IPWorks AAA Parameter Description

Contents

1 Introduction
1.1 Prerequisites
1.1.1 Documents
1.2 Related Information
2 Basic Concept
3 Object Format
4 Conceptual Overview
4.1 AAA
4.2 AAA CUDB
4.3 AVP
5 Managed Objects
5.1 AAAIPPool
5.2 AAAIPv6PrefixPool
5.3 AAAPolicy
5.4 AAAProxyRule
5.5 AAARealm
5.6 AAAServer
5.7 AAASession
5.8 AAASubnet
5.9 AAAtempIdentityKey
5.10 AAAUser
5.11 AAANSDUser
5.12 AAAUserGroup
6 Appendix
6.1 Example of Configuring 3GPP-User-Location-Info
Reference List

1   Introduction

This document describes the AAA objects and fields managed by IPWorks CLI (ipwcli).

Scope

This document covers the following topics:

Target Groups

This document is intended for personnel configuring and fine-tuning IPWorks. Readers are assumed to be familiar with the basic concepts and operations of the CLI. For details, refer to Command Line Interface User Guide for IPWorks SS, Reference [1].

1.1   Prerequisites

Not Applicable.

1.1.1   Documents

Not Applicable.

1.2   Related Information

Trademark information, typographic conventions, definition and explanation of acronyms and terminology can be found in the following documents:

2   Basic Concept

This section describes the following:

The Managed Object Model (MOM) presents a view of the manageable resources in IPWorks, together with the attributes and actions associated with those resources.

A Managed Object (MO) is an entity presented to the user for the purpose of controlling the aspects of a function. The object carries attributes that reflect the behavior of the function.

The MOs are identified by means of a naming attribute, also called the Relative Distinguished Name (RDN). The ID part of this attribute is defined when the MO is created, and cannot be changed afterwards. A Local Distinguished Name (LDN) is a sequence of RDNs, which forms a unique name within the node.

3   Object Format

Aliases The alternative names of an object.
Key The key is the identifier of an object. The combination of the key field values must be unique for each object.
Required The required fields must be configured; otherwise the CLI generates an error.

4   Conceptual Overview

This section discusses some of the concepts that are required for managing AAA and AAA objects.

4.1   AAA

The IPWorks AAA server can act as a proxy server between a RADIUS client (NAS) and the Home AAA Server. It forwards authentication, authorization and accounting messages, as well as Change-of-Authorization (CoA) and Disconnect Messages (DM), to the corresponding target. Proxy servers are commonly used for roaming.

IPWorks AAA supports session management. A session corresponds to a series of related RADIUS message exchanges and is used to record and update the key information for a user according to the different RADIUS messages received from the NAS. When authentication or authorization succeeds for a user, a session is created with status init. An Accounting-Start message activates and updates the session. The related sessions are destroyed when an Accounting-Stop, Accounting-On or Accounting-Off message is received. A DM destroys the related sessions as well. There are two ways to handle abnormal sessions:

The AAA server also supports Dynamic Authorization (DA), which allows dynamic changes to a user session. This includes disconnecting users and changing the authorizations that apply to a user session, implemented with Disconnect and CoA packets. The AAA server sends CoA and Disconnect request messages to the NAS and waits for its response, so the AAA server acts as the Dynamic Authorization Client (DAC) and the NAS acts as the Dynamic Authorization Server (DAS).

The AAA server can allocate an IPv4 address, an IPv6 prefix, or both to the user.

Note:  
The "AAA server IPv6 support" function is fully restricted in the IPWorks system currently. This function will be supported in a future release.

IPv4 address allocation from the IP address pool

An IPv4 address is allocated from the IP address pool after successful authentication or authorization. The IP allocation strategy for each user can be adopted in the following ways:

The "Framed-IP-Address" attribute in the Access-Request message is a hint address that the AAA server must consider when allocating an IP address.

IPv6 address allocation from the IP address pool

An IPv6 prefix is allocated from the IP address pool after successful authentication or authorization. The IP allocation strategy for each user can be adopted in the following ways:

The "Framed-IPv6-Prefix" attribute in the Access-Request message is a hint address that the AAA server must consider when allocating an IPv6 prefix.

Figure 1 shows a typical cluster configuration of the AAA server. End-user subscribers communicate with a NAS client through the access network. After receiving RADIUS requests from the NAS clients, the local AAA server either handles the requests itself or proxies them to a remote AAA server. The NDB Cluster stores the AAA server configuration data and the user session data. When a user detaches from the network, CSV files are generated if the accounting function is enabled.

Figure 1   IPWorks AAA Server Cluster

4.2   AAA CUDB

IPWorks supports both monolithic AAA and Data Layered Architecture (DLA) AAA. Monolithic AAA stores user data in the local data node. DLA AAA stores user data in Centralized User Data Base (CUDB).

Figure 2 shows a typical cluster configuration of AAA server when CUDB is configured.

Figure 2   AAA Servers in Cluster with CUDB Configuration

4.3   AVP

Attribute-Value Pairs (AVPs) are adopted to represent data for IPWorks AAA. Attributes carry the specific authentication, authorization and accounting information and the configuration details for requests and replies. Values for specific attributes must comply with the format of those attributes. The following attributes and formats are defined for IPWorks AAA:

Attributes

Formats

Note:  
The formats described above and in the following tables are the input formats for CLI.

Table 1    Attributes Compliant with RFC 2548

Attribute | Format | Comment
MS-MPPE-Send-Key | String |
MS-MPPE-Recv-Key | String |
MS-Primary-DNS-Server | IPv4 |
MS-Secondary-DNS-Server | IPv4 |
MS-Primary-NBNS-Server | IPv4 |
MS-Secondary-NBNS-Server | IPv4 |

Table 2    Attributes Compliant with RFC 2865

Attribute | Format | Comment
User-Name | String |
User-Password | String |
CHAP-Password | String |
NAS-IP-Address | IPv4 |
NAS-Port | Integer |
Service-Type | Enumeration | For the special setting about Dynamic Authorization Extensions to RADIUS, refer to Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS), Reference [18]. The value for "Authorize Only" is 17.
Framed-Protocol | Enumeration |
Framed-IP-Address | IPv4 |
Framed-IP-Netmask | IPv4 |
Framed-Routing | Enumeration |
Filter-Id | String |
Framed-MTU | Integer |
Framed-Compression | Enumeration |
Login-IP-Host | IPv4 |
Login-Service | Enumeration |
Login-TCP-Port | Integer |
Reply-Message | String |
Callback-Number | String |
Callback-Id | String |
Framed-Route | String |
Framed-IPX-Network | Integer |
State | String | For the special setting about Dynamic Authorization Extensions to RADIUS, refer to Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS), Reference [18].
Class | String |
Vendor-Specific | String |
Session-Timeout | Integer | Time
Idle-Timeout | Integer | Time
Termination-Action | Enumeration |
Called-Station-Id | String |
Calling-Station-Id | String |
NAS-Identifier | String |
Proxy-State | String | For the special setting about Dynamic Authorization Extensions to RADIUS, refer to Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS), Reference [18].
Login-LAT-Service | String |
Login-LAT-Node | String |
Login-LAT-Group | String |
Framed-AppleTalk-Link | Integer |
Framed-AppleTalk-Network | Integer |
Framed-AppleTalk-Zone | String |
CHAP-Challenge | String |
NAS-Port-Type | Enumeration |
Port-Limit | Integer |
Login-LAT-Port | String |

Table 3    Attributes Compliant with RFC 2866

Attribute | Format | Comment
Acct-Status-Type | Enumeration |
Acct-Delay-Time | Integer | Time
Acct-Input-Octets | Integer |
Acct-Output-Octets | Integer |
Acct-Session-Id | String |
Acct-Authentic | Enumeration |
Acct-Session-Time | Integer | Time
Acct-Input-Packets | Integer |
Acct-Output-Packets | Integer |
Acct-Terminate-Cause | Enumeration |
Acct-Multi-Session-Id | String |
Acct-Link-Count | Integer |

Table 4    Attributes Compliant with RFC 2867

Attribute | Format | Comment
Acct-Tunnel-Connection | String |
Acct-Tunnel-Packets-Lost | Integer |

Table 5    Attributes Compliant with RFC 2868

Attribute | Format | Comment
Tunnel-Type | Integer |
Tunnel-Medium-Type | Integer |
Tunnel-Client-Endpoint | 'tag string' | tag is decimal ASCII. For example, Tunnel-Client-Endpoint='01 aaa.test'.
Tunnel-Server-Endpoint | 'tag string' | tag is decimal ASCII. For example, Tunnel-Server-Endpoint='01 DDDD'.
Tunnel-Password | 'tag salt salt string' | tag and salt are decimal ASCII. string is the unencrypted password. For example, Tunnel-Password='01 11 12 023456abcdef1234123456abcdef1234'.
Tunnel-Private-Group-ID | 'tag string' | tag is decimal ASCII. For example, Tunnel-Private-Group-ID='01 AAAA'.
Tunnel-Assignment-ID | 'tag string' | tag is decimal ASCII. For example, Tunnel-Assignment-ID='01 1234asd'.
Tunnel-Preference | Integer |
Tunnel-Client-Auth-ID | 'tag string' | tag is decimal ASCII. For example, Tunnel-Client-Auth-ID='01 BBBB'.
Tunnel-Server-Auth-ID | 'tag string' | tag is decimal ASCII. For example, Tunnel-Server-Auth-ID='01 CCCC'.

Table 6    Attributes Compliant with RFC 2869

Attribute | Format | Comment
Acct-Input-Gigawords | Integer |
Acct-Output-Gigawords | Integer |
Event-Timestamp | Integer |
ARAP-Password | 'val1 val2 val3 val4' | val is integer. For example, ARAP-Password='11 12 13 14'.
ARAP-Features | 'val1 val2 val3 val4 val5' | val is integer. For example, ARAP-Features='11 12 13 14 15'.
ARAP-Zone-Access | Integer |
ARAP-Security | Integer |
ARAP-Security-Data | String |
Password-Retry | Integer |
Prompt | Integer |
Connect-Info | String |
Configuration-Token | String |
EAP-Message | String |
Message-Authenticator | String | For the special setting about Dynamic Authorization Extensions to RADIUS, refer to Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS), Reference [18].
ARAP-Challenge-Response | String |
Acct-Interim-Interval | Integer |
NAS-Port-Id | String |
Framed-Pool | String |

Table 7    Attributes Compliant with RFC 3162

Attribute | Format | Comment
NAS-IPv6-Address | IPv6 |
Framed-Interface-Id | String |
Framed-IPv6-Prefix | IPv6 |
Login-IPv6-Host | IPv6 |
Framed-IPv6-Route | String |
Framed-IPv6-Pool | String |

Table 8    Attributes Compliant with RFC 4372

Attribute | Format | Comment
Chargeable-User-Identity | String | A switch to control the reply of Chargeable-User-Identity (CUI) in Access-Accept is available. For detailed information, refer to the section CUI Switch in Configure Radius AAA, Reference [5].

Table 9    Attributes Compliant with RFC 4675

Attribute | Format | Comment
Egress-VLANID | Integer |
Ingress-Filters | Integer |
Egress-VLAN-Name | String |
User-Priority-Table | String |

Table 10    Attributes Compliant with RFC 4818

Attribute | Format | Comment
Delegated-IPv6-Prefix | IPv6 |

Table 11    Attributes Compliant with RFC 4849

Attribute | Format | Comment
NAS-Filter-Rule | String |

Table 12    Attributes Compliant with RFC 5176

Attribute | Format | Comment
Error-Cause | Integer |

Table 13    Attributes Compliant with 3GPP TS 29.061 Version 8.2.0 Release 8

Attribute | Format | Comment
3GPP-Allocate-IP-Type | Integer |
3GPP-IMSI | String |
3GPP-Charging-ID | Integer |
3GPP-PDP-Type | Integer |
3GPP-CG-Address | IPv4 |
3GPP-GPRS-Negotiated-QoS-Profile | String |
3GPP-SGSN-Address | IPv4 |
3GPP-GGSN-Address | IPv4 |
3GPP-IMSI-MCC-MNC | String |
3GPP-GGSN-MCC-MNC | String |
3GPP-NSAPI | String |
3GPP-Session-Stop-Indicator | Bit String | The value is 11111111.
3GPP-Selection-Mode | String |
3GPP-Charging-Characteristics | String |
3GPP-CG-IPv6-Address | IPv6 |
3GPP-SGSN-IPv6-Address | IPv6 |
3GPP-GGSN-IPv6-Address | IPv6 |
3GPP-IPv6-DNS-Servers | 'ipv6 ipv6 ipv6' | A list of IPv6 addresses. For example, 3GPP-IPv6-DNS-Servers=CDCD:910A:2222:5498:8475:1111:3900:2020.
3GPP-SGSN-MCC-MNC | String |
3GPP-Teardown-Indicator | Octet string | 0 or 1
3GPP-IMEISV | String |
3GPP-RAT-Type | type | decimal ASCII. For example, 3GPP-RAT-Type=101.
3GPP-User-Location-Info | String ('dec dec dec ...') | For an example of how to configure it in IPWorks, see Section 6.1.
3GPP-MS-TimeZone | 'timezone daylightSavingTime' | decimal ASCII. For example, 3GPP-MS-TimeZone='56 50'.
3GPP-CAMEL-Charging-Info | 'dec dec dec dec ...' | decimal ASCII. For example, 3GPP-CAMEL-Charging-Info=123.
3GPP-Packet-Filter | N/A |
3GPP-Negotiated-DSCP | code | decimal ASCII. For example, 3GPP-Negotiated-DSCP=100.

Table 14    Vendor-specific Attributes

Attribute | Format | Comment
ERICSSON-Prim-Rule-Space-Name | String |
ERICSSON-Sec-Rule-Space-Name | String |
ERICSSON-ACG-ID | String |
ERICSSON-Authorization-Code | 'dec dec dec dec' | decimal ASCII. For example, ERICSSON-Authorization-Code='81 82 83 84'.
Offload_Indication | String |
GTP-Tunnel-Data | String |

Note:  
  • IPWorks AAA supports dynamic AVP configuration, which allows users to add any vendor-specific AVP according to their requirements.
  • In the directory /etc/ipworks/aaa/dict, users can configure the dict-customized.xml file. This file defines the format of the vendor-specific AVPs, and users can run perl dict-customized-verify.pl verify_logic dict-customized.xml to verify the format.

Table 15    Built-in Attributes

Attribute | Format | Comment
System-Time | Integer | The format of System-Time follows the time specification in Section 3.3 of Internet Message Format, Reference [20].
Arrive-Time | N/A | For sequence CSV record
Acct-Start-Time | N/A | For session CSV record
Acct-End-Time | N/A | For session CSV record

5   Managed Objects

This section describes the AAA objects and fields.

5.1   AAAIPPool

A pool stores some IP addresses for AAA server.

Key Name
Required Name, Subnet, AddressRange

5.2   AAAIPv6PrefixPool

A pool stores some IPv6 prefix addresses for AAA server.

Key Name
Required Name, PrefixRange

5.3   AAAPolicy

The policy is a rule-based authorization for the AAA server. When an Access-Request message arrives, it is treated as a successful authorization if it matches the policy check rule; otherwise it fails. On a successful authorization, the policy reply rule is added to the Access-Accept message.

Aliases AAAPolicy
Key Name
Required Name

5.4   AAAProxyRule

The rules that apply to a realm. The rules include the checklist and change list for Access-Request and Access-Accept messages.

Aliases AAAProxyRule
Key Name
Required Name

5.5   AAARealm

The configured policy for a realm.

Aliases AAARealm
Key Name
Required Name, AuthDest, AcctDest

5.6   AAAServer

The Authentication, Authorization and Accounting server running on the network.

Aliases AAAServers
Key Name
Required Name

5.7   AAASession

The dynamic session in the AAA server. A session corresponds to a series of related RADIUS message exchanges and is used to record and update the key information according to the different RADIUS messages. When authentication or authorization succeeds for a user, a session is created with status init. An Accounting-Start message activates and updates the session. The related sessions are destroyed when an Accounting-Stop, Accounting-On or Accounting-Off message is received. A DM destroys the related sessions as well.

Aliases AAASession
Key UniqueSessionId
Required UniqueSessionId, NasIpAddr, NasId, NasType, AcctSessionId, Class
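The session lifecycle described here and in Section 4.1, as an added example that is not IPWorks code: an in-memory store that creates a session in status init on a successful authentication or authorization, activates and updates it on Accounting-Start, and destroys the related sessions on Accounting-Stop, Accounting-On/Off and DM. The derivation of UniqueSessionId from NasId and Acct-Session-Id, and the treatment of Accounting-On/Off (a NAS restart) as covering every session of that NAS, are this example's assumptions.

```python
# Added example, not IPWorks code: model of the AAASession lifecycle from
# Sections 4.1 and 5.7. Assumptions: UniqueSessionId is NasId/Acct-Session-Id,
# and Accounting-On/Off make every session of that NAS "related".
from dataclasses import dataclass, field

# Acct-Status-Type values from RFC 2866.
ACCT_START, ACCT_STOP, ACCT_ON, ACCT_OFF = 1, 2, 7, 8


@dataclass
class Session:
    unique_session_id: str
    nas_ip_addr: str
    nas_id: str
    acct_session_id: str
    status: str = "init"                 # init -> active -> destroyed
    attrs: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    @staticmethod
    def key(nas_id: str, acct_session_id: str) -> str:
        return f"{nas_id}/{acct_session_id}"   # assumed UniqueSessionId

    def on_auth_success(self, nas_ip: str, nas_id: str,
                        acct_session_id: str, **attrs) -> Session:
        """Authentication or authorization succeeded: create session in status init."""
        s = Session(self.key(nas_id, acct_session_id), nas_ip, nas_id,
                    acct_session_id, attrs=dict(attrs))
        self.sessions[s.unique_session_id] = s
        return s

    def on_accounting(self, nas_id: str, status_type: int,
                      acct_session_id: str = "", **attrs) -> list[str]:
        """Apply an Accounting-Request; return the UniqueSessionIds destroyed."""
        if status_type == ACCT_START:
            s = self.sessions.get(self.key(nas_id, acct_session_id))
            if s is not None:                # Start activates and updates the session
                s.status = "active"
                s.attrs.update(attrs)
            return []
        if status_type == ACCT_STOP:
            return self._destroy([self.key(nas_id, acct_session_id)])
        if status_type in (ACCT_ON, ACCT_OFF):
            return self._destroy([k for k, s in self.sessions.items()
                                  if s.nas_id == nas_id])
        return []                            # other status types: not described on the page

    def on_disconnect(self, nas_id: str, acct_session_id: str) -> list[str]:
        """A Disconnect Message (DM) destroys the related session as well."""
        return self._destroy([self.key(nas_id, acct_session_id)])

    def _destroy(self, keys: list[str]) -> list[str]:
        return [k for k in keys if self.sessions.pop(k, None) is not None]
```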

5.8   AAASubnet

A subnet represents a contiguous set of addresses. Subnets can be split into other subnets, creating a hierarchy of subnets.

Key Name
Required Name, Address, Mask, MaskLength

5.9   AAAtempIdentityKey

Aliases AAAtempIdentityKey
Required KeyValue, suspendedKeyNumber

5.10   AAAUser

The AAA user information.

Aliases AAAUser
Key Username
Required Username, Password

5.11   AAANSDUser

The AAA Non-Sim Device User information.

Aliases AAANSDUser
Key Name
Required Name, IMSI, MSISDN, userStatus

5.12   AAAUserGroup

The user group.

Aliases AAAGroup
Key Name
Required Name

6   Appendix

6.1   Example of Configuring 3GPP-User-Location-Info

When users have the network information, for example Geographic Location Type SAI (1), Mobile Country Code (MCC) 460, Mobile Network Code (MNC) 13, LAC 1007 and SAC 0001, they must perform the following steps:

  1. Convert the network information to the 3GPP-User-Location-Info octet string in hex.

    For the detailed algorithm, refer to 3GPP TS 29.061 and 3GPP TS 29.274.

    For example, users get the 3GPP-User-Location-Info octet string 0164f03103ef0001 according to the following table.

    Field | Hex value
    Geographic Location Type | 01
    MCC digit 2 | 6
    MCC digit 1 | 4
    MNC digit 3 | f
    MCC digit 3 | 0
    MNC digit 2 | 3
    MNC digit 1 | 1
    Location Area Code (LAC) | 03ef
    Service Area Code (SAC) | 0001

  2. Convert the hex to the format string ('dec dec dec ...').

    '01 64 f0 31 03 ef 00 01' => '1 100 240 49 3 239 0 1'

    Configure 3GPP-User-Location-Info as '1 100 240 49 3 239 0 1'.
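The two steps above, as an added example that is not part of the IPWorks document: encode the fields into the octet string, convert it to the 'dec dec dec ...' CLI value, and decode it back. The function names and the validation checks are this example's own; the octet layout follows the table above (type octet, BCD-packed MCC/MNC, LAC, SAC).

```python
# Added example, not from the IPWorks document: build the
# 3GPP-User-Location-Info value of Section 6.1 (type octet + 3-octet PLMN
# with MCC/MNC packed as BCD + 2-octet LAC + 2-octet SAC) and convert it
# to the 'dec dec dec ...' input format of ipwcli. Names are assumptions.


def encode_uli(loc_type: int, mcc: str, mnc: str, lac: int, sac: int) -> bytes:
    """Return the 8-octet 3GPP-User-Location-Info value."""
    if not (mcc.isdigit() and len(mcc) == 3):
        raise ValueError("MCC must be exactly 3 digits")
    if not (mnc.isdigit() and len(mnc) in (2, 3)):
        raise ValueError("MNC must be 2 or 3 digits")
    if not 0 <= loc_type <= 0xFF:
        raise ValueError("location type must fit in one octet")
    for name, val in (("LAC", lac), ("SAC", sac)):
        if not 0 <= val <= 0xFFFF:
            raise ValueError(f"{name} must fit in 16 bits")
    d = [int(c) for c in mcc]
    # A two-digit MNC has no digit 3; the spare nibble is filled with 0xF.
    m = [int(c) for c in mnc] + ([0xF] if len(mnc) == 2 else [])
    # Each octet carries the lower-numbered digit in its low nibble.
    plmn = bytes([(d[1] << 4) | d[0],     # MCC digit 2 | MCC digit 1
                  (m[2] << 4) | d[2],     # MNC digit 3 | MCC digit 3
                  (m[1] << 4) | m[0]])    # MNC digit 2 | MNC digit 1
    return bytes([loc_type]) + plmn + lac.to_bytes(2, "big") + sac.to_bytes(2, "big")


def decode_uli(octets: bytes) -> dict:
    """Inverse of encode_uli; rejects anything that is not the 8-octet layout."""
    if len(octets) != 8:
        raise ValueError("expected 8 octets (type + PLMN + LAC + SAC)")
    p = octets[1:4]
    mcc = f"{p[0] & 0xF}{p[0] >> 4}{p[1] & 0xF}"
    mnc = f"{p[2] & 0xF}{p[2] >> 4}"
    if p[1] >> 4 != 0xF:                  # three-digit MNC
        mnc += str(p[1] >> 4)
    return {"type": octets[0], "mcc": mcc, "mnc": mnc,
            "lac": int.from_bytes(octets[4:6], "big"),
            "sac": int.from_bytes(octets[6:8], "big")}


def to_cli_format(octets: bytes) -> str:
    """Step 2: the quoted 'dec dec dec ...' value that ipwcli expects."""
    return "'" + " ".join(str(b) for b in octets) + "'"


def from_cli_format(value: str) -> bytes:
    """Parse a 'dec dec dec ...' value back to octets; a field over 255 raises."""
    return bytes(int(f) for f in value.strip().strip("'").split())


if __name__ == "__main__":
    octets = encode_uli(1, "460", "13", 1007, 1)
    print(octets.hex())              # 0164f03103ef0001
    print(to_cli_format(octets))     # '1 100 240 49 3 239 0 1'
```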


Reference List

IPWorks Documents
[1] Command Line Interface User Guide for IPWorks SS.
[2] Glossary of Terms and Acronyms.
[3] Trademark Information.
[4] Typographic Conventions.
[5] Configure Radius AAA.
Standards
[6] Microsoft Vendor-specific RADIUS Attributes.
[7] Remote Authentication Dial In User Service (RADIUS).
[8] RADIUS Accounting.
[9] RADIUS Accounting Modifications for Tunnel Protocol Support.
[10] RADIUS Attributes for Tunnel Protocol Support.
[11] RADIUS Extensions.
[12] RADIUS and IPv6.
[13] Diameter Base Protocol.
[14] Chargeable User Identity.
[15] RADIUS Attributes for Virtual LAN and Priority Support.
[16] RADIUS Delegated-IPv6-Prefix Attribute.
[17] RADIUS Filter Rule Attribute.
[18] Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS).
[19] 3GPP TS 29.061 Version 8.2.0 Release 8.
[20] Internet Message Format.
[21] Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.


Copyright

© Ericsson AB 2017, 2018. All rights reserved. No part of this document may be reproduced in any form without the written permission of the copyright owner.

Disclaimer

The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.

Trademark List
All trademarks mentioned herein are the property of their respective owners. These are shown in the document Trademark Information.
