CDMA2000/1xEVDO RADIUS Overview
2 | CDMA2000 EVDO Overview All Rights Reserved © Alcatel-Lucent 2007
Module Objectives
- Understand the architecture for CDMA2000 EVDO
- Understand the RADIUS protocol to support CDMA2000 EVDO
CDMA2000/1xEVDO
It is the packet data access used for CDMA2000 and 1xEVDO. The standards are proposed by 3GPP2.
Two main access types:
- Simple IP service: to connect to the visited network (when roaming) and the Internet, either with IPv4 or IPv6, and NO mobility beyond base stations (RN) belonging to the same provider network.
- Mobile IP service: a Mobile IP tunnel will be established between the serving PDSN (FA) and the Home Agent (HA). The user appears to be connected to his/her visited network/intranet. Only IPv4 is allowed. Mobility can be achieved even between different PDSNs belonging to different provider networks; the user maintains his/her IP address, assigned by the Home network.
Simple IP Service (IPv4 & IPv6)
A Mobile Station (MS) is assigned an IP address (IPv4 address or IPv6 /64 prefix) and is provided IP routing service by an access provider network.
The MS retains its IP address as long as it is served by a radio network (RN) that has connectivity to the address-assigning PDSN. Handovers are possible between RNs belonging to the same PDSN. There is no IP address mobility beyond this PDSN.
[Figure: Mobile Station (MS) -- radio interface -- Radio Network (RN = PCF) -- R-P interface (A10, GRE tunnel) -- PDSN -- Access Provider Network (Visited Network) -- Internet -- End Host. PPP (IP address assignment) runs between the MS and the PDSN and carries the user's IP traffic (IPv4 or IPv6).]
Protocol Stack for Simple IP service [figure only]
RADIUS Authentication & Accounting
The user will be authenticated by the Home RADIUS server (HAAA), where his/her user profile is stored.
The IP address assigned must be routable (and assigned) in the Visited Network by the PDSN that first assigned it to the user.
Optionally some proxy-RADIUS (broker) servers might be used to interconnect the V-AAA and the H-AAA.
[Figure: Mobile Station (MS) -- RADIUS client (PDSN) in the Visited Network -- Visited RADIUS (VAAA) -- Broker RADIUS (BAAA) -- Home RADIUS (HAAA) in the Home Network.]
RADIUS attributes for Simple IP service
User authentication can be either CHAP (preferred) or PAP.
As the RADIUS Access-Request is sent before IPCP (IPv4) or IPv6CP, the RADIUS server doesn't know whether the MS (user) will use IPv4 or IPv6. It can send one IPv4 address and one IPv6 prefix, and let the user choose which one to use.
Based on the Acct Start packet, the unused IP should be released.
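The CHAP check the HAAA performs on such an Access-Request, as an added illustration (this is not code from the page, from Alcatel-Lucent or from VitalAAA). The subscriber table, the password and the challenge are constructed; the attribute layout (CHAP-Password = identifier octet + 16-octet MD5 response, CHAP-Challenge or the Request Authenticator as challenge) follows RFC 1994 and RFC 2865.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed subscriber profile as the Home RADIUS server (HAAA) would hold it.
# CHAP needs the clear-text password on the server side (the page's "user profile").
USER_PROFILES = {"mobile1@home1.net": "constructed-password"}


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier | secret | challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode("utf-8") + challenge).digest()


def build_access_request(username: str, password: str, challenge: bytes, ident: int = 1) -> dict:
    """What the PDSN (RADIUS client) puts in the Access-Request after PPP CHAP.
    CHAP-Password carries the identifier octet followed by the 16-octet response."""
    return {
        "User-Name": username,
        "CHAP-Password": bytes([ident]) + chap_response(ident, password, challenge),
        "CHAP-Challenge": challenge,
    }


def verify_chap(request: dict, request_authenticator: Optional[bytes] = None) -> bool:
    """HAAA side: recompute the response from the stored password and compare.
    If CHAP-Challenge is absent, RFC 2865 says the Request Authenticator is the challenge."""
    password = USER_PROFILES.get(request.get("User-Name", ""))
    chap_password = request.get("CHAP-Password", b"")
    if password is None or len(chap_password) != 17:
        return False
    challenge = request.get("CHAP-Challenge") or request_authenticator
    if challenge is None:
        return False
    expected = chap_response(chap_password[0], password, challenge)
    # constant-time compare so a wrong response does not leak timing information
    return hmac.compare_digest(expected, chap_password[1:])


def new_challenge() -> bytes:
    """PDSN side: a fresh random 16-octet challenge per PPP CHAP exchange."""
    return os.urandom(16)


if __name__ == "__main__":
    ch = new_challenge()
    req = build_access_request("mobile1@home1.net", "constructed-password", ch)
    print("Access-Accept" if verify_chap(req) else "Access-Reject")
```

The unknown-user path deliberately returns the same result as a wrong response, so a probing client cannot tell the two apart from the answer alone.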
Fast Handoff with Simple IP
As the IP address is only routable by the PDSN which originally assigned it, that PDSN must receive all of the user's packets:
- via the R-P interface for the RNs it manages (PCF-to-PCF Handoff)
- via the P-P interface for RNs managed by other PDSNs (PDSN-to-PDSN Handoff)
As soon as the MS goes dormant or disconnects, a new PPP session will be established to the PDSN belonging to that RN = PCF.
[Figure: Mobile Station (MS) -- Radio Network (RN = PCF) -- R-P interface -- PDSN 1 (serving) and PDSN 2 (target), connected by the P-P interface -- Access Provider Network (Visited Network) -- Internet -- End Host.]
Protocol Stack for Simple IP with Fast Handovers [figure only: PDSN 1, PDSN 2]
Mobile IP
With Mobile IP the user is able to maintain a persistent IP address even when handing off between RNs connected to different PDSNs.
Mobile IPv4 provides the user IP routing service to a public IP network and/or a private network securing the traffic.
Mobile IP is based on tunnels between a PDSN (Foreign Agent = FA) and a Home Agent (HA). The PDSN is always located in the Visited Network (= Serving Network); the HA can be located in a remote Home Network (when roaming).
Mobile IPv4 architecture
[Figure: Mobile Station (MS) -- PDSN (Foreign Agent = FA) in the Visited Network -- Visited RADIUS (VAAA) -- Broker RADIUS (BAAA) -- Home RADIUS (HAAA) and Home Agent (HA) in the Home Network; Mobile IPv4 tunnel between the PDSN and the HA.]
The HA will:
- assign the IP address to the user in the Home Network
- route the user's traffic: upstream, to the destination IP address in the end system; downstream, tunnel it to the PDSN (registered care-of address)
The PDSN will tunnel all user traffic, without analyzing or routing it.
Home Agent selection
The user has the option during Mobile IP handshaking (RRQ message) to:
- select one specific Home Agent (HA)
- select one specific IP address in the Home Network (Home Address), to keep the previous address in a different PDSN
For dynamic assignment, the Home RADIUS server will do the assignment:
- the HA assignment, in the Access-Request coming from the PDSN
- the Home Address IP assignment, in the Access-Request coming from the HA
Reference Model for Mobile IP access (IS-835-C) [figure only]
Protocol Stack for Mobile IP Bearer Data [figure only]
Protocol Stack for Mobile IP Control & IKE [figure only]
General User Authentication
The user authentication is done with Mobile IP AAA extensions:
- MN-NAI: used to identify the user with a Network Access Identifier (= User-Name)
- MN-FA, MN-AAA or MN-HA extension, which has 2 fields (SPI & authenticator):
  - SPI (Security Parameter Index): an identifier of a security association (key) used between the user (MN) and the AAA (or HA) to "sign" the message. There is a special value CHAP_SPI (= 2), meaning there is only 1 key shared between the MN and the HA or AAA.
  - Authenticator field: "signature" of the message (MD5) using the secret key identified by the SPI
General PPP authentication (PAP or CHAP) is not recommended with Mobile IP, as it represents double authentication, with twice the amount of RADIUS packets and extra delays.
[Figure: Mobile IP authentication flow. Mobile Station (MS) -- PDSN (Foreign Agent = FA, 2.2.2.2) in the Visited Network -- Visited RADIUS (VAAA) -- Broker RADIUS (BAAA) -- Home RADIUS (HAAA) and Home Agent (HA, 3.3.3.3) in the Home Network; home address 3.3.3.33.]
MIP RRQ (Registration Request) from the MS:
  Home Agent = 0.0.0.0 | 3.3.3.3
  Home Addr. = 0.0.0.0 | 3.3.3.33
  Care-Of-Address = <to be added by the FA>
  Lifetime = 3600
  MN-NAI = mobile1@home1.net
  MN-AAA = {SPI=CHAP_SPI, Auth=09ba7x…8}
  MN-HA = {SPI=1000, Auth=8888..77}
RADIUS Access-Request coming from the PDSN:
  User-Name = mobile1@home1.net
  CHAP-Password = 09ba7x…8
  CHAP-Challenge = abcdef123..9
  NAS-IP-Address = 2.2.2.2
  [3GPP2-FA-Address = 2.2.2.2]
  3GPP2-Home-Agent-Address = 0.0.0.0
  Framed-IP-Address = 3.3.3.33 | 0.0.0.0
  3GPP2-Security-Level = IPSEC_FOR_REG
  [3GPP2-Pre-Shared-Secret-Request = TRUE]
  3GPP2-Correlation-Id =
  Calling-Station-Id = 1-555-123456
RADIUS Access-Accept from the HAAA:
  3GPP2-Home-Agent-Address = 3.3.3.3
  [3GPP2-Pre-Shared-Secret = 987CDA..88]
  [3GPP2-Key-Id = 444422225555]
  3GPP2-Session-Term-Capability = Dynamic-Auth
  Service-Type = Framed-User
  Framed-Protocol = PPP
  Framed-IP-Address = 3.3.3.33
  3GPP2-Reverse-Tunnel-Spec = Required
Special RADIUS Auth attributes for Mobile IP (I)
From/to the PDSN:
- 3GPP2-FA-Address: IP address of the PDSN (FA). If not included, the PDSN IP address should come in the NAS-IP-Address AVP.
- Framed-IP-Address: Home Address (static, or dynamic = 0.0.0.0) requested/assigned to the user
- 3GPP2-Home-Agent-Address: Home Agent requested by the user, static or dynamic (0.0.0.0) to be assigned by the RADIUS server
- 3GPP2-Security-Level: to know if IPsec will be used for the tunnel. Values: IPSEC_FOR_REG, IPSEC_FOR_TUNNELS, IPSEC_FOR_BOTH, NO_IP_SECURITY
- 3GPP2-Pre-Shared-Secret-Request: if IPsec is used, to request the IKE pre-shared key (if X.509 is not used)
- 3GPP2-Pre-Shared-Secret & 3GPP2-Key-Id (e.g. 444422225555): for the RADIUS server to pass the IKE pre-shared key, if X.509 is not used
Special RADIUS Auth attributes for Mobile IP (II)
- 3GPP2-Session-Term-Capability: for the AAA server and PDSN to inform whether they support Session Termination Capabilities (Disconnect (40) RADIUS packet)
- 3GPP2-Correlation-Id
- NAS-Port-Type: to indicate the air technology used: CDMA2000 (22), 1xEV (24), also known as HSPD (High Speed Rate Packet Data)
Re-authentication
As in Mobile IP the registration is only valid for a Lifetime, the user might have to re-register his/her Home IP address with the Home Agent (HA). A user session might imply several RADIUS Access-Requests at different moments in time.
In the re-registration, the Home IP address (= Framed-IP-Address AVP) and Home Agent (= 3GPP2-Home-Agent-Address AVP) will be set by the user, with the values previously assigned. In the 1st authentication, those fields can be set to 0.0.0.0, meaning that the RADIUS server should assign them.
IPsec for the tunnel between PDSN and HA
For extra security, the data in the tunnel can be encrypted and/or authenticated.
In IPsec, the tunnel endpoints must be authenticated, by:
- X.509 digital certificates
- a dynamic pre-shared IKE secret distributed by the Home RADIUS server
- a statically configured IKE pre-shared secret
Many users' traffic can be transported over the same tunnel.
RADIUS packets coming from the HA (I)
If the MN "signs" packets, the HA must know the key (for that SPI) used by the user, to be able to verify the MIP packets. In MIP, it is done with the MN-HA extension.
[Figure: Mobile Station (MS) -- PDSN (Foreign Agent = FA, 2.2.2.2) in the Visited Network -- Visited RADIUS (VAAA) -- Broker RADIUS (BAAA) -- Home RADIUS (HAAA) and Home Agent (HA, 3.3.3.3) in the Home Network; home address 3.3.3.33.]
MIP RRQ (Registration Request) from the MS:
  Home Agent = 3.3.3.3
  Home Addr. = 3.3.3.33
  Care-Of-Address = 2.2.2.2
  Lifetime = 3600
  MN-NAI = mobile1@home1.net
  MN-AAA = {SPI=CHAP_SPI, Auth=09ba7x…8}
  MN-HA = {SPI=1000, Auth=8888..77}
Access-Request (1) from the HA:
  NAS-IP-Address = 3.3.3.3
  3GPP2-Foreign-Agent-Address = 2.2.2.2
  User-Name = mobile1@home.net
  3GPP2-MN-HA-SPI = 1000
Access-Response (2) from the HAAA:
  3GPP2-MN-HA-Key = 123123123123
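How the HA uses the key it fetched by SPI to verify the MN-HA extension, as an added example (not code from the page, Alcatel-Lucent or VitalAAA). Assumptions: the authenticator is HMAC-MD5, the Mobile IPv4 default, computed over the Registration Request bytes up to and including this extension's Type, Length and SPI (RFC 3344 type 32); the RRQ body, NAI, SPI and key values are constructed, and the exact on-the-wire layout of the RRQ itself is simplified to an opaque byte string.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

# RFC 3344 Mobile-Home Authentication extension type (assumed layout, see lead-in).
MN_HA_EXT_TYPE = 32
AUTH_LEN = 16           # HMAC-MD5 output
CHAP_SPI = 2            # the page's special value: a single shared key


def covered_bytes(rrq_before_extension: bytes, spi: int) -> bytes:
    """Bytes the authenticator protects: the RRQ so far + Type, Length, SPI of the extension.
    Length field = SPI (4) + authenticator (16)."""
    return rrq_before_extension + struct.pack("!BBI", MN_HA_EXT_TYPE, 4 + AUTH_LEN, spi)


def mn_sign(rrq_before_extension: bytes, spi: int, key: bytes) -> bytes:
    """Mobile node side: produce the MN-HA authenticator."""
    return hmac.new(key, covered_bytes(rrq_before_extension, spi), hashlib.md5).digest()


class HomeAgent:
    """Keys are indexed by (MN-NAI, SPI). In the page's flow they arrive in the
    3GPP2-MN-HA-Key attribute answering the HA's Access-Request that carried
    3GPP2-MN-HA-SPI; this example feeds them in with on_radius_access_accept()."""

    def __init__(self) -> None:
        self.keys: Dict[Tuple[str, int], bytes] = {}

    def on_radius_access_accept(self, nai: str, spi: int, mn_ha_key: bytes) -> None:
        self.keys[(nai, spi)] = mn_ha_key

    def verify_rrq(self, rrq_before_extension: bytes, nai: str, spi: int, authenticator: bytes) -> str:
        key = self.keys.get((nai, spi))
        if key is None:
            return "unknown-spi"          # real HA: ask the HAAA for the key for this SPI
        if len(authenticator) != AUTH_LEN:
            return "malformed"
        expected = hmac.new(key, covered_bytes(rrq_before_extension, spi), hashlib.md5).digest()
        return "ok" if hmac.compare_digest(expected, authenticator) else "bad-authenticator"


if __name__ == "__main__":
    ha = HomeAgent()
    ha.on_radius_access_accept("mobile1@home1.net", 1000, b"constructed-mn-ha-key")
    rrq = b"\x01" + bytes(15) + b"constructed-rrq-fixed-fields"   # constructed RRQ bytes
    auth = mn_sign(rrq, 1000, b"constructed-mn-ha-key")
    print(ha.verify_rrq(rrq, "mobile1@home1.net", 1000, auth))
```

A registration whose SPI is unknown is not rejected outright but reported as such, which is the point where the page's HA-to-HAAA Access-Request is triggered; a bad authenticator with a known key is the case to log and count, since it indicates a replayed or forged registration.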
RADIUS packets coming from the HA (II)
If the HA has to establish an IPsec tunnel with the PDSN (FA), it must request the IKE pre-shared key for that PDSN (= FA).
[Figure: same topology: Mobile Station (MS) -- PDSN (Foreign Agent = FA, 2.2.2.2) -- Visited RADIUS (VAAA) -- Broker RADIUS (BAAA) -- Home RADIUS (HAAA) and Home Agent (HA, 3.3.3.3) in the Home Network; home address 3.3.3.33.]
Access-Request (1) from the HA:
  3GPP2-S-Secret-Request = TRUE
  NAS-IP-Address = 3.3.3.3
  3GPP2-Foreign-Agent-Address = 2.2.2.2
Access-Response (2) from the HAAA:
  3GPP2-S-Secret = xxxxx
  3GPP2-S-Secret-Lifetime = 3600
Accounting
The accounting information is generated by the PDSN, and forwarded to the visited, broker and home RADIUS servers. The accounting information is also called Usage Data Record (UDR).
The PDSN closes a UDR when any of the following events occur:
- An existing R-P or P-P connection is closed.
- Handovers between PCFs, or between PDSNs, etc.
- The PDSN determines the packet data session associated with the correlation ID has ended.
Special RADIUS Acct attributes
- Acct-Session-Id: unique accounting ID created by the serving PDSN that allows start and stop RADIUS records from a single R-P connection or P-P connection to be matched.
- 3GPP2-Correlation-Id: unique accounting ID created by the serving PDSN for each packet data session that allows multiple accounting events for each associated R-P connection or P-P connection to be correlated.
- 3GPP2-Session-Continue (in Acct STOP): when set to 'true', means it is not the end of a session. An Accounting Stop is immediately followed by an Accounting Start record from the same PDSN or a different one. The new Acct Start will have the same 3GPP2-Correlation-Id, but a different Acct-Session-Id.
- 3GPP2-Beginning-Session (in Acct START): when set to 'true', means a new packet data session is established.
Hand-overs (I)
For Radio Networks (Base Stations) belonging to the same PDSN:
- No special procedure is needed, as the tunnel is still valid (between the same PDSN and HA). A different R-P tunnel will be used (GRE).
- A RADIUS Acct Stop and an Acct Start will be generated with different Acct-Session-Id AVPs and a different 3GPP2-R-P-Connection-ID, but the same 3GPP2-Correlation-Id.
- Valid for Simple IP service and Mobile IP service.
For Radio Networks (Base Stations) belonging to different PDSNs:
- The RADIUS server must know the user was previously attached to another PDSN, and must send a RADIUS Disconnect (40) packet to the former PDSN to remove his/her context.
- The 'former' PDSN will send an Acct STOP, and the 'new' PDSN will send an Acct START, with the same 3GPP2-Correlation-Id.
Hand-overs (II): Authentication
[Figure: Mobile Station (MS) -- PDSN 1 (2.2.2.2) and PDSN 2 (2.3.4.5) -- Visited RADIUS (VAAA) -- Broker RADIUS (BAAA) -- Home RADIUS (HAAA) and Home Agent (HA, 3.3.3.3) in the Home Network; home address 3.3.3.33.]
1. Access-Request (1) from PDSN 2: NAS-IP-Address = 2.3.4.5 …
2. Disconnect-Request (40) to PDSN 1:
   NAS-IP-Address = 2.2.2.2
   User-Name =
   Calling-Station-Id = 1-555-123456
   3GPP2-Correlation-Id = xxxx
   3GPP2-Disconnect-Reason = MS-Mobility-Detection
3. Disconnect-Ack (41) from PDSN 1
4. Access-Accept (2) to PDSN 2 …
Hand-overs (II): Accounting
[Figure: Mobile Station (MS) -- PDSN 1 (2.2.2.2) and PDSN 2 (2.3.4.5) -- Visited RADIUS (VAAA) -- Broker RADIUS (BAAA) -- Home RADIUS (HAAA) in the Home Network; home address 3.3.3.33.]
1. Accounting-Request (4) from PDSN 1:
   NAS-IP-Address = 2.2.2.2
   User-Name = mobile@home1.net
   Calling-Station-Id = 1-555-123456
   Acct-Session-Id = 1111
   3GPP2-Session-Continue = TRUE
   3GPP2-Correlation-Id = 12389
   Acct-Input-Octets = 67867867
   Acct-Output-Octets = 78978
4. Accounting-Request (4) from PDSN 2:
   NAS-IP-Address = 2.3.4.5
   User-Name = mobile@home1.net
   Calling-Station-Id = 1-555-123456
   Acct-Session-Id = 2222
   3GPP2-Beginning-Session = FALSE
   3GPP2-Correlation-Id = 12389
IP reachability service (IRS)
So that users (either with Simple IP or Mobile IP) can always be reachable even with dynamic IP address assignment, the RADIUS server must (de)register his/her IP in Dynamic DNS.
The registration is done upon receiving the Accounting START message. The TTL will be 0, so that DNS clients don't cache that FQDN-to-IP mapping.
The deregistration will be done upon receiving the Accounting STOP, only if 3GPP2-Session-Continue = FALSE; otherwise, the user is handing over to another PDSN.
[Figure: PDSN -- Home RADIUS -- DNS server]
Accounting-Request (4) from the PDSN:
  User-Name = mobile1@home1.net
  Acct-Status-Type = Start
  Framed-IP-Address = 3.3.3.33
  3GPP2-IP-Technology = Mobile
  3GPP2-Begin-Session = TRUE
DNS-Update (Add) from the Home RADIUS to the DNS server:
  Add Record = mobile1 A 3.3.3.33
  TTL = 0
  Zone = home1.net
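The accounting correlation rules of the "Special RADIUS Acct attributes" and "Hand-overs" slides, together with the IRS (de)registration rule above, as one added example (not code from the page, Alcatel-Lucent or VitalAAA). The four accounting records are constructed from the hand-over slides (PDSN 1 at 2.2.2.2 stops with Session-Continue = TRUE, PDSN 2 at 2.3.4.5 starts with Beginning-Session = FALSE, same 3GPP2-Correlation-Id 12389); the FQDN derivation user@realm to user.realm is an assumption matching the slide's "mobile1 A 3.3.3.33 in zone home1.net".

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed accounting records, attribute names as on the slides.
SAMPLE_RECORDS = [
    {"Acct-Status-Type": "Start", "NAS-IP-Address": "2.2.2.2", "User-Name": "mobile1@home1.net",
     "Acct-Session-Id": "1111", "3GPP2-Correlation-Id": "12389", "Framed-IP-Address": "3.3.3.33",
     "3GPP2-Beginning-Session": "TRUE"},
    {"Acct-Status-Type": "Stop", "NAS-IP-Address": "2.2.2.2", "User-Name": "mobile1@home1.net",
     "Acct-Session-Id": "1111", "3GPP2-Correlation-Id": "12389", "3GPP2-Session-Continue": "TRUE",
     "Acct-Input-Octets": 67867867, "Acct-Output-Octets": 78978},
    {"Acct-Status-Type": "Start", "NAS-IP-Address": "2.3.4.5", "User-Name": "mobile1@home1.net",
     "Acct-Session-Id": "2222", "3GPP2-Correlation-Id": "12389", "Framed-IP-Address": "3.3.3.33",
     "3GPP2-Beginning-Session": "FALSE"},
    {"Acct-Status-Type": "Stop", "NAS-IP-Address": "2.3.4.5", "User-Name": "mobile1@home1.net",
     "Acct-Session-Id": "2222", "3GPP2-Correlation-Id": "12389", "3GPP2-Session-Continue": "FALSE",
     "Acct-Input-Octets": 1000, "Acct-Output-Octets": 2000},
]


@dataclass
class PacketDataSession:
    correlation_id: str
    user: str
    ip: str
    acct_session_ids: List[str] = field(default_factory=list)   # one per R-P/P-P connection
    input_octets: int = 0
    output_octets: int = 0
    active: bool = True


class AcctCorrelator:
    """One packet data session per 3GPP2-Correlation-Id, spanning several
    Acct-Session-Ids, driving the IRS dynamic DNS add/delete decisions."""

    def __init__(self) -> None:
        self.sessions: Dict[str, PacketDataSession] = {}
        self.dns_updates: List[Tuple[str, str, str, int]] = []   # (op, name, ip, ttl)

    @staticmethod
    def fqdn(nai: str) -> str:
        user, realm = nai.split("@", 1)        # assumption: mobile1@home1.net -> mobile1.home1.net
        return f"{user}.{realm}"

    def handle(self, rec: dict) -> str:
        cid = rec["3GPP2-Correlation-Id"]
        status = rec["Acct-Status-Type"]
        if status == "Start":
            if rec.get("3GPP2-Beginning-Session") == "TRUE" or cid not in self.sessions:
                s = PacketDataSession(cid, rec["User-Name"], rec["Framed-IP-Address"])
                self.sessions[cid] = s
                s.acct_session_ids.append(rec["Acct-Session-Id"])
                # TTL 0: resolvers must not cache a mapping that changes with the session
                self.dns_updates.append(("add", self.fqdn(s.user), s.ip, 0))
                return "new-session"
            s = self.sessions[cid]
            s.acct_session_ids.append(rec["Acct-Session-Id"])
            return "handover-start"            # same session continues on the new PDSN
        if status == "Stop":
            s = self.sessions.get(cid)
            if s is None or not s.active:
                return "orphan-stop"           # Stop for no live session: worth alerting on
            s.input_octets += rec.get("Acct-Input-Octets", 0)
            s.output_octets += rec.get("Acct-Output-Octets", 0)
            if rec.get("3GPP2-Session-Continue") == "TRUE":
                return "handover-stop"         # user is moving to another PDSN; keep the DNS record
            s.active = False
            self.dns_updates.append(("delete", self.fqdn(s.user), s.ip, 0))
            return "session-end"
        return "ignored"


def run(records: List[dict]) -> Tuple[AcctCorrelator, List[str]]:
    correlator = AcctCorrelator()
    return correlator, [correlator.handle(r) for r in records]


if __name__ == "__main__":
    c, outcomes = run(SAMPLE_RECORDS)
    print(outcomes)
    print(c.dns_updates)
```

Volume counters are summed across all Acct-Session-Ids of the session, which is what a per-session (rather than per-connection) usage figure for credit control needs.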
Prepaid users
For pre-paid users, a Credit Control server:
- can be consulted to authorize the connection (Access-Request)
- must be informed of the traffic tx/rx by the user (Accounting-Request)
- may disconnect users based on traffic use (Disconnect-Request)
It was added in IS-835-C.
[Figure: PDSN -- VAAA -- [BAAA] -- HAAA -- CC server; Access-Request, Acct-Request and Disconnect-Request are exchanged between the HAAA and the CC server.]
QoS profiles
In 1xEV rev. A, the possibility to define QoS profiles for the users was added.
This is done with new AVPs returned by the HAAA in the Access-Accept packet:
- 3GPP2-Max-Bandwidth-For-Best-Effort-Traffic
- 3GPP2-Authorized-QoS-Profile-Ids
- 3GPP2-Granted-QoS-Parameters
- Traffic-Class: Unknown, Conversational, Streaming, Interactive, Background

VitalAAA support for IS-835-C
Sample IS-835-C PF
There is a sample PF that can handle all types of RADIUS requests. VitalAAA can behave as:
- Visited AAA (VAAA) & Broker AAA (BAAA): to proxy Auth/Acct requests to the BAAA or HAAA, based on realm, and to proxy Disconnect-Requests coming from the HAAA or BAAA to the PDSN, based on NAS-IP-Address. Additionally for Acct, it also writes the acct data to disk.
- Home AAA (HAAA), receiving requests both from the HA & PDSN
Sample PF for Acct
PDSN overview:
- write accounting record to a detail file
- if start record and begin session:
  - request DHCP if IPv4 address from allocated range
  - add DNS records
- if stop record and not continue:
  - release DHCP if IPv4 address from allocated range
  - delete DNS records
- update DHCP if address from allocated range
HA overview:
- write accounting record to a detail file
Dynamic Auth overview:
- get routes from cache
- forward request to next hop
Sample PF for Auth (I): PDSN overview (I)
- if Service-Type is Authorize-Only:
  - if 3GPP2-PrePaid-Acct-Quota is present: proxy request to PrePaid server
  - else: discard
- else:
  - read user from file, ignoring information for Home Agent
  - authenticate user and process check items
  - if 3GPP2-PrePaid-Acct-Capability is present: proxy request to PrePaid server
  - query USS to see if sessions for different PDSNs exist
  - for each old session: send disconnect message
  - if new PDSN supports disconnect messages: add record for new session to USS
Sample PF for Auth (II): PDSN overview (II)
- if HA address was sent in request: copy address to reply
- else: dynamically assign HA address
- if MN address was sent in request:
  - if dynamically to be assigned: request one from the DHCP server
  - else: discard
- if PDSN requests pre-shared secret for IKE:
  - if user is authorized for IKE: generate keys
Sample PF for Auth (III): PDSN overview (III)
- query USS to see if sessions for different PDSNs exist
- for each old session: send disconnect message
- if new PDSN supports disconnect messages: add record for new session to USS
Sample PF for Auth (III): HA overview
- if asking for S-Secret: return S-Secret and S-Secret-Lifetime
- else if CHAP credentials sent:
  - if MN-HA-SPI sent: check SPI and CHAP
  - else: check CHAP
- else if MN-HA-SPI sent: check SPI
- else: drop request
VitalAAA plug-in support for IS-835-C (I)
To proxy requests (RADIUS plug-in):
- Auth & Acct: pre-paid server for credit control (HAAA)
- Auth & Acct: regular requests from PDSN to HAAA (VAAA & BAAA)
- DynAuth: to proxy Disconnect-Requests towards the PDSN (HAAA, VAAA & BAAA)
To assign dynamic IP addresses to users:
- IPv4: DHCP, ADDRESS or STATESERVER (IPAMv2)
- IPv6: DHCPv6 or STATESERVER (IPAMv2)
To generate the pre-shared key for IKE in the PDSN, according to the formula K = HMAC-MD5 (Home RADIUS IP address | FA IP address | timestamp, 'S'): ReadKeyCache & Hmac plug-ins
VitalAAA plug-in support for IS-835-C (II)
To know if a user was connected in a different PDSN, to be able to send a Disconnect-Request to the "old" PDSN: StateServer & QueryUss plug-ins, with a USS index based on the User-Name.
To send/proxy Disconnect-Requests to the PDSN:
- A cache mechanism in the engine that stores the proxy server (VAAA or BAAA) that forwarded a request from a specific PDSN
- ReadCache plug-in, to be able to read that cache and know which BAAA is able to proxy a packet towards a specific PDSN
- ReadClient, to be able to read the secret of the proxy-RADIUS server or PDSN
- Radius plug-in, to proxy or generate the Disconnect packet
VitalAAA plug-in support for IS-835-C (III)
To write accounting data (UDR):
- to a text file in different formats: Classic, WriteDelimitedFile, WriteFixedFile
- to a database: JDBC
For IP Reachability Service (IRS): UpdateDns, to add/delete a Dynamic DNS record, optionally with DNS security
Storage of users' profiles:
- SQL database: JDBC plug-in
- LDAP directory server: LDAP plug-in
- local text files: ReadUserFile plug-in
Storage of RADIUS servers serving a realm:
- local text file: ReadDelimitedFile or ReadColumnarFile plug-in
- SQL database or LDAP server: JDBC or LDAP plug-ins
PF example for key generation for PDSN (I)
According to the standard the key must be: K = HMAC-MD5 (Home RADIUS IP address | FA IP address | timestamp, 'S')

#------------------------------------------------------------------------------
# Warning:
# If you listen on the wildcard interface packet.Destination-Address will
# be 0.0.0.0, you must listen on a specific address for the key to be correct
#------------------------------------------------------------------------------
getPreSharedSecret1 Method-Type=ReadKeyCache Method-On-Success=getPreSharedSecret2
    ReadKeyCache-KeyName = "${request.3GPP2-FA-Address[fromIpAddr,toHex]:request.NAS-IP-Address[fromIpAddr,toHex]}${reply.3GPP2-Home-Agent-IP-Address[fromIpAddr,toHex]}"
    ReadKeyCache-KeyTimeout = "3600"
    ReadKeyCache-KeySize = "32"
    ReadKeyCache-Map = <<
        ${user.3GPP2-S-Secret} = ${Key};
        ${reply.3GPP2-Key-Id} := "${packet.Destination-Address[fromIpAddr,toHex]}${request.3GPP2-FA-Address[fromIpAddr,toHex]:request.NAS-IP-Address[fromIpAddr,toHex]}${Lifetime[fromDate]}";
    >>
    ReadKeyCache-EntrySkew = "30"
…
PF example for key generation for PDSN (II)
…
#------------------------------------------------------------------------------
# Create a pre-shared secret from Key ID and S-Secret
#------------------------------------------------------------------------------
getPreSharedSecret2 Method-Type=Hmac
    Hmac-Key = "${user.3GPP2-S-Secret}"
    Hmac-Text = "${reply.3GPP2-Key-Id}"
    Hmac-Output = "${reply.3GPP2-Pre-Shared-Secret}"
    Hmac-Hash = "MD5"
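The same derivation carried out end to end, as an added example (not code from the page, Alcatel-Lucent or VitalAAA) serving both the formula on the "plug-in support (I)" slide and the two PF fragments above: the Key-Id is built from the Home RADIUS address, the FA address and a timestamp, the pre-shared secret is HMAC-MD5 keyed with the S-Secret over that Key-Id (the Hmac-Key / Hmac-Text split of getPreSharedSecret2), and the HA, which received the S-Secret and its lifetime from the HAAA, derives the same value. Assumptions: the timestamp is encoded as decimal epoch seconds (the PF derives it from its cache lifetime, encoding unknown), the PDSN presents the Key-Id to the HA during IKE, and all addresses and secrets are constructed.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional, Tuple


def ip_hex(addr: str) -> str:
    """The PF's fromIpAddr,toHex: dotted IPv4 -> 8 hex digits (2.2.2.2 -> 02020202)."""
    return ipaddress.ip_address(addr).packed.hex()


def make_key_id(home_radius_ip: str, fa_ip: str, timestamp: int) -> str:
    """Key-Id = Home RADIUS IP | FA IP | timestamp (timestamp encoding is an assumption)."""
    if ipaddress.ip_address(home_radius_ip).is_unspecified:
        # the PF's warning: listening on the wildcard address yields 0.0.0.0 here
        raise ValueError("listen on a specific address: 0.0.0.0 gives a wrong Key-Id")
    return f"{ip_hex(home_radius_ip)}{ip_hex(fa_ip)}{timestamp}"


def derive_psk(s_secret: bytes, key_id: str) -> bytes:
    """Same step as the Hmac plug-in: HMAC-MD5 keyed with the S-Secret over the Key-Id."""
    return hmac.new(s_secret, key_id.encode("ascii"), hashlib.md5).digest()


class HomeAaa:
    """Owns the S-Secret; gives Key-Id + PSK to the PDSN (3GPP2-Key-Id,
    3GPP2-Pre-Shared-Secret) and the S-Secret + lifetime to the HA
    (3GPP2-S-Secret, 3GPP2-S-Secret-Lifetime), as in the page's two exchanges."""

    def __init__(self, address: str, s_secret: bytes, lifetime: int = 3600) -> None:
        self.address, self.s_secret, self.lifetime = address, s_secret, lifetime

    def access_accept_for_pdsn(self, fa_ip: str, now: int) -> Tuple[str, bytes]:
        key_id = make_key_id(self.address, fa_ip, now)
        return key_id, derive_psk(self.s_secret, key_id)

    def access_accept_for_ha(self, now: int) -> Tuple[bytes, int]:
        return self.s_secret, now + self.lifetime          # secret and its expiry time


class HomeAgent:
    def __init__(self) -> None:
        self.s_secret: Optional[bytes] = None
        self.expires_at = 0

    def learn_s_secret(self, s_secret: bytes, expires_at: int) -> None:
        self.s_secret, self.expires_at = s_secret, expires_at

    def psk_for_ike(self, key_id: str, now: int) -> Optional[bytes]:
        """IKE peer presents its Key-Id; derive the PSK only while the S-Secret is valid."""
        if self.s_secret is None or now >= self.expires_at:
            return None                                     # must re-request from the HAAA
        return derive_psk(self.s_secret, key_id)


if __name__ == "__main__":
    haaa = HomeAaa("4.4.4.4", b"constructed-s-secret")     # constructed HAAA address/secret
    ha = HomeAgent()
    ha.learn_s_secret(*haaa.access_accept_for_ha(now=1_000_000))
    key_id, psk = haaa.access_accept_for_pdsn("2.2.2.2", now=1_000_010)
    print(key_id, ha.psk_for_ike(key_id, now=1_000_020) == psk)
```

Because the Key-Id is sent in the clear, the secrecy of every PSK rests entirely on the S-Secret; rotating it on the 3GPP2-S-Secret-Lifetime, as the expiry check above enforces, bounds how long a leaked S-Secret stays useful.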
Example to proxy Disconnect-Requests (I): Cache information
The internal cache stores the IP address where the RADIUS packet came from, and the NAS-Identifier, NAS-IP-Address or NAS-IPv6-Address. By default, that cache is called NAS_Routes; that name can be changed in the server_properties file.

Name=NAS_Routes
key=nas2 Idle-Timeout=0 Entry-Timeout=0 Client_Address=1.2.3.4 Client_Address=1.2.3.5
key=2.3.4.5 Idle-Timeout=0 Entry-Timeout=0 Client_Address=2.3.4.5
key=3.4.5.6 Idle-Timeout=0 Entry-Timeout=0 Client_Address=4.4.4.4 Client_Address=5.5.5.5
...
Example to proxy Disconnect-Requests (II): Reading the proxy server for a PDSN

# ------------------------------------------------------------------------------
# Check to see if we have a reverse routing record.
# Records contain one or more addresses of clients that have sent requests for a given NAS.
# Route records automatically collected if server property Cache_NAS_Routes = TRUE
# ------------------------------------------------------------------------------
proxyDynamicAuth Method-Type=ReadCache Method-On-Success=proxyDynamicAuthLoop Method-On-Failure=tryNasIpAddress
    ReadCache-CacheName = "${server.NAS_Routes_Cache_Name}"
    ReadCache-SearchKey = "${request.NAS-Identifier:request.NAS-IP-Address:request.NAS-IPv6-Address}"
    ReadCache-Map = "${user.Client-Address} = ${Client-Address};"
    ReadCache-NewUser = "FALSE"

tryNasIpAddress Method-Type=ReadCache Method-On-Success=proxyDynamicAuthLoop Method-On-Failure=tryNasIpV6Address
    ReadCache-CacheName = "${server.NAS_Routes_Cache_Name}"
    ReadCache-SearchKey = "${request.NAS-IP-Address:request.NAS-IPv6-Address}"
    ReadCache-Map = "${user.Client-Address} = ${Client-Address};"
    ReadCache-NewUser = "FALSE"

tryNasIpV6Address Method-Type=ReadCache Method-On-Success=proxyDynamicAuthLoop Method-On-Failure=nakUnrouteable
    ReadCache-CacheName = "${server.NAS_Routes_Cache_Name}"
    ReadCache-SearchKey = "${request.NAS-IPv6-Address:\"missing\"}"
    ReadCache-Map = "${user.Client-Address} = ${Client-Address};"
    ReadCache-NewUser = "FALSE"
Example to proxy Disconnect-Requests (III): Reading information for each proxy-server

proxyDynamicAuthLoop Method-Type=Branch
    Branch-Case = <<
        0 nakUnrouteable
        * readServerData
    >>
    Branch-SearchKey = "${user.Client-Address[COUNT]}"

readServerData Method-Type=ReadClient Method-On-Success=sendDynamicAuth Method-On-Failure=nakUnrouteable
    ReadClient-SearchKey = "${user.Client-Address[FIRST]}"
    ReadClient-Map = <<
        ${user.Server-Address} := ${va.user.Client-Address[FIRST]};
        ${user.Server-Secret} := ${Client-Secret};
        ${user.Server-Dictionary} := ${Client-Dictionary:"#default"};
        ${user.Server-CharSet} := ${Radius_CharSet:va.server.Radius_CharSet};
        ${user.Server-Timeout} := ${Client_Timeout:va.server.Client_Timeout};
        ${user.Server-Retries} := ${Dynamic-Auth-Retries:"0"};
        ${user.Dynamic-Auth-Port} := ${Dynamic-Auth-Port:"3799"};
        DELETE ${user.Client-Address[FIRST]};
    >>

sendDynamicAuth Method-Type=Radius Method-On-Error=proxyDynamicAuthLoop
    Radius-ServerAddress = "${user.Server-Address}:${user.Dynamic-Auth-Port}"
    …
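The reverse-route lookup and retry loop of the three PF fragments above, plus the Disconnect-Request the Radius plug-in finally sends, as an added example (not code from the page, Alcatel-Lucent or VitalAAA). The NAS_Routes table is copied from the cache dump on the "Cache information" slide; the client secrets are constructed; the lookup order (NAS-Identifier, NAS-IP-Address, NAS-IPv6-Address), the "try the next client on send error, give up on a ReadClient miss" behaviour and port 3799 follow the PF, and the packet format and Request Authenticator follow RFC 5176.

```python
import hashlib
import hmac
import struct
from typing import Callable, Dict, List, Optional, Tuple

# Copied from the slide's NAS_Routes dump: key -> client addresses that forwarded
# requests for that NAS (the reverse route back towards a PDSN).
NAS_ROUTES: Dict[str, List[str]] = {
    "nas2": ["1.2.3.4", "1.2.3.5"],
    "2.3.4.5": ["2.3.4.5"],
    "3.4.5.6": ["4.4.4.4", "5.5.5.5"],
}
# Constructed client table, what ReadClient returns: address -> (shared secret, dynamic-auth port)
CLIENTS: Dict[str, Tuple[bytes, int]] = {
    "2.3.4.5": (b"constructed-pdsn-secret", 3799),
    "1.2.3.4": (b"constructed-baaa-secret", 3799),
    "4.4.4.4": (b"constructed-vaaa-secret", 3799),
}
DISCONNECT_REQUEST = 40
ATTR = {"User-Name": 1, "NAS-IP-Address": 4, "Calling-Station-Id": 31, "Acct-Session-Id": 44}


def find_routes(request: Dict[str, str]) -> List[str]:
    """Same key order as proxyDynamicAuth -> tryNasIpAddress -> tryNasIpV6Address."""
    for name in ("NAS-Identifier", "NAS-IP-Address", "NAS-IPv6-Address"):
        key = request.get(name)
        if key and key in NAS_ROUTES:
            return list(NAS_ROUTES[key])
    return []                                          # nakUnrouteable


def encode_attr(name: str, value: bytes) -> bytes:
    return struct.pack("!BB", ATTR[name], 2 + len(value)) + value


def build_disconnect_request(ident: int, attrs: List[Tuple[str, bytes]], secret: bytes) -> bytes:
    """RFC 5176: Request Authenticator = MD5(Code | ID | Length | 16 zero octets | Attributes | Secret)."""
    body = b"".join(encode_attr(n, v) for n, v in attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def check_disconnect_request(packet: bytes, secret: bytes) -> bool:
    """Receiver side (PDSN or proxy): verify the authenticator before tearing down a session."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def proxy_disconnect(request: Dict[str, str], attrs: List[Tuple[str, bytes]],
                     send: Callable[[str, int, bytes], bool]) -> Optional[str]:
    """proxyDynamicAuthLoop: try each route candidate in order; a send error moves to the
    next one, a missing client entry (ReadClient failure) ends in nakUnrouteable."""
    for ident, candidate in enumerate(find_routes(request), start=1):
        if candidate not in CLIENTS:
            return None
        secret, port = CLIENTS[candidate]
        if send(candidate, port, build_disconnect_request(ident, attrs, secret)):
            return candidate
    return None


if __name__ == "__main__":
    attrs = [("NAS-IP-Address", bytes([2, 2, 2, 2])), ("User-Name", b"mobile1@home1.net")]
    print(proxy_disconnect({"NAS-IP-Address": "2.3.4.5"}, attrs, lambda a, p, pkt: True))
```

A receiving PDSN that skips check_disconnect_request would let any host able to reach UDP 3799 drop subscriber sessions, so the secret check is the one step not to leave out.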
Example to add/delete entries in DDNS
It can be done either for A (IPv4) or AAAA (IPv6) records. A KeyName and KeyData must be provided to the DNS server to be able to update DNS records.

xdelIPv4DnsRecord Method-Type=UpdateDns Method-On-Success=done
    UpdateDns-ServerAddress = "10.30.0.41"
    UpdateDns-KeyName = "key1"
    UpdateDns-KeyData = "111111111111111111111w=="
    UpdateDns-Zone = "${packet.User-Realm}."
    UpdateDns-DeleteRecord = "${packet.Base-User-Name} A ${request.Framed-IP-Address}"

delIPv6DnsRecord Method-Type=UpdateDns Method-On-Success=done
    UpdateDns-ServerAddress = "10.30.0.41"
    UpdateDns-KeyName = "key1"
    UpdateDns-KeyData = "111111111111111111111w=="
    UpdateDns-Zone = "${packet.User-Realm}."
    UpdateDns-DeleteRecord = "${packet.Base-User-Name} AAAA ${packet.Framed-IPv6-Address[first]}"