indicates how many times the Acct-Output-Octets
counter has wrapped around 2^32 while this service has been provided, and can only be
present in Accounting-Request records where the Acct-Status-Type is set to Stop or
Interim-Update.

| Field Name | Length | Value |
|---|---|---|
| Type | 1 octet | 53 |
| Length | 1 octet | 6 |
| Value | 4 octets | |

Although TS 29.061 [3] does not use these two attributes, they are clearly needed
whenever the above-mentioned counters wrap around. The Flexi ISN uses these two
attributes.

6.5 Dynamic tunnelling of APN


This requires a license.

The Flexi ISN supports different tunnelling protocols (for example, GRE, L2TP), but the
choice between the tunnelling protocols is static. A more flexible approach is to select
the used tunnelling protocol dynamically. When RADIUS is used, it is possible to provide
this functionality. RADIUS has attributes that carry the tunnelling information between
the RADIUS server and the RADIUS client (GGSN) (RFC 2868 [9]).

These attributes are received from the RADIUS server during the authentication process
and are included in Access-Accept packets.

Tunnel-Type
The main RADIUS attribute is Tunnel-Type.

| Field Name | Length | Value |
|---|---|---|
| Type | 1 octet | 64 |
| Length | 1 octet | 6 |
| Tag | 1 octet | The tag field is intended to provide the means for grouping attributes, which refer to the same tunnel, in the same packet. |
| Value | 3 octets | Defines the tunneling protocol. The GGSN supports the following values in the attribute: L2TP (3), IP-IP (7), GRE (10) |

If the Tunnel-Type attribute is present in an Access-Request packet sent from a Flexi
ISN, it should be taken as a hint to the RADIUS server as to which tunnelling protocols
are supported by the tunnel endpoint. The RADIUS server may, however, ignore the
hint.

Tunnel-Server-Endpoint
This attribute indicates the address of the server end of the tunnel. The
Tunnel-Server-Endpoint must be included in the Access-Accept packet if the initiation
of a tunnel is desired. The Flexi ISN supports the attribute.

| Field Name | Length | Value |
|---|---|---|
| Type | 1 octet | 66 |
| Length | 1 octet | greater than or equal to 3 |
| Tag | 1 octet | The tag field is intended to provide the means for grouping attributes, which refer to the same tunnel, in the same packet. |
| Value | String | This string is either the fully qualified domain name (FQDN) of the tunnel client machine, or it is a dotted-decimal IP address. Only the dotted-decimal format for IP addresses is supported in the Flexi ISN. |

If for some reason the Flexi ISN does not accept the received IP address, the Flexi ISN
behaves as though an Access-Reject had been received.

Tunnel-Client-Endpoint
This attribute indicates the address of the initiator end of the tunnel. The
Tunnel-Client-Endpoint is not mandatory in the Access-Accept packet, so the Flexi ISN
is prepared for the case where the attribute is missing.

| Field Name | Length | Value |
|---|---|---|
| Type | 1 octet | 67 |
| Length | 1 octet | greater than or equal to 3 |
| Tag | 1 octet | The tag field is intended to provide the means for grouping attributes, which refer to the same tunnel, in the same packet. |
| Value | String | This string is either the fully qualified domain name (FQDN) of the tunnel client machine, or it is a dotted-decimal IP address. The Flexi ISN supports both formats (the dotted-decimal and FQDN) for the IP addresses. |

If for some reason the Flexi ISN does not accept the received IP address, the Flexi ISN
behaves as though an Access-Reject had been received.

Tunnel-Assignment-ID

| Field Name | Length | Value |
|---|---|---|
| Type | 1 octet | 82 |
| Length | 1 octet | greater than or equal to 3 |
| Tag | 1 octet | The tag field is intended to provide the means for grouping attributes, which refer to the same tunnel, in the same packet. |
| Value | String | There is no restriction on the format of the ID. |

Some tunnelling protocols, such as L2TP, allow for sessions between the same two
tunnel endpoints to be multiplexed over the same tunnel, and also for a given session
to use its own dedicated tunnel. This attribute provides a mechanism for RADIUS to be
used to inform the tunnel initiator (for example, LAC) whether to assign the session to a
multiplexed tunnel or to a separate tunnel. Furthermore, it allows for sessions sharing
multiplexed tunnels to be assigned to different multiplexed tunnels. The
Tunnel-Assignment-ID attribute is of significance only to RADIUS and the tunnel
initiator. The ID assigned by the tunnel initiator, the Flexi ISN, is not conveyed to the
tunnel peer.

When the Tunnel-Assignment-ID attribute is received, the Flexi ISN should assign a
session to a tunnel in the following manner:
- If this attribute is present and a tunnel exists between the specified endpoints with
  the specified ID, the session should be assigned to that tunnel. An existing tunnel
  can be re-used only if the same service blade is used.
- If this attribute is present and no tunnel exists between the specified endpoints with
  the specified ID, a new tunnel should be established for the session and the
  specified ID should be associated with the new tunnel.
- If this attribute is not present, then the session is assigned to an unnamed tunnel. If
  an unnamed tunnel does not yet exist between the specified endpoints, it is
  established and used for this and subsequent sessions established without the
  Tunnel-Assignment-ID attribute. The Flexi ISN must not assign a session for which a
  Tunnel-Assignment-ID attribute was not specified to a named tunnel (that is, one that
  was initiated by a session specifying this attribute).

Tunnel-Preference
If more than one set of tunnelling attributes is returned by the RADIUS server to the Flexi
ISN, this attribute should be included in each set to indicate the relative preference
assigned to each tunnel. Accordingly, when there are multiple dynamic tunnelling
configuration sets and the highest priority fails, the second highest will be tried.

Note: Tunnel failure can only be detected on L2TP tunnels. For IPIP and GRE the highest
priority is always used unconditionally.

| Field Name | Length | Value |
|---|---|---|
| Type | 1 octet | 83 |
| Length | 1 octet | 6 |
| Tag | 1 octet | The tag field is intended to provide the means for grouping attributes, which refer to the same tunnel, in the same packet. |
| Value | 3 octets | 0x000000 is most preferred and 0xFFFFFF least preferred. |

6.5.1 Tunnelling attributes related to authentication


Tunnel-Password
The attribute contains a password to be used to authenticate to a remote server.

| Field Name | Length | Value |
|---|---|---|
| Type | 1 octet | 69 |
| Length | 1 octet | greater than or equal to 5 |
| Tag | 1 octet | The tag field is intended to provide the means for grouping attributes, which refer to the same tunnel, in the same packet. |
| Salt | 2 octets | The Salt field is used to ensure the uniqueness of the encryption key used to encrypt each instance of the Tunnel-Password attribute occurring in a given Access-Accept packet. The most significant bit (leftmost) of the Salt field must be set (1). The contents of each Salt field in a given Access-Accept packet must be unique. |
| String | | The plaintext String field consists of three logical sub-fields: Data-Length (1 octet), Password sub-fields, Padding sub-field (optional) |
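
The following is an added example, not code from the Flexi ISN or from this document. It builds and reads the Tunnel-Password layout tabulated above (Tag, Salt, and a String made of Data-Length, Password and Padding) using the MD5-based hiding scheme of RFC 2868 [9], which the page cites but does not reproduce. The function names, secret and Request Authenticator values are assumptions made for the illustration.

```python
import hashlib
import os

TUNNEL_PASSWORD = 69


def _crypt(data, secret, request_auth, salt, decrypt):
    """XOR 16-octet blocks with MD5(secret + previous ciphertext block).

    The first block is keyed with MD5(secret + Request Authenticator + Salt),
    as described in RFC 2868."""
    out, prev = b"", request_auth + salt
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decrypt else result   # always chain on ciphertext
    return out


def new_salt(used=()):
    """Random Salt with the most significant bit set, unique within a packet."""
    while True:
        raw = os.urandom(2)
        salt = bytes([raw[0] | 0x80, raw[1]])
        if salt not in used:
            return salt


def encode_tunnel_password(password, secret, request_auth, tag=0, salt=None):
    """Return the complete attribute: Type, Length, Tag, Salt, String."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 239:
        raise ValueError("password does not fit in one attribute")
    salt = salt or new_salt()
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("Salt must be 2 octets with the leftmost bit set")
    plain = bytes([len(password)]) + password      # Data-Length + Password
    plain += bytes(-len(plain) % 16)               # Padding to 16-octet blocks
    cipher = _crypt(plain, secret, request_auth, salt, decrypt=False)
    return bytes([TUNNEL_PASSWORD, 5 + len(cipher), tag]) + salt + cipher


def decode_tunnel_password(attr, secret, request_auth):
    """Validate the attribute and return (tag, password)."""
    if len(attr) < 5 or attr[0] != TUNNEL_PASSWORD or attr[1] != len(attr):
        raise ValueError("not a well-formed Tunnel-Password attribute")
    tag, salt, cipher = attr[2], attr[3:5], attr[5:]
    if not salt[0] & 0x80:
        raise ValueError("Salt: most significant bit not set")
    if not cipher or len(cipher) % 16:
        raise ValueError("String is not a whole number of 16-octet blocks")
    plain = _crypt(cipher, secret, request_auth, salt, decrypt=True)
    if plain[0] > len(plain) - 1:
        # Typical result of a wrong shared secret or a corrupted attribute.
        raise ValueError("Data-Length exceeds the String field")
    return tag, plain[1:1 + plain[0]]


def salts_unique(attrs):
    """True if every Tunnel-Password attribute in the packet has its own Salt."""
    salts = [a[3:5] for a in attrs if a[0] == TUNNEL_PASSWORD]
    return len(salts) == len(set(salts))


# Constructed sample values (not from the page).
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_REQUEST_AUTH = bytes(range(16))
```
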

Tunnel-Client-Auth-ID
The attribute specifies the name used by the tunnel initiator during the authentication
phase of tunnel establishment.

| Field Name | Length | Value |
|---|---|---|
| Type | 1 octet | 90 |
| Length | 1 octet | greater than or equal to 3 |
| Tag | 1 octet | The tag field is intended to provide the means for grouping attributes, which refer to the same tunnel, in the same packet. |
| String | | The String field contains the authentication name of the tunnel initiator. |

6.5.2 Tunnelling attributes related to user authentication


NSN-Tunnel-User-Auth-Method
The attribute specifies the user authentication method used with dynamic tunnels.

| Field Name | Length | Value |
|---|---|---|
| Type | 1 octet | 26 (Vendor-Specific) |
| Length | 1 octet | 12 |
| Vendor-Id | 4 octets | 28458 (Nokia-Siemens-Networks) |
| Vendor-Type | 1 octet | 1 (NSN-Tunnel-User-Auth-Method) |
| Vendor-Length | 1 octet | 6 |
| Tag | 1 octet | The tag field is intended to provide the means for grouping attributes, which refer to the same tunnel, in the same packet. |
| Integer | 3 octets | The Integer field defines the User Authentication method. 1 = L2TP PAP; 2 = L2TP PAP with MSISDN; 3 = L2TP PAP with APN; 4 = L2TP PAP with IMSI; 5 = L2TP CHAP; 6 = L2TP CHAP with MSISDN; 7 = L2TP CHAP with APN; 8 = L2TP CHAP with IMSI; 9 = L2TP Proxy Authentication |

NSN-Tunnel-Override-Username
The attribute changes the user authentication in dynamic tunnels when credentials are
received from the terminal. When the attribute is set to Enabled (1) the credentials from
the terminal override the ones previously used. The authentication fails if the received
password is "password".

| Field Name | Length | Value |
|---|---|---|
| Type | 1 octet | 26 (Vendor-Specific) |
| Length | 1 octet | 10 |
| Vendor-Id | 4 octets | 28458 (Nokia-Siemens-Networks) |
| Vendor-Type | 1 octet | 2 (NSN-Tunnel-Override-Username) |
| Vendor-Length | 1 octet | 4 |
| Tag | 1 octet | The tag field is intended to provide the means for grouping attributes, which refer to the same tunnel, in the same packet. |
| Integer | 1 octet | The Integer field enables the Override Username method. 1 = Enabled; other values = Disabled |

6.5.3 Additional requirements related to dynamic tunnelling of APN


- The Flexi ISN supports dynamic tunnels in all APN types (RFC 2868 [9]).
- Arbitrary dynamic tunnelling configurations are supported (RFC 2868 [9]).
  The RADIUS server may return an arbitrary tunnelling configuration. If the RADIUS
  server is unreliable, the Flexi ISN does not allow this. If, however, the RADIUS
  server can be trusted, the Flexi ISN allows those tunnelling configurations, which are
  not predefined in the Flexi ISN.
- The Flexi ISN includes tunnelling attributes in an Access-Request packet.

6.6 Nokia vendor-specific attribute Nokia-Session-Access-Method

This attribute requires a licence.

The Nokia-Session-Access-Method attribute indicates which access method is chosen to
use for the user session. The Nokia-Session-Access-Method vendor-specific attribute is
encoded as follows:

| Field Name | Length | Value |
|---|---|---|
| Type | 1 octet | 26 (Vendor-Specific) |
| Length | 1 octet | 9 |
| Vendor-Id | 4 octets | 94 (Nokia) |
| Vendor-Type | 1 octet | 10 (Nokia-Session-Access-Method) |
| Vendor-Length | 1 octet | 3 |
| Value | 1 octet | The Value field contains the access method. 0 = GPRS (undefined); 1 = SGSN (2G / 3G / unspecified); 2 = WLAN; 3 = IP (NAS) |

6.7 Charging profile fetching through RADIUS


The vendor-specific attribute Nokia-Session-Charging-Type indicates which
charging type is chosen for the session. It also defines whether online charging (via the
OCS interface) is enabled. With this attribute the charging profile is also fetched from
the RADIUS server during RADIUS authentication. The attribute can be received from
RADIUS during the authentication process even when no user profile is fetched from
RADIUS. The Nokia-Session-Charging-Type vendor-specific attribute is encoded
as follows:

| Field Name | Length | Value |
|---|---|---|
| Type | 1 octet | 26 (Vendor-Specific) |
| Length | 1 octet | 9 |
| Vendor-Id | 4 octets | 94 (Nokia) |
| Vendor-Type | 1 octet | 11 (Nokia-Session-Charging-Type) |
| Vendor-Length | 1 octet | 3 |
| Value | 1 octet | The Value field contains the charging profile. 0 = prepaid; 1 = post-paid; 2 = post-paid with credit control; 3 = prepaid with credit card; 4 = HLR; 5 = wallet specific; 6 = wallet specific without credit control; 7 = hot billing |

Note that online charging (OCS interface) is disabled if values 1, 6, or 7 are received,
or if value 4 is received and the current charging characteristics do not have the
Prepaid bit set.

6.8 Defining OCS servers through RADIUS


The local Flexi ISN configuration makes it possible to define multiple OCS connections,
but cannot completely support subscriber-specific OCS interface selection. Therefore
the used OCS may also be defined and received from the RADIUS server during the
authentication process.

The OCS given from RADIUS will be used if it is also listed in the local configuration of
the Flexi ISN, and it will be ignored if there is no existing connection to such OCS.

Two OCS identifiers can be received from the RADIUS server with the Nokia-specific
attributes Nokia-OCS-ID1 and Nokia-OCS-ID2. If the OCS interface fails, the recovery
may use the alternate OCS defined by RADIUS.

The OCS identifiers can be received from RADIUS during the authentication process even
when no user profile is fetched from RADIUS, that is, the access point can be in
'Normal', 'GGSN' or 'Radius' mode. If the Nokia Siemens Networks Profile Server has
returned OCS identifiers, the values coming from the RADIUS server are ignored.

The Nokia-OCS-ID1 and Nokia-OCS-ID2 attributes are encoded as follows:
Nokia-OCS-ID1

| Field Name | Length | Value |
|---|---|---|
| Type | 1 octet | 26 (Vendor-Specific) |
| Length | 1 octet | 10 |
| Vendor-Id | 4 octets | 94 (Nokia) |
| Vendor-Type | 1 octet | 12 (Nokia-OCS-ID1) |
| Vendor-Length | 1 octet | 4 |
| Value | 2 octets | Defines the identification number of the OCS server that should be used in the first place. Integer, allowed range: 1 - 65535 |

Nokia-OCS-ID2

| Field Name | Length | Value |
|---|---|---|
| Type | 1 octet | 26 (Vendor-Specific) |
| Length | 1 octet | 10 |
| Vendor-Id | 4 octets | 94 (Nokia) |
| Vendor-Type | 1 octet | 13 (Nokia-OCS-ID2) |
| Vendor-Length | 1 octet | 4 |
| Value | 2 octets | Defines the identification number of the OCS server that should be used in the second place. Integer, allowed range: 1 - 65535 |

6.9 Determining TREC through RADIUS


The default TREC for the PDP context can be determined through RADIUS during the
authentication process; the access point must be in the Radius mode. This is done with
the Nokia vendor-specific attribute Nokia-TREC-Index. This attribute may be present
in the CoA message. It is applicable when Acct-Session-Id is also present. In this
case the TREC parameters restrict the QoS requested from SGSN for the specific PDP
context.

If the result is an updated QoS, then Flexi ISN initiates an Update PDP Context
Request towards SGSN.

For more information about TREC, see Quality of Service in Nokia Siemens Networks
Flexi ISN, Release 4.0.

The Nokia-TREC-Index attribute is encoded as follows:

| Field Name | Length | Value |
|---|---|---|
| Type | 1 octet | 26 (Vendor-Specific) |
| Length | 1 octet | 9 |
| Vendor-Id | 4 octets | 94 (Nokia) |
| Vendor-Type | 1 octet | 14 (Nokia-TREC-Index) |
| Vendor-Length | 1 octet | 3 |
| Value | 1 octet | The Value field contains the TREC Index. Integer, allowed range: 1-10. |
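
The fixed-length vendor-specific encodings tabulated in Section 6.1 and Sections 6.6 to 6.9 share one layout, so a receiver can check them with a single table-driven decoder. The sketch below is an added example, not Flexi ISN code: the function names and sample attributes are constructed for the illustration, while the Vendor-Id, Vendor-Type, length and range values are the ones given in the tables.

```python
import ipaddress
import struct

VENDOR_SPECIFIC = 26


def _ipv4(data):
    return str(ipaddress.IPv4Address(data))


def _ranged(low, high):
    """Decoder for an unsigned integer that must lie in low..high."""
    def decode(data):
        value = int.from_bytes(data, "big")
        if not low <= value <= high:
            raise ValueError(f"value {value} outside {low}-{high}")
        return value
    return decode


# (Vendor-Id, Vendor-Type) -> (name, value length in octets, decoder),
# taken from the encoding tables on this page.
VSA_TABLE = {
    (311, 28): ("MS-Primary-DNS-Server", 4, _ipv4),
    (311, 29): ("MS-Secondary-DNS-Server", 4, _ipv4),
    (94, 10): ("Nokia-Session-Access-Method", 1, _ranged(0, 3)),
    (94, 11): ("Nokia-Session-Charging-Type", 1, _ranged(0, 7)),
    (94, 12): ("Nokia-OCS-ID1", 2, _ranged(1, 65535)),
    (94, 13): ("Nokia-OCS-ID2", 2, _ranged(1, 65535)),
    (94, 14): ("Nokia-TREC-Index", 1, _ranged(1, 10)),
}


def encode_vsa(vendor_id, vendor_type, data):
    """Build one Vendor-Specific attribute carrying a single sub-attribute."""
    body = struct.pack("!IBB", vendor_id, vendor_type, len(data) + 2) + data
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


def decode_vsa(attr):
    """Validate one Vendor-Specific attribute and return (name, value)."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute")
    if attr[1] != len(attr):
        raise ValueError("Length octet does not match the attribute size")
    vendor_id, vendor_type, vendor_length = struct.unpack("!IBB", attr[2:8])
    if vendor_length != len(attr) - 6:
        raise ValueError("Vendor-Length does not match Length")
    entry = VSA_TABLE.get((vendor_id, vendor_type))
    if entry is None:
        raise KeyError((vendor_id, vendor_type))
    name, size, decode = entry
    data = attr[8:]
    if len(data) != size:
        raise ValueError(f"{name}: expected {size} value octets, got {len(data)}")
    return name, decode(data)


# Constructed sample attributes (not captured traffic).
SAMPLE_DNS = encode_vsa(311, 28, ipaddress.IPv4Address("192.0.2.53").packed)
SAMPLE_TREC = encode_vsa(94, 14, bytes([4]))
```
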

6.10 Nokia-Requested-APN
Usage of this attribute requires a licence.

The Nokia-Requested-APN attribute indicates the name of the access point to which the
user equipment requested connecting. The value is copied from the access point name
(APN) that is received from the SGSN in the Create PDP Context request. Note that the
requested APN may be different from the negotiated APN (that is sent in the
Called-Station-Id attribute). When the requested APN is an alias to a physical access
point, the negotiated APN contains the name of the physical access point. Also the user
profile may override the requested APN. In this case the negotiated APN contains the
name of the access point specified in the user profile.

The Nokia-Requested-APN attribute is encoded as follows:

| Field Name | Length | Value |
|---|---|---|
| Type | 1 octet | 26 (Vendor-Specific) |
| Length | 1 octet | greater than or equal to 8 |
| Vendor-Id | 4 octets | 94 (Nokia) |
| Vendor-Type | 1 octet | 15 (Nokia-Requested-APN) |
| Vendor-Length | 1 octet | greater than or equal to 2 |
| Value | String | Contains the requested access point name as a UTF-8 string. |

6.11 Transmission window


This section outlines the implementation and basic functionality of RADIUS transmission
windows and waiting queues in the Flexi ISN. A transmission window contains a set of
RADIUS requests that are currently being handled between the RADIUS client (the Flexi
ISN) and the RADIUS server (the AAA server). The standard defines that a transmission
window can have a maximum size of 256 simultaneous requests. This value is valid in
entry, medium and large configurations and applicable for each service blade (SB). In
the Capacity Extender (CE) and Dual-Chassis (DC) configurations, a value of 1785
simultaneous requests has been chosen for the whole system in order to avoid congestion
in RADIUS servers. This means that the transmission window for each service blade is
reduced to 1785/13 = 137 simultaneous requests, where 13 is the number of SBs in the DC.
Each RADIUS request inside a transmission window is identified by a unique RADIUS ID.
Note that in DC and with high loads, a transmission window of 256 simultaneous requests
for each SB would result in a total of 3328 simultaneous requests for each RADIUS
server, which is considered a very high value.

The Flexi ISN creates its own, independent transmission window, of 256 requests each,
for every uniquely defined connection between the RADIUS client and the RADIUS server.
In the Capacity Extender and Dual-Chassis configurations the value of the requests is
137. The functionality is available for all types of RADIUS servers; multiple independent
transmission windows are possible for both RADIUS authentication and RADIUS accounting
connections. When a new RADIUS request is sent out, it will use a certain transmission
window according to the destination. A connection between the RADIUS client and the
RADIUS server is defined by the following parameters:
- server address
- server port
- client address
- tunnel endpoint address (if configured)
- routing instance
- (client port, unique, and fixed for each Flexi ISN service blade, see below)

For a RADIUS connection to get its own transmission window, the value for at least one
of the above listed parameters must be different from those in other existing
configurations. The parameters are defined mainly in the access point configuration. If
two or more configurations end up being the same, the RADIUS request message for those
access points will use a shared transmission window (to the same shared RADIUS
server). Each service blade of the Flexi ISN uses a fixed unique source port (the client
port) for an outgoing request. This means that there is a separate transmission window
from each service blade to a given destination. The number of the simultaneous
requests depends on the configuration:
- In the Flexi ISN basic configuration there are: 2 service blades x 256 = 512
  simultaneous requests to the same destination.
- In the full Flexi ISN configuration there are: 4 service blades x 256 = 1024 (in the
  one-blade GGSN the number was 256).
- In the Capacity Extender and Dual-Chassis configurations there are: 13 service
  blades x 137 = 1785 (approximately) simultaneous requests to the same destination.

When the number of requests to be sent is large, the transmission window size limits the
rate at which the requests are sent. On the other hand, some RADIUS servers have
difficulties handling a big burst of simultaneous RADIUS messages, so the transmission
window acts as a protection mechanism as well.

If the given transmission window is full (that is, there are no free IDs left), the
RADIUS request will be temporarily stored to one of the transmission-window-specific
waiting queues. Once any of the ongoing procedures is finished, that request is removed
from the transmission window and a pending request is inserted into the transmission
window from a waiting queue. The pending authentication requests have one waiting queue
for each transmission window, which is emptied in FIFO order. The pending accounting
requests have multiple waiting queues for each transmission window. The queues are
sorted by the accounting message type and the access point index, and they are emptied
in a round-robin fashion.
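
The window and waiting-queue behaviour described in this section can be modelled in a few lines. This is an added sketch, not the Flexi ISN implementation: the class and method names are assumptions, only the single FIFO queue used for authentication requests is modelled (the round-robin accounting queues are left out), and a response carrying an ID that is not in flight is rejected rather than matched.

```python
from collections import deque


class TransmissionWindow:
    """In-flight RADIUS requests for one client/server connection."""

    def __init__(self, size=256):
        if not 1 <= size <= 256:          # the RADIUS ID is a single octet
            raise ValueError("window size must be 1-256")
        self.free_ids = deque(range(size))
        self.in_flight = {}               # RADIUS ID -> request
        self.waiting = deque()            # FIFO queue of pending requests

    def submit(self, request):
        """Return the RADIUS ID assigned, or None if the request was queued."""
        if self.free_ids:
            ident = self.free_ids.popleft()
            self.in_flight[ident] = request
            return ident
        self.waiting.append(request)
        return None

    def complete(self, ident):
        """Finish the procedure for ident and return (finished, promoted).

        promoted is the queued request that took over the freed ID, or None.
        Returns None when ident is not in flight, so a late, duplicated or
        unsolicited response cannot release or hijack a window slot."""
        if ident not in self.in_flight:
            return None
        finished = self.in_flight.pop(ident)
        promoted = None
        if self.waiting:
            promoted = self.waiting.popleft()
            self.in_flight[ident] = promoted
        else:
            self.free_ids.append(ident)
        return finished, promoted


class WindowTable:
    """One independent window per uniquely defined connection."""

    def __init__(self, size=256):
        self.size = size
        self.windows = {}

    def window_for(self, server_addr, server_port, client_addr, client_port,
                   tunnel_endpoint=None, routing_instance=0):
        # The key lists the parameters that define a connection in this section.
        key = (server_addr, server_port, client_addr, client_port,
               tunnel_endpoint, routing_instance)
        if key not in self.windows:
            self.windows[key] = TransmissionWindow(self.size)
        return self.windows[key]
```
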

6.12 Support for RADIUS proxy


The Flexi ISN supports the proxy functionality. With proxy RADIUS, a RADIUS client
(the forwarding server) receives a request from a RADIUS server, forwards the request
to a remote RADIUS client (the Flexi ISN), receives the reply from the remote client (the
Flexi ISN), and sends the reply to the server, possibly with changes to reflect local
administrative policy. A common use for proxy RADIUS is roaming. Roaming permits
two or more administrative entities to allow each other's users to dial in to either entity's
network for service. See RFC 2865 [6] and RFC 3576 [12].

The proxy functionality is fulfilled with the Proxy-State (33) attribute. The attribute
is sent by a proxy server to another server or a Flexi ISN when forwarding a request and
must be returned unmodified in the response. When the proxy server receives the response
to its request, it removes its own Proxy-State (the last Proxy-State in the packet)
before forwarding the response to the RADIUS server.

For an example, see Figure 4.


Figure 4 RADIUS proxy


A RADIUS server can function as both a forwarding server and a remote server. One
forwarding server can forward to another forwarding server to create a chain of proxies.

This means that if there are any Proxy-State attributes in the Disconnect-Request
or CoA-Request received from the RADIUS server, the Flexi ISN will include those
Proxy-State attributes in its response to the server.

The Flexi ISN can copy up to 10 Proxy-State attributes from the request to the response
packet. The attributes are copied in order, without modifying the attributes.

6.13 Checks made on Disconnect-Requests and CoA-


Requests; RFC 3576
Here are some hints for what it takes for a successful Disconnect-Request or CoA-
Request. Additionally, the rules given in Section RADIUS Disconnect, for Disconnect
and Section Retrieving service components dynamically for CoA must be followed
before the request can be fulfilled. These checks are common for Disconnect- and CoA-
Requests.
The following attributes, if included, must match in order for a Disconnect- or CoA-
Request to be successful, otherwise a Disconnect- or CoA-NAK is sent.
NAS-IP-Address
NAS-Identifier
User-Name
Acct-Session-Id or Acct-Multi-Session-Id (must be included in the
message)
When the Event-Timestamp (55) attribute is present in a Disconnect- or CoA-
Request, the Flexi ISN checks that the Event-Timestamp attribute is current
within a time window of 300 seconds. If the Event-Timestamp attribute is not
current, then the message is silently discarded.

80 Id:0900d805807522ee DN70119375
Issue 5-3 en
RADIUS Interface, Interface Description Additional features

The Service-Type (6) attribute is used for feature activation (for example, a usage
model similar to that supported in Diameter). The Flexi ISN responds to a Disconnect-
or CoA-Request that includes an unsupported Service-Type attribute with a
Disconnect- or CoA-NAK.
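The checks in this section can be written as one decision function. This is an added example, not Flexi ISN code: the dict representation of attributes, the order of the checks, the symmetric reading of the 300-second window and the `supported_service_types` parameter are assumptions.

```python
import time

WINDOW_SECONDS = 300  # Event-Timestamp window stated in this section
IDENTITY_ATTRS = ("NAS-IP-Address", "NAS-Identifier", "User-Name",
                  "Acct-Session-Id", "Acct-Multi-Session-Id")

# Constructed sample session (not captured traffic).
SESSION = {"NAS-IP-Address": "192.0.2.10", "User-Name": "alice",
           "Acct-Session-Id": "c000020a0000002a"}

def check_request(req, session, supported_service_types=(), now=None):
    """Return 'discard', 'nak' or 'ok' for a Disconnect- or CoA-Request.

    req     -- attributes decoded from the request (name -> value)
    session -- the values held for the session the request targets
    """
    now = time.time() if now is None else now

    # A timestamp outside the window may be a replay: send no reply at all.
    ts = req.get("Event-Timestamp")
    if ts is not None and abs(now - ts) > WINDOW_SECONDS:
        return "discard"

    # One of the two session identifiers must be included in the message.
    if "Acct-Session-Id" not in req and "Acct-Multi-Session-Id" not in req:
        return "nak"

    # Every identity attribute that is included has to match the session.
    for name in IDENTITY_ATTRS:
        if name in req and req[name] != session.get(name):
            return "nak"

    # An unsupported Service-Type is answered with a NAK.
    service_type = req.get("Service-Type")
    if service_type is not None and service_type not in supported_service_types:
        return "nak"
    return "ok"
```

The distinction between `discard` and `nak` matters for monitoring: a silently discarded request leaves no response on the wire, so it is only visible in local logs.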

6.14 Acct-Terminate-Cause
The Acct-Terminate-Cause attribute indicates how the session was terminated. Below
is a list of the values supported by the Flexi ISN and descriptions of reasons that could
have caused the context termination:
1, User Request
    Context termination related to an SGSN or NAS.
    • the SGSN cannot be reached or is down
    • the SGSN has been restarted
    • an update PDP Context request to the SGSN has failed
    • an SGSN has suddenly changed its GTP version
    • the SGSN or NAS has created a new PDP context with the same IMSI and
      NSAPI as an already existing PDP context
    • the SGSN assigned the TEID user plane of an already existing PDP context to
      a new PDP context
    • an error indication message from the SGSN
    • a delete PDP context request from an SGSN
    • a RADIUS Accounting Stop, Accounting Off (=going down), or Accounting On
      (=restarted) message received from NAS
    • the NAS did not supply an essential attribute
    • NAS accounting timeout, no accounting message received for the NAS context
    • the NAS configuration has been changed or deleted
    • the NAS context has the same accounting session ID as an already existing
      context
3, Lost Service
    Context termination related to an access point.
    • an access point was critically reconfigured
    • an access point was disabled
    • the access point name does not match any existing and enabled access point
4, Idle Timeout
    An idle time-out in the Flexi ISN caused the context termination.
5, Session Timeout
    A session time-out in the Flexi ISN caused the context termination.
6, Admin Reset
    A Disconnect Request terminated the context.
    • a Disconnect Request message from a standard RADIUS interface
    • a Disconnect Request message from the RADIUS-OCS interface
10, NAS Reset, default value
    A network-initiated context termination.


6.15 Values and profiles determined through RADIUS


This section clarifies which values and profiles can be defined and received from the
RADIUS server. More information about the attributes and messages mentioned in this
section can be found in several places elsewhere in this document. Table 8 shows the
values that can be determined in a RADIUS message. Also the access point mode that
is required for each value is described. Note that only the attributes that affect the Flexi
ISN functionality are mentioned here. Normal RADIUS 'received and send' attributes are
left out, such as the Class attribute.


Profile / value and attribute name      Access-Accept   CoA-Request   AP mode: Normal   AP mode: RADIUS

Dynamic IP address allocation           Yes Yes Yes
    Framed-IP-Address (8)
Defining session timeouts               Yes Yes Yes
    Session-Timeout (27)
    Idle-Timeout (28)
Dynamic tunneling parameters            Yes Yes Yes
    Tunnel-Type (64)
    Tunnel-Client-Endpoint (66)
    Tunnel-Server-Endpoint (67)
    Tunnel-Password (69)
    Tunnel-Assignment-Id (82)
    Tunnel-Preference (83)
    Tunnel-Client-Auth-Id (90)
Defining DNS server                     Yes Yes Yes
    Primary-DNS-Server (135)
    Secondary-DNS-Server (136)
    MS-Primary-DNS-Server (26/311/28)
    MS-Secondary-DNS-Server (26/311/29)
User profile fetching                   Yes Yes Yes
  1. Old method                         Yes Yes
    Nokia-Userprofile (26/94/2)
  2. Retrieving service components
    Nokia-Service-Name (26/94/3)
    Nokia-Service-Id (26/94/4)
    Nokia-Service-Username (26/94/5)
    Nokia-Service-Password (26/94/6)
    Nokia-Service-Primary-Indicator (26/94/7)
    Nokia-Service-Charging-Type (26/94/8)
    Nokia-Service-Encrypted-Password (26/94/9)
Charging profile fetching               Yes Yes Yes
    Nokia-Session-Charging-Type (26/94/11)
Defining OCS servers                    Yes Yes Yes
    Nokia-OCS-Id1 (26/94/12)
    Nokia-OCS-Id2 (26/94/13)
Defining the treatment class            Yes Yes
    Nokia-TREC-Index (26/94/14)

Table 8 Determined values in a RADIUS message


7 Retrieving service components


The Flexi ISN can be configured to fetch the user profile from a RADIUS server in case
the Nokia Subscription Manager is not available in the network. For this purpose the
external RADIUS server will deliver this information in the Nokia vendor-specific
attributes (the context access point and the RADIUS server need to be configured
accordingly).
The Flexi ISN can fetch the user profile from a RADIUS server during the authentication
process in the Access-Accept message (Section User profile fetching) or dynamically
through the CoA message (Section Retrieving service components dynamically).
The Flexi ISN must be configured accordingly, that is, the access point must be in the
Radius mode.
The User Profile LDAP/RADIUS licence is required to be able to use this feature.

7.1 User profile fetching


The Nokia vendor-specific attributes listed below should be used for this purpose, and
these attributes will overwrite the old Nokia-UserProfile attribute (Section Usage
of the old service list fetching attribute).
For the attributes, the same structure is used as for dynamic tunnelling parameters in
RADIUS. A Nokia vendor-specific attribute is defined for each attribute describing a part
of one service. All attributes belonging to a service in a profile are linked together with
a tag.
The following Nokia vendor-specific attributes (as defined below) are used for retrieving
service components:
• Nokia-Service-Name
• Nokia-Service-Id
• Nokia-Service-Username
• Nokia-Service-Password
• Nokia-Service-Primary-Indicator
• Nokia-Service-Charging-Type
• Nokia-Service-Encrypted-Password
The specific attribute format for Nokia vendor-specific service attributes is shown in
Table 9:


Field Name       Length         Value
Type             1 octet        26 (Vendor-Specific)
Length           1 octet        9 + N octets of the Value length
Vendor-Id        4 octets       94 (Nokia)
Vendor-Type      1 octet        3 (Nokia-Service-Name)
                                4 (Nokia-Service-ID)
                                5 (Nokia-Service-Username)
                                6 (Nokia-Service-Password)
                                7 (Nokia-Service-Primary-Indicator)
                                8 (Nokia-Service-Charging-Type)
                                9 (Nokia-Service-Encrypted-Password)
Vendor-Length    1 octet        3 + N octets of the Value length
Tag              1 octet        The Tag field is intended to provide the means for grouping
                                attributes, which refer to the same tunnel, in the same
                                packet. The Tag field is not allowed to be 0 (zero), except
                                in the Nokia-Service-Charging-Type attribute.
Value            N octets       Value of the service attribute.

Table 9 Specific attribute format for Nokia vendor-specific service attributes

Field Name       Length         Value
Vendor-Type      1 octet        3
Vendor-Length    1 octet        greater than or equal to 4
Tag              1 octet        The Tag field is intended to provide the means for grouping
                                attributes, which refer to the same service, in the same
                                packet. The Tag field is not allowed to be 0 (zero).
Value            1-247 octets   The Value field (UTF-8 encoded string) contains the
                                service name.

Table 10 Nokia-Service-Name


Field Name       Length         Value
Vendor-Type      1 octet        4
Vendor-Length    1 octet        4-7
Tag              1 octet        The Tag field is intended to provide the means for grouping
                                attributes in the same packet, which refer to the same
                                service. The Tag field is not allowed to be 0 (zero).
Value            1-4 octets     The Value field contains the service identification number.

Table 11 Nokia-Service-ID

Field Name       Length         Value
Vendor-Type      1 octet        5
Vendor-Length    1 octet        greater than or equal to 4
Tag              1 octet        The Tag field is intended to provide the means for grouping
                                attributes, which refer to the same service, in the same
                                packet. The Tag field is not allowed to be 0 (zero).
Value            1-247 octets   The Value field (UTF-8 encoded string) contains the
                                username for the service.

Table 12 Nokia-Service-Username

Field Name       Length         Value
Vendor-Type      1 octet        6
Vendor-Length    1 octet        greater than or equal to 4
Tag              1 octet        The Tag field is intended to provide the means for grouping
                                attributes, which refer to the same service, in the same
                                packet. The Tag field is not allowed to be 0 (zero).
Value            1-247 octets   The Value field (UTF-8 encoded string) contains the
                                password for the service.

Table 13 Nokia-Service-Password


Field Name       Length         Value
Vendor-Type      1 octet        7
Vendor-Length    1 octet        3
Tag              1 octet        The Tag field is intended to provide the means for grouping
                                attributes in the same packet, which refer to the same
                                service. The Tag field is not allowed to be 0 (zero).
Value            0 octets       The Value field should be empty and is ignored. The Tag
                                field shows the primary service.

Table 14 Nokia-Service-Primary-Indicator

Field Name       Length         Value
Vendor-Type      1 octet        8
Vendor-Length    1 octet        5
Tag              1 octet        The Tag field is intended to provide the means for grouping
                                attributes in the same packet, which refer to the same
                                service.
                                If the Tag field = 0, all the services that did not get their
                                own charging type will use this one.
Value            2 octets       The Value field is divided into the following:
  Wallet-Id      1 octet        The number of the wallet used by the subscriber to pay for
                                a given service.
                                The Wallet-Id field contains the wallet identification
                                number (1-127).
  Charging-Type  1 octet        The Charging-Type field defines the wallet charging type
                                used by Wallet-Id.
                                0 = prepaid
                                1 = post-paid
                                2 = post-paid with credit control
                                3 = prepaid with credit card

Table 15 Nokia-Service-Charging-Type


Field Name       Length         Value
Vendor-Type      1 octet        9
Vendor-Length    1 octet        greater than 5
Tag              1 octet        The Tag field is intended to provide the means for grouping
                                attributes in the same packet, which refer to the same
                                service. The Tag field is not allowed to be 0 (zero).
Value            3-247 octets   The Value field is divided into the following:
  Salt           1 octet        The Salt field is used to ensure the uniqueness of the
                                encryption key used to encrypt each instance of the
                                Nokia-Service-Encrypted-Password attribute. The most
                                significant bit (leftmost) of the Salt field must be set.
  String         1 octet        The plaintext String field consists of three logical
                                sub-fields:
                                • Data-Length (1 octet)
                                • Password
                                • Padding (optional, 1-15 octets)
                                The Data-Length sub-field contains the length of the
                                unencrypted Password sub-field. The Password sub-field
                                contains the actual password. If the combined length (in
                                octets) of the unencrypted Data-Length and Password
                                sub-fields is not an even multiple of 16, then the Padding
                                sub-field must be present.
                                The String field uses the same encryption as the String
                                field of the Tunnel-Password attribute (RFC 2868), and it
                                must be encrypted as follows, prior to transmission:
                                Construct a plaintext version of the String field by
                                concatenating the Data-Length and Password sub-fields. If
                                necessary, pad the resulting string until its length (in
                                octets) is an even multiple of 16. Zero octets (0x00)
                                should be used for padding. Call this plaintext P.
                                Call the shared secret S, the pseudo-random 128-bit
                                Request Authenticator (from the corresponding
                                Access-Request packet) R, and the contents of the Salt
                                field A. Break P into 16 octet chunks p(1), p(2)...p(i),
                                where i = len(P)/16. Call the cipher text blocks c(1),
                                c(2)...c(i) and the final cipher text C. Intermediate
                                values b(1), b(2)...b(i) are required. Encryption is
                                performed in the following manner ('+' indicates
                                concatenation):
                                b(1) = MD5(S + R + A)     c(1) = p(1) xor b(1)   C = c(1)
                                b(2) = MD5(S + c(1))      c(2) = p(2) xor b(2)   C = C + c(2)
                                .                         .
                                .                         .
                                .                         .
                                b(i) = MD5(S + c(i-1))    c(i) = p(i) xor b(i)   C = C + c(i)
                                The resulting encrypted String field will contain
                                c(1)+c(2)+...+c(i).

Table 16 Nokia-Service-Encrypted-Password
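The procedure of Table 16 in executable form, with its inverse. This is an added example, not part of the original document or Flexi ISN code: function names are hypothetical, the one-octet Salt follows Table 16 as printed (the RFC 2868 Tunnel-Password Salt is two octets), and the size limit is the 247-octet Value maximum from the table.

```python
import hashlib
import os

def encrypt_service_password(password: bytes, secret: bytes,
                             request_auth: bytes, salt: bytes = None) -> bytes:
    """Return Salt + C, the Value field that follows the Tag octet."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if salt is None:
        salt = bytes([os.urandom(1)[0] | 0x80])      # most significant bit set
    if len(salt) != 1 or not salt[0] & 0x80:
        raise ValueError("Salt must be 1 octet with the top bit set")
    if len(password) > 255:
        raise ValueError("password does not fit the 1-octet Data-Length")
    # P = Data-Length + Password, zero-padded to a multiple of 16 octets
    p = bytes([len(password)]) + password
    p += b"\x00" * (-len(p) % 16)
    if 1 + len(p) > 247:
        raise ValueError("Value field would exceed 247 octets")
    cipher, prev = b"", request_auth + salt          # b(1) = MD5(S + R + A)
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        cipher += c
        prev = c                                     # b(n) = MD5(S + c(n-1))
    return salt + cipher

def decrypt_service_password(value: bytes, secret: bytes,
                             request_auth: bytes) -> bytes:
    """Invert the encryption; raise ValueError on a malformed field."""
    salt, cipher = value[:1], value[1:]
    if not salt or not salt[0] & 0x80:
        raise ValueError("Salt missing or top bit clear")
    if not cipher or len(cipher) % 16:
        raise ValueError("cipher text must be a non-empty multiple of 16 octets")
    p, prev = b"", request_auth + salt
    for i in range(0, len(cipher), 16):
        b = hashlib.md5(secret + prev).digest()
        p += bytes(x ^ y for x, y in zip(cipher[i:i + 16], b))
        prev = cipher[i:i + 16]
    data_length = p[0]
    if data_length > len(p) - 1:
        # The scheme carries no integrity check; this is the only sanity test.
        raise ValueError("Data-Length exceeds the field: wrong secret or R?")
    return p[1:1 + data_length]
```

Confidentiality here rests entirely on the shared secret S and on Salt and Request Authenticator not repeating under that secret, which is worth keeping in mind when choosing and rotating S.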
Nokia vendor-specific attributes can be included in Access-Accept and
Change-of-Authorization messages.
The required attributes for retrieving service components successfully are:
• Nokia-Service-Name or Nokia-Service-Id
• Nokia-Service-Primary-Indicator for one service to describe which service
  will be used as the primary service.
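A parser for the attribute layout of Table 9 that groups the service attributes by Tag and checks the required attributes listed above. This is an added example, not Flexi ISN code: function and field names are hypothetical, the big-endian reading of Nokia-Service-Id is an assumption, and the sample bytes are constructed.

```python
import struct

NOKIA = 94  # Vendor-Id from Table 9
FIELDS = {3: "name", 4: "id", 5: "username", 6: "password",
          7: "primary", 8: "charging", 9: "encrypted_password"}

def build_vsa(vendor_type: int, tag: int, value: bytes = b"") -> bytes:
    """Encode one service attribute: Length = 9 + N, Vendor-Length = 3 + N."""
    return (bytes([26, 9 + len(value)]) + struct.pack("!I", NOKIA)
            + bytes([vendor_type, 3 + len(value), tag]) + value)

def parse_services(attrs: bytes) -> dict:
    """Walk a RADIUS attribute area and group service attributes by Tag."""
    services, pos = {}, 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("attribute length out of bounds")
        body, pos = attrs[pos + 2:pos + a_len], pos + a_len
        if a_type != 26 or len(body) < 6:
            continue                      # not a vendor-specific attribute
        if struct.unpack("!I", body[:4])[0] != NOKIA or body[4] not in FIELDS:
            continue                      # other vendor, or e.g. Nokia-UserProfile (2)
        field, v_len = FIELDS[body[4]], body[5]
        if v_len < 3 or v_len != len(body) - 4:
            raise ValueError("Vendor-Length does not match the attribute")
        tag, value = body[6], body[7:]
        if tag == 0 and field != "charging":
            raise ValueError("Tag 0 is only allowed in Nokia-Service-Charging-Type")
        svc = services.setdefault(tag, {})
        if field in ("name", "username", "password"):
            svc[field] = value.decode("utf-8")
        elif field == "id":
            svc[field] = int.from_bytes(value, "big")   # byte order is an assumption
        elif field == "primary":
            svc[field] = True                           # Value is empty and ignored
        elif field == "charging":
            if len(value) != 2:
                raise ValueError("Charging-Type value must be 2 octets")
            svc[field] = {"wallet_id": value[0], "charging_type": value[1]}
        else:
            svc[field] = value                          # Salt + encrypted String
    return services

def profile_errors(services: dict) -> list:
    """Required attributes: a name or id per service, one primary service."""
    errors = []
    tagged = {t: s for t, s in services.items() if t != 0}
    for tag, svc in sorted(tagged.items()):
        if "name" not in svc and "id" not in svc:
            errors.append(f"tag {tag}: no Nokia-Service-Name or Nokia-Service-Id")
    primaries = [t for t, s in tagged.items() if s.get("primary")]
    if len(primaries) != 1:
        errors.append(f"expected one primary service, found {len(primaries)}")
    return errors

# Constructed sample: two services, tag 1 primary, default charging under tag 0.
SAMPLE = (build_vsa(3, 1, b"isp_service") + build_vsa(7, 1)
          + build_vsa(3, 2, b"news_service") + build_vsa(8, 0, bytes([1, 0])))
```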


7.2 Retrieving service components dynamically


The Change-of-Authorization message is used for activating and terminating services
on the fly. While a PDP context is active, new services may be added or an already
active service may be terminated. When new services have been added, new connections
are activated, if necessary.
The RADIUS protocol does not allow unsolicited messages sent from the RADIUS server
to the Flexi ISN; however, the CoA-Request is always sent from the RADIUS server to the
Flexi ISN (see the Disconnect-Requests). Thus, the roles of the Flexi ISN and the RADIUS
server must be reversed. The Flexi ISN acts like a RADIUS server when a CoA-Request is
received (RFC 3576 [12]).
When the Flexi ISN receives the CoA-Request, it checks if the request can be fulfilled
and sends a response message: CoA-ACK (service components retrieved successfully) or
CoA-NAK (request failed) (RFC 3576 [12]).
The Flexi ISN accepts CoA-Requests sent by a RADIUS Authentication Accounting or
Disconnect server configured in a Radius profile; however, the optional RADIUS
Accounting servers are not accepted.
See also the common information for Disconnect- and CoA-Requests:
• Proxy-State attribute information in Section Support for RADIUS proxy
• New rules for Disconnect- and CoA-Request reading, Section Checks made on
  Disconnect-Requests and CoA-Requests; RFC 3576.
The destination port used for CoA-Request messages is UDP port 3799. For responses,
the source and destination ports are reversed. The packet format consists of the fields:
Code, Identifier, Length, Authenticator, and Attributes in Type:Length:Value (TLV)
format (RFC 3576 [12]). All fields hold the same meaning as those described in RADIUS
RFC 2865 [6]. The Authenticator field is calculated in the same way as specified for an
Accounting-Request (RFC 2866 [7]).
Unlike RADIUS as defined in RFC 2865 [6], the responsibility for retransmission of
CoA-Request messages lies with the RADIUS server (RFC 3576 [12]).
The RADIUS codes for the CoA messages are assigned as follows (RFC 3576 [12]):
• CoA-Request (43)
• CoA-ACK (44)
• CoA-NAK (45)
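The packet format and Authenticator calculation described above, shown from both sides. This is an added example, not Flexi ISN code: function names are hypothetical, and the response hash over the request's Authenticator plus the attribute number 101 for Error-Cause are taken from RFC 3576 rather than from this document.

```python
import hashlib
import hmac
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

def _digest(header4: bytes, auth16: bytes, attrs: bytes, secret: bytes) -> bytes:
    return hashlib.md5(header4 + auth16 + attrs + secret).digest()

def build_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """CoA-Request; Authenticator computed as for an Accounting-Request."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    return header + _digest(header, b"\x00" * 16, attrs, secret) + attrs

def verify_request(packet: bytes, secret: bytes) -> bytes:
    """Return the attribute area of a valid CoA-Request, else raise ValueError."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST:
        raise ValueError("not a CoA-Request")
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not fit the datagram")
    attrs = packet[20:length]             # octets past Length are padding
    expected = _digest(packet[:4], b"\x00" * 16, attrs, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Request Authenticator mismatch")
    return attrs

def nak_attributes(now: int, error_cause: int = 404) -> bytes:
    """Event-Timestamp (55) and Error-Cause (101), each a 4-octet integer."""
    return (bytes([55, 6]) + struct.pack("!I", now)
            + bytes([101, 6]) + struct.pack("!I", error_cause))

def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """CoA-ACK or CoA-NAK: same Identifier, hash covers the request's Authenticator."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + _digest(header, request[4:20], attrs, secret) + attrs

def verify_response(response: bytes, request: bytes, secret: bytes) -> int:
    """Return the response code if it answers `request` and its hash is valid."""
    if len(response) < 20 or response[1] != request[1]:
        raise ValueError("response does not match the request")
    length = struct.unpack("!H", response[2:4])[0]
    if length < 20 or length > len(response):
        raise ValueError("Length field does not fit the datagram")
    expected = _digest(response[:4], request[4:20], response[20:length], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("Response Authenticator mismatch")
    return response[0]
```

Because the request hash uses sixteen zero octets in place of a nonce, a captured CoA-Request verifies again later under the same secret; the Event-Timestamp check in Section 6.13 is what bounds that window.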

7.2.1 CoA-Request
To retrieve service components through the CoA-Request, the Nokia vendor-specific
attributes defined in Section User profile fetching must be used. The CoA-Request must
contain at least one of the following attributes for service component retrieval to be
successful:
• Acct-Session-Id. The user session identifier. The GGSN IP address and
  charging ID concatenated in a UTF-8 encoded hexadecimal.
• Acct-Multi-Session-Id. An identifier for multiple related sessions.
Additionally, the Nokia vendor-specific service attributes must be included in the
CoA-Request. The required service attributes are Nokia-Service-Name or
Nokia-Service-Id. The Nokia-Service-Primary-Indicator must be given to one service.
The Flexi ISN is able to map received attributes to a unique service. This procedure
allows a service to be activated or terminated dynamically. The received attributes in the
Change-of-Authorization message will together contain a new replacing profile. This
makes terminating a service simple; the service that should be terminated is left out of
the replacing profile.


Note: The charging type (wallet ID and wallet charging type) of an already active service
cannot be changed in the updated user profile. This will lead to session termination.
Example 1
isp_service, default_service, and news_service are activated.
news_service will be terminated.
A new replacing user profile is sent containing the attributes for isp_service and
default_service.
In this case the Nokia-Service-Name or Nokia-Service-Id attribute for the remaining
services is enough.
Example 2
isp_service and news_service are activated.
A new service, default_service, will be activated.
A new replacing user profile is sent containing attributes for isp_service,
news_service, and default_service.
In this case all possible Nokia service attributes for default_service must be included.
Additionally, the Nokia-Service-Name or Nokia-Service-Id attribute for already active
services (isp_service and news_service) are included in the user profile.

7.2.2 CoA-ACK
The CoA-ACK packet is sent when the CoA-Request has been received and the user
profile was read successfully. The Flexi ISN implementation sends the Event-
Timestamp attribute for security reasons in CoA-ACK.

7.2.3 CoA-NAK
The CoA-NAK packet is sent when the CoA-Request has been received and the service
component retrieving failed (for example, the required attributes are not included in
CoA-Request, the primary indicator is missing, the required service is not found, the
user session is not found, and the RADIUS server is not reliable).
The Flexi ISN implementation sends the Event-Timestamp attribute for security reasons
and the Error-Cause attribute with the value 404 (Invalid Request) in this message.

7.3 Usage of the old service list fetching attribute


The service list information can also be delivered in the Nokia vendor-specific attribute
Nokia-UserProfile (as defined below). If the Nokia-UserProfile attribute is
used in tandem with the Nokia-Service attributes (defined in Section User profile
fetching), the information in the Nokia-UserProfile attribute will be ignored.
Note: This attribute can only be used in the Access-Accept message.

Field Name       Length         Value
Type             1 octet        26 (Vendor-Specific)
Length           1 octet        8 + N octets of the Value length
Vendor-Id        4 octets       94 (Nokia)
Vendor-Type      1 octet        2 (Nokia-UserProfile)
Vendor-Length    1 octet        2 + N octets of the Value length
Value            N octets       Encoded as a string.
                                List of services and primary/prepaid flag (as defined
                                below).

The value is encoded as defined here:
• Services in the list are separated by a space character. One of the services will be
  marked with a '*' to be considered the primary service.
• The Service Aware profile from RADIUS may contain an indicator that the session
  is OCS prepaid. The indicator is a single dollar sign ('$'). It is placed in the list of
  active services as if it was an additional service.
• The order does not matter.
Below are some examples of possible values:
• $ isp_service *default_service news_service
• *corporate_access $ weather_service
• *wap_access $
If the prepaid indicator is present, it forces the session into OCS prepaid mode.


8 References
1. RADIUS Attributes. Cisco web documentation http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt6/scradatb.htm
2. 3GPP TS 29.060 GPRS Tunnelling Protocol (GTP) across the Gn and Gp interface (Release 6), V6.6.0, (2004-09)
3. 3GPP TS 29.061 Interworking between the Public Land Mobile Network (PLMN) supporting Packet Based Services and Packet Data Networks (PDN), V5.9.1 (2005-06)
4. 3GPP TS 32.015 Telecommunications management; Charging management; 3G call and event data for the Packet Switched (PS) domain, v3.12.0, 2003
5. RFC 2548 Microsoft Vendor-specific RADIUS Attributes, G. Zorn http://www.ietf.org/rfc/rfc2548.txt
6. RFC 2865 Remote Authentication Dial In User Service (RADIUS), C. Rigney et al. http://www.ietf.org/rfc/rfc2865.txt
7. RFC 2866 RADIUS Accounting, C. Rigney http://www.ietf.org/rfc/rfc2866.txt
8. RFC 2867 RADIUS Tunnel Accounting Support, G. Zorn et al. http://www.ietf.org/rfc/rfc2867.txt
9. RFC 2868 RADIUS Attributes for Tunnel Protocol Support, G. Zorn et al. http://www.ietf.org/rfc/rfc2868.txt
10. RFC 2869 RADIUS Extensions, C. Rigney et al. http://www.ietf.org/rfc/rfc2869.txt
11. RFC 2882 Network Access Servers Requirements: Extended RADIUS Practices, D. Mitton http://www.ietf.org/rfc/rfc2882.txt
12. RFC 3576 Dynamic Authorization Extensions to Remote Authentication Dial-In User Service (RADIUS), Murtaza S. Chiba et al. http://www.ietf.org/rfc/rfc3576.txt


9 Abbreviations
AAA Authentication, Authorization and Accounting
APN Access Point Name
ASCII American Standard Code for Information Interchange
CDR Charging Data Record
CE Capacity Extender
CHAP Challenge Handshake Authentication Protocol
CoA Change-of-Authorization
DC Dual-Chassis
DNS Domain Name Server
FIFO First In First Out
FQDN Fully Qualified Domain Name
G-CDR GGSN CDR
GGSN Gateway GPRS Support Node
GPRS General Packet Radio Service
GRE Generic Routing Encapsulation
GTP GPRS Tunnelling Protocol
HLR Home Location Register
ICD Intelligent Content Delivery
IE Information Element
IMEISV International Mobile Equipment Id and its Software Version
IMSI International Mobile Subscriber Identity
IP Internet Protocol
IP-IP IP in IP Tunnel Protocol
L2TP Layer 2 Tunnel Protocol
LAC Link Access Control
MCC Mobile Country Code
MD5 Message Digest Algorithm
MNC Mobile Network Code
MSISDN Mobile Station ISDN
NAS Network Access Server
OCS Online Charging System
OSC Online Service Controller
PAP Password Authentication Protocol
PCO Packet Configuration Options
PDP Packet Data Protocol
PLMN Public Land Mobile Network
PPP Point-to-Point Protocol


QoS Quality of Service


RADIUS Remote Authentication Dial-in User Service
RAI Routing Area Identity
RAT Radio Access Technology
RFC Request For Comment
RSA Rivest-Shamir-Adleman
SB Service Blade
SGSN Serving GPRS Support Node
SLIP Serial Line IP protocol
TA Traffic Analyzer
TREC Treatment Class
TRW Transmission Window
UDP User Data Protocol
UE User Equipment
