Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Overview of AAA on the Broadband Gateway

    The MobileNext Broadband Gateway supports a framework for providing authentication, authorization, and accounting (AAA) services to mobile subscribers. The broadband gateway provides authentication (verifying a subscriber’s username and password), authorization (receiving information about the types of services to deliver to the subscriber), and accounting (accumulating and providing statistics about services delivered to the subscriber) using groups of external RADIUS servers.

    Authentication

    The broadband gateway acts as a client to the RADIUS server when authenticating a mobile subscriber’s username and password. When the broadband gateway receives a Create PDP Context Request or Create Session Request message from a mobile subscriber, it gets the subscriber's authentication information from the message, then sends an Access-Request message to the RADIUS server. The Access-Request message contains attributes such as the subscriber username, password, the ID of the client, and the port ID that the subscriber is accessing.

    Once the RADIUS server receives the Access-Request message, it validates the sending client (the broadband gateway) using a shared secret. After the sending client is validated, the RADIUS server looks up the subscriber in its database. A list of requirements must be met to allow access for the subscriber. If any requirement is not met, the RADIUS server sends an Access-Reject message back to the broadband gateway, indicating that the subscriber’s access request is invalid.

    If the requirements are met, a list of configuration values for the subscriber is placed into an Access-Accept message response. These values include the types of services for which the subscriber is authorized, as well as all necessary values to deliver the services.

    To determine a subscriber’s username, the broadband gateway looks at the Protocol Configuration Options (PCO) received in the Create PDP Context Request or Create Session Request message. If the subscriber’s username is included in the PCO, then that is used for authentication. If the subscriber’s username cannot be determined from the PCO, then the option specified for the user-name parameter in the anonymous-user statement of the access point name (APN) configuration is used instead. This can be an actual username, the APN name, the subscriber’s International Mobile Subscriber Identity (IMSI), or the subscriber's Mobile Station Integrated Services Digital Network (MSISDN) number.

    To determine the subscriber’s password, the broadband gateway does the following:

    • For the Password Authentication Protocol (PAP), the broadband gateway looks for the password in the PCO of the Create PDP Context Request or Create Session Request message. If the password cannot be determined from the PCO, the password specified for the password setting in the anonymous-user statement is used instead.
    • For the Challenge Handshake Authentication Protocol (CHAP), TLVs for the CHAP challenge and CHAP password (concatenation of CHAP ID and CHAP password) both arrive in the PCO. The broadband gateway includes these TLVs in the Access-Request message sent to the RADIUS server.

    If the RADIUS server responds with an Access-Challenge or Access-Reject message, or if no response is received from the RADIUS server, the broadband gateway does not create a session for the subscriber.

    Accounting

    A PDP context configured to use RADIUS accounting causes the broadband gateway to generate an Accounting Start message at the start of service delivery. The broadband gateway sends that message to the RADIUS accounting server, which sends back an acknowledgement that the message has been received. The Accounting Start message contains RADIUS attributes describing the type of service being delivered and the subscriber to which it is being delivered. Subscriber passwords are not carried in accounting messages.

    At the end of service delivery, the broadband gateway generates an Accounting Stop message describing the type of service that was delivered and statistics such as elapsed time, input/output octets, and input/output packets. It sends that message to the RADIUS accounting server, which sends back an acknowledgement that the message has been received.

    During the life of a user session, some information related to the session may change. Upon reception of an Update PDP Context Request message from the Serving GPRS Support Node (SGSN), or upon reception of a Modify Bearer Request or Update Bearer Response from the Serving Gateway (S-GW), the broadband gateway sends an Accounting Request Interim-Update message to the RADIUS server to update information related to this PDP context. You can configure how often Interim-Update messages are sent, and specify which events do or do not trigger them.

    APN-Specific AAA Settings

    AAA services are provided on a per-APN basis. Mobile subscribers gaining access to a given APN receive AAA services as indicated in a defined AAA profile. The AAA profile specifies which sets of RADIUS servers are used for authentication and accounting, how the broadband gateway handles attributes in RADIUS messages it sends and receives, as well as other parameters. You specify the name of the AAA profile to use as part of APN services configuration.

    In the APN services configuration, you can also configure the broadband gateway to allow the RADIUS server to assign addresses to mobile subscribers, override the locally or DHCP-assigned address with a RADIUS-assigned address, or wait for the accounting response from the RADIUS server before sending the Create Session Response or Create PDP Context Response message to the S-GW or SGSN.

    RADIUS-Initiated Dynamic Requests

    You can specify RADIUS servers that can initiate dynamic requests to the broadband gateway. Dynamic requests include change of authorization (CoA) requests, which specify attribute modifications and service changes, and Disconnect requests, which terminate subscriber sessions.

    Support for RADIUS Attributes, Juniper Networks VSAs, and 3GPP VSAs

    The AAA framework on the broadband gateway supports RADIUS attributes and VSAs from Juniper Networks and the 3GPP. The tables in Supported Attributes in Access-Request Messages and Supported Attributes in Access-Accept Messages describe how the broadband gateway processes these attributes and VSAs.

    Published: 2011-11-23