PDIF Service Configuration Mode Commands


The PDIF Service Configuration Mode is used to configure the properties required for a mobile station to interface with a PDIF.
 
Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
 
aaa attribute
Sets the system attributes for AAA messages.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
aaa attribute { 3gpp2-bsid string | 3gpp2-service-option integer | calling-station-id integer | 3gpp2-serving-pcf ip-address }
no aaa attribute
default aaa attribute 3gpp2-service-option integer
no
Removes a previously configured AAA attribute.
default
Returns the specified aaa attribute to the original default system settings.
3gpp2-bsid string
Specifies the base station ID, which consists of the SID + NID + CELLID.
string must contain 12 hexadecimal upper-case ASCII characters.
3gpp2-service-option integer
Default: 4095
Specifies the 3GPP2 service option value sent as a RADIUS attribute in authentication and accounting messages.
integer can be configured to any value in the range 0 - 32767.
calling-station-id integer
Specifies the calling station phone number.
integer is a string of 1 to 15 digits.
3gpp2-serving-pcf ip-address
Specifies the IP address of the serving PCF. Setting the value here lets the attribute be populated without building a new ASR 5000 software image.
Usage
If the RADIUS protocol is being used, accounting messages can be sent over a AAA interface to the RADIUS server.
The 3gpp2-serving-pcf attribute value, if configured, is sent in both RADIUS authentication and accounting messages. If the value is not configured (or has been removed with the no form of the command), the RADIUS attribute is still included, carrying only its type and length fields, so a RADIUS server that expects a value will see an empty attribute. This is because inclusion or exclusion of RADIUS attributes is controlled by the RADIUS dictionary, not by the CLI.
Example
The following command identifies the base station ID:
aaa attribute 3gpp2-bsid 0AB23289ACB3
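As an added example (not part of the original reference and not ASR 5000 code), the following Python checks a candidate 3gpp2-bsid value against the constraint above before it is entered in the CLI, and builds a valid value from its SID, NID and Cell ID components. The 16-bit width of each component (four hex digits each) is an assumption made for this example; the page states only that the value is SID + NID + CELLID in 12 upper-case hexadecimal characters.

```python
import re
from typing import Dict, Optional, Tuple

# CLI constraint from the reference: exactly 12 upper-case hexadecimal characters.
BSID_RE = re.compile(r"^[0-9A-F]{12}$")

# Assumption for this example: SID, NID and CELLID are 16 bits each
# (4 hex digits each), concatenated in that order.
FIELDS: Tuple[str, ...] = ("sid", "nid", "cell_id")
FIELD_HEX_WIDTH = 4


def bsid_error(bsid: str) -> Optional[str]:
    """Return None if bsid is acceptable to 'aaa attribute 3gpp2-bsid',
    otherwise a message describing why the CLI would reject it."""
    if len(bsid) != 12:
        return f"expected 12 characters, got {len(bsid)}"
    if BSID_RE.match(bsid):
        return None
    if BSID_RE.match(bsid.upper()):
        # Common mistake: hex digits entered in lower case.
        return "hex digits must be upper case"
    return "value must be hexadecimal"


def split_bsid(bsid: str) -> Dict[str, int]:
    """Decode a valid BSID into its SID, NID and CELLID components."""
    err = bsid_error(bsid)
    if err is not None:
        raise ValueError(f"invalid 3gpp2-bsid {bsid!r}: {err}")
    return {
        name: int(bsid[i * FIELD_HEX_WIDTH:(i + 1) * FIELD_HEX_WIDTH], 16)
        for i, name in enumerate(FIELDS)
    }


def build_bsid(sid: int, nid: int, cell_id: int) -> str:
    """Encode the components as the upper-case hex string the CLI expects."""
    for name, value in zip(FIELDS, (sid, nid, cell_id)):
        if not 0 <= value < 16 ** FIELD_HEX_WIDTH:
            raise ValueError(f"{name} out of range: {value}")
    return f"{sid:04X}{nid:04X}{cell_id:04X}"


def bsid_command(sid: int, nid: int, cell_id: int) -> str:
    """Full CLI line for PDIF service configuration mode."""
    return f"aaa attribute 3gpp2-bsid {build_bsid(sid, nid, cell_id)}"


if __name__ == "__main__":
    # Constructed values; the lower-case form is the mistake the check catches.
    for candidate in ("0AB23289ACB3", "0ab23289acb3", "0AB23289AC"):
        print(candidate, "->", bsid_error(candidate) or split_bsid(candidate))
    print(bsid_command(sid=0x0AB2, nid=0x3289, cell_id=0xACB3))
```

Run the file directly to see the three candidates classified and a command line generated from its components.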
 
aaa authentication
Specifies the AAA group used for the first and second authentication phases when multiple authentication is configured on the system.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
aaa authentication { first-phase | second-phase } context-name name aaa-group name
no aaa authentication { first-phase | second-phase }
no aaa authentication { first-phase | second-phase }
Removes any existing authentication configuration.
first-phase context-name name aaa-group name
Specifies the context name and the aaa group name configured in the context for the first authentication phase.
context-name name: Context where aaa server group is defined. name must be a string of size 1-79.
aaa-group name: Name of the aaa-group to be used for authentication. name must be a string of size 1-63.
second-phase context-name name aaa-group name
Specifies the context name and the aaa group name configured in the context for the second authentication phase.
context-name name: Context where aaa server group is defined. name must be a string of size 1-79.
aaa-group name: Name of the aaa-group to be used for authentication. name must be a string of size 1-63.
Usage
Two-phase authentication takes place during IKEv2 setup of the IPSec session. The first phase uses Diameter-based EAP authentication and the second phase uses RADIUS authentication. The same AAA context may be used for both phases. The PDIF service allows only a single AAA group to be specified, which is normally used for the first authentication phase.
A given AAA group supports either Diameter or RADIUS authentication, not both. If the NAI presented in the first phase differs from the NAI presented in the second phase, each NAI can point to a different domain profile in the PDIF, and each domain profile can be configured with its own AAA group, one for Diameter and the other for RADIUS.
Example
The following command configures first-phase authentication to use the AAA group named aaa-10 in the pdif context:
aaa authentication first-phase context-name pdif aaa-group aaa-10
 
bind
Binds the service to an IP address and a crypto template, and configures the number of sessions the PDIF service can support.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
bind address address crypto-template string [ max-sessions number ]
no bind
no
Removes a previously configured binding.
address
Specifies the IP address of the service.
crypto-template string
Specifies the name of the crypto template to be bound to the service.
string is the name of an existing crypto template, from 1 to 127 alphanumeric characters.
max-sessions number
Default is 3000000
Specifies the maximum number of sessions to be supported by the service.
number can be any integer value from 0 - 3000000
Usage
Binds the IP address used as the connection point for establishing the IKEv2 sessions to the crypto template. It can also define the number of sessions the PDIF can support.
Example
The following command binds a service with the IP address 13.1.1.1 to the crypto template T1 and sets the maximum number of sessions to 2000000:
bind address 13.1.1.1 crypto-template T1 max-sessions 2000000
 
default
Sets or restores the default condition for the selected parameter.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
default { aaa attribute 3gpp2-service-option | duplicate-session-detection | hss { failure-handling mac-address-validation-failure | mac-address-validation | update-profile } | ip source-violation { drop-limit | period } | setup-timeout | subscriber name | username mac-address-stripping }
aaa attribute 3gpp2-service-option
Configures the default value to 4095.
duplicate-session-detection
Configures the default to be NAI-based.
hss { failure-handling mac-address-validation-failure | mac-address-validation | update-profile }
Configures the HSS server defaults:
failure-handling mac-address-validation-failure: By default, the MAC address is validated by IMS-Sh interface.
mac-address-validation: By default, validating the MAC address is disabled.
update-profile: By default, updating the PDIF profile is disabled.
ip source-violation { drop-limit | period }
Configures IP source-violation detection defaults.
drop-limit: The default number of IP source violations permitted in a detection period before the call is dropped is 10.
period: Default detection period is 120 seconds.
setup-timeout
Default call setup time limit is 60 seconds.
subscriber name
Configures the default subscriber name. name is a string of 1-127 characters.
username mac-address-stripping
Default is to disable stripping the MAC address from the username.
Usage
Configures the default settings for a given parameter.
Example
Use the following example to configure the default call setup time limit:
default setup-timeout
 
duplicate-session-detection
Configures the PDIF to detect duplicate call sessions, based on either the IMSI or the NAI, and to clear the old call information.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
[ no | default ] duplicate-session-detection { imsi-based | nai-based }
no
Stops duplicate session detection.
default
Configures the default setting, which is NAI-based detection.
imsi-based
Configures the PDIF to detect duplicate call sessions based on the IMSI.
nai-based
Configures the PDIF to detect duplicate call sessions based on the NAI. This is the default setting.
Usage
If an MS leaves the Wi-Fi coverage area and later comes back online, it may initiate a new session setup. After both the device authentication with the HSS and the subscriber authentication with the AAA server are complete, the PDIF checks internally whether another session is bound to the same IMSI (or NAI). If an old session is found, the PDIF clears it by sending a proxy-MIP Deregistration request to the HA, then resumes the new session setup by sending a proxy-MIP Registration request. When the old session is aborted, the PDIF sends a Diameter STR and a RADIUS Accounting STOP to the corresponding AAA servers.
PDIF allows duplicate session detection based on either the NAI or IMSI addresses. When detecting based on NAI, it is the first-phase (device authentication) NAI that is used.
Example
The following command configures duplicate session detection to use IMSI addressing:
duplicate-session-detection imsi-based
 
end
Exits the current mode and returns to the Exec Mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Change the mode back to the Exec Mode.
 
exit
Exits the current mode and returns to the previous mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Returns to the previous mode.
 
hss
Configures the HSS server parameters.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
hss { failure-handling { mac-address-validation-failure | update-profile } action { continue | terminate } | mac-address-validation | update-profile }
[ no | default ] hss { failure-handling | update-profile | mac-address-validation }
no
Removes a previously configured HSS profile.
default
Resets the defaults for this command.
failure-handling { mac-address-validation-failure | update-profile }
Configures how the PDIF handles a failure on the HSS interface: either a MAC address validation failure or a failure to update the subscriber profile.
If the HSS returns a list of MAC addresses and the PDIF fails to match the subscriber MAC address against that list, the session is terminated unless action continue is configured for mac-address-validation-failure.
action { continue | terminate }
Configures the action to be performed for the specified failure type.
continue: Ignore the failure and continue the session.
terminate: Terminate the session on the failure.
mac-address-validation
Default: disabled
If mac-address-validation is enabled, the PDIF queries the HSS server for a list of MAC addresses associated with the Mobile Directory Number (MDN).
update-profile
Default: disabled.
Update the HSS server with the subscriber profile.
Usage
An HSS server is used to provide MAC address validation and store part of the subscriber profile. This command enables or disables validation and profile updates, and configures how the system responds to failures: terminate or continue a session.
An IMS-Sh service and a Diameter interface need to be configured to communicate with the HSS server.
Example
The following example enables mac-address validation:
hss mac-address-validation
 
ims-sh-service
Associates an IMS-Sh service with this PDIF service.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
ims-sh-service name name
no ims-sh-service name name
no
Removes a previously configured IMS-Sh-service.
name
Names the IMS-Sh-service in the pdif-service context.
Usage
Specifies the IMS-Sh service that this PDIF service uses to communicate with the HSS, as required by the hss command.
Example
The following command names the IMS-Sh-service ims1:
ims-sh-service name ims1
 
ip source-violation
Sets the parameters for IP source validation. Source validation is useful if packet spoofing is suspected or for verifying packet routing and labeling within the network.
Source validation requires the source address of received packets to match the IP address assigned to the subscriber (either statically or dynamically) during the session.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
ip source-violation { clear-on-valid-packet | drop-limit num | period secs }
no ip source-violation clear-on-valid-packet
clear-on-valid-packet
Default: disabled
Configures the service to reset the drop-limit counter after receipt of a properly addressed packet.
drop-limit num
Default: 10
Sets the number of allowed source violations within a detection period before forcing a call disconnect. If num is not specified, the value is set to the default.
num can be any integer value from 1 to 1000000.
period secs
Default: 120
The length of time, in seconds, for a source violation detection period to last.
If secs is not specified, the value is set to the default.
secs can be any integer value from 1 to 1000000.
Usage
This function lets the operator protect the network against problems such as a user being handed back and forth between two PDIFs several times during a handoff.
This function operates in the following manner:
When a subscriber packet is received with a source address violation, the system increments the IP source-violation drop-limit counter and starts the timer for the IP-source violation period. Every subsequent packet received with a bad source address during the IP-source violation period causes the drop-limit counter to increment.
For example, if the drop-limit is set to 10, after 10 source violations, the call is dropped. The period timer continues to count throughout this process.
Example
The following command sets the drop limit to 15 and leaves the other values at their defaults:
ip source-violation drop-limit 15
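The counting behaviour described above, as an added example in Python (not code from the original reference or from the ASR 5000): a model of the drop-limit counter and detection period run over a constructed packet trace. Two details the page does not spell out are assumptions here: packets that fail source validation are dropped rather than forwarded, and once a detection period has elapsed the counter restarts with the next violation. The CLI defaults (drop-limit 10, period 120 seconds, clear-on-valid-packet disabled) are taken from the page.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

FORWARD, DROP, DISCONNECT = "forward", "drop", "disconnect"


@dataclass
class SourceViolationConfig:
    """Mirrors the ip source-violation keywords and their CLI defaults."""
    drop_limit: int = 10           # violations per period before disconnect
    period: float = 120.0          # detection period, seconds
    clear_on_valid_packet: bool = False


@dataclass
class SourceViolationState:
    count: int = 0
    period_start: Optional[float] = None   # None: no detection period running


def check_source(cfg: SourceViolationConfig, state: SourceViolationState,
                 assigned_ip: str, src_ip: str, ts: float) -> str:
    """Apply source validation to one subscriber packet received at time ts.

    Returns FORWARD for a correctly sourced packet, DROP for a spoofed packet
    that is still within the tolerated count, and DISCONNECT when the
    drop-limit is reached within a detection period.
    """
    if src_ip == assigned_ip:
        if cfg.clear_on_valid_packet:
            # Reset the drop-limit counter on a properly addressed packet.
            state.count = 0
            state.period_start = None
        return FORWARD

    # Source violation. The period timer starts on the first violation.
    # Assumption: a violation after the period has elapsed opens a new
    # period and the counter restarts.
    if state.period_start is None or ts - state.period_start >= cfg.period:
        state.period_start = ts
        state.count = 0
    state.count += 1
    if state.count >= cfg.drop_limit:
        return DISCONNECT
    # Assumption: packets failing validation are not forwarded.
    return DROP


def run_trace(cfg: SourceViolationConfig, assigned_ip: str,
              packets: List[Tuple[float, str]]) -> Tuple[List[str], Optional[float]]:
    """Feed (timestamp, source IP) pairs through the detector.

    Returns the per-packet verdicts and the time of disconnect, or None if
    the call survives the whole trace.
    """
    state = SourceViolationState()
    verdicts: List[str] = []
    for ts, src in packets:
        verdict = check_source(cfg, state, assigned_ip, src, ts)
        verdicts.append(verdict)
        if verdict == DISCONNECT:
            return verdicts, ts
    return verdicts, None


# Constructed trace: the subscriber was assigned 10.0.0.5; packets sourced
# from 192.0.2.9 are spoofed. drop-limit is lowered to 3 to keep the trace short.
ASSIGNED = "10.0.0.5"
SPOOFED = "192.0.2.9"
TRACE = [(0.0, SPOOFED), (1.0, SPOOFED), (50.0, ASSIGNED), (60.0, SPOOFED)]


def demo_default_clear() -> Tuple[List[str], Optional[float]]:
    """clear-on-valid-packet disabled: the valid packet at t=50 does not help."""
    return run_trace(SourceViolationConfig(drop_limit=3), ASSIGNED, TRACE)


def demo_clear_on_valid() -> Tuple[List[str], Optional[float]]:
    """clear-on-valid-packet enabled: the counter restarts at t=50."""
    cfg = SourceViolationConfig(drop_limit=3, clear_on_valid_packet=True)
    return run_trace(cfg, ASSIGNED, TRACE)


def demo_period_expiry() -> Tuple[List[str], Optional[float]]:
    """Third violation arrives after the 120 s period: new period, no disconnect."""
    trace = [(0.0, SPOOFED), (1.0, SPOOFED), (130.0, SPOOFED)]
    return run_trace(SourceViolationConfig(drop_limit=3), ASSIGNED, trace)


if __name__ == "__main__":
    print("clear disabled :", demo_default_clear())
    print("clear enabled  :", demo_clear_on_valid())
    print("period expired :", demo_period_expiry())
```

The three demo functions show the operational difference the clear-on-valid-packet keyword makes: with it disabled, a handset that alternates between good and spoofed source addresses is still disconnected once the limit is reached within one period; with it enabled, a single properly addressed packet wipes the count.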
 
mobile-ip
Sets the MIP FA context for the specific PDIF service.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
mobile-ip foreign-agent context string [ fa-service string ]
no mobile-ip
no
Removes previously configured parameters.
foreign-agent context string
Provides the context name in which the FA is configured. string is any value in the range 1 - 79 alpha and/or numeric characters.
fa-service string
Designates the name of the FA service in the FA context. string is any value in the range 1 - 79 alpha and/or numeric characters.
Usage
Specifies the context in which the FA is configured and, optionally, the FA service within that context.
Example
This command configures MIP for the FA context named fa1:
mobile-ip foreign-agent context fa1
 
setup-timeout
Configures the maximum time allowed to set up a session.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
setup-timeout integer
default setup-timeout
default
Default session setup timer: 60 seconds.
setup-timeout integer
This command manually sets the session setup timer. integer is a value in the range 2 - 300 seconds.
Usage
PDIF clears both user session and tunnels if a call does not initiate successfully before the timer expires.
Example
The following command restores the setup-timeout to the default of 60 seconds:
default setup-timeout
 
username
Configures mac-address-stripping on a username coming in from a mobile station session.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
username mac-address-stripping
[ default | no ] username mac-address-stripping
no
Returns the configuration to the default condition.
default
Configures the parameter default, which is disabled.
mac-address-stripping
Configures mac-address stripping from the Network Access Identifier (NAI).
Usage
When enabled, the PDIF strips the MAC address from the mobile username NAI before sending it to the RADIUS AAA server.
Example
The following example disables mac-address-stripping:
no username mac-address-stripping
 
 

Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883