Friday, April 10, 2009

3GPP Radius

Radius is the authentication and accounting server used in Rel 7. I have been reading a lot about it, as my job demands that I create a test plan and test cases for testing an AAA server, so I thought of blogging about it.

OK, so authentication is important in the mobile world. You need to know whether a mobile subscriber is allowed to access the packet core or not. So how is this done in Rel 7? Here it is.


[Figure: 3GPP Radius]

This feature is explained in 3GPP TS 29.061. The mobile terminal sends a PDP context activate request to the SGSN. The SGSN creates a PDP context request and sends it to the GGSN. If you look at the PDP context request, there is an IE called PCO (Protocol Configuration Options). The SGSN creates the request with the authentication details put in the PCO field and forwards it to the GGSN.

PCO contains: the type of authentication protocol (PAP/CHAP), the user name and the password.

Before granting the PDP response, the GGSN creates a Radius Access-Request with the user name and password taken from the PDP request and sends it to the AAA server. The AAA server grants or rejects the access. Once the AAA server says OK, the GGSN creates the PDP response and sends it to the SGSN. The GGSN may send an Accounting-Start request to the AAA server before sending the PDP response. This is a nice, simple and easy way of doing authentication.
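The GGSN/AAA exchange described above, as an added worked example in Python (not code from this post or from any product named here): the GGSN hides the PAP password taken from the PCO with the RFC 2865 method before placing it in an Access-Request, the AAA server recovers it and answers, and the GGSN checks the Response Authenticator before it sends the PDP response. The shared secret, user name, password and function names are assumptions.

```python
import hashlib, hmac, os, struct
# Constructed values for this example: the shared secret between the GGSN (the
# RADIUS client) and the AAA server, plus one provisioned PAP subscriber.
SECRET = b"example-shared-secret"
USERS = {b"user@apn.example": b"pap-password"}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def avp(attr_type, value):  # one attribute as Type, Length, Value (RFC 2865 section 5)
    return struct.pack("BB", attr_type, len(value) + 2) + value

def xor_stream(secret, request_auth, data, chain_on_output):
    """RFC 2865 5.2 User-Password hiding: XOR each 16-byte block with MD5(secret +
    previous block). Hiding chains on its own output, recovery on the input block."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + block, (block if chain_on_output else data[i:i + 16])
    return out

def build_access_request(ident, username, password, request_auth=None):
    """GGSN side: the Access-Request built from a PAP PCO (user name + password)."""
    request_auth = request_auth or os.urandom(16)      # 16 random bytes per request
    padded = password + b"\x00" * (-len(password) % 16)
    attrs = avp(USER_NAME, username) + avp(
        USER_PASSWORD, xor_stream(SECRET, request_auth, padded, True))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def response_authenticator(code, ident, request_auth, attrs=b""):
    """RFC 2865 section 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + SECRET).digest()

def aaa_decide(packet):
    """AAA side: recover the PAP password, look the user up, answer Accept or Reject."""
    ident, request_auth, attrs, pos = packet[1], packet[4:20], {}, 20
    while pos + 2 <= len(packet) and packet[pos + 1] >= 2:   # stop on a malformed TLV
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    password = xor_stream(SECRET, request_auth, attrs.get(USER_PASSWORD, b""), False)
    expected = USERS.get(attrs.get(USER_NAME))
    ok = expected is not None and hmac.compare_digest(password.rstrip(b"\x00"), expected)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return struct.pack("!BBH", code, ident, 20) + response_authenticator(code, ident, request_auth)

def ggsn_accepts(request, reply):
    """GGSN side: accept only an Access-Accept whose Response Authenticator verifies."""
    expected = response_authenticator(reply[0], request[1], request[4:20], reply[20:])
    return reply[0] == ACCESS_ACCEPT and hmac.compare_digest(reply[4:20], expected)
```

The forged-reply check matters in practice: without verifying the Response Authenticator, anyone who can inject a 20-byte Access-Accept towards the GGSN gets a PDP context.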

If you have a Cisco 7200, an AAA server and an SGSN, try creating a network for yourselves. What I did in my lab was configure a Cisco 7200 as GGSN. Believe me, it's very simple. Our tool can act as SGSN; it can send out tens of thousands of PDP context requests. Then I pulled a FreeRADIUS server from the internet. Voila! I have my network. I configured our tool, acting as SGSN, to send out PDP requests; the Cisco 7200 processes the PDP request and sends out Radius requests to FreeRADIUS. FreeRADIUS says OK and I have a PDP response from the router.

So this is how network operators create their network. Moving on to Rel 8, I see that PCO is still present in GTPv2. But I am guessing authentication has to be much stronger since it's all IP. We can compare a Rel 8 network to a WLAN network, just to understand the authentication better. In WLAN we have the EAP authentication methods. Now consider EAP-TLS with certificate-based security. A laptop in a WLAN network has a certificate to attach to a particular network. Access points in WLAN are configured to talk to an AAA server for authentication. So let's consider the laptops as mobile subscribers and the access point as the core network. The AAA servers remain the same in both. Once a mobile node requests access, it uses its certificate to get validated. The core network talks to the AAA server to authenticate the mobile node, just the way it is done in WLAN. After that, data may flow encrypted. I haven't read much about this in Rel 8, but will post something in this security section soon.

Comments are welcome.

28 comments:

Manish said...

Hi Santosh

It is really good article.

Few comments:

1. In my opinion, the PCO IE is transparently passed by the SGSN. It is originated at the UE/MS and reaches the GGSN as it is. It is not set by the SGSN. (TFT is also such an IE.) But I may be wrong.

2. PCO also contains IPCP requests for the primary DNS server IP address and/or secondary DNS server IP address and/or a dynamic IP address (DHCP request).

3. I think, now many implementations are moving to Diameter protocol.

Regards and Keep Smiling
Manish
layers7.blogspot.com

Santosh said...

Thanks for the comments, Manish. I agree that PCO and TFT originate from the UE and the SGSN transparently passes them to the GGSN. I again agree that PCO has other information too. My intention here was to focus on the core network, i.e. considering the communication between SGSN, GGSN and AAA server.

What I didn't know was your third point. If network operators want the Diameter protocol, I need to get back to my product management team for more research in this segment. It would be useless to provide a Radius solution when everyone wants Diameter. Having said that, O2 Telefonica has asked us for the Radius solution :)

Santosh

Anonymous said...

Don't worry :-) RADIUS will still be used for authentication as I believe it's strong enough for it.

Diameter is used, but most of all for accounting and policing (online charging on Gy, QoS policing and charging rule enforcement on Gx).

So IMHO it will be a good idea to have them both implemented :-)

BTW I've seen in some LTE EPC white papers that Diameter will be used for Gr towards the HSS :-) So take a look at this as well.

Cheers,
Yo

Santosh said...

Thanks for the comment. Will look into it.

Subhajit said...

Santosh, would you please explain how accounting information will be generated at the AAA server end? How will the GGSN notify the AAA server on a per data call basis?
Once a call is over, can we query the accounting details of a call? Is offline accounting also possible?
Thanks,
Subhajit

Santosh said...

Hi Subhajit

The GGSN will notify the AAA server about the traffic in two messages, Accounting-Stop and Interim Updates. The information will be sent on a per IP basis. This avoids the confusion where multiple PDP contexts (one context for every data call made) are used. On the other hand we have Calling-Station-ID, which is nothing but IMSI (??), and it can be used to store how much traffic has been accessed by that mobile.

The next part of the question is out of Radius scope. The Radius RFC defines authentication/accounting messages. There are no queries to see how much traffic has been accessed by a mobile (??). On the contrary, we can use any other message to know the accounting info offline.

FreeRADIUS: FreeRADIUS dumps all the accounting information on a per IP basis. So we might need to run other programs over the log to see how much traffic every mobile is accessing.

Other powerful AAA servers: Cisco ACS is a powerful server which can maintain accounting details much better. I haven't looked at it, but I am guessing.
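Santosh's point that another program has to be run over the FreeRADIUS log to get per-mobile totals, as an added Python example (not code from this thread): it parses records in the layout of a FreeRADIUS detail file and sums the last cumulative octet counters of each session into totals per Calling-Station-Id. The detail-file layout is assumed from common FreeRADIUS setups, and the sample records are constructed.

```python
import re
# Constructed sample in the layout of a FreeRADIUS "detail" accounting file: a
# timestamp line, tab-indented "Attribute = value" lines, a blank line per record.
SAMPLE_DETAIL = """\
Fri Apr 10 10:00:00 2009
\tAcct-Status-Type = Start
\tCalling-Station-Id = "46702123456"
\tAcct-Session-Id = "0000001A"

Fri Apr 10 10:05:00 2009
\tAcct-Status-Type = Interim-Update
\tCalling-Station-Id = "46702123456"
\tAcct-Session-Id = "0000001A"
\tAcct-Input-Octets = 1000
\tAcct-Output-Octets = 5000

Fri Apr 10 10:10:00 2009
\tAcct-Status-Type = Stop
\tCalling-Station-Id = "46702123456"
\tAcct-Session-Id = "0000001A"
\tAcct-Input-Octets = 4000
\tAcct-Output-Octets = 20000

Fri Apr 10 11:00:00 2009
\tAcct-Status-Type = Stop
\tCalling-Station-Id = "46702123456"
\tAcct-Session-Id = "0000001B"
\tAcct-Input-Octets = 100
\tAcct-Output-Octets = 300
"""
ATTR_LINE = re.compile(r'^\s+([\w-]+) = "?([^"]*)"?$')

def parse_detail(text):
    """One {attribute: value} dict per record; records are separated by blank lines."""
    for chunk in text.strip().split("\n\n"):
        yield dict(m.groups() for m in map(ATTR_LINE.match, chunk.splitlines()) if m)

def usage_per_msisdn(text):
    """Octet counters are cumulative within a session (RFC 2866), so keep only the
    last value seen per (MSISDN, Acct-Session-Id), then sum sessions per MSISDN."""
    latest = {}
    for rec in parse_detail(text):
        if "Acct-Input-Octets" in rec:      # Start records carry no counters
            key = (rec.get("Calling-Station-Id"), rec.get("Acct-Session-Id"))
            latest[key] = (int(rec["Acct-Input-Octets"]), int(rec["Acct-Output-Octets"]))
    totals = {}
    for (msisdn, _), (rx, tx) in latest.items():
        rx0, tx0 = totals.get(msisdn, (0, 0))
        totals[msisdn] = (rx0 + rx, tx0 + tx)
    return totals
```

Keying on the session id, not just the MSISDN, is what stops an Interim-Update and the later Stop of the same session from being added twice.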

Anonymous said...

Usually Calling-Station-ID = MSISDN, even though I would like it to be the IMSI, as SGSN engineers don't like MSISDNs :-)

Santosh said...

True...Calling-Station-ID is MSISDN. I was confused :) Thanks!

Jonas Nylund said...

If the AAA is configured for the VSA parameters defined in 3GPP, the IMSI is also included in the AAA packet along with a lot of other nice-to-have information.

Santosh said...

True! But I have seen people mostly using MSISDN for validation!

Jonas Nylund said...

That's true. But there are a lot of nice things that can be done with the right type of Radius server.
Our own Radius server/DHCP server can give a different IP based on IMSI, MSISDN or APN. We also send different QoS classes in the Radius response to the GGSN.

So with some creative manipulation it's possible to do a lot of nice things.

Santosh said...

This makes me a bit more curious. :-)

Is it FreeRADIUS you are using or some other server? I believe FreeRADIUS gives us a lot of flexibility in these aspects.

Jonas Nylund said...

It's developed in-house at my company. We are using MySQL Cluster as a DB backend and all our Radius/DHCP frontends are completely stateless.

We are currently supporting around 1 million active IPs at peak on only 4 frontends.

On top of this we have an in-house management tool that makes it possible to see all Radius or DHCP requests for a client in real time.

Since all clients are stored based on MSISDN and IMSI, it's possible for our CRM system to assign different "services" to each customer. Everything from QoS class to static IP.

Santosh said...

Excellent, Jonas! I am impressed. A 1 million IP pool is awesome. Just a few more questions! Hope it is OK :-)

How did you guys test the server? And how many Radius transactions does your server support per second?

I used FreeRADIUS on a powerful Linux box and could get a transaction rate of around 1000/sec, that is 1000 subscribers going up and down in a second. However, the IP pool was the biggest problem I faced.

Anonymous said...

Hi Santosh,

I found your article and I have comprehension trouble with the CHAP authentication method, and up to now nobody could answer my question:

When you use a GPRS/UMTS modem to connect to an APN via the PC DUN, an Activate PDP Context Request is sent to the network. Before that, the MT collects authentication data with a simulated PPP, as described in 3GPP TS 29.061. If CHAP is used then the password (sent from TE to MT) is an MD5 hash, calculated with a random number (sent from MT to TE).

That means:
The MT doesn't know the original password; it only knows the random number and the MD5 hash and cannot calculate the password back.

What information is then put in the PCO, and how can authentication towards the GGSN and AAA server work then?

Thanks
Tom

Santosh said...

Hi Tom,

In the case of CHAP there is a shared secret that is configured in both the MT and the AAA server. Typically the shared secret is the password. So when the TE throws a random number at the MT, the MT uses the password to create the MD5 hash and sends it to the TE, which is sent to the AAA server.

Regards, Santosh
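The CHAP case as RFC 1994 and TS 29.061 lay it out, as an added Python example (not code from this thread): the party that holds the password (the TE in Tom's setup) computes the response; the MT forwards the challenge and the response in the PCO; the GGSN maps them to the RADIUS CHAP-Challenge and CHAP-Password attributes; and the AAA server, which also holds the password, recomputes the hash and compares. The user name, password and function names are assumptions.

```python
import hashlib
import hmac
import os

# Constructed values for this example: the password is provisioned in the TE and in the
# AAA server's user table; the MT and the GGSN only ever see the challenge and the hash.
TE_PASSWORD = b"chap-password"
USERS = {b"user@apn.example": TE_PASSWORD}
USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60   # RFC 2865 attribute types

def chap_response(ident, secret, challenge):
    """RFC 1994 section 2: Response = MD5(Identifier | secret | Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def te_answers_challenge(ident, challenge):
    """TE side of the simulated PPP: holds the password, hands the MT only the 16-byte hash."""
    return chap_response(ident, TE_PASSWORD, challenge)

def ggsn_radius_attrs(username, ident, challenge, response):
    """TS 29.061 mapping: the GGSN copies challenge and response from the PCO into
    CHAP-Challenge and CHAP-Password (identifier byte followed by the response)."""
    return {USER_NAME: username,
            CHAP_PASSWORD: bytes([ident]) + response,
            CHAP_CHALLENGE: challenge}

def aaa_verify_chap(attrs):
    """AAA side: recompute the hash with the stored password; constant-time compare."""
    password = USERS.get(attrs.get(USER_NAME))
    chap = attrs.get(CHAP_PASSWORD, b"")
    if password is None or len(chap) != 17 or CHAP_CHALLENGE not in attrs:
        return False
    expected = chap_response(chap[0], password, attrs[CHAP_CHALLENGE])
    return hmac.compare_digest(chap[1:], expected)

def run_attach(username, challenge=None, ident=1):
    """Whole flow: MT challenges TE, PCO carries challenge + response, GGSN maps, AAA decides."""
    challenge = challenge or os.urandom(16)            # the MT's random number
    response = te_answers_challenge(ident, challenge)
    return aaa_verify_chap(ggsn_radius_attrs(username, ident, challenge, response))
```

Because the response is bound to the MT's fresh challenge and the identifier, a captured response does not verify against a different challenge, which is the replay property the plaintext PAP password in the PCO lacks.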

shivlu jain said...

Is your SGSN open source?

regards
Shivlu Jain
http://www.mplsvpn.info

Santosh said...

Nope!

Anonymous said...

Hi Santosh,

How is it possible for the AAA server (performing accounting/charging) to inform the GGSN to downgrade QoS? This could be required in the scenario where the user has crossed some kind of usage threshold and the server decides to downgrade bandwidth. How can this be done in RADIUS?
Thanks,
Rob

Santosh said...

Hi Rob

If I am not wrong, Radius can send a CoA with new QoS values and the GGSN may go ahead and update the PDP.

Santosh

Anonymous said...

Hi Santosh, thanks for your prompt response (regarding the CoA - Change of Authorisation RADIUS message).
Do you know if support for receiving this message (and acting on it, possibly by updating the PDP context) is widely implemented in GGSNs/PGWs today?
Rob

Santosh said...

Supported/implemented? Yes, I believe so.

Being used in the field? Hmm... not very sure about it.

Cheers, Santosh

anish said...

Hi Santosh,

I'm running into the following error "%GTP-0-GTPv1PACKETPARSINGERROR: GSN: 7.7.7.1, TEID: 1, APN: NULL, Reason: Mandatory ie incorrect"

after having the Cisco GGSN 7200 configured with FreeRADIUS. Any clue as to what I have got wrong?

Thank you in advance
Anish
anish_achenkunju@yahoo.com

Santosh said...

Could you see if you are sending APN in the GTPv1 message?

anish said...

Hi Santosh,

The earlier error was caused by how sgsnemu was sending packets... got it fixed now.

I'm running into the following error now: Reason: 1, No radius servers present for auth!


*Oct 10 21:01:05.764: GTP IE:No IE for parsing
*Oct 10 21:01:05.768: GTP IE:parsed successfully
*Oct 10 21:01:05.772: GTP IE:extract_teid: return teid 0x00000001
*Oct 10 21:01:05.776: GTP IE:4200012143658708:IMSI[2]:4200012143658708
*Oct 10 21:01:05.780: GTP IE:4200012143658708:Recover[14]:198
*Oct 10 21:01:05.780: GTP IE:4200012143658708:Selection Mode[15]:1
*Oct 10 21:01:05.784: MS provided APN, subscription not verified
*Oct 10 21:01:05.784: GTP IE:4200012143658708:TEID Data1[16]:0x6560B550
*Oct 10 21:01:05.788: GTP IE:4200012143658708:TEID Control[17]:0x6560B548
*Oct 10 21:01:05.792: GTP IE:4200012143658708:NSAPI[20]:0
*Oct 10 21:01:05.792: GTP IE:4200012143658708:Charging Characteristics[26]:0x8
*Oct 10 21:01:05.796: GTP IE:4200012143658708:APN[131]:ssenoauth146
*Oct 10 21:01:05.800: GTP IE:4200012143658708:PCO[132](PAP):root
*Oct 10 21:01:05.804: GTP IE:4200012143658708:GSN Addr[133](sig):7.7.7.7
*Oct 10 21:01:05.808: GTP IE:4200012143658708:GSN Addr[133](data):7.7.7.7
*Oct 10 21:01:05.812: GTP IE:4200012143658708:MSISDN[134]:46702123456
*Oct 10 21:01:05.812: GTP IE:4200012143658708:QoS[135](req):0x0B921F
*Oct 10 21:01:05.816: Reliability class:Unacknowledged GTP and LLC; Acknowledged RLC, Protected data
*Oct 10 21:01:05.816: Delay class:Delay class 1
*Oct 10 21:01:05.820: Precedence class:Normal priority
*Oct 10 21:01:05.820: Peak thruput:Up to 256000 octet/s(2048 Kbit/s)
*Oct 10 21:01:05.824: Mean thruput:Best effort
*Oct 10 21:01:05.824: GTP IE:4200012143658708:parsed successfully
*Oct 10 21:01:05.832: %GPRSFLTMG-4-GTPv1AAAFAIL_PDPACTIVATIONFAIL: GSN: 7.7.7.1, TEID: 0, APN: ssenoauth146, Reason: 1, No radius servers present for authentication


GGSN#sh run
GGSN#sh running-config | include radius
aaa group server radius RadiusServers
aaa authentication login default group radius local
aaa authentication ppp default group radius group RadiusServers
ip radius source-interface Virtual-Template1
ip-address-pool radius-client
ip-address-pool radius-client
radius-server host 192.168.61.58 auth-port 1812 acct-port 1813 key nsil
GGSN#sh run
GGSN#sh running-config | begin access-point 3
access-point 3
access-point-name ssenoauth146
access-mode non-transparent
aaa-group authentication RadiusServers
ip-address-pool radius-client
!
!
!
gprs default aaa-group authentication RadiusServers
!
radius-server host 192.168.61.58 auth-port 1812 acct-port 1813 key nsil


I'm using 7200 Software (C7200-G6IK8S-M), Version 12.4(2)T1.

Any assistance on this is greatly appreciated.

Kind regards,
Anish
anish_achenkunju@yahoo.com

Anonymous said...

Hi,

You also need to configure Radius for network authorization, and if accounting is needed then the accounting config below is also needed.

aaa authorization network group
aaa accounting update newinfo
aaa accounting network action-type start-stop
group
!

Without aaa authorization network the PDP will never manage to get an IP.

//Regards JN

anish said...

Hi,

I got this working just now. I did not enable support for non-standard Radius and earlier used the default keyword instead of the Radius group name, and that seems to have been the issue!

Had been fighting to get a resolution for a long while now... and I'm glad I found this.

I'm working towards defining APN and accounting within FreeRADIUS. Can anyone direct me to a link or info on how to do this?

Also looking out for emulating a charging gateway, HLR, etc. I could locate open HSS; however, it doesn't do Diameter at this point, nor do I have a Cisco IOS capable of Diameter support.


Kind regards,
Anish

anish said...

Hi Santosh,

Could you share more info on how to configure FreeRADIUS for accounting per APN?

Thank you in advance.
Anish