NASREQ for Authentication and Authorization

Diameter Network Access Server Application (NASREQ)

The Diameter Network Access Server Requirements (NASREQ) protocol is a Diameter-based authentication, authorization, and accounting protocol defined in RFC 7155, Diameter Network Access Server Application. It is an alternative to using RADIUS AAA in a Diameter environment. Junos OS supports the authentication and authorization functions, but not accounting. Authentication is used at the initial subscriber login to verify the subscriber identity. Similarly, authorization is used at login to set up the initial conditions, services, or both that the subscriber may need. The NASREQ protocol is not used for re-authentication or re-authorization of subscribers.

Junos OS supports the following NASREQ protocol exchanges:

  • AA-Request/Answer—The authentication/authorization request at login.

  • Session-Termination-Request/Answer—Notification that the subscriber’s session has been terminated.

  • Abort-Session-Request/Answer—Request to terminate the subscriber’s session from a NASREQ server.

Note:

The Auth-Application-Id AVP must be set to a value of 1 in AA-Request, Session-Termination-Request, and Abort-Session-Request messages.

The NASREQ client has two queues: the transmit queue and the response queue. The transmit queue stores outbound packets, both requests and responses, until they are handed to Diameter for transmission. The response queue stores only requests, each held there until Diameter returns a response or reports a timeout for it.

The following configuration variables control transmission flow and use of the queues:

  • outstanding-requests—The maximum number of requests (AAR and STR) that are sent to Diameter for wireline transmission. This is effectively the maximum number of requests on the response queue, that is, the maximum number of in-flight requests for which no response or timeout has yet been received. Sent responses do not count toward this limit.

  • request-retry—The number of times a given request is re-sent to Diameter after its initial transmission times out. This value applies only to requests in the response queue.

  • timeout—The number of seconds that an outbound packet remains in the transmit queue before it is declared timed out. Packets that exceed the timeout value are not transmitted. Diameter manages packets that time out after transmission. The timeout value applies to all packets in the transmit queue, including both requests and responses to be sent.

The exchange flow takes place as follows:

  1. A subscriber attempts to log in and authd, acting as the NASREQ client, sends the NASREQ server a Diameter AA-Request (AAR) message that includes information about the subscriber and authentication information.

    • If the number of outstanding requests is less than the configured maximum outstanding request value, then authd sends the request to the NASREQ server for transmission and places the request on the response queue.

    • If the number of outstanding requests is greater than or equal to the configured maximum outstanding request value, then authd stores the request on the transmit queue.

  2. When a response is received from the NASREQ server in the form of a Diameter AA-Answer (AAA) message, authd checks the response queue for a matching request (AAR).

    • If a matching request is found, the request is pulled from the queue and used to process the response.

    • If no matching request is found, the response is ignored and dropped.

When Diameter notifies the NASREQ client that a request has timed out, one of the following actions occurs:

  • If the request is not on the response queue, the timeout is ignored.

  • If the retry counter for this request is less than the configured request-retry value, authd sends the request again and increments the retry counter for that request.

  • If the retry counter for this request is greater than or equal to the configured value, authd processes the request timeout and sends the next request that is on the transmit queue to the NASREQ server.

When the configured timeout period expires, authd removes any expired outbound packets from the transmit queue and processes them as having timed out.
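The queue variables and the exchange flow above describe a small state machine. The following Python model is an added illustration of that machine, not Junos OS or authd code; the class and method names, the Hop-by-Hop identifiers, subscriber names and result codes are constructed for the walkthrough. It models both queues, the outstanding-requests limit, the request-retry counter, the matching of answers against the response queue, and expiry of packets that sat too long on the transmit queue. One point the text leaves implicit is assumed here: when an answer frees a slot, the next held request is sent from the transmit queue, just as it is after a final timeout.

```python
"""Model of the NASREQ client transmit/response queue behaviour.
Added illustration only; names and values are assumptions, not Junos OS code."""
from collections import deque
from dataclasses import dataclass, field

# Auth-Application-Id that AAR, STR and ASR messages must carry (RFC 7155).
NASREQ_AUTH_APPLICATION_ID = 1


@dataclass
class Request:
    hop_by_hop: int            # Diameter Hop-by-Hop Id used to match an answer
    command: str               # "AAR" or "STR"
    subscriber: str
    queued_at: float           # time the packet entered the transmit queue
    retries: int = 0           # how many times Diameter has been asked to re-send it
    avps: dict = field(default_factory=dict)

    def __post_init__(self):
        self.avps.setdefault("Auth-Application-Id", NASREQ_AUTH_APPLICATION_ID)


class NasreqClient:
    def __init__(self, outstanding_requests=3, request_retry=2, timeout=5):
        self.max_outstanding = outstanding_requests
        self.request_retry = request_retry
        self.timeout = timeout
        self.transmit_queue = deque()   # outbound packets not yet given to Diameter
        self.response_queue = {}        # hop_by_hop -> Request awaiting an answer
        self.sent = []                  # log of hop_by_hop ids handed to Diameter
        self.results = {}               # hop_by_hop -> (outcome, result_code)

    def _transmit(self, req):
        """Hand a request to Diameter and park it on the response queue."""
        self.sent.append(req.hop_by_hop)
        self.response_queue[req.hop_by_hop] = req

    def _drain_transmit_queue(self):
        # Assumption: whenever a slot frees up, the next held request is sent.
        while self.transmit_queue and len(self.response_queue) < self.max_outstanding:
            self._transmit(self.transmit_queue.popleft())

    def send_request(self, req):
        # Exchange step 1: send if under the outstanding limit, otherwise hold.
        if len(self.response_queue) < self.max_outstanding:
            self._transmit(req)
        else:
            self.transmit_queue.append(req)

    def receive_answer(self, hop_by_hop, result_code):
        # Exchange step 2: an answer is processed only if a matching request is in flight.
        req = self.response_queue.pop(hop_by_hop, None)
        if req is None:
            return False                # unmatched answer is ignored and dropped
        self.results[hop_by_hop] = ("answered", result_code)
        self._drain_transmit_queue()
        return True

    def diameter_timeout(self, hop_by_hop):
        # Diameter reports that a transmitted request timed out.
        req = self.response_queue.get(hop_by_hop)
        if req is None:
            return "ignored"            # not on the response queue
        if req.retries < self.request_retry:
            req.retries += 1
            self.sent.append(hop_by_hop)  # re-send the same request
            return "retried"
        del self.response_queue[hop_by_hop]
        self.results[hop_by_hop] = ("timed-out", None)
        self._drain_transmit_queue()    # send the next request from the transmit queue
        return "failed"

    def expire_transmit_queue(self, now):
        # Packets held on the transmit queue past `timeout` seconds are never sent.
        keep, expired = deque(), []
        for req in self.transmit_queue:
            if now - req.queued_at >= self.timeout:
                self.results[req.hop_by_hop] = ("expired", None)
                expired.append(req.hop_by_hop)
            else:
                keep.append(req)
        self.transmit_queue = keep
        return expired


def run_scenario():
    """Constructed walkthrough: held requests, a stray answer, retries and expiry."""
    c = NasreqClient(outstanding_requests=2, request_retry=1, timeout=5)
    for hbh in (1, 2, 3):
        c.send_request(Request(hbh, "AAR", f"sub{hbh}@example.net", queued_at=0.0))
    c.receive_answer(99, 2001)          # no matching AAR in flight: dropped
    c.diameter_timeout(1)               # first timeout: re-sent
    c.diameter_timeout(1)               # retry budget spent: failed, request 3 goes out
    c.receive_answer(2, 2001)           # DIAMETER_SUCCESS for subscriber 2
    c.send_request(Request(4, "AAR", "sub4@example.net", queued_at=0.0))
    c.send_request(Request(5, "STR", "sub5@example.net", queued_at=0.0))
    c.send_request(Request(6, "AAR", "sub6@example.net", queued_at=0.0))
    c.send_request(Request(7, "AAR", "sub7@example.net", queued_at=3.0))
    c.expire_transmit_queue(now=5.0)    # 5 and 6 expire unsent; 7 is still young
    return c


if __name__ == "__main__":
    client = run_scenario()
    print("sent:", client.sent)
    print("results:", client.results)
    print("still held:", [r.hop_by_hop for r in client.transmit_queue])
```

Running the scenario shows the two failure modes the text describes: request 1 is re-sent once and then reported as timed out, and requests 5 and 6, which never left the transmit queue within the timeout period, are removed and processed as timed out without ever reaching Diameter.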

Benefits of Using the Diameter NASREQ Protocol

  • Enables the use of an external NASREQ server to provide authentication and authorization for subscribers, rather than using a RADIUS server. Some customer models might not employ a RADIUS server, or want to stop using a RADIUS server when they move to a Diameter subscriber provisioning model.

Configuring the Diameter Network Access Server Application (NASREQ)

You configure the NASREQ client as an alternative to RADIUS for subscriber authentication and authorization when the subscribers log in.

To configure NASREQ for authentication and authorization:

  1. Specify NASREQ as a Diameter application (function) associated with a network element.
  2. Specify NASREQ as the Diameter network element forwarding function and partition.
  3. Specify NASREQ for subscriber authentication and authorization.
  4. Specify NASREQ for subscriber authorization only (no authentication).
    Note:

    When you configure both authentication-order and authorization-order, the behavior depends on the subscriber type. For DHCP subscribers, authorization-order has precedence over authentication-order. For all other subscriber types, authentication-order has precedence over authorization-order.

  5. Specify the destination identity of the NASREQ partition.
  6. Specify the maximum number of requests to send to the Diameter engine for transmission. This is also the maximum number of requests in the response queue.
  7. Specify the number of times to retry sending a request to the Diameter engine if a timeout is received from Diameter for the request.
  8. Specify the number of seconds an outbound packet remains in the transmit queue before it is declared timed out.