Example 1: Mobile IP Support Using the System as a GGSN/FA
IMPORTANT:
Information Required
Source Context Configuration
AAA Context Configuration
| Required Information | Description |
|---|---|
| AAA context name | An identification string from 1 to 79 characters (alpha and/or numeric) by which the AAA context will be recognized by the system. NOTE: If a separate system is used to provide HA functionality, the AAA context name should match the name of the context in which the AAA functionality is configured on the HA machine. |
| APN Configuration | |
| APN name | An identification string by which the APN will be recognized by the system. The name can be from 1 to 62 alpha and/or numeric characters and is not case sensitive. It may also contain dots ( . ) and/or dashes ( - ). Multiple names are needed if multiple APNs will be used. |
| Accounting mode | Selects the accounting protocol. GTPP or RADIUS are supported. In addition, accounting can be completely disabled. The default is to perform accounting using GTPP. NOTE: The examples discussed in this chapter assume GTPP is used. |
| Authentication protocols used | Specifies how the system handles authentication: using a protocol (such as CHAP, PAP, or MSCHAP), or not requiring any authentication. |
| APN charging characteristics (CC) (optional) | Specifies whether or not the GGSN accepts the CC from the SGSN for home, visiting, and roaming subscribers. By default the GGSN accepts the CC from the SGSN for all three scenarios. If the GGSN is to use its own CC for any of these scenarios, then each scenario requires the specification of behavior bits and a profile index to use. NOTE: The profile index parameters are configured as part of the GGSN service. |
| Domain Name Service (DNS) information (optional) | If DNS will be used for the APN, IP addresses can be configured for primary and secondary DNS servers. |
| IP destination context name | The name of the system destination context to use for subscribers accessing the APN. If no name is specified, the system automatically uses the system context in which the APN is configured. |
| Maximum number of PDP contexts | The maximum number of PDP contexts that are supported for the APN. The maximum number can be configured to any integer value from 1 to 1500000. The default is 1000000. |
| PDP type | The type of PDP contexts supported by the APN. The type can be IPv4, IPv6, both IPv4 and IPv6, or PPP. IPv4 support is enabled by default. |
| Verification selection mode | The level of verification that will be used to ensure an MS’s subscription to use the APN. The GGSN uses any of the following methods: |
| Mobile IP Configuration | Home Agent IP Address: The IP address of an HA with which the system will tunnel subscriber Mobile IP sessions. Configuring this information tunnels all subscriber Mobile IP PDP contexts facilitated by the APN to the same HA unless an individual subscriber profile provides an alternate HA address. Parameters stored in individual profiles supersede parameters provided by the APN. |
| | Mobile IP Requirement: The APN can be configured to require Mobile IP for all sessions it facilitates. Incoming PDP contexts that do not or cannot use Mobile IP are dropped. |
| AAA Interface Configuration | |
| AAA interface name | An identification string from 1 to 79 characters (alpha and/or numeric) by which the interface will be recognized by the system. Multiple names are needed if multiple interfaces will be configured. |
| IP address and subnet | These will be assigned to the AAA interface. Multiple addresses and/or subnets are needed if multiple interfaces will be configured. |
| Physical port number | Specifies the physical port to which the interface will be bound. Ports are identified by the chassis slot number in which the line card resides, followed by the number of the physical connector on the line card. For example, port 17/1 identifies connector number 1 on the card in slot 17. A single physical port can facilitate multiple interfaces. |
| Physical port description | An identification string from 1 to 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system. Multiple descriptions are needed if multiple ports will be used. Physical ports are used to bind logical AAA interfaces. |
| Gateway IP address | Used when configuring static routes from the AAA interface(s) to a specific network. |
| Foreign RADIUS Server Configuration | |
| Foreign RADIUS Authentication server | IP Address: Specifies the IP address of the Foreign RADIUS authentication server the system will communicate with to provide subscriber authentication functions. Multiple addresses are needed if multiple RADIUS servers will be configured. Foreign RADIUS servers are configured within the source context. Multiple servers can be configured and each can be assigned a priority. |
| | Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS authentication server and the source context. A shared secret is needed for each configured RADIUS server. |
| | UDP Port Number: Specifies the port used by the source context and the RADIUS authentication server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1812. |
| Foreign RADIUS Accounting server (optional) | IP Address: Specifies the IP address of the foreign RADIUS accounting server that the source context will communicate with to provide subscriber accounting functions. Multiple addresses are needed if multiple RADIUS servers will be configured. RADIUS accounting servers are configured within the source context. Multiple servers can be configured and each assigned a priority. |
| | Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the foreign RADIUS accounting server and the source context. A shared secret is needed for each configured RADIUS server. |
| | UDP Port Number: Specifies the port used by the source context and the foreign RADIUS Accounting server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1813. |
| RADIUS attribute NAS Identifier | Specifies the name by which the source context will be identified in the Access-Request message(s) it sends to the RADIUS server. The name must be from 1 to 32 alpha and/or numeric characters and is case sensitive. |
| RADIUS NAS IP address | Specifies the IP address of the system’s AAA interface. A secondary address can be optionally configured. |
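The RADIUS rows above (shared secret, NAS Identifier carried in the Access-Request, NAS IP address, UDP port 1812) describe the exchange between the source context and its RADIUS authentication server. The following Python is an added example and not the system's own code: it encodes an Access-Request carrying those attributes and performs the NAS-side check of the Response Authenticator (RFC 2865) that discards any reply not computed with the configured shared secret. The user name, NAS values and secret are constructed samples; the 1-15 and 1-32 length limits are the ones the table states.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_NAS_IDENTIFIER = 1, 4, 32
RADIUS_AUTH_PORT = 1812   # page default for the authentication server
HEADER_LEN = 20           # Code, Identifier, Length, 16-octet Authenticator


def attribute(atype, value):
    """One RADIUS attribute: Type, Length (covering these two octets), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, request_auth, user_name, nas_identifier, nas_ip):
    """Source-context (NAS) side: the Access-Request sent to UDP port 1812.
    request_auth is the 16-octet random Request Authenticator of this request."""
    if not 1 <= len(nas_identifier) <= 32:      # limit stated in the table above
        raise ValueError("NAS-Identifier must be 1 to 32 characters")
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    attrs = (attribute(ATTR_USER_NAME, user_name.encode())
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(ATTR_NAS_IDENTIFIER, nas_identifier.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if not 1 <= len(secret) <= 15:              # limit stated in the table above
        raise ValueError("shared secret must be 1 to 15 characters")
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, ident, request_auth, secret, attrs=b""):
    """Server side; used here only to construct a sample reply offline."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_reply(reply, request_auth, expected_ident, secret):
    """NAS side: return the reply Code only if the reply matches the outstanding
    request's Identifier and its Response Authenticator was computed with our
    shared secret; otherwise None (the reply is silently discarded)."""
    if len(reply) < HEADER_LEN:
        return None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != expected_ident:
        return None
    attrs = reply[HEADER_LEN:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, reply[4:HEADER_LEN]):
        return None
    return code


def demo():
    """Constructed exchange: a genuine Access-Accept, the same reply forged with
    the wrong secret, and a reply whose Identifier matches no outstanding request."""
    secret = b"sample-secret"            # constructed, 13 characters (within 1-15)
    request_auth = bytes(range(16))      # fixed for repeatability; use os.urandom(16) live
    ident = 7
    req = build_access_request(ident, request_auth, "user@example.com",
                               "ggsn-src-ctx", "192.0.2.10")
    good = build_reply(ACCESS_ACCEPT, ident, request_auth, secret)
    forged = build_reply(ACCESS_ACCEPT, ident, request_auth, b"wrong-secret")
    stale = build_reply(ACCESS_ACCEPT, ident + 1, request_auth, secret)
    return (len(req),
            verify_reply(good, request_auth, ident, secret),
            verify_reply(forged, request_auth, ident, secret),
            verify_reply(stale, request_auth, ident, secret))


if __name__ == "__main__":
    print(demo())
```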
Mobile IP Destination Context Configuration
| Required Information | Description |
|---|---|
| Mobile IP Destination context name | An identification string between 1 and 79 characters (alpha and/or numeric) by which the Mobile IP destination context will be recognized by the system. NOTE: For this configuration, the destination context name should not match the domain name of a specific domain. It should, however, match the name of the context in which the HA service is configured if a separate system is used to provide HA functionality. |
| Gi Interface Configuration | |
| Gi interface name | An identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system. Multiple names are needed if multiple interfaces will be configured. Gi interfaces are configured in the destination context. |
| IP address and subnet | These will be assigned to the Gi interface. Multiple addresses and/or subnets are needed if multiple interfaces will be configured. |
| Physical port number | Specifies the physical port to which the interface will be bound. Ports are identified by the chassis slot number in which the line card resides, followed by the number of the physical connector on the line card. For example, port 17/1 identifies connector number 1 on the card in slot 17. A single physical port can facilitate multiple interfaces. |
| Physical port description(s) | An identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system. Multiple descriptions will be needed if multiple ports will be used. Physical ports are configured within the destination context and are used to bind logical Gi interfaces. |
| Gateway IP address(es) | Used when configuring static routes from the Gi interface(s) to a specific network. |
| FA Service Configuration | |
| FA service name | An identification string between 1 and 63 characters (alpha and/or numeric) by which the FA service will be recognized by the system. Multiple names are needed if multiple FA services will be used. FA services are configured in the destination context. |
| UDP port number for Mobile IP traffic | Specifies the port used by the FA service and the HA for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 434. |
| Security Parameter Index (indices) Information | HA IP address: Specifies the IP address of the HAs with which the FA service communicates. The FA service allows the creation of a security profile that can be associated with a particular HA. |
| | Index: Specifies the shared SPI between the FA service and a particular HA. The SPI can be configured to any integer value between 256 and 4294967295. Multiple SPIs can be configured if the FA service is to communicate with multiple HAs. |
| | Secrets: Specifies the shared SPI secret between the FA service and the HA. The secret can be between 1 and 127 characters (alpha and/or numeric). An SPI secret is required for each SPI configured. |
| | Hash-algorithm: Specifies the algorithm used to hash the SPI and SPI secret. The possible algorithms that can be configured are MD5 per RFC 1321 and keyed-MD5 per RFC 2002. The default is hmac-md5. A hash-algorithm is required for each SPI configured. |
| FA agent advertisement lifetime | Specifies the time (in seconds) that an FA agent advertisement remains valid in the absence of further advertisements. The time can be configured to any integer value between 1 and 65535. The default is 9000. |
| Number of allowable unanswered FA advertisements | Specifies the number of unanswered agent advertisements that the FA service will allow during call setup before it will reject the session. The number can be any integer value between 1 and 65535. The default is 5. |
| Maximum mobile-requested registration lifetime allowed | Specifies the longest registration lifetime that the FA service will allow in any Registration Request message from the mobile node. The lifetime is expressed in seconds and can be configured between 1 and 65534. An infinite registration lifetime can be configured by disabling the timer. The default is 600 seconds. |
| Registration reply timeout | Specifies the amount of time that the FA service will wait for a Registration Reply from an HA. The time is measured in seconds and can be configured to any integer value between 1 and 65535. The default is 7. |
| Number of simultaneous registrations | Specifies the number of simultaneous Mobile IP sessions that will be supported for a single subscriber. The maximum number of sessions is 3. The default is 1. NOTE: The system will only support multiple Mobile IP sessions per subscriber if the subscriber’s mobile node has a static IP address. |
| Mobile node re-registration requirements | Specifies how the system should handle authentication for mobile node re-registrations. The FA service can be configured to always require authentication or not. If not, the initial registration and de-registration will still be handled normally. |
| Maximum registration lifetime | Specifies the longest registration lifetime that the HA service will allow in any Registration Request message from the mobile node. The time is measured in seconds and can be configured to any integer value between 1 and 65535. An infinite registration lifetime can also be configured by disabling the timer. The default is 600. |
| Maximum number of simultaneous bindings | Specifies the maximum number of “care-of” addresses that can simultaneously be bound for the same user as identified by NAI and Home address. The number can be configured to any integer value between 1 and 5. The default is 3. |
Optional Destination Context Configuration
IMPORTANT:
| Required Information | Description |
|---|---|
| Destination context name | An identification string between 1 and 79 characters (alpha and/or numeric) by which the destination context will be recognized by the system. NOTE: For this configuration, the destination context name should not match the domain name of a specific domain. |
| PDN Interface Configuration | |
| PDN interface name | An identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system. Multiple names are needed if multiple interfaces will be configured. PDN interfaces are configured in the destination context. |
| IP address and subnet | These will be assigned to the PDN interface. Multiple addresses and/or subnets are needed if multiple interfaces will be configured. |
| Physical port number | Specifies the physical port to which the interface will be bound. Ports are identified by the chassis slot number in which the line card resides, followed by the number of the physical connector on the line card. For example, port 17/1 identifies connector number 1 on the card in slot 17. A single physical port can facilitate multiple interfaces. |
| Physical port description | An identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system. Multiple descriptions are needed if multiple ports will be used. Physical ports are configured within the destination context and are used to bind logical PDN interfaces. |
| Gateway IP address(es) | Used when configuring static routes from the PDN interface(s) to a specific network. |
How This Configuration Works
Example 2: Mobile IP Support Using the System as an HA
Information Required
Source Context Configuration
| Required Information | Description |
|---|---|
| Source context name | An identification string from 1 to 79 characters (alpha and/or numeric) by which the source context will be recognized by the system. |
| Gi Interface Configuration | |
| Gi interface name | An identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system. Multiple names are needed if multiple interfaces will be configured. Gi interfaces are configured in the destination context. |
| IP address and subnet | These will be assigned to the Gi interface. Multiple addresses and/or subnets are needed if multiple interfaces will be configured. |
| Physical port number | Specifies the physical port to which the interface will be bound. Ports are identified by the chassis slot number in which the line card resides, followed by the number of the physical connector on the line card. For example, port 17/1 identifies connector number 1 on the card in slot 17. A single physical port can facilitate multiple interfaces. |
| Physical port description(s) | An identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system. Multiple descriptions will be needed if multiple ports will be used. Physical ports are configured within the destination context and are used to bind logical Gi interfaces. |
| Gateway IP address | Used when configuring static routes from the Gi interface(s) to a specific network. |
| HA service Configuration | |
| HA service name | An identification string from 1 to 63 characters (alpha and/or numeric) by which the HA service will be recognized by the system. Multiple names are needed if multiple HA services will be used. HA services are configured in the destination context. |
| UDP port number for Mobile IP traffic | The port used by the HA service and the FA for communications. The UDP port number can be any integer value from 1 to 65535. The default value is 434. |
| Mobile node re-registration requirements | Specifies how the system should handle authentication for mobile node re-registrations. The HA service can be configured as follows: |
| FA-to-HA Security Parameter Index Information | FA IP address: The HA service allows the creation of a security profile that can be associated with a particular FA. This specifies the IP address of the FA that the HA service will be communicating with. Multiple FA addresses are needed if the HA will be communicating with multiple FAs. |
| | Index: Specifies the shared SPI between the HA service and a particular FA. The SPI can be configured to any integer value between 256 and 4294967295. Multiple SPIs can be configured if the HA service is to communicate with multiple FAs. |
| | Secret: Specifies the shared SPI secret between the HA service and the FA. The secret can be between 1 and 127 characters (alpha and/or numeric). An SPI secret is required for each SPI configured. |
| | Hash-algorithm: Specifies the algorithm used to hash the SPI and SPI secret. The possible algorithms that can be configured are MD5 per RFC 1321 and keyed-MD5 per RFC 2002. The default algorithm is hmac-md5. A hash-algorithm is required for each SPI configured. |
| Mobile Node Security Parameter Index Information | Index: Specifies the shared SPI between the HA service and a particular FA. The SPI can be configured to any integer value between 256 and 4294967295. Multiple SPIs can be configured if the HA service is to communicate with multiple FAs. |
| | Secret: Specifies the shared SPI secret between the HA service and the FA. The secret can be between 1 and 127 characters (alpha and/or numeric). An SPI secret is required for each SPI configured. |
| | Hash-algorithm: Specifies the algorithm used to hash the SPI and SPI secret. The possible algorithms that can be configured are MD5 per RFC 1321 and keyed-MD5 per RFC 2002. The default algorithm is hmac-md5. A hash-algorithm is required for each SPI configured. |
| | Replay-protection process: Specifies how protection against replay attacks is implemented. The possible processes are nonce and timestamp. The default is timestamp with a tolerance of 60 seconds. A replay-protection process is required for each mobile node-to-HA SPI configured. |
| Maximum registration lifetime | Specifies the longest registration lifetime that the HA service will allow in any Registration Request message from the mobile node. The time is measured in seconds and can be configured to any integer value between 1 and 65535. An infinite registration lifetime can also be configured by disabling the timer. The default is 600. |
| Maximum number of simultaneous bindings | Specifies the maximum number of “care-of” addresses that can simultaneously be bound for the same user as identified by NAI and Home address. The number can be configured to any integer value between 1 and 5. The default is 3. |
| AAA Interface Configuration | |
| AAA interface name | An identification string from 1 to 79 characters (alpha and/or numeric) by which the interface will be recognized by the system. Multiple names are needed if multiple interfaces will be configured. AAA interfaces will be configured in the source context. |
| IP address and subnet | These will be assigned to the AAA interface. Multiple addresses and/or subnets are needed if multiple interfaces will be configured. |
| Physical port number | Specifies the physical port to which the interface will be bound. Ports are identified by the chassis slot number in which the line card resides, followed by the number of the physical connector on the line card. For example, port 17/1 identifies connector number 1 on the card in slot 17. A single physical port can facilitate multiple interfaces. |
| Physical port description | An identification string from 1 to 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system. Multiple descriptions are needed if multiple ports will be used. Physical ports are used to bind logical AAA interfaces. |
| Gateway IP address | Used when configuring static routes from the AAA interface(s) to a specific network. |
| Home RADIUS Server Configuration | |
| Home RADIUS Authentication server | IP Address: Specifies the IP address of the home RADIUS authentication server the system will communicate with to provide subscriber authentication functions. Multiple addresses are needed if multiple RADIUS servers will be configured. Home RADIUS servers are configured within the source context. Multiple servers can be configured and each can be assigned a priority. |
| | Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the RADIUS authentication server and the source context. A shared secret is needed for each configured RADIUS server. |
| | UDP Port Number: Specifies the port used by the source context and the RADIUS authentication server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1812. |
| Home RADIUS Accounting server (optional) | IP Address: Specifies the IP address of the home RADIUS accounting server that the source context will communicate with to provide subscriber accounting functions. Multiple addresses are needed if multiple RADIUS servers will be configured. RADIUS accounting servers are configured within the source context. Multiple servers can be configured and each assigned a priority. |
| | Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key that is exchanged between the home RADIUS accounting server and the source context. A shared secret is needed for each configured RADIUS server. |
| | UDP Port Number: Specifies the port used by the source context and the home RADIUS Accounting server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1813. |
| RADIUS attribute NAS Identifier | Specifies the name by which the source context will be identified in the Access-Request message(s) it sends to the RADIUS server. The name must be from 1 to 32 alpha and/or numeric characters and is case sensitive. |
| RADIUS NAS IP address | Specifies the IP address of the system’s AAA interface. A secondary address can be optionally configured. |
| Default Subscriber Configuration | |
| “Default” subscriber’s IP context name | Specifies the name of the egress context on the system that facilitates the Gi interfaces. NOTE: For this configuration, the IP context name should be identical to the name of the destination context. |
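The SPI rows of the Example 1 FA service table and of the Example 2 HA service table above (index, secret, hash-algorithm, and for the mobile node the replay-protection process with its 60 second timestamp tolerance) describe the parameters that authenticate a Mobile IP registration. The following Python is an added example, not vendor code from the page: it builds a Mobile IPv4 Registration Request carrying a Mobile-Home Authentication Extension per RFC 3344 and performs the HA-side checks (SPI lookup, authenticator comparison, timestamp window). It assumes hmac-md5 means RFC 2104 HMAC-MD5 and keyed-md5 means the RFC 2002 prefix+suffix mode; the addresses, SPI and secret are constructed sample values.

```python
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MH_AUTH_EXT_TYPE = 32          # Mobile-Home Authentication Extension (RFC 3344 3.5.2)
AUTH_LEN = 16                  # MD5-family authenticators are 16 bytes
REPLAY_TOLERANCE = 60          # timestamp replay protection, 60 second tolerance (page default)
REG_REQUEST_TYPE = 1
FIXED_LEN = 24                 # Type, flags, Lifetime, Home/HA/Care-of addresses, Identification


def authenticator(algorithm, secret, data):
    """16-byte authenticator over `data` for the configured hash-algorithm.

    hmac-md5  : HMAC-MD5 (RFC 2104), the default named in the tables above and
                the algorithm RFC 3344 requires.
    keyed-md5 : assumed to mean RFC 2002 section 3.5.1 'prefix+suffix' mode,
                MD5(secret || data || secret); keep only for legacy peers.
    """
    if algorithm == "hmac-md5":
        return hmac.new(secret, data, hashlib.md5).digest()
    if algorithm == "keyed-md5":
        return hashlib.md5(secret + data + secret).digest()
    raise ValueError("unsupported hash-algorithm: %s" % algorithm)


def ntp_identification(unix_seconds):
    """Identification field for timestamp replay protection: a 64-bit NTP time."""
    whole = int(unix_seconds)
    fraction = int((unix_seconds - whole) * (1 << 32)) & 0xFFFFFFFF
    return ((whole + NTP_EPOCH_OFFSET) << 32) | fraction


def build_registration_request(home, ha, coa, lifetime, ident, spi, secret, algorithm):
    """Mobile-node side: fixed header plus Mobile-Home Authentication Extension."""
    if not 256 <= spi <= 4294967295:          # SPI range stated in the tables above
        raise ValueError("SPI must be between 256 and 4294967295")
    fixed = struct.pack("!BBH4s4s4sQ", REG_REQUEST_TYPE, 0x00, lifetime, home, ha, coa, ident)
    # The authenticator covers the fixed portion, every earlier extension
    # (none here) and this extension's own Type, Length and SPI.
    ext_head = struct.pack("!BBI", MH_AUTH_EXT_TYPE, 4 + AUTH_LEN, spi)
    return fixed + ext_head + authenticator(algorithm, secret, fixed + ext_head)


def verify_registration_request(payload, spi_table, now_unix, tolerance=REPLAY_TOLERANCE):
    """HA side. spi_table maps SPI -> (secret, algorithm), one entry per configured
    mobile-node SPI. Returns (accepted, reason)."""
    if len(payload) < FIXED_LEN or payload[0] != REG_REQUEST_TYPE:
        return False, "not a Registration Request"
    ident = struct.unpack("!Q", payload[16:24])[0]
    offset = FIXED_LEN
    while offset + 2 <= len(payload):
        ext_type, ext_len = payload[offset], payload[offset + 1]
        body = payload[offset + 2:offset + 2 + ext_len]
        if ext_type == MH_AUTH_EXT_TYPE:
            if len(body) != 4 + AUTH_LEN:
                return False, "malformed authentication extension"
            spi = struct.unpack("!I", body[:4])[0]
            if spi not in spi_table:
                return False, "unknown SPI %d" % spi
            secret, algorithm = spi_table[spi]
            expected = authenticator(algorithm, secret, payload[:offset + 6])
            if not hmac.compare_digest(expected, body[4:]):
                return False, "mobile node failed authentication (code 131)"
            # Timestamp replay protection: the high 32 bits of Identification are
            # NTP seconds; anything outside the tolerance window is rejected.
            mn_seconds = (ident >> 32) - NTP_EPOCH_OFFSET
            if abs(mn_seconds - int(now_unix)) > tolerance:
                return False, "registration Identification mismatch (code 133)"
            return True, "accepted"
        offset += 2 + ext_len
    return False, "missing Mobile-Home Authentication Extension"


def demo(algorithm="hmac-md5"):
    """Constructed sample: a fresh request, the same request replayed 61 s later,
    and a copy whose Lifetime field was altered in flight."""
    spi, secret = 1000, b"constructed-sample-secret"   # not real deployment values
    spi_table = {spi: (secret, algorithm)}
    now = 1700000000.0
    home, ha, coa = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])
    req = build_registration_request(home, ha, coa, 600, ntp_identification(now),
                                     spi, secret, algorithm)
    tampered = req[:2] + struct.pack("!H", 65534) + req[4:]
    return (verify_registration_request(req, spi_table, now),
            verify_registration_request(req, spi_table, now + 61),
            verify_registration_request(tampered, spi_table, now))


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```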
Destination Context Configuration
| Required Information | Description |
|---|---|
| Destination context name | An identification string between 1 and 79 characters (alpha and/or numeric) by which the destination context will be recognized by the system. NOTE: For this configuration, the destination context name should not match the domain name of a specific domain. |
| PDN Interface Configuration | |
| PDN interface name | An identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system. Multiple names are needed if multiple interfaces will be configured. PDN interfaces are configured in the destination context. |
| IP address and subnet | These will be assigned to the PDN interface. Multiple addresses and/or subnets are needed if multiple interfaces will be configured. |
| Physical port number | Specifies the physical port to which the interface will be bound. Ports are identified by the chassis slot number in which the line card resides, followed by the number of the physical connector on the line card. For example, port 17/1 identifies connector number 1 on the card in slot 17. A single physical port can facilitate multiple interfaces. |
| Physical port description | An identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system. Multiple descriptions are needed if multiple ports will be used. Physical ports are configured within the destination context and are used to bind logical PDN interfaces. |
| Gateway IP address(es) | Used when configuring static routes from the PDN interface(s) to a specific network. |
| IP Address Pool Configuration | |
| IP address pool name | Each IP address pool is identified by a name. The pool name can be between 1 and 31 alpha and/or numeric characters and is case sensitive. IP address pools are configured in the destination context(s). Multiple address pools can be configured within a single context. |
| IP pool addresses | An initial address and a subnet, or a starting address and an ending address, are required for each configured pool. The pool will then consist of every possible address within the subnet, or all addresses from the starting address to the ending address. The pool can be configured as public, private, or static. |
How This Configuration Works
Example 3: HA Using a Single Source Context and Multiple Outsourced Destination Contexts
Information Required
Source Context Configuration
| Required Information | Description |
|---|---|
| Source context name | An identification string from 1 to 79 characters (alpha and/or numeric) by which the source context will be recognized by the system. |
| Gi Interface Configuration | |
| Gi interface name | An
identification string between 1 and 79 characters (alpha and/or numeric)
by which the interface will be recognized by the system. Multiple names are needed
if multiple interfaces will be configured.
Gi interfaces are configured
in the destination context.
|
| IP address and subnet | These
will be assigned to the Gi interface. Multiple addresses and/or
subnets are needed if multiple interfaces will be configured.
|
| Physical port number | The
physical port to which the interface will be bound. Ports are identified by
the chassis slot number where the line card resides in, followed
by the number of the physical connector on the line card. For example,
port 17/1 identifies connector number 1 on the card in
slot 17. A single physical port
can facilitate multiple interfaces.
|
| Physical port description | An
identification string from 1 to 79 characters (alpha and/or
numeric) by which the physical port will be recognized by the system. Multiple descriptions
are needed if multiple ports will be used.
Physical ports are configured
within the source context and are used to bind logical Gn interfaces.
|
| Gateway IP address | Used when configuring static routes from the Gi interface(s) to a specific network. |
| HA service Configuration | |
| HA service name | An
identification string from 1 to 63 characters (alpha and/or
numeric) by which the HA service will be recognized by the system. Multiple names are needed
if multiple HA services will be used.
HA services are configured
in the destination context.
|
| UDP port number for Mobile IP traffic | The port used by the HA service and the FA for communications. The UDP port number and can be any integer value from 1 to 65535. The default value is 434. |
| Mobile node re-registration requirements | Specifies how the system should handle authentication for mobile node re-registrations.The HA service can be configured as follows: |
| FA-to-HA Security Parameter Index Information | FA IP address:
The HA service allows the creation of a security profile that can
be associated with a particular FA. This specifies the IP
address of the FA that the HA service will be communicating with.
Multiple FA addresses
are needed if the HA will be communicating with multiple FAs.
|
| Index: Specifies
the shared SPI between the HA service and a particular FA. The SPI
can be configured to any integer value between 256 and 4294967295. Multiple SPIs can be
configured if the HA service is to communicate with multiple FAs.
|
|
| Secret: Specifies
the shared SPI secret between the HA service and the FA. The secret
can be between 1 and 127 characters (alpha and/or numeric). An SPI secret is required
for each SPI configured.
|
|
| Hash-algorithm:
Specifies the algorithm used to hash the SPI and SPI secret. The
possible algorithms that can be configured are MD5 per RFC 1321
and keyed-MD5 per RFC 2002. The default algorithm is hmac-md5. A hash-algorithm is
required for each SPI configured.
|
|
| Mobile Node Security Parameter Index Information | Index: Specifies
the shared SPI between the HA service and a particular FA. The SPI
can be configured to any integer value between 256 and 4294967295. Multiple SPIs can be
configured if the HA service is to communicate with multiple FAs.
|
| Secret: Specifies
the shared SPI secret between the HA service and the FA. The secret
can be between 1 and 127 characters (alpha and/or numeric). An SPI secret is required
for each SPI configured.
|
|
| Hash-algorithm:
Specifies the algorithm used to hash the SPI and SPI secret. The
possible algorithms that can be configured are MD5 per RFC 1321
and keyed-MD5 per RFC 2002. The default algorithm is hmac-md5. A hash-algorithm is
required for each SPI configured.
|
|
| Replay-protection process:
Specifies how protection against replay-attacks is implemented.
The possible processes are nonce and timestamp. The default is timestamp
with a tolerance of 60 seconds. A replay-protection
process is required for each mobile node-to-HA SPI configured.
|
|
| Maximum registration lifetime | Specifies
the longest registration lifetime that the HA service will allow
in any Registration Request message from the mobile node. The time is measured
in seconds and can be configured to any integer value between 1
and 65535. An infinite registration lifetime can also be configured
by disabling the timer. The default is 600.
|
| Maximum number of simultaneous bindings | Specifies
the maximum number of “care-of” addresses that
can simultaneously be bound for the same user as identified by NAI
and Home address. The number can be configured
to any integer value between 1 and 5. The default is 3.
|
| AAA Interface Configuration | |
| AAA interface name | This
is an identification string from 1 to 79 characters (alpha and/or numeric)
by which the interface will be recognized by the system. Multiple names are needed
if multiple interfaces will be configured.
AAA interfaces will
be configured in the source context.
|
| IP address and subnet | These
will be assigned to the AAA interface. Multiple addresses and/or
subnets are needed if multiple interfaces will be configured.
|
| Physical port number | This
specifies the physical port to which the interface will be bound.
Ports are identified by the chassis slot number where the line card
resides in, followed by the number of the physical connector on
the line card. For example, port 17/1 identifies connector
number 1 on the card in slot 17. A single physical port
can facilitate multiple interfaces.
|
| Physical port description | This
is an identification string from 1 to 79 characters (alpha and/or numeric)
by which the physical port will be recognized by the system. Multiple descriptions
are needed if multiple ports will be used.
Physical ports are used
to bind logical AAA interfaces.
|
| Gateway IP address | Used when configuring static routes from the AAA interface(s) to a specific network. |
| Home RADIUS Server Configuration | |
| Home RADIUS Authentication server | IP Address: Specifies
the IP address of the home RADIUS authentication server the system
will communicate with to provide subscriber authentication functions. Multiple addresses are
needed if multiple RADIUS servers will be configured.
Home RADIUS servers
are configured within the source context. Multiple servers can
be configured and each can be assigned a priority.
|
| | Shared Secret: The
shared secret is a string between 1 and 15 characters (alpha and/or
numeric) that specifies the key shared by the home RADIUS
authentication server and the source context. It is configured on both
sides and is never sent on the wire. A shared secret is needed
for each configured RADIUS server.
|
| | UDP Port Number: Specifies the port used by the source context and the home RADIUS authentication server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1812. |
| Home RADIUS Accounting server (optional) | IP Address: Specifies
the IP address of the home RADIUS accounting server that the source
context will communicate with to provide subscriber accounting functions. Multiple addresses are
needed if multiple RADIUS servers will be configured. Home RADIUS accounting
servers are configured within the source context.
Multiple servers can
be configured and each assigned a priority.
|
| | Shared Secret: The
shared secret is a string between 1 and 15 characters (alpha and/or
numeric) that specifies the key shared by the home
RADIUS accounting server and the source context. It is configured on both
sides and is never sent on the wire. A shared secret is needed
for each configured RADIUS server, and the accounting server's secret
is configured separately from the authentication server's.
|
| | UDP Port Number: Specifies the port used by the source context and the home RADIUS accounting server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1813. |
| RADIUS attribute NAS Identifier | Specifies the name by which the source context will be identified in the Access-Request message(s) it sends to the RADIUS server. The name must be from 1 to 32 alpha and/or numeric characters and is case sensitive. |
| RADIUS NAS IP address | Specifies the IP address of the system’s AAA interface. A secondary address can be optionally configured. |
| Default Subscriber Configuration | |
| “Default” subscriber’s IP context name | Specifies
the name of the egress context on the system that facilitates the Gi
interfaces.
NOTE: For this configuration,
the IP context name should be identical to the name of the destination
context.
|
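The two FA-side parameters in the table above, the longest registration lifetime the system will grant and the maximum number of simultaneous care-of address bindings per NAI and home address, are easiest to see in a small binding cache that applies them to Registration Requests. The following is an added example written for this page; it is not StarOS code and not from the original document. Class and method names are assumptions, and the `simultaneous` flag models the Mobile IP "S" bit (keep prior bindings) rather than anything the page configures.

```python
"""Mobile IP registration handling for two parameters in the source context
table: the longest registration lifetime the system will grant and the maximum
number of simultaneous care-of address bindings per NAI plus home address.

Added example for this page; not StarOS code and not from the original
document. Names are assumptions for illustration.
"""
from typing import Dict, List, Optional, Tuple

INFINITE = 0xFFFF  # RFC 3344: a Lifetime field of 0xFFFF means "infinity"


class MobileIPService:
    def __init__(self, max_lifetime: Optional[int] = 600, max_bindings: int = 3):
        # max_lifetime=None models "timer disabled": the requested lifetime is granted as-is.
        if max_lifetime is not None and not 1 <= max_lifetime <= 65535:
            raise ValueError("registration lifetime must be 1-65535 seconds")
        if not 1 <= max_bindings <= 5:
            raise ValueError("simultaneous bindings must be 1-5")
        self.max_lifetime = max_lifetime
        self.max_bindings = max_bindings
        # (NAI, home address) -> {care-of address: expiry time, or None for never}
        self._cache: Dict[Tuple[str, str], Dict[str, Optional[float]]] = {}

    def grant_lifetime(self, requested: int) -> int:
        """Lifetime placed in the Registration Reply: the requested value,
        capped at the configured maximum."""
        if self.max_lifetime is None:
            return requested
        return min(requested, self.max_lifetime)

    def active_bindings(self, nai: str, home_addr: str, now: float) -> List[str]:
        """Care-of addresses still bound for this subscriber; expired ones are dropped."""
        bindings = self._cache.get((nai, home_addr), {})
        for coa, expiry in list(bindings.items()):
            if expiry is not None and expiry <= now:
                del bindings[coa]
        return sorted(bindings)

    def register(self, nai: str, home_addr: str, care_of: str,
                 requested_lifetime: int, now: float,
                 simultaneous: bool = False) -> Tuple[bool, int]:
        """Process a Registration Request. Returns (accepted, granted lifetime).

        simultaneous models the 'S' bit: when set, the new care-of address is
        added alongside the existing bindings instead of replacing them.
        """
        self.active_bindings(nai, home_addr, now)        # purge expired entries first
        bindings = self._cache.setdefault((nai, home_addr), {})
        if requested_lifetime == 0:                       # lifetime 0 = deregistration
            bindings.pop(care_of, None)
            return True, 0
        if not simultaneous:
            bindings.clear()
        elif care_of not in bindings and len(bindings) >= self.max_bindings:
            return False, 0                               # binding limit reached: reject
        granted = self.grant_lifetime(requested_lifetime)
        bindings[care_of] = None if granted == INFINITE else now + granted
        return True, granted
```

Note that the binding limit is enforced per (NAI, home address) pair, so a subscriber cannot exhaust the cache by registering many care-of addresses, and that a reduced lifetime is reported back in the reply rather than silently applied.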
Destination Context Configuration
| Required Information | Description |
|---|---|
| Destination context name | This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the destination context will be recognized by the system. NOTE: For this configuration, the destination context name should not match the domain name of a specific domain. |
| PDN Interface Configuration | |
| PDN interface name | This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system. Multiple names are needed if multiple interfaces will be configured. PDN interfaces are configured in the destination context. |
| IP address and subnet | These will be assigned to the PDN interface. Multiple addresses and/or subnets are needed if multiple interfaces will be configured. |
| Physical port number | This specifies the physical port to which the interface will be bound. Ports are identified by the chassis slot number in which the line card resides, followed by the number of the physical connector on the line card. For example, port 17/1 identifies connector number 1 on the card in slot 17. A single physical port can facilitate multiple interfaces. |
| Physical port description | This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system. Multiple descriptions are needed if multiple ports will be used. Physical ports are configured within the destination context and are used to bind logical PDN interfaces. |
| Gateway IP address(es) | Used when configuring static routes from the PDN interface(s) to a specific network. |
| IP Address Pool Configuration (optional) | |
| IP address pool name | Each
IP address pool is identified by a name. The pool name can be between
1 and 31 alpha and/or numeric characters and is case sensitive. IP address pools are
configured in the destination context(s). Multiple address pools
can be configured within a single context.
|
| IP pool addresses | An
initial address and a subnet, or a starting address and an ending address,
are required for each configured pool. The pool will then consist of
every possible address within the subnet, or all addresses from
the starting address to the ending address. The pool can be configured
as public, private, or static.
|
| AAA Interface Configuration | |
| AAA interface name | This
is an identification string from 1 to 79 characters (alpha and/or numeric)
by which the interface will be recognized by the system. Multiple names are needed
if multiple interfaces will be configured.
|
| IP address and subnet | These
will be assigned to the AAA interface. Multiple addresses and/or
subnets are needed if multiple interfaces will be configured.
|
| Physical port number | This
specifies the physical port to which the interface will be bound.
Ports are identified by the chassis slot number in which the line card
resides, followed by the number of the physical connector on
the line card. For example, port 17/1 identifies connector
number 1 on the card in slot 17. A single physical port
can facilitate multiple interfaces.
|
|
| Physical port description | This
is an identification string from 1 to 79 characters (alpha and/or numeric)
by which the physical port will be recognized by the system. Multiple descriptions
are needed if multiple ports will be used.
Physical ports are used
to bind logical AAA interfaces.
|
| Gateway IP address | Used when configuring static routes from the AAA interface(s) to a specific network. |
| RADIUS Server Configuration | |
| RADIUS Authentication server | IP Address: Specifies
the IP address of the RADIUS authentication server the system will
communicate with to provide subscriber authentication functions. Multiple addresses are
needed if multiple RADIUS servers will be configured.
Foreign RADIUS servers
are configured within the source context. Multiple servers can
be configured and each can be assigned a priority.
|
|
| | Shared Secret: The
shared secret is a string between 1 and 15 characters (alpha and/or
numeric) that specifies the key shared by the RADIUS
authentication server and the source context. It is configured on both
sides and is never sent on the wire. A shared secret is needed
for each configured RADIUS server.
|
| | UDP Port Number: Specifies the port used by the source context and the RADIUS authentication server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1812. |
| RADIUS Accounting server (optional) | IP Address: Specifies
the IP address of the RADIUS accounting server that the source context
will communicate with to provide subscriber accounting functions. Multiple addresses are
needed if multiple RADIUS servers will be configured. RADIUS accounting
servers are configured within the source context.
Multiple servers can
be configured and each assigned a priority.
|
| | Shared Secret: The
shared secret is a string between 1 and 15 characters (alpha and/or
numeric) that specifies the key shared by the RADIUS
accounting server and the source context. It is configured on both
sides and is never sent on the wire. A shared secret is needed
for each configured RADIUS server.
|
| | UDP Port Number: Specifies the port used by the source context and the RADIUS accounting server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1813. |
| RADIUS attribute NAS Identifier | Specifies the name by which the source context will be identified in the Access-Request message(s) it sends to the RADIUS server. The name must be from 1 to 32 alpha and/or numeric characters and is case sensitive. |
| RADIUS NAS IP address | Specifies the IP address of the system’s AAA interface. A secondary address can be optionally configured. |
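The RADIUS server rows in both the source context table (home RADIUS servers) and the destination context table above list the same four things the source context needs to talk to a RADIUS authentication server: the server address, a shared secret of 1 to 15 characters, the UDP port (1812 by default, 1813 for accounting) and the NAS-Identifier and NAS-IP-Address it places in each Access-Request. The exchange below shows how those values are actually used on the wire. It is an added example written for this page, not StarOS code and not from the original document; it follows the RFC 2865 packet format, and the user database, addresses, NAS name and secrets are constructed for illustration.

```python
"""RADIUS Access-Request/Access-Accept exchange between the source context
(the NAS) and a RADIUS authentication server. Added example for this page,
not StarOS code; RFC 2865 framing, with constructed users and addresses."""
import hashlib
import hmac
import os
import socket
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 2, 4, 32
AUTH_PORT = 1812           # default from the tables above; accounting uses 1813

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password.ljust(16 * max(1, -(-len(password) // 16)), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server-side inverse of hide_password."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    attrs, i = [], 0
    while i < len(data):
        t, ln = struct.unpack("!BB", data[i:i + 2])
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + ln]))
        i += ln
    return attrs

def response_authenticator(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()

def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def nas_access_request(user: str, password: str, secret: str, nas_id: str, nas_ip: str,
                       ident: int, req_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What the source context sends to the RADIUS authentication server."""
    if not 1 <= len(secret) <= 15 or not 1 <= len(nas_id) <= 32:   # limits from the tables
        raise ValueError("shared secret must be 1-15 and NAS-Identifier 1-32 characters")
    req_auth = req_auth or os.urandom(16)        # must be unpredictable per request
    attrs = encode_attrs([
        (USER_NAME, user.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret.encode(), req_auth)),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        (NAS_IDENTIFIER, nas_id.encode()),
    ])
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def server_handle(packet: bytes, secret: str, users: Dict[str, str]) -> bytes:
    """RADIUS server: recover the password and answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = packet[4:20], dict(decode_attrs(packet[20:]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    given = reveal_password(attrs.get(USER_PASSWORD, b""), secret.encode(), req_auth)
    ok = user in users and hmac.compare_digest(given, users[user].encode())
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(code, ident, response_authenticator(code, ident, req_auth, b"", secret.encode()), b"")

def nas_verify_response(response: bytes, ident: int, req_auth: bytes, secret: str) -> Optional[int]:
    """NAS: trust the reply only if its authenticator was computed with our shared
    secret over our Request Authenticator. Returns the code, or None if it fails."""
    code, rid, length = struct.unpack("!BBH", response[:4])
    if rid != ident or length != len(response):
        return None
    expected = response_authenticator(code, rid, req_auth, response[20:], secret.encode())
    return code if hmac.compare_digest(expected, response[4:20]) else None

def run_exchange(user: str, password: str, nas_secret: str, server_secret: str) -> Optional[int]:
    """Round trip against a constructed user database; the two secrets are passed
    separately so that a NAS/server mismatch can be demonstrated."""
    users = {"user1@isp1": "s3cret"}                                   # constructed sample
    request, req_auth = nas_access_request(user, password, nas_secret, "ggsn-fa-1", "192.0.2.10", ident=7)
    reply = server_handle(request, server_secret, users)
    return nas_verify_response(reply, 7, req_auth, nas_secret)
```

Two points the tables state but do not explain follow from the code: the shared secret is never transmitted, it only keys the password hiding and the Response Authenticator, so a secret mismatch shows up as a reply the NAS cannot verify rather than as an error message; and because the 15-character maximum in these tables bounds the only key material protecting the exchange, the full length should be used and each server given its own secret.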
System-Level AAA Configuration
| Required Information | Description |
|---|---|
| Subscriber default domain name | Specifies
the name of a context that can provide AAA functions in the event
that the domain-part of the username is missing or poorly formed. This parameter will
be applied to all subscribers whose domain cannot be determined
from their username, regardless of what domain they are trying to
access.
NOTE: The default
domain name can be the same as the source context.
|
| Subscriber Last-resort context | Specifies
the name of a context that can provide AAA functions in the event
that the domain-part of the username was present but does not match
the name of a configured destination context. This parameter will
be applied to all subscribers whose specified domain does not
match a configured destination context, regardless of what domain
they are trying to access.
NOTE: The last-resort
context name can be the same as the source context.
|
| Subscriber username format | Specifies
the format of subscriber usernames: whether the username
or the domain comes first, and the character that separates them.
The possible separator characters are:
Up to six username formats
can be specified. The default is username @.
NOTE: The username
string is searched from right to left for the separator character.
Therefore, if the string contains more than one separator character,
only the rightmost one is treated as the actual separator.
For example, if the default username format is used, then for the
username string user1@enterprise@isp1,
the system resolves to the username user1@enterprise with
domain isp1.
|
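The three rows above (username format, default domain name and last-resort context) together decide which context authenticates a subscriber, and that decision is driven by a string the subscriber supplies. The following is an added example written for this page, not StarOS code and not from the original document, that applies the rules as the table states them: the separator is searched from the right, a missing or empty domain falls to the default domain, and a domain that does not match a configured destination context falls to the last-resort context. Formats are modelled here as (order, separator) pairs, and the precedence between several configured formats (the first format whose separator occurs in the string wins) is an assumption made for the example.

```python
"""Resolution of a subscriber username to the context that will provide its
AAA functions, per the system-level parameters: username format, default
domain name and last-resort context.

Added example for this page; not StarOS code and not from the original
document. Formats are (order, separator) pairs; precedence between formats
is an assumption. The separator search is right to left, as the note states.
"""
from typing import Optional, Sequence, Set, Tuple

MAX_FORMATS = 6
DEFAULT_FORMATS: Sequence[Tuple[str, str]] = (("username-first", "@"),)   # username@domain


def split_username(raw: str, formats: Sequence[Tuple[str, str]]) -> Tuple[str, Optional[str]]:
    """Return (username, domain). The rightmost occurrence of the separator is
    the split point; domain is None when no configured separator occurs or the
    domain part is empty (poorly formed)."""
    if not 1 <= len(formats) <= MAX_FORMATS:
        raise ValueError("1 to 6 username formats may be configured")
    for order, sep in formats:
        idx = raw.rfind(sep)
        if idx < 0:
            continue
        left, right = raw[:idx], raw[idx + len(sep):]
        user, domain = (left, right) if order == "username-first" else (right, left)
        return user, (domain or None)
    return raw, None


def resolve_context(raw: str, destination_contexts: Set[str],
                    default_domain: Optional[str] = None,
                    last_resort: Optional[str] = None,
                    formats: Sequence[Tuple[str, str]] = DEFAULT_FORMATS
                    ) -> Tuple[str, Optional[str], str]:
    """Return (username, context name, reason). The context is None when no
    fallback is configured for the case that applies; the caller should treat
    that as a failed authentication rather than picking a context by guesswork."""
    user, domain = split_username(raw, formats)
    if domain is None:                               # missing or poorly formed domain
        return user, default_domain, "default-domain"
    if domain in destination_contexts:
        return user, domain, "domain"
    return user, last_resort, "last-resort"          # domain present but unknown
```

The page's own example, user1@enterprise@isp1, resolves to username user1@enterprise in domain isp1 with this logic. Context-name matching here is exact and case sensitive; the page does not say whether the system folds case, so treat that as something to confirm on the platform.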
How This Configuration Works