IPWorks AAA Server-AAA Clients Gi Interface

Contents

1 Introduction
1.1 Prerequisites
1.2 Related Information
2 Interface Overview
2.1 Interface Role
2.2 Services
2.3 Encapsulation and Addressing
3 Procedures
3.1 Authentication/Authorization
3.2 Accounting
3.3 Disconnect
3.4 Change-of-Authorization
3.5 Proxy
4 Information Model
4.1 Authentication/Authorization
4.2 Accounting Messages
4.3 Dynamic Authorization Extension Messages
5 Information Elements
5.1 3GPP Vendor Specific Sub Attributes
5.2 Access-Control-Group Sub Attributes
5.3 Radius-Supported-VSA Related Messages
5.4 Suggested-Rule-Space Sub Attributes
6 Error Handling
7 Formal Syntax
8 Related Standards
Reference List

1   Introduction

This document describes the (GGSN-to-PDN) Gi interface between the IPWorks AAA Server and the AAA Clients.

Scope

Target Groups

This document is intended for personnel who need to understand the IPWorks AAA Server as a logical entity, including its interfaces and protocols.

1.1   Prerequisites

Not Applicable

1.2   Related Information

Trademark information, typographic conventions, definition and explanation of acronyms and terminology can be found in the following documents:

2   Interface Overview

This section describes the interface between the IPWorks AAA Server and the AAA Clients, as shown in Figure 1.

Figure 1   Gi Interface Overview

2.1   Interface Role

This section describes the role of the Gi interface in the GPRS network.

2.2   Services

This section describes the services the Gi interface offers.

The services offered by the Gi interface are shown in Table 1.

Table 1    Offered Services

Offered Service

Description

Authentication, Authorization, and Accounting

  • IPWorks AAA Server uses the RADIUS protocol to realize the authentication, authorization, and accounting functionalities. These functionalities are widely used in fixed and mobile access networks and in other scenarios.

  • IPWorks AAA Server uses the RADIUS protocol to communicate with the Network Access Server (NAS). The protocol is based on the IETF and 3GPP standards (see Reference [5] to Reference [13]), and the Ericsson GGSN 2009A Gi interface is supported as well (see Reference [4]).

2.3   Encapsulation and Addressing

This section describes the lower-level protocols the Gi interface uses, as shown in Figure 2.

Figure 2   Protocol Stack

3   Procedures

This section describes the procedures used in connection with the offered and used interfaces of IPWorks.

3.1   Authentication/Authorization

The IPWorks AAA Server Authentication/Authorization interface is based on RFC 2865 and is carried over UDP/IP.

The IPWorks AAA Server listens on port 1812 by default, and it can be configured when necessary.

Figure 3 describes the authentication and authorization procedure:

Figure 3   IPWorks AAA Server Authentication and Authorization

The detailed procedure is listed as follows:

  1. The RADIUS client (NAS) creates an Access-Request and sends it to the AAA Server.

    The Access-Request includes the following attributes:

    • User Name
    • Password
    • Client Identity
    • Other Attributes
  2. The AAA Server receives the Access-Request from the NAS and replies to the NAS with an Access-Accept or an Access-Reject according to the validation result.
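The two steps above, as an added example that is not code from the specification or from IPWorks: a NAS builds the Access-Request with User-Name, User-Password, NAS-IP-Address and NAS-Identifier, hiding the password with the RFC 2865 section 5.2 construction (MD5 over the shared secret and the Request Authenticator, XORed block by block), and then checks the Response Authenticator of the reply before trusting an Access-Accept. The shared secret, user, password and NAS identity are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Constructed example values (not from the specification)
SHARED_SECRET = b"example-secret"       # assumed NAS/AAA shared secret
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2    # RADIUS packet codes, RFC 2865
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 2, 4, 32


def tlv(attr_type, value):
    """Encode one attribute as Type | Length | Value (RFC 2865 section 5)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, request_authenticator):
    """User-Password hiding (RFC 2865 section 5.2): pad to a multiple of 16 octets,
    XOR each block with MD5(secret + previous block); the first block is keyed
    by the Request Authenticator, so every request gets a different keystream."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, request_authenticator):
    """Inverse of hide_password: what the AAA Server does before a PAP check."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-zero multiple of 16 octets")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, nas_ip, nas_id, secret, authenticator=None):
    """Step 1: the NAS builds the Access-Request. The Request Authenticator must be
    fresh and unpredictable; it is only fixed here so tests are reproducible."""
    authenticator = authenticator or os.urandom(16)
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    attrs = (tlv(USER_NAME, username)
             + tlv(USER_PASSWORD, hide_password(password, secret, authenticator))
             + tlv(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + tlv(NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def build_access_accept(request, secret, attrs=b""):
    """Step 2: the AAA Server answers. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request, secret):
    """NAS-side check that the reply matches the outstanding request and was
    produced by a holder of the shared secret. Anything failing is dropped."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])   # constant-time compare
```

The Response Authenticator is the only thing binding an Access-Accept to the request that produced it, so a NAS should discard, not answer, any reply that fails the check. The password hiding is only as strong as the shared secret and MD5, which is why RFC 2865 asks for a long, unguessable secret and why a per-request random Request Authenticator matters.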

3.2   Accounting

AAA Accounting is RADIUS Accounting as specified in RFC 2866; UDP/IP is used as the transport layer protocol.

The AAA Accounting listens on port 1813 by default, and it can be configured when necessary.

Figure 4 describes the accounting procedure:

Figure 4   IPWorks AAA Server Accounting Procedure

The detailed procedure is listed as follows:

  1. The RADIUS Client (NAS) sends an Accounting-Request to the IPWorks AAA Server.
    • The NAS generates an Accounting Start packet at the beginning of the service delivery.
    • The NAS sends an Accounting Stop packet to the AAA Server at the end of the service delivery.
    • The NAS keeps sending Accounting Interim-Update packets to the AAA Server to update the accounting information during the service delivery period.
    • When the NAS starts up or shuts down, it sends an Accounting On/Off packet to the AAA Server, and the AAA Server releases the relevant resources.
  2. Upon successfully recording and processing the Accounting-Request from the NAS, the AAA Server sends an Accounting-Response (ACK) to the client; otherwise it sends no ACK.

3.3   Disconnect

The Dynamic Authorization Server (DAS) is the entity that receives CoA-Request or Disconnect-Request packets; it is a NAS or a RADIUS proxy.

The protocol used between the DAS and IPWorks AAA is based on RFC 5176 and runs over UDP/IP. The default UDP port on which the DAS listens for Disconnect-Request and CoA-Request packets is 3799, and it can be configured when necessary.

Figure 5 describes the disconnect procedure:

Figure 5   IPWorks AAA Server Disconnect Procedure

  1. IPWorks AAA Server sends a Disconnect-Request to the DAS/NAS to terminate the user sessions on a NAS.
  2. The DAS/NAS responds to the Disconnect-Request sent by the AAA Server with a Disconnect-ACK if it is able to terminate all the related sessions, or with a Disconnect-NAK if it is not.

3.4   Change-of-Authorization

The protocol for Change-of-Authorization (CoA) is the same as for Disconnect, see Section 3.3.

Figure 6 describes the Change-of-Authorization procedure:

Figure 6   IPWorks AAA Server CoA Procedure

  1. IPWorks AAA Server sends a CoA-Request to the DAS/NAS containing the information for dynamically changing the session authorization.
  2. The DAS/NAS replies to the AAA Server with a CoA-ACK if it is able to change the authorization of the related user sessions, or with a CoA-NAK if it is not.
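The receiving side of the procedures in Sections 3.2, 3.3 and 3.4, as an added example that is not code from the specification or from IPWorks. Accounting-Request (RFC 2866), Disconnect-Request and CoA-Request (RFC 5176) share one Request Authenticator rule, MD5 over the header, sixteen zero octets, the attributes and the shared secret, so a single verifier serves the AAA Server receiving accounting and the DAS receiving dynamic authorization requests. The reply is an ACK when the caller's processing hook succeeds, a NAK for Disconnect/CoA when it fails, and nothing at all for accounting that was not recorded or for any packet whose authenticator does not verify. The shared secret, session id and processing hook are constructed.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes from RFC 2866 (accounting) and RFC 5176 (dynamic authorization)
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ACK_FOR = {ACCOUNTING_REQUEST: ACCOUNTING_RESPONSE,
           DISCONNECT_REQUEST: DISCONNECT_ACK, COA_REQUEST: COA_ACK}
NAK_FOR = {DISCONNECT_REQUEST: DISCONNECT_NAK, COA_REQUEST: COA_NAK}
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44      # attribute numbers from Tables 5 and 10


def tlv(attr_type, value):
    """Type | Length | Value encoding of one attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data):
    """Split the attribute list; a bad length is an error, never an endless loop."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_request(code, identifier, attrs, secret):
    """Sender side. Request Authenticator for codes 4, 40 and 43:
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def request_authenticator_ok(packet, secret):
    """Receiver side: recompute the MD5 and compare in constant time."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_reply(code, request, secret, attrs=b""):
    """ACK/NAK/Accounting-Response: authenticator covers the request's authenticator."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs


def handle_request(packet, secret, process):
    """Returns the reply packet, or None when the request must be silently
    discarded (wrong length, unknown code, authenticator mismatch, malformed
    attributes). `process(code, attrs)` is the caller's hook and returns True
    when the record was stored or the sessions were terminated/changed."""
    if len(packet) < 20 or len(packet) != struct.unpack("!H", packet[2:4])[0]:
        return None
    code = packet[0]
    if code not in ACK_FOR or not request_authenticator_ok(packet, secret):
        return None
    try:
        attrs = parse_attributes(packet[20:])
    except ValueError:
        return None
    if process(code, attrs):
        return build_reply(ACK_FOR[code], packet, secret)
    # Accounting has no negative reply: an unprocessed record gets no ACK and the
    # NAS retransmits. Disconnect and CoA answer with a NAK instead.
    return build_reply(NAK_FOR[code], packet, secret) if code in NAK_FOR else None
```

A DAS should additionally accept Disconnect/CoA only from the configured AAA Server addresses, since the authenticator proves knowledge of the shared secret but not which peer sent the packet; a request that fails either check is a useful log line, because a stream of them is the visible symptom of a guessed secret or a misconfigured peer.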

3.5   Proxy

As a Proxy Server, IPWorks AAA Server acts as both RADIUS Server and RADIUS Client: in addition to the interface with the RADIUS Client (NAS) described above, it can forward these messages to a remote AAA Home Server.

Figure 7   IPWorks AAA Proxy Server Procedure

4   Information Model

This section describes the information model, including mandatory and optional parameters of each service operation.

The presence of an information element is defined in the P column as follows:

4.1   Authentication/Authorization

This section describes the content of messages (Access-Request, Access-Accept, Access-Reject) involved in the Authentication/Authorization procedure.

The procedure follows the basic RADIUS Message format as specified in RFC 2865. The attributes that IPWorks AAA supports in this message are specified in RFC 2865, RFC 2868, RFC 3162 and 3GPP TS 29.061 as well as in the Ericsson GGSN 2009A Gi Interface.

4.1.1   Access-Request Message

The Access-Request message is sent from RADIUS Client (NAS) to IPWorks AAA Server.

Table 2 describes the significant attributes for the Access-Request Message:

Table 2    Access-Request Message

Attr # | Element | Type | P | Description
1 | User-Name | String | M | The name of the user to be authenticated.
2 | User-Password | String | C | The user password; required if PAP is used. (1)
3 | CHAP-Password | String | C | The user password; required if CHAP is used. (1)
4 | NAS-IP-Address | Address(IPv4) | M | The IP address of the NAS for communication with the RADIUS server.
5 | NAS-Port | String | O | A configurable value for Access-Request.
32 | NAS-Identifier | String | M | The hostname of the NAS for communication with the RADIUS server.
6 | Service-Type | Integer | M | The type of service for this user.
7 | Framed-Protocol | Integer | M | The type of protocol for this user.
8 | Framed-IP-Address | Address(IPv4) | C | The IP address allocated for this user. (2)
97 | Framed-IPv6-Prefix | Address(IPv6) | C | The IPv6 address prefix allocated for this user. (3)
30 | Called-Station-Id | String | O | The phone number the user called, or the identifier of the target network.
31 | Calling-Station-Id | String | O | The phone number the call came from.
44 | Acct-Session-Id | String | O | The user session identifier.
60 | CHAP-Challenge | String | C | Mandatory if CHAP is used. (4)
61 | NAS-Port-Type | Integer | M | The type of physical port used by the NAS.
26/10415 | 3GPP Vendor-Specific | See Reference [11] | O | See Reference [11] for the sub attribute descriptions.

(1)  User Password is present when PAP is used.

(2)  IPWorks AAA considers it as a hint address when allocating an IP address.

(3)  IPWorks AAA considers it as a hint IPv6 prefix when allocating an IPv6 prefix.

(4)  Challenge is present when CHAP is used.
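Footnotes (1) and (4) as added example code that is not from the specification or from IPWorks: selecting PAP or CHAP from the attributes present, and verifying a CHAP-Password against the CHAP-Challenge attribute, or against the Request Authenticator when the challenge attribute is absent, which RFC 2865 section 5.3 permits. The stored password, CHAP identifier and challenge values are constructed.

```python
import hashlib
import hmac

USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 2, 3, 60   # attribute numbers from Table 2


def authentication_method(attrs):
    """attrs: [(type, value)] from the Access-Request. PAP carries User-Password,
    CHAP carries CHAP-Password; exactly one of the two must be present, and a
    request with neither or both is rejected (None)."""
    has_pap = any(t == USER_PASSWORD for t, _ in attrs)
    has_chap = any(t == CHAP_PASSWORD for t, _ in attrs)
    if has_pap == has_chap:
        return None
    return "pap" if has_pap else "chap"


def chap_response(chap_id, password, challenge):
    """What the peer computes (RFC 1994 via RFC 2865 section 5.3):
    CHAP-Password = Ident || MD5(Ident || password || challenge)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()


def verify_chap(attrs, request_authenticator, stored_password):
    """Server side. Uses the CHAP-Challenge attribute when present; when the NAS
    omitted it (allowed when the challenge is 16 octets) the Request
    Authenticator of the packet is the challenge. Requires the server to hold
    the password in recoverable form, which is what makes CHAP a storage risk."""
    chap_pw = next((v for t, v in attrs if t == CHAP_PASSWORD), None)
    if chap_pw is None or len(chap_pw) != 17:
        return False                       # 1 octet identifier + 16 octet MD5
    challenge = next((v for t, v in attrs if t == CHAP_CHALLENGE), request_authenticator)
    expected = chap_response(chap_pw[0], stored_password, challenge)
    return hmac.compare_digest(expected, chap_pw)   # constant-time: no partial-match leak
```

Where the user store holds only one-way hashes, CHAP cannot be verified at all, so the choice between PAP (password recoverable on the wire only with the shared secret) and CHAP (password recoverable in the database) is a choice of where the cleartext-equivalent lives.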


4.1.2   Access-Accept Message

The Access-Accept message is sent to RADIUS Client (NAS) from IPWorks AAA Server.

Table 3 describes only the significant attributes for the Access-Accept Message:

Table 3    Access-Accept Message

Attr # | Element | Type | P | Description
6 | Service-Type | Integer | O | The type of service for this user.
7 | Framed-Protocol | Integer | O | The type of protocol for this user.
8 | Framed-IP-Address | Address(IPv4) | O | The IP address allocated for this user, if the RADIUS server is used to allocate an IP address.
9 | Framed-IP-Netmask | Address(IPv4) | O | The netmask for the user IP address, if the RADIUS server is used to allocate the IP netmask.
25 | Class | String | O | The identifier to be used in all subsequent accounting messages.
27 | Session-Timeout | Integer | O | The timeout value for the session.
28 | Idle-Timeout | Integer | O | The timeout value for an idle session.
30 | Called-Station-Id | String | O | The phone number the user called, or the identifier of the target network.
88 | Framed-Pool | String | O | The name of a local pool to be used for address allocation.
97 | Framed-IPv6-Prefix | Address(IPv6) | O | May contain IPv6 address prefixes.
100 | Framed-IPv6-Pool | String | O | The name of a local pool to be used for address allocation.
26/311 | MS-Primary-DNS-Server | Address(IPv4) | O | The primary DNS server address.
26/311 | MS-Secondary-DNS-Server | Address(IPv4) | O | The secondary DNS server address.
26/311 | MS-Primary-NBNS-Server | Address(IPv4) | O | The primary NetBIOS name server address.
26/311 | MS-Secondary-NBNS-Server | Address(IPv4) | O | The secondary NetBIOS name server address.
26/10923 | Suggested-Rule-Space | See Table 15 | O | See Table 15 for the sub attribute descriptions.
26/10923 | Access-control-group | See Table 13 | O | See Table 13 for the sub attribute descriptions.
26/10415 | 3GPP Vendor-Specific | See Table 12 | O | See Table 12 for the sub attribute descriptions.

4.1.3   Access-Reject Message

The Access-Reject message is sent to RADIUS Client (NAS) from IPWorks AAA Server.

Table 4 describes the significant attributes for the Access-Reject Messages:

Table 4    Access-Reject Message

Attr # | Element | Type | P | Description
18 | Reply-Message | Text | O | Text to be displayed to the user.

4.2   Accounting Messages

This section describes the content of IPWorks AAA Accounting Messages.

The message format follows the standard RADIUS protocol as specified in Reference [6], and the attributes supported by these messages are specified in Reference [6], Reference [7], Reference [10] and Reference [13].

4.2.1   Accounting-Request (Start) Message

The Accounting-Request (Start) message is sent from RADIUS Client (NAS) to IPWorks AAA Server.

Table 5 describes the significant attributes for the Accounting-Request (Start) Message:

Table 5    Accounting-Request (Start) Message

Attr # | Element | Type | P | Description
1 | User-Name | String | C | The name of the user to be authenticated.
4 | NAS-IP-Address | Address(IPv4) | M | The NAS IP address for communication with the AAA Server.
5 | NAS-Port | String | O | A configurable value for Accounting-Requests.
32 | NAS-Identifier | String | M | The hostname of the NAS for communication with the AAA Server.
6 | Service-Type | Integer | M | The type of service for this user.
7 | Framed-Protocol | Integer | M | The type of protocol for this user.
8 | Framed-IP-Address | Address(IPv4) | C | The user IP address. (1)
97 | Framed-IPv6-Prefix | Address(IPv6) | C | The user IPv6 prefix. (1)
25 | Class | String | C | Received in the Access-Accept. (2)
30 | Called-Station-Id | String | O | The phone number the user called, or the identifier of the target network.
31 | Calling-Station-Id | String | O | The phone number the call came from.
40 | Acct-Status-Type | Integer | M | The type of accounting message; in this message the value is 1 (Start).
41 | Acct-Delay-Time | Integer | M | How long the NAS has been trying to send this record; subtracting it from the time of arrival at the AAA Server gives the approximate time, in seconds, of the event that generated this Accounting-Request.
44 | Acct-Session-Id | String | M | The user session identifier.
45 | Acct-Authentic | Integer | M | The authentication method: 1 (RADIUS) or 2 (LOCAL).
46 | Acct-Session-Time | Integer | O | The number of seconds the user has received service.
61 | NAS-Port-Type | Integer | M | The type of physical port used by the NAS.
26/10415 | 3GPP Vendor-Specific | See Table 12 | O | See Table 12 for the sub attribute descriptions.

(1)  Either IPv4 address or IPv6 prefix is present.

(2)  The presence of this attribute is conditional upon it being received in the Access-Accept message.


4.2.2   Accounting-Request (Stop) Message

The Accounting-Request (Stop) message is sent from RADIUS Client (NAS) to IPWorks AAA Server.

Table 6 describes the significant attributes for the Accounting-Request (Stop) Message:

Table 6    Accounting-Request (Stop) Message

Attr # | Element | Type | P | Description
1 | User-Name | String | C | The name of the user to be authenticated.
4 | NAS-IP-Address | Address(IPv4) | M | The NAS IP address for communication with the AAA Server.
5 | NAS-Port | String | O | A configurable value for Accounting-Requests.
32 | NAS-Identifier | String | M | The hostname of the NAS for communication with the AAA Server.
6 | Service-Type | Integer | M | The type of service for this user.
7 | Framed-Protocol | Integer | M | The type of protocol for this user.
8 | Framed-IP-Address | Address(IPv4) | C | The user IP address. (1)
97 | Framed-IPv6-Prefix | Address(IPv6) | C | The user IPv6 prefix. (1)
25 | Class | String | C | Received in the Access-Accept. (2)
30 | Called-Station-Id | String | O | The phone number the user called, or the identifier of the target network.
31 | Calling-Station-Id | String | O | The phone number the call came from.
40 | Acct-Status-Type | Integer | M | The type of accounting message; in this message the value is 2 (Stop).
41 | Acct-Delay-Time | Integer | M | How long the NAS has been trying to send this record; subtracting it from the time of arrival at the AAA Server gives the approximate time, in seconds, of the event that generated this Accounting-Request.
42 | Acct-Input-Octets | Integer | O | How many octets have been received over the course of this service being provided.
43 | Acct-Output-Octets | Integer | O | How many octets have been sent in the course of delivering this service.
44 | Acct-Session-Id | String | M | The user session identifier.
45 | Acct-Authentic | Integer | M | The authentication method: 1 (RADIUS) or 2 (LOCAL).
46 | Acct-Session-Time | Integer | O | The number of seconds the user has received service.
47 | Acct-Input-Packets | Integer | O | How many packets have been received over the course of this service being provided to a user.
48 | Acct-Output-Packets | Integer | O | How many packets have been sent in the course of delivering this service to a user.
49 | Acct-Terminate-Cause | Integer | M | How the session was terminated.
61 | NAS-Port-Type | Integer | M | The type of physical port used by the NAS.
26/10415 | 3GPP Vendor-Specific | See Table 12 | O | See Table 12 for the sub attribute descriptions.



(1)  Either IPv4 address or IPv6 prefix is present.

(2)  The presence of this attribute is conditional upon it being received in the Access-Accept message.


4.2.3   Accounting-Request (On) Message

The Accounting-Request (On) message is sent from RADIUS Client (NAS) to IPWorks AAA Server.

Table 7 describes the significant attributes for the Accounting-Request (On) Message:

Table 7    Accounting-Request (On) Message

Attr # | Element | Type | P | Description
4 | NAS-IP-Address | Address(IPv4) | M | The NAS IP address for communication with the AAA Server.
30 | Called-Station-Id | String | C | The phone number the user called, or the identifier of the target network.
32 | NAS-Identifier | String | M | The hostname of the NAS for communication with the AAA Server.
40 | Acct-Status-Type | Integer | M | The type of accounting message; in this message the value is 7 (Accounting-On).
44 | Acct-Session-Id | String | M | The user session identifier.

4.2.4   Accounting-Request (Off) Message

The Accounting-Request (Off) message is sent from RADIUS Client (NAS) to IPWorks AAA Server.

Table 8 describes the significant attributes for the Accounting-Request (Off) Message:

Table 8    Accounting-Request (Off) Message

Attr # | Element | Type | P | Description
4 | NAS-IP-Address | Address(IPv4) | M | The NAS IP address for communication with the AAA Server.
30 | Called-Station-Id | String | C | The phone number the user called, or the identifier of the target network.
32 | NAS-Identifier | String | M | The hostname of the NAS for communication with the AAA Server.
40 | Acct-Status-Type | Integer | M | The type of accounting message; in this message the value is 8 (Accounting-Off).
44 | Acct-Session-Id | String | M | The user session identifier.

4.2.5   Accounting-Request (Interim-Update) Message

The Accounting-Request (Interim-Update) message is sent from RADIUS Client (NAS) to IPWorks AAA Server.

Table 9 describes the significant attributes for the Accounting-Request (Interim-Update) Message:

Table 9    Accounting-Request (Interim-Update) Message

Attr # | Element | Type | P | Description
1 | User-Name | String | C | The name of the user to be authenticated.
4 | NAS-IP-Address | Address(IPv4) | M | The NAS IP address for communication with the AAA Server.
5 | NAS-Port | String | O | A configurable value for Accounting-Requests.
32 | NAS-Identifier | String | M | The hostname of the NAS for communication with the AAA Server.
6 | Service-Type | Integer | M | The type of service for this user.
7 | Framed-Protocol | Integer | M | The type of protocol for this user.
8 | Framed-IP-Address | Address(IPv4) | C | The user IP address.
97 | Framed-IPv6-Prefix | Address(IPv6) | C | The user IPv6 prefix.
25 | Class | String | C | Received in the Access-Accept.
30 | Called-Station-Id | String | O | The phone number the user called, or the identifier of the target network.
31 | Calling-Station-Id | String | O | The phone number the call came from.
40 | Acct-Status-Type | Integer | M | The type of accounting message; in this message the value is 3 (Interim-Update).
41 | Acct-Delay-Time | Integer | M | How long the NAS has been trying to send this record; subtracting it from the time of arrival at the AAA Server gives the approximate time, in seconds, of the event that generated this Accounting-Request.
42 | Acct-Input-Octets | Integer | O | How many octets have been received over the course of this service being provided.
43 | Acct-Output-Octets | Integer | O | How many octets have been sent in the course of delivering this service.
44 | Acct-Session-Id | String | M | The user session identifier.
45 | Acct-Authentic | Integer | M | The authentication method: 1 (RADIUS) or 2 (LOCAL).
46 | Acct-Session-Time | Integer | O | The number of seconds the user has received service.
47 | Acct-Input-Packets | Integer | O | How many packets have been received over the course of this service being provided to a user.
48 | Acct-Output-Packets | Integer | O | How many packets have been sent in the course of delivering this service to a user.
61 | NAS-Port-Type | Integer | M | The type of physical port used by the NAS.
26/10415 | 3GPP Vendor-Specific | See Table 12 | O | See Table 12 for the sub attribute descriptions.

4.2.6   Accounting-Response Message

The Accounting-Response message is sent to RADIUS Client (NAS) from the IPWorks AAA Server.

Accounting-Response Message is not required to have any attributes in it.

4.3   Dynamic Authorization Extension Messages

This section describes the messages used for the dynamic authorization extension to RADIUS, which is defined in Reference [12].

4.3.1   Disconnect-Request Message

The Disconnect-Request message is sent to Dynamic Authorization Server (that is, NAS) from IPWorks AAA Server.

The attributes IPWorks AAA supports in this message are specified in RFC 2865, RFC 3162, RFC 5176, and 3GPP TS 29.061.

Table 10 describes the significant attributes for the Disconnect-Request Message:

Table 10    Disconnect-Request Message

Attr # | Element | Type | P | Description
8 | Framed-IP-Address | Address(IPv4) | C | The user IP address. (1)
97 | Framed-IPv6-Prefix | String | C | The user IPv6 prefix. (1)
44 | Acct-Session-Id | String | M | The user session identifier.
26/10415 | 3GPP Vendor-Specific | See Table 12 | O | See Table 12 for the sub attribute descriptions.

(1)  Either an IPv4 or an IPv6 address or prefix is present. If no such address is available to the RADIUS-server, the value 0.0.0.0 is used.


4.3.2   Disconnect-ACK/NAK

The Disconnect-ACK/NAK message is sent from Dynamic Authorization Server (that is, NAS) to IPWorks AAA Server.

As there is no specific requirement for these messages, their content follows the message content and format specified in RFC 5176.

4.3.3   Change-Of-Authorization (CoA) Request

The Change-Of-Authorization (CoA) Request message is sent to the Dynamic Authorization Server (that is, the NAS) by IPWorks AAA Server.

The attributes IPWorks AAA supports in this message are specified in RFC 5176 and the Ericsson GGSN 2009A Gi interface.

Table 11 describes the significant attributes for CoA Request:

Table 11    Change-Of-Authorization Message

Attr # | Element | Type | P | Description
44 | Acct-Session-Id | String | M | The user session identifier.
26/10923 | Access-control-group | String | M | Sub attributes according to Table 13.

5   Information Elements

5.1   3GPP Vendor Specific Sub Attributes

Table 12 describes the sub attributes of the 3GPP Vendor-Specific attribute of the Access-Request, Accounting-Request (Start), Accounting-Request (Stop), Accounting-Request (Interim-Update), and Disconnect Request messages.

The definition of these attributes can be found in 3GPP TS 29.061.

Table 12    3GPP Vendor Specific Sub Attributes

Sub Attr # | Sub Attribute Name | Description | Presence | Associated Attribute (Location of Sub Attr)
1 | 3GPP-IMSI | IMSI for this user | Optional-Configurable | Access-Request, Accounting-Request (Start), Accounting-Request (Stop), Accounting-Request (Interim-Update)
2 | 3GPP-Charging-Id | The charging ID for this PDP context (together with the GGSN address it constitutes a unique identifier for the PDP context) | Optional-Configurable | Accounting-Request (Start), Accounting-Request (Stop), Accounting-Request (Interim-Update)
3 | 3GPP-PDP-Type | Type of PDP context, such as IP or PPP | Optional-Configurable | Access-Request, Accounting-Request (Start), Accounting-Request (Stop), Accounting-Request (Interim-Update)
4 | 3GPP-CG-Address | Charging Gateway IP address | Optional-Configurable | Access-Request, Accounting-Request (Start), Accounting-Request (Stop), Accounting-Request (Interim-Update)
5 | 3GPP-GPRS-QoS-Negotiated-Profile | QoS profile applied by the GGSN | Optional-Configurable | Access-Request, Accounting-Request (Start), Accounting-Request (Stop), Accounting-Request (Interim-Update)
6 | 3GPP-SGSN-Address | The SGSN IP address used by the GTP control plane for the handling of control messages. It is used to identify the PLMN to which the user is attached. | Optional-Configurable | Access-Request, Accounting-Request (Start), Accounting-Request (Stop), Accounting-Request (Interim-Update)
7 | 3GPP-GGSN-Address | The GGSN IP address used by the GTP control plane for the context establishment. It is the same as the GGSN IP address used in the G-CDRs. | Optional-Configurable | Access-Request, Accounting-Request (Start), Accounting-Request (Stop), Accounting-Request (Interim-Update)
8 | 3GPP-IMSI-MCC-MNC | The MCC and MNC extracted from the IMSI of the user (the first five or six digits, as applicable, of the presented IMSI) | Optional-Configurable | Access-Request, Accounting-Request (Start), Accounting-Request (Stop), Accounting-Request (Interim-Update)
9 | 3GPP-GGSN-MCC-MNC | The MCC-MNC of the network to which the GGSN belongs | Optional-Configurable | Access-Request, Accounting-Request (Start), Accounting-Request (Interim-Update)
10 | 3GPP-NSAPI | Identifies a particular PDP context for the associated PDN and MSISDN or IMSI from creation to deletion | Optional-Configurable | Access-Request, Accounting-Request (Start), Accounting-Request (Stop), Accounting-Request (Interim-Update)
11 | 3GPP-Session-Stop-Indicator | Indicates to the RADIUS server that the last PDP context of a session is released and that the PDP session has been terminated | Optional-Configurable | Accounting-Request (Stop)
12 | 3GPP-Selection-Mode | Contains the selection mode for this PDP context received in the Create PDP Context Request message | Optional-Configurable | Access-Request, Accounting-Request (Start), Accounting-Request (Stop), Accounting-Request (Interim-Update)
13 | 3GPP-Charging-Characteristics | Contains the charging characteristics for this PDP context. This is either received from the SGSN in the Create PDP Context Request message (only available in R99 and later releases) or from the RADIUS server in the Access-Accept message. | Optional-Configurable | Access-Accept, Access-Request, Accounting-Request (Start), Accounting-Request (Stop), Accounting-Request (Interim-Update)
17 | 3GPP-IPv6-DNS-Servers | A list of IPv6 addresses of DNS servers | Optional | Access-Accept
18 | 3GPP-SGSN-MCC-MNC | Specifies the Mobile Country Code (MCC) and Mobile Network Code (MNC), that is, the PLMN ID, of the SGSN. PLMN ID information is taken in the following prioritized order: (a) a PLMN ID received from the SGSN; (b) a PLMN ID configured for the SGSN; (c) a PLMN ID provided by a RADIUS server; (d) a PLMN ID provided by a RADIUS server with RADIUS Assisted Selection of APN (RAAS). If no PLMN ID information is available, this AVP is omitted. | Optional-Configurable | Access-Request, Access-Accept, Accounting-Request (Start), Accounting-Request (Stop), Accounting-Request (Interim-Update)
19 | 3GPP-Teardown-Indicator | Indicates to the GGSN that all PDP contexts for this particular user and sharing user sessions need to be deleted. | Optional | Disconnect Request
20 | 3GPP-IMEISV | International Mobile Equipment Identity and its Software Version | Optional-Configurable | Access-Request, Accounting-Request (Start)
21 | 3GPP-RAT-Type | Indicates which radio access technology is serving the UE. If a RAT type is received from the SGSN, this value is used; otherwise the RAT type is taken from a preconfigured table in the GGSN. If no RAT type information is available, this AVP is omitted. | Optional-Configurable | Access-Request, Accounting-Request (Start), Accounting-Request (Stop), Accounting-Request (Interim-Update)
22 | 3GPP-User-Location-Info | Indicates where the UE is located (for example, SAI or CGI) | Optional-Configurable | Access-Request, Accounting-Request (Start), Accounting-Request (Stop), Accounting-Request (Interim-Update)
23 | 3GPP-MS-TimeZone | Indicates the offset between universal time and local time, in steps of 15 minutes, where the MS currently resides. | Optional-Configurable | Access-Request, Accounting-Request (Start), Accounting-Request (Stop), Accounting-Request (Interim-Update)
25 | 3GPP-Packet-Filter | Exactly one packet filter used for this PDP context. If more than one filter is to be sent, one VSA per filter must be used. | Optional-Configurable | Accounting-Request (Start), Accounting-Request (Stop), Accounting-Request (Interim-Update)
26 | 3GPP-Negotiated-DSCP | DSCP used to mark the IP packets of this PDP context on the Gi interface | Optional-Configurable | Accounting-Request (Start), Accounting-Request (Stop), Accounting-Request (Interim-Update)

5.2   Access-Control-Group Sub Attributes

Table 13 describes the sub attributes of the Access-control-group attribute in the Access-Accept and Change-of-Authorization messages.

Table 13    Access-Control-Group Subattributes

Sub Attr # | Subattribute Name | Description | Presence | Content | Associated Attribute (Location of Subattr)
33 | Access-control-group-id | Gx Access-control-group ID (4 octets) | Mandatory | OctetString(4) | Access-Accept, Change-of-Authorization
34 | Authorization-code | Ericsson proprietary Gx+ cause code. | Optional | OctetString(4) | Access-Accept, Change-of-Authorization

5.3   Radius-Supported-VSA Related Messages

This section describes the messages carrying the Vendor Specific Attributes (VSAs) that the IPWorks AAA RADIUS Server supports when communicating with an Ericsson network gateway using Redback (RB) VSAs and Broadband Forum (BBF) VSAs.

Note:  
The RB Vendor-Id is 2352 and the BBF Vendor-Id is 3561. More BBF-related information can be found in RFC 4679.
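Table 12 and the Vendor-Ids in the note above, as an added example rather than code from the specification or from IPWorks: an encoder and decoder for the RFC 2865 Vendor-Specific attribute (type 26) that handles several sub-attributes packed in one VSA and rejects malformed sub-attribute lengths, labels 3GPP sub-attributes by their Table 12 numbers, and derives 3GPP-IMSI-MCC-MNC from an IMSI. The RB and BBF sub-attribute numbers are not listed on this page, so those are labelled by vendor only; the MNC length and all sample values are constructed.

```python
import struct

VENDOR_SPECIFIC = 26                                          # RFC 2865 attribute type
VENDOR_3GPP, VENDOR_REDBACK, VENDOR_BBF = 10415, 2352, 3561   # Table 2 and the Note in 5.3
# Sub-attribute numbers from Table 12 used to label decoded 3GPP sub-attributes
THREEGPP_SUB_NAMES = {1: "3GPP-IMSI", 3: "3GPP-PDP-Type", 8: "3GPP-IMSI-MCC-MNC",
                      18: "3GPP-SGSN-MCC-MNC", 21: "3GPP-RAT-Type"}


def encode_vsa(vendor_id, sub_attrs):
    """One Vendor-Specific attribute carrying one or more sub-attributes:
    26 | Length | Vendor-Id (4) | (Vendor-Type | Vendor-Length | Value)...
    (RFC 2865 section 5.26 layout)."""
    body = struct.pack("!I", vendor_id)
    for sub_type, value in sub_attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("sub-attribute value must be 1..253 octets")
        body += struct.pack("!BB", sub_type, len(value) + 2) + value
    if len(body) + 2 > 255:
        raise ValueError("VSA does not fit in one attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def decode_vsas(attrs):
    """attrs: [(type, value)] already split from a packet. Returns
    [(vendor_id, sub_type, value)] for every Vendor-Specific attribute.
    A bad sub-attribute length raises rather than being skipped silently."""
    out = []
    for atype, value in attrs:
        if atype != VENDOR_SPECIFIC:
            continue
        if len(value) < 6:
            raise ValueError("VSA shorter than Vendor-Id plus one sub-attribute header")
        vendor_id = struct.unpack("!I", value[:4])[0]
        pos = 4
        while pos < len(value):
            if pos + 2 > len(value):
                raise ValueError("truncated sub-attribute header")
            sub_type, sub_len = value[pos], value[pos + 1]
            if sub_len < 2 or pos + sub_len > len(value):
                raise ValueError("bad sub-attribute length")
            out.append((vendor_id, sub_type, value[pos + 2:pos + sub_len]))
            pos += sub_len
    return out


def label(vendor_id, sub_type):
    """Readable name for a decoded sub-attribute. RB and BBF sub-types are not
    enumerated on this page, so only the vendor is named for them."""
    if vendor_id == VENDOR_3GPP:
        return THREEGPP_SUB_NAMES.get(sub_type, f"3GPP-sub-{sub_type}")
    vendor = {VENDOR_REDBACK: "RB", VENDOR_BBF: "BBF"}.get(vendor_id, f"vendor-{vendor_id}")
    return f"{vendor}-sub-{sub_type}"


def imsi_mcc_mnc(imsi, mnc_digits):
    """3GPP-IMSI-MCC-MNC (Table 12, sub-attribute 8): the first five or six IMSI
    digits. The MNC length (2 or 3) is not encoded in the IMSI itself, so it is
    an assumed configuration input here."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6..15 digits")
    if mnc_digits not in (2, 3):
        raise ValueError("MNC length must be 2 or 3 digits")
    return imsi[:3 + mnc_digits]
```

Because the sub-attribute lengths are attacker-controlled input from the network, a decoder that trusts them is the usual place for an over-read; the checks above are what a fuzzing run against a RADIUS parser would exercise first.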

5.3.1   Access-Request Radius Message

5.3.1.1   PPP Circuit Type

The format of the Point-to-Point Protocol (PPP) Access-Request packet is listed as follows:

Access-Request ::= <RADIUS Header>
                { User-Name }
                { User-Password | CHAP-Password }
                [ Called-Station-Id ]
                [ Calling-Station-Id ]
                { Framed-Protocol }
                { NAS-Identifier }
                { NAS-IP-Address}
                { NAS-Port }
                { NAS-Port-Id }
                { NAS-Port-Type }
                { RB-Medium-Type }
                { RB-MAC-Address }
                { RB-NAS-Real-Port }
                { RB-OS-Version }
                { RB-Platform-Type }
                { Service-Type }
                [ State ]
                *[AVP]

Note:  
PPP Access-Request packets are used by the following access methods:
  • PPP over Ethernet (PPPoE)

5.3.1.2   DHCP Circuit Type

The format of the Dynamic Host Configuration Protocol (DHCP) Access-Request packet is listed as follows:

Access-Request ::= <RADIUS Header>
                 { User-Name }
                 [ Called-Station-Id ]
                 [ Calling-Station-Id ]
                 { Framed-Protocol }
                 { NAS-Identifier }
                 { NAS-IP-Address}
                 { NAS-Port }
                 { NAS-Port-Id }
                 { NAS-Port-Type }
                 { RB-Agent-Circuit-Id }
                 { RB-Agent-Remote-Id }
                 { RB-Medium-Type }
                 { RB-MAC-Address }
                 { RB-NAS-Real-Port }
                 { RB-OS-Version }
                 { RB-Platform-Type }
                 { Service-Type }
                 [ State ]
                 *[AVP]

Note:  
DHCP Access-Request packets are used by the following access methods:
  • IP over Ethernet (IPoE)
  • WiFi
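The PPP and DHCP templates above, as an added example that is not code from the specification or from IPWorks: the templates are written out as data and a checker reports every attribute group that violates them. It assumes the conventional reading of the notation, which this page does not spell out: { X } means exactly one, [ X ] at most one, A | B exactly one of the alternatives, and *[AVP] any further attributes. The sample attribute lists are constructed.

```python
from collections import Counter

# Templates from 5.3.1.1 and 5.3.1.2 as data. Assumed reading of the notation:
# "required" = { X } (exactly one), "optional" = [ X ] (at most one); several
# names in one entry are alternatives (exactly one of them); *[AVP] = any other
# attribute is allowed and is not checked.
PPP_ACCESS_REQUEST = [
    ("required", ["User-Name"]),
    ("required", ["User-Password", "CHAP-Password"]),
    ("optional", ["Called-Station-Id"]),
    ("optional", ["Calling-Station-Id"]),
    ("required", ["Framed-Protocol"]),
    ("required", ["NAS-Identifier"]),
    ("required", ["NAS-IP-Address"]),
    ("required", ["NAS-Port"]),
    ("required", ["NAS-Port-Id"]),
    ("required", ["NAS-Port-Type"]),
    ("required", ["RB-Medium-Type"]),
    ("required", ["RB-MAC-Address"]),
    ("required", ["RB-NAS-Real-Port"]),
    ("required", ["RB-OS-Version"]),
    ("required", ["RB-Platform-Type"]),
    ("required", ["Service-Type"]),
    ("optional", ["State"]),
]

# DHCP circuit: same as PPP without the password entry, plus two required
# RB-Agent attributes.
DHCP_ACCESS_REQUEST = (
    [e for e in PPP_ACCESS_REQUEST if e[1] != ["User-Password", "CHAP-Password"]]
    + [("required", ["RB-Agent-Circuit-Id"]), ("required", ["RB-Agent-Remote-Id"])]
)


def check_template(template, present):
    """present: attribute names as they occur in the packet (repeats count).
    Returns the list of violations; an empty list means the packet conforms."""
    counts = Counter(present)
    problems = []
    for kind, alternatives in template:
        n = sum(counts[a] for a in alternatives)
        names = " | ".join(alternatives)
        if kind == "required" and n != 1:
            problems.append(f"exactly one of {{ {names} }} required, found {n}")
        elif kind == "optional" and n > 1:
            problems.append(f"at most one of [ {names} ] allowed, found {n}")
    return problems
```

Running the check before authentication is a cheap way to reject requests that carry both a User-Password and a CHAP-Password, or that claim a DHCP circuit without the RB-Agent identifiers, instead of letting a later stage pick whichever attribute it happens to read first.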

5.3.1.3   EAP Authentication

The format of the Extensible Authentication Protocol (EAP) Access-Request packet is listed as follows:

Access-Request ::= <RADIUS Header>
                { User-Name }
                [ Called-Station-Id ]
                [ Calling-Station-Id ]
                { Framed-Protocol }
                { NAS-Identifier }
                { NAS-IP-Address}
                { NAS-Port }
                { NAS-Port-Id }
                { NAS-Port-Type }
                { Service-Type }
                { EAP-Message }
                { Message-Authenticator }
                [ Chargeable-User-Identity ]
                [ State ]
                { RB-Medium-Type }
                { RB-MAC-Address }
                { RB-NAS-Real-Port }
                { RB-OS-Version }
                { RB-Platform-Type }
                *[AVP]

Where:

5.3.2   Access-Accept Radius Message

Any RADIUS attribute returned by an external AAA RADIUS server which is not listed in the subsections must be configured within a default profile so that the SAPC can generate the correct CoA-Request for the user session.

5.3.2.1   PPP Circuit Type

The format of PPP Access-Accept packet is listed as follows:

Access-Accept ::= <RADIUS Header>
                [ Class ]
                { Framed-IP-Address | Framed-IPv6-Prefix}
                [ Framed-IP-Netmask ]
                * [ Framed-Route | Framed-IPv6-Route]
                [ Port-Limit ]
                { RB-Context-Name }
                *[AVP]

5.3.2.2   DHCP Circuit Type

The format of DHCP Access-Accept packet is listed as follows:

Access-Accept ::= <RADIUS Header>
                [ Framed-IP-Address]
                [ Framed-IPv6-Prefix]
                [ Framed-IP-Netmask ]
                * [ Framed-Route ]
                [ Port-Limit ]
                [ Filter-Id ]
                [ Idle-Timeout ]
                { RB-Context-Name }
                [ RB-ATM-Profile-Name ]
                [ RB-Deactivate-Service-Name ]
                *[ RB-Dynamic-Qos-Param ]
                [ RB-Forward-Policy ]
                [ RB-HTTP-Redirect-Profile-Name | RB-HTTP-Redirect
                [ RB-IGMP-Service-Profile-Name ]
                [ RB-Mcast-MaxGroups ]
                [ RB-Mcast-Receive ]
                [ RB-Mcast-Send ]
                [ RB-NAT-Profile-Name ]
                [ RB-Qos-Metering-Profile-Name ]
                [ RB-Qos-Policing-Profile-Name ]
                [ RB-Qos-Queuing-Profile-Name ]
                [ RB-Qos-Rate-Inbound ]
                [ RB-Qos-Rate-Outbound ]
                [ RB-Service-Name ]
                [ RB-Service-Options ]
                [ RB-Service-Parameter ]
                { RB-Context-Name }
                { RB-DHCP-Max-Leases}
                [ Session-Timeout ]
                *[AVP]

5.3.2.3   EAP Authentication

The format of EAP Access-Accept packet is listed as follows:

Access-Accept ::= <RADIUS Header>
                [ EAP-Message ]
                [ Message-Authenticator ]
                [ Framed-IP-Netmask ]
                * [ Framed-Route ]
                [ Port-Limit ]
                [ Chargeable-User-Identity ]
                * [ Vendor-Specific ]
                [ State ]
                *[AVP]

Where:

Chargeable-User-Identity is sent from AAA server to the SAPC, and proxied back from the SAPC to Ericsson BNG and it contains the user's MSISDN.
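An added check, not part of the interface specification or the IPWorks product, that reads a packet format exactly as printed in Sections 5.3.1 and 5.3.2 and reports which required attributes a received attribute list lacks, or which exclusive alternatives (for example User-Password and CHAP-Password) it carries together. The bracket semantics ({ } exactly one, [ ] at most one, * zero or more, *[AVP] any further attribute) are my reading of the notation and are not stated on this page.

```python
"""Check a RADIUS attribute list against the packet formats of Sections 5.3.1
and 5.3.2.  Bracket conventions are assumed (the usual ABNF-style reading):
  { X }        exactly one X is required
  { A | B }    exactly one of A or B is required
  [ X ]        X is optional, at most one
  *[ X ]       zero or more X
  *[AVP]       any further attribute is tolerated
"""
import re
from collections import Counter

# Format text copied from Section 5.3.1.1 (PPP circuit type).
PPP_ACCESS_REQUEST = """
Access-Request ::= <RADIUS Header>
                { User-Name }
                { User-Password | CHAP-Password }
                [ Called-Station-Id ]
                [ Calling-Station-Id ]
                { Framed-Protocol }
                { NAS-Identifier }
                { NAS-IP-Address }
                { NAS-Port }
                { NAS-Port-Id }
                { NAS-Port-Type }
                { RB-Medium-Type }
                { RB-MAC-Address }
                { RB-NAS-Real-Port }
                { RB-OS-Version }
                { RB-Platform-Type }
                { Service-Type }
                [ State ]
                *[AVP]
"""

# One rule line: optional '*', an opening bracket, the body, a closing bracket.
RULE_RE = re.compile(r"^(\*?)\s*([{\[])\s*(.+?)\s*[}\]]$")


def parse_format(text):
    """Turn a packet format into rules of (alternatives, min_count, max_count).

    max_count None means unbounded; alternatives ('AVP',) is the wildcard.
    """
    rules = []
    for raw in text.strip().splitlines()[1:]:  # first line is '... ::= <RADIUS Header>'
        m = RULE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"cannot parse format line: {raw!r}")
        star, bracket, body = m.groups()
        alts = tuple(a.strip() for a in body.split("|"))
        if alts == ("AVP",) or star:
            rules.append((alts, 0, None))
        elif bracket == "{":
            rules.append((alts, 1, 1))
        else:
            rules.append((alts, 0, 1))
    return rules


def validate(attribute_names, rules):
    """Return the list of violations; an empty list means the packet fits the format."""
    counts = Counter(attribute_names)
    problems, covered, wildcard = [], set(), False
    for alts, lo, hi in rules:
        if alts == ("AVP",):
            wildcard = True
            continue
        covered.update(alts)
        n = sum(counts[a] for a in alts)
        label = " | ".join(alts)
        if n < lo:
            problems.append(f"missing required attribute: {label}")
        elif hi is not None and n > hi:
            problems.append(f"{label}: {n} occurrences, at most {hi} allowed")
    if not wildcard:
        problems.extend(f"unexpected attribute: {a}" for a in counts if a not in covered)
    return problems


PPP_RULES = parse_format(PPP_ACCESS_REQUEST)

# Constructed sample: the attribute names a PPPoE Access-Request might carry.
SAMPLE_PPPOE_REQUEST = [
    "User-Name", "CHAP-Password", "Framed-Protocol", "NAS-Identifier",
    "NAS-IP-Address", "NAS-Port", "NAS-Port-Id", "NAS-Port-Type",
    "RB-Medium-Type", "RB-MAC-Address", "RB-NAS-Real-Port", "RB-OS-Version",
    "RB-Platform-Type", "Service-Type", "Calling-Station-Id",
]

if __name__ == "__main__":
    print(validate(SAMPLE_PPPOE_REQUEST, PPP_RULES))                      # []
    print(validate(SAMPLE_PPPOE_REQUEST + ["User-Password"], PPP_RULES))  # both password forms
    print(validate([a for a in SAMPLE_PPPOE_REQUEST if a != "User-Name"], PPP_RULES))
```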

5.3.3   Accounting-Request Radius Message

The format of Accounting-Request packet is listed as follows:

Accounting-Request ::= <RADIUS Header>
                     <Standard Accounting Attributes>
                     [ RB-Acct-Input-Octets-64 ]
                     [ RB-Acct-Output-Octets-64 ]
                     [ RB-Acct-Reason ]
                     [ RB-Agent-Circuit-Id ]
                     [ RB-Agent-Remote-Id ]
                     [ RB-Assigned-IP-Address ]
                     [ RB-ATM-Profile-Name ]
                     { RB-Context-Name }
                     * [ RB-Dynamic-Qos-Param ]
                     [ RB-Forward-Policy ]
                     [ RB-HTTP-Redirect-Profile-Name |
                      RB-HTTP-Redirect-URL ]
                     [ RB-IGMP-Service-Profile-Name ]
                     * [ RB-IPv6-DNS ]
                     * [ RB-IPv6-Profile ]
                     { RB-MAC-Address }
                     [ RB-Mcast-MaxGroups ]
                     [ RB-Mcast-Receive ]
                     [ RB-Mcast-Send ]
                     [ RB-Medium-Type ]
                     { RB-NAS-Real-Port }
                     [ RB-NAT-Profile-Name ]
                     { RB-OS-Version }
                     { RB-Platform-Type }
                     [ RB-Qos-Metering-Profile-Name ]
                     [ RB-Qos-Policing-Profile-Name ]
                     [ RB-Qos-Queuing-Profile-Name ]
                     [ RB-Qos-Rate-Inbound ]
                     [ RB-Qos-Rate-Outbound ]
                     [ RB-Service-Name ]
                     [ RB-Service-Options ]
                     [ RB-Service-Parameter ]
                     *[ RB-Session-Traffic-Limit ]
                     [ RB-vCPE-Device-Policy ]
                     [ RB-vCPE-Id ]
                     [ RB-vCPE-MAC-IP-Pairs ]
                     [ RB-vCPE-Profile ]
                     [ RB-vCPE-Transport-Policy ]
                     *[AVP]

5.3.4   Radius Supported RB and BBF Attributes

Table 14 shows the Radius supported RB and BBF attributes:

Table 14    Radius Supported RB and BBF Attributes

#

VSA Name

Sent in Access-Request

Sent in Acct-Request

Received in Access-Response

Description

1

Client-DNS-Pri

No

Yes

Yes

IP address of the primary DNS server for this subscriber’s connection.

2

Client-DNS-Sec

No

Yes

Yes

IP address of the secondary DNS server for this subscriber’s connection.

3

DHCP-Max-Leases

No

Yes

Yes

Integer. The maximum number of DHCP addresses this subscriber can allocate to hosts. The value range is from 1 to 255.

4

Context-Name

No

Yes

Yes

It binds the subscriber session to specified context, overriding the structured username. This information is only interpreted when global AAA is enabled.

5

Bridge-Group

No

No

Yes

String. Bridge group name. It attaches a subscriber to the named bridge group.

6

BG-Aging-Time

No

No

Yes

String. bg-name:val; It configures the bridge aging time for the subscriber attached to the named bridge group.

7

BG-Path-Cost

No

No

Yes

String. bg-name:val; It configures the bridge path cost for the subscriber attached to the named bridge group.

8

BG-Span-Dis

No

No

Yes

String. bg-name:val; It disables spanning tree for a subscriber attached to the named bridge group. The val argument can be either of the following values:
1=TRUE
0=FALSE

9

BG-Trans-BPDU

No

No

Yes

String. bg-name:val; It sends transparent spanning tree bridge protocol data units (BPDUs) for a subscriber attached to the named bridge group. The val argument can be either of the following values:
1=TRUE
0=FALSE

14

Source-Validation

No

Yes

Yes

Integer. It enables the source validation for a subscriber according to one of the following values:
1=TRUE
0=FALSE

15

Tunnel-Domain

No

No

Yes

Integer. It binds the subscriber to a tunnel based on the domain name portion of the username according to one of the following values:
1=TRUE
0=FALSE

16

Tunnel-Local-Name

No

No

Yes

String. It defines the local hostname provided to the remote peer during the tunnel setup.

17

Tunnel-Remote-Name

No

No

Yes

String. It defines an alias for the remote peer name.

18

Tunnel-Function

No

Yes

Yes

Integer. It determines this tunnel configuration as a LAC-only endpoint or an LNS endpoint according to one of the following values:
1=LAC only
2=LNS only

19

Tunnel_Flow_Control

Yes

Yes

No

Integer. It specifies using the data message sequencing for the L2TP peer (LAC or LNS) in the L2TP data channel.

20

Tunnel_Static

Yes

Yes

No

Integer. It specifies the static routes configured for a given tunnel.

21

Tunnel-Max-Sessions

No

Yes

Yes

Integer. It limits the number of sessions per tunnel using this tunnel configuration.

22

Tunnel-Max-Tunnels

No

Yes

Yes

Integer. It limits the number of tunnels that can be initiated using this tunnel configuration.

23

Tunnel-Session-Auth

No

No

Yes

Integer. It specifies the authentication method to use during PPP authentication, according to one of the following values:
1=CHAP
2=PAP
3=CHAP-PAP

24

Tunnel-Window

No

No

Yes

Integer. It configures the receive window size for incoming L2TP messages.

25

Tunnel-Retransmit

No

No

Yes

Integer. It specifies the number of times the router retransmits a control message.

26

Tunnel-Cmd-Timeout

No

No

Yes

Integer. It specifies the number of seconds for the timeout interval between the control message retransmissions.

27

PPPOE-URL

No

Yes

Yes

String in PPPoE URL format. It defines the PPPoE URL that is sent to the remote PPPoE client in the PADM packet.

28

PPPOE-MOTM

No

Yes

Yes

String. It defines the PPPoE MOTM message that is sent to the remote PPPoE client in the PADM packet.

29

Tunnel-Group

No

Yes

Yes

Integer. It indicates whether this record is a tunnel group with a list of member peers:
1=TRUE
0=FALSE

30

Tunnel-Context

No

Yes

Yes

String. Context name. It is used in a DNIS peer record and this attribute specifies the context where the named peer should be found.

31

Tunnel-Algorithm

No

No

Yes

Integer. It specifies the session distribution algorithm used to choose between the peer configurations in the RADIUS response. This VSA instructs the router on how to interpret standard RADIUS attribute 83, Tunnel-Preference, according to one of the following values:
1=Priority
2=Load-Balance
3=Weighted round-robin

32

Tunnel-Deadtime

No

No

Yes

Integer. It specifies the number of minutes during which no sessions are attempted to an L2TP peer when the peer is down.

33

Mcast-Send

No

Yes

Yes

Integer. It defines whether the subscriber can send multicast packets, according to one of the following values:
1=NO SEND
2=SEND
3=UNSOLICITED SEND

34

Mcast-Receive

No

Yes

Yes

Integer. It defines whether the subscriber can receive multicast packets, according to one of the following values:
1=NO RECEIVE
2=RECEIVE

35

Mcast-MaxGroups

No

Yes

Yes

Integer. It specifies the maximum number of multicast groups of which the subscriber can be a member.

36

Ip-Address-Pool-Name

No

Yes

Yes

String. Name of the interface or IP pool used to assign an IP pool address to the subscriber.

37

Tunnel-DNIS

No

Yes

Yes

Integer. L2TP peer parameter specifying if incoming sessions from this peer are to be switched based on the incoming DNIS AVP if present or on the incoming DNIS AVP only (terminated if no DNIS AVP is present):
1 = DNIS
2 = DNIS ONLY

38

Medium-Type

Yes

Yes

No

Integer. It contains the medium type of the circuit. The system sets this value to DSL for CLIPS and PPP subscribers.

39

PVC-Encapsulation-Type

No

No

Yes

Integer. Encapsulation type to be applied to the circuit:
2 = Routed 1483
4 = ATM multi
5 = Bridged 1483
6 = ATM PPP
7 = ATM PPP serial
8 = ATM PPP NLPID
9 = ATM PPP auto
10 = ATM PPPoE
12 = ATM PPP LLC
22 = Ethernet IPoE
23 = Ethernet PPPoE
24 = Ethernet dot1q
26 = Ethernet dot1q pppoe
31 = Ethernet dot1q tunnel pppoe
32 = Ethernet dot1q multi
33 = Ethernet dot1q tunnel multi

40

PVC-Profile-Name

No

No

Yes

String. Name of the ATM profile that is assigned to the subscriber record, a named profile, or the default profile, using the shaping profile command (in subscriber configuration mode), to use for this circuit.

42

Bind-Type

No

No

Yes

Integer. Binding type to be applied to this circuit:
1 = authentication
3 = interface
4 = subscriber
14 = autosubscriber
CCOD (circuit creation on demand) circuits support only subscriber bind types.

43

Bind-Auth-Protocol

No

No

Yes

Integer. Authentication protocol to use for this circuit:
1 = PAP
2 = CHAP
4 = CHAP PAP
5 = AAA-PPP-CHAP-WAIT-PAP
7 = PAP CHAP

44

Bind-Auth-Max-Sessions

No

No

Yes

Integer. It is the maximum number of PPPoE sessions allowed to be created for this circuit. It also specifies the same for PPPoE sessions tunneled with Ethernet encapsulation over L2TP on the LNS.

45

Bind-Bypass-Bypass

No

No

Yes

String. Name of the bypass being bound.

46

Bind-Auth-Context

No

No

Yes

String. It is the bind authentication context name. It also specifies the same for PPPoE sessions tunneled with Ethernet encapsulation over L2TP on the LNS.

47

Bind-Auth-Service-Grp

No

No

Yes

String. It is the bind authentication service group name. It also specifies the same for PPPoE sessions tunneled with Ethernet encapsulation over L2TP on the LNS.

48

Bind-Bypass-Context

No

No

Yes

String. Bind bypass context name.

49

Bind-Int-Context

No

No

Yes

String. It is the bind interface context name. It also specifies the same for IP bridging sessions tunneled with Ethernet encapsulation over L2TP on the LNS.

50

Bind-Tun-Context

No

No

Yes

String. Bind tunnel context name.

51

Bind-Ses-Context

No

No

Yes

String. Bind session context name.

52

Bind-Dot1q-Slot

No

No

Yes

Integer. Bind 802.1Q slot number.

53

Bind-Dot1q-Port

No

No

Yes

Integer. Bind 802.1Q port number.

54

Bind-Dot1q-Vlan-Tag-Id

No

No

Yes

Integer. Bind 802.1Q VLAN tag ID.

55

Bind-Int-Interface-Name

No

No

Yes

String. It is the bind interface name. It also specifies the same for IP bridging sessions tunneled with Ethernet encapsulation over L2TP on the LNS.

56

Bind-L2TP-Tunnel-Name

No

No

Yes

String. Bind L2TP tunnel name.

57

Bind-L2TP-Flow-Control

No

No

Yes

Integer. Bind L2TP flow control.

58

Bind-Sub-User-At-Context

No

No

Yes

String. Bind subscriber context name.

59

Bind-Sub-Password

No

No

Yes

String. Bind subscriber password.

60

Ip-Host-Addr

No

No

Yes

String in the form A.B.C.D hh:hh:hh:hh:hh:hh. IP host address and MAC address. A space is required to separate the IP address from the MAC address.

61

Ip_Tos_Field

No

No

Yes

Integer. It specifies the value of the IP ToS field. Used for soft QoS:
0 = normal
1 = min-cost only
2 = max-reliability only
3 = max-reliability plus min-cost
4 = max-throughput only
5 = max-throughput plus min-cost
6 = max-throughput plus max-reliability
7 = max-throughput plus max-reliability plus min-cost
8 = min-delay only
9 = min-delay plus min-cost
10 = min-delay plus max-reliability
11 = min-delay plus max-reliability plus min-cost
12 = min-delay plus max-throughput
13 = min-delay plus max-throughput plus min-cost
14 = min-delay plus max-throughput plus max-reliability
15 = min-delay plus max-throughput plus max-reliability plus min-cost

62

NAS-Real-Port

Yes

Yes

No

Integer. It indicates the port number of the physical circuit on which the session was received. The format (in bits) is:
SSSSPPPPCCCCCCCCCCCCCCCCCCCCCCCC
Where:
S = Slot (4 bits)
P = Port (4 bits)
C = Circuit (24 bits; for ATM, 8 bits of VPI and 16 bits of VCI)
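An added example (not Ericsson's code) that decodes VSA 62, NAS-Real-Port, from the bit layout above, both from the bare 32-bit integer and from the RFC 2865 Vendor-Specific wire form using the Ericsson vendor id 2352 named under VSA 94 in this table. It assumes the VPI occupies the high-order 8 bits of the 24-bit circuit field, which the table does not state.

```python
"""Decode and encode the Ericsson RB NAS-Real-Port VSA (VSA 62 in Table 14).

Bit layout from the table: SSSSPPPPCCCCCCCCCCCCCCCCCCCCCCCC
  S = slot (4 bits), P = port (4 bits), C = circuit (24 bits);
  for ATM the circuit is 8 bits of VPI and 16 bits of VCI (VPI in the
  high-order bits is an assumption; the table gives only the widths).
The wire form is the RFC 2865 Vendor-Specific attribute (type 26); the
vendor id 2352 is the Ericsson prefix named in Table 14 under VSA 94.
"""
import struct
from dataclasses import dataclass
from typing import Optional

VENDOR_ERICSSON_RB = 2352
VSA_NAS_REAL_PORT = 62
ATTR_VENDOR_SPECIFIC = 26


@dataclass(frozen=True)
class RealPort:
    slot: int
    port: int
    circuit: int
    vpi: Optional[int] = None  # only filled in for ATM circuits
    vci: Optional[int] = None


def decode_nas_real_port(value: int, atm: bool = False) -> RealPort:
    """Split the 32-bit NAS-Real-Port integer into its fields."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("NAS-Real-Port is a 32-bit integer")
    slot = (value >> 28) & 0xF
    port = (value >> 24) & 0xF
    circuit = value & 0xFFFFFF
    if atm:
        return RealPort(slot, port, circuit, vpi=circuit >> 16, vci=circuit & 0xFFFF)
    return RealPort(slot, port, circuit)


def encode_nas_real_port(slot: int, port: int, circuit: int) -> int:
    """Inverse of decode_nas_real_port; rejects fields that do not fit their width."""
    if not (0 <= slot < 16 and 0 <= port < 16 and 0 <= circuit < (1 << 24)):
        raise ValueError("field out of range for the SSSSPPPPCCCC... layout")
    return (slot << 28) | (port << 24) | circuit


def encode_atm_real_port(slot: int, port: int, vpi: int, vci: int) -> int:
    """Build the circuit field from VPI (assumed high 8 bits) and VCI (low 16 bits)."""
    if not (0 <= vpi < 256 and 0 <= vci < 65536):
        raise ValueError("VPI is 8 bits and VCI is 16 bits")
    return encode_nas_real_port(slot, port, (vpi << 16) | vci)


def parse_vendor_specific(attr: bytes):
    """Parse one RFC 2865 Vendor-Specific attribute into (vendor_id, vendor_type, data)."""
    if len(attr) < 8 or attr[0] != ATTR_VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("malformed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    vendor_type, vendor_len = attr[6], attr[7]
    if vendor_len != len(attr) - 6:
        raise ValueError("vendor-length disagrees with attribute length")
    return vendor_id, vendor_type, attr[8:]


def nas_real_port_from_vsa(attr: bytes, atm: bool = False) -> RealPort:
    """Decode an RB NAS-Real-Port VSA straight from its wire bytes."""
    vendor_id, vendor_type, data = parse_vendor_specific(attr)
    if vendor_id != VENDOR_ERICSSON_RB or vendor_type != VSA_NAS_REAL_PORT:
        raise ValueError("not an RB NAS-Real-Port VSA")
    if len(data) != 4:
        raise ValueError("NAS-Real-Port value must be exactly 4 octets")
    return decode_nas_real_port(struct.unpack("!I", data)[0], atm=atm)


# Constructed sample VSA: slot 3, port 2, ATM VPI 8 / VCI 35 (value 0x32080023).
SAMPLE_VSA = (bytes([ATTR_VENDOR_SPECIFIC, 12]) + struct.pack("!I", VENDOR_ERICSSON_RB)
              + bytes([VSA_NAS_REAL_PORT, 6]) + struct.pack("!I", 0x32080023))

if __name__ == "__main__":
    print(nas_real_port_from_vsa(SAMPLE_VSA, atm=True))
```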

63

Tunnel-Session-Auth-Ctx

No

Yes

Yes

String. It is the L2TP peer parameter that specifies the name of the context in which all incoming PPP over L2TP sessions should be authenticated, regardless of the domain specified in the username.

64

Tunnel-Session-Auth-Service-Grp

No

Yes

Yes

String. It is the L2TP peer parameter that specifies the service group (service access control list [ACL]) to be used for all incoming PPP over L2TP sessions.

67

Tunnel-Police-Rate

No

Yes

Yes

4-byte integer. It is the L2TP or GRE peer parameter that specifies the policing rate for a tunnel in kbps. The valid value range is from 10 to 1,250,000 kbps. If this parameter is configured, the Tunnel-Police-Burst must also be configured.

68

Tunnel-Police-Burst

No

Yes

Yes

4-byte integer. It is the L2TP or GRE peer parameter that specifies the policing burst for a tunnel in bytes. The valid value range is from 0 to 1,562,500,000 bytes. If this parameter is configured, the Tunnel-Police-Rate must also be configured.

69

Tunnel-L2F-Second-Password

No

Yes

Yes

String. It is L2F peer parameter that specifies the password string used to authenticate the L2F remote peer.

70

ACL-Definition

No

Yes

Yes

String. It is used to define the ACL definitions in the RADIUS database. The ACL-Name attribute is the username and the Service-Type attribute must be set to Access-Control-List. The data content of this attribute contains ACL definitions similar to the command-line interface (CLI).

71

PPPoE-IP-Route-Add

No

Yes

Yes

String. It populates the PPPoE subscriber routing table with the routes to be installed when multiple PPPoE sessions exist; a more granular set of routes can be achieved when multiple sessions to the client are active. The format is h.h.h.h nn g.g.g.g m.
Where:
h.h.h.h = IP address of the destination host or network.
nn = optional netmask size in bits (if not present, defaults to 32).
g.g.g.g = IP address of the gateway.
m = number of hops for this route.
If the first byte of VSA 71 is 121 (classless static route), this VSA is used to handle DHCP option 121.

72

TTY-Level-Start

No

No

Yes

Integer. It indicates the starting privilege level for the administrator. The value range is from 0 to 15 and the value must be less than or equal to the value of TTY-Level-Max.

73

TTY-Level-Max

No

No

Yes

Integer. It indicates the maximum privilege level for the administrator. The value range is from 0 to 15, and the value must be greater than or equal to the value of TTY-Level-Start.

74

Tunnel-Checksum

No

Yes

Yes

Integer. It enables GRE checksums. When enabled, a checksum is computed for each outgoing GRE packet. This allows the remote system to verify the integrity of each packet. Incoming packets that fail the checksum are discarded. A value of 1 equals enabled. Any other value for this attribute equals disabled.

75

Tunnel-Profile

No

No

Yes

String. It attaches a profile to the tunnel. It is used when configuring a tunnel from a RADIUS server. A Tunnel-Profile attribute in a subscriber record is ignored.

78

Tunnel-Client-VPN

No

Yes

Yes

String. Name of the target context (a virtual private network [VPN]) on the client side of the tunnel. It is required for GRE. If omitted, the system automatically sets the value equal to the value set for the Tunnel-Server-VPN attribute.

79

Tunnel-Server-VPN

No

Yes

Yes

String. Name of the target context (VPN) on the server side of the tunnel.

85

Tunnel-Hello-Timer

No

No

Yes

Integer. Hello timer (in seconds) representing the time the tunnel is silent before it transmits a hello message. It is configured using the hello-timer command (in L2TP peer configuration mode).

86

Redback-Reason

No

Yes

No

Integer. If the NetOp Policy Manager (PM) sends the router (through SNMP) a non-zero clear reason while trying to clear (bounce) the subscriber session, this clear reason value is sent to the RADIUS server in the RADIUS accounting Stop packet in this VSA.

87

Qos_Policing

No

Yes

Yes

String. It attaches a QoS policing policy to the subscriber session.

88

Qos_Metering

No

Yes

Yes

String. It attaches a QoS metering policy to the subscriber session.

89

Qos_Queuing

No

Yes

Yes

String. It attaches a QoS queuing policy of any type supported by the circuit to the subscriber session.

90

Igmp_Svc_Prof_Id

No

Yes

Yes

String. Name of the IGMP service profile that is applied to the subscriber session.

91

Sub_Profile_Name

No

Yes

Yes

Name of the subscriber profile that is applied to the subscriber session.

92

Forward-Policy

No

Yes

Yes

String. It attaches an in or out forward policy to the subscriber session. The forward policy is in the following format:
in:forward-policy-name out:forward-policy-name

94

Reauth-String

No

No

Yes

String. The format is:
ID-type;subID;attr-num;attr-value; attr-num;attr-value; .


  • When the ID-type is 1, the subID is read as a RADIUS accounting session ID. When the ID-type is 2, the subID is read as a name.

  • The semicolon (;) acts as a delimiter.

  • Attr-num is an integer that identifies a RADIUS attribute. For example, standard RADIUS attribute 11 (Filter-Id) for an access control list (ACL) or vendor VSA 87 (Qos_Policing) for a QoS policing policy. (vendor VSAs include the Ericsson prefix, 2352.)

  • Attr-value is the value of the RADIUS attribute specified by attr-num.

95

Reauth-More

No

No

Yes

Integer. 0 or 1 (False or True).

96

Agent-Remote-Id

Yes

Yes

No

String. It is used for two types of subscriber sessions:


  • Incoming CLIPS sessions to the router from a DHCP relay network. This is suboption 2 in a DHCP option 82 packet.

  • PPPoE sessions. Sent by the PPP client in the PADR.


This attribute can also be set through the radius attribute calling-station-id and radius attribute nas-port-id commands in the context configuration mode.

97

Agent-Circuit-Id

Yes

Yes

No

String. It is used for two types of subscriber sessions:


  • CLIPS sessions coming into the router by way of a DHCP relay network. This is suboption 1 in a DHCP option 82 packet

  • PPPoE sessions. It is sent by the PPP client in the PADR.


This attribute can also be set through the radius attribute calling-station-id and radius attribute nas-port-id commands in the context configuration mode.

98

Platform-Type

Yes

Yes

No

Integer. It indicates the Ericsson product family from which the RADIUS access request is sent. The supported values are listed as follows:
2=PLATFORM_TYPE_SE800
3=PLATFORM_TYPE_SE400

99

Client_NBNS_Pri

No

Yes

Yes

IP address. It configures the IP address of a primary NetBios Name Server (NBNS) that the subscriber must use.

100

Client_NBNS_Sec

No

Yes

Yes

IP address. It configures the IP address of a secondary NBNS that the subscriber must use.

101

Shaping-Profile-Name

No

Yes

Yes

String. Name of the ATM shaping profile.

104

IP-Interface-Name

No

Yes

Yes

String. Interface name. It binds a subscriber to the specified interface. This VSA is used in conjunction with VSA 3, DHCP-Max-Leases.


This attribute can also be set through the ip interface name command (in subscriber configuration mode).

105

NAT-Policy-Name

No

Yes

Yes

String. NAT policy name. It attaches the specified NAT policy to a subscriber.

107

HTTP-Redirect-Profile-Name

No

Yes (alive and stop records only)

Yes

String of up to 32 characters. HTTP redirect profile name.

108

Bind-Auto-Sub-User

No

No

Yes

String. Subscriber name prefix as specified by the bind auto-subscriber command (in ATM PVC, CLIPS PVC, or dot1q PVC configuration mode). The prefix is included in the automatically generated subscriber name. For more information about this command and the format for the automatically generated subscriber name, see Configuring Bindings.

109

Bind-Auto-Sub-Context

No

No

Yes

String. Name of context in which the subscriber is bound with the bind auto-subscriber command (in ATM PVC, CLIPS PVC, or dot1q PVC configuration mode). For more information about this command, see Configuring Bindings.

110

Bind-Auto-Sub-Password

No

No

Yes

String. Password prefix as specified by the bind auto-subscriber command (in ATM PVC, CLIPS PVC, or dot1q PVC configuration mode). The prefix is included in the automatically generated subscriber password. For more information about this command and the format for the automatically generated subscriber password, see Configuring Bindings.

111

Circuit-Protocol-Encap

No

Yes

Yes

Integer. Circuit encapsulation for CCOD child circuit. The supported values are listed as follows:
27 = PPPoE encapsulation
34 = PPPoE multiencapsulation
35 = PPPoE tunnel multiencapsulation

112

OS-Version

Yes

Yes

No

String. Software version number.

113

Session-Traffic-Limit

No

Yes

Yes

String.

  • It specifies that inbound or outbound traffic is to be limited. Use the in: limit and out: limit format, where the limits are in Kbytes.
    The limit values set for inbound and outbound traffic are independent of each other.

  • It specifies that inbound, outbound, or aggregate traffic is to be limited. Use the in: limit, out: limit or aggregate: limit format, where the limits are in Kilobytes (KB).
    The limit value set for aggregate traffic is the total sum of both inbound and outbound traffic.

When configuring Session-Traffic-Limit, users can configure the limit for any of the following options:

  • Inbound traffic

  • Outbound traffic

  • Aggregate traffic (inbound and outbound combined)

Users cannot configure a limit for aggregate traffic together with a limit for inbound or outbound traffic.
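An added parser (example code, not from the IPWorks product) for the Session-Traffic-Limit string that enforces the rule that aggregate: cannot be combined with in: or out:, and maps a session's octet counters to the volume-exceeded Acct_Reason codes (16, 17 and 28) listed under VSA 144 in this table. It assumes 1 KB = 1024 octets, whitespace-separated tokens, and that a limit counts as exceeded once the counter reaches it.

```python
"""Parse the RB Session-Traffic-Limit VSA (VSA 113 in Table 14) and work out
which Acct_Reason (VSA 144) a session's volume counters would trigger.

Format from the table: "in: limit", "out: limit" and "aggregate: limit"
tokens with limits in kilobytes; in and out may be combined, aggregate may
not be combined with either.  Assumptions: 1 KB = 1024 octets, tokens are
separated by whitespace, and a limit is exceeded once the counter reaches it.
"""
import re
from typing import Dict, Optional

KB = 1024
TOKEN_RE = re.compile(r"(in|out|aggregate):\s*(\d+)")

# Reason codes listed for VSA 144 (Acct_Reason) in Table 14.
AAA_LOAD_ACCT_VOLUME_INGRESS_EXCEEDED = 16
AAA_LOAD_ACCT_VOLUME_EGRESS_EXCEEDED = 17
AAA_LOAD_ACCT_VOLUME_AGGR_LIMIT_EXCEEDED = 28


def parse_session_traffic_limit(value: str) -> Dict[str, int]:
    """Return {'in': kb, 'out': kb} (either or both) or {'aggregate': kb}; raise ValueError otherwise."""
    limits: Dict[str, int] = {}
    text = value.strip()
    pos = 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected token in Session-Traffic-Limit: {text[pos:]!r}")
        key, kb = m.group(1), int(m.group(2))
        if key in limits:
            raise ValueError(f"{key}: given more than once")
        if kb == 0:
            raise ValueError(f"{key}: limit must be a positive number of kilobytes")
        limits[key] = kb
        pos = m.end()
        while pos < len(text) and text[pos].isspace():
            pos += 1
    if not limits:
        raise ValueError("empty Session-Traffic-Limit")
    if "aggregate" in limits and ("in" in limits or "out" in limits):
        raise ValueError("aggregate: cannot be combined with in: or out:")
    return limits


def is_valid_session_traffic_limit(value: str) -> bool:
    """True when the string parses and obeys the combination rule."""
    try:
        parse_session_traffic_limit(value)
        return True
    except ValueError:
        return False


def volume_limit_reason(limits: Dict[str, int], input_octets: int, output_octets: int) -> Optional[int]:
    """Map counters (e.g. Acct-Input-Octets-64 / Acct-Output-Octets-64) to the
    Acct_Reason a reached limit would produce, or None if no limit is reached."""
    if "aggregate" in limits:
        if (input_octets + output_octets) // KB >= limits["aggregate"]:
            return AAA_LOAD_ACCT_VOLUME_AGGR_LIMIT_EXCEEDED
        return None
    if "in" in limits and input_octets // KB >= limits["in"]:
        return AAA_LOAD_ACCT_VOLUME_INGRESS_EXCEEDED
    if "out" in limits and output_octets // KB >= limits["out"]:
        return AAA_LOAD_ACCT_VOLUME_EGRESS_EXCEEDED
    return None


if __name__ == "__main__":
    # Constructed sample: independent inbound and outbound limits.
    sample = parse_session_traffic_limit("in: 1024 out: 2048")
    print(sample, volume_limit_reason(sample, 1024 * KB, 0))  # {'in': 1024, 'out': 2048} 16
    print(is_valid_session_traffic_limit("in: 10 aggregate: 20"))  # False
```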

114

QoS-Reference

No

Yes

Yes

String. It specifies the node name, the node-name index, the group name, and the group-name index. A colon (:) separates the node-name index from the group name.

125

DHCP-Vendor-Class-Id

Yes

Yes

No

String. DHCP option 60 value.

127

DHCP-Vendor-Encap-Options

No

Yes

Yes

String. DHCP option 43 values. The format is: code:value:code:value
Where:
code = DHCP vendor-encapsulation option number
value = option data in one of the following formats:


  • IP address type = dot notation

  • Number = decimal integer ASCII

  • string = ASCII characters without quotation marks

  • Binary string = Hex values of bytes separated by commas (“,”)



For descriptions of the vendor-encapsulated options found in RFC 2132, DHCP Options and BOOTP Vendor Extension, see the tables in the option command.

128

Acct-Input-Octets-64

No

Yes

No

Integer. 64-bit value for the Acct-Input-Octets standard attribute per RFC 2139.

129

Acct-Output-Octets-64

No

Yes

No

Integer. 64-bit value for the Acct-Output-Octets standard attribute per RFC 2139.

130

Acct-Input-Packets-64

No

Yes

No

Integer. 64-bit value for the Acct-Input-Packets standard attribute per RFC 2139.

131

Acct-Output-Packets-64

No

Yes

No

Integer. 64-bit value for Acct-Output-Packets attribute per RFC 2139.

133

Acct-Mcast-In-Octets-64

No

Yes

No

Integer. 64-bit value for the Acct-Mcast-In-Octets attribute.

134

Acct-Mcast-Out-Octets-64

No

Yes

No

Integer. 64-bit value for the Acct-Mcast-Out-Octets attribute.

135

Acct-Mcast-In-Packets-64

No

Yes

No

Integer. 64-bit value for the Acct-Mcast-In-Packets attribute.

136

Acct-Mcast-Out-Packets-64

No

Yes

No

Integer. 64-bit value for the Acct-Mcast-Out-Packets attribute.

137

LAC-Port

Yes

Yes

No

Integer. It contains the circuit handle for the incoming session on an L2TP LAC. This attribute should be present for a subscriber on an L2TP tunnel switch or LNS only. The circuit can be virtual for a PPPoE session.

138

LAC-Real-Port

Yes

Yes

No

Integer. It contains the circuit handle for the real circuit of an incoming PPPoE session on an L2TP LAC. This attribute should be present for a subscriber on an L2TP tunnel switch or LNS only.

139

LAC-Port-Type

Yes

Yes

No

Integer. It contains the port type for the incoming session on an L2TP LAC. This attribute should be present for a subscriber on an L2TP tunnel switch or LNS only. The port can be virtual for a PPPoE session.


The values for port types are listed as follows:
40 = NAS_PORT_TYPE_10BT
41 = NAS_PORT_TYPE_100BT
42 = NAS_PORT_TYPE_DS3_FR
43 = NAS_PORT_TYPE_DS3_ATM
44 = NAS_PORT_TYPE_OC3
45 = NAS_PORT_TYPE_HSSI
46 = NAS_PORT_TYPE_EIA530
47 = NAS_PORT_TYPE_T1
48 = NAS_PORT_TYPE_CHAN_T3
49 = NAS_PORT_TYPE_DS1_FR
50 = NAS_PORT_TYPE_E3_ATM
51 = NAS_PORT_TYPE_IMA_ATM
52 = NAS_PORT_TYPE_DS3_ATM_2
53 = NAS_PORT_TYPE_OC3_ATM_2
54 = NAS_PORT_TYPE_1000BSX
55 = NAS_PORT_TYPE_E1_FR
56 = NAS_PORT_TYPE_E1_ATM
57 = NAS_PORT_TYPE_E3_FR
58 = NAS_PORT_TYPE_OC3_POS
59 = NAS_PORT_TYPE_OC12_POS
60 = NAS_PORT_TYPE_PPPOE

140

LAC-Real-Port-Type

Yes

Yes

No

Integer. It contains the port type for the real circuit of an incoming PPPoE session on an L2TP LAC. This attribute should be present for a subscriber on an L2TP tunnel switch or LNS only. See VSA 139 for port-type values.

142

Session-Error-Code

No

Yes

No

Integer. 32 bits. Stop record only. It communicates the specific error code information between Ericsson devices.

143

Session-Error-Msg

No

Yes

No

String. Stop record only. It describes how the session terminated.

144

Acct_Reason

No

Yes

No

Integer. It is the reason code that describes why the router generates an accounting packet for a particular subscriber to RADIUS.


The reason code values are listed as follows:
1 = AAA_LOAD_ACCT_SESSION_UP
2 = AAA_LOAD_ACCT_SESSION_DOWN
3 = AAA_LOAD_ACCT_PERIODIC
7 = AAA_ACCT_RC_SUBSCRIBER_REAUTHOR
16 = AAA_LOAD_ACCT_VOLUME_INGRESS_EXCEEDED
17 = AAA_LOAD_ACCT_VOLUME_EGRESS_EXCEEDED
18 = AAA_LOAD_ACCT_IDLE_TIMEOUT
19 = AAA_LOAD_ACCT_TIME_EXCEEDED
28 = AAA_LOAD_ACCT_VOLUME_AGGR_LIMIT_EXCEEDED
34 = AAA_ACCT_RC_V6_UP
35 = AAA_ACCT_RC_V6_DOWN
36 = AAA_ACCT_RC_V4_UP
37 = AAA_ACCT_RC_V4_DOWN
38 = AAA_ACCT_RC_DHCPV6_PD_PREFIX_GRANTED
39 = AAA_ACCT_RC_DHCPV6_PD_PREFIX_RELEASED

145

Mac-Addr

Yes

Yes

No

String. MAC address. The format is 17 octets in hex. The MAC address is sent for all subscriber PPPoE sessions. The supported media includes ATM PVCs, 802.1Q PVCs (tagged or untagged VLANs), and Ethernet ports.

147

Acct-Mcast-In-Octets

No

Yes

No

Integer. Number of inbound multicast octets.

148

Acct-Mcast-Out-Octets

No

Yes

No

Integer. Number of outbound multicast octets.

149

Acct-Mcast-In-Packets

No

Yes

No

Integer. Number of inbound multicast packets.

150

Acct-Mcast-Out-Packets

No

Yes

No

Integer. Number of outbound multicast packets.

151

Reauth-Session-Id

No

No

Yes

String. It identifies the reauthorize session request. The value in this attribute is a string of attributes and values for the identified subscriber.

156

Qos-Rate-Inbound

No

Yes

Yes

String. It changes the inbound QoS rate. The format is rate: burst:excess-burst; changing the burst and excess-burst values is optional.

157

Qos-Rate-Outbound

No

Yes

Yes

String. It changes the outbound QoS rate. The format is rate: burst:excess-burst; changing the burst and excess-burst values is optional.

158

Route-Tag

No

Yes

Yes

Integer. It assigns a route tag to the subscriber’s IP address (Framed-IP-Route), as well as the subscriber’s route statements (Framed-IP-Route).

164

Dynamic-Policy-Filter

No

Yes

Yes

String. The string consists of a set of ASCII tokens separated by one or more spaces. No other characters are allowed. The tokens are shown in a syntax statement in Section 3.5, along with descriptions of the keywords and arguments in the syntax table.

165

HTTP-Redirect-URL

No

Yes

Yes

String. URL to which the router redirects HTTP requests.

166

DSL-Actual-Rate-Up

Yes

Yes

No

Integer 32-bit value. The actual DSL rate in the upstream direction.

167

DSL-Actual-Rate-Down

Yes

Yes

No

Integer 32-bit value. The actual DSL rate in the downstream direction.

168

DSL-Min-Rate-Up

Yes

Yes

No

Integer 32-bit value. The minimum DSL rate in the upstream direction.

169

DSL-Min-Rate-Down

Yes

Yes

No

Integer 32-bit value. The minimum DSL rate in the downstream direction.

170

DSL-Attainable-Rate-Up

Yes

Yes

No

Integer 32-bit value. The attainable DSL rate in the upstream direction.

171

DSL-Attainable-Rate-Down

Yes

Yes

No

Integer 32-bit value. The attainable DSL rate in the downstream direction.

172

DSL-Max-Rate-Up

Yes

Yes

No

Integer 32-bit value. The maximum DSL rate in the upstream direction.

173

DSL-Max-Rate-Down

Yes

Yes

No

Integer 32-bit value. The maximum DSL rate in the downstream direction.

174

DSL-Min-Low-Power-Rate-Up

Yes

Yes

No

Integer 32-bit value. The DSL minimum low power rate in the upstream direction.

175

DSL-Min-Low-Power-Rate-Down

Yes

Yes

No

Integer 32-bit value. The DSL minimum low power rate in the downstream direction.

176

DSL-Max-Inter-Delay-Up

Yes

Yes

No

Integer 32-bit value. The maximum DSL interleaving delay in the upstream direction.

177

DSL-Actual-Inter-Delay-Up

Yes

Yes

No

Integer 32-bit value. The actual DSL interleaving delay in the upstream direction.

178

DSL-Max-Inter-Delay-Down

Yes

Yes

No

Integer 32-bit value. The maximum DSL interleaving delay in the downstream direction.

179

DSL-Actual-Inter-Delay-Down

Yes

Yes

No

Integer 32-bit value. The actual DSL interleaving delay in the downstream direction.

180

DSL-Line-State

Yes

Yes

No

Integer 32-bit value. The DSL port state:
1 = SHOWTIME
2 = IDLE
3 = SILENT

181

DSL-L2-Encapsulation

Yes

Yes

No

Integer 32-bit value. The DSL data link protocol and data link encapsulation, encoded as a data link byte followed by two encapsulation bytes:
Data link byte:
0 = ATM AAL5
1 = ETHERNET
Encapsulation byte 1:
1 = Untagged
2 = Ethernet
Encapsulation byte 2:
0 = NA
1 = PPPoA LLC
2 = PPPoA NULL
3 = IPoA LLC
4 = IPoA NULL
5 = Ethernet over AAL5 LLC with FCS
6 = Ethernet over AAL5 LLC without FCS
7 = Ethernet over AAL5 NULL with FCS
8 = Ethernet over AAL5 NULL without FCS

182

DSL-Transmission-System

Yes

Yes

No

Integer 32-bit value. The DSL access-loop transmission system types are listed as follows:
1 = ADSL1
2 = ADSL2
3 = ADSL2+
4 = VDSL1
5 = VDSL2
6 = SDSL
7 = UNKNOWN

183

DSL-PPPOA-PPPOE-Inter-Work-Flag

Yes

Yes

No

Integer. PPPoA-to-PPPoE interworking flag.

184

DSL-combined-Line-Info

Yes

Yes

No

String. The value of the TLV described in GSMP Extensions for Layer 2 Control (L2C) Topology Discovery and Line Configuration, section 5.4.1, “Topology Discovery.”

185

DSL-Actual-Rate-Down-Factor

Yes

Yes

No

Integer. The rate that can be learned from the DSLAM or from a PPPoE or DHCP tag, depending on the configuration of the access-line rate command (in subscriber configuration mode).

189

Flow_FAC_Profile

No

Yes

No

String. It specifies the name of a Flow Admission Control profile. The attribute is used to apply the flow to the circuit of the configured subscriber. The Flow_FAC_Profile attribute can only be configured under the subscriber profile.

190

Service-Name

No

Yes

Yes

String. The name of the service to be activated, together with the following optional fields:


  • service id: Used when there is more than one instance of the same service.

  • service-parameter: Zero or more parameters formatted as name-value pairs. Names and values are separated by an equals sign (=) with no spaces around it. Pairs are separated by spaces.


Users can also specify service parameters in VSA 192. See VSA 192 for formatting details.

191

Service-Options

No

No

Yes

Integer. It specifies whether accounting is enabled for service management:
ACCT-DISABLED = 0x00
ACCT-ENABLED = 0x01

192

Service-Parameter

No

Yes

Yes

String. Service parameters for a service that is specified in VSA 190, formatted as name-value pairs. Names and values are separated by an equal sign (=) with no spaces around it. Pairs are separated by spaces.


If a parameter needs an array, the values in the array are separated by commas (,) with no space between the value and the comma.


If the value is a string that includes either spaces or commas, enclose the string in double quotes (“).
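The Service-Name (VSA 190) and Service-Parameter (VSA 192) descriptions above define a small text format: a service name, an optional service id, and name=value pairs separated by spaces, with comma-separated arrays and double-quoted strings for values that contain spaces or commas. The parser below is an added example written for this document; it is not IPWorks or router code. Two points are assumptions, because the descriptions do not fix them: a bare token after the service name is taken to be the service id, and a repeated parameter name is rejected (mirroring the "Service duplicate parameter" cause, 554, in VSA 193).

```python
"""Parser for the Service-Name / Service-Parameter string format (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

ParamValue = Union[str, List[str]]


@dataclass
class ServiceSpec:
    name: str
    service_id: Optional[str] = None          # assumption: bare token after the name
    params: Dict[str, ParamValue] = field(default_factory=dict)


def _tokenize(text: str) -> List[str]:
    """Split on spaces, keeping double-quoted runs (which may hold spaces/commas) intact."""
    tokens, cur, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
            cur.append(ch)          # keep the quote so a quoted string is not split as an array
        elif ch == " " and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if in_quote:
        raise ValueError("unterminated double quote")
    if cur:
        tokens.append("".join(cur))
    return tokens


def _parse_value(raw: str) -> ParamValue:
    """Quoted string -> literal text; comma-separated -> array; otherwise scalar."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if "," in raw:
        return raw.split(",")       # no spaces are allowed around the commas
    return raw


def parse_service(text: str) -> ServiceSpec:
    """Parse one Service-Name value; raises ValueError on malformed input."""
    tokens = _tokenize(text)
    if not tokens:
        raise ValueError("empty Service-Name value")
    spec = ServiceSpec(name=tokens[0])
    for tok in tokens[1:]:
        if "=" in tok:
            pname, value = tok.split("=", 1)
            if not pname or not value:          # "=" must sit between name and value, no spaces
                raise ValueError(f"malformed parameter {tok!r}")
            if pname in spec.params:
                raise ValueError(f"duplicate parameter {pname!r}")  # cf. Service-Error-Cause 554
            spec.params[pname] = _parse_value(value)
        elif spec.service_id is None:
            spec.service_id = tok               # assumption: first bare token is the service id
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return spec


if __name__ == "__main__":
    # Constructed sample value, not taken from a real subscriber record.
    print(parse_service('video-gold 2 bw=2000,4000 desc="Gold tier, HD"'))
```

The same routine parses Deactivate-Service-Name (VSA 194), whose fields are described identically; a Service-Parameter (VSA 192) value can be parsed by prefixing it with the service name from VSA 190.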

193

Service-Error-Cause

No

Yes

No

Integer. It specifies a service management error according to one of the following values:
0 = Service success
401 = Unsupported attribute
402 = Missing attribute
404 = Invalid request
506 = Resource unavailable
550 = Generic service error
551 = Service not found
552 = Service already active
553 = Service accounting disabled
554 = Service duplicate parameter
If the RADIUS server does not support this VSA, the 550, 551, 552, 553, and 554 error codes can be mapped to the standard Error-Cause attribute value 550 (other proxy processing error).

194

Deactivate-Service-Name

No

No

No

String. The service profile name of the service to be deactivated together with the following optional fields:


  • service id: Used when there is more than one instance of the same service.

  • service-parameter: Zero or more parameters formatted as name-value pairs. Names and values are separated by an equals sign (=) with no spaces around it. Pairs are separated by spaces.

195

QoS-Overhead

No

Yes

Yes

String. It attaches a QoS overhead profile to the subscriber session. If the overhead profile is defined in the RADIUS record of the subscriber, the subscriber has the specified overhead profile when the subscriber session comes up.

196

Dynamic-QoS-Param

No

No

Yes

String. The format varies by QoS parameter. For more information, see Section 3.6. Zero or more Dynamic-QoS-Param VSAs can be sent in an Access-Accept or CoA-Request packet to the router.

199

Double_Authentication

No

No

Yes

Integer. The integer value is 1. It indicates that the session needs one more authentication. It is valid only if it is received from a global access response.

201

DHCP-Field

Yes

Yes

No

Binary. It identifies a standard DHCP client field. This generic VSA is used to identify standard DHCP client fields that must be sent in RADIUS authentication or accounting requests. To distinguish each supported DHCP client field, a unique dhcp-sub-field value is used within this VSA to indicate the specific DHCP client field. Currently, this VSA supports only dhcp-sub-field type 1, the giaddr (gateway address) field. A RADIUS server uses the gateway address field to provide static routes to clients based on this address.

202

DHCP-Option

Yes

Yes

No

Binary. It identifies a DHCP client option. This VSA is a generic VSA, which is used to identify various supported DHCP client options that must be sent in RADIUS authentication or accounting requests. To distinguish each supported DHCP client option, a unique dhcp-sub-type field is used within this VSA to indicate a specific value that corresponds to a specific DHCP option. Currently, this VSA supports DHCP options 12 (hostname), 61 (client identifier), and 77 (user class).

203

Security-Service

No

Yes

Yes

String configured in RADIUS. It specifies an ASE security profile. Optionally it specifies a preshared key using the following format:


Security-Service="ike preshared-key hex hex-value | ASCII-value".


The IKE preshared key is only received in an Acct-Response message; it is never sent in an Access-Request or Acct-Request message.

The ASE DPI traffic management policy name is received in the Access-Request and sent in the Acct-Request in the format:


Security-Service="dpi traffic-management policy policy-name".


To enable DPI security service for a subscriber either through COA or reauthorization at a later point, configure RADIUS to send the Access-Accept message at initial subscriber logon with the following format:


Security-Service="dpi traffic-management enable-coa".

5.4   Suggested-Rule-Space Sub Attributes

Table 15 describes the sub attributes of the Suggested-Rule-Space attribute in the Access-Accept message.

Table 15    Suggested-Rule-Space Subattributes

Sub Attr #

Subattribute Name

Description

Presence

Content

Associated Attribute (Location of Subattr)

30

Suggested-Primary-Rulespace

Suggested Primary Rule Space

Optional

UTF-8 String

Access-Accept

31

Suggested-Secondary-Rulespace

Suggested Secondary Rule Space

Optional

UTF-8 String

Access-Accept


6   Error Handling

Table 16 describes the behaviors of different error scenarios:

Table 16    Error Handling

Scenario

Return Code

ACCOUNTING_REQUEST and ACCOUNTING_REQUEST Duplicated

discard

ACCOUNTING_REQUEST failed to check the accounting request authenticator

discard

PROXY_RESPONSE failed to check the reply authenticator

discard

PROXY_RESPONSE failed to get the proxy message record

discard

DA_RESPONSE failed to get the DA message record

discard

DA_RESPONSE failed to check the reply authenticator for DA message

discard

Failed to validate Message-Authenticator

discard

ACCESS_REQUEST The number of attributes is wrong

ACCESS_REJECT

DM_REQUEST and COA_REQUEST The number of attributes is wrong

ACCESS_REJECT

The number of attributes is wrong for other messages

discard

Access-Request message contains both CHAP-Password and User-Password

discard

Access-Request message contains both ARAP-Password and User-Password

discard

Access-Request message contains both ARAP-Password and CHAP-Password

discard

Access-Request message does not contain a User-Name or a Calling-Station-ID or a Called-station-ID

discard

Access-Request User-Password or CHAP-Password or State is not contained in the message

discard

Access-Request a NAS-IP-Address or a NAS-Identifier or a NAS-IPv6-Address (or all) is not contained in the message

discard

Access-Request EAP-Message existed with no Message-Authenticator contained in the message

discard

Accounting-Request a NAS-IP-Address or a NAS-Identifier (or both) is not contained in the message

discard

an Acct-Status-Type is not contained in the Accounting-Request message

discard

Accounting-Request message does not include Acct-Session-Id

discard

Acct-Status-Type is not set to stop in the Accounting-Request message

discard

Acct-Status-Type is not set to start in the Accounting-Request message

discard

Attribute with wrong length (1)

ACCESS_REJECT/discard

unsupported attribute (1)

ACCESS_REJECT/discard

Attribute of string type value error (1)

ACCESS_REJECT/discard

Attribute of integer value error (1)

ACCESS_REJECT/discard

AVP SERVICE_TYPE with wrong attribute (1)

ACCESS_REJECT/discard

Attribute of IPv4 type value error (1)

ACCESS_REJECT/discard

(1)  This ACCESS_REJECT scenario is only for the ACCESS_REQUEST, COA_REQUEST and DM_REQUEST messages. The AAA server discards the other types of messages.
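The Access-Request rows of Table 16 amount to a fixed set of sanity checks that a server applies before it touches credentials: mutually exclusive password attributes, mandatory identification attributes, an EAP-Message that must be accompanied by a Message-Authenticator, a Message-Authenticator that must verify, and malformed attribute lengths that earn an ACCESS_REJECT rather than a silent discard (footnote 1). The code below is an added example of those checks written for this document, not IPWorks code. The attribute type numbers are the RFC 2865/2869/3162 values; the shared secret, identifier and attribute contents are constructed sample data, and the User-Password value is a placeholder (a real one is obfuscated per RFC 2865). The "number of attributes is wrong" and value-format rows are not modelled because the table does not define the expected counts or formats.

```python
"""Table 16 style validation of a RADIUS Access-Request (added example)."""
import hashlib
import hmac
import os
import struct
from typing import List, Tuple

# RFC 2865 / RFC 2869 / RFC 3162 attribute type codes
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS = 1, 2, 3, 4
STATE, CALLED_STATION_ID, CALLING_STATION_ID, NAS_IDENTIFIER = 24, 30, 31, 32
ARAP_PASSWORD, EAP_MESSAGE, MESSAGE_AUTHENTICATOR, NAS_IPV6_ADDRESS = 70, 79, 80, 95
ACCESS_REQUEST = 1
HEADER = struct.Struct("!BBH16s")     # Code, Identifier, Length, Request Authenticator


def parse_attributes(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list; any length < 2 or overrun is the 'attribute with wrong length' row."""
    attrs, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("attribute with wrong length")
        t, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("attribute with wrong length")
        attrs.append((t, payload[pos + 2:pos + length]))
        pos += length
    return attrs


def message_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """RFC 2869 section 5.14: HMAC-MD5 over the packet with the attribute's value zeroed."""
    pos = HEADER.size
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += max(length, 2)
    return False                                  # attribute absent or malformed


def check_access_request(packet: bytes, secret: bytes) -> str:
    """Return 'accept-for-processing', 'discard' or 'ACCESS_REJECT' per the Access-Request rows."""
    if len(packet) < HEADER.size:
        return "discard"
    code, _ident, length, _auth = HEADER.unpack_from(packet)
    if code != ACCESS_REQUEST or length != len(packet):
        return "discard"
    try:
        attrs = parse_attributes(packet[HEADER.size:])
    except ValueError:
        return "ACCESS_REJECT"                    # footnote (1): reject, not discard, for ACCESS_REQUEST
    present = {t for t, _ in attrs}
    if len(present & {USER_PASSWORD, CHAP_PASSWORD, ARAP_PASSWORD}) > 1:
        return "discard"                          # two password attributes in one request
    if not present & {USER_NAME, CALLING_STATION_ID, CALLED_STATION_ID}:
        return "discard"
    if not present & {USER_PASSWORD, CHAP_PASSWORD, STATE}:
        return "discard"
    if not present & {NAS_IP_ADDRESS, NAS_IDENTIFIER, NAS_IPV6_ADDRESS}:
        return "discard"
    if EAP_MESSAGE in present and MESSAGE_AUTHENTICATOR not in present:
        return "discard"
    if MESSAGE_AUTHENTICATOR in present and not message_authenticator_ok(packet, secret):
        return "discard"
    return "accept-for-processing"


def build_access_request(attrs: List[Tuple[int, bytes]], secret: bytes, sign: bool = True) -> bytes:
    """Build a test Access-Request; with sign=True a valid Message-Authenticator is appended."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    if sign:
        body += bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    packet = HEADER.pack(ACCESS_REQUEST, 7, HEADER.size + len(body), os.urandom(16)) + body
    if sign:
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet


if __name__ == "__main__":
    secret = b"example-shared-secret"            # constructed sample, not a real secret
    good = build_access_request([(USER_NAME, b"alice@example.net"),
                                 (USER_PASSWORD, b"\x00" * 16),      # placeholder value
                                 (NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))], secret)
    print(check_access_request(good, secret))
    print(check_access_request(good[:-1] + bytes([good[-1] ^ 1]), secret))  # tampered MAC
```

Flipping one byte of the Message-Authenticator turns the first result into a discard; the packet is dropped before any credential is examined, which is the behaviour the table specifies for the authenticator rows.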


7   Formal Syntax

Not Applicable.

8   Related Standards

This section states the related standards and explains any deviations from them.

For details, refer to Standards.


Reference List

IPWorks Library Documents
[1] Trademark Information.
[2] Glossary of Terms and Acronyms.
[3] Typographic Conventions.
PCAT and Other Ericsson Documents
[4] Gi Interface Description, 1/1551-AXB 250 10/4
Standards
[5] Remote Authentication Dial In User Service (RADIUS) - RFC 2865.
[6] RADIUS Accounting - RFC 2866.
[7] RADIUS Accounting Modifications for Tunnel Protocol Support - RFC 2867.
[8] RADIUS Attributes for Tunnel Protocol Support - RFC 2868.
[9] RADIUS Extensions - RFC 2869.
[10] RADIUS and IPv6 - RFC 3162.
[11] Microsoft Vendor-specific RADIUS Attributes - RFC 2548.
[12] Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS) - RFC 5176.
[13] Interworking between the Public Land Mobile Network (PLMN) supporting packet based services and Packet Data Networks (PDN) - 3GPP TS 29.061 V8.2.0.


Copyright

© Ericsson AB 2014. All rights reserved. No part of this document may be reproduced in any form without the written permission of the copyright owner.

Disclaimer

The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.

Trademark List
All trademarks mentioned herein are the property of their respective owners. These are shown in the document Trademark Information.
