CDMA2000/1xEVDO RADIUS Overview



2 | CDMA2000 EVDO Overview All Rights Reserved © Alcatel-Lucent 2007

Module Objectives
- Understand the architecture for CDMA2000 EVDO
- Understand the RADIUS protocol support for CDMA2000 EVDO


CDMA2000/1xEVDO
CDMA2000/1xEVDO is the packet data access used for CDMA2000 and 1xEVDO. The standards are proposed by 3GPP2.
Two main access types:
- Simple IP service
  – connects the user to the visited network (when roaming) and to the Internet, with either IPv4 or IPv6
  – NO IP address mobility beyond the radio networks (RNs) served by the same PDSN within one provider network
- Mobile IP service
  – a Mobile IP tunnel is established between the serving PDSN (FA) and the Home Agent (HA)
  – the user appears to be connected to his/her home network/intranet
  – only IPv4 is allowed
  – mobility is kept even between PDSNs belonging to different provider networks
  – the user keeps his/her IP address, assigned by the home network


Simple IP Service (IPv4 & IPv6)
A Mobile Station (MS) is assigned an IP address (an IPv4 address or an IPv6 /64 prefix) and is provided IP routing service by an access provider network.
The MS retains its IP address as long as it is served by a radio network (RN) that has connectivity to the address-assigning PDSN. Handovers are possible between RNs belonging to the same PDSN.
There is no IP address mobility beyond this PDSN.

Figure: Mobile Station (MS) -> radio interface -> Radio Network (RN = PCF) -> R-P interface (A10, GRE tunnel) -> PDSN -> Access Provider Network (Visited Network) -> Internet -> End Host. PPP between the MS and the PDSN carries the IP address assignment; the user's IP traffic (IPv4 or IPv6) rides on top of it.


Protocol Stack for Simple IP service


RADIUS Authentication & Accounting
The user is authenticated by the Home RADIUS server (HAAA), where his/her user profile is stored.
The IP address assigned must be routable (and assigned) in the Visited Network by the PDSN that first assigned it to the user.
Optionally, proxy RADIUS (broker) servers may be used to interconnect the V-AAA and the H-AAA.

Figure: Mobile Station (MS) -> RADIUS client (PDSN) -> Visited RADIUS (VAAA) -> Broker RADIUS (BAAA) -> Home RADIUS (HAAA). The PDSN and the VAAA sit in the Visited Network, the HAAA in the Home Network.


RADIUS attributes for Simple IP service
User authentication can be done either with CHAP (preferred) or with PAP.
As the RADIUS Access-Request is sent before IPCP (IPv4) or IPv6CP, the RADIUS server does not know whether the MS (user) will use IPv4 or IPv6. It can return 1 IPv4 address and 1 IPv6 prefix and let the MS choose which one to use.
Based on the Accounting Start packet, which reports the address actually taken, the unused address should be released.
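The CHAP exchange and the Access-Request/Access-Accept pair described above, as an added example in Python that is not part of the original deck or of VitalAAA. The PDSN (RADIUS client) builds the Access-Request with CHAP-Password, CHAP-Challenge, NAS-IP-Address and a 3GPP2-Correlation-Id VSA; the home AAA recomputes the CHAP response from the stored password; the Access-Accept carries both a Framed-IP-Address and a Framed-IPv6-Prefix as the slide describes, and the PDSN verifies the Response Authenticator before trusting the reply. Attribute numbers follow RFC 2865 and RFC 3162; the 3GPP2 vendor id (5535) is the IANA enterprise number, and the sub-type 44 for 3GPP2-Correlation-Id is taken from common RADIUS dictionaries and should be checked against yours. The NAI, password, addresses and shared secret are constructed.

```python
import hashlib
import hmac
import os
import struct

# Added example, not code from the deck or from VitalAAA. Standard attribute numbers
# are from RFC 2865 / RFC 3162; the 3GPP2 vendor id is IANA enterprise number 5535;
# the VSA sub-type for 3GPP2-Correlation-Id (44) is assumed from common dictionaries.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 3, 4, 8
VENDOR_SPECIFIC, CHAP_CHALLENGE, FRAMED_IPV6_PREFIX = 26, 60, 97
VENDOR_3GPP2, VSA_CORRELATION_ID = 5535, 44


def avp(atype, value):
    """Encode one attribute as Type | Length | Value (Length counts the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor, subtype, value):
    """Vendor-Specific attribute (26) wrapping one vendor sub-attribute in TLV form."""
    return avp(VENDOR_SPECIFIC, struct.pack("!I", vendor) + avp(subtype, value))


def ip4(addr):
    return bytes(int(o) for o in addr.split("."))


def chap_response(ident, password, challenge):
    """RFC 1994: Response = MD5(Identifier | secret | Challenge); RADIUS carries Identifier | Response."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def parse_attrs(data):
    """Walk the attribute list; a Length < 2 would loop forever, so reject it."""
    attrs, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def pdsn_access_request(nai, password, nas_ip, correlation_id, ident=7, rng=os.urandom):
    """What the PDSN sends before IPCP/IPv6CP: CHAP credentials plus the 3GPP2 correlation id."""
    req_auth, challenge = rng(16), rng(16)
    attrs = [avp(USER_NAME, nai.encode()),
             avp(CHAP_PASSWORD, chap_response(ident, password, challenge)),
             avp(CHAP_CHALLENGE, challenge),
             avp(NAS_IP_ADDRESS, ip4(nas_ip)),
             vsa(VENDOR_3GPP2, VSA_CORRELATION_ID, correlation_id)]
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def haaa_verify_chap(packet, user_db):
    """Home AAA side: recompute the CHAP response from the stored clear-text password."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        return False
    attrs = dict(parse_attrs(packet[20:length]))
    nai = attrs.get(USER_NAME, b"").decode(errors="replace")
    chap = attrs.get(CHAP_PASSWORD, b"")
    if nai not in user_db or len(chap) != 17:
        return False
    # RFC 2865 5.40: without a CHAP-Challenge attribute the Request Authenticator is the challenge
    challenge = attrs.get(CHAP_CHALLENGE, packet[4:20])
    expected = chap_response(chap[0], user_db[nai], challenge)
    return hmac.compare_digest(chap, expected)


def haaa_access_accept(request, shared_secret, reply_attrs):
    """Access-Accept with the RFC 2865 Response Authenticator:
    MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    ident, req_auth = request[1], request[4:20]
    body = b"".join(reply_attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + req_auth + body + shared_secret).digest()
    return header + resp_auth + body


def pdsn_check_reply(reply, request, shared_secret):
    """PDSN side: a reply whose Response Authenticator does not verify must be dropped,
    otherwise anyone able to spoof the AAA address can hand out Access-Accepts."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + shared_secret).digest()
    return hmac.compare_digest(reply[4:20], expected)


def simple_ip_accept(request, shared_secret, v4_addr, v6_prefix):
    """The case on this slide: return an IPv4 address and an IPv6 /64 prefix and let the MS pick."""
    prefix = bytes([0, 64]) + v6_prefix  # Framed-IPv6-Prefix: reserved byte, prefix length, prefix
    return haaa_access_accept(request, shared_secret,
                              [avp(FRAMED_IP_ADDRESS, ip4(v4_addr)), avp(FRAMED_IPV6_PREFIX, prefix)])
```

The server never receives the password in the Access-Request, only the MD5 response, which is why the home AAA must hold the clear-text password (or an equivalent) for CHAP users; that store is the asset to protect.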


Fast Handoff with Simple IP
As the IP address is only routable by the PDSN that originally assigned it, that PDSN must receive all of the user's packets:
- via the R-P interface for the RNs it manages (PCF-to-PCF handoff)
- via the P-P interface for RNs managed by another PDSN (PDSN-to-PDSN handoff)
As soon as the MS goes dormant or disconnects, a new PPP session is established to the PDSN belonging to the current RN (PCF).

Figure: Mobile Station (MS) -> Radio Networks (RN = PCF) -> R-P interfaces to PDSN 1 (serving) and PDSN 2 (target), which are joined by the P-P interface -> Access Provider Network (Visited Network) -> Internet -> End Host.


Protocol Stack for Simple IP with Fast Handovers



Mobile IP
With Mobile IP the user is able to maintain a persistent IP address even when handing off between RNs connected to different PDSNs.
Mobile IPv4 provides the user IP routing service to a public IP network and/or a private network, securing the traffic.
Mobile IP is based on tunnels between a PDSN (Foreign Agent = FA) and a Home Agent (HA):
- the PDSN is always located in the Visited Network (= Serving Network)
- the HA can be located in a remote Home Network (when roaming)


Mobile IPv4 architecture

Figure: Mobile Station (MS) -> PDSN (Foreign Agent = FA) -> Visited RADIUS (VAAA) -> Broker RADIUS (BAAA) -> Home RADIUS (HAAA) -> Home Agent (HA); a Mobile IPv4 tunnel runs between the PDSN (Visited Network) and the HA (Home Network).

The HA will:
- assign the IP address to the user in the Home Network
- route the user's traffic: upstream, to the destination IP address in the end system; downstream, tunnel it to the PDSN (the registered care-of address)
The PDSN tunnels all user traffic without analyzing or routing it.


Home Agent selection
During the Mobile IP handshake (RRQ message) the user has the option to:
- select one specific Home Agent (HA)
- select one specific IP address in the Home Network (Home Address), e.g. to keep the previous address when attaching through a different PDSN
For dynamic assignment, the Home RADIUS server does the assignment:
- the HA assignment in the Access-Request coming from the PDSN
- the Home Address IP assignment in the Access-Request coming from the HA


Reference Model for Mobile IP access (IS-835-C)


Protocol Stack for Mobile IP Bearer Data


Protocol Stack for Mobile IP Control & IKE


General User Authentication
User authentication is done with the Mobile IP AAA extensions:
- MN-NAI: identifies the user with a Network Access Identifier (= User-Name)
- MN-FA, MN-AAA or MN-HA extension, each with 2 fields (SPI & authenticator):
  – SPI (Security Parameter Index): identifies the security association (key) used between the user (MN) and the AAA (or HA) to "sign" the message. There is a special value, CHAP_SPI (= 2), meaning there is only one key shared between the MN and the HA or AAA
  – Authenticator: the "signature" of the message (MD5-based) computed with the secret key selected by the SPI
General PPP authentication (PAP or CHAP) is not recommended together with Mobile IP, as it means double authentication, twice the number of RADIUS packets and extra delay.


RADIUS packet coming from the PDSN

Figure: Mobile Station (MS) -> PDSN (Foreign Agent = FA, 2.2.2.2) -> Visited RADIUS (VAAA) -> Broker RADIUS (BAAA) -> Home RADIUS (HAAA) -> Home Agent (HA, 3.3.3.3); the user's Home Address is 3.3.3.33.

MIP RRQ (Registration Request), MS -> PDSN:
  Home Agent = 0.0.0.0 | 3.3.3.3
  Home Addr. = 0.0.0.0 | 3.3.3.33
  Care-Of-Address = <to be added by the FA>
  MN-NAI = mobile1@home1.net
  MN-AAA = {SPI=CHAP_SPI, Auth=09ba7x…8}
  MN-HA = {SPI=1000, Auth=8888..77}

Access-Request (1), PDSN -> HAAA (the MN-AAA authenticator is carried as the CHAP response):
  User-Name = mobile1@home1.net
  CHAP-Password = 09ba7x…8
  CHAP-Challenge = abcdef123..9
  NAS-IP-Address = 2.2.2.2
  [3GPP2-FA-Address = 2.2.2.2]
  3GPP2-Home-Agent-Address = 0.0.0.0
  Framed-IP-Address = 3.3.3.33 | 0.0.0.0
  3GPP2-Security-Level = IPSEC_FOR_REG
  [3GPP2-Pre-Shared-Secret-Request = TRUE]
  3GPP2-Correlation-Id =
  Calling-Station-Id = 1-555-123456

Access-Accept (2), HAAA -> PDSN:
  3GPP2-Home-Agent-Address = 3.3.3.3
  [3GPP2-Pre-Shared-Secret = 987CDA..88]
  [3GPP2-Key-Id = 444422225555]
  3GPP2-Session-Term-Capability = Dynamic-Auth
  Service-Type = Framed-User
  Framed-Protocol = PPP
  Framed-IP-Address = 3.3.3.33
  3GPP2-Reverse-Tunnel-Spec = Required


Special RADIUS Auth attributes for Mobile IP (I)
From/to the PDSN:
- 3GPP2-FA-Address: IP address of the PDSN (FA). If not included, the PDSN IP address should come in the NAS-IP-Address AVP
- Framed-IP-Address: Home Address (static, or dynamic = 0.0.0.0) requested/assigned to the user
- 3GPP2-Home-Agent-Address: Home Agent requested by the user; static, or dynamic (0.0.0.0) to be assigned by the RADIUS server
- 3GPP2-Security-Level: whether IPsec will be used for the tunnel. Values: IPSEC_FOR_REG, IPSEC_FOR_TUNNELS, IPSEC_FOR_BOTH, NO_IP_SECURITY
- 3GPP2-Pre-Shared-Secret-Request: if IPsec is used, requests the IKE pre-shared key (when X.509 certificates are not used)
- 3GPP2-Pre-Shared-Secret & 3GPP2-Key-Id (e.g. 444422225555): for the RADIUS server to pass the IKE pre-shared key (when X.509 certificates are not used)


Special RADIUS Auth attributes for Mobile IP (II)
- 3GPP2-Session-Term-Capability: for the AAA server and the PDSN to inform each other whether they support Session Termination (the RADIUS Disconnect-Request (40) packet)
- 3GPP2-Correlation-Id
- NAS-Port-Type: indicates the air technology used: CDMA2000 (22) or 1xEV (24), also known as HRPD (High Rate Packet Data)


Re-authentication
As in Mobile IP the registration is only valid for a Lifetime, the user might have to re-register his/her Home IP address with the Home Agent (HA). A user session might therefore imply several RADIUS Access-Requests at different moments in time.
In the re-registration, the Home IP address (= Framed-IP-Address AVP) and the Home Agent (= 3GPP2-Home-Agent-Address AVP) are set by the user to the values previously assigned. In the first authentication those fields can be 0.0.0.0, meaning that the RADIUS server should assign them.


IPsec for the tunnel between PDSN and HA
For extra security, the data in the tunnel can be encrypted and/or authenticated.
In IPsec, the tunnel endpoints must be authenticated, by one of:
- X.509 digital certificates
- a dynamic IKE pre-shared secret distributed by the Home RADIUS server
- a statically configured IKE pre-shared secret
Many users' traffic can be transported over the same tunnel.


RADIUS packets coming from the HA (I)
If the MN "signs" packets, the HA must know the key (for that SPI) used by the user, to be able to verify the MIP packets. In MIP, this is done with the MN-HA extension.

Figure: Mobile Station (MS) -> PDSN (Foreign Agent = FA, 2.2.2.2) -> Visited RADIUS (VAAA) -> Broker RADIUS (BAAA) -> Home RADIUS (HAAA) -> Home Agent (HA, 3.3.3.3); Home Address 3.3.3.33.

MIP RRQ (Registration Request), MS -> PDSN -> HA:
  Home Agent = 3.3.3.3
  Home Addr. = 3.3.3.33
  Care-Of-Address = 2.2.2.2
  Lifetime = 3600
  MN-NAI = mobile1@home1.net
  MN-AAA = {SPI=CHAP_SPI, Auth=09ba7x…8}
  MN-HA = {SPI=1000, Auth=8888..77}

Access-Request (1), HA -> HAAA:
  NAS-IP-Address = 3.3.3.3
  3GPP2-Foreign-Agent-Address = 2.2.2.2
  User-Name = mobile1@home1.net
  3GPP2-MN-HA-SPI = 1000

Access-Accept (2), HAAA -> HA:
  3GPP2-MN-HA-Key = 123123123123
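The MN-HA check the HA performs, as an added Python example that is not part of the original deck or of VitalAAA. The mobile node builds a Mobile IPv4 Registration Request with an MN-NAI extension and an MN-HA Authentication extension; the HA parses it, fetches the key for (NAI, SPI) through a stand-in for the Access-Request/Access-Accept exchange above (3GPP2-MN-HA-SPI in, 3GPP2-MN-HA-Key out), and recomputes the authenticator. Extension types (MN-NAI 131, MN-HA 32) and the default HMAC-MD5 algorithm follow RFC 2794 and RFC 3344; the addresses, NAI, SPI and key are constructed and the AAA is a dict.

```python
import hashlib
import hmac
import struct

# Added example, not code from the deck or from VitalAAA. Extension types follow
# RFC 2794 (MN-NAI, 131) and RFC 3344 (Mobile-Home Authentication, 32); the AAA
# lookup is a dict standing in for the RADIUS exchange shown on the slide.
RRQ_TYPE, EXT_MN_NAI, EXT_MN_HA = 1, 131, 32


def ip4(addr):
    return bytes(int(o) for o in addr.split("."))


def mn_ha_authenticator(key, protected):
    """RFC 3344 3.5.1 default: HMAC-MD5 over the RRQ fixed part, all prior extensions,
    and the Type, Length and SPI of the MN-HA extension itself."""
    return hmac.new(key, protected, hashlib.md5).digest()


def build_rrq(home_addr, home_agent, coa, lifetime, identification, nai, spi, key):
    """Mobile node side: 24-byte fixed header + MN-NAI extension + MN-HA extension."""
    fixed = struct.pack("!BBH4s4s4s8s", RRQ_TYPE, 0, lifetime,
                        ip4(home_addr), ip4(home_agent), ip4(coa), identification)
    nai_ext = bytes([EXT_MN_NAI, len(nai)]) + nai.encode()
    mn_ha_hdr = bytes([EXT_MN_HA, 20]) + struct.pack("!I", spi)  # 4-byte SPI + 16-byte authenticator
    protected = fixed + nai_ext + mn_ha_hdr
    return protected + mn_ha_authenticator(key, protected)


def parse_rrq(msg):
    """Return (fixed fields, [(type, offset of value, value)]); raise on malformed input."""
    if len(msg) < 24 or msg[0] != RRQ_TYPE:
        raise ValueError("not a registration request")
    fields = struct.unpack("!BBH4s4s4s8s", msg[:24])
    exts, i = [], 24
    while i < len(msg):
        if i + 2 > len(msg):
            raise ValueError("truncated extension")
        etype, elen = msg[i], msg[i + 1]
        if i + 2 + elen > len(msg):
            raise ValueError("extension overruns message")
        exts.append((etype, i + 2, msg[i + 2:i + 2 + elen]))
        i += 2 + elen
    return fields, exts


def haaa_mn_ha_key(aaa_db, nai, spi):
    """Stand-in for the HA's Access-Request carrying 3GPP2-MN-HA-SPI: the reply's
    3GPP2-MN-HA-Key is the key for that SA, or None if the AAA does not know the SPI."""
    return aaa_db.get((nai, spi))


def ha_verify_rrq(msg, aaa_db):
    """Home Agent side. Returns (ok, reason)."""
    try:
        fields, exts = parse_rrq(msg)
    except ValueError as e:
        return False, str(e)
    nai = next((v.decode(errors="replace") for t, _, v in exts if t == EXT_MN_NAI), None)
    if nai is None:
        return False, "missing MN-NAI"
    for etype, off, value in exts:
        if etype != EXT_MN_HA:
            continue
        if len(value) != 20:
            return False, "bad MN-HA length"
        spi = struct.unpack("!I", value[:4])[0]
        key = haaa_mn_ha_key(aaa_db, nai, spi)
        if key is None:
            return False, "unknown SPI %d for %s" % (spi, nai)
        # everything up to and including this extension's SPI is covered by the HMAC
        expected = mn_ha_authenticator(key, msg[:off + 4])
        if not hmac.compare_digest(expected, value[4:]):
            return False, "MN-HA authenticator mismatch"
        return True, "lifetime=%d" % fields[2]
    return False, "missing MN-HA extension"
```

The HA only learns the key after the AAA round trip, so an attacker who cannot reach the AAA cannot forge a registration even if they know the user's NAI and SPI; conversely, a stale or unknown SPI is a hard failure, not a fall-through to "accept".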


RADIUS packet coming from the HA (II)
If the HA has to establish an IPsec tunnel with the PDSN (FA), it must request the S-Secret from which the IKE pre-shared key for that PDSN is derived.

Figure: same Mobile IPv4 architecture (MS -> PDSN/FA 2.2.2.2 -> VAAA -> BAAA -> HAAA -> HA 3.3.3.3; Home Address 3.3.3.33).

Access-Request (1), HA -> HAAA:
  3GPP2-S-Secret-Request = TRUE
  NAS-IP-Address = 3.3.3.3
  3GPP2-Foreign-Agent-Address = 2.2.2.2

Access-Accept (2), HAAA -> HA:
  3GPP2-S-Secret = xxxxx
  3GPP2-S-Secret-Lifetime = 3600


Accounting
The accounting information is generated by the PDSN and forwarded to the visited, broker and home RADIUS servers.
The accounting information is also called a Usage Data Record (UDR).
The PDSN closes a UDR when any of the following events occur:
- an existing R-P or P-P connection is closed
- handovers between PCFs, or between PDSNs, etc.
- the PDSN determines that the packet data session associated with the correlation ID has ended


Special RADIUS Acct attributes
- Acct-Session-Id: unique accounting ID created by the serving PDSN that allows the Start and Stop RADIUS records of a single R-P or P-P connection to be matched
- 3GPP2-Correlation-Id: unique accounting ID created by the serving PDSN for each packet data session, which allows the multiple accounting events of the associated R-P or P-P connections to be correlated
- 3GPP2-Session-Continue (in Acct Stop): when set to 'true', this is not the end of the session. The Accounting Stop is immediately followed by an Accounting Start record from the same PDSN or a different one; the new Acct Start has the same 3GPP2-Correlation-Id but a different Acct-Session-Id
- 3GPP2-Beginning-Session (in Acct Start): when set to 'true', a new packet data session is being established


Hand-overs (I)
For Radio Networks (base stations) belonging to the same PDSN:
- no special procedure is needed, as the tunnel (between the same PDSN and HA) is still valid; a different R-P tunnel (GRE) will be used
- a RADIUS Acct Stop and an Acct Start are generated with different Acct-Session-Id AVPs and different 3GPP2-R-P-Connection-ID, but the same 3GPP2-Correlation-Id
- valid for both the Simple IP service and the Mobile IP service
For Radio Networks (base stations) belonging to different PDSNs:
- the RADIUS server must know that the user was previously attached to another PDSN, and must send a RADIUS Disconnect-Request (40) packet to the former PDSN to remove his/her context
- the 'former' PDSN sends an Acct Stop and the 'new' PDSN sends an Acct Start, with the same 3GPP2-Correlation-Id


Hand-overs (II): Authentication

Figure: Mobile Station (MS) moving from PDSN 1 (2.2.2.2) to PDSN 2 (2.3.4.5); Visited RADIUS (VAAA) -> Broker RADIUS (BAAA) -> Home RADIUS (HAAA) -> Home Agent (HA, 3.3.3.3) in the Home Network; Home Address 3.3.3.33. Messages as numbered in the diagram:
1. Access-Request (1) from PDSN 2: NAS-IP-Address = 2.3.4.5, …
2. Disconnect-Request (40) from the HAAA to PDSN 1: NAS-IP-Address = 2.2.2.2, User-Name =, Calling-Station-Id = 1-555-123456, 3GPP2-Correlation-Id = xxxx, 3GPP2-Disconnect-Reason = MS-Mobility-Detection
3. Disconnect-Ack (41) from PDSN 1
4. Access-Accept (2) to PDSN 2: …


Hand-overs (II): Accounting

Figure: Mobile Station (MS), PDSN 1 (2.2.2.2), PDSN 2 (2.3.4.5); Visited RADIUS (VAAA) -> Broker RADIUS (BAAA) -> Home RADIUS (HAAA) in the Home Network; Home Address 3.3.3.33.

Accounting-Request (4) from PDSN 1 (Acct Stop):
  NAS-IP-Address = 2.2.2.2
  User-Name = mobile@home1.net
  Calling-Station-Id = 1-555-123456
  Acct-Session-Id = 1111
  3GPP2-Session-Continue = TRUE
  3GPP2-Correlation-Id = 12389
  Acct-Input-Octets = 67867867
  Acct-Output-Octets = 78978

Accounting-Request (4) from PDSN 2 (Acct Start):
  NAS-IP-Address = 2.3.4.5
  User-Name = mobile@home1.net
  Calling-Station-Id = 1-555-123456
  Acct-Session-Id = 2222
  3GPP2-Beginning-Session = FALSE
  3GPP2-Correlation-Id = 12389


IP reachability service (IRS)
So that users (either with Simple IP or Mobile IP) can always be reachable even with dynamic IP address assignment, the RADIUS server must (de)register their IP address in Dynamic DNS.
- The registration is done upon receiving the Accounting Start message. The TTL is 0, so that DNS clients do not cache that FQDN-to-IP mapping.
- The deregistration is done upon receiving the Accounting Stop, only if 3GPP2-Session-Continue = FALSE; otherwise the user is handing over to another PDSN.

Accounting-Request (4), PDSN -> Home RADIUS:
  User-Name = mobile1@home1.net
  Acct-Status-Type = Start
  Framed-IP-Address = 3.3.3.33
  3GPP2-IP-Technology = Mobile
  3GPP2-Begin-Session = TRUE

DNS Update (Add), Home RADIUS -> DNS server:
  Add Record = mobile1 A 3.3.3.33
  TTL = 0
  Zone = home1.net
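The accounting correlation and IRS rules of the last few slides (Acct-Session-Id per connection, 3GPP2-Correlation-Id per session, Session-Continue and Beginning-Session at hand-over, DNS registration only at session start and end), as an added Python example that is not part of the original deck or of VitalAAA. It replays a constructed record sequence modelled on the hand-over slide (PDSN 1 at 2.2.2.2 to PDSN 2 at 2.3.4.5, same correlation id 12389) and also flags records that do not fit the state machine (a Stop without a Start, a hand-over Start for an unknown session), which is where a billing or forensic reconciliation would look first. Records are dicts and the DNS update is returned as a list of actions rather than sent.

```python
# Added example, not code from the deck or from VitalAAA. Records are dicts keyed by
# RADIUS attribute name; the DNS update is modelled as a list of (action, name, address,
# ttl) tuples. The input below is constructed from the hand-over slide's values.


def user_part(record):
    """Host label registered in DNS: the NAI without its realm."""
    return record["User-Name"].split("@", 1)[0]


def new_session():
    return {"connections": [], "open": None, "octets_in": 0, "octets_out": 0,
            "ended": False, "address": None}


def process_accounting(records):
    """Returns (sessions keyed by 3GPP2-Correlation-Id, DNS actions, anomalies)."""
    sessions, dns_actions, anomalies = {}, [], []
    for r in records:
        cid, sid, status = r["3GPP2-Correlation-Id"], r["Acct-Session-Id"], r["Acct-Status-Type"]
        s = sessions.setdefault(cid, new_session())
        if status == "Start":
            if r.get("3GPP2-Beginning-Session") == "TRUE":
                if s["connections"]:
                    anomalies.append("%s: Beginning-Session on a known correlation id" % sid)
                s["address"] = r["Framed-IP-Address"]
                # IRS: register <user> A <address> with TTL 0 so resolvers never cache it
                dns_actions.append(("add", user_part(r), s["address"], 0))
            elif not s["connections"] or s["ended"]:
                anomalies.append("%s: hand-over Start for an unknown or ended session" % sid)
            if s["open"] is not None:
                anomalies.append("%s: Start while %s is still open" % (sid, s["open"]))
            s["connections"].append(sid)
            s["open"] = sid
        elif status == "Stop":
            if sid not in s["connections"]:
                anomalies.append("%s: Stop without a matching Start" % sid)
                continue
            s["octets_in"] += r.get("Acct-Input-Octets", 0)
            s["octets_out"] += r.get("Acct-Output-Octets", 0)
            s["open"] = None
            if r.get("3GPP2-Session-Continue") != "TRUE":
                # real end of the packet data session: release the name (and the address)
                s["ended"] = True
                dns_actions.append(("delete", user_part(r), s["address"], None))
            # Session-Continue=TRUE: a hand-over, the next Start carries the same correlation id
        else:
            anomalies.append("%s: unsupported Acct-Status-Type %s" % (sid, status))
    return sessions, dns_actions, anomalies


# Constructed input: hand-over from PDSN 1 (2.2.2.2) to PDSN 2 (2.3.4.5) as on the
# accounting hand-over slide, followed by the final disconnect.
SAMPLE_RECORDS = [
    {"Acct-Status-Type": "Start", "NAS-IP-Address": "2.2.2.2", "User-Name": "mobile1@home1.net",
     "Acct-Session-Id": "1111", "3GPP2-Correlation-Id": "12389", "3GPP2-Beginning-Session": "TRUE",
     "Framed-IP-Address": "3.3.3.33"},
    {"Acct-Status-Type": "Stop", "NAS-IP-Address": "2.2.2.2", "User-Name": "mobile1@home1.net",
     "Acct-Session-Id": "1111", "3GPP2-Correlation-Id": "12389", "3GPP2-Session-Continue": "TRUE",
     "Acct-Input-Octets": 67867867, "Acct-Output-Octets": 78978},
    {"Acct-Status-Type": "Start", "NAS-IP-Address": "2.3.4.5", "User-Name": "mobile1@home1.net",
     "Acct-Session-Id": "2222", "3GPP2-Correlation-Id": "12389", "3GPP2-Beginning-Session": "FALSE",
     "Framed-IP-Address": "3.3.3.33"},
    {"Acct-Status-Type": "Stop", "NAS-IP-Address": "2.3.4.5", "User-Name": "mobile1@home1.net",
     "Acct-Session-Id": "2222", "3GPP2-Correlation-Id": "12389", "3GPP2-Session-Continue": "FALSE",
     "Acct-Input-Octets": 1000, "Acct-Output-Octets": 500},
]
```

Two connections, one session: the octets of both R-P connections are summed under correlation id 12389, the DNS name is added once and deleted once, and the hand-over in the middle produces no DNS churn.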


Prepaid users
For pre-paid users, a Credit Control (CC) server:
- can be consulted to authorize the connection (Access-Request)
- must be informed of the traffic sent/received by the user (Accounting-Request)
- may disconnect users based on traffic use (Disconnect-Request)
This was added in IS-835-C.

Figure: PDSN -> VAAA -> [BAAA] -> HAAA -> CC server; Access-Request, Acct-Request and Disconnect-Request are exchanged between the HAAA and the CC server.


QoS profiles
In 1xEV rev. A, the possibility to define QoS profiles for the users was added.
This is done with new AVPs returned by the HAAA in the Access-Accept packet:
- 3GPP2-Max-Bandwidth-For-Best-Effort-Traffic
- 3GPP2-Authorized-QoS-Profile-Ids
- 3GPP2-Granted-QoS-Parameters
- Traffic-Class: Unknown, Conversational, Streaming, Interactive, Background


VitalAAA support for IS-835-C


Sample IS-835-C PF
There is a sample policy flow (PF) that can handle all types of RADIUS requests. VitalAAA can behave as:
- Visited AAA (VAAA) & Broker AAA (BAAA):
  – proxy Auth/Acct requests to the BAAA or HAAA, based on realm
  – proxy Disconnect-Requests coming from the HAAA or BAAA to the PDSN, based on NAS-IP-Address
  – additionally, for Acct, write the accounting data to disk
- Home AAA (HAAA), receiving requests both from the HA and from the PDSN


Sample PF for Acct
PDSN overview:
  write accounting record to a detail file
  if start record and begin session
    request DHCP if IPv4 address from allocated range
    add DNS records
  if stop record and not continue
    release DHCP if IPv4 address from allocated range
    delete DNS records
  otherwise
    update DHCP if address from allocated range
HA overview:
  write accounting record to a detail file
Dynamic Auth overview:
  get routes from cache
  forward request to next hop


Sample PF for Auth (I): PDSN overview (I)
  if Service-Type is Authorize-Only
    if 3GPP2-PrePaid-Acct-Quota is present
      proxy request to PrePaid Server
    else discard
  else
    read user from file, ignoring information for Home Agent
    authenticate user and process check items
    if 3GPP2-PrePaid-Acct-Capability is present
      proxy request to PrePaid Server


Sample PF for Auth (II): PDSN overview (II)
  if HA address was sent in request
    copy address to reply
  else
    dynamically assign HA address
  if MN address was sent in request
    if it is to be dynamically assigned
      request one from the DHCP server
    else discard
  if PDSN requests pre-shared secret for IKE
    if user is authorized for IKE
      generate keys


Sample PF for Auth (III): PDSN overview (III)
  query USS to see if sessions for different PDSNs exist
  for each old session
    send disconnect message
  if new PDSN supports disconnect messages
    add record for new session to USS


Sample PF for Auth (IV): HA overview
  if asking for S-Secret
    return S-Secret and S-Secret-Lifetime
  else if CHAP credentials sent
    if MN-HA-SPI sent
      check SPI and CHAP
    else
      check CHAP
  else if MN-HA-SPI sent
    check SPI
  else
    drop request


VitalAAA plug-in support for IS-835-C (I)
To proxy requests (Radius plug-in):
- Auth & Acct: pre-paid server for credit control (HAAA)
- Auth & Acct: regular requests from the PDSN to the HAAA (VAAA & BAAA)
- DynAuth: to proxy Disconnect-Requests towards the PDSN (HAAA, VAAA & BAAA)
To assign dynamic IP addresses to users:
- IPv4: DHCP, ADDRESS or STATESERVER (IPAMv2)
- IPv6: DHCPv6 or STATESERVER (IPAMv2)
To generate the pre-shared key for IKE in the PDSN, according to the formula K = HMAC-MD5 (Home RADIUS IP address | FA IP address | timestamp, 'S'): ReadKeyCache & Hmac plug-ins


VitalAAA plug-in support for IS-835-C (II)
To know whether a user was connected to a different PDSN, so as to send a Disconnect-Request to the "old" PDSN: StateServer & QueryUss plug-ins, with a USS index based on the User-Name
To send/proxy Disconnect-Requests to the PDSN:
- a cache mechanism in the engine that stores the proxy server (VAAA or BAAA) that forwarded a request from a specific PDSN
- ReadCache plug-in, to read that cache and know which BAAA is able to proxy a packet towards a specific PDSN
- ReadClient, to read the secret of the proxy RADIUS server or PDSN
- Radius plug-in, to proxy or generate the Disconnect packet


VitalAAA plug-in support for IS-835-C (III)
To write accounting data (UDR):
- to a text file in different formats: Classic, WriteDelimitedFile, WriteFixedFile
- to a database: JDBC
For the IP Reachability Service (IRS): UpdateDns, to add/delete a Dynamic DNS record, optionally with DNS security (a key name and key data for signed updates)
Storage of users' profiles:
- SQL database: JDBC plug-in
- LDAP directory server: LDAP plug-in
- local text files: ReadUserFile plug-in
Storage of the RADIUS servers serving a realm:
- local text file: ReadDelimitedFile or ReadColumnarFile plug-in
- SQL database or LDAP server: JDBC or LDAP plug-ins


PF example for key generation for PDSN (I)
According to the standard the key must be: K = HMAC-MD5 (Home RADIUS IP address | FA IP address | timestamp, 'S')

#------------------------------------------------------------------------------
# Warning:
# If you listen on the wildcard interface packet.Destination-Address will
# be 0.0.0.0, you must listen on a specific address for the key to be correct
#------------------------------------------------------------------------------
getPreSharedSecret1 Method-Type=ReadKeyCache Method-On-Success=getPreSharedSecret2
  ReadKeyCache-KeyName = "${request.3GPP2-FA-Address[fromIpAddr,toHex]:request.NAS-IP-Address[fromIpAddr,toHex]}${reply.3GPP2-Home-Agent-IP-Address[fromIpAddr,toHex]}"
  ReadKeyCache-KeyTimeout = "3600"
  ReadKeyCache-KeySize = "32"
  ReadKeyCache-Map = <<
    ${user.3GPP2-S-Secret} = ${Key};
    ${reply.3GPP2-Key-Id} := "${packet.Destination-Address[fromIpAddr,toHex]}${request.3GPP2-FA-Address[fromIpAddr,toHex]:request.NAS-IP-Address[fromIpAddr,toHex]}${Lifetime[fromDate]}";
  >>
  ReadKeyCache-EntrySkew = "30"


PF example for key generation for PDSN (II)

…
#------------------------------------------------------------------------------
# Create a pre-shared secret from Key ID and S-Secret
#------------------------------------------------------------------------------
getPreSharedSecret2 Method-Type=Hmac
  Hmac-Key = "${user.3GPP2-S-Secret}"
  Hmac-Text = "${reply.3GPP2-Key-Id}"
  Hmac-Output = "${reply.3GPP2-Pre-Shared-Secret}"
  Hmac-Hash = "MD5"
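The same derivation in plain Python, as an added example that is not part of the original deck or of VitalAAA: the home AAA builds the Key-Id from its own address, the FA address and a timestamp, derives K = HMAC-MD5(S-Secret, Key-Id) and returns (3GPP2-Pre-Shared-Secret, 3GPP2-Key-Id) to the PDSN, while the HA, which only holds the S-Secret and its lifetime, recomputes the same K from the Key-Id the PDSN presents in IKE. That the Key-Id reaches the HA through IKE is assumed here, as are the timestamp encoding (decimal seconds since the epoch) and the IPv4-as-hex encoding; the PF's [fromDate] format is not specified on the page. The HA side also rejects a Key-Id for the wrong AAA/FA pair or one older than the S-Secret lifetime, which is the check that stops a captured Key-Id from being replayed after the S-Secret has rotated. Addresses, secret and timestamps are constructed.

```python
import hashlib
import hmac
import socket

# Added example, not code from the deck or from VitalAAA. Assumptions: Key-Id is
# hex(home AAA IPv4) | hex(FA IPv4) | decimal epoch seconds, and the PDSN passes the
# Key-Id to the HA during IKE so the HA can rebuild the PSK from its S-Secret.


def ip_hex(addr):
    return socket.inet_aton(addr).hex()


def make_key_id(home_aaa_ip, fa_ip, issued_at):
    """Key-Id = hex(home RADIUS address) | hex(FA address) | timestamp."""
    return "%s%s%d" % (ip_hex(home_aaa_ip), ip_hex(fa_ip), int(issued_at))


def derive_psk(s_secret, key_id):
    """K = HMAC-MD5(S, Key-Id): 16 bytes, reproducible by anyone holding S and the Key-Id."""
    return hmac.new(s_secret, key_id.encode(), hashlib.md5).digest()


def haaa_reply_to_pdsn(s_secret, home_aaa_ip, fa_ip, now):
    """Attributes the home AAA puts into the PDSN's Access-Accept."""
    key_id = make_key_id(home_aaa_ip, fa_ip, now)
    return {"3GPP2-Key-Id": key_id, "3GPP2-Pre-Shared-Secret": derive_psk(s_secret, key_id)}


def ha_psk_for_peer(ha_state, key_id, fa_ip, now):
    """HA side, given the Key-Id the FA presents in IKE. Returns (psk, "ok") or (None, reason).
    ha_state holds what the HA got from the AAA: s_secret, s_secret_lifetime, plus its
    home AAA address and an allowed clock skew."""
    expected_prefix = ip_hex(ha_state["home_aaa_ip"]) + ip_hex(fa_ip)
    stamp = key_id[len(expected_prefix):]
    if not key_id.startswith(expected_prefix) or not stamp.isdigit():
        return None, "key id does not match home AAA / FA pair"
    issued_at = int(stamp)
    lower = now - ha_state["s_secret_lifetime"] - ha_state["skew"]
    if not (lower <= issued_at <= now + ha_state["skew"]):
        return None, "key id outside S-Secret lifetime"
    return derive_psk(ha_state["s_secret"], key_id), "ok"
```

Because K depends only on S and the Key-Id, the S-Secret is the real long-term secret: it is sent to the HA once per lifetime (slide "RADIUS packet coming from the HA (II)") and must be protected on the RADIUS path as carefully as the PSK itself.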


Example to proxy Disconnect-Requests (I): Cache information
The internal cache stores the IP address the RADIUS packet came from, keyed by the NAS-Identifier, NAS-IP-Address or NAS-IPv6-Address. By default that cache is called NAS_Routes; the name can be changed in the server_properties file.

Name=NAS_Routes
key=nas2    Idle-Timeout=0 Entry-Timeout=0 Client_Address=1.2.3.4 Client_Address=1.2.3.5
key=2.3.4.5 Idle-Timeout=0 Entry-Timeout=0 Client_Address=2.3.4.5
key=3.4.5.6 Idle-Timeout=0 Entry-Timeout=0 Client_Address=4.4.4.4 Client_Address=5.5.5.5
...


Example to proxy Disconnect-Requests (II): Reading the proxy server for a PDSN

# ------------------------------------------------------------------------------
# Check to see if we have a reverse routing record.
# Records contain one or more addresses of clients that have sent requests for a given NAS.
# Route records automatically collected if server property Cache_NAS_Routes = TRUE
# ------------------------------------------------------------------------------
proxyDynamicAuth Method-Type=ReadCache Method-On-Success=proxyDynamicAuthLoop Method-On-Failure=tryNasIpAddress
  ReadCache-CacheName = "${server.NAS_Routes_Cache_Name}"
  ReadCache-SearchKey = "${request.NAS-Identifier:request.NAS-IP-Address:request.NAS-IPv6-Address}"
  ReadCache-Map = "${user.Client-Address} = ${Client-Address};"
  ReadCache-NewUser = "FALSE"

tryNasIpAddress Method-Type=ReadCache Method-On-Success=proxyDynamicAuthLoop Method-On-Failure=tryNasIpV6Address
  ReadCache-CacheName = "${server.NAS_Routes_Cache_Name}"
  ReadCache-SearchKey = "${request.NAS-IP-Address:request.NAS-IPv6-Address}"
  ReadCache-Map = "${user.Client-Address} = ${Client-Address};"
  ReadCache-NewUser = "FALSE"

tryNasIpV6Address Method-Type=ReadCache Method-On-Success=proxyDynamicAuthLoop Method-On-Failure=nakUnrouteable
  ReadCache-CacheName = "${server.NAS_Routes_Cache_Name}"
  ReadCache-SearchKey = "${request.NAS-IPv6-Address:\"missing\"}"
  ReadCache-Map = "${user.Client-Address} = ${Client-Address};"
  ReadCache-NewUser = "FALSE"


Example to proxy Disconnect-Requests (III): Reading information for each proxy server

proxyDynamicAuthLoop Method-Type=Branch
  Branch-Case = <<
    0 nakUnrouteable
    * readServerData
  >>
  Branch-SearchKey = "${user.Client-Address[COUNT]}"

readServerData Method-Type=ReadClient Method-On-Success=sendDynamicAuth Method-On-Failure=nakUnrouteable
  ReadClient-SearchKey = "${user.Client-Address[FIRST]}"
  ReadClient-Map = <<
    ${user.Server-Address} := ${va.user.Client-Address[FIRST]};
    ${user.Server-Secret} := ${Client-Secret};
    ${user.Server-Dictionary} := ${Client-Dictionary:"#default"};
    ${user.Server-CharSet} := ${Radius_CharSet:va.server.Radius_CharSet};
    ${user.Server-Timeout} := ${Client_Timeout:va.server.Client_Timeout};
    ${user.Server-Retries} := ${Dynamic-Auth-Retries:"0"};
    ${user.Dynamic-Auth-Port} := ${Dynamic-Auth-Port:"3799"};
    DELETE ${user.Client-Address[FIRST]};
  >>

sendDynamicAuth Method-Type=Radius Method-On-Error=proxyDynamicAuthLoop
  Radius-ServerAddress = "${user.Server-Address}:${user.Dynamic-Auth-Port}"
  …
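The reverse-route lookup above, together with the USS hand-over check of the sample PF (slides "Hand-overs (I)" and "Sample PF for Auth (III)"), as an added Python example that is not part of the original deck or of VitalAAA. A NasRoutes cache is filled from the requests a proxy has seen (keyed by NAS-Identifier, NAS-IP-Address and NAS-IPv6-Address, tried in that order), a Disconnect-Request is sent to each recorded client address until one acknowledges, an unrouteable NAS is reported instead of guessed, and the HAAA-side hand-over logic disconnects the user's sessions on other PDSNs before registering the new one. The RFC 5176 Request Authenticator for a Disconnect-Request is included because it is what the receiving PDSN uses to reject a request from anyone without the shared secret. Cache contents, clients and secrets are constructed; the transport is a callable so the logic runs offline.

```python
import hashlib
import struct

# Added example, not code from the deck or from VitalAAA. Requests are dicts keyed by
# attribute name; `send` is injected so nothing touches the network.
DISCONNECT_REQUEST, DYNAUTH_PORT = 40, 3799
NAS_KEYS = ("NAS-Identifier", "NAS-IP-Address", "NAS-IPv6-Address")


class NasRoutes:
    """NAS key -> list of client addresses that have forwarded requests for that NAS."""

    def __init__(self):
        self.routes = {}

    def record(self, request, from_addr):
        for attr in NAS_KEYS:
            key = request.get(attr)
            if key is not None:
                entry = self.routes.setdefault(key, [])
                if from_addr not in entry:
                    entry.append(from_addr)

    def lookup(self, request):
        """Same fallback order as the ReadCache chain: Identifier, then IPv4, then IPv6."""
        for attr in NAS_KEYS:
            key = request.get(attr)
            if key is not None and self.routes.get(key):
                return list(self.routes[key])
        return []


def disconnect_request_authenticator(ident, attrs, secret):
    """RFC 5176: Request Authenticator = MD5(Code | ID | Length | 16 zero octets | Attributes | Secret).
    The PDSN recomputes it, so a Disconnect-Request built without the shared secret is dropped."""
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def route_disconnect(routes, clients, request, send):
    """Try each candidate next hop in cache order. `send(addr, port, secret, request)` returns
    True on Disconnect-ACK. Returns (True, addr) or (False, "unrouteable")."""
    for addr in routes.lookup(request):
        client = clients.get(addr)
        if client is None:
            continue  # the cache knows the address but there is no client entry, hence no secret
        port = client.get("Dynamic-Auth-Port", DYNAUTH_PORT)
        if send(addr, port, client["secret"], request):
            return True, addr
    return False, "unrouteable"


def on_access_request(uss, routes, clients, request, send):
    """HAAA side of hand-over detection: disconnect stale sessions on other PDSNs, then record
    the new one only if the new PDSN advertised Session-Termination capability."""
    user, nas = request["User-Name"], request["NAS-IP-Address"]
    results = []
    for old in [s for s in uss.get(user, []) if s["NAS-IP-Address"] != nas]:
        dr = {"NAS-IP-Address": old["NAS-IP-Address"], "User-Name": user,
              "3GPP2-Correlation-Id": old["3GPP2-Correlation-Id"],
              "3GPP2-Disconnect-Reason": "MS-Mobility-Detection"}
        results.append(route_disconnect(routes, clients, dr, send))
        uss[user].remove(old)
    if request.get("3GPP2-Session-Term-Capability") == "Dynamic-Auth":
        uss.setdefault(user, []).append({"NAS-IP-Address": nas,
                                         "3GPP2-Correlation-Id": request["3GPP2-Correlation-Id"]})
    return results
```

A PDSN that never advertised Session-Term-Capability is deliberately not added to the USS: sending it a Disconnect-Request later would only time out, and the stale entry would hide the real state of the session.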


Example to add/delete entries in DDNS
It can be done either for A (IPv4) or AAAA (IPv6) records. A KeyName and KeyData must be provided to the DNS server to be able to update DNS records.

delIPv4DnsRecord Method-Type=UpdateDns Method-On-Success=done
  UpdateDns-ServerAddress = "10.30.0.41"
  UpdateDns-KeyName = "key1"
  UpdateDns-KeyData = "111111111111111111111w=="
  UpdateDns-Zone = "${packet.User-Realm}."
  UpdateDns-DeleteRecord = "${packet.Base-User-Name} A ${request.Framed-IP-Address}"

delIPv6DnsRecord Method-Type=UpdateDns Method-On-Success=done
  UpdateDns-ServerAddress = "10.30.0.41"
  UpdateDns-KeyName = "key1"
  UpdateDns-KeyData = "111111111111111111111w=="
  UpdateDns-Zone = "${packet.User-Realm}."
  UpdateDns-DeleteRecord = "${packet.Base-User-Name} AAAA ${packet.Framed-IPv6-Address[first]}"