01
|
UE sends 802.1x association request to AP/WLC with the SSID/Open-SSID information that it wishes to associate with.
|
02
|
On the WLC, the SSID is configured with MAC-based authentication, and SaMOG as the RADIUS Server.
The WLC sends an Access-Request (user-name=UE-MAC, called-station-id=AP-MAC:SSID, Calling-Station-Id=UE-MAC) message to SaMOG without the EAP payload.
|
03
|
On SaMOG, an SSID-based policy is applied.
If applicable, the operator policy allows Non-EAP based authentication. SaMOG fetches the AAA authentication server information from the policy. SaMOG initiates the authentication process by sending the Access-Request message received from the AP/WLC to the AAA server.
|
04
|
On the AAA Server, a MAC-based session lookup takes place as the user session is not found. Since the AAA Server is configured to allow user sessions, it sends an Access-Accept message to SaMOG. The subscription details will not be available on the AAA Server at this point, so the AAA Server sends only the user-name AVP in the Access-Accept message.
Optionally, the AAA server can provide the Filter-Id AVP and SN1-Rulebase AVPs for redirection along with SN1-IP-Pool-Name, SN1-VPN-Name, SN1-Primary/Secondary-DNS-Server, Framed-IPv6-Pool, SN1-IPv6-Primary/Secondary/DNS parameters.
|
05
|
Since the AAA Server does not provide the APN, SaMOG fetches the default web authorization APN profile associated with the operator policy. This APN profile is configured for IP address allocation and traffic redirection (if a rulebase is not provided by the AAA Server).
SaMOG performs the following procedures before sending the Access-Accept message to WLC:
- Reserves IP Address (a.b.c.d and p:q:r:s::/64) from the local IP/IPv6 pool for UE.
- Installs L4/L7 redirection rules to redirect the user traffic to the web portal and installs downlink NPU flow for the allocated ip-address and ipv6-prefix.
- Initiates webauth_preauth_timer with a timeout value of 5 minutes. Post-authorization phase will be triggered within this timer.
|
06
|
SaMOG forwards the RADIUS Access-Accept message to the AP/WLC.
|
07
|
The WLC/AP sends an 802.1x association response to the UE. MAC-based authentication between the UE and AP/WLC is complete.
|
08
|
UE initiates an L3 attach procedure by sending a DHCP-Discover. SaMOG receives the same through the EoGRE tunnel.
|
09
|
SaMOG sends the allocated IPv4 address, default gateway address, and the lease duration through the DHCP-Offer message to the UE.
|
10
|
SaMOG sends DHCP-Request with a request IP as received in DHCP-Offer. SaMOG responds with a DHCP-Reply confirming the allotment of IP address.
|
11
|
UE sends the ARP-Request message to resolve the MAC address of the default gateway.
|
12
|
SaMOG sends ARP-Reply message to the UE with the virtual MAC address that is configured in the APN profile.
|
13
|
For IPv6/Dual stack, the UE sends a Router Solicitation to obtain the IPv6 address/prefix.
|
14
|
SaMOG responds to the UE with a Router Advertisement containing the IPv6 prefix.
|
15
|
UE sends a Neighbor Solicitation to determine the link-layer address of SaMOG.
|
16
|
SaMOG sends a Neighbor Advertisement to the UE with its link-layer address. The UE may also send a DHCPv6-Info-Request to obtain the DNS server addresses at this stage. If received, SaMOG sends a DHCPv6-Info-Reply with the DNS server addresses configured under the APN profile.
|
17
|
UE initiates data packets.
|
18
|
SaMOG receives the data packets from the UE through the EoGRE tunnel.
|
19
|
SaMOG redirects the traffic to a web portal as per the redirection rules installed (Step 5).
If L4 rules are applied, SaMOG changes the destination address to the IP address of the portal, and forwards the packets.
If L7 rules are applied, SaMOG redirects the packets to the IP address of the portal without modifying the destination address.
|
20
|
UE provides the subscriber’s credentials for authorization.
|
21
|
Web-based authorization takes place between the UE and the portal server.
|
22
|
Portal server indicates the successful authentication status with the AAA server.
|
23
|
Post successful authentication, the AAA server triggers post-authorization phase by sending a CoA with the IMSI/MN-NAI and new rulebase in the SN1-Rulebase AVP. If CoA doesn’t contain IMSI/MN-NAI identifier, SaMOG will not consider the CoA as a post-authorization trigger.
|
24
|
SaMOG sends CoA-Acknowledgement to the AAA Server.
|
25
|
SaMOG removes the redirection rules and installs the new rulebase received in the CoA message. SaMOG will offload the traffic locally with certain ECS capabilities.
|
26
|
SaMOG sends an Accounting-Request (Acct-Status-Type: Start) to the accounting server, if SaMOG has been configured to act as the Accounting client.
|
27
|
The Accounting Server sends an Accounting-Response to SaMOG.
|
28
|
UE initiates data packets.
|
29
|
SaMOG receives the data packets through the EoGRE tunnel.
|
30
|
SaMOG locally offloads the traffic to the ISP without any redirection. SaMOG enforces any ECS capabilities like DSCP marking, rate limiting, MSS overwriting, and so on.
|
31
|
When the accounting interim conditions (volume/interval) configured under the AAA group are met, SaMOG sends an Accounting-Request (Acct-Status-Type: Interim) to the Accounting Server.
|
32
|
The Accounting Server sends an Accounting-Response to SaMOG.
|
33
|
(Optional) The AAA Server could send more CoA messages to SaMOG to install new rules.
|
34
|
SaMOG installs the new rules received in the CoA message.
|
35
|
Upon UE detach, SaMOG sends an Accounting-Request (Acct-Status-Type: Stop) message to the Accounting Server.
|
36
|
The Accounting Server sends an Accounting-Response message to SaMOG.
|
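The Access-Request of Step 2 carries no credential: User-Name is simply the UE MAC, the SSID arrives inside Called-Station-Id, and there is no EAP payload. The following added example (not Cisco or SaMOG code) parses a raw RADIUS packet and checks that shape before the SSID is used for the policy lookup of Step 3. The function names, the hyphen-delimited MAC format and the sample values are assumptions made for illustration.

```python
import re, struct

USER_NAME, CALLED_STATION_ID, CALLING_STATION_ID, EAP_MESSAGE = 1, 30, 31, 79  # RFC 2865/3579

def parse_radius(packet: bytes):
    """Return (code, {attr_type: [values]}) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20  # attributes start after the 16-byte authenticator
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(packet[pos], []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs

def norm_mac(value: bytes) -> str:
    """Strip -, : and . separators and lower-case, so AA-BB.. equals aa:bb.."""
    mac = re.sub(r"[-:.]", "", value.decode("ascii", "replace").lower())
    if not re.fullmatch(r"[0-9a-f]{12}", mac):
        raise ValueError("not a MAC address")
    return mac

def classify_mac_auth(packet: bytes):
    """Check the Step 2 request shape; return (ap_mac, ssid, ue_mac) or raise."""
    code, attrs = parse_radius(packet)
    if code != 1:  # 1 = Access-Request
        raise ValueError("not an Access-Request")
    if EAP_MESSAGE in attrs:
        raise ValueError("EAP payload present, not MAC-based authentication")
    if not attrs.keys() >= {USER_NAME, CALLED_STATION_ID, CALLING_STATION_ID}:
        raise ValueError("missing User-Name, Called- or Calling-Station-Id")
    ue_mac = norm_mac(attrs[CALLING_STATION_ID][0])
    if norm_mac(attrs[USER_NAME][0]) != ue_mac:
        raise ValueError("User-Name does not match Calling-Station-Id")
    # Assumption: AP-MAC is hyphen-delimited, so the first ':' starts the SSID
    ap_mac, _, ssid = attrs[CALLED_STATION_ID][0].decode("utf-8", "replace").partition(":")
    if not ssid:
        raise ValueError("Called-Station-Id carries no SSID")
    return norm_mac(ap_mac.encode()), ssid, ue_mac

def build(code, attrs):  # helper for constructed sample packets (zero authenticator)
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

SAMPLE = build(1, [(USER_NAME, b"aa-bb-cc-00-11-22"), (CALLING_STATION_ID, b"AA-BB-CC-00-11-22"),
                   (CALLED_STATION_ID, b"00-11-22-33-44-55:Guest-WiFi")])  # constructed values
```

Because the MAC is the only identity in this request, passing the check says the packet is well-formed, not that the device is who it claims to be; that is why the flow keeps the session behind redirection rules until the CoA of Step 23.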