RADIUS Prepaid Extension
draft-lior-radius-prepaid-extensions-05.txt

Avi Lior, Yong Li, Bridgewater Systems
Parviz Yegani, Cisco Systems
Kuntal Chowdhury, Nortel Networks


Requirements

• Provide support for Prepaid User.
  – Quota management
  – Usage metering
  – Session control
• Support Prepaid business models.
  – Time based, Volume based, “Token” based (unit less)
  – Simple rating and complex rating
  – Session based and single event based.


Key Features

• Quota based.
  – Quotas are initially exchanged in Access-Request/Accept; and are refreshed in Authorize-Only exchanges.

• Use RADIUS accounting messages only to record what has happened for audit and billing purposes.


What is New

• Simplified the Architecture model (draft 4)
• Added support for Multi-Services (draft 5)
  – Functionally aligned with Diameter CC.
• Cleanup and incorporation of comments received on list and privately.
  – Joel Halpern
  – Mark Grayson
  – Nagi Reddy Jonnala
  – Mike Santoro
  – Farid Adrangi
  – Damien Galand
  – Lothar Reith
  – Stefaan de Cnodder


Prepaid Architecture

[Figure: architecture diagram. Labels: User Device; NAS; RADIUS Client; Prepaid Client; RADIUS; RADIUS Server; Prepaid Server; Router/Gateway; Internet. Caption: Prepaid attributes carried by RADIUS.]


Multi-Services

• Main service or “Access Service”
  – This is what we traditionally authenticate and authorize.
• Operators want to differentiate between IP-flows
  – Some flows are more valuable.
  – Some flows are metered differently.
  – Some flows have different QoS.
• Additional flows require authorization only.


Prepaid for Multi-Services

• Service defined by a Service-ID (string)
  – A Service can be an IP-Flow defined by IP-tuples.
  – “Access Service” is the default or initial service. In 3GPP2 it corresponds to the Main-Service-Instance.
• Quota allocated
  – To one Service at a time; or
  – A group of Services using Rating-Groups:
    • Rating-Group preconfigured in the Service Access Device.
    • Define the rating (complex rating) and the Services that are associated with that Rating-Group.
• Pools
  – Associate quotas assigned to Services or Rating-Groups to Pools.
  – Minimize messages.
  – Help when services are not drawing on quotas equally.


Multi-Service Example

A: A user is Authenticated and Authorized as prepaid and assigned quota to the “Access Service” of 2 MB.

B: NAS wants to Authz another Service (e.g. VoIP). Sends an Access-Request (AuthOnly) with PPAQ specifying SID = Service-A. Session-Id needed to tie this Authorize-Only to previous AuthN/AuthZ.

C: PPS replies with Access-Accept with a PPAQ for Service-A containing Volume of 1 MB.

D: “Access Service” and Service-A request more quota. Report what they used. Update-Reason Quota-Refresh.

E: PPS authorizes more quota to both. Access Service (+2 MB) has 4 MB, Service-A (+1 MB) has 2 MB.

F: User logs off. Report used quota. “Access-Service” 3 MB, Service-A 1.5 MB. We know that it’s the end because the PPAQ indicates the cause for reporting: Update-Reason User-Termination.

Message sequence between NAS/PPC and PPS:

A: AuthN/AuthZ “Access Service”
B: Access-Request Authz Only: Session-Id, [PPAQ SID=Service-A]
C: Access-Accept Authz Only: [PPAQ QID Service-A, 1 MB]
D: Access-Request Authz Only: [PPAQ QID 2 MB] [PPAQ QID Service-A, 1 MB]
E: Access-Accept Authz Only: [PPAQ QID 4 MB] [PPAQ QID Service-A, 2 MB]
F: Access-Request Authz Only: [PPAQ QID 3 MB] [PPAQ QID Service-A, 1.5 MB]
   Access-Accept Authz Only
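The A to F exchange above, replayed against a model of the PPS quota ledger. This is an added example, not code from the draft or its authors: the field names (Session-Id, Service-ID, Update-Reason) follow the slides, while the `PrepaidServer` class, the session id value, and the validation rules (an Authorize-Only must match a Session-Id created by an earlier AuthN/AuthZ; reported usage is cumulative and must stay within the granted quota) are assumptions, and nothing here reproduces the PPAQ wire encoding.

```python
MB = 1024 * 1024  # constructed unit; the slides only say "MB"

class PrepaidServer:
    """Assumed PPS model: names follow the slides, the logic is illustrative."""
    def __init__(self, grants):
        self.grants = grants    # bytes added per grant, keyed by Service-ID
        self.sessions = {}      # Session-Id -> {Service-ID: [quota, used]}

    def authenticate(self, session_id, service="Access Service"):
        # Step A: full AuthN/AuthZ creates the session and its first quota.
        self.sessions[session_id] = {service: [self.grants[service], 0]}
        return {service: self.grants[service]}

    def authorize_only(self, session_id, ppaqs):
        # Steps B-F: Authorize-Only is accepted only for a known Session-Id.
        if session_id not in self.sessions:
            return "Access-Reject", {}
        ledger = {k: list(v) for k, v in self.sessions[session_id].items()}
        reply = {}
        for sid, used, reason in ppaqs:
            if sid not in ledger:                  # step B: first request
                if reason is not None or sid not in self.grants:
                    return "Access-Reject", {}
                ledger[sid] = [self.grants[sid], 0]
                reply[sid] = self.grants[sid]
                continue
            quota, prev = ledger[sid]
            # Cumulative report: may not go backwards or exceed the quota.
            if used < prev or used > quota:
                return "Access-Reject", {}
            ledger[sid][1] = used
            if reason == "Quota-Refresh":          # steps D and E
                ledger[sid][0] += self.grants[sid]
                reply[sid] = ledger[sid][0]
        self.sessions[session_id] = ledger   # commit only if every PPAQ passed
        return "Access-Accept", reply

    def billed(self, session_id):
        return {s: used for s, (_, used) in self.sessions[session_id].items()}

def run_example():
    pps = PrepaidServer({"Access Service": 2 * MB, "Service-A": 1 * MB})
    s = "sess-1"                                   # constructed Session-Id
    pps.authenticate(s)                                              # A
    pps.authorize_only(s, [("Service-A", 0, None)])                  # B, C
    pps.authorize_only(s, [("Access Service", 2 * MB, "Quota-Refresh"),
                           ("Service-A", 1 * MB, "Quota-Refresh")])  # D, E
    pps.authorize_only(s, [("Access Service", 3 * MB, "User-Termination"),
                           ("Service-A", 3 * MB // 2, "User-Termination")])  # F
    return pps
```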


What is next

• Add support for single event.
  – Scenarios:
    • Single Event Prepaid Authorization with Authentication.
    • Single Event Prepaid Authorization only – user has already been authenticated.
• Mapping to Diameter