Gx-Plus for Provisioning Subscribers

 

Gx-Plus for Provisioning Subscribers Overview

Gx-Plus is a Diameter-based application that extends the capability of the Gx interface. The 3rd Generation Partnership Project (3GPP) defined Gx as the online policy interface between the Policy Control and Charging Rules Function (PCRF) and the Policy and Charging Enforcement Function (PCEF), to provide control over policy and flow-based charges for subscribers. The PCRF is a centralized policy decision point that deploys business policy rules to allocate broadband network resources and manages flow-based charges for subscribers and services. The router functions as the PCEF in this environment.

Gx-Plus provides provisioning, activation, and deactivation of services; threshold triggers for service statistics processing; service accounting; subscriber session termination; fault recovery; and event (subscriber login and logout) notifications. The terminology typically used for PCRFs varies slightly from standard Junos OS terminology. The terms listed in Table 1 are interchangeable.

Table 1: Differences Between Gx-Plus and Junos OS Terminology

Gx-Plus

Junos OS

policy

service

rule

service

rule install or installation

service activation or instantiation

rule uninstall

service deactivation

usage monitoring

service accounting

Gx-Plus enables the router acting as a PCEF to exchange Diameter Credit-Control Application (DCCA) messages with a PCRF residing on a server to request credit authorization and service provisioning for authenticated subscribers. When an application requests AAA to activate a subscriber’s session, the router sends a Credit-Control-Request (CCR) message to determine whether the subscriber has credit for the desired services and to request provisioning of those services from the PCRF policy manager.

The PCRF responds with a Credit-Control-Answer (CCA) message that indicates success or failure for credit authorization. If the subscriber has sufficient credit for the requested services, credit is authorized. If the subscriber has insufficient credit for the services, credit authorization fails.

The CCA can include services to be activated for the subscriber. If the response times out, the subscriber is logged in but only default services—if present—are activated for the subscriber. The router interprets the omission of the Result-Code AVP from the CCA as a provisioning authorization failure and does not allow the subscriber to log in.

When a subscriber client application, such as DHCP, sends a subscriber logout notice to AAA, the router in turn sends a CCR message to the PCRF to request subscriber termination. The PCRF acknowledges the logout with a CCA message.

Different Diameter message types exchanged by the router and the PCRF contain different sets of attribute-value pairs (AVPs). If data for an AVP is not available for a request to the PCRF, that AVP is omitted from the message. If the PCRF subsequently has insufficient information to decide on the request, it may deny the request.

Gx-Plus establishes sessions that correspond to IPv4 DHCP sessions on dual-stack IPv6/IPv4 or IPv4-only subscriber interfaces, depending on the access profile. By default, IPv6 information is not communicated to the PCRF. You must explicitly configure Gx-Plus to include IPv6 information. When you do so, Gx-Plus can establish sessions that correspond to DHCPv6 sessions on IPv6-enabled subscriber interfaces and on dual-stack IPv6/IPv4-enabled interfaces.

For dual-stack DHCP subscribers (DHCPv4 and DHCPv6 on the same VLAN), each DHCP session is treated as a separate Gx-Plus session. However, only a single Gx-Plus session exists for dual-stack PPP sessions.

Gx-Plus includes the following fault tolerance and recovery capabilities:

  • Unlimited retries of unacknowledged provisioning requests

  • Unlimited retries of logout requests

  • Router event notification

  • Router discovery

Note

More than one Diameter-based application (function), such as Gx-Plus or JSRC, can run on a router simultaneously.

Benefits of Gx-Plus

  • Extends the 3GPP Gx interface to provide provisioning, activation, and deactivation of services; threshold triggers for service statistics processing; service accounting; subscriber session termination; fault recovery; and event (subscriber login and logout) notifications.

Understanding Gx-Plus Interactions Between the Router and the PCRF

This topic describes the sequences of Diameter messages exchanged by means of Gx-Plus between the Policy Control and Rules Charging Function (PCRF) and the router acting as a Policy and Charging Enforcement Function (PCEF) as they interact to perform the following tasks for subscriber access:

  • Subscriber login

  • Fault tolerance and event notification

  • Subscriber usage thresholds and monitoring

  • Subscriber audit

  • Subscriber logout

Subscriber Login

Gx-Plus provisioning is enabled for subscribers when you include the provisioning-order gx-plus statement at the [edit access profile profile-name] hierarchy level. When an application requests AAA to activate the subscriber's session, the router sends a CCR-I message to the PCRF to request provisioning for the subscriber session. The CCR-I message must include the Juniper-Virtual-Router, Framed-IP-Address, and NAS-Port-ID AVPs. The request is not generated when no IPv4 address has been assigned to the subscriber, when IPv6 is enabled and an IPv6 address has been assigned, or when the NAS-Port-ID is unknown. Starting in Junos OS Release 17.4R1, the CCR-I message includes the Subscription-Id AVP (AVP code 443) with the Subscription-Id-Type AVP set to 4 and Subscription-Id-Data AVP set to reserved.

The PCRF returns a CCA-I message that includes the Result-Code AVP (AVP code 268). The router considers a CCA-I that does not include the Result-Code AVP as a failed response. The CCA-I can return the Charging-Rule-Install AVP (AVP code 1001), which identifies services to be activated.

If the Result-Code value is DIAMETER_SUCCESS (2001), the router communicates to AAA that the requested service is activated. If the Result-Code value is DIAMETER_AUTHORIZATION_REJECTED, the router communicates to AAA that the service activation is not permitted. If the Result-Code AVP has any other value, or is missing, the request is retried. A total of three CCR-I messages can be sent.

If the PCRF does not indicate success or failure, then by default the router continues to send requests, but the retry requests are CCR-N messages (no-response notifications) that include the Juniper-Provisioning-Source AVP (AVP code 2101). This AVP indicates that the router has local decision-making authority to provision services in the absence of a PCRF response to the CCR-I. This AVP is not present in the CCR-I message.

A subscriber login initiates the following sequence of events:

  1. A client application—such as DHCP, PPP, or static subscriber sessions—requests AAA to authenticate the subscriber.

  2. Authentication begins if the subscriber access profile specifies RADIUS authentication. Login continues when the authentication is successful. Login fails when the authentication-order statement in the profile does not specify RADIUS authentication or no authentication. Login also fails when authentication fails.

  3. Default services are activated for the subscriber. Any services that the authentication server includes in the authentication grant are activated. Additionally, a default service may have been configured for the client application.

  4. If the subscriber access profile specifies Gx-Plus provisioning, the router initiates the Gx-Plus message exchange by sending a CCR-I message to the PCRF. The router waits for the PCRF to respond with a CCA-I message within a non-configurable timeout period.

    When the PCRF responds within the timeout period and includes the Charging-Rule-Install AVP in the CCA-I message, subscriber login is delayed while the router deactivates any default services and attempts to activate the specified services.

    • If all the specified services are activated, then the login completes.

    • If any of the services cannot be activated, the router sends the PCRF a CCR-U message with the status of the services (a rule report). The PCRF responds to this message with a CCA-U that can contain a new set of services for activation.

    • The router ignores any default services, even If the CCA-I message does not include any services. In this circumstance, no services are activated.

    If the PCRF does not return a CCA-I within the timeout period, subscriber login completes.

    • The router searches first for services returned from the authentication server and activates any it finds. If no such services are found, then the router activates any locally configured default services. Subscriber login completes when default service activation is successful, but fails when any default service fails to activate. Because default services are not required to be present, login also completes when no default services are found.

    • If login completes (with or without a default service), the router periodically resends the CCR-I message to the PCRF. If the PCRF subsequently returns a CCA-I, the router deactivates the default service, if any, and then activates any services included in the CCA-I. If the message does not include any services, then no service is activated, not even a default service.

    • If any of the services contained in the CCA-I cannot be activated, the router sends the PCRF a CCR-U message with the status of the services (a rule report). The PCRF responds to this message with a CCA-U that can contain a new set of services for activation.

  5. The router begins to monitor session accounting statistics if the CCA-I message includes any threshold triggers for usage monitoring. The Usage-Monitoring-Information AVP (AVP code 1067) contains the threshold triggers in the Granted-Service-Unit AVP (AVP code 431). The triggers are the values granted by the PCRF for the following statistics: duration of the session, input octets count, output octets count, and total octets count.

    1. If the service statistics meet or exceed any of these trigger thresholds during the session, the router sends a CCR-U message to the PCRF with accounting information in the Usage-Monitoring-Information AVP (AVP code 1067). The AVP now contains the Used-Service-Unit AVP (AVP code 446) to report the current values for all four statistics.

    2. In response, the PCRF may return a CCA-U message with the Usage-Monitoring-Information AVP, which can include any of the following: the Granted-Service-Unit AVP with new threshold triggers (absolute values rather than increments to the previous thresholds), the Charging-Rule-Install AVP (AVP code 1001) for service activations, or the Charging-Rule-Remove AVP (AVP code 1002) for service deactivations.

      Note

      The router does not aggregate statistics across services.

  6. When the subscriber logs out, the router sends a CCR-T message (termination notice) to the PCRF, which responds with a CCA-T message.

Fault Tolerance and Event Notification

Although the probability is low, the PCRF and the router can have different values for the number of subscribers. This error can arise from the following scenarios:

  • CCA-I loss: if no CCA-I is delivered to the router, then the PCRF considers a subscriber as provisioned whereas the router considers it not provisioned.

  • CCR-T loss: if no CCR-T is delivered to the PCRF, then the PCRF considers a subscriber to be provisioned whereas the router considers the subscriber not provisioned (logged out).

Loss of messages can be greater during cold boots and high availability events. Unacknowledged CCR-I and CCR-T requests are retransmitted forever until a satisfactory response is received to reduce the incidence of failure, and significant events are reported to Gx-Plus. By default, the number of outstanding requests is limited to 40 to avoid overloading the PCRF. This limit reduces the possibility of losing requests. You can modify this number by including the max-outstanding-requests statement at the [edit access-gx-plus global] hierarchy level.

Gx-Plus does not rely on the connection state between devices to detect router or PCRF outages, because some events do not affect the connection state and others are not detected when there is a Diameter relay or proxy between the devices. Event notifications (JSER messages) are sent when certain events take place on the router. The Juniper-Event-Type AVP (AVP code 2103) in the message describes the event.

Event notifications are retried until Gx-Plus returns a JSEA message with a Result-Code value of DIAMETER_SUCCESS (2001) to acknowledge receipt of the event notification. When retrying notifications, one notification is sent for each outstanding event. No other request are sent as long as there is any outstanding event other than an application watch dog (AWD).

Table 2 lists router events and the subsequent router and PCRF actions.

Table 2: Router Events, Router Actions, and PCRF Actions

Router Event

Router Action

PCRF Action

The router receives no response from the PCRF or an error response.

Send event notification.

Respond to event notification.

The configuration changes.

Significant changes such as the origin host or realm and the Gx-Plus partition destination host or realm also increment the value of the Origin-State-Id AVP.

Send event notification.

Respond to event notification and perform discovery.

The router receives an explicit discovery request from the PCRF.

Send event notification.

Respond to event notification.

The router undergoes a cold boot and all sessions are lost. This can result from a catastrophic failure or power cycle.

Send event notification.

Respond to event notification and clear the database.

The router undergoes a warm boot.

Send event notification.

Respond to event notification and clear the database.

Recovery resources that are needed to continuously retry unacknowledged requests (CCR-N and CCR-T messages) are exhausted. The value of the Origin-State-Id AVP is incremented.

This event is unlikely to occur.

Send event notification.

Respond to event notification and perform discovery.

An important aspect of Gx-Plus fault tolerance is that subscriber login and termination requests are retried (replayed) forever until a satisfactory response is received from the PCRF. In rare circumstances, this can result in a stack of pending requests being replayed over and over.

You can issue the clear network-access gx-plus replay command to clear all pending requests. This command causes Gx-Plus to send a JSER message to PCRF that includes the Juniper-Event-Type AVP (AVP code 2103) with a value of 3 indicating a discovery request. The PCRF then returns a JDER message to initiate discovery of all subscribers. When this discovery completes, all pending subscriber requests are cleared.

PCRF-Generated Discovery

The PCRF runs a discovery process in response to data loss, exhaustion of router resources, operator request, or router request. The JSDR message specifies the level of verbosity desired in the reply from Gx-Plus. The message also specifies whether the request is for data about a particular session or information similar to an SNMP Get-Bulk for all sessions. Gx-Plus returns a JSDA message that indicates complete success, limited success, or an error. In the event of success, the requested data is also returned.

Subscriber Accounting

When the PCRF returns a CCA-I message to the router, the message may contain thresholds for any of several usage statistics for a subscriber session or service session: Duration, input data, output data, or total data for the session. Upon receipt of a threshold, the router begins monitoring the subscriber’s service session activity for that statistic. When the usage statistic reaches the threshold, it triggers the router to send a Gx-Plus usage notification message (CCR-U) to the PCRF. In response, the PCRF may send a CCA-U message to specify a new threshold, activate new services, or deactivate current services.

The PCRF can also send a CCR-U message that explicitly requests usage monitoring for statistics at different levels. The router can monitor usage at the subscriber level or at the service level. The Granted-Service-Unit AVP in the message specifies one or more of the following the statistics:

  • CC-Input-Octets

  • CC-Output-Octets

  • CC-Total-Octets

  • CC-Time

If any other statistics are specified, the router sends the PCRF a CCA message indicating that incorrect statistics were requested. When the specified threshold for a monitored statistic is reached, the router sends a CCR-U that contains the usage report for the statistics. In response, the PCRF sends another CCA-R with new thresholds or a request to activate or deactivate services.

Subscriber Usage Thresholds

Gx-Plus threshold monitoring enables the tracking of session statistics including the duration of session and the number of input bytes, output bytes, and total bytes allowed (granted) and used. Threshold monitoring involves the use of numerous AVPs.

  • Rule-Install AVP—a grouped AVP that can consist of the following two AVPs:

    • Rule-Install-Name AVP—The name of the dynamic-profile to activate, corresponding to a service.

    • Monitoring-Key AVP—(Optional) The name of the monitoring definition, which is part of the CCR/RAR messages, and indicates that Gx-Plus thresholds are enabled. The Monitoring-Key AVP must be unique within the context of the subscriber, but more than one of these keys can be included in the Rule-Install AVP, one per subscriber. For every Monitoring-Key AVP referenced in the Rule-Install AVP, there must be a corresponding Monitoring AVP.

  • Monitoring AVP—The monitoring definition, consisting of the Monitoring-Key AVP and either the Granted-Service-Unit AVP or the Used-Service-Unit AVP:

    • • Monitoring-Key AVP—The name of the monitoring definition.

    • Granted-Service-Unit AVP—A grouped AVP that includes the following session threshold values:

      • Duration AVP—Period of time in seconds allotted to the subscriber before having to ask for an extension.

      • Input-Bytes AVP—Number of input bytes allotted to the subscriber before having to ask for an extension. A value of zero indicates the threshold is turned off.

      • Output-Bytes AVP—Number of output bytes allotted to the subscriber before having to ask for an extension. A value of zero indicates the threshold is turned off.

      • Total-Bytes AVP—Number of input and output bytes in total allotted to the subscriber before having to ask for an extension.

      The Granted-Service-Unit threshold values are somewhat analogous to a lease. In this case, if no threshold values are supplied, then the granted values or “lease” is effectively infinite. The absence of thresholds means no limits are placed on the values.

    • Used-Service-Unit AVP—A grouped AVP that includes the following session threshold values, which are analogous to a kind of lease:

      • Duration AVP—Period of time in seconds that the service has been used.

      • Input-Bytes AVP—Number of input bytes used by the subscriber in this session.

      • Output-Bytes AVP—Number of output bytes used by the subscriber in this session.

      • Total-Bytes AVP—Number of input and output bytes in total used by the subscriber in this session.

No thresholds are enabled if the router acting as a PCEF receives a CCA or RAR message that contains one or more Rule-Install-AVPs, but no Monitoring-Key AVPs.

Consider the following example. The PCEF receives the listed AVPs in a CCA-I message. When the PCEF activates the svc-21-g service, the set of monitored thresholds, thresh-459 becomes active for the service. The instantiated service is granted 600 seconds, 1 billion input bytes, 1 billion output bytes, and a total of 2 billion bytes combined.

  • Rule-Install AVP

    • Rule-Install-Name AVP = svc-21-g

    • Monitoring-Key AVP = thresh-459

  • Monitoring AVP

    • Monitoring-Key AVP = thresh-459

    • Granted-Service-Unit AVP

      • Duration AVP = 600s

      • Input-Bytes AVP = 1,000,000,000

      • Output-Bytes AVP = 1,000,000,000

      • Total-Bytes AVP = 2,000,000,000

If the CCA-I includes the following AVPs and values, everything is the same as above except that no limits are placed on either input bytes or output bytes, just a limit on the total number of bytes. Omitting the Input-Bytes and Output-Bytes AVPs from the Granted-Service-Unit AVP has the same effect.

  • Rule-Install AVP

    • Rule-Install-Name AVP = svc-21-g

    • Monitoring-Key AVP = thresh-459

  • Monitoring AVP

    • Monitoring-Key AVP = thresh-459

    • Granted-Service-Unit AVP

      • Duration AVP = 600s

      • Input-Bytes AVP = 0

      • Output-Bytes AVP = 0

      • Total-Bytes AVP = 2,000,000,000

It does not matter which threshold is met first; the PCEF behaves the same.

  1. It disables the complete set of monitored thresholds for the service. In the examples above, thresh-459 is disabled for service svc-21-g.

  2. Authd sends a threshold report (CCR-U) to the PCRF that includes the Monitoring AVP with the current values for the thresholds; these make up the Used-Service-Unit AVP:

    • Monitoring AVP

      • Monitoring-Key AVP = thresh-459

      • Used-Service-Unit AVP

        • Duration AVP = 600s

        • Input-Bytes AVP = 22,110,000

        • Output-Bytes AVP = 21,161,004

        • Total-Bytes AVP = 43,271,004

  3. authd expects the PCRF to respond to the CCR-U with the Monitoring AVP, supplying new values for the thresholds. To use the lease analogy, the reply should extend the “lease” for the session; for example:.

    • Monitoring AVP

      • Monitoring-Key AVP = thresh-459

      • Granted-Service-Unit AVP

        • Duration AVP = 3600s

        • Input-Bytes AVP = 1,500,000,000

        • Output-Bytes AVP = 2,000,000,000

        • Total-Bytes AVP = 3,500,000,000

If the new Duration AVP supplied by the PCRF is low, it could result in a tight cycle of threshold hits, reports, and updates. Consequently the PCEF ensures that the threshold is of a reasonable duration by adding the new value from the PCRF to the current reported value; this becomes the new duration grant. Using the example above, the (current value + new value) = 600 + 3600 = 4200 seconds.

What happens if the PCRF fails to respond to the CCR-U? Rather than leave the thresholds disabled, the PCEF supplies the Monitoring AVP with a single new value, the duration:

  • Monitoring AVP

    • Monitoring-Key AVP = thresh-459

    • Granted-Service-Unit AVP

      • Duration AVP = current value + minimum-duration

The router has default minimum values for all the threshold AVPs:

  • Input-Bytes minimum - 1,000,000

  • Output-Bytes minimum - 1,000,000

  • Total-Bytes minimum - 1,000,000

  • Duration minimum - 600

Using the example of 600 seconds for the current duration value, if the PCRF does not respond to the CCR-U, the new duration value becomes 600 + 600 = 1200 seconds. There are no thresholds for the byte counts. When the new duration threshold is met, the PCEF generates another CCR-U threshold report for the PCRF.

Subscriber Audit

The PCRF can send a reauthorization request (RAR message) to Gx-Plus at any time to determine whether a particular subscriber is still logged in. You can also manually trigger the PCRF to do so by issuing the clear network-access aaa gx-plus replay command.

The Session-Id AVP identifies the subscriber session. Gx-Plus returns an RAA message to provide status on the subscriber session. When the session is still up (found in the session database) the Result-Code AVP value in the RAA message is DIAMETER_SUCCESS (2001). When the session is not found, the Result-Code value is DIAMETER_UNKNOWN_SESSION_ID (5002). A Result-Code value of DIAMETER_UNABLE_TO_DELIVER (3002) indicates that Gx-Plus is not configured.

Starting in Junos OS Release 17.4R1, the router updates monitored statistics when they are received in the RAR from the PCRF. When Gx-Plus sends an RAA message after receiving an RAR message requesting service activation or deactivation, it also sends a CCR-U message to the PCRF with updated statistics.

Subscriber Logout

When the client application sends a subscriber logout notice to AAA, Gx-Plus sends a CCR-T message to notify the PCRF that the provisioned subscriber session is being terminated. The PCRF returns a CCA-T message that includes the Result-Code AVP. If the Result-Code value is DIAMETER_SUCCESS, Gx-Plus notifies AAA, and AAA notifies the application that the logout is complete. If Gx-Plus does not receive a CCA-T message, or if the Result-Code AVP has any other value or is missing, then the termination request is retried until the CCA-T message is returned with DIAMETER_SUCCESS.

Configuring Gx-Plus

You can configure the Gx-Plus client application to work with a PCRF policy manager residing on a server. The PCRF is a centralized policy decision point that deploys business rules to allocate broadband network resources and manage subscribers and services. AAA on the router (acting as the PCEF) uses Gx-Plus to request service provisioning from the PCRF.

Note

Contact the Juniper Networks Technical Assistance Center (JTAC) for information on supported PCRFs.

To configure Gx-Plus:

  1. Configure the Gx-Plus partition.

    See Configuring the Gx-Plus Partition.

  2. Configure Gx-Plus global attributes: the number of outstanding requests permitted and the inclusion of IPv6 subscribers.

    See Configuring Gx-Plus Global Attributes.

  3. Configure Gx-Plus provisioning for subscribers.

    See Provisioning Subscribers with Gx-Plus.

  4. (Optional) Override PCRF control of a subscriber session to correct services or troubleshoot a problem.

    See Disabling PCRF Control of a Subscriber Session.

  5. (Optional) Configure Gx-Plus event tracing as part of general authentication service tracing operations.

    See Tracing General Authentication Service Processes.

Configuring the Gx-Plus Partition

Gx-Plus works within a specific logical system:routing instance context, called a partition.

Note

Currently, only a single partition is supported; you must configure it within the default logical system:routing instance context.

Before you configure the Gx-Plus partition, perform the following task:

Configuration for the Gx-Plus partition consists of naming the partition and then associating a Diameter instance, the PCRF hostname, and the PCRF realm with the partition.

To configure the Gx-Plus partition:

  1. Create the partition or specify the name of an existing partition.
  2. Specify the Diameter instance for the Gx-Plus partition.Note

    Currently, only the default Diameter instance, master, is supported.

  3. (Optional) Configure the destination host for the Gx-Plus partition.
  4. Configure the destination realm for the Gx-Plus partition.

The following example shows a Gx-Plus partition configuration.

Configuring Gx-Plus Global Attributes

You can configure attributes that apply to all Gx-Plus partitions globally.

When a request from Gx-Plus to the PCRF is not answered or is improperly answered, Gx-Plus keeps retrying the request until it receives an appropriate answer. If the number of requests grows too large, the PCRF can become overloaded and messages can be lost. To reduce this risk, you can set a limit on the number of outstanding requests to the PCRF that Gx-Plus can retry.

By default, Gx-Plus does not include IPv6 subscribers in Gx-Plus provisioning requests to the PCRF. Instead, Gx-Plus only establishes sessions that correspond to IPv4 DHCP sessions on dual-stack IPv6/IPv4 or IPv4-only subscriber interfaces. You must explicitly configure Gx-Plus to include IPv6 information. When you do so, Gx-Plus can establish sessions that correspond to DHCPv6 sessions on IPv6-enabled subscriber interfaces and on dual-stack IPv6/IPv4-enabled interfaces.

To configure Gx-Plus global attributes:

  1. (Optional) Set a limit on the number of outstanding requests.
  2. (Optional) Include IPv6 subscribers in provisioning requests.

For example to limit the number of outstanding requests to 30 and to include IPv6 subscribers:

Provisioning Subscribers with Gx-Plus

You can configure AAA to use Gx-Plus to request provisioning from a PCRF to instantiate services for an authenticated subscriber.

Before you configure Gx-Plus provisioning for subscribers, perform the following task:

  • Create the subscriber access profile at the [edit access profile] hierarchy level.

To configure Gx-Plus provisioning:

  • Specify gx-plus as the provisioning method in the profile.

Disabling PCRF Control of a Subscriber Session

When a subscriber has been provisioned with Gx-Plus, services for that subscriber can be activated and deactivated only by the PCRF. Accordingly, AAA rejects any RADIUS CoA requests for subscribers provisioned by Gx-Plus. Similarly, CLI-based service activation and deactivation do not work while a subscriber is remotely provisioned.

Network administrators without PCRF access or authority may need to override PCRF control on a particular subscriber session to troubleshoot the session or correct the subscriber services. You can disable PCRF control by issuing the request network-access aaa subscriber set session-id command. In response, the router sends a termination notice to the PCRF, but does not actually log out the subscriber.

When you have confirmed that provisioning is disabled, you can then activate or deactivate subscriber services for that session with the request network-access aaa subscriber add session-id and request network-access aaa subscriber delete session-id commands, respectively. These commands fail if provisioning is still enabled.

Another consequence of disabling provisioning for a subscriber session is that RADIUS change of authorization (CoA) messages can modify the session.

Before you begin, determine or verify the ID for the session by displaying the session IDs of all current subscribers with the show subscribers detail or show network-access aaa subscribers command.

To disable control by the PCRF over a subscriber session:

  1. Disable provisioning for the specified subscriber session ID.
  2. (Optional) Verify that provisioning is disabled for the session.

For example, to disable provisioning for subscriber larry:

user@host> show network-access aaa subscribers
user@host> request network-access aaa subscriber set session-id 55 provisioning-state none


user@host> show network-access aaa subscribers session-id 55 detail
Release History Table
Release
Description
Starting in Junos OS Release 17.4R1, the CCR-I message includes the Subscription-Id AVP (AVP code 443) with the Subscription-Id-Type AVP set to 4 and Subscription-Id-Data AVP set to reserved.
Starting in Junos OS Release 17.4R1, the router updates monitored statistics when they are received in the RAR from the PCRF. When Gx-Plus sends an RAA message after receiving an RAR message requesting service activation or deactivation, it also sends a CCR-U message to the PCRF with updated statistics.