Authentication and key management are fundamental to the security of mobile networks because they provide mutual authentication between users and the network.

5G defines various authentication methods to authenticate a user. In the 5G architecture, the serving network authenticates the Subscription Permanent Identifier (SUPI), and key agreement between the UE and the network using the primary authentication mechanism.

For information on enabling the RADIUS Client feature, see Configuring the RADIUS Client.

Identity Services Engine

Identity Services Engine (ISE) is a common point of policy definition for 5G and other enterprise devices. In 5G as a Service (5GaaS) architecture, ISE conducts only the authorization and accounting. The Control Center handles the 5G authentication. You can implement the 5G authorization with the RADIUS Authorize-Only flow.

SMF supports communication with ISE for Cisco private 5G. Based on the policies that SMF receives from ISE, Cisco private 5G supports various behaviors on the enterprise side. ISE provides a mechanism for the enterprise customers to perform tasks, such as identifying the subscriber, define groups for the subscribers, and assign policy.

Allow-auth

If allow-auth is enabled in the configuration, it allows the ongoing call to continue irrespective of authentication being successful, timed out, or any error message received. The default value is false, configuration is required to enable the allow-auth.

Accounting collects and sends subscriber usage and access information used for billing, auditing, and reporting. For example, user identities the start and stop times, performed actions, number of packets, and number of bytes. Accounting enables an operator to analyze the services that the users access and the amount of network resources they consume. Accounting records comprise accounting Attribute Value Pairs (AVPs) and are stored on the accounting server. This accounting information can then be analyzed for network management, client billing, and/or auditing.

The SMF implements the RADIUS Accounting functionality through the use of CLI configuration. For more details on the configuration, see Configuring the RADIUS Client.

If the RADIUS accounting is enabled and server-group is configured within the DNN profile, the SMF sends server-group as AAA group in charging-params in N4 session establishment request. When the SMF sends AAA group which is not present on UPF, then it does not account the traffic for static and predefined rules in RADIUS URR and fails to report. In this scenario, the SMF considers only the dynamic rules traffic for accounting in the RADIUS URR.

Dynamic Authorization Client (DAC) sends Disconnect-Request packet to RADIUS endpoint (radius-ep) through UDP port. DAC sends this packet to terminate the user session(s) on Network Access Server (NAS). It also discards all the associated session contexts.

The Disconnect-Request packet contains the following session identification attributes to identify the sessions to be terminated.

• 3GPP-IMSI + 3GPP-NSAPI

• ACCT-SESSION-ID

• CALLED-STATION-ID (DNN) + FRAMED-IP-ADDR

• CALLED-STATION-ID (DNN) + FRAMED-IPV6-PREFIX

The RADIUS endpoint validates the Disconnect-Request packet. If the validation fails, the endpoint rejects the packet and sends Disconnect-NAK message with appropriate cause code to DAC. If the validation is successful, the endpoint performs affinity lookup based on the session identification keys or attributes. Then, the endpoint forwards the Disconnect-Request packet to the particular SMF service instance. The SMF processes the packet and triggers pdu-release or pdn-disconnect procedure. The SMF sends the Disconnect ACK response with the appropriate cause code if the session is identified, removed, and no longer valid. The SMF sends a Disconnect-NAK message with appropriate cause code if the session context is not found. The SMF does not wait for the completion of release procedure to send the Disconnect ACK or NAK response.

In the roaming scenario, the RADIUS Disconnect-Request is supported for home-routed subscribers when the roaming status is roamer. The hSMF acts as the SMF service and initiates the session release procedure.

Note	Roaming with 4G and EpsInterworkingIndication is not supported. Hence, a combination of IMSI and NSAPI keys is not supported.

This feature uses a combination of the session identification keys or attributes to identify the sessions for termination.

Important

If multiple key combination is provided for the same session, it is accepted. However, if the multiple key combination leads to multiple session contexts or non-existing session context, the behavior is non-deterministic.

The SMF supports only one session context per Disconnect-Message (DM) request. The SMF supports the following attributes in the DM request to identify the NAS and the user sessions to be terminated.

The SMF silently discards other attributes present in the DM request if the packet decoding is successful.

The SMF supports the following attributes in the DM ACK or NAK response.

The RADIUS endpoint pod supports the following error codes if the Disconnect Request is rejected by radius-ep:

• 402 (Missing Attribute) - Triggered due to invalid key combination

• 403 (NAS Identification Mismatch) - Triggered if NAS-IP attribute in DM request does not match the endpoint COA-NAS VIP-IP or if NAS-Identifier attribute in the request does NAS identifier configuration within RADIUS Dynamic Authorization or CoA configuration

• 407 (Invalid Attribute) - Triggered due to format error, encode error, and so on

• 405 (Unsupported Service) - Triggered if the request is not a disconnect request

• 503 (Session Context Not Found) - Triggered if the session cannot be located

For more information on configuring this feature, see the Configuring the Session Disconnect Feature section.

The RADIUS server supports various methods to authenticate the user. When the server is provided with the username and original password of the user, it can support Point-to-Point Protocol (PPP), Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), or Microsoft CHAP (MSCHAP), UNIX login, and other authentication methods.

The SMF supports user authentication using PAP, CHAP, or MSCHAP protocol. The SMF configuration aids in the protocol selection for the user authentication. If the secondary authentication is enabled in DNN profile, the SMF interacts with the RADIUS server to perform RADIUS authentication. To implement the authentication, the RADIUS client residing within the SMF sends the User-Name and User-Password attributes in Access-Request message to the RADIUS server.

The SMF uses more attributes to facilitate the RADIUS authentication function. For the complete list of attributes supported, see the RADIUS Attribute Definition section.

The RADIUS server validates the user with the authentication information. If the validation is successful, the server sends the Access-Accept response to the SMF.

PAP, CHAP, MSCHAP-based Authentication

The SMF decodes the Protocol Configuration Options (PCO), Extended PCO (ePCO), or Additional PCO (APCO) IE received from UE. Then, the SMF retrieves the values related to PAP (User Name and Password), CHAP (Challenge and Response), or MSCHAP (Challenge and Response) from the IE. If any of the protocols have higher precedence in configured priority under DNN, the SMF sends the received values in RADIUS Access-Request message to the RADIUS server.

Note	The SMF does not include the authentication information received from the UE in the RADIUS Access-Request message if the priority is not configured.

By default, the SMF uses the configured host password under DNN for authentication until additional configuration is enabled to use the password received in PCO, ePCO, or APCO. The SMF allows the operator to configure the host password at DNN profile either in plain-text or encrypted form and always displays the same in encrypted format only wherever applicable.

The SMF sends MSISDN as the User Name if the UE does not provide the username explicitly in PCO IE for PAP-based authentication.

For CHAP-based authentication, the SMF converts the received CHAP Challenge and Response to MSCHAP if the convert-to-mschap command option is enabled, CHAP is enabled, and the received CHAP Response length is 49 bytes. By default, the SMF uses MSCHAPv1 as the authentication algorithm.

For MSCHAP-based authentication, the SMF sends User Name, Challenge, and Response received in PCO to the RADIUS server if Protocol ID is LCP and LCP container specifies the algorithm as CHAP/MSCHAPv1 (128) as per RFC 2433 or CHAP/MSCHAPv2 (129) as per RFC 2795.

The SMF forwards the authentication information from RADIUS server to UE in Create-Session-Response PCO/EPCO/APCO IE for a 4G/Wi-Fi session, and in N1 Container EPCO IE for a 5G session.

Consider the following important points while implementing the RADIUS authentication functionality.

• Perform the length validation of different AVPs applicable for this feature based on RFC 2865. Also, reject the authentication if any violation is identified.

  • The minimum length of CHAP Challenge is 5 bytes (even though it is 1 byte as per RFC 1334 and RFC 1994).

• The SMF sends the received authentication information from UE to RADIUS server based on the configured authentication algorithm at DNN level. The SMF does not manipulate any data received from UE and it only applies the configurations related to authentication before sending the information to RADIUS server.

• SMF assigns the IPv4 or IPv6 address to the session and sends FRAMED-IP or FRAMED-IPv6-PREFIX attribute to the RADIUS server through RADIUS accounting messages. RADIUS server uses this attribute information to correlate MSISDN with IP address.

• The SMF does not validate the use case of incrementing the Identifier value for every authentication as it does not allow multiple authentication during the PDU session lifetime.

• The SMF sends the encrypted NULL (empty) password in Access-Request when it receives empty password from UE and no host level password configured at SMF or password-use-pco option is enabled.

• The SMF falls back to the default authentication where Access-Request carries the configured server secret as User Password in the following scenarios:

  • If none of the algorithm preference is enabled with priority

  • If the UE provided information is not applicable for the configured algorithm preferences, if any

  • When the UE sends the empty PAP or CHAP containers without any data (the container length is 0)

• The SMF rejects the authentication in the following scenarios:

  • When there is no other algorithm configured for authentication

  • Whenever there is a mismatch in CHAP identifier received in both CHAP Challenge and CHAP Response containers (the SMF currently copies the CHAP-ID from CHAP Challenge container)

    • CHAP-ID in CHAP Password must be taken from CHAP Response as per RFC 2865.

    • Response Identifier must be copied from the Identifier field of the Challenge Response as per RFC 1334.

    • Whenever the validation criteria of the current algorithm fails

• The SMF allows to configure the same priority through CLI for different algorithms because configuring 0 explicitly disables the configuration. In this scenario, any one of the algorithms is considered and the selection is purely implementation dependent. It is the responsibility of operator to ensure different algorithms have different priorities to resolve the conflicts whenever UE sends multiple authentication containers to the SMF.

• The SMF allows to configure the password-use-pco option without configuring PAP due to the limitation of Yang defined syntax format. The same is applicable for convert-to-mschap option. But the functionality will work only if the corresponding algorithm is enabled with the valid priority.

• By default, the SMF encrypts the operator given Host level password using AES-128-CFB encryption algorithm, if it’s a plain-text. It ignores the encryption if the operator gives the already encrypted password which has to meet the AES-128-CFB encryption standard.

• By default, the SMF considers the authentication algorithm as MSCHAPv1(128) whenever the received CHAP Challenge and Response converted to MSCHAP if received CHAP-Response length is 49 bytes and convert-to-mschap option is enabled.

• The following are the list of MSCHAP specific AVPs supported at SMF and its RFC references:

  • MSCHAP-CHALLENGE (MSCHAP)  RFC2548 Section 2.1.2

  • MSCHAP-RESPONSE  RFC2548 Section 2.1.3

  • MSCHAP2-RESPONSE  RFC2548 Section 2.3.2

  • MSCHAP-ERROR  RFC2548 Section 2.1.5

  • MS-CHAP2-Success (RFC 2548, Section 2.3.3) is not supported as there is no clear information on MS-CHAP success AVP for v1 in RFC 2548.

• When the RADIUS server sends both MSCHAP-Error and Reply-Message AVPs in Access-Reject message, the preference is given to MSCHAP-ERROR while filling the CHAP container for NACK in PCO/APCO/EPCO. MSCHAP-Error is common for both MSCHAPv1 and MSCHAPv2 algorithm and it is encapsulated in the Message field of the CHAP Failure container.

• In MSCHAP, only the authentication functionality is supported.

Important

The SMF uses the inbuilt encryption algorithm “AES-128-CFB” for encrypting the host level password (outbound password) provided by NETCONF-YANG data model. The SMF Ops Center creates a global key, for AES-128-CFB encryption, which is used for encrypting the operator given plain-text password. It shares the key with all the pods via SSH for decrypting the encrypted data in the respective pods. The key is exported as a ENV variable “CONFD_AES_KEY” in SMF-SERVICE pod. If the operator wishes to configure the already encrypted password, then the AES-CFB-128 encrypted string should be prefixed with “$8$” as follows, $8$<encrypted-data> to indicate that the given input is already AES-128-CFB encrypted string to NETCONF-YANG model.

For CLI details associated with authentication, see the Configuring the RADIUS Client section.

The SMF exchanges the following messages with RADIUS server through the RADIUS-client RADIUS-EP.

• Accounting-Request: This message carries any of the following packets to relay the accounting information to the RADIUS server.

  • Accounting Start packet: This packet describes the type of service being delivered and the user it is being delivered to.

    The SMF sends accounting-start packet during the session establishment procedure. The RADIUS Accounting server returns an acknowledgement upon receiving the accounting-start packet.

    For details on configuring the RADIUS Accounting, see Configuring the RADIUS Client section.

  • Accounting Stop packet: This packet describes the type of service that was delivered and optionally statistics, such as elapsed time, input and output octets, or input and output packets.

    At the end of service delivery, the SMF sends the accounting-stop packet for all session deletion scenarios and when the RADIUS accounting is enabled during the call setup.

  • Accounting-Request Interim-Update: During the session, the SMF sends the updated cumulative usage report to the RADIUS accounting server.

• Accounting-Response: For each successfully processed accounting request, the RADIUS server returns an accounting acknowledgment confirming the receipt of the information.

For CLI details associated with accounting, see the Configuring the RADIUS Client section.

The following section provides a full description of each attribute. The majority of the attribute values are common for the ISE and 3GPP dictionaries. The values are included especially in the attribute description section for the attributes with different attribute values for ISE and 3GPP dictionary:

• USER-NAME

  Description: String value encoded as per RFC 2865.

  • 5G call: GPSI value is used, with stripped-off "msisdn-"

  • 4G call: MSISDN value is used, with stripped-off "msisdn-"

  • The attribute value for 3GPP dictionary is imsi@apn.

  Note	PAP, CHAP, and MSCHAP authentication methods are not supported in releases prior to 2020.02.x. In release 2020.02.x and beyond, the PAP, CHAP, and MSCHAP authentication methods are supported.

• PASSWORD

  Description: Encrypted string value encoded as per RFC 2865.

  For both 5G and 4G calls, selected RADIUS server's "secret" is set as user-password.

• CALLING-STATION-ID

  Description: String value encoded as per RFC 2865.

  5G call: GPSI value is used, with stripped of "msisdn-"

  4G call: MSISDN value is used, with stripped of "msisdn-"

• CALLED-STATION-ID

  Description: String value encoded as per RFC 2865.

  For both 5G and 4G calls, DNN value is set as called-station-id.

• NAS-IP-ADDRESS

  Description: IPv4 address value encoded as per RFC 2865.

  For both 5G and 4G calls, user-configured RADIUS Client interface-type's VIP-IP is used.

• NAS-IDENTIFIER

  Description: String value encoded as per RFC 2865.

  For both 5G and 4G calls, user-configured nas-identifier attribute value is used.

• SERVICE-TYPE

  Description: 4-byte octet (int) value encoded as per RFC 2865.

  For both 5G and 4G calls, "FRAMED (2)" value is set.

• FRAMED-PROTOCOL

  Description: 4-byte octet (int) value encoded as per RFC 2865.

  For both 5G and 4G calls, "GPRS-PDP-CONTEXT (7)" value is set.

• NAS-PORT-TYPE

  Description: 4-byte octet (int) value encoded as per RFC 2865.

  For both 5G and 4G calls, "WIRELESS-OTHER (18)" value is set.

• NAS-PORT

  Description: 4-byte octet (int) value encoded as per RFC 2865.

  For both 5G and 4G calls, the base value of respective instance is used. That is:

  0x4000... 0x407F is set for replica-0

  0x4080... 0x40FF is set for replica-1

• 3GPP-IMSI

  Description: String value encoded as per 3GPP TS 29.061.

  5G call: SUPI value is used.

  4G call: IMSI value is used.

• 3GPP-CHARGING-ID

  Description: 4-byte octet (int) value encoded as per 3GPP TS 29.061.

  For both 5G and 4G calls, charging-ID is set.

• 3GPP-PDP-TYPE

  Description: 4-byte octet (int) value encoded as per 3GPP TS 29.061.

  For both 5G and 4G calls, pdp-type is set as follows:

  • 0 = IPv4

  • 2 = IPv6

  • 3 = IPv4v6

• 3GPP-CHARGING-GATEWAY-ADDR

  Description: 4-byte octet (IPv4-address) value encoded as per 3GPP TS 29.061.

  For both 5G and 4G calls, charging gateway address is set.

• 3GPP-GPRS-NEG-QOS-PROFILE

  Description: Octets (special encoding) value encoded as per 3GPP TS 29.061 and 29.274.

  For 5G call, the values from default-qos profile of the system are used and the encoding is performed as follows:

  Table 6. Non-GBR case

  1-2	<Release indicator>- = "15" (UTF-8 encoded)
  3	"-" (UTF-8 encoded)
  4-5	ARP (UTF-8 encoded)
  6-7	5QI (UTF-8 encoded)
  8-9	UL Session-AMBR length (UTF-8 encoded)
  10-m	UL Session-AMBR (UTF-8 encoded)
  (m+1) - (m+2)	DL Session-AMBR length (UTF-8 encoded)
  (m+3) – n	DL Session-AMBR (UTF-8 encoded)

  Table 7. GBR case

  1-2	<Release indicator> = "15" (UTF-8 encoded)
  3	"-" (UTF-8 encoded)
  4-5	ARP (UTF-8 encoded)
  6-7	5QI (UTF-8 encoded)
  8-9	UL MFBR length (UTF-8 encoded)
  10-m	UL MFBR (UTF-8 encoded)
  (m+1)-(m+2)	DL MFBR length (UTF-8 encoded)
  (m+3)-n	DL MFBR (UTF-8 encoded)
  (n+1)-(n+2)	UL GFBR length (UTF-8 encoded)
  (n+3)-o	UL GFBR (UTF-8 encoded)
  (o+1) – (o+2)	UL GFBR length (UTF-8 encoded)
  (o+3) - p	DL GFBR (UTF-8 encoded)

  For 4G call, the values from the default-qos profile of the system are used and the encoding is performed as follows:

  Table 8. Non-GBR case

  1-2	<Release indicator>- = "08" (UTF-8 encoded)
  3	"-" (UTF-8 encoded)
  4-5	ARP (UTF-8 encoded)
  6-7	5QI (UTF-8 encoded)
  8-11	UL Session-AMBR (UTF-8 encoded)
  12-15	DL Session-AMBR (UTF-8 encoded)

  Table 9. GBR case

  1-2	<Release indicator> = "08" (UTF-8 encoded)
  3	"-" (UTF-8 encoded)
  4-5	ARP (UTF-8 encoded)
  6-7	5QI (UTF-8 encoded)
  8-11	UL MBR (UTF-8 encoded)
  12-15	DL MBR (UTF-8 encoded)
  16-19	UL GBR (UTF-8 encoded)
  20-23	DL GBR (UTF-8 encoded)

• 3GPP-SGSN-ADDRESS

  Description: 4-byte octet (IPv4-address) value encoded as per 3GPP TS 29.061.

  For 5G call, the AMF address is set.

  For 4G call, the S-GW address is set.

• 3GPP-GGSN-ADDRESS

  Description: 4-byte octet (IPv4-address) value encoded as per 3GPP TS 29.061.

  For both 5G and 4G calls, the SMF-Service IP is set.

  For 3GPP dictionary, PGW control IP address as sent in CSRsp.

• 3GPP-IMSI-MCC-MNC

  Description: String value encoded as per 3GPP TS 29.061.

  For 5G call, SUPIs MCC and MNC values are set.

  For 4G call, IMSIs MCC and MNC values are set.

  MCC is first 3 bytes, MNC is next 2 or 3 bytes.

  If MCC value is any of the following, then MNC will be of 3 bytes, else MNC will be of 2 bytes.

  300 302 310 311 312 313 316 334 338 342 344 346 348 354 356 358 360 365 376 405 708 722 732

• 3GPP-GGSN-MCC-MNC

  Description: String value encoded as per 3GPP TS 29.061.

  For both 5G and 4G calls, configured MCC and MNC value of SMF is used.

  MCC is first 3 bytes, and MNC is next 2 or 3 bytes.

• 3GPP-SGSN-MCC-MNC

  Description: String value encoded as per 3GPP TS 29.061.

  For 5G call, AMFs MCC and MNC values are set.

  For 4G call, SGWs MCC and MNC values are set.

  MCC is first 3 bytes, and MNC is next 2 or 3 bytes.

• 3GPP-NSAPI

  Description: String value encoded as per 3GPP TS 29.061.

  For 5G call, QFI value from the defaultQos profile is set.

  For 4G call, EPS bearer ID is set.

• 3GPP-SELECTION-MODE

  Description: String value encoded as per 3GPP TS 29.061.

  For both 4G and 5G calls, the value is set to "0".

  For 3GPP dictionary, the selection mode value is received in CSReq.

• 3GPP-CHARGING-CHARACTERISTICS

  Description: String value encoded as per 3GPP TS 29.061.

  For both 4G and 5G calls, generic charging character is set.

• 3GPP-IMEISV

  Description: String value encoded as per 3GPP TS 29.061.

  For 5G call, PEI value is set.

  For 4G call, IMEI value is set.

• 3GPP-RAT-TYPE

  Description: 1-byte octet encoded as per 3GPP TS 29.061.

  For 5G call, value "NR (51)" is set.

  For 4G call, value "EUTRAN (6)" is set.

  For WLAN call, value "WLAN (3)" is set.

• 3GPP-USER-LOCATION

  Description: Special octet value encoded as per 3GPP TS 29.061.

  For 5G call, the following encoding logic is used:

  1	Location-Type Only TAI = 136 Only NCGI = 135 Both TAI + NCGI =137
  2-7	TAI-Encoding (if present)
  8-15	NCGI-Encoding (if present)

  TAI Encoding header:

  1	MCC digit 2	MCC digit 1
  2	MNC digit 3	MCC digit 3
  3	MNC digit 2	MNC digit 1
  4-6	TAC value

  NCGI Encoding header:

  1	MCC digit 2	MCC digit 1
  2	MNC digit 3	MCC digit 3
  3	MNC digit 2	MNC digit 1
  4	SPARE	NCI
  5-8	NR Cell Identifier (NCI)

  For 4G call, the following encoding logic is used:

  1	Location-Type
  	Only TAI = 128
  	Only ECGI = 129
  	Both TAI + ECGI =130
  2-6	TAI-Encoding (if present)
  7-13	ECGI-Encoding (if present)

  TAI Encoding header:

  1	MCC digit 2	MCC digit 1
  2	MNC digit 3	MCC digit 3
  3	MNC digit 2	MNC digit 1
  4-5	TAC value

  ECGI Encoding header:

  1	MCC digit 2	MCC digit 1
  2	MNC digit 3	MCC digit 3
  3	MNC digit 2	MNC digit 1
  4	Spare	ECI
  5-7	EUTRAN Cell Identifier (ECI)

• 3GPP-MS-TIMEZONE

  Description: Special octet value encoded as per 3GPP TS 29.061.

  Timezone string (for example: -07:00+1) is encoded as two-byte value as mentioned in the following table.

  1	TIMEZONE The first byte timezone is encoded as per 3GPP 29.061, 3GPP 29.274, 3GPP 24.008, and 3GPP 23.040 (section 9.2.3.11).
  2	DAYLIGHT SAVING 0, or +1 or +2 The second byte daylight consists of two bits used (00-0, 01-+1, 10-+2, 11 – Unused).

• 3GPP-NEGOTIATED-DSCP

  Description: 1-byte octet encoded as per 3GPP TS 29.061

  For both 5G and 4G calls, DSCP configuration from DNN qos-profile configuration is used.

  Sub -> DNN profile -> QosProfile -> DSCPMap -> Qi5 value check -> ARP priority check

• Acct-Status-Type

  Description: Enum value encoded as per RFC 2866. The value of this attribute can be one of the following:

  • 1 - Start

  • 2 - Stop

  • 3 - Interim Update

• Acct-Delay-Time

  Description: Integer value encoded as per RFC 2866. This attribute represents the amount of time client is trying to send the accounting record.

• Acct-Input-Octets

  Description: Integer value encoded as per RFC 2866. This attribute represents the amount of bytes received. This attribute contains 4 bytes.

  The SMF wraps values when the number crosses the maximum value.

• Acct-Output-Octets

  Description: Integer value encoded as per RFC 2866. This attribute represents the amount of bytes transmitted. This attribute contains 4 bytes.

  The SMF wraps values when the number crosses the maximum value.

• Acct-Input-Packets

  Description: Integer value encoded as per RFC 2866. This attribute represents the amount of packets received. This attribute contains 4 bytes.

  The SMF wraps values when the number crosses the maximum value.

• Acct-Output-Packets

  Description: Integer value encoded as per RFC 2866. This attribute represents the amount of packets transmitted. This attribute contains 4 bytes.

  The SMF wraps values when the number crosses the maximum value.

• Acct-Input-Gigawords

  Description: Integer value encoded as per RFC 2869. This attribute indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 over the course of this service being provided. This value is incremented whenever Acct-Input-Octets is wrapped.

• Acct-Output-Gigawords

  Description: Integer value encoded as per RFC 2869. This attribute indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 over the course of this service being provided. This value is incremented whenever Acct-Output-Octets is wrapped.

• Acct-Session-Id

  Description: String value encoded as per RFC 2866. This attribute represents the unique accounting ID of subscriber. The accounting ID is unique to make it easy to match start and stop records in a log file. The start and stop records for a given session MUST have the same Acct-Session-Id. An Accounting-Request packet MUST have an Acct-Session-Id.

  An Access-Request packet MAY have an Acct-Session-Id; if it does, then the NAS MUST use the same Acct-Session-Id in the Accounting-Request packets for that session. The Acct-Session-Id contains UTF-8 encoded 10646 characters.

• Acct-Session-Time

  Description: Integer value encoded as per RFC 2866. This attribute represents the amount of time the subscriber is active.

• Framed-MTU

  Description: This attribute indicates the Maximum Transmission Unit to be configured for the user, when it is not negotiated by some other means (such as PPP). The default value is 1500.

  It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that value, but the server is not required to honour the hint.

• Acct-Terminate-cause

  Description: Enum value encoded as per RFC 2866. This attribute represents the reason for termination of subscriber.

• FRAMED-IP

  The IPv4 address value decoded as per RFC 2865.

  For both 4G and 5G calls, the received value is set as the IPv4 address for the subscriber.

• FRAMED-IPv6-PREFIX

  The IPv6 Prefix + Length value decoded as per RFC 3162.

  For both 4G and 5G calls, the received value is set as the IPv6 prefix for the subscriber.

  Important

  If the received prefix-length is !=64, the SMF overrides to 64.

• IDLE-TIMEOUT

  The 4-byte octet (integer) value encoded as per RFC 2865. This attribute is supported in the inbound RADIUS packet.

  For both 4G and 5G calls, the received value is used as the maximum number of consecutive seconds of idle time that the user is permitted before being disconnected by the NAS.

• SESSION-TIMEOUT

  The 4-byte octet (integer) value encoded as per RFC 2865. This attribute is supported in the inbound RADIUS packet.

  For both 4G and 5G calls, the received value is used as the maximum number of seconds that the user is allowed to remain connected by the NAS.

• 3GPP-Negotiated-QoS-Profile

  • Access-request

    For ISE or default dictionary: ARP PCI and ARP PVI were sent out incorrectly and did not match value received in CSReq. Also APN AMBR was sent out in bps instead of Kbps.

    For 3GPP dictionary: ARP PCI and ARP PVI values are fixed and in sync with what is received in CSReq. Also APN AMBR is sent out in Kbps.

  • Accounting-request

    For ISE or default dictionary: ARP PCI and ARP PVI were sent out incorrectly and did not match value received in CSReq/Gx CCA-I. Also APN AMBR was sent out in bps instead of Kbps.

  • For 3GPP dictionary: ARP PCI and ARP PVI values are fixed and in sync with what is received in CSReq/Gx-CCA-I. Also APN AMBR is sent out in Kbps.

• 3GPP-IMEI-SV

  • Access-request

    For ISE or default dictionary: For 16 bit IMEI: imeisv-1122334455667788 and for 15 bit imei: 112233445566778.

    For 3GPP dictionary: For 16 bit IMEI: 1122334455667788 and for 15 bit IMEI: 112233445566778.

  • Accounting-request

    For ISE or default dictionary: For 16 bit IMEI: imeisv-1122334455667788 and for 15 bit IMEI: 112233445566778.

  • For 3GPP dictionary: For 16 bit IMEI: 1122334455667788 and for 15 bit IMEI: 112233445566778.

• 3GPP-UE-Location

  • Access-request

    For ISE or default dictionary: ECI value is going as 0.

    For 3GPP dictionary: the value is received in CSReq.

  • Accounting-request

    For ISE or default dictionary: For 16 bit IMEI: imeisv-1122334455667788 and for 15 bit IMEI: 112233445566778.

  • For 3GPP dictionary: For 16 bit IMEI: 1122334455667788 and for 15 bit IMEI: 112233445566778 .

Note	The WiFi call attributes are the same as the 4G call.

The RADIUS Client feature complies with the following standards:

• RFC 2865: RADIUS

• RFC 2866: RADIUS Accounting

• RFC 3162: RADIUS and IPv6

• 3GPP TS 29.061

• 3GPP TS 29.274

• 3GPP TS 29.561, version 16.4.0

The SMF has the following limitations:

• The SMF supports only single RADIUS attribute profile, and does not support dictionary selection.

• If RADIUS accounting is enabled and server-group is configured within DNN profile, the SMF sends server-group as AAA group in charging-params in N4 session establishment. The UPF displays an error if there is a server group mismatch between SMF and UPF.

  In this scenario, static and predefined usage are not accounted in the RADIUS URR. However, the dynamic rules traffic is accounted in the RADIUS URR.

Use the following sample configuration to configure the RADIUS server.

config 
   profile radius 
      server ipv4_address port_num 
         secret secret_key 
         priority priority_value 
         type { acct | auth } 
         commit 

NOTES:

• profile radius : Enter the RADIUS configuration mode.

• server ipv4_address port_num : Specify the IPv4 address and port of the RADIUS server.

• secret secret_key : Specify the secret key.

• priority priority_value : Specify the server priority.

• type { acct | auth } : Specify the type of the RADIUS server. The server can be one of the following:

  • acct : RADIUS server used for the accounting requests

  • auth : RADIUS server used for the authentication requests

• commit : Commit the configuration.

Example

The following is an example of the RADIUS server configuration.

profile radius 
 server 209.165.200.238 1812 
  secret   $8$73a0i4G3ILj0Np+8tn2QOoWDj3QkB+oefPc2ZK6RE6A= 
  priority 1 
 exit 
 server 209.165.200.240 1812 
  secret   $8$VccEEUVou7m5ptA9WZRPR7KDmxQ/L3KlJ3QqgHjexkk= 
  priority 2 
 exit 
exit 

Use the following sample configuration to configure the RADIUS server selection logic.

config 
   profile radius 
      algorithm { first-server | round-robin } 
      commit 

NOTES:

• profile radius : Enter the RADIUS configuration mode.

• algorithm { first-server | round-robin } : Define the algorithm for selecting the RADIUS server.

  • first-server : Set the selection logic as highest priority first. This is the default behavior.

  • round-robin : Set the selection logic as round-robin order of servers.

• commit : Commit the configuration.

Example

The following is an example of the RADIUS server selection logic configuration.

config 
   profile radius 
      algorithm round-robin 
      exit 

To configure the RADIUS attributes for authentication and accounting, use the following sample configuration:

config 
   profile radius 
      attribute [  [ instance gr_instance_id ]   [ nas-identifier nas_id ] [ nas-ip ipv4_address ] ] 
      end 

NOTES:

• profile radius : Enter the RADIUS configuration mode.

• attribute [ [ instance gr_instance_id ] [ nas-identifier nas_id ] [ nas-ip ipv4_address ] ] : Configure the RADIUS identification parameters.

  • instance gr_instance_id : Specify the Geographic Redundancy (GR) instance ID. gr_instance_id must be an integer.

  • nas-identifier nas_id : Specify the attribute name by which the system will be identified in Accounting-Request messages. nas_id must be an alphanumeric string.

  • nas-ip ipv4_address : Specify the NAS IPv4 address. ipv4_address must be an IPv4 address in dotted decimal notation.

• The NAS-IP-Address and NAS-Identifier attributes can be configured per instance-id in RADIUS profile configuration. In this case, NAS-IP-Address and NAS-Identifier attributes under instance configuration are treated as high priority over the non-instance based attribute configuration.

Example

The following is an example of the RADIUS attributes configuration.

config 
   profile radius 
      attribute 
         instance 1 
            nas-identifier CiscoSmf 
         exit 
      exit 
   exit 
exit 

Use the following configuration to enable allow-auth in the RADIUS server.

config 
   profile radius 
      enable-allow-auth 
      end 

NOTES:

• profile radius : Enter the RADIUS configuration mode.

• enable-allow-auth : If allow-auth is enabled in the configuration, it allows the ongoing call to continue irrespective of authentication being successful, timed out, or any error message received. The default value is false, configuration is required to enable the allow-auth.

Use the following configuration to enable allow-auth in the RADIUS server group.

config 
   profile radius 
      server-group group_name 
         enable-allow-auth 
         end 

NOTES:

• profile radius : Enter the RADIUS configuration mode.

• server-group group_name : Enter the server group on which you want to enable the allow-auth.

• enable-allow-auth : If allow-auth is enabled in the configuration, it allows the ongoing call to continue irrespective of authentication being successful, timed out, or any error message received. The default value is false, configuration is required to enable the allow-auth..

Use the following configuration to configure consecutive failure in the RADIUS server. Even if there is no option for dead-server-detection, consecutive-failure is enabled by default and its default value is 10. To turn it off, the user must set the value to 0.

config 
   profile radius 
      detect-dead-server consecutive-failures value 
      end 

NOTES:

• profile radius : Enter the RADIUS configuration mode.

• detect-dead-server consecutive-failures value : When a server's failure count reaches the threshold for consecutive failures, the server is declared as dead server.

  value: must be an integer in the range of 1–1000. Default: 10.

• It is recommended to configure the consecutive failure value more than the request maxTransmissions value in the setup.

  Example: The consecutive failure count may be greater than 6 if maxRetry = 2 and maxTransmissions = 6, so as not to affect the server switch caused by maxtransmissions. Moreover, a server level value called consecutive-failure is increased when successive requests are made to the same server.

The protocol endpoint is the configuration for the UDP-Proxy pod. The UDP-Proxy pod receives the IPC request to send the UDP message from the RADIUS-EP pod. The UDP-Proxy pod then converts the message to a proper UDP packet and sends it to the radius server. When radius server is sending UDP packet to the SMF, the UDP-Proxy pod receives and forwards the packet on the TCP connection to the RADIUS-EP pod.

config 
   instance instance-idgr_instance_id 
      endpoint protocol 
         replicasreplica_id 
         nodesnode_id 
         internal-vip{ SMF_UDP_PROXY_INTERNAL_VIP } 
         vip-ip{ client_ipv4_address } 
      exit 
   exit 

NOTES:

• instance instance-idgr_instance_id : Specify GR Instance ID.

• endpoint protocol : Enter the endpoint configuration mode.

• replicasreplica_id : Specifies the replica server's ID.

• nodesnode_id : Specify the node ID for the SMF peer node. The value must be a string.

• internal-VIP{ SMF_UDP_PROXY_INTERNAL_VIP } : Specify the IP address of the UDP-Proxy for internal SMF communication, Radius-ep uses this IP address to reach the UDP proxy for outgoing AAA messages.

• VIP-ip{ client_ipv4_address } : Specify the IP address of the dynamic authorization client. ipv4_address must be in standard IPv4 dotted decimal notation.

Example

The following is an example configuration.

config
   instance instance-id 1
      endpoint protocol
         replicas 1
         nodes 2
         internal-vip {SMF_UDP_PROXY_INTERNAL_VIP}
         vip-ip { client_ipv4_address}
      exit
   exit

Use the following sample configuration to configure the RADIUS detect dead server.

config 
   profile radius 
      detect-dead-server response-timeout value 
      commit 

NOTES:

• profile radius : Enter the RADIUS configuration mode.

• detect-dead-server response-timeout value : Set the timeout value that marks a server as "dead" when a packet is not received for the specified number of seconds.

  value must be an integer in the range of 1–65535. Default: 10 seconds.

• commit : Commit the configuration.

Example

The following is an example of the RADIUS detect dead server configuration.

config 
   profile radius 
      detect-dead-server response-timeout 100 
      exit 

Use the following sample configuration to configure the RADIUS dead time.

config 
   profile radius 
      deadtime value 
      commit 

NOTES:

• profile radius : Enter the RADIUS configuration mode.

• deadtime value : Set the time to elapse between RADIUS server marked unreachable and when we can reattempt to connect.

  value must be an integer in the range of 1–65535. Default: 10 minutes.

• commit : Commit the configuration.

Example

The following is an example of the RADIUS dead time configuration.

config 
   profile radius 
     deadtime 15 
     exit 

Use the following sample configuration to configure the RADIUS dictionary.

config 
   profile radius 
      dictionary { ISE dictionary | 3GPP dictionary } 
      commit 

NOTES:

• profile radius : Enter the RADIUS configuration mode.

• dictionary { ISE dictionary | 3GPP dictionary } : The SMF service renders the RADIUS configuration and populates the request messages with the ISE or 3GPP specific parameters as selected.

• commit : Commit the configuration.

Example

The following is an example of the RADIUS dictionary configuration.

config 
   profile radius 
      dictionary { ISE dictionary | 3GPP dictionary } 
      exit 

Use the following sample configuration to configure the maximum RADIUS retries.

config 
   profile radius 
      max-retry value 
      commit 

NOTES:

• profile radius : Enter the RADIUS configuration mode.

• max-retry value : Set the maximum number of times that the system will attempt retry with the RADIUS server.

  value must be an integer in the range of 0–65535. Default: 2

• commit : Commit the configuration.

Example

The following is an example of the RADIUS retries configuration.

config 
   profile radius 
      max-retry 2 
      exit 

Use the following configuration to configure max transmissions in the RADIUS server.

config 
   profile radius 
      max-transmissions value 
      end 

NOTES:

• profile radius : Enter the RADIUS configuration mode.

• max-transmissions value : Max transmission allows you to configure the transmission parameters for all the available servers. This feature helps to cross-check if the number of transmissions exceeds the number of retries once the retry cycle for a request is finished, and if so, it begins the subsequent retry cycle on a different server if one is available. If no server is available or if maxtransimissions limit is reached, then the server database sends out the timeout response.

  value: must be an integer in the range of 0–65535. Default: 6.

• Max transmission value should always be higher value than the max retries +1. It is recommended to use maxTransmissions number as multiples of (maxRetries +1).

• Based on the maxTransmissions, time spent on a single request increases and remains in the system without providing a response by retrying on other servers. As a result, system resources are used up, which may lead to performance degradation.

Use the following configuration to configure max transmissions in the RADIUS server group.

config 
   profile radius 
      server-group group_name 
         max-transmissions value 
         end 

NOTES:

• profile radius : Enter the RADIUS configuration mode.

• server-group group_name : Enter the server group on which you want to configure the max-transmissions.

• max-transmissions value : Max transmission allows you to configure the transmission parameters for all the available servers. This feature helps to cross-check if the number of transmissions exceeds the number of retries once the retry cycle for a request is finished, and if so, it begins the subsequent retry cycle on a different server if one is available. If no server is available or if maxtransimissions limit is reached, then the server database sends out the timeout response.

  value: must be an integer in the range of 0–65535. Default: 6.

• Max transmission value should always be higher value than the max retries +1. It is recommended to use maxTransmissions number as multiples of (maxRetries +1).

• Based on the maxTransmissions, time spent on a single request increases and remains in the system without providing a response by retrying on other servers. As a result, system resources are used up, which may lead to performance degradation.

Use the following sample configuration to configure the RADIUS timeout.

config 
   profile radius 
      timeout value_in_seconds 
      commit 

NOTES:

• profile radius : Enter the RADIUS configuration mode.

• timeout value_in_seconds : Set the time to wait for response from the RADIUS server before retransmitting.

  value_in_seconds must be an integer in the range of 1–65535. Default: 2 seconds.

• commit : Commit the configuration.

Example

The following is an example of the RADIUS timeout configuration.

config 
   profile radius 
      timeout 4 
      exit 

Use the following sample configuration to configure the RADIUS pod.

config 
   instance instance-id gr_instance_id 
      endpoint radius 
         replicas number_of_replicas 
         commit 

NOTES:

• endpoint radius : Enter the RADIUS endpoint configuration mode.

• replicas number_of_replicas : Set the number of replicas required.

• commit : Commit the configuration.

Example

The following is an example of the RADIUS pod configuration.

config 
   instance instance-id 1 
      endpoint radius 
         replicas 3 
         exit 

This section describes how to configure the RADIUS NAS-IP.

Multiple RADIUS NAS-IP Configuration

Note	The NAS-Identifier attribute configuration can be defined per instance-id in RADIUS profile configuration. In this case, NAS-Identifier attribute under instance configuration is treated as high priority over the non-instance based NAS-Identifier attribute configuration.

To configure multiple RADIUS NAS-IP addresses at various levels, use the following sample configuration:

config 
   profile radius 
      attribute [ [ instance gr_instance_id ]  [ nas-ip ipv4_address ]  ] 
      accounting attribute [ [ instance gr_instance_id ]  [ nas-ip ipv4_address ]  ] 
      server-group group_name attribute [ [ instance gr_instance_id ]  [ nas-ip ipv4_address ]  ] 
      server-group group_name accounting attribute [ [ instance gr_instance_id ]  [ nas-ip ipv4_address ]  ] 
      end 

NOTES:

• profile radius : Enter the RADIUS configuration mode.

• attribute [ [ instance gr_instance_id ] [ nas-ip ipv4_address ] ] : Set the global NAS-IP address value.

  • instance gr_instance_id : Specify the Geographic Redundancy (GR) instance ID. gr_instance_id must be an integer.

  • nas-ip ipv4_address : Specify the NAS IPv4 address. ipv4_address must be an IPv4 address in dotted decimal notation.

• accounting attribute [ [ instance gr_instance_id ] [ nas-ip ipv4_address ] ] : Set the global accounting NAS-IP address value.

  • instance gr_instance_id : Specify the Geographic Redundancy (GR) instance ID. gr_instance_id must be an integer.

  • nas-ip ipv4_address : Specify the NAS IPv4 address. ipv4_address must be an IPv4 address in dotted decimal notation.

• server-group group_name attribute [ [ instance gr_instance_id ] [ nas-ip ipv4_address ] ] : Set the per server-group common NAS-IP address value.

  • instance gr_instance_id : Specify the Geographic Redundancy (GR) instance ID. gr_instance_id must be an integer.

  • nas-ip ipv4_address : Specify the NAS IPv4 address. ipv4_address must be an IPv4 address in dotted decimal notation.

• server-group group_name accounting attribute [ [ instance gr_instance_id ] [ nas-ip ipv4_address ] ] : Set the per server-group accounting NAS-IP address value.

  • instance gr_instance_id : Specify the Geographic Redundancy (GR) instance ID. gr_instance_id must be an integer.

  • nas-ip ipv4_address : Specify the NAS IPv4 address. ipv4_address must be an IPv4 address in dotted decimal notation.

Example:

The following is an example of the multiple RADIUS NAS-IP configuration.

config
 profile radius
  attribute
   instance 1
    nas-ip 209.165.200.225 
    nas-identifier  smf1  
   exit
   instance 2
    nas-ip 209.165.201.2
          
    nas-identifier  smf2  
   exit
  exit
  accounting
   attribute
    instance 1
     nas-ip 209.165.200.225 
     nas-identifier  smf1 
    exit
    instance 2
     nas-ip 209.165.201.2
          
     nas-identifier  smf2 
    exit
   exit
  exit
 exit
 server-group g1
  attribute
   instance 1
    nas-ip 209.165.200.225 
    nas-identifier  smf1 
   exit
   instance 2
    nas-ip 209.165.201.2
       
    nas-identifier  smf2 
   exit
  exit
 exit
 accounting
  attribute
   instance 1
    nas-ip 209.165.200.225 
    nas-identifier  smf1 
   exit
   instance 2
    nas-ip 209.165.201.2
    
    nas-identifier  smf2 
   exit
  exit
 exit
exit
 

Use the following sample configuration to configure the secondary authentication method.

config 
   profile dnn dnn_name 
      authentication secondary radius [ group group_name ] 
      commit 

NOTES:

• profile dnn dnn_name : Enter the DNN Profile configuration mode.

• authentication secondary radius [ group group_name ] : Enable secondary authentication under the DNN profile and sets method as RADIUS.

  group group_name : This keyword is optional. This keyword defines the RADIUS server group name.

• commit : Commit the configuration.

Example

The following is a configuration example of the secondary authentication method.

config 
   profile dnn intershat 
   ... 
   authentication secondary radius 
   exit 

This section provides the configuration to enable the PAP, CHAP, and MSCHAP-based RADIUS authentication. This configuration aids in converting the CHAP Challenge and Response received in PCO IE as MSCHAP Challenge and Response.

Use the following sample configuration to enable RADIUS accounting on SMF and configure the RADIUS accounting specific parameters.

config 
   profile charging charging_profile_name 
      accounting limit { duration value | volume { downlink value | total value | uplink value } } 
      accounting triggers [ ambr-change | plmn-change | qos-change | rat-change | serv-node-change |  tft-change |  ue-time-change | user-loc-change ] 
      commit 

NOTES:

• profile charging charging_profile_name : Specify the charging profile name. charging_profile_name must be an alphanumeric string.

• accounting : Specify this option to enable RADIUS accounting on SMF for the subscribesrs.

• limit { duration value | volume { downlink value | total value | uplink value } } : Specify the volume and time limits for RADIUS accounting.

  duration value : Specify the time duration value as an integer in the range of 0–2147483647.

  downlink value : Specify the downlink volume limit for interim generation in bytes, as an integer in the range of 100000–4000000000.

  total value : Specify the total volume limit for interim generation in bytes, as an integer in the range of 100000–4000000000.

  uplink value : Specify the uplink volume limit for interim generation in bytes, as an integer in the range of 100000–4000000000.

• accounting triggers [ ambr-change | plmn-change | qos-change | rat-change | serv-node-change | tft-change | ue-time-change | user-loc-change ] : Enable the appropriate RADIUS accounting triggers according to the following conditions:

  • AMBR change

  • PLMN change

  • Quality of Service change

  • Routing Area Information change

  • Serving node change

  • Traffic Flow Template (TFT) change

  • UE time change

  • User Location Information change - applicable only for PGW-C and GGSN.

  Important

  Enabling any one of these triggers turns off the remaining triggers.

• commit : Commit the configuration.

Use the following sample configuration to set RADIUS server-group to use for accounting in DNN profile.

All subscribers under the specified DNN will have RADIUS accounting enabled.

config 
   profile dnn dnn_profile_name 
      accounting server-group group_name 
      commit 

NOTES:

• profile dnn dnn_profile_name : Specify the DNN profile name to enter the DNN configuration mode. dnn_profile_name must be an alphanumeric string.

• accounting server-group group_name : Specify the RADIUS server-group to use for accounting in the configured DNN profile. group_name must be an alphanumeric string.

• commit : Commit the configuration.

To configure the RADIUS accounting options, use the following sample configuration:

config 
   profile radius accounting 
      algorithm { first-server | round-robin } 
      attribute [  [ instance gr_instance_id ]   [ nas-identifier nas_id ] [ nas-ip ipv4_address ] ] 
      deadtime value 
      detect-dead-server response-timeout value 
      max-retry value 
      timeout value 
      end 

NOTES:

• profile radius accounting : Enter the RADIUS accounting configuration mode.

• algorithm { first-server | round-robin } : Define the algorithm for selecting the RADIUS server.

  • first-server : Set the selection logic as highest priority first. This is the default behavior.

  • round-robin : Set the selection logic as round-robin order of servers.

• attribute [ [ instance gr_instance_id ] [ nas-identifier nas_id ] [ nas-ip ipv4_address ] ] : Configure the RADIUS identification parameters.

  • instance gr_instance_id : Specify the Geographic Redundancy (GR) instance ID. gr_instance_id must be an integer.

  • nas-identifier nas_id : Specify the attribute name by which the system will be identified in Accounting-Request messages. nas_id must be an alphanumeric string.

  • nas-ip ipv4_address : Specify the NAS IPv4 address. ipv4_address must be an IPv4 address in dotted decimal notation.

• deadtime value : Set the time to elapse between RADIUS server marked unreachable and when we can re-attempt to connect.

  value must be an integer from 0 through 65535. Default: 10 minutes.

• detect-dead-server response-timeout value : Set the timeout value that marks a server as "dead" when a packet is not received for the specified number of seconds.

  value must be an integer from 1 through 65535. Default: 10 seconds.

• max-retry value : Set the maximum number of times that the system will attempt retry with the RADIUS server.

  value must be an integer in the range of 0–65535. Default: 2

• timeout value : Set the time to wait for response from the RADIUS server before retransmitting.

  value must be an integer in the range of 1–65535. Default: 2 seconds.

• All the keyword options under the RADIUS accounting configuration mode are also available within the RADIUS configuration mode.

Use the following sample configuration to configure the RADIUS server group.

config 
   profile radius 
      server-group group_name 
      commit 

NOTES:

• profile radius : Enter the RADIUS configuration mode.

• server group group_name : Specify the name of server group for use in RADIUS accounting. group_name must be an alphanumeric string.

• commit : Commit the configuration.

This section describes how to configure the Session Disconnect feature.

Configuring the Session Disconnect feature in SMF involves the following steps:

• Configuring the Dynamic Authorization Service

• Configuring the CoA-NAS Interface

RADIUS Authentication Statistics

This feature supports the following statistics related to RADIUS Authentication:

• SMF-Service:

  • Number of Secondary-Authentication requests sent

  • Number of Secondary-Authentication response received

• RADIUS-EP:

  • Number of Secondary-Authentication requests sent

  • Number of Secondary-Authentication response received

  • Number of RADIUS packets sent

  • Number of RADIUS packets received

RADIUS Accounting Statistics

The SMF maintains the following statistics to track the total number of attempted, successful, and failed RADIUS Accounting Start, Accounting Update Interim and Accounting Terminate requests and responses.

• SMF_SERVICE_STATS for the following procedure types:

  • radius_initial: This counter gets incremented for Accounting Start request and response.

  • radius_update: This counter gets incremented for Accounting Interim Update request and response.

  • radius_terminate: This counter gets incremented for Accounting Terminate request and response.

RADIUS Access Management Statistics

The following statistics track the number of times the AVP is received in the RADIUS Access-Accept messages at SMF.

• SmfRadiusMessageStats

  INBOUND:

  • radius_access_accept

    • radius_avp_session_timeout

    • radius_avp_idle_timeout

PAP, CHAP, or MSCHAP-based Authentication Statistics

The SMF supports the following statistics to track the number of times the AVP sent in Access-Request messages.

Group: smf_radius_message_stats

Format: {app_name, cluster, data_center, direction, instance_id, message_type, radius_avp_type, rat_type, service_name}

message_type: radius_access_request

radius_avp_type:

• radius_avp_pap_user_password

• radius_avp_pap_username

• radius_avp_chap_challenge

• radius_avp_chap_response

• radius_avp_mschap_challenge

• radius_avp_mschap_response

Example:

smf_radius_message_stats{app_name="SMF",cluster="Local",data_center="DC",direction="outbound",
instance_id="0",message_type="radius_access_request",radius_avp_type="radius_avp_pap_user_password",
rat_type="NR",service_name="smf-service"} 1

smf_radius_message_stats{app_name="SMF",cluster="Local",data_center="DC", 
direction="outbound",instance_id="0",message_type="radius_access_request", 
radius_avp_type="radius_avp_pap_username",rat_type="NR",service_name="smf-service"} 1

The SMF supports these additional statistics to track the number of attempted, successful and failed responses received due to PAP, CHAP, and MSCHAP authentication.

Group: radius_authentication_message_stats

Format: {app_name, cluster, data_center, dnn, instance_id, radius_auth_algorithm, rat_type, reason, service_name, status}

radius_auth_algorithm:

• radius_auth_algorithm_default

• radius_auth_algorithm_pap

• radius_auth_algorithm_chap

• radius_auth_algorithm_mschap

rat_type:

• NR

• EUTRA

• WLAN

status:

• decode_failed

• encode_failed

• attempted

• success

• failed

• timeout

reason:

• parse_error

• invalid_code

• invalid_option

• invalid_pco

• invalid_epco

• invalid_apco

• write_error

Example:

radius_authentication_message_stats{app_name="SMF",cluster="Local",
data_center="DC",dnn="intershat2",instance_id="0",
radius_auth_algorithm="radius_auth_algorithm_default",rat_type="NR",reason="",
service_name="smf-service",status="attempted"} 2

 radius_authentication_message_stats{app_name="SMF",cluster="Local",
data_center="DC",dnn="intershat2",instance_id="0",radius_auth_algorithm="radius_auth_algorithm_default",
rat_type="NR",reason="",service_name="smf-service",status="success"} 2

radius_authentication_message_stats{app_name="SMF",cluster="Local",data_center="DC",
dnn="intershat",instance_id="0",radius_auth_algorithm="radius_auth_algorithm_chap",
rat_type="EUTRA",reason="",service_name="smf-service",status="attempted"} 2

radius_authentication_message_stats{app_name="SMF",cluster="Local", 
data_center="DC",dnn="intershat",instance_id="0",radius_auth_algorithm="radius_auth_algorithm_chap", 
rat_type="EUTRA",reason="",service_name="smf-service",status="failed"} 2

RADIUS Disconnect and CoA Request Related Statistics

The RADIUS endpoint (radius-ep) pod supports the following statistics.

Radius_Server_Status

Description: Display the active or inactive status of RADIUS server.

Metrics-Type: Gauge

Metrics-Value: 1 – ActiveServer, 0 – Inactive Server

Labels:

• Label: radSvrIP

  • Description: Server IP Address

  • Value: <any-ip-address>

• Label: radSvrPort

  • Description: Server Port

  • Value: <any-port>

• Label: radSvrPortType

  • Description: Authentication or Accounting type

  • Value: Auth, Acct

Radius_Requests_Current

Description: Displays the outstanding authentication and accounting requests

Metrics-Type: Gauge

Labels:

• Label: radMsgCode

  • Description: RADIUS Message Type

  • Values: SecondaryAuthenReq, RadiusAcctReq, TestAuth, TestAcct

• Label: radSvrIP

  • Description: Server IP Address

  • Value: <any-ip-address>

• Label: radSvrPort

  • Description: Server Port

  • Value: <any-port>

• Label: radSvrPortType

  • Description: Authentication or Accounting type

  • Value: Auth, Acct

• Label: dnn

  • Description: DNN of subscriber

  • Value: <string>

• Label: procType

  • Description: Procedure-type

  • Value: <string>

• Label: ratType

  • Description: RAT type of subscriber

  • Value: <string>

• Label: sessType

  • Description: Session-type of subscriber

  • Value: <string>

• Label: grInstId

  • Description: Geographic redundancy (GR) instance ID

  • Value: <string>

Radius_Requests_Statistics

Description: Displays the total authentication and accounting requests transmitted, retransmitted, and responses received

Metrics-Type: Counter

Labels:

• Label: radMsgCode

  • Description: Radius Message Type

  • Values: SecondaryAuthenReq, RadiusAcctReq, TestAuth, TestAcct

• Label: radPacketType

  • Description: Direction of packet

  • Value: Tx, Rx, Retry_Tx

• Label: radResult

  • Description: Result of operation

  • Value: Success, Failed, Timeout, Failure_Reject, ...

• Label: radSvrIP

  • Description: Server IP Address

  • Value: <any-ip-address>

• Label: radSvrPort

  • Description: Server Port

  • Value: <any-port>

• Label: radSvrPortType

  • Description: Authentication or Accounting type

  • Value: Auth, Acct

• Label: dnn

  • Description: DNN of subscriber

  • Value: <string>

• Label: procType

  • Description: Procedure-type

  • Value: <string>

• Label: ratType

  • Description: RAT type of subscriber

  • Value: <string>

• Label: sessType

  • Description: Session-type of subscriber

  • Value: <string>

• Label: grInstId

  • Description: Geographic redundancy (GR) instance ID

  • Value: <string>

Radius_CoaDM_Requests_Current

Description: Displays the outstanding CoA and DM requests being processed.

Metrics-Type: Gauge

Labels:

• Label: radMsgCode

  • Description: RADIUS Message Type

  • Values: DisconnectRequest, CoARequest

• Label: radSvrIP

  • Description: Server IP Address

  • Value: <any-ip-address>

• Label: grInstId

  • Description: Geographic redundancy (GR) instance ID

  • Value: <string>

Radius_CoaDM_Requests_Statistics

Description: Displays the total CoA and DM requests received and processed.

Metrics-Type: Counter

Labels:

• Label: radMsgCode

  • Description: Radius Message Type

  • Values: DisconnectRequest, DisconnectACK, DisconnectNAK, CoARequest, CoaDMReq, CoAACK

• Label: radPacketType

  • Description: Direction of packet

  • Value: Tx, Rx

• Label: radResult

  • Description: Result of operation

  • Value: Success, Failure_Invalid_Request, Failure_Drop_Retry_Coa, Failure_Unknown_Error...

• Label: radSvrIP

  • Description: Server IP Address

  • Value: <any-ip-address>

• Label: nakErrorCause

  • Description: Error-cause set during COA-NAK / DM-NAK (not applicable for other cases)

  • Value: Missing-Attribute, NAS-Identification-Mismatch, Unsupported-Service, Invalid-Attribute-Value, Session-Context-Not-Found, Internal-Error

• Label: grInstId

  • Description: Geographic redundancy (GR) instance ID

  • Value: <string>

Use the following bulk statistics to monitor the failures or issues associated with RADIUS authentication, RADIUS accounting, and Disconnect Message requests.

The show subscriber supi supi_id nf-service smf full CLI command displays the subscriber details for RADIUS-specific use cases.

[unknown] smf# show subscriber supi imsi-123456789012345 nf-service smf full  
subscriber-details 
{
…
"alwaysOn": "None",
        "dcnr": "None",
        "wps": "Wps Session",
        "ratType": "NR",
        "idleTimeout": 600,      << can be overwritten from Radius in Auth Resp 
        "sessTimeout": 1200,     << can be overwritten from Radius in Auth Resp 
        "radiusEpInfo": "209.165.200.228:1812", 
        "authAlg": "pap-default", 
        "authStatus": "Authenticated" 
…
…
        "accountingEnabled": "true", 
        "n40ChargingEnabled": "true",
        "acctSessId": "198.15.1.40016777221" 
…
…
"upfServData": {
        "numberOfTunnels": 2,
        "smfSeid": 72057615828912656,
        "UPState": "Activated",
        "urrInfo": [
          {
            "id": 2147483657,
            "chgName": "radiusurr",
            "method": {
              "duration": "false",
              "volume": "true",
              "event": "false"
            },

The show radius CLI command displays statistics for RADIUS Authentication and Accounting from RADIUS endpoint.

[unknown] smf# show radius 
radius
--------------------------------------------------------
 Server: 209.165.200.240, port: 1812, status: up, port-type: Auth
 3 requests, 0 pending, 0 retransmits
 2 accepts, 0 rejects, 1 timeouts
 0 bad responses, 0 bad authenticators
 0 unknown types, 0 dropped, 1 ms latest rtt
--------------------------------------------------------
--------------------------------------------------------
 Server: 209.165.200.234, port: 1813, status: up, port-type: Acct
 3 requests, 0 pending, 6 retransmits
 0 responses, 3 timeouts
 0 bad responses, 0 bad authenticators
 0 unknown types, 0 dropped, 0 ms latest rtt
--------------------------------------------------------
 Server: 209.165.200.245, port: 1813, status: up, port-type: Acct
 5 requests, 0 pending, 3 retransmits
 3 responses, 2 timeouts
 0 bad responses, 0 bad authenticators
 0 unknown types, 0 dropped, 6 ms latest rtt
--------------------------------------------------------
[unknown] smf# 

[unknown] smf# show radius acct-server  
--------------------------------------------------------
 Server: 209.165.200.234, port: 1813, status: up, port-type: Acct
 3 requests, 0 pending, 6 retransmits
 0 responses, 3 timeouts
 0 bad responses, 0 bad authenticators
 0 unknown types, 0 dropped, 0 ms latest rtt
--------------------------------------------------------
 Server: 209.165.200.240, port: 1813, status: up, port-type: Acct
 5 requests, 0 pending, 3 retransmits
 3 responses, 2 timeouts
 0 bad responses, 0 bad authenticators
 0 unknown types, 0 dropped, 6 ms latest rtt
--------------------------------------------------------
[unknown] smf#  
[unknown] smf# show radius auth-server  
--------------------------------------------------------
 Server: 209.165.200.243, port: 1812, status: up, port-type: Auth
 3 requests, 0 pending, 0 retransmits
 2 accepts, 0 rejects, 1 timeouts
 0 bad responses, 0 bad authenticators
 0 unknown types, 0 dropped, 1 ms latest rtt
--------------------------------------------------------
[unknown] smf# 

The show radius-dyn-auth CLI command displays statistics for RADIUS Disconnect Message and CoA from RADIUS endpoint.

[unknown] smf# show radius-dyn-auth
radius-dyn-auth
--------------------------------------------------------
 IP: 209.165.201.20
 ------------------
 COA:
 0 total-requests       0 inprocess-requests
     0 retry-request-drops  0 invalid-requests
     0 bad-authenticators   0 internal-errors
 0 ack-sent             0 nak-sent
 ------------------
 DISCONNECT:
 2 total-requests       0 inprocess-requests
     0 retry-request-drops  0 invalid-requests
     0 bad-authenticators   0 internal-errors
 1 ack-sent             1 nak-sent
 ------------------
 UnknownTypesRcvd: 0
--------------------------------------------------------
[unknown] smf# 

The show peers all CLI command fetches the list of external inbound and outbound connections established by the SMF.

[unknown] smf# show peers all | include radius 
RadiusServer  -     209.165.202.145:1813   Outbound   radius-ep-0    Udp   18 hours   Radius  Status: Active,Type: Acct  1 
RadiusServer  -     209.165.201.20:1812    Outbound   radius-ep-0    Udp   17 hours   Radius  Status: Active,Type: Auth  1 
RadiusServer  -     209.165.201.20:1813    Outbound   radius-ep-0    Udp   17 hours   Radius  Status: Active,Type: Acct  1 
[unknown] smf# 

Important

During application startup or configuration updates, RADIUS endpoint sends test authentication and accounting requests to check the status of RADIUS server peer. The output of the show peers command displays the peer status result. The results of these dummy requests will be overwritten by the outcomes of actual authentication and accounting requests.

The show endpoint info CLI command fetches the list of internal and external connections established by the SMF.

[unknown] smf# show endpoint all | include radius 
Radius:209.165.201.4:     209.165.201.1:3799     Udp   Started  RADIUS     false     18 hours  <none>   1
[unknown] smf#

The show running-status CLI command fetches the current status of pods. This function is analogous to the K8 kubectl get pods –n <> CLI command.

[unknown] smf# show running-status | include radius 
radius-ep-0      Started      19 hours  
[unknown] smf#

The show config-error CLI command displays the validation criteria — Pass or Failed. The Pass criteria appears when no entries exist.

[unknown] smf# show config-error | include radius 
[unknown] smf#

This section provides the sample output for different variants of the show alerts CLI command.

show alerts | include radius

alerts history radius_test cfb253587397
alerts history radius_test 911f84aff47c
alerts history radius_test 3ed7a5112905
alerts history radius_test 292af807b299
 source      radius-ep-n0-0
 labels      [ "namespace: smf" "pod: radius-ep-n0-0" ]
 annotations [ "summary: Container:  of pod: radius-ep-n0-0 in namespace: smf has been restarted." ]
 source      radius-ep-n0-0
 labels      [ "name: k8s_radius-ep_radius-ep-n0-0_smf_7f9e968a-39dc-11eb-ba84-0050569cb367_0" "namespace: smf" "pod: radius-ep-n0-0" ]
 annotations [ "summary: Container: k8s_radius-ep_radius-ep-n0-0_smf_7f9e968a-39dc-11eb-ba84-0050569cb367_0 of pod: radius-ep-n0-0 in namespace: smf has been restarted." ]
 source      radius-ep-n0-0
 labels      [ "name: k8s_POD_radius-ep-n0-0_smf_7f9e968a-39dc-11eb-ba84-0050569cb367_0" "namespace: smf" "pod: radius-ep-n0-0" ]
 annotations [ "summary: Container: k8s_POD_radius-ep-n0-0_smf_7f9e968a-39dc-11eb-ba84-0050569cb367_0 of pod: radius-ep-n0-0 in namespace: smf has been restarted." ]
alerts history radius_test 1c17e31c13f9
alerts history radius_test ffaabfce0929
 source      radius-ep-n0-0
 labels      [ "name: k8s_POD_radius-ep-n0-0_smf_cd16807a-2f0b-11eb-ba84-0050569cb367_0" "namespace: smf" "pod: radius-ep-n0-0" ]
 annotations [ "summary: Container: k8s_POD_radius-ep-n0-0_smf_cd16807a-2f0b-11eb-ba84-0050569cb367_0 of pod: radius-ep-n0-0 in namespace: smf has been restarted." ]
 source      radius-ep-n0-0
 labels      [ "namespace: smf" "pod: radius-ep-n0-0" ]
 annotations [ "summary: Container:  of pod: radius-ep-n0-0 in namespace: smf has been restarted." ]
 source      radius-ep-n0-0
 labels      [ "name: k8s_radius-ep_radius-ep-n0-0_smf_cd16807a-2f0b-11eb-ba84-0050569cb367_0" "namespace: smf" "pod: radius-ep-n0-0" ]
 annotations [ "summary: Container: k8s_radius-ep_radius-ep-n0-0_smf_cd16807a-2f0b-11eb-ba84-0050569cb367_0 of pod: radius-ep-n0-0 in namespace: smf has been restarted." ]
[unknown] cee# 

show alerts active detail | include radius

alerts active detail Radius_Server_Down 0fe030aba3ce
 summary  "Radius Server: 209.165.201.20, Port: 1813 in namespace: smf is DOWN for more than 15min."
alerts active detail Radius_Server_Down 6f41c340311c
 summary  "Radius Server: 209.165.202.145, Port: 1813 in namespace: smf is DOWN for more than 15min."
alerts active detail Radius_Server_Down 8a290c5ed1de
 summary  "Radius Server: 209.165.201.20, Port: 1812 in namespace: smf is DOWN for more than 15min."
[unknown] cee#
[unknown] cee# 
alerts active detail Radius_Server_Down 0fe030aba3ce
 severity major
 type     "Processing Error Alarm"
 startsAt 2020-12-11T13:30:16.874Z
 source   System
 summary  "Radius Server: 209.165.201.20, Port: 1813 in namespace: smf is DOWN for more than 15min."
 labels   [ "namespace: smf" "radSvrIP: 209.165.201.20" "radSvrPort: 1813" ]
alerts active detail Radius_Server_Down 6f41c340311c
 severity major
 type     "Processing Error Alarm"
 startsAt 2020-12-11T13:30:16.874Z
 source   System
 summary  "Radius Server: 209.165.202.145, Port: 1813 in namespace: smf is DOWN for more than 15min."
 labels   [ "namespace: smf" "radSvrIP: 209.165.202.145" "radSvrPort: 1813" ]
alerts active detail Radius_Server_Down 8a290c5ed1de
 severity major
 type     "Processing Error Alarm"
 startsAt 2020-12-11T13:30:16.874Z
 source   System
 summary  "Radius Server: 209.165.201.20, Port: 1812 in namespace: smf is DOWN for more than 15min."
 labels   [ "namespace: smf" "radSvrIP: 209.165.201.20" "radSvrPort: 1812" ]

[unknown] cee# show alerts active summary | include RTT 
Radius_Server_RTT      1d0353b3db82  major     12-11T15:10:16  System   RTT for Radius Server: 209.165.201.20, Port: 1812 in namespace: smf is more than 5 ms.
[unknown] cee#

show alerts active summary | include RTT

Radius_Server_RTT      1d0353b3db82  major     12-11T15:10:16  System RTT for Radius Server: 209.165.201.20, Port: 1812 in namespace: smf is more than 5 ms.
[unknown] cee#

show alerts active summary | include radius

Radius_Server_RTT      1d0353b3db82  major     12-11T15:10:16  System                 RTT for Radius Server: 209.165.201.20, Port: 1812 in namespace: smf is more than 5 ms.
Radius_Acct_Establish  520d9943d53f  major     12-11T15:05:16  System                 This alert is fired when the percentage of successful Radius Accounting Establish responses received is lesser than threshold
Radius_Server_Down     0fe030aba3ce  major     12-11T13:30:16  System                 Radius Server: 209.165.201.20, Port: 1813 in namespace: smf is DOWN for more than 15min.
Radius_Server_Down     6f41c340311c  major     12-11T13:30:16  System                 Radius Server: 209.165.202.145, Port: 1813 in namespace: smf is DOWN for more than 15min.
Radius_Server_Down     8a290c5ed1de  major     12-11T13:30:16  System                 Radius Server: 209.165.201.20, Port: 1812 in namespace: smf is DOWN for more than 15min. 

The RADIUS endpoint for MVNO or PAPN flow supports new alerts. Following sections describe some basic alerts. These alerts can be enhanced based on RAT or as required by the users.

Important

These alerts are configurable only through the CEE Ops-center CLI.

The Grafana charts are used for monitoring based on the RADIUS endpoint or Service endpoint.

• RADIUS endpoint for call flows involving RADIUS Authentication, Accounting, and Disconnect Message.

• Service endpoint for accounting flows specific to Accounting Initial, Interim, or Terminate packets.

This section explains the basic error conditions and the related logs to debug the failures.