01

UE performs 802.11 association with the AP, and attaches to the open SSID.

02

AP forms a Radius Access Request (RAR) message and sends it to SaMOG. The RAR message has the following parameter:

• UE MAC address in the Username and Calling-Station-Id attribute

• (Optional) VLAN ID in the NAS-Identifier attribute

• AP-MAC and SSID in the Called-Station-Id attribute

03

SaMOG caches the Access Request message from the AP/WLC and maps its contents to the Radius Access-Request message towards the AAA Server. The AP’s IP address (Radius endpoint address/source address of the Access-Request message) is included in NAS-Port-Id attribute of the Access-Request message.

04

AAA server determines that the UE MAC is not authenticated and sends an Access-Accept message with an access point name (APN) and NAI in the MAC@realm format. These values are received using the CS-AVPair attributes similar to DHCP-triggered sessions.

05

SaMOG initiates a PMIPv6 Proxy Binding Update (PBU) message towards the Local Gateway (LGW) to setup the network side of the call. The MNID of the PBU is the NAI received from the AAA Server.

06

LGW sends CCR-I towards the PCRF, and includes the NAI/MNID received from SaMOG in the PBU.

07

PCRF determines that the subscriber is not authenticated and sends a CCA-I with Layer 7 (L7) redirection rulebase name.

08

LGW installs the L7 redirection rule and proceeds with session creation.

09

LGW allocates an IP address for the UE, and sends the same in Proxy Binding Answer (PBA) message towards SaMOG.

10

SaMOG completes the session creation by sending an Access-Accept message to the WLC with the MN-NAI attribute in MAC@realm format, as received from the AAA Server.

11

Cisco WLC sends a Proxy Binding Update (PBU) message with the NAI in MAC@realm format as received from SaMOG. Non-Cisco WLC sends a Proxy Binding Update (PBU) message with the NAI in MAC format.

12

SaMOG validates the NAI value received from the WLC. Upon successful validation of the NAI value, SaMOG sends a Proxy Binding Answer (PBA) message towards WLC.

13

LGW sends an Accounting Start message with the UE MAC and the Framed-IP-Address in the message towards the AAA Server.

14

AAA server sends Accounting Start response to the LGW.

15

UE attempts to access the HTTP page. The HTTP packet reaches the LGW through SaMOG. SaMOG forwards the packet to the LGW over the GRE tunnel.

16

As the L7 redirection rule on LGW is active, the HTTP packet is intercepted. LGW responds with an HTTP 302 response and provides the URL of the authentication portal to the UE. SaMOG forwards it to the UE.

17

UE sends an HTTP GET request to the portal through SaMOG and LGW.

18

The web portal presents the login page to the UE to enter the username and password.

19

Subscriber enters the username and password to perform web authentication.

20

The web portal invokes the PCRF API to share the username, password, and the source IP address of the packet. PCRF validates the user credentials and marks the UE MAC corresponding to the IP as authenticated.

21

The PCRF indicates an authentication success to the web portal. The web portal sends an HTTP 302 response to the UE with redirect to the originally accessed web page.

22

PCRF sends an RAR message on the Gx Interface to remove the redirection rule. LGW acknowledges the RAR with an RAA message. LGW removes the L7 redirection rule for the UE session. LGW sends a CCR-U message to the PCRF to get the quota information for the authenticated session. PCRF sends back a CCA-U message with the requested information.

23

UE attempts to reach the originally accessed web page again.

24

As the L7 rule is no longer present at the LGW, and the packets are sent to the Internet.