ON THIS PAGE
Diameter Base Protocol
Diameter Base Protocol Overview
The Diameter protocol is defined in RFC 3588, Diameter Base Protocol, and provides an alternative to RADIUS that is more flexible and extensible. The Diameter base protocol provides basic services to one or more applications (also called functions) that runs in a different Diameter instance. The individual application provides the extended AAA functionality. Applications that use Diameter include Gx-Plus, JSRC, NASREQ, PTSP, and S6a. Starting in Junos OS Release 13.1R1, the packet-triggered subscribers and policy control (PTSP) feature is no longer supported.
Diameter peers communicate over a reliable TCP transport layer connection by exchanging Diameter messages that convey status, requests, and acknowledgments by means of standard Diameter AVPs and application-specific AVPs. The Diameter transport layer configuration is based on Diameter network elements (DNEs); multiple DNEs per Diameter instance are supported. Currently only the predefined master Diameter instance is supported, but you can configure alternative values for many of the master Diameter instance values.
Each DNE consists of a prioritized list of peers and a set of routes that define how traffic is forwarded. Each route associates a destination with a function (application), a function partition, and a metric. When an application sends a message to a routed destination, all routes within the Diameter protocol instance are examined for a match. When the best route to the destination has been selected, the message is forwarded by means of the DNE that includes that route.
Multiple routes to the same destination can exist within a given DNE and in different DNEs. In the case of multiple routes that match a request for forwarding, the best route is selected as follows:
The route with the lowest metric is selected.
In the event of a tie, the route with the highest specification score is selected.
In the event of another tie, then the names of the DNEs are compared in lexicographical order. The route in the DNE with the lowest value is selected. For example, dne-austin has a lower value than dne-boston.
If the routes are tied within the same DNE, then the route names are compared in lexicographical order. The route with the lowest value is selected.
The specification score of a route is 0 by default. Points are added to the score as follows:
If the destination realm matches the request, add 1.
If the destination host matches the request, add 2.
If the function matches the request, add 3.
If the function partition matches the request, add 4.
Multiple routes to the same destination can exist within a given DNE and in different DNEs. In the case of multiple routes that match a request for forwarding, Diameter selects the best route as follows:
Diameter compares the metric of the routes and selects the route with the lowest metric.
If multiple routes have the same lowest metric, then Diameter selects the most-qualified route. Diameter evaluates multiple attributes of the route to determine a score that reflects how specifically each route matches the request. By default, the score of a route is 0. Points are added to the score as follows:
If the destination realm matches the request, add 1.
If the destination host matches the request, add 2.
If the function matches the request, add 3.
If the function partition matches the request, add 4.
If multiple routes are equally qualified, then Diameter compares the names of the DNEs in lexicographical order and selects the route in the DNE that has the lowest value. For example, dne-austin has a lower value than dne-boston.
If the routes are tied within the same DNE, then Diameter compares the route names in lexicographical order and selects the route with the lowest value.
When the state of any DNE changes, the route lookup for all destinations is reevaluated. All outstanding messages to routed destinations are rerouted as needed, or discarded.
To configure a Diameter network element, include the network-element statement at the [edit diameter] hierarchy level, then
include the route statement at the [edit diameter
network-element element-name forwarding] hierarchy level.
To configure a route for the DNE, include the destination (optional), function (optional), and metric statements at the [edit diameter network-element element-name forwarding route dne-route-name] hierarchy level.
Specify the Diameter peers associated with the DNE by including
one or more peer statements at the [edit diameter
network-element element-name] hierarchy
level.
Set the priority for each peer with the priority statement
at the [edit diameter network-element element-name peer peer-name] hierarchy level.
Diameter requires you to configure information about the origin
node; this is the endpoint node that originates Diameter for the Diameter
instance. Include the host and realm statements
at the [edit diameter] hierarchy level to configure the
Diameter origin.
You can optionally configure one or more transports to specify the source (local) address of the transport layer connection.
To configure a Diameter transport, include the transport statement at the [edit diameter] hierarchy level. Then
include the address statement at the [edit diameter
transport transport-name] hierarchy level.
You can optionally specify a logical system and routing instance
for the connection by including the logical-system and routing-instance statements at the [edit diameter transport transport-name] hierarchy level. By default, Diameter
uses the default logical system and default routing instance (using
the main inet.0 routing table). The logical system and routing instance
for the transport connection must match that for the peer, or a configuration
error is reported.
Each Diameter peer is specified by a name. Peer attributes include
address and the destination TCP port used by active connections to
this peer. To configure a Diameter peer, include the peer statement at the [edit diameter] hierarchy level, and
then include the address and connect-actively statements at the [edit diameter peer peer-name] hierarchy level.
To configure the active connection, include the port and transport statements at the [edit diameter peer peer-name connect-actively] hierarchy level. The
assigned transport identifies the transport layer source address used
to establish active connections to the peers. transport statements.
Benefits of Using Diameter
Diameter enables a lower load on the network and servers by reporting usage information at a much lower frequency compared to RADIUS. RADIUS involves periodic updates independent of usage changes. Diameter applications such as Gx enable you to set thresholds with correlating pushes of usage statistics from the router to the PCRF. The PCRF can then make appropriate adjustments to services and costs.
Wireless services and charging are typically performed with Diameter applications, but wireline services have generally used a RADIUS-based infrastructure. Customers with both wireline and wireless offerings can reduce the complexity and cost of maintaining separate infrastructures by migrating their wireline operations to their existing Diameter-based wireless infrastructure.
Applications that run over Diameter tend to be stateful (some may be either, such as NASREQ), whereas RADIUS is not stateful.
Multiple application protocols can run over Diameter, such as NASREQ, Gx, Gy, JSRC, and S6a.
Larger attribute space than RADIUS, which enables a greater number of standard and vendor-specific attributes (AVPs) than RADIUS. Diameter also supports the RADIUS standard attributes, reserving AVPs 1 through 255 for them.
Messages Used by Diameter Applications
Junos OS supports the following Diameter applications:
JSRC—A Juniper Networks Diameter application registered with the IANA (http://www.iana.org) as Juniper Policy-Control-JSRC, with an ID of 16777244. It communicates with the SAE (remote SRC peer).
PTSP—A Juniper Networks Diameter application registered with the IANA (http://www.iana.org) as Juniper JGx, with an ID of 16777273. It communicates with the SAE (remote SRC peer). Starting in Junos OS Release 13.1R1, the packet-triggered subscribers and policy control (PTSP) feature is no longer supported.
Gx-Plus—An application that extends the 3GPP Gx interface for wireline use cases. 3GPP Gx is registered with the IANA (http://www.iana.org). It communicates with a PCRF.
If data for a particular AVP included in a message is not available to the router, Gx-Plus simply omits the AVP from the message it sends to the PCRF. If the PCRF determines it has insufficient information to make a determination, it may deny the request. The Diameter answer messages include the Result-Code AVP (AVP 268); the values of this AVP convey success, failure, or errors to the requestor.
NASREQ—A Diameter-based authentication, authorization, and accounting protocol defined in RFC 7155. Junos OS supports authentication and authorization only.
Juniper Networks has also registered the Juniper-Session-Recovery application (16777296) and two new command codes (8388628 for Juniper-Session-Events and 8388629 for Juniper-Session-Discovery) with the IANA (http://www.iana.org).
Table 1 describes Diameter messages the applications use.
Diameter Message |
Code |
Application |
Description |
|---|---|---|---|
AA-Request (AAR) |
265 |
JSRC, NASREQ, PTSP |
Request from the application to the SAE at new subscriber login or during SAE-application synchronization. The request can be one of three types: address-authorization, provisioning-request, or synchronization. |
AA-Answer (AAA) |
265 |
JSRC, NASREQ, PTSP |
Response from the SAE to the application’s AA-Request message. |
Abort-Session-Request (ASR) |
274 |
JSRC, NASREQ, PTSP |
Request from the SAE to the application to log out a provisioned subscriber. |
Abort-Session-Answer (ASA) |
274 |
JSRC, NASREQ, PTSP |
Response from the application to the SAE’s ASR message. If the application sends the logout request to AAA, the ASA message includes a success notification (ACK). If the logout failed, the ASA message includes a failure notification (NAK). |
Accounting-Request (ACR) |
271 |
JSRC, PTSP |
Request from the SAE to the application or from the application to the SAE for statistics. |
Accounting-Answer (ACA) |
271 |
JSRC, PTSP |
Response to the ACR message to provide statistics for each installed policy (service). |
Capability Exchange Request (CER) |
257 |
Gx-Plus |
Request from one peer to another when the peers establish a transport connection; initiates the capability negotiation. The CER announces the peer’s identity and capabilities, such as applications and security mechanisms supported. |
Capability Exchange Answer (CEA) |
257 |
Gx-Plus |
Response to the CER message to announce this peer’s capabilities. If this peer has no capabilities in common with the peer that sent the CER, then it must set the Result-Code AVP to DIAMETER_NO_COMMON_APPLICATION and should drop the connection. Otherwise, the CEA details establish common capabilities between the peers and enable them to further establish communication. |
Credit-Control-Request (CCR) |
272 |
Gx-Plus |
Request from Gx-Plus to the PCRF at subscriber login, logout, or update. An initial request (CCR-I) is sent when a subscriber logs in and AAA is requested to activate the subscriber’s session. Gx-Plus retries the CCR-I message if a CCA-I message is not received from the PCRF within 10 seconds. The CCR-I message is retried up to 3 times. The CCR-I message includes the Diameter AVP Subscription-Id
attribute (443) with the Subscription-Id-Type Diameter AVP sub-attribute
(450) set to 4 (END_USER_PRIVATE) and the Subscription-Id-Data Diameter
AVP sub-attribute (444) set to If no CCA-I is received after the 4 CCR-I messages have been sent—the first message plus 3 retries—then Gx-Plus starts sending CCR-N messages. CCR-N messages are retried forever until a success or failure response is received from the PCRF. CCR-N messages include the Juniper-Provisioning-Source AVP (AVP code 2101) set to local to notify the PCRF that the router has the authority to make a local decision regarding subscriber service activation. An update request (CCR-U) message is sent when a usage threshold is reached. The CCR-U reports the actual usage for all statistics. The PCRF may return a CCA-U message that includes new monitoring thresholds, service activations, service deactivations. If the PCRF times out on the CCR-U report, the router sets the threshold default to 10 minutes. When the change in threshold values is less than the minimum, the values are adjusted to the minimums. For example, the minimum increase for duration is 10 minutes. A CCR-U is also sent to report the status of service activation or deactivation. When a monitored service is deactivated separate from a subscriber logout, the CCR-U indicates that the service is no longer active and includes the service’s usage data. A termination request (CCR-T) is sent at subscriber logout to inform the PCRF that a provisioned subscriber session is being terminated. CCR-T messages are retried forever until a success response is received from the PCRF. When a monitored service is deactivated as part of the subscriber logout, the CCR-T message includes monitored usage data for the service, such as bytes used. |
Credit-Control-Answer (CCA) |
272 |
Gx-Plus |
Reply from the PCRF to a CCR message. In response to a CCR-I, the PCRF returns a CCA-I message that indicates success (DIAMETER_SUCCESS) or failure (DIAMETER AUTHORIZATION REJECTED) depending on whether the subscriber has sufficient credit for the requested services. All other responses are ignored and the CCR-I is retried. In response to a CCR-T, the PCRF returns a CCA-T message that indicates a successful termination with a value of 2001 (DIAMETER SUCCESS) in the Result-Code AVP. All other responses are ignored and the CCR-T is retried. A CCA-N is a response to a CCR-N. |
Juniper-Session-Discovery-Request (JSDR) |
8388629 |
Gx-Plus |
Discovery request from the PCRF to Gx-Plus to discover subscriber sessions on the router. |
Juniper-Session-Discovery-Answer (JSDA) |
8388629 |
Gx-Plus |
Reply from router to a JSDR message; describes session information. The Result-Code AVP includes one of the following values, or an error value:
|
Juniper-Session-Event-Request (JSER) |
8388628 |
Gx-Plus |
Request from router to PCRF regarding events that take place on the router. Notifies the PCRF of certain events on the router by including the Juniper-Event-Type AVP (AVP code 2103). Events reported include cold or warm boots, explicit discovery requests, substantial configuration changes, non-response or error response from PCRF, and exhaustion of fault-tolerant resources. |
Juniper-Session-Event-Answer (JSEA) |
8388628 |
Gx-Plus |
Reply from PCRF to a JSER message. |
Push-Profile-Request (PPR) |
288 |
JSRC, PTSP |
Request from the SAE to the router to activate or deactivate services for a subscriber. |
Push-Profile-Answer (PPA) |
288 |
JSRC, PTSP |
Response from the router to the SAE’s PPR message. Includes success or failure notification for each of the service activation or deactivation commands in the request. |
Re-Auth-Request (RAR) |
258 |
Gx-Plus |
Audit request from the PCRF to router to determine whether a specific subscriber is still present. The router updates the monitoring key and threshold values when they are received in the RAR. |
Re-Auth-Answer (RAA) |
258 |
Gx-Plus |
Reply from router to a RAR message; indicates whether the subscriber is active. The Result-Code AVP includes one of the following values:
|
Session-Resource-Query (SRQ) |
277 |
JSRC, PTSP |
Request from the router to the SAE or from the SAE to the router to initiate synchronization between router and the SAE. |
Session-Resource-Reply (SRR) |
277 |
JSRC, PTSP |
Response to the SRQ message to begin synchronization. |
Session-Termination-Request (STR) |
275 |
JSRC, NASREQ, PTSP |
Notification from the router to the SAE that a provisioned subscriber has logged out. |
Session-Termination-Answer (STA) |
275 |
JSRC, NASREQ, PTSP |
Response from the SAE to the router’s STR message. Includes success or failure notification. |
Diameter AVPs and Diameter Applications
Diameter conveys information by including various attribute-value pairs (AVPs) in Diameter messages, in the same way that RADIUS conveys information in both standard IETF RADIUS attributes and vendor-specific attributes (VSAs). Table 2 lists the standard Diameter AVPs used in interactions with the supported Diameter applications. Diameter reserves AVP attribute numbers 0 through 255 for RADIUS attributes that are implemented in Diameter; the Diameter attribute numbers are the same as for the corresponding standard RADIUS attributes. Attributes numbered higher than 255 have no corresponding standard RADIUS attribute. Starting in Junos OS Release 13.1R1, the packet-triggered subscribers and policy control (PTSP) feature is no longer supported.
Attribute Number |
Diameter AVP |
Application |
Description |
Type |
|---|---|---|---|---|
1 |
User-Name |
Gx-Plus, JSRC, NASREQ |
Specifies the username. For a subscriber managed by AAA, the value is the subscriber’s login name. For a static interface, the value is the interface name, which is used as the subscriber’s login name. |
UTF8String |
2 |
User-Password |
NASREQ |
Specifies the password of the user to be authenticated or the user's input in a multi-round authentication exchange. |
OctetString |
4 |
NAS-IP-Address |
NASREQ |
Specifies the IP address of the NAS that is authenticating the user. |
IPAddress |
6 |
Service-Type |
NASREQ |
Specifies the type of service the user has requested or the type of service to be provided. One such AVP may be present in an authentication or authorization request or response. A NAS is not required to implement all of these service types. |
Enumerated |
8 |
Framed-IP-Address |
Gx-Plus, JSRC, NASREQ, PTSP |
Identifies the IPv4 address configured for the subscriber. This is the same value as for RADIUS Framed-IP-Address attribute [8]. |
OctetString |
9 |
Framed-IP-Netmask |
NASREQ |
Identifies the four octets of the IPv4 netmask. |
OctetString |
11 |
Filter-ID |
NASREQ |
Specifies the name of the filter list for a user. It is intended to be human readable. Zero or more Filter-Id AVPs may be sent in an authorization answer message. |
UTF8String |
12 |
Framed-MTU |
NASREQ |
Specifies the maximum transmission unit (MTU) to be configured for the user, when it is not negotiated by some other means (such as PPP). |
Unsigned32 |
22 |
Framed-Route |
NASREQ |
Specifies the 7-bit US-ASCII routing information. |
UTF8String |
25 |
Class |
NASREQ |
Returns state information from a Diameter server to the access device. |
OctetString |
27 |
Session-Timeout |
NASREQ |
Specifies the maximum number of seconds of service provided to the user before termination of the session. |
Unsigned32 |
28 |
Idle-Timeout |
NASREQ |
Specifies the maximum number of consecutive seconds of idle connection allowable to the user before termination of the session or before a prompt is issued. |
Unsigned32 |
32 |
NAS-Identifier |
NASREQ |
Specifies the identity of the NAS that provides service to the user. |
DiamIdent |
44 |
Acct-Session-ID |
NASREQ |
Specifies the contents of the RADIUS Acct-Session-Id attribute. |
OctetString |
50 |
Acct-Multi-Session-ID |
NASREQ |
Links multiple related accounting sessions, where each session has a unique Session-Id but the same Acct-Multi-Session-Id AVP. |
UTF8String |
55 |
Event-Timestamp |
Gx-Plus, JSRC, PTSP |
Specifies the time of the event that triggered the message in which this AVP is included. Time is indicated in seconds since January 1, 1900, 00:00 UTC. |
Time |
60 |
CHAP-Challenge |
NASREQ |
Specifies the PPP Challenge-Handshake Authentication Protocol (CHAP) challenge sent by the NAS to the CHAP peer. |
OctetString |
61 |
NAS-Port-Type |
NASREQ |
Specifies the type of the port on which the NAS is authenticating the user. |
Enumerated |
62 |
Port-Limit |
NASREQ |
Specifies the maximum number of ports the NAS provides to the user. |
Unsigned32 |
78 |
Configuration-Token |
NASREQ |
Indicates the type of user profile used. |
OctetString |
85 |
Acct-Interim-Interval |
JSRC, PTSP |
Specifies the number of seconds between each interim accounting update for this session. The router uses the following guidelines for interim accounting:
|
Unsigned32 |
87 |
NAS-Port-Id |
Gx-Plus, JSRC, NASREQ, PTSP |
Identifies the port of the NAS that authenticates the user. This is the same value as for RADIUS NAS-Port-Id attribute [87]. |
UTF8String |
88 |
Framed-Pool |
NASREQ |
Specifies the name of an assigned address pool to use to assign an address for the user. If a NAS does not support multiple address pools, the NAS disregards this AVP. Address pools are usually used for IP addresses but can be used for other protocols if the NAS supports pools for those protocols. |
OctetString |
97 |
Framed-IPv6-Prefix |
NASREQ |
Specifies the IPv6 prefix configured for the user. |
OctetString |
99 |
Framed-IPv6-Route |
NASREQ |
Specifies the US-ASCII routing information configured for the user on the NAS. |
UTF8String |
100 |
Framed-IPv6-Pool |
NASREQ |
Specifies the name of an assigned pool to use to assign an IPv6 prefix for the user. If the access device does not support multiple prefix pools, it must disregard this AVP. |
OctetString |
258 |
Auth-Application-ID |
NASREQ |
Specifies support of the Authentication and Authorization portion of an application. |
Unsigned32 |
263 |
Session-ID |
Gx-Plus, JSRC, NASREQ, PTSP |
Specifies the subscriber session identifier. The router assigns the value to uniquely identify a subscriber session. |
UTF8String |
264 |
Origin-Host |
NASREQ |
Specifies the host that originates a Diameter message. |
DiamIdent |
268 |
Result-Code |
Gx-Plus, JSRC, NASREQ, PTSP |
Indicates whether a request completed successfully. Provides an error code if the request failed. The following classes are recognized by Diameter:
Unrecognized classes, which begin with numerals 6–9 or 0, are handled as permanent failures. JSRC and PTSP support the following values; all non-success values are treated as permanent failures:
JSRC also supports the following value, which is treated as a permanent failure:
Gx-Plus supports the following values for errors in a PCRF response; when these values are received or the response is malformed or unrecognizable, the request is retried.
|
Unsigned32 |
269 |
Product-Name |
Gx-Plus |
Specifies the value for the Product-Name field in Capability
Exchange Request (CER) and Capability Exchange Answer (CEA) messages.
The value is always JUNOS unless a different name is configured with
the If you change the product name, the router disconnects all existing connections to Diameter peers and reconnects using the new name. |
UTF8String |
277 |
Auth-Session-State |
JSRC, NASREQ, PTSP |
Indicates whether AAA session state is maintained.
|
Enumerated |
279 |
Failed-AVP |
NASREQ |
Specifies debugging information in cases where a request is rejected or not fully processed due to erroneous information in a specific AVP. The value of the Result-Code AVP provides information on the reason for the Failed-AVP AVP. |
Grouped |
281 |
Error-Message |
NASREQ |
Specifies a human-readable error message that may accompany a Result-Code AVP. The Error-Message AVP is not intended to be useful in real-time; do not expect network entities to parse the message. |
UTF8String |
283 |
Destination-Realm |
NASREQ |
Specifies the Diameter realm to which the Diameter message is routed. |
DiamIdent |
293 |
Destination-Host |
NASREQ |
Specifies the host to which a Diamter message is routed. |
DiamIdent |
295 |
Termination-Cause |
JSRC, NASREQ, PTSP |
Indicates the reason why a session was terminated on the access device.
|
Enumerated |
296 |
Origin-Realm |
NASREQ |
Identifies the Diameter realm of the originator of a Diameter message. |
DiamIdent |
402 |
CHAP-Auth |
NASREQ |
Specifies the information necessary to authenticate a user using CHAP. |
Grouped |
415 |
CC-Request-Number |
Gx-Plus |
Identifies a request within a session. The combination of Session-Id and CC-Request-Type is globally unique. The number is incremented for each request during the course of a session. The number is reset when a router high availability event takes place. |
Unsigned32 |
416 |
CC-Request-Type |
Gx-Plus |
Specifies the type of credit control request:
|
Enumerated |
431 |
Granted-Service-Unit |
Gx-Plus |
Contains the amount that can be provided of one or more of the following requested units specified by the client: CC-Input-Octets, CC-Output-Octets, CC-Time, or CC-Total-Octets. Included in CCA-I messages, and may be included in CCA-U messages. |
Grouped |
443 |
Subscription-Id |
Gx-Plus |
Contains the following sub-attributes that do no appear alone:
|
Grouped |
446 |
Used-Service-Unit |
Gx-Plus |
Contains the amount of the requested units that have been actually used; measured from 4 when the service is activated. The units are one or more of the following requested units specified by the client: CC-Input-Octets, CC-Output-Octets, CC-Time, or CC-Total-Octets. Included in CCR-U messages. |
Grouped |
480 |
Accounting-Record-Type |
JSRC, PTSP |
Specifies the type of account record for service accounting:
|
Enumerated |
1001 |
Charging-Rule-Install |
Gx-Plus, NASREQ |
Requests the installation of the rule (activation of the service) designated by the included Charging-Rule-Name AVP (1005). This AVP has a vendor ID of 10415 (3GPP). |
Grouped |
1002 |
Charging-Rule-Remove |
Gx-Plus |
Requests the removal of the rule (deactivation of the service) designated by the included Charging-Rule-Name AVP (1005). This AVP has a vendor ID of 10415 (3GPP). |
Grouped |
1005 |
Charging-Rule-Name |
Gx-Plus, NASREQ |
Specifies the name of a specific rule that has been installed, modified, or removed. |
OctetString |
1066 |
Monitoring-Key |
Gx-Plus |
Specifies which of the monitoring structures to use. Included in Charging-Rule-Install AVP (1001). The MX router does not support aggregation of statistics across services, so the value of this AVP must be different for each service. This AVP has a vendor ID of 10415 (3GPP). |
OctetString |
1067 |
Usage-Monitoring-Information |
Gx-Plus |
Sets monitoring thresholds. When service statistics match at least one of the granted service values, the router sends a CCR-U report with the current statistics to the PCRF. Includes the Monitoring-Key AVP (1066) and the Granted-Service-Unit AVP (431). This AVP has a vendor ID of 10415 (3GPP). |
Grouped |
Juniper Networks AVPs are used in addition to the standard Diameter AVPs. These AVPs have a vendor ID (enterprise number) of 2636 or 4874, and are similar in concept to RADIUS vendor-specific attributes (VSAs). Table 3 lists the Juniper Networks AVPs that the supported Diameter applications use.
Attribute Number |
Diameter AVP |
Vendor ID |
Application |
Description |
Type |
|---|---|---|---|---|---|
213 |
Interface-Set-Targeting-Weight |
4874 |
NASREQ |
Specify a weight for an interface set to associate it and its member links with an aggregated Ethernet member link for targeted distribution. |
Unsigned32 |
214 |
Interface-Targeting-Weight |
4874 |
NASREQ |
Specify a weight for an interface to associate it with an interface set and thus with the set’s aggregated Ethernet member link for targeted distribution. When an interface set does not have a weight, then the interface weight value for the first authorized subscriber interface is used for the set. |
Unsigned32 |
2004 |
Juniper-Service-Bundle |
2636 |
JSRC |
Specifies the name of the service bundle. |
OctetString |
2010 |
Juniper-DHCP-Options |
2636 |
JSRC |
Specifies the client’s DHCP options. |
OctetString |
2011 |
Juniper-DHCP-GI-Address |
2636 |
JSRC |
Specifies the DHCP relay agent’s IP address. |
OctetString |
2020 |
Juniper-Policy-Install |
2636 |
JSRC, PTSP |
Specifies policies to be activated for the subscriber. Includes Juniper-Policy-Name and Juniper-Policy-Definition |
Grouped |
2021 |
Juniper-Policy-Name |
2636 |
JSRC, PTSP |
Defines the name of a policy decision. |
OctetString |
2022 |
Juniper-Policy-Definition |
2636 |
JSRC, PTSP |
Defines a policy decision. Includes Juniper-Policy-Name, Juniper-Template-Name, and Juniper-Substitution. |
Grouped |
2023 |
Juniper-Template-Name |
2636 |
JSRC, PTSP |
Specifies the profile name defined by the router. PTSP
supports only the |
UTF8String |
2024 |
Juniper-Substitution |
2636 |
JSRC, PTSP |
Defines the substitution attributes. Includes Juniper-Substitution-Name and Juniper-Substitution-Value. |
OctetString |
2025 |
Juniper-Substitution-Name |
2636 |
JSRC, PTSP |
Defines the name of the variable to be replaced. |
OctetString |
2026 |
Juniper-Substitution-Value |
2636 |
JSRC, PTSP |
Defines the value of the variable to be replaced. |
OctetString |
2027 |
Juniper-Policy-Remove |
2636 |
JSRC, PTSP |
Specifies policies to be deactivated for the subscriber. Includes Juniper-Policy-Name. |
Grouped |
2035 |
Juniper-Policy-Failed |
2636 |
JSRC, PTSP |
Specifies the name of the policy activation or deactivation that failed. |
OctetString |
2038 |
Juniper-Policy-Success |
2636 |
JSRC, PTSP |
Specifies the name of the policy activation or deactivation that succeeded. |
OctetString |
2046 |
Juniper-Logical-System |
2636 |
JSRC, PTSP |
Specifies the logical system. |
UTF8String |
2047 |
Juniper-Routing-Instance |
2636 |
JSRC, PTSP |
Specifies the routing instance. |
UTF8String |
2048 |
Juniper-Jsrc-Partition |
2636 |
JSRC, PTSP |
Specifies the logical system and routing instance for the subscriber or request. Includes Juniper-Logical-System and Juniper-Routing-Instance |
Grouped |
2050 |
Juniper-Request-Type |
2636 |
JSRC, PTSP |
Describes the type of request:
|
Enumerated |
2051 |
Juniper-Synchronization-Type |
2636 |
JSRC, PTSP |
Describes the type of synchronization:
|
Enumerated |
2052 |
Juniper-Synchronization |
2636 |
JSRC, PTSP |
Describes the state of synchronization:
|
Enumerated |
2053 |
Juniper-Acct-Record |
2636 |
JSRC, PTSP |
Specifies the statistics data for each policy installed for this subscriber. Includes Juniper-Policy-Name. |
Grouped |
2054 |
Juniper-Acct-Collect |
2636 |
JSRC, PTSP |
Specifies whether to collect accounting data for the installed policy (service) when included in the Juniper-Policy-Install AVP:
|
Enumerated |
2058 |
Juniper-State-ID |
2636 |
JSRC, PTSP |
Specifies the value assigned to each synchronization
cycle for the purpose of identifying which messages to discard. All
solicited requests containing the same Note:
For solicited synchronization requests, the SRQ message
contains the incremented |
Unsigned32 |
2100 |
Juniper-Virtual-Router |
2636 |
Gx-Plus, JSRC |
Specifies the name of the virtual router associated with the session. |
UTF8String |
2101 |
Juniper-Provisioning-Source |
2636 |
Gx-Plus |
Specifies the provisioning source for the session in CCR-N and JSDA messages:
|
Enumerated |
2102 |
Juniper-Provisioning-Descriptor |
2636 |
Gx-Plus |
Defines the group used in JSDA messages that includes the session ID, and optionally Juniper-Provisioning-Source and subscriber data. |
Grouped |
2103 |
Juniper-Event-Type |
2636 |
Gx-Plus |
Communicates the event type in JSER messages:
|
Enumerated |
2104 |
Juniper-Discovery-Descriptor |
2636 |
Gx-Plus |
Defines the group used in JSDR and JSDA messages that includes parameters of a discovery request: discovery type, request string, verbosity, max results. |
Grouped |
2105 |
Juniper-Discovery-Type |
2636 |
Gx-Plus |
Specifies the discovery subcommand for JSDR and JSDA messages:
|
Enumerated |
2106 |
Juniper-Verbosity-Level |
2636 |
Gx-Plus |
Specifies the verbosity level for JSDR and JSDA messages:
|
Enumerated |
2107 |
Juniper-String-A |
2636 |
Gx-Plus |
Specifies a generic string that is interpreted according to the context. |
UTF8String |
2108 |
Juniper-String-B |
2636 |
Gx-Plus |
Specifies a generic string that is interpreted according to the context. |
UTF8String |
2109 |
Juniper-String-C |
2636 |
Gx-Plus |
Specifies a generic string that is interpreted according to the context. |
UTF8String |
2110 |
Juniper-Unsigned32-A |
2636 |
Gx-Plus |
Specifies a generic, unsigned 32-bit integer that is interpreted according to the context. |
Unsigned32 |
2111 |
Juniper-Unsigned32-B |
2636 |
Gx-Plus |
Specifies a generic, unsigned 32-bit integer that is interpreted according to the context. |
Unsigned32 |
2112 |
Juniper-Unsigned32-C |
2636 |
Gx-Plus |
Specifies a generic, unsigned 32-bit integer that is interpreted according to the context. |
Unsigned32 |
2200 |
Juniper-IPv6-Ndra-Prefix |
2636 |
JSRC |
If available in the subscriber’s session database IPv6Prefix entry, this AVP is included in AAR provisioning request messages sent to the SAE. This AVP is used only when you enable JSRC dual-stack support. |
IPv6Prefix |
2201 |
Juniper-Framed-IPv6-Netmask |
2636 |
JSRC |
If available in the subscriber’s session database IPv6Address entry, this AVP is included in AAR provisioning request messages sent to the SAE. This AVP is used only when you enable JSRC dual-stack support. |
IPv6Address |
2202 |
Juniper-Agent-Circuit-Id |
2636 |
JSRC |
Identifies the subscriber by access node and subscriber line. If available in the subscriber's session database entry, this AVP is included in AAR provisioning request messages sent to the SAE. This AVP is used only when you enable JSRC dual-stack support. |
OctetString |
2203 |
Juniper-Agent-Remote-Id |
2636 |
JSRC |
Identifies the subscriber on the access node. If available in the subscriber's session database entry, this AVP is included in AAR provisioning request messages sent to the SAE. This AVP is used only when you enable JSRC dual-stack support. |
OctetString |
2204 |
Juniper-Acct-IPv6-Input-Octets |
2636 |
JSRC |
Number of IPv6 octets received on the interface. This AVP is included in ACR accounting request messages sent to the SAE, even when the value is zero. This AVP is used only when you enable JSRC dual-stack support. |
Unsigned64 |
2205 |
Juniper-Acct-IPv6-Output-Octets |
2636 |
JSRC |
Number of IPv6 octets sent on the interface. This AVP is included in ACR accounting request messages sent to the SAE, even when the value is zero. This AVP is used only when you enable JSRC dual-stack support. |
Unsigned64 |
2206 |
Juniper-Acct-IPv6-Input-Pkts |
2636 |
JSRC |
Number of IPv6 packets received on the interface. This AVP is included in ACR accounting request messages sent to the SAE, even when the value is zero. This AVP is used only when you enable JSRC dual-stack support. |
Unsigned64 |
2207 |
Juniper-Acct-IPv6-Output-Pkts |
2636 |
JSRC |
Number of IPv6 packets sent on the interface. This AVP is included in ACR accounting request messages sent to the SAE, even when the value is zero. This AVP is used only when you enable JSRC dual-stack support. |
Unsigned64 |
Tekelec AVPs are used only for Gx-Plus. These AVPs have an enterprise number of 21274. Table 4 lists the Tekelec AVPs. These four variables are used to provide substitution values for user-defined CoS service variables.
Attribute Number |
Diameter AVP |
Application |
Description |
Type |
|---|---|---|---|---|
5555 |
Tekelec-Charging-Rule-Argument-Name |
Gx-Plus |
Defines the name of the service variable to be replaced. |
OctetString |
5556 |
Tekelec-Charging-Rule-Argument-Value |
Gx-Plus |
Defines the value of the service variable to be replaced. |
OctetString |
5557 |
Tekelec-Charging-Rule-Argument |
Gx-Plus |
Defines the substitution attributes used to replace service variables. Includes Tekelec-Charging-Rule-Argument-Name AVP (5555) and Tekelec-Charging-Rule-Argument-Value AVP (5556). |
Grouped |
5558 |
Tekelec-Charging-Rule-With-Arguments |
Gx-Plus |
Requests the installation of the rule (activation of the service) designated by the included Charging-Rule-Name AVP (1005). Requested service variable substitutions are provided by the optionally included Tekelec-Charging-Rule-Argument AVP (5557). |
Grouped |
Configuring Diameter
You configure Diameter by specifying the endpoint origin, the remote peers, the transport layer connection, and network elements that associate routes with peers. Only the master Diameter instance is currently supported. You can configure alternative values for this Diameter instance only in the context of the default routing instance.
To configure Diameter base protocol:
Configuring the Origin Attributes of the Diameter Instance
You can configure the identifying characteristics of the endpoint node that originates Diameter messages for the Diameter instance. The hostname is supplied as the value for the Origin-Host AVP by the Diameter instance. The realm is supplied as the value for the Origin-Realm AVP by the Diameter instance.
To configure the origin attributes for a Diameter instance:
Configuring Diameter Peers
You can configure the peers to which Diameter sends messages. Diameter uses the default logical system and routing instance. Port 3868 is used for active connections to peers by default.
To configure a remote peer for a Diameter instance:
For example, the following configuration for peer p3 specifies an IPv4 address, the routing instance ri8, destination port 49152, transport t6, an origin of host 1 in example.com, and includes the Origin-State AVP in messages.
[edit diameter] user@host# edit peer p3 [edit diameter peer p3] user@host# set address 192.168.23.10 user@host# set routing-instance ri8 user@host# set connect-actively port 49152 user@host# set connect-actively transport t6 user@host# set peer-origin host host1 realm example.com user@host# set send-origin-state-id
Configuring the Diameter Transport
You can configure one or more transports for a Diameter instance to set the IPv4 or IPv6 address for the local connection, and optionally configure a logical system or routing instance context. Diameter uses the default logical system and routing instance. The logical system and routing instance for the transport connection must match that for the peer, or a configuration error is reported. Multiple peers can share the same transport.
To configure a transport for a Diameter instance:
For example, the following configuration for transport t1 specifies an IPv6 address, logical system ls5, and routing instance ri10.
[edit diameter] user@host# edit transport t1 [edit diameter transport t1] user@host# set address 2001:db8::113:200 user@host# set logical-system ls5 user@host# set routing-instance ri10
Configuring Diameter Network Elements
A Diameter network element (DNE) consists of associated applications (called functions in the CLI), a list of prioritized peers, and a set of forwarding rules. The forwarding rules define individual routes through a set of associated destinations, applications, and metrics. At least one DNE must be configured per chassis to start the Diameter process (jdiameterd).
Before you configure Diameter network elements, perform the following task:
Define the Diameter peers. See Configuring Diameter Peers.
To configure a Diameter network element:
Example: Configure S6a Application
This example shows how to configure diameter-based authentication S6a application on your SRX Series Firewall to retrieve authentication information from the subscriber server.
Requirements
This example uses the following hardware:
Any SRX Series Firewall
Before you begin, read Diameter Base Protocol Overview.
Overview
In this example, You create S6a partition and specify the endpoint
origin, the remote peers, and the network elements that associate
routes with peers to control diameter forwarding of S6a messages.
You also create S6a partition to Only the master Diameter instance
is currently supported. You can configure alternative values for the master Diameter instance only in the context of the default
routing instance.
Configuration
- Configure Access Profile and Diameter Application Parameters
- Configure Redundant Ethernet Interfaces
- Configure Security Zones and Security Policies to permit the S6a Diameter Application
Configure Access Profile and Diameter Application Parameters
CLI Quick Configuration
To quickly configure this section of the example,
copy the following commands, paste them into a text file, remove any
line breaks, change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration
mode.
set access-profile s6a_test authentication-order s6a set access profile s6a_test authentication-order s6a set access s6a partition partition_name set access s6a partition partition_name destination-realm zzz.com set access s6a partition partition_name destination-host s6b.zzz.com set access s6a partition partition_name diameter-instance master set access s6a partition partition_name max-outstanding-requests 40 set access s6a partition partition_name response-timeout 20 set diameter origin realm zzz.com set diameter origin host s6a.zzz.com set diameter network-element ne3 set diameter network-element peer p3 set diameter network-element peer p3 priority 100 set diameter network-element ne3 forwarding route r0 set diameter network-element ne3 forwarding route r0 metric 100 set diameter peer p3 address 192.0.0.244 set diameter peer p3 connect-actively port 63101
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure access profile and diameter application parameters:
Specify the access profile to use for authentication order.
[edit access-profile] user@host# set s6a_test
Specify the order in which authentication methods are used.
[edit access profile] user@host# set s6a_test authentication-order s6a
Create the partition or specify the name of an existing partition.
[edit access] user@host# set s6a partition partition_name
Configure the destination realm for the s6a partition.
[edit access] user@host# set s6a partition partition_name destination-realm zzz.com
Configure the destination host for the s6a partition.
[edit access] user@host# set s6a partition partition_name destination-host s6b.zzz.com
Specify the Diameter instance for the s6a partition.
[edit access] user@host# set s6a partition partition_name diameter-instance master
Note:Currently, only the default Diameter instance,
master, is supported.Set a limit on the number of outstanding requests.
[edit access] user@host# set s6a partition partition_name max-outstanding-requests 40
Configure the amount of time in seconds before the s6a stops attempting to send a subscriber logout message.
[edit access] user@host# set s6a partition partition_name response-timeout 20
Include the name of the realm that originates the Diameter message.
[edit diameter] user@host# set origin realm zzz.com
Include the name of the host that originates the Diameter message.
[edit diameter] user@host# set origin host s6a.zzz.com
Specify the name of the network element.
[edit diameter] user@host# set network-element ne3
Associate a Diameter peer with the network element.
[edit diameter] user@host# set network-element peer p3
Set the priority for the peer.
[edit diameter] user@host# set network-element peer p3 priority 100
Specify a route that is reachable through the network element based on the forwarding rules that you define.
[edit diameter] user@host# set network-element ne3 forwarding route r0
Specify a metric for the route.
[edit diameter] user@host# set network-element ne3 forwarding route r0 metric 100
Specify the IP address of the Diameter peer.
[edit diameter] user@host# set peer p3 address 192.0.0.244
Specify the port that Diameter uses for active connections to the peer.
[edit diameter] user@host# set peer p3 connect-actively port 63101
Results
From configuration mode, confirm your configuration
by entering the show access and show diameter commands. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.
[edit]
user@host# show access
s6a {
partition partition_name {
destination-realm zzz.com;
destination-host s6b.zzz.com;
diameter-instance master;
max-outstanding-requests 40;
response-timeout 20;
}
}
[edit]
user@host# show diameter
origin {
realm zzz.com;
host s6a.zzz.com;
}
network-element ne3 {
forwarding {
route r0 {
metric 100;
}
}
}
peer p3 {
address 192.0.0.244;
connect-actively {
port 63101;
}
}
If you are done configuring the device, enter commit from configuration mode.
Configure Redundant Ethernet Interfaces
CLI Quick Configuration
To quickly configure this section of the example,
copy the following commands, paste them into a text file, remove any
line breaks, change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration
mode.
set interfaces ge-0/0/0 gigether-options redundant-parent reth0 set interfaces ge-0/0/1 gigether-options redundant-parent reth1 set interfaces ge-7/0/0 gigether-options redundant-parent reth0 set interfaces ge-7/0/1 gigether-options redundant-parent reth1 set interfaces reth0 redundant-ether-options redundancy-group 1 set interfaces reth0 unit 0 family inet address 192.0.0.254/8 set interfaces reth1 redundant-ether-options redundancy-group 1 set interfaces reth1 unit 0 family inet address 198.51.100.254/8
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure redundant Ethernet interfaces:
Configure redundant Ethernet interfaces.
[edit interfaces] user@host# set ge-0/0/0 gigether-options redundant-parent reth0 user@host# set ge-0/0/1 gigether-options redundant-parent reth1 user@host# set ge-7/0/0 gigether-options redundant-parent reth0 user@host# set ge-7/0/1 gigether-options redundant-parent reth1 user@host# set reth0 redundant-ether-options redundancy-group 1 user@host# set reth0 unit 0 family inet address 192.0.0.254/8 user@host# set reth1 redundant-ether-options redundancy-group 1 user@host# set reth1 unit 0 family inet address 198.51.100.254/8
Results
From configuration mode, confirm your configuration
by entering the show interfaces command. If the output
does not display the intended configuration, repeat the configuration
instructions in this example to correct it.
[edit]
user@host# show interfaces
ge-0/0/0 {
gigether-options {
redundant-parent reth0;
}
}
ge-0/0/1 {
gigether-options {
redundant-parent reth1;
}
}
ge-7/0/0 {
gigether-options {
redundant-parent reth0;
}
}
ge-7/0/1 {
gigether-options {
redundant-parent reth1;
}
}
reth0 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
address 192.0.0.254/8;
}
}
}
reth1 {
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
address 198.51.100.254/8;
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Configure Security Zones and Security Policies to permit the S6a Diameter Application
CLI Quick Configuration
To quickly configure this section of the example,
copy the following commands, paste them into a text file, remove any
line breaks, change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration
mode.
set security zones security-zone Outside host-inbound-traffic system-services all set security zones security-zone Outside host-inbound-traffic protocols all set security zones security-zone Outside interfaces reth1.0 set security zones security-zone Inside host-inbound-traffic system-services all set security zones security-zone Inside host-inbound-traffic protocols all set security zones security-zone Inside interfaces reth0.0 set security policies from-zone Inside to-zone Outside policy policy0 match source-address any set security policies from-zone Inside to-zone Outside policy policy0 match destination-address any set security policies from-zone Inside to-zone Outside policy policy0 match application any set security policies from-zone Inside to-zone Outside policy policy0 then permit
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure security policies and zones:
Set system services and protocols on reth1.0 interface.
[edit security] user@host# set zones security-zone Outside host-inbound-traffic system-services all user@host# set zones security-zone Outside host-inbound-traffic protocols all user@host# set zones security-zone Outside interfaces reth1.0
Set system services and protocols on reth0.0 interface.
[edit security] user@host# set zones security-zone Inside host-inbound-traffic system-services all user@host# set zones security-zone Inside host-inbound-traffic protocols all user@host# set zones security-zone Inside interfaces reth0.0
Configure the security policies.
[edit security ] user@host# set policies from-zone Inside to-zone Outside policy policy0 match source-address any user@host# set policies from-zone Inside to-zone Outside policy policy0 match destination-address any user@host# set policies from-zone Inside to-zone Outside policy policy0 match application any user@host# set policies from-zone Inside to-zone Outside policy policy0 then permit
Results
From configuration mode, confirm your configuration
by entering the show security policies command. If the
output does not display the intended configuration, repeat the configuration
instructions in this example to correct it.
[edit]
user@host# show security policies
from-zone Inside to-zone Outside {
policy policy0 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
[edit]
user@host# show security zones
security-zone Outside {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
reth1.0;
}
}
security-zone Inside {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
reth0.0;
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying the S6a Status
Purpose
To confirm that the configuration is working properly, perform these tasks:
Action
From operational mode, enter the show network-access
s6a state, show network-access s6a statistics, and show network-access s6a statistics extensive commands to check
the network access state and statistics of s6a application.
user@host> show network-access s6a state S6a state: Component Value active-configuration yes queue-state normal request-count 0
user@host> show network-access s6a statistics S6a general counters: Counter ............Value aia-grant ..........1
user@host> show network-access s6a statistics extensive S6a general counters: Counter Value air 0 air-retry 0 air-failures 0 aia 0 aia-grant 0 aia-deny 0 aia-timeout 0 aia-failure 0 aia-late-response 0 aia-parse-errors 0 aia-drops-no-session 0 aia-drops-bad-orealm 0 aia-drops-bad-ohost 0 aia-drops-no-result 0 aia-drops-other 0 aia-bad-result 0 aia-bad-data 0 rx-unsupported-resp-cmd 0 rx-bad-experimental-result 0 rx-bad-authentication-info 0 rx-bad-utran-vector 0 rx-bad-eutran-vector 0 rx-bad-geran-vector 0 rx-parse-errors 0 S6a diameter event counters: Diameter event Value bad data message 0 good data message 0 bad flags 0 bad fixed destination 0 bad routed destination 0 tx is over limit 0 bad end-to-end id 0 no peer for tx 0 peer down while waiting for answer 0 timeout while waiting for answer 0 tx timeout 0 tx try limit 0 tx failure 0 discarded 0 received answer is over limit 0 tx failure: no memory 0 base-app-tx-timeout 0 base-app-rx-timeout 0 base-app-tx-discard 0 base-app-rx-discard 0
Meaning
The show network-access s6a state, show network-access s6a statistics, and show network-access
s6a statistics extensive commands shows the S6a application
state and the statistics of the retrieved authentication information
from the subscribed server.