    RADIUS Authentication/Authorization and Accounting Data Flow

    Following is an overview of the SIC authentication, dynamic authorization, and accounting data flow processes. Figure 1 depicts the various functions involved in these processes.

    Figure 1: Data Flow


    The SIC internal functions include:

    • Authentication route manager—The authentication route manager distributes RADIUS access requests to a downstream AAA RADIUS server (authentication target) based on the configured authentication routes. The SIC does not authenticate requests by itself. It proxies access requests to a downstream AAA RADIUS server. You can have multiple downstream AAA RADIUS servers in different realms. The SIC needs to send the access request to the correct RADIUS server based on the configured authentication routes, which are usually based on realm information.
    • Accounting route manager—The accounting route manager distributes accounting requests to accounting targets, which could be either a downstream AAA RADIUS server or the SSR, based on configured accounting routes. Similar to RADIUS authentication, there may be multiple RADIUS accounting servers in different realms. The SIC needs to forward accounting requests to the correct RADIUS server based on the configured accounting routes. The SSR is just another accounting target to which the accounting route manager can direct accounting requests.
    • SRC route manager—Because accounting requests may be destined for either the COA path or the SSR path, the SIC needs a route manager to distribute accounting traffic between the two paths based on routing information. The route manager receives this routing information from the SRC Diameter server after the Diameter connection with the SIC is established. The routing information is configured in the SRC CLI under [shared network nas-group name routes]. When the SIC receives a RADIUS access or accounting request, the request is sent to the SRC route manager, which matches the request against each route received from the SRC Diameter servers. If a route matches, the request is sent to the COA path. If the request is an access request and no route matches, the SIC still sends the request to the downstream AAA servers, but the access response from the AAA servers is returned to the NAS. If the request is an accounting request and no route matches, the request is distributed to the SSR path.

    COA Authentication Data Flow

    The SIC needs to be in the RADIUS authentication path to insert the RADIUS class attribute in the Access-Accept response. The class attribute contains the encoded Diameter session ID as well as other information. The Diameter session ID is used to correlate service accounting requests to the SAE user session.

    The numbers in the following procedure correlate to the numbers in Figure 1.

    • 1.1 A RADIUS access request is received by the SIC.
    • 1.2 The SRC route manager locates the responsible SRC Diameter server by using the routes configured under [shared network nas-group name routes]. Regardless of whether the SRC route manager finds a matching route, the SIC always sends the authentication request to a downstream AAA RADIUS server. The request is sent to the SIC authentication route manager to find the correct downstream AAA RADIUS server responsible for the request.
    • 1.3 The authentication route manager locates the downstream AAA RADIUS server by using configured authentication routes and sends the request to the RADIUS server for authentication.
    • 1.4 The SIC receives the authentication response from the downstream AAA RADIUS server. If no matching route is found in step 1.2 or the response is Access-Reject, the SIC sends the response to the NAS.
    • 1.5 If an Access-Accept message is received from the downstream RADIUS server, the SIC sends an AA-Request (AAR) to the SRC Diameter server (through the SIC Diameter server), which owns the route matching the request.
    • 1.6 The SRC Diameter server forwards the AAR to the SAE by using CORBA.
    • 1.7 The SAE creates the user session based on the AAR, activates activate-on-login (AOL) services for the user session, and returns an AA-Answer (AAA) to the SRC Diameter server. The AAA message contains the service template name and arguments for the AOL services.
    • 1.8 The SRC Diameter server sends the AA-Answer message to the SIC in a Diameter message.
    • 1.9 The SIC Diameter server translates the service activation requests in the Diameter AA-Answer message to RADIUS attributes based on the configured device model. The SIC sends an Access-Accept RADIUS response to the NAS with the class attribute that contains the encoded Diameter session ID. Depending on the configuration, there may be multiple rounds between the SIC and the SAE to exchange service activation information before the SIC sends the Access-Accept response to the NAS.

    COA Accounting Data Flow

    After a subscriber is authenticated, the NAS sends an Accounting-Request (ACR) message for the user session and for every service that is activated. The accounting requests must contain the class attribute returned with the Access-Accept response.

    The numbers in the following procedure correlate to the numbers in Figure 1.

    • 2.1 The SIC receives an ACR message from the NAS.
    • 2.2 The SRC route manager locates the responsible SRC Diameter server by using the routes configured under [shared network nas-group name routes]. When the SRC route manager locates a match, it sends the request as an ACR message to the SRC Diameter server (through the SIC Diameter server) corresponding to the route. If the SRC route manager does not find a match, the request is sent to the SSR path (see SIC Accounting Data Flow (Accounting Target=Proxy)).
    • 2.3 The SRC Diameter server forwards the ACR message to the SAE by using CORBA.
    • 2.4 The SAE updates the user session with accounting information in the ACR message and sends an Accounting-Answer (ACA) message to the SRC Diameter server.
    • 2.5 The SRC Diameter server forwards the ACA message to the SIC Diameter server.
    • 2.6 After receiving the ACA message, the SIC needs to send the accounting request to the responsible downstream AAA RADIUS server. The SIC looks up the RADIUS server in the accounting route manager based on the configured accounting routes. The accounting route manager forwards the request to the downstream AAA RADIUS server. If accounting routes are not properly configured, the accounting route manager can forward the accounting request to the SSR, which is typically not desirable.
    • 2.7 The downstream AAA RADIUS server sends an accounting response to the SIC.
    • 2.8 The SIC sends the accounting response to the NAS.

    SIC Accounting Data Flow (Accounting Target=Proxy)

    • 3.1 The SIC receives an accounting request from the NAS.
    • 3.2 The SRC route manager cannot locate a match (either because no SRC Diameter server is connected or because the connected SRC Diameter servers do not have any route matching the request), so it sends the accounting request to the accounting route manager.
    • 3.3 The accounting route manager sends the request to a downstream AAA RADIUS server, which can be another SIC.

    Note: If SRC routes configured under [shared network nas-group name routes] for the SRC nas-group, and the SIC accounting routes are configured properly, the SIC can process accounting requests by using either a downstream AAA server.
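The following is an added example, not code from the SRC product or its documentation. It parses a RADIUS packet (RFC 2865 wire format), models the SRC route manager decision described in the three data flows above, and flags an accounting request on the COA path that lacks the class attribute needed to correlate it with the SAE user session. Assumptions: routes are matched on the User-Name realm, `src_realms` stands in for the routes received from the SRC Diameter servers, and the returned path labels are hypothetical names.

```python
import struct

# RADIUS packet codes and attribute types (RFC 2865 / RFC 2866)
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
ATTR_USER_NAME, ATTR_CLASS = 1, 25

def parse_radius(packet: bytes):
    """Return (code, {attr_type: [values]}) for one packet; raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs

def sic_path(packet: bytes, src_realms: set):
    """Model the SRC route manager decision (realm matching is an assumption)."""
    code, attrs = parse_radius(packet)
    user = attrs.get(ATTR_USER_NAME, [b""])[0].decode("utf-8", "replace")
    realm = user.rpartition("@")[2] if "@" in user else ""
    matched = realm in src_realms
    if code == ACCESS_REQUEST:
        # Always proxied to a downstream AAA server; the SAE is involved
        # only when an SRC route matches (steps 1.2 to 1.5).
        return "aaa+coa" if matched else "aaa-only"
    if code == ACCOUNTING_REQUEST:
        if not matched:
            return "ssr-path"  # steps 3.1 to 3.3
        # COA path: the class attribute carries the encoded Diameter session ID.
        return "coa" if attrs.get(ATTR_CLASS) else "coa-missing-class"
    return "unhandled"

def build(code, attrs):
    """Build a sample packet (constructed test data, zeroed authenticator)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body
```

The class value is treated as opaque bytes because its encoding is not described here; the check is presence only.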

    Modified: 2016-12-29