
Samsung WiMAX

Support of RADIUS Interface between ASN-GW and AAA

Advanced Technology Lab


Samsung Telecommunications America

Release: 6.0

Version 1.1

Doc ID: WIMAX-FDD-01

2008 © Samsung Telecommunications America, LLC. All rights reserved.


Proprietary and Confidential. Property of Samsung Telecommunications America.

Further distribution is prohibited


RADIUS Interface between ASNGW & AAA ID: WiMAX FDD-01

Revision History

Version   Date         History                    Author
1.0       10/31/2008   Initial Draft              Rajeev Ramanath
1.1       12/15/2008   Formatting & HQ Comments   Neil Todd


Table of Contents
1  INTRODUCTION
2  SCOPE
Figure 1: Samsung WiMAX ASN solution
2.1  RADIUS Overview
2.2  RADIUS Protocol
2.2.1  Protocol encapsulation
2.2.2  RADIUS header and data format
2.2.3  TLV Header
2.3  RADIUS Interface Configuration on ASN-GW
2.3.1  AAA Related configuration on ASN-GW
2.3.2  Realm configuration on ASN-GW
2.4  Load Balancing between RADIUS Servers
2.5  RADIUS – Call flows
2.6  RADIUS Accounting
3  SUMMARY
4  REFERENCES
5  ABBREVIATIONS & DEFINITIONS


1 INTRODUCTION

This document describes the feature that provides a Remote Authentication Dial In User Service (RADIUS)
interface between the ASN-GW and the AAA (Authentication, Authorization and Accounting) server in a Samsung
M-WiMAX system.

2 SCOPE
Figure 1, “Samsung WiMAX ASN solution”, shows the ASN and CSN, which together form a complete WiMAX
network. The details of the ASN-GW and AAA are beyond the scope of this document. For details on the Samsung
ASN-GW implementation, which is called the Access Control Router (ACR), refer to ACR system description document
number AXXXXXXX. The AAA server is a network element not provided by Samsung as part of the WiMAX network
solution. For details on AAA, refer to the product documentation of the appropriate third-party vendor.

Note:

1. In this document, ASN-GW and ACR are used interchangeably.

2. In this document, AAA and RADIUS server are used interchangeably.

Figure 1: Samsung WiMAX ASN solution

[Figure 1 diagram not reproduced. Labeled elements: CSN (AAA, HA, Core Router/Switch, IMS, Internet, DNS); WSM; Edge; ASN (ACR … ACR, RAS, MS).]


2.1 RADIUS Overview

RADIUS is a networking protocol that provides centralized access to authentication, authorization and accounting
management for a network service provider.

Key features of RADIUS are:

• Client/Server Model: The ACR operates as a RADIUS client and the AAA as the RADIUS server. The
device or user sends a request to the ACR to gain access to a particular network resource using access
credentials. The credentials are passed to the ACR via the 802.16e link-layer mechanism. In turn, the
ACR sends a RADIUS Access Request message to the AAA server, requesting authorization to grant
access via the RADIUS protocol.

This Access Request message includes access credentials, in the form of a device certificate or a username
and password, provided by the user. The AAA checks that the information is correct using various
authentication schemes like EAP, and on successful authentication returns all the configuration
information necessary for the client to deliver service to the user. The RADIUS message exchanges are
done using the UDP/IP protocol.

• Network Security: Transactions between the client and RADIUS server are authenticated through the use
of a shared secret, which is never sent over the network. In addition, any user passwords are sent
encrypted between the client and RADIUS server, to eliminate the possibility that someone snooping on
an unsecure network could determine a user's password.

• Flexible Authentication Mechanisms: The Samsung WiMAX network supports different flavors of EAP-based
user authentication, such as EAP-AKA, EAP-TLS and EAP-TTLS.

• Extensible Protocol: All transactions are comprised of variable-length Attribute-Length-Value tuples.
New attribute values can be added without disturbing existing implementations of the protocol.
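
The Network Security point above, that the shared secret authenticates a reply without ever being sent, can be seen in the Response Authenticator construction of RFC 2865. This is an added example, not code from the original document or from Samsung; the secret, identifier, request authenticator and attribute bytes are constructed sample values.

```python
import hashlib
import hmac
import struct

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code | Identifier | Length | Request Authenticator | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: the secret is only hashed into the Authenticator, never sent."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_reply(packet, ident, request_auth, secret):
    """Client side: accept a reply only if Identifier and Authenticator both match."""
    if len(packet) < 20:
        return False
    code, reply_id, length = struct.unpack("!BBH", packet[:4])
    if reply_id != ident or length < 20 or length > len(packet):
        return False
    attrs = packet[20:length]
    expected = response_authenticator(code, reply_id, attrs, request_auth, secret)
    # Constant-time comparison of the 16-byte Authenticator field
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample values (not from the document)
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))        # random per request in a real client
REPLY_ATTRS = bytes([18, 4]) + b"ok"   # Reply-Message (type 18)

def demo():
    good = build_reply(2, 7, REPLY_ATTRS, REQUEST_AUTH, SECRET)
    forged = build_reply(2, 7, REPLY_ATTRS, REQUEST_AUTH, b"wrong-secret")
    tampered = good[:-1] + b"!"        # attribute byte changed in transit
    return (verify_reply(good, 7, REQUEST_AUTH, SECRET),
            verify_reply(forged, 7, REQUEST_AUTH, SECRET),
            verify_reply(tampered, 7, REQUEST_AUTH, SECRET))
```

A reply built with a different secret, or altered after the server computed the hash, fails verification even though the secret itself never appears in the packet.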

2.2 RADIUS Protocol

This section provides a summary of RADIUS header format and some of the codes and attributes used
between client and server. For more details on RADIUS protocol refer to IETF RFC 2865. For more
details on RADIUS accounting refer to RFC 2866.

2.2.1 Protocol encapsulation

This section describes how RADIUS messages are encapsulated over UDP/IP and exchanged between the
ACR and the AAA server(s). RADIUS messages are sent over the UDP/IP transport protocol as depicted below:

Exactly one RADIUS packet is encapsulated in the UDP Data field, where the UDP Destination Port field
indicates 1812 (Access Request) or 1813 (accounting requests).


When a reply is generated, the source and destination ports are reversed.

2.2.2 RADIUS header and data format

The format of RADIUS header and TLV header is as follows.

Code: 8 bits - Identifies the type of RADIUS packet. If a packet is received with an invalid Code field, it is
silently discarded.

Code   Description
1      Access-Request
2      Access-Accept
3      Access-Reject
4      Accounting-Request
5      Accounting-Response
11     Access-Challenge
40     Disconnect-Request
41     Disconnect-ACK

Identifier: 8 bits - The Identifier field MUST be changed whenever the content of the Attributes field
changes, and whenever a valid reply has been received for a previous request. For retransmissions, the
Identifier MUST remain unchanged. Used to match RADIUS request and reply packets.

Length: 16 bits - It indicates the length of the packet including the Code, Identifier, Length, Authenticator
and Attribute fields. Bytes outside the range of the Length field should be treated as padding and should
be ignored on reception. If the packet is shorter than the Length field indicates, it should be silently
discarded. The minimum length is 20 and maximum length is 4096.

Authenticator: 16 bytes - This value is used to authenticate the reply from the RADIUS server, and is
used in the password hiding algorithm. The Request Authenticator value MUST be changed each time a
new Identifier is used.


Attributes: Variable - RADIUS Attributes carry the specific authentication, authorization and accounting
details for the request and response. Some attributes MAY be included more than once. The effect of this
is attribute specific, and is specified in each attribute description. The end of the list of attributes is
indicated by the Length of the RADIUS packet.

2.2.3 TLV Header

Type Length Value...

Type: 8 bits - The Type field is one octet. Up-to-date values of the RADIUS Type field are specified in the
most recent "Assigned Numbers" RFC (RFC 1700). Values 192-223 are reserved for
experimental use, values 224-240 are reserved for implementation-specific use, and values 241-255 are
reserved and should not be used.

A RADIUS server MAY ignore Attributes with an unknown Type.

A RADIUS client MAY ignore Attributes with an unknown Type.

Length: 8 bits - Indicates the length of this attribute including the Type, Length and Value fields. If an
attribute is received in an Accounting-Request packet with an invalid Length, the entire request should be
silently discarded.

Value: variable - Contains information specific to the attribute. The format and length of this field is
determined by the Type and Length fields. The format of the field can be one of the following data types:

- Text – 1-253 octets containing UTF-8 encoded characters. Text of length zero (0) MUST NOT be
sent; omit the entire attribute instead.

- String - 0 to 253 bytes.

- Address - 32 bits, MSB first

- Integer - 32 bits, MSB first

- Time - 32 bits seconds since 00:00:00 GMT, January 1, 1970.
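
The header and TLV validation rules of sections 2.2.2 and 2.2.3, put together as a parser. This is an added example, not code from the original document or from Samsung; it applies the "silently discard" rule for an invalid attribute Length to every packet code as a simplification, and the sample packet and the helper `make_packet` are constructed for illustration.

```python
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response",
         11: "Access-Challenge", 40: "Disconnect-Request", 41: "Disconnect-ACK"}

def parse_radius(datagram):
    """Return (code name, identifier, authenticator, [(type, value)]), or None to discard."""
    if len(datagram) < 20:                     # too short to hold a RADIUS header
        return None
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if code not in CODES:                      # invalid Code: silently discard
        return None
    if not 20 <= length <= 4096:               # Length bounds from section 2.2.2
        return None
    if len(datagram) < length:                 # packet shorter than Length: discard
        return None
    body = datagram[20:length]                 # bytes beyond Length are padding
    attrs, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 2:                # no room for Type and Length octets
            return None
        a_type, a_len = body[pos], body[pos + 1]
        if a_len < 2 or pos + a_len > len(body):   # invalid attribute Length
            return None
        attrs.append((a_type, body[pos + 2:pos + a_len]))
        pos += a_len
    return CODES[code], ident, datagram[4:20], attrs

def make_packet(code, ident, attrs, declared_len=None):
    """Hypothetical helper: build a packet with an all-zero Authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    length = 20 + len(body) if declared_len is None else declared_len
    return struct.pack("!BBH", code, ident, length) + bytes(16) + body

# Constructed sample: User-Name (type 1) and NAS-IP-Address (type 4)
SAMPLE = make_packet(1, 42, [(1, b"user@example.net"), (4, bytes([192, 0, 2, 1]))])
```

Every length is checked against the enclosing buffer before it is used to slice, so a forged Length field in either the header or an attribute cannot make the parser read past the data it received.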

2.3 RADIUS Interface Configuration on ASN-GW

2.3.1 AAA Related configuration on ASN-GW

The AAA server IP addresses and the RADIUS UDP port 3799 are configured on the ASN-GW. Timer values and
accounting-related parameters are also configured on the ASN-GW for each AAA connection. (Details shall be
provided in a later version of this document.)

2.3.2 Realm configuration on ASN-GW


The ASN-GW can be configured to connect up to 10 different AAAs, each serving 10 different realms,
simultaneously. Each of these realms can support a maximum of 50 AAA servers per realm.

2.4 Load Balancing between RADIUS Servers

[Details shall be provided in the next version of this document]

2.5 RADIUS – Call flows

The Samsung WiMAX network supports different flavors of EAP-based user authentication: EAP-AKA, EAP-TLS and
EAP-TTLS. The ACR uses the RADIUS protocol to transfer EAP messages to the AAA server, as shown in Figure 2,
“Initial Network Entry and User Authentication procedure”. As per NWG Release 1.0.0, in a Profile C network,
which is the case with the Samsung WiMAX network, the ASN-GW has two functions as part of end-user
authentication and authorization procedures, namely Authenticator and Key Distributor.

Authenticator: The authenticator sends an EAP-Identity request to the device. This is encapsulated into a MAC
management PDU at the BS and then transmitted in an EAP-Transfer message using [PKM-REQ (PKMv2 EAP-
Transfer)].

Key Distributor: The Key Distributor entity in the Authenticator delivers the Authentication Key (AK) and its context
to the serving BS. The BS uses this AK to create the relevant security context with a device.


Figure 2: Initial Network Entry and User Authentication procedure with EAP-TTLS

Figure 3, “EAP-TTLS for user authentication procedure”, shows a typical EAP-TTLS authentication process
between the device and the AAA in more detail.

For more call flows, please refer to the RADIUS specification v1.1 dated 10/08/08.


Figure 3 EAP-TTLS for user authentication procedure


2.6 RADIUS Accounting
These accounting records are sent as part of an Accounting-Request from the ACR to the AAA. The AAA responds
with an Accounting-Response with a valid cause value.

When a device connects to a WiMAX network, it is provided with an IP address (for details on IP allocation
schemes, refer to FDD “Simultaneous support of SIP and MIP”). The device's DL and UL data usage is recorded
by the ACR. The ACR provides IP-session-based accounting information to the AAA, which is basically the
air-interface usage time and network usage measured in terms of the number of data octets transmitted in DL and
UL.

3 SUMMARY

This document provides a brief overview of support of RADIUS between the Samsung ACR and AAA in a WiMAX
network. RADIUS is a protocol that is encapsulated over UDP/IP to provide services between the ACR as a RADIUS
client and the AAA as a RADIUS server.

For further information on Samsung M-WiMAX system (ACR, RAS, WSM), refer to System Description and
Operation Manuals.


4 REFERENCES

1. RADIUS Specification version 1.1

2. WiMAX NWG Rel. 1.2.2 Stage 3

3. RFC 2865 – Remote Authentication Dial In User Service (RADIUS)

4. RFC 2866 – RADIUS Accounting

5. RFC 2869 – RADIUS Extensions

6. RFC 3576 – Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)

7. RFC 3579 – RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)

8. RFC 3748 – Extensible Authentication Protocol (EAP)

9. WiMAX NWG Rel. 1.0.0 Stage 2, Stage 3

5 ABBREVIATIONS & DEFINITIONS

NOTE
For a detailed acronym reference document, the reader should refer to Samsung’s
WiMAX 600ASN_Acryonym_Reference_Document, which is available on
Samsung’s publication website
(http://samsungwireless.com/wireless%5Fsystems/custTab.asp).

Any questions about obtaining permission to access this website should be directed to:

WiMaxdocuments@sta.samsung.com
