Simple IP Configuration Examples

Example 1: Simple IP Support Using a Single Source and Destination Context

The most simple configuration that can be implemented on the system to support Simple IP data applications requires that two contexts (one source and one destination) be configured on the system as shown below.

Figure 1. Simple IP Support Using a Single Source and Destination Context

The source context will facilitate the packet data serving node (PDSN) service(s) and the R-P and AAA interfaces. The source context will also be configured to provide AAA functionality for subscriber sessions. The destination context will facilitate the packet data network interface(s).

In this configuration, the wireless carrier provides the function of an Internet Service Provider (ISP) to their subscribers. The PDSN service in the source context terminates subscriber point-to-point protocol (PPP) sessions and routes their data traffic through the destination context to and from a packet data network such as the Internet.

Information Required

Prior to configuring the system as shown in this example, there is a minimum amount of information required. The following sections describe the information required to configure the source and destination contexts.

Source Context Configuration

The following table lists the information that is required to configure the source context.

Table 1. Required Information for Source Context Configuration

Required Information	Description
Source context name	This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the source context will be recognized by the system.
R-P Interface Configuration
R-P interface name	This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system. Multiple names are needed if multiple interfaces will be configured. R-P interfaces are configured in the source context.
IP address and subnet	These will be assigned to the R-P interface. Multiple addresses and/or subnets are needed if multiple interfaces will be configured.
Physical port number	This specifies the physical port to which the interface will be bound. Ports are identified by the chassis slot number where the line card resides in, followed by the number of the physical connector on the line card. For example, port 17/1 identifies connector number 1 on the card in slot 17. A single physical port can facilitate multiple interfaces.
Physical port description	This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system. Multiple descriptions are needed if multiple ports will be used. Physical ports are configured within the source context and are used to bind logical R-P interfaces.
Gateway IP address	Used when configuring static routes from the R-P interface(s) to a specific network.
PDSN service Configuration
PDSN service name	This is an identification string between 1 and 63 characters (alpha and/or numeric) by which the PDSN service will be recognized by the system. Multiple names are needed if multiple PDSN services will be used. PDSN services are configured in the source context.
UDP port number for R-P traffic	Specifies the port used by the PDSN service and the PCF for communications. The UDP port number and can be any integer value between 1 and 65535. The default value is 699.
Authentication protocols used	Specifies how the system handles authentication: using a protocol (such as CHAP, PAP, or MSCHAP), or not requiring any authentication.
Domain alias for NAI-construction	Specifies a context name for the system to use to provide accounting functionality for a subscriber session. This parameter is needed only if the system is configured to support no authentication.
Security Parameter Index Information	PCF IP address: Specifies the IP address of the PCF that the PDSN service will be communicating with. The PDSN service allows the creation of a security profile that can be associated with a particular PCF. Multiple IP addresses are needed if the PDSN service will be communicating with multiple PCFs.
Index: Specifies the shared SPI between the PDSN service and a particular PCF. The SPI can be configured to any integer value between 256 and 4294967295. Multiple SPIs can be configured if the PDSN service is to communicate with multiple PCFs.
Secret: Specifies the shared SPI secret between the PDSN service and the PCF. The secret can be between 1 and 127 characters (alpha and/or numeric). An SPI secret is required for each SPI configured.
Hash-algorithm: Specifies the algorithm used to hash the SPI and SPI secret. The possible algorithms that can be configured are MD5 per RFC 1321 and keyed-MD5 per RFC 2002. The default is MD5. A hash-algorithm is required for each SPI configured.
Replay-protection process: Specifies how protection against replay-attacks is implemented. The possible processes are nonce and timestamp. The default is timestamp with a tolerance of 60 seconds. A replay-protection process is required for each SPI configured.
Subscriber session lifetime	Specifies the time in seconds that an A10 connection can exist before its registration is considered expired. The time is expressed in seconds and can be configured to any integer value between 1 and 65534, or the timer can be disabled to set an infinite lifetime. The default value is 1800 seconds.
AAA Interface Configuration
AAA interface name	This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system. Multiple names are needed if multiple interfaces will be configured. AAA interfaces will be configured in the source context.
IP address and subnet	These will be assigned to the AAA interface. Multiple addresses and/or subnets are needed if multiple interfaces will be configured.
Physical port number	This specifies the physical port to which the interface will be bound. Ports are identified by the chassis slot number where the line card resides in, followed by the number of the physical connector on the line card. For example, port 17/1 identifies connector number 1 on the card in slot 17. A single physical port can facilitate multiple interfaces.
Physical port description	This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system. Multiple descriptions are needed if multiple ports will be used. Physical ports are configured within the source context and are used to bind logical AAA interfaces.
Gateway IP address	Used when configuring static routes from the AAA interface(s) to a specific network.
RADIUS Server Configuration
RADIUS Authentication server	IP Address: Specifies the IP address of the RADIUS authentication server the source context will communicate with to provide subscriber authentication functions. Multiple addresses are needed if multiple RADIUS servers will be configured. RADIUS authentication servers are configured within the source context. Multiple servers can be configured and each assigned a priority.
Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS authentication server and the source context. A shared secret is needed for each configured RADIUS server.
UDP Port Number: Specifies the port used by the source context and the RADIUS authentication server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1812.
RADIUS Accounting server	IP Address: Specifies the IP address of the RADIUS accounting server that the source context will communicate with to provide subscriber accounting functions. Multiple addresses are needed if multiple RADIUS servers will be configured. RADIUS accounting servers are configured within the source context. Multiple servers can be configured and each assigned a priority.
Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS accounting server and the source context. A shared secret is needed for each configured RADIUS server.
UDP Port Number: Specifies the port used by the source context and the RADIUS Accounting server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1813.
RADIUS attribute NAS Identifier	Specifies the name by which the source context will be identified in the Access-Request message(s) it sends to the RADIUS server. The name must be between 1 and 32 alpha and/or numeric characters and is case sensitive.
RADIUS NAS IP address	Specifies the IP address of the source context’s AAA interface. A secondary IP address interface can optionally be configured.
Default Subscriber Configuration
“Default” subscriber’s IP context name	Specifies the name of the egress context on the system that facilitates the PDN ports. NOTE: For this configuration, the IP context name should be identical to the name of the destination context.

Required Information

Description

Source context name

This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the source context will be recognized by the system.

R-P Interface Configuration

R-P interface name

This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system.

Multiple names are needed if multiple interfaces will be configured.

R-P interfaces are configured in the source context.

IP address and subnet

These will be assigned to the R-P interface.

Multiple addresses and/or subnets are needed if multiple interfaces will be configured.

Physical port number

This specifies the physical port to which the interface will be bound. Ports are identified by the chassis slot number where the line card resides in, followed by the number of the physical connector on the line card. For example, port 17/1 identifies connector number 1 on the card in slot 17.

A single physical port can facilitate multiple interfaces.

Physical port description

This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system.

Multiple descriptions are needed if multiple ports will be used.

Physical ports are configured within the source context and are used to bind logical R-P interfaces.

Gateway IP address

Used when configuring static routes from the R-P interface(s) to a specific network.

PDSN service Configuration

PDSN service name

This is an identification string between 1 and 63 characters (alpha and/or numeric) by which the PDSN service will be recognized by the system.

Multiple names are needed if multiple PDSN services will be used.

PDSN services are configured in the source context.

UDP port number for R-P traffic

Specifies the port used by the PDSN service and the PCF for communications. The UDP port number and can be any integer value between 1 and 65535. The default value is 699.

Authentication protocols used

Specifies how the system handles authentication: using a protocol (such as CHAP, PAP, or MSCHAP), or not requiring any authentication.

Domain alias for NAI-construction

Specifies a context name for the system to use to provide accounting functionality for a subscriber session. This parameter is needed only if the system is configured to support no authentication.

Security Parameter Index Information

PCF IP address:

Specifies the IP address of the PCF that the PDSN service will be communicating with. The PDSN service allows the creation of a security profile that can be associated with a particular PCF.

Multiple IP addresses are needed if the PDSN service will be communicating with multiple PCFs.

Index:

Specifies the shared SPI between the PDSN service and a particular PCF. The SPI can be configured to any integer value between 256 and 4294967295.

Multiple SPIs can be configured if the PDSN service is to communicate with multiple PCFs.

Secret:

Specifies the shared SPI secret between the PDSN service and the PCF. The secret can be between 1 and 127 characters (alpha and/or numeric).

An SPI secret is required for each SPI configured.

Hash-algorithm:

Specifies the algorithm used to hash the SPI and SPI secret. The possible algorithms that can be configured are MD5 per RFC 1321 and keyed-MD5 per RFC 2002. The default is MD5.

A hash-algorithm is required for each SPI configured.

Replay-protection process:

Specifies how protection against replay-attacks is implemented. The possible processes are nonce and timestamp. The default is timestamp with a tolerance of 60 seconds.

A replay-protection process is required for each SPI configured.

Subscriber session lifetime

Specifies the time in seconds that an A10 connection can exist before its registration is considered expired.

The time is expressed in seconds and can be configured to any integer value between 1 and 65534, or the timer can be disabled to set an infinite lifetime. The default value is 1800 seconds.

AAA Interface Configuration

AAA interface name

This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system.

Multiple names are needed if multiple interfaces will be configured.

AAA interfaces will be configured in the source context.

IP address and subnet

These will be assigned to the AAA interface.

Multiple addresses and/or subnets are needed if multiple interfaces will be configured.

Physical port number

A single physical port can facilitate multiple interfaces.

Physical port description

This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system.

Multiple descriptions are needed if multiple ports will be used.

Physical ports are configured within the source context and are used to bind logical AAA interfaces.

Gateway IP address

Used when configuring static routes from the AAA interface(s) to a specific network.

RADIUS Server Configuration

RADIUS Authentication server

IP Address:

Specifies the IP address of the RADIUS authentication server the source context will communicate with to provide subscriber authentication functions.

Multiple addresses are needed if multiple RADIUS servers will be configured.

RADIUS authentication servers are configured within the source context. Multiple servers can be configured and each assigned a priority.

Shared Secret:

The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS authentication server and the source context.

A shared secret is needed for each configured RADIUS server.

UDP Port Number:

Specifies the port used by the source context and the RADIUS authentication server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1812.

RADIUS Accounting server

IP Address:

Specifies the IP address of the RADIUS accounting server that the source context will communicate with to provide subscriber accounting functions.

Multiple addresses are needed if multiple RADIUS servers will be configured.

RADIUS accounting servers are configured within the source context. Multiple servers can be configured and each assigned a priority.

Shared Secret:

The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS accounting server and the source context.

A shared secret is needed for each configured RADIUS server.

UDP Port Number:

Specifies the port used by the source context and the RADIUS Accounting server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1813.

RADIUS attribute NAS Identifier

Specifies the name by which the source context will be identified in the Access-Request message(s) it sends to the RADIUS server. The name must be between 1 and 32 alpha and/or numeric characters and is case sensitive.

RADIUS NAS IP address

Specifies the IP address of the source context’s AAA interface. A secondary IP address interface can optionally be configured.

Default Subscriber Configuration

“Default” subscriber’s IP context name

Specifies the name of the egress context on the system that facilitates the PDN ports.

NOTE: For this configuration, the IP context name should be identical to the name of the destination context.

Destination Context Configuration

The following table lists the information that is required to configure the destination context.

Table 2. Required Information for Destination Context Configuration

Required Information	Description
Destination context name	This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the destination context will be recognized by the system. NOTE: For this configuration, the destination context name should not match the domain name of a specific domain.
PDN Interface Configuration
PDN interface name	This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system. Multiple names are needed if multiple interfaces will be configured. PDN interfaces are configured in the destination context.
IP address and subnet	These will be assigned to the PDN interface. Multiple addresses and/or subnets are needed if multiple interfaces will be configured.
Physical port number	This specifies the physical port to which the interface will be bound. Ports are identified by the chassis slot number where the line card resides in, followed by the number of the physical connector on the line card. For example, port 17/1 identifies connector number 1 on the card in slot 17. A single physical port can facilitate multiple interfaces.
Physical port description(s)	This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system. Multiple descriptions will be needed if multiple ports will be used. Physical ports are configured within the destination context and are used to bind logical PDN interfaces.
Gateway IP address(es)	Used when configuring static routes from the PDN interface(s) to a specific network.
IP Address Pool Configuration (optional)
IP address pool name(s)	If IP address pools will be configured in the destination context(s), names or identifiers will be needed for them. The pool name can be between 1 and 31 alpha and/or numeric characters and is case sensitive.
IP pool addresses	An initial address and a subnet, or a starting address and an ending address, are required for each configured pool. The pool will then consist of every possible address within the subnet, or all addresses from the starting address to the ending address. The pool can be configured as public, private, or static.

Required Information

Description

Destination context name

This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the destination context will be recognized by the system.

NOTE: For this configuration, the destination context name should not match the domain name of a specific domain.

PDN Interface Configuration

PDN interface name

This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system.

Multiple names are needed if multiple interfaces will be configured.

PDN interfaces are configured in the destination context.

IP address and subnet

These will be assigned to the PDN interface.

Multiple addresses and/or subnets are needed if multiple interfaces will be configured.

Physical port number

A single physical port can facilitate multiple interfaces.

Physical port description(s)

This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system.

Multiple descriptions will be needed if multiple ports will be used.

Physical ports are configured within the destination context and are used to bind logical PDN interfaces.

Gateway IP address(es)

Used when configuring static routes from the PDN interface(s) to a specific network.

IP Address Pool Configuration (optional)

IP address pool name(s)

If IP address pools will be configured in the destination context(s), names or identifiers will be needed for them. The pool name can be between 1 and 31 alpha and/or numeric characters and is case sensitive.

IP pool addresses

An initial address and a subnet, or a starting address and an ending address, are required for each configured pool. The pool will then consist of every possible address within the subnet, or all addresses from the starting address to the ending address.

The pool can be configured as public, private, or static.

How This Configuration Works

The following figure and the text that follows describe how this configuration with a single source and destination context would be used by the system to process a Simple IP data call.

Figure 2. Call Processing Using a Single Source and Destination Context

A subscriber session from the PCF is received by the PDSN service over the R-P interface.
The PDSN service determines which context to use in providing AAA functionality for the session. This process is described in the How the System Selects Contexts section located in the Understanding the System Operation and Configuration chapter of the System Administration Guide.For this example, the result of this process is that PDSN service determined that AAA functionality should be provided by the Source context.
The system communicates with the AAA server specified in the Source context’s AAA configuration to authenticate the subscriber.
Upon successful authentication, the system determines which egress context to use for the subscriber session. This process is described in the How the System Selects Contexts section located in the Understanding the System Operation and Configuration chapter of the System Administration Guide.The system determines that the egress context is the destination context based on the configuration of either the Default subscriber’s ip-context name or from the SN-VPN-NAME or SN1-VPN-NAME attributes that is configured in the subscriber’s RADIUS profile.
Data traffic for the subscriber session is routed through the PDN interface in the Destination context.
Accounting information for the session is sent to the AAA server over the AAA interface.

Example 2: Simple IP Using a Single Source Context and Multiple Outsourced Destination Contexts

The system allows the wireless carrier to easily generate additional revenue by providing the ability to configure separate contexts that can then be leased or outsourced to various enterprises or ISPs, each having a specific domain.

In order to support multiple outsourced domains, the system must first be configured with at least one source context and multiple destination contexts as shown in the following figure . The AAA servers could be owned/maintained by either the carrier or the domain. If they are owned by the domain, the carrier will have to receive the AAA information via proxy.

Figure 3. Simple IP Support Using a Single Source Context and Multiple Outsourced Destination Contexts

The source context will facilitate the PDSN service(s), and the R-P interface(s). The source context will also be configured with AAA interface(s) to provide AAA functionality for subscriber sessions. The destination contexts will each be configured to facilitate PDN interfaces. In addition, because each of the destination contexts can be outsourced to different domains, they will also be configured with AAA interface(s) to provide AAA functionality for that domain.

In addition to the source and destination contexts, there are additional system-level AAA parameters that must be configured.

Information Required

Source Context Configuration

The following table lists the information that is required to configure the source context.

Table 3. Required Information for Source Context Configuration

Required Information	Description
Source context name	This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the source context will be recognized by the system.
R-P Interface Configuration
R-P interface name	This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system. Multiple names are needed if multiple interfaces will be configured. R-P interfaces are configured in the source context.
IP address and subnet	These will be assigned to the R-P interface. Multiple addresses and/or subnets are needed if multiple interfaces will be configured.
Physical port number	This specifies the physical port to which the interface will be bound. Ports are identified by the chassis slot number where the line card resides in, followed by the number of the physical connector on the line card. For example, port 17/1 identifies connector number 1 on the card in slot 17. A single physical port can facilitate multiple interfaces.
Physical port description	This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system. Multiple descriptions are needed if multiple ports will be used. Physical ports are configured within the source context and are used to bind logical R-P interfaces.
Gateway IP address	Used when configuring static routes from the R-P interface(s) to a specific network.
PDSN service Configuration
PDSN service name	This is an identification string between 1 and 63 characters (alpha and/or numeric) by which the PDSN service will be recognized by the system. Multiple names are needed if multiple PDSN services will be used. PDSN services are configured in the source context.
UDP port number for R-P traffic	Specifies the port used by the PDSN service and the PCF for communications. The UDP port number and can be any integer value between 1 and 65535. The default value is 699.
Authentication protocols used	Specifies how the system handles authentication: using a protocol (such as CHAP, PAP, or MSCHAP), or not requiring any authentication.
Domain alias for NAI-construction	Specifies a context name for the system to use to provide accounting functionality for a subscriber session. This parameter is needed only if the system is configured to support no authentication.
Security Parameter Index Information	PCF IP address: Specifies the IP address of the PCF that the PDSN service will be communicating with. The PDSN service allows the creation of a security profile that can be associated with a particular PCF. Multiple IP addresses are needed if the PDSN service will be communicating with multiple PCFs.
Index: Specifies the shared SPI between the PDSN service and a particular PCF. The SPI can be configured to any integer value between 256 and 4294967295. Multiple SPIs can be configured if the PDSN service is to communicate with multiple PCFs.
Secret: Specifies the shared SPI secret between the PDSN service and the PCF. The secret can be between 1 and 127 characters (alpha and/or numeric). An SPI secret is required for each SPI configured.
Hash-algorithm: Specifies the algorithm used to hash the SPI and SPI secret. The possible algorithms that can be configured are MD5 per RFC 1321 and keyed-MD5 per RFC 2002. The default is MD5. A hash-algorithm is required for each SPI configured.
Replay-protection process: Specifies how protection against replay-attacks is implemented. The possible processes are nonce and timestamp. The default is timestamp with a tolerance of 60 seconds. A replay-protection process is required for each SPI configured.
Subscriber session lifetime	Specifies the time in seconds that an A10 connection can exist before its registration is considered expired. The time is expressed in seconds and can be configured to any integer value between 1 and 65534, or the timer can be disabled to set an infinite lifetime. The default value is 1800 seconds.
AAA Interface Configuration
AAA interface name	This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system. Multiple names are needed if multiple interfaces will be configured. AAA interfaces will be configured in the source context.
IP address and subnet	These will be assigned to the AAA interface. Multiple addresses and/or subnets are needed if multiple interfaces will be configured.
Physical port number	This specifies the physical port to which the interface will be bound. Ports are identified by the chassis slot number where the line card resides in, followed by the number of the physical connector on the line card. For example, port 17/1 identifies connector number 1 on the card in slot 17. A single physical port can facilitate multiple interfaces.
Physical port description	This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system. Multiple descriptions are needed if multiple ports will be used. Physical ports are configured within the source context and are used to bind logical AAA interfaces.
Gateway IP address	Used when configuring static routes from the AAA interface(s) to a specific network.
RADIUS Server Configuration
RADIUS Authentication server	IP Address: Specifies the IP address of the RADIUS authentication server the source context will communicate with to provide subscriber authentication functions. Multiple addresses are needed if multiple RADIUS servers will be configured. RADIUS authentication servers are configured within the source context. Multiple servers can be configured and each assigned a priority.
Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS authentication server and the source context. A shared secret is needed for each configured RADIUS server.
UDP Port Number: Specifies the port used by the source context and the RADIUS authentication server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1812.
RADIUS Accounting server	IP Address: Specifies the IP address of the RADIUS accounting server that the source context will communicate with to provide subscriber accounting functions. Multiple addresses are needed if multiple RADIUS servers will be configured. RADIUS accounting servers are configured within the source context. Multiple servers can be configured and each assigned a priority.
Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS accounting server and the source context. A shared secret is needed for each configured RADIUS server.
UDP Port Number: Specifies the port used by the source context and the RADIUS Accounting server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1813.
RADIUS attribute NAS Identifier	Specifies the name by which the source context will be identified in the Access-Request message(s) it sends to the RADIUS server. The name must be between 1 and 32 alpha and/or numeric characters and is case sensitive.
RADIUS NAS IP address	Specifies the IP address of the source context’s AAA interface. A secondary IP address interface can optionally be configured.
Default Subscriber Configuration
“Default” subscriber’s IP context name	Specifies the name of the egress context on the system that facilitates the PDN ports. NOTE: For this configuration, the IP context name should be identical to the name of the destination context.

Required Information

Description

Source context name

This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the source context will be recognized by the system.

R-P Interface Configuration

R-P interface name

This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system.

Multiple names are needed if multiple interfaces will be configured.

R-P interfaces are configured in the source context.

IP address and subnet

These will be assigned to the R-P interface.

Multiple addresses and/or subnets are needed if multiple interfaces will be configured.

Physical port number

A single physical port can facilitate multiple interfaces.

Physical port description

This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system.

Multiple descriptions are needed if multiple ports will be used.

Physical ports are configured within the source context and are used to bind logical R-P interfaces.

Gateway IP address

Used when configuring static routes from the R-P interface(s) to a specific network.

PDSN service Configuration

PDSN service name

This is an identification string between 1 and 63 characters (alpha and/or numeric) by which the PDSN service will be recognized by the system.

Multiple names are needed if multiple PDSN services will be used.

PDSN services are configured in the source context.

UDP port number for R-P traffic

Specifies the port used by the PDSN service and the PCF for communications. The UDP port number and can be any integer value between 1 and 65535. The default value is 699.

Authentication protocols used

Specifies how the system handles authentication: using a protocol (such as CHAP, PAP, or MSCHAP), or not requiring any authentication.

Domain alias for NAI-construction

Specifies a context name for the system to use to provide accounting functionality for a subscriber session. This parameter is needed only if the system is configured to support no authentication.

Security Parameter Index Information

PCF IP address:

Specifies the IP address of the PCF that the PDSN service will be communicating with. The PDSN service allows the creation of a security profile that can be associated with a particular PCF.

Multiple IP addresses are needed if the PDSN service will be communicating with multiple PCFs.

Index:

Specifies the shared SPI between the PDSN service and a particular PCF. The SPI can be configured to any integer value between 256 and 4294967295.

Multiple SPIs can be configured if the PDSN service is to communicate with multiple PCFs.

Secret:

Specifies the shared SPI secret between the PDSN service and the PCF. The secret can be between 1 and 127 characters (alpha and/or numeric).

An SPI secret is required for each SPI configured.

Hash-algorithm:

Specifies the algorithm used to hash the SPI and SPI secret. The possible algorithms that can be configured are MD5 per RFC 1321 and keyed-MD5 per RFC 2002. The default is MD5.

A hash-algorithm is required for each SPI configured.

Replay-protection process:

Specifies how protection against replay-attacks is implemented. The possible processes are nonce and timestamp. The default is timestamp with a tolerance of 60 seconds.

A replay-protection process is required for each SPI configured.

Subscriber session lifetime

Specifies the time in seconds that an A10 connection can exist before its registration is considered expired.

The time is expressed in seconds and can be configured to any integer value between 1 and 65534, or the timer can be disabled to set an infinite lifetime. The default value is 1800 seconds.

AAA Interface Configuration

AAA interface name

This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system.

Multiple names are needed if multiple interfaces will be configured.

AAA interfaces will be configured in the source context.

IP address and subnet

These will be assigned to the AAA interface.

Multiple addresses and/or subnets are needed if multiple interfaces will be configured.

Physical port number

A single physical port can facilitate multiple interfaces.

Physical port description

This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system.

Multiple descriptions are needed if multiple ports will be used.

Physical ports are configured within the source context and are used to bind logical AAA interfaces.

Gateway IP address

Used when configuring static routes from the AAA interface(s) to a specific network.

RADIUS Server Configuration

RADIUS Authentication server

IP Address:

Specifies the IP address of the RADIUS authentication server the source context will communicate with to provide subscriber authentication functions.

Multiple addresses are needed if multiple RADIUS servers will be configured.

RADIUS authentication servers are configured within the source context. Multiple servers can be configured and each assigned a priority.

Shared Secret:

The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS authentication server and the source context.

A shared secret is needed for each configured RADIUS server.

UDP Port Number:

Specifies the port used by the source context and the RADIUS authentication server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1812.

RADIUS Accounting server

IP Address:

Specifies the IP address of the RADIUS accounting server that the source context will communicate with to provide subscriber accounting functions.

Multiple addresses are needed if multiple RADIUS servers will be configured.

RADIUS accounting servers are configured within the source context. Multiple servers can be configured and each assigned a priority.

Shared Secret:

The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS accounting server and the source context.

A shared secret is needed for each configured RADIUS server.

UDP Port Number:

Specifies the port used by the source context and the RADIUS Accounting server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1813.

RADIUS attribute NAS Identifier

RADIUS NAS IP address

Specifies the IP address of the source context’s AAA interface. A secondary IP address interface can optionally be configured.

Default Subscriber Configuration

“Default” subscriber’s IP context name

Specifies the name of the egress context on the system that facilitates the PDN ports.

NOTE: For this configuration, the IP context name should be identical to the name of the destination context.

Destination Context Configuration

The following table lists the information that is required to configure the destination context.

Table 4. Required Information for Destination Context Configuration

Required Information	Description
Destination context name	This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the destination context will be recognized by the system. NOTE: For this configuration, the destination context name should not match the domain name of a specific domain.
PDN Interface Configuration
PDN interface name	This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system. Multiple names are needed if multiple interfaces will be configured. PDN interfaces are configured in the destination context.
IP address and subnet	These will be assigned to the PDN interface. Multiple addresses and/or subnets are needed if multiple interfaces will be configured.
Physical port number	This specifies the physical port to which the interface will be bound. Ports are identified by the chassis slot number where the line card resides in, followed by the number of the physical connector on the line card. For example, port 17/1 identifies connector number 1 on the card in slot 17. A single physical port can facilitate multiple interfaces.
Physical port description(s)	This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system. Multiple descriptions will be needed if multiple ports will be used. Physical ports are configured within the destination context and are used to bind logical PDN interfaces.
Gateway IP address(es)	Used when configuring static routes from the PDN interface(s) to a specific network.
IP Address Pool Configuration (optional)
IP address pool name(s)	If IP address pools will be configured in the destination context(s), names or identifiers will be needed for them. The pool name can be between 1 and 31 alpha and/or numeric characters and is case sensitive.
IP pool addresses	An initial address and a subnet, or a starting address and an ending address, are required for each configured pool. The pool will then consist of every possible address within the subnet, or all addresses from the starting address to the ending address. The pool can be configured as public, private, or static.
AAA Interface Configuration
AAA interface name	This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system. Multiple names are needed if multiple interfaces will be configured. AAA interfaces will be configured in the source context.
IP address and subnet	These will be assigned to the AAA interface. Multiple addresses and/or subnets are needed if multiple interfaces will be configured.
Physical port number	This specifies the physical port to which the interface will be bound. Ports are identified by the chassis slot number where the line card resides in, followed by the number of the physical connector on the line card. For example, port 17/1 identifies connector number 1 on the card in slot 17. A single physical port can facilitate multiple interfaces.
Physical port description	This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system. Multiple descriptions are needed if multiple ports will be used. Physical ports are configured within the source context and are used to bind logical AAA interfaces.
Gateway IP address	Used when configuring static routes from the AAA interface(s) to a specific network.
RADIUS Server Configuration
RADIUS Authentication server	IP Address: Specifies the IP address of the RADIUS authentication server the source context will communicate with to provide subscriber authentication functions. Multiple addresses are needed if multiple RADIUS servers will be configured. RADIUS authentication servers are configured within the source context. Multiple servers can be configured and each assigned a priority.
Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS authentication server and the source context. A shared secret is needed for each configured RADIUS server.
UDP Port Number: Specifies the port used by the source context and the RADIUS authentication server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1812.
RADIUS Accounting server	IP Address: Specifies the IP address of the RADIUS accounting server that the source context will communicate with to provide subscriber accounting functions. Multiple addresses are needed if multiple RADIUS servers will be configured. RADIUS accounting servers are configured within the source context. Multiple servers can be configured and each assigned a priority.
Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS accounting server and the source context. A shared secret is needed for each configured RADIUS server.
UDP Port Number: Specifies the port used by the source context and the RADIUS Accounting server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1813.
RADIUS attribute NAS Identifier	Specifies the name by which the source context will be identified in the Access-Request message(s) it sends to the RADIUS server. The name must be between 1 and 32 alpha and/or numeric characters and is case sensitive.
RADIUS NAS IP address	Specifies the IP address of the source context’s AAA interface. A secondary IP address interface can optionally be configured.

Required Information

Description

Destination context name

This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the destination context will be recognized by the system.

NOTE: For this configuration, the destination context name should not match the domain name of a specific domain.

PDN Interface Configuration

PDN interface name

This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system.

Multiple names are needed if multiple interfaces will be configured.

PDN interfaces are configured in the destination context.

IP address and subnet

These will be assigned to the PDN interface.

Multiple addresses and/or subnets are needed if multiple interfaces will be configured.

Physical port number

A single physical port can facilitate multiple interfaces.

Physical port description(s)

This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system.

Multiple descriptions will be needed if multiple ports will be used.

Physical ports are configured within the destination context and are used to bind logical PDN interfaces.

Gateway IP address(es)

Used when configuring static routes from the PDN interface(s) to a specific network.

IP Address Pool Configuration (optional)

IP address pool name(s)

IP pool addresses

The pool can be configured as public, private, or static.

AAA Interface Configuration

AAA interface name

This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system.

Multiple names are needed if multiple interfaces will be configured.

AAA interfaces will be configured in the source context.

IP address and subnet

These will be assigned to the AAA interface.

Multiple addresses and/or subnets are needed if multiple interfaces will be configured.

Physical port number

A single physical port can facilitate multiple interfaces.

Physical port description

This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system.

Multiple descriptions are needed if multiple ports will be used.

Physical ports are configured within the source context and are used to bind logical AAA interfaces.

Gateway IP address

Used when configuring static routes from the AAA interface(s) to a specific network.

RADIUS Server Configuration

RADIUS Authentication server

IP Address:

Specifies the IP address of the RADIUS authentication server the source context will communicate with to provide subscriber authentication functions.

Multiple addresses are needed if multiple RADIUS servers will be configured.

RADIUS authentication servers are configured within the source context. Multiple servers can be configured and each assigned a priority.

Shared Secret:

The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS authentication server and the source context.

A shared secret is needed for each configured RADIUS server.

UDP Port Number:

Specifies the port used by the source context and the RADIUS authentication server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1812.

RADIUS Accounting server

IP Address:

Specifies the IP address of the RADIUS accounting server that the source context will communicate with to provide subscriber accounting functions.

Multiple addresses are needed if multiple RADIUS servers will be configured.

RADIUS accounting servers are configured within the source context. Multiple servers can be configured and each assigned a priority.

Shared Secret:

The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS accounting server and the source context.

A shared secret is needed for each configured RADIUS server.

UDP Port Number:

Specifies the port used by the source context and the RADIUS Accounting server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1813.

RADIUS attribute NAS Identifier

RADIUS NAS IP address

Specifies the IP address of the source context’s AAA interface. A secondary IP address interface can optionally be configured.

System-Level AAA Configuration

The following table lists the information required to configure the system-level AAA parameters.

Table 5. Required Information for System-Level AAA Configuration

Required Information	Description
Subscriber default domain name	Specifies the name of a context that can provide AAA functions in the event that the domain-part of the username is missing or poorly formed. This parameter will be applied to all subscribers if their domain can not be determined from their username regardless of what domain they are trying to access. NOTE: The default domain name can be the same as the source context.
Subscriber Last-resort context	Specifies the name of a context that can provide AAA functions in the event that the domain-part of the username was present but does not match the name of a configured destination context. This parameter will be applied to all subscribers if their specified domain does not match a configured destination context regardless of what domain they are trying to access. NOTE: The last-resort context name can be the same as the source context.
Subscriber username format	Specifies the format of subscriber usernames as to whether or not the username or domain is specified first and the character that separates them. The possible separator characters are: @ % - \ # / Up to six username formats can be specified. The default is username @. NOTE: The username string is searched from right to left for the separator character. Therefore, if there is one or more separator characters in the string, only the first one that is recognized is considered the actual separator. For example, if the default username format was used, then for the username string user1@enterprise@isp1, the system resolves to the username user1@enterprise with domain isp1.

Required Information

Description

Subscriber default domain name

Specifies the name of a context that can provide AAA functions in the event that the domain-part of the username is missing or poorly formed.

This parameter will be applied to all subscribers if their domain can not be determined from their username regardless of what domain they are trying to access.

NOTE: The default domain name can be the same as the source context.

Subscriber Last-resort context

Specifies the name of a context that can provide AAA functions in the event that the domain-part of the username was present but does not match the name of a configured destination context.

This parameter will be applied to all subscribers if their specified domain does not match a configured destination context regardless of what domain they are trying to access.

NOTE: The last-resort context name can be the same as the source context.

Subscriber username format

Specifies the format of subscriber usernames as to whether or not the username or domain is specified first and the character that separates them. The possible separator characters are:

Up to six username formats can be specified. The default is username @.

NOTE: The username string is searched from right to left for the separator character. Therefore, if there is one or more separator characters in the string, only the first one that is recognized is considered the actual separator. For example, if the default username format was used, then for the username string user1@enterprise@isp1, the system resolves to the username user1@enterprise with domain isp1.

How This Configuration Works

The following figure and the text that follows describe how this configuration with a single source and destination context would be used by the system to process a Simple IP data call.

Figure 4. Call Processing Using a Single Source and Destination Context

The system-level AAA settings were configured as follows:Default subscriber domain name = DomainxSubscriber username format = username @No subscriber last-resort context name was configured.The IP context names for the Default subscriber were configured as follows:Within the Source context, the IP context name was configured as Domainx.Within the Domainx context, the IP context name was configured as Domainx.Sessions are received by the PDSN service from the PCF over the R-P interface for subscriber1@Domain1, subscriber2, and subscriber3@Domain37. The PDSN service attempts to determine the domain names for each session.For subscriber1, the PDSN service determines that a domain name is present and is Domain1.For subscriber2, the PDSN service determines that no domain name is present.For subscriber3, the PDSN service determines that a domain name is present and is Domain37.The PDSN service determines which context to use to provide AAA functionality for the session. This process is described in the How the System Selects Contexts section located in the Understanding the System Operation and Configuration chapter of the System Administration Guide.For subscriber1, the PDSN service determines that a context is configured with a name that matches the domain name specified in the username string (Domain1). Therefore, Domain1 is used.For subscriber2, the PDSN service determines that Domainx was configured as the subscriber default domain name. Therefore, Domainx was used.For subscriber3, the PDSN service determines that no context was configured that matched the domain name specified in the username string (Domain37). Because no subscriber last-resort context name is configured, the source context is used.The system then communicates with the AAA servers specified in each of the selected context’s AAA configuration to authenticate the subscriber. Upon successful authentication of all three subscribers, the PDSN service determines which destination context to use for each of the subscriber sessions. This process is described in the How the System Selects Contexts section located in the Understanding the System Operation and Configuration chapter of the System Administration Guide.For subscriber1, the PDSN service receives the SN-VPN-NAME or SN1-VPN-NAME attribute equal to Domain1 as part of the authentication accept message from the AAA server on Domain1’s network. Therefore, Domain1 is used as the destination context.For subscriber2, the PDSN service determined that the SN-VPN-NAME or SN1-VPN-NAME attribute was not returned with the Authentication Accept response, and determines the subscriber IP context name configured for the Default subscriber within the Domainx context. Because this parameter is configured to Domainx, the Domainx context will be used as the destination context.For subscriber3, the PDSN service determines that the SN-VPN-NAME or SN1-VPN-NAME attribute was not returned with the Authentication Accept response, and determined the Default subscriber IP context name configured within the Source context. Because this parameter is configured to Domainx, the Domainx context is used as the destination context.Data traffic for the subscriber session is routed through the PDN interface in each subscriber’s destination context.Accounting messages for the session are sent to the AAA servers over the AAA interfacesA subscriber session from the PCF is received by the PDSN service over the R-P interface.
The PDSN service determines which context to use in providing AAA functionality for the session. This process is described in the How the System Selects Contexts section located in the Understanding the System Operation and Configuration chapter of the System Administration Guide.For this example, the result of this process is that PDSN service determined that AAA functionality should be provided by the Source context.
The system communicates with the AAA server specified in the Source context’s AAA configuration to authenticate the subscriber.
Upon successful authentication, the system determines which egress context to use for the subscriber session. This process is described in the How the System Selects Contexts section located in the Understanding the System Operation and Configuration chapter of the System Administration Guide.The system determines that the egress context is the destination context based on the configuration of either the Default subscriber’s ip-context name or from the SN-VPN-NAME or SN1-VPN-NAME attributes that is configured in the subscriber’s RADIUS profile.
Data traffic for the subscriber session is routed through the PDN interface in the Destination context.
Accounting information for the session is sent to the AAA server over the AAA interface.

The system-level AAA settings were configured as follows:
- Default subscriber domain name = Domainx
- Subscriber username format = username @
- No subscriber last-resort context name was configured.
The IP context names for the Default subscriber were configured as follows:
- Within the Source context, the IP context name was configured as Domainx.
- Within the Domainx context, the IP context name was configured as Domainx.
Sessions are received by the PDSN service from the PCF over the R-P interface for subscriber1@Domain1, subscriber2, and subscriber3@Domain37.
The PDSN service attempts to determine the domain names for each session.
- For subscriber1, the PDSN service determines that a domain name is present and is Domain1.
- For subscriber2, the PDSN service determines that no domain name is present.
- For subscriber3, the PDSN service determines that a domain name is present and is Domain37.
The PDSN service determines which context to use to provide AAA functionality for the session. This process is described in the How the System Selects Contexts section located in the Understanding the System Operation and Configuration chapter of the System Administration Guide.
- For subscriber1, the PDSN service determines that a context is configured with a name that matches the domain name specified in the username string (Domain1). Therefore, Domain1 is used.
- For subscriber2, the PDSN service determines that Domainx was configured as the subscriber default domain name. Therefore, Domainx was used.
- For subscriber3, the PDSN service determines that no context was configured that matched the domain name specified in the username string (Domain37). Because no subscriber last-resort context name is configured, the source context is used.
The system then communicates with the AAA servers specified in each of the selected context’s AAA configuration to authenticate the subscriber.
Upon successful authentication of all three subscribers, the PDSN service determines which destination context to use for each of the subscriber sessions. This process is described in the How the System Selects Contexts section located in the Understanding the System Operation and Configuration chapter of the System Administration Guide.
- For subscriber1, the PDSN service receives the SN-VPN-NAME or SN1-VPN-NAME attribute equal to Domain1 as part of the authentication accept message from the AAA server on Domain1’s network. Therefore, Domain1 is used as the destination context.
- For subscriber2, the PDSN service determined that the SN-VPN-NAME or SN1-VPN-NAME attribute was not returned with the Authentication Accept response, and determines the subscriber IP context name configured for the Default subscriber within the Domainx context. Because this parameter is configured to Domainx, the Domainx context will be used as the destination context.
- For subscriber3, the PDSN service determines that the SN-VPN-NAME or SN1-VPN-NAME attribute was not returned with the Authentication Accept response, and determined the Default subscriber IP context name configured within the Source context. Because this parameter is configured to Domainx, the Domainx context is used as the destination context.
Data traffic for the subscriber session is routed through the PDN interface in each subscriber’s destination context.
Accounting messages for the session are sent to the AAA servers over the AAA interfaces