SIGTRAN-M3UA
SIGTRAN, a working group of the Internet Engineering Task Force (IETF), has defined a protocol for the transport of real-time signaling data over IP networks. Cisco Prime Access Registrar (Prime Access Registrar) supports SS7 messaging over IP (SS7oIP) via SIGTRAN-M3UA, a new transport layer which leverages Stream Control Transmission Protocol (SCTP). Prime Access Registrar supports SIGTRAN-M3UA to fetch the authentication vectors from HLR, which is required for EAP-AKA/EAP-SIM authentication.
Note You have SIGTRAN-M3UA interface support in addition to the existing SUA interface support.
The EAP-AKA and EAP-SIM authentication service is extended to use M3UA. When the M3UA service is used for authentication, the subscriber identity (IMSI) is sent in a request to the HLR, and the HLR returns the authentication information needed to authenticate the user. The authentication service initiates a request to the SIGTRAN server using the IMSI, which retrieves the configured number of authentication vectors (triplets or quintets) from the HLR.
The Prime Access Registrar server initiates the MAP service. After enabling the MAP service, the Prime Access Registrar server sends a sendAuthenticationInfo request that contains IMSI and the number of requested authentication vectors to HLR. The HLR sends a response containing the requested vectors information to Prime Access Registrar. Next, the Prime Access Registrar server sends a sendRoutinginfoForLCS request that contains IMSI and the GMLC address to HLR. The HLR sends a response containing the MSISDN information for authenticating the mobile subscribers.
Prime Access Registrar provides map-restore-data authentication support for m3ua services.
Prime Access Registrar supports multiple remote servers with the protocol type, SIGTRAN-M3UA. However, Prime Access Registrar validates and ensures the following when multiple remote servers are available:
- The source port is different for all the remote servers.
- If Origin Point Code (OPC) is different, the routing context is also different for all the remote servers.
- The Destination Point Code (DPC) is different for all the remote servers.
- The NetworkVariant, SubServiceField (SSF), TCAPVariant, NetworkAppearance, and NetworkIndicator values are the same for all the remote servers.
Prerequisites to SIGTRAN-M3UA
Before enabling the SIGTRAN-M3UA remote server, you must do the following:
- ensure that LKSCTP is not available in the Prime Access Registrar server.
- restart the Prime Access Registrar server whenever you make any configuration changes.
- ensure that you have the 32-bit rpm files for the relevant RHEL OS versions while installing the Cisco Prime Access Registrar. For the list of required rpms for the relevant OS versions, see Required 32-bit rpms for Relevant RHEL OS Versions.
Note You must install the rpm versions relevant to the RHEL OS versions while installing the Prime Access Registrar.
- ensure that the ‘bc’ command (which is an arbitrary precision calculator language) is present while installing Prime Access Registrar in a Linux machine. If the ‘bc’ command is not present, install the relevant rpm such as bc-1.06.95-1.el6.x86_64 on that machine.
- ensure that you have the following packages while installing the Prime Access Registrar:
Note You need to build the gdome-config-0.8.1 package to make it available. For more information, see Building gdome Package.
Required 32-bit rpms for Relevant RHEL OS Versions
To build gdome-config-0.8.1 package:
Step 1 Download gdome2-0.8.1.tar.gz package from the location http://gdome2.cs.unibo.it/#downloads.
Step 2 Execute the following command:
Step 3 Untar the package using the following command:
Step 4 Use the cd command to move into the package obtained from Step 3.
Step 5 Execute the following commands:
Step 6 Now gdome libraries will be available in the location GdomeInstallPath.
Configuring EAP-AKA/EAP-SIM with SIGTRAN-M3UA
You can use aregcmd to create and configure a service of type eap-aka or eap-sim. See EAP-AKA or EAP-SIM for more information.
To configure EAP-AKA service with SIGTRAN-M3UA remote server:
Step 2 Create an EAP-AKA service.
Step 4 Add the M3UA remote server to the remoteServers list.
The following shows an example configuration for an EAP-AKA service with SIGTRAN-M3UA remote server support. See Table 5-1 for more about EAP-AKA service properties.
To configure EAP-SIM service with SIGTRAN-M3UA remote server:
Step 2 Create an EAP-SIM service.
Step 4 Add the M3UA remote server to the remoteServers list.
The following shows an example configuration for an EAP-SIM service with SIGTRAN-M3UA remote server support. See Table 5-6 for more about EAP-SIM service properties.
Note After enabling the SIGTRAN-M3UA remote server, you must restart the Prime Access Registrar server whenever you make any configuration changes.
Note If you set FetchAuthorizationInfo to TRUE for an EAP-AKA or EAP-SIM service that uses SIGTRAN-M3UA, Prime Access Registrar fetches the MSISDN information from the HLR in the response. The following is an example script for reading the MSISDN information from the response:
proc MapMSISDN {request response environ} {
    # The MSISDN returned by the HLR is placed in the AuthorizationInfo
    # environment variable when FetchAuthorizationInfo is TRUE; read it here.
    $environ get AuthorizationInfo
}
Configuring SIGTRAN-M3UA Remote Server
You can configure the SIGTRAN-M3UA remote server under /Radius/RemoteServers.
To configure the SIGTRAN-M3UA remote server:
Step 2 Create sigtran-m3ua remote server.
Step 3 Set the Subscriber_DBLookup.
set Subscriber_DBLookup SIGTRAN-M3UA
Step 4 Set the port of the HLR.
Step 5 Set the port for the source.
Step 6 Set the reactivate timer interval for the remote server.
Set the reactivatetimerinterval.
Step 7 Set the local subsystem number.
Note Prime Access Registrar supports the following local Sub System Numbers (SSNs) by default:
- SGSN (149)
- VLR (7)
- GMLC (145)
Step 10 Set routingparameters.
Step 11 Set the source and destination gt parameters.
Step 12 Set the numbering plan, encoding scheme, format, and digits for source.
Step 13 Set the numbering plan, encoding scheme, format, and digits for destination.
ANSI Support for SIGTRAN
Prime Access Registrar provides ANSI variant support apart from ITU variants in SIGTRAN stack for EAP-SIM and EAP-AKA services to M3UA.
While using this service for authentication, the subscriber identity (IMSI) is obtained from the request. Using this IMSI, the authentication service initiates a request to the SIGTRAN server. This request is to retrieve the configured number of authentication vectors (triplets/quintets) for the IMSI.
The remote SIGTRAN server initiates the IS41 service primitive Authentication Data request with IMSI and number of requested authentication vectors. This will retrieve the authentication vectors from HLR which will be used by the authentication service for authenticating the mobile subscriber.
Note Prime Access Registrar supports either ITU or ANSI variant in one running instance. Both the variants are not supported simultaneously.
The following shows an example configuration of SIGTRAN-M3UA remote server with ITU variant:
Table 14-1 describes SIGTRAN-M3UA remote server properties.
- Represents the type of remote server. The value should be SIGTRAN-M3UA.
- The port number on the Prime Access Registrar host that is used for M3UA transactions.
- The destination port number to which Prime Access Registrar connects.
- The scripting point used to modify the IMSI, if required, before the request is sent to the STP/HLR.
- Specifies the name of the script that translates the IMSI to a Global Title Address (GTA). You can configure blacklisting as part of the global title translation script for the SIGTRAN-M3UA remote server. For more information about blacklisting, see Blacklisting Support for SIGTRAN-M3UA Remote Server.
- Specifies the time (in seconds) to wait before an authentication request times out; defaults to 15.
- Specifies the time interval (in milliseconds) after which an inactive server is reactivated; defaults to 300000 ms (5 minutes).
- Required; the default is FALSE. Prime Access Registrar uses this property in conjunction with the MaxOutstandingRequests property to tune the RADIUS server's use of the HLR. When you set this property to TRUE, the number of outstanding requests for this RemoteServer is limited to the value you specified in MaxOutstandingRequests. When the number of requests exceeds this number, Prime Access Registrar queues the remaining requests and sends them as soon as the number of outstanding requests drops below this number.
- Required when you have set LimitOutstandingRequests to TRUE. The number you specify, which must be greater than zero, is the maximum number of outstanding requests allowed for this remote server.
- The traffic mode for the HLR. The possible values are LOADSHARE or ACTSTANDBY.
- Required. When TrafficMode is set to LOADSHARE and there is more than one association with the HLR, the load is shared by Signaling Link Selection (SLS) on a simple round-robin basis.
- The version of MAP. The possible values are 2 or 3; specify the MAP version that the HLR supports.
- Required. Choose ITU or ANSI as the network variant.
- Specifies the type of network to which this SAP belongs. The possible options are:
- The Signaling Connection Control Part (SCCP) variant of the Global Title:
- Required; the TCAP network variant. The possible options are ITU88, ITU92, or ITU96.
- Required. Represents the network appearance in the M3UA packet. The value ranges from 0-2147483647 and the default is 1. This field is optional as per RFC 4666 (http://tools.ietf.org/html/rfc4666); set the value to 0 to remove the network appearance from the data packet.
- The network indicator used in the SCCP address. The possible options are NAT (national network) and INT (international network).
- Required if you set FetchAuthorizationInfo to True in an EAP-AKA or EAP-SIM service; also required for the M3UA service to fetch the MSISDN from the HLR. This is the MAP-layer network node number by which the HLR identifies Prime Access Registrar in the network. The MLC number is configured in E.164 format. Note MLC is a number of at most 15 digits.
- Required; represents the routing indicator. The possible values are Route on Global Title (RTE_GT) or Route on Sub System Number (RTE_SSN). You can use either value to route packets to the HLR.
- Required; represents the originating point of a message in a signaling network. The value ranges from 0-16777215.
- Required; represents the destination address of a signaling point in an SS7 network.
- Required; represents the sub system number of the remote server. RemoteSubSystemNumber is set to 6 by default.
- Represents the wild card mask for the origin point code. The value ranges from 0-16777215.
- Represents the wild card mask for the destination point code. The value ranges from 0-16777215.
- Represents the service indicator octet. The value ranges from 0-255.
- Required; represents the routing context, which ranges from 0-16777215.
- Represents the multiple source IP addresses configured on the remote server.
- Represents the multiple destination IP addresses configured on the remote server.
The following source GT fields are displayed only when you set RTE_GT as RoutingIndicator:
- Required; represents the format of the global title (GT) rule. The possible values are GTFRMT_0, GTFRMT_1, GTFRMT_2, GTFRMT_3, GTFRMT_4, or GTFRMT_5. For the ANSI variant the GT format is GTFRMT_0, GTFRMT_1, or GTFRMT_2. GTFRMT_0 is the default format for both the ANSI and ITU variants.
- Required; represents the type of the source address. The possible values are ADDR_NOTPRSNT (Address not present), SUBNUM (Subscriber number), NATSIGNUM (National significant number), or INTNUM (International number).
- Required; represents the type of translation. The possible values range from 0-255.
- Required; represents the numbering plan of the network that the subscriber uses, for example land mobile numbering plan, ISDN mobile numbering plan, or private or network-specific numbering plan.
- Required; represents the BCD encoding scheme. The possible values are UNKN (Unknown), BCDODD (BCD Odd), BCDEVEN (BCD Even), or NWSPEC (National specific). This must be set based on the length of the GT.
The following destination GT fields are displayed only when you set RTE_GT as RoutingIndicator:
- Required; represents the format of the global title (GT) rule. The possible values are GTFRMT_0, GTFRMT_1, GTFRMT_2, GTFRMT_3, GTFRMT_4, or GTFRMT_5. For the ANSI variant the GT format is GTFRMT_0, GTFRMT_1, or GTFRMT_2. GTFRMT_0 is the default format for both the ANSI and ITU variants.
- Required; represents the type of the destination address. The possible values are ADDR_NOTPRSNT (Address not present), SUBNUM (Subscriber number), NATSIGNUM (National significant number), or INTNUM (International number).
- Required; represents the type of translation. The possible values range from 0-255.
- Required; represents the numbering plan of the network that the subscriber uses, for example land mobile numbering plan, ISDN mobile numbering plan, or private or network-specific numbering plan. Possible values are DATA, GENERIC, ISDN, ISDNMOB, LANMOB, MARMOB, NWSPEC, TEL, TELEX, and UNKN.
- Required; represents the BCD encoding scheme. The possible values are UNKN (Unknown), BCDODD (BCD Odd), BCDEVEN (BCD Even), or NWSPEC (National specific). This must be set based on the length of the GT.
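The following Python script is an added example, not Prime Access Registrar code. It checks a set of remote-server settings against the rules this chapter states: the per-property ranges and the GT-length rule for the BCD encoding scheme from Table 14-1, and the rules for multiple remote servers from the start of the chapter (distinct source ports, distinct DPCs, a different routing context whenever the OPC differs, and identical NetworkVariant, SubServiceField, TCAPVariant, NetworkAppearance and NetworkIndicator). The dictionary keys (for example OriginPointCode, OPCMask, MLCNumber, SourceGTDigits) and all sample values are constructed for the illustration; they are aregcmd property names only where the guide itself uses them.

```python
"""Consistency checks for SIGTRAN-M3UA remote-server settings (added example)."""

# Ranges and limits taken from Table 14-1
POINT_CODE_MAX = 16777215          # OPC, DPC, OPC/DPC masks, RoutingContext
NETWORK_APPEARANCE_MAX = 2147483647
OCTET_MAX = 255                    # ServiceIndicatorOctet, TranslationType
MLC_MAX_DIGITS = 15                # MLC is an E.164 number of at most 15 digits

# Properties the guide requires to be identical on every remote server
MUST_MATCH = ("NetworkVariant", "SubServiceField", "TCAPVariant",
              "NetworkAppearance", "NetworkIndicator")


def _range_problem(name, value, hi, lo=0):
    return [] if lo <= value <= hi else [f"{name}={value} outside {lo}-{hi}"]


def encoding_scheme_for(gt_digits):
    """BCD scheme implied by the GT length: odd digit count -> BCDODD, even -> BCDEVEN."""
    return "BCDODD" if len(gt_digits) % 2 else "BCDEVEN"


def check_server(srv):
    """Return the problems found in one remote server's settings (empty list if clean)."""
    problems = []
    for key in ("OriginPointCode", "DestinationPointCode", "RoutingContext",
                "OPCMask", "DPCMask"):
        if key in srv:
            problems += _range_problem(key, srv[key], POINT_CODE_MAX)
    if "NetworkAppearance" in srv:
        problems += _range_problem("NetworkAppearance", srv["NetworkAppearance"],
                                   NETWORK_APPEARANCE_MAX)
    for key in ("ServiceIndicatorOctet", "TranslationType"):
        if key in srv:
            problems += _range_problem(key, srv[key], OCTET_MAX)
    mlc = srv.get("MLCNumber")
    if mlc is not None and not (mlc.isdigit() and 1 <= len(mlc) <= MLC_MAX_DIGITS):
        problems.append(f"MLCNumber={mlc!r} is not an E.164 number of at most "
                        f"{MLC_MAX_DIGITS} digits")
    # GT fields only matter when routing on global title
    if srv.get("RoutingIndicator") == "RTE_GT":
        for side in ("Source", "Destination"):
            digits = srv.get(f"{side}GTDigits")
            scheme = srv.get(f"{side}EncodingScheme")
            if digits is not None and scheme in ("BCDODD", "BCDEVEN") \
                    and scheme != encoding_scheme_for(digits):
                problems.append(f"{side}EncodingScheme={scheme} does not match "
                                f"{len(digits)} GT digits")
    return problems


def check_fleet(servers):
    """Apply the cross-server rules to a {name: settings} map of SIGTRAN-M3UA servers."""
    problems = []
    for name, srv in servers.items():
        problems += [f"{name}: {p}" for p in check_server(srv)]
    # Source port and DPC must be unique across servers
    for key in ("SourcePort", "DestinationPointCode"):
        owners = {}
        for name, srv in servers.items():
            owners.setdefault(srv[key], []).append(name)
        for value, names in owners.items():
            if len(names) > 1:
                problems.append(f"{key} {value} shared by {', '.join(sorted(names))}")
    # Different OPCs must come with different routing contexts
    names = sorted(servers)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            sa, sb = servers[a], servers[b]
            if (sa["OriginPointCode"] != sb["OriginPointCode"]
                    and sa["RoutingContext"] == sb["RoutingContext"]):
                problems.append(f"{a} and {b} have different OPCs but the same "
                                f"RoutingContext {sa['RoutingContext']}")
    # Stack-wide properties must agree on every server
    for key in MUST_MATCH:
        values = {srv[key] for srv in servers.values()}
        if len(values) > 1:
            problems.append(f"{key} differs across servers: {sorted(map(str, values))}")
    return problems


# Constructed sample: two HLR links configured on one Prime Access Registrar host
COMMON = {"NetworkVariant": "ITU", "SubServiceField": "INT", "TCAPVariant": "ITU96",
          "NetworkIndicator": "INT", "RoutingIndicator": "RTE_GT",
          "MLCNumber": "919876543210", "ServiceIndicatorOctet": 3}
SAMPLE = {
    "hlr-1": {**COMMON, "SourcePort": 2905, "OriginPointCode": 100,
              "DestinationPointCode": 200, "RoutingContext": 11, "NetworkAppearance": 1,
              "SourceGTDigits": "919876543210", "SourceEncodingScheme": "BCDEVEN",
              "DestinationGTDigits": "91987654321", "DestinationEncodingScheme": "BCDODD"},
    "hlr-2": {**COMMON, "SourcePort": 2905, "OriginPointCode": 101,
              "DestinationPointCode": 200, "RoutingContext": 11, "NetworkAppearance": 2,
              "SourceGTDigits": "919876543210", "SourceEncodingScheme": "BCDODD",
              "DestinationGTDigits": "91987654321", "DestinationEncodingScheme": "BCDODD"},
}

if __name__ == "__main__":
    for problem in check_fleet(SAMPLE):
        print(problem)
```

Run against the constructed sample, hlr-1 is clean on its own, while hlr-2 reports an encoding scheme that does not fit a 12-digit GT, and the fleet check reports the shared source port, the shared DPC, the equal routing context despite different OPCs, and the differing NetworkAppearance.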
The following shows an example configuration of SIGTRAN-M3UA remote server with ANSI variant:
Configuring M3UA Service
Prime Access Registrar supports the M3UA service, which is used to fetch MSISDN from IMSI or vice versa through RADIUS packets.
To configure the M3UA service with SIGTRAN-M3UA remote server:
Step 2 Create an M3UA service.
Step 4 Set AuthorizationInfoLookUp to one of the following:
- MSISDN-IMSI—To fetch MSISDN in the request and send IMSI in the response to the HLR.
- IMSI-MSISDN—To fetch IMSI in the request and send MSISDN in the response to the HLR.
Note See Example Configuration for a sample configuration with
- Map-Restore—To fetch the profile information of a subscriber from the HLR. For more information on configuring the M3UA service with Map Restore Data authorization, see Configuring M3UA Service with Map Restore Data Authorization.
set AuthorizationInfoLookUp IMSI-MSISDN
Step 5 Add M3UA remote server in the remoteServers.
The following shows an example configuration of the M3UA service:
Configuring M3UA Service with Map Restore Data Authorization
Prime Access Registrar provides the Map Restore Data functionality to fetch the profile information of a subscriber from the HLR.
Map Restore Data Authorization Flow
Prime Access Registrar sends a MAP_SEND_AUTH_INFO request to HLR on receiving EAP-SIM / EAP-AKA authentication request and fetches the authentication vectors in MAP_SEND_AUTH_INFO_RES message. Prime Access Registrar checks the IMSI and if it is authentic, sends a MAP_RESTORE_DATA_REQUEST to fetch the profile information from the HLR. HLR then responds with MAP_INSERT_SUBSCRIBER_DATA request to Prime Access Registrar. The request contains the circuit switched (CS) profile information for a subscriber.
The Prime Access Registrar server stores the profile information based on the ProfileInfo configuration and sends a MAP_INSERT_SUBSCRIBER_DATA_RESPONSE to the HLR. The HLR responds with MAP_RESTORE_DATA_RESPONSE to Prime Access Registrar. After successful acknowledgment of MAP_RESTORE_DATA, the Prime Access Registrar server maps the fetched profile through RestoreDataMappings to any of the environment variables configured by the user. The CS profile fetched from the HLR, which is used to authorize Wi-Fi access, can be transported to the access point in any RADIUS attribute.
The values in the response can be mapped to a profile based on the ProfileMappings configuration.
Figure 14-2 represents the Map-Restore-Data message flow between Prime Access Registrar and HLR.
Figure 14-2 Map-Restore-Data Authorization Flow
CS Insert Subscriber Data Structure
Figure 14-3 shows the parameters fetched by Prime Access Registrar on receipt of the subscriber data request.
Figure 14-3 CS Insert Subscriber Data Structure
CLI Configuration for Map-Restore-Data
If you set AuthorizationInfoLookUp to Map-Restore, two additional properties ProfileMappings and RestoreDataMappings are displayed.
The restore data mapping parameters include LSA information, LCS information, and subscriber data. You can configure an index with a value or a range to fetch one or more properties from the subscriber data.
The following is an example configuration of an M3UA service with Map-Restore-Data authorization:
Table 14-2 shows the restore data mapping parameters.
Configuring Environment Variables to Fetch Subscriber Data Values
You can configure an environment variable to fetch the required values from the subscriber data packets. You can run a script to fetch the environment variable along with the values. See the example below:
In the above script, bs-ext is the configured environment variable. If the values fetched from BearerServiceList are 17, 18, 19, 20 and 21, the above script returns the value 17:18:19:20:21.
Similarly, you can run scripts to retrieve other environment variables.
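To make the Map-Restore-Data flow and the RestoreDataMappings step concrete, the following Python model is an added example, not Prime Access Registrar code. It replays the message order described in Map Restore Data Authorization Flow (MAP_SEND_AUTH_INFO, then MAP_RESTORE_DATA_REQUEST, the HLR-initiated MAP_INSERT_SUBSCRIBER_DATA, and the two responses) against a constructed in-memory HLR, refuses to request restore data for an IMSI that does not authenticate, and then copies the fetched CS profile fields into environment variables, joining list values with ":" as in the bs-ext example above. The FakeHLR class, the field names in its subscriber record, the IMSI and MSISDN values, and the stub_authenticate placeholder are all constructed for this illustration.

```python
"""Map-Restore-Data dialogue and RestoreDataMappings, modelled in Python (added example)."""
from dataclasses import dataclass, field


@dataclass
class FakeHLR:
    """Constructed stand-in for the HLR: IMSI -> authentication vectors and CS profile."""
    subscribers: dict
    received: list = field(default_factory=list)

    def handle(self, msg):
        self.received.append(msg["op"])
        rec = self.subscribers.get(msg["imsi"])
        if msg["op"] == "MAP_SEND_AUTH_INFO":
            if rec is None:
                return {"op": "MAP_SEND_AUTH_INFO_RES", "error": "unknownSubscriber"}
            return {"op": "MAP_SEND_AUTH_INFO_RES",
                    "vectors": rec["vectors"][:msg["count"]]}
        if msg["op"] == "MAP_RESTORE_DATA_REQUEST":
            # The HLR answers the restore request with its own Insert Subscriber Data request
            return {"op": "MAP_INSERT_SUBSCRIBER_DATA", "subscriber_data": rec["cs_profile"]}
        if msg["op"] == "MAP_INSERT_SUBSCRIBER_DATA_RESPONSE":
            return {"op": "MAP_RESTORE_DATA_RESPONSE"}
        raise ValueError(f"unexpected operation {msg['op']}")


def map_restore_data(profile, mappings):
    """Copy fetched CS profile fields into environment variables.

    mappings is {environment variable: profile field}; list-valued fields are
    joined with ':' (as in the bs-ext example), scalars are copied as strings.
    """
    environ = {}
    for env_name, field_name in mappings.items():
        value = profile.get(field_name)
        if value is None:
            continue
        if isinstance(value, (list, tuple)):
            environ[env_name] = ":".join(str(v) for v in value)
        else:
            environ[env_name] = str(value)
    return environ


def restore_data_authorization(hlr, imsi, num_vectors, mappings, authenticate):
    """Run the Map-Restore-Data flow for one IMSI.

    Returns (environ, transcript); environ is None when the IMSI does not
    authenticate, in which case no restore-data request is sent at all.
    """
    transcript = []

    def send(msg):
        transcript.append(("AR->HLR", msg["op"]))
        rsp = hlr.handle(msg)
        transcript.append(("HLR->AR", rsp["op"]))
        return rsp

    auth = send({"op": "MAP_SEND_AUTH_INFO", "imsi": imsi, "count": num_vectors})
    if "error" in auth or not authenticate(imsi, auth["vectors"]):
        return None, transcript
    isd = send({"op": "MAP_RESTORE_DATA_REQUEST", "imsi": imsi})
    send({"op": "MAP_INSERT_SUBSCRIBER_DATA_RESPONSE", "imsi": imsi})
    return map_restore_data(isd["subscriber_data"], mappings), transcript


# Constructed sample data; the IMSI, MSISDN and vector contents are made up
SAMPLE_HLR = FakeHLR({
    "404450123456789": {
        "vectors": [("rand-1", "xres-1", "ck-1", "ik-1", "autn-1"),
                    ("rand-2", "xres-2", "ck-2", "ik-2", "autn-2")],
        "cs_profile": {"MSISDN": "919876543210",
                       "BearerServiceList": [17, 18, 19, 20, 21],
                       "TeleserviceList": [17, 33]},
    }
})
RESTORE_DATA_MAPPINGS = {"bs-ext": "BearerServiceList", "ts-ext": "TeleserviceList",
                         "msisdn": "MSISDN"}


def stub_authenticate(imsi, vectors):
    """Placeholder for the EAP-SIM/EAP-AKA check of the peer against the vectors."""
    return bool(vectors)


if __name__ == "__main__":
    environ, transcript = restore_data_authorization(
        SAMPLE_HLR, "404450123456789", 2, RESTORE_DATA_MAPPINGS, stub_authenticate)
    for direction, op in transcript:
        print(direction, op)
    print(environ)
```

The point the model makes is the ordering: the profile is only requested after the authentication vectors have been obtained and checked, so an unknown or failing IMSI produces a two-message transcript and no environment variables.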
Blacklisting Support for SIGTRAN-M3UA Remote Server
Prime Access Registrar supports blacklisting of IMSI or IP address values for SIGTRAN-M3UA remote servers.
You can configure a SIGTRAN-M3UA remote server with EAP-SIM or EAP-AKA service, and then choose to configure blacklisting as part of the global title translation script of the remote server. For more information about blacklisting, see the “Using Extension Points” chapter of the Cisco Prime Access Registrar 9.1 Administrator Guide.
Support for SCTP Multihoming in SIGTRAN-M3UA
Stream Control Transmission Protocol (SCTP) is an IP transport protocol that supports data exchange between exactly two endpoints. The multihoming feature of SCTP allows a single SCTP endpoint to support multiple IP addresses, so each of the two endpoints in an SCTP association can specify multiple points of attachment, and each endpoint can receive messages from any of the addresses associated with the other endpoint. With multiple interfaces, data can be sent to an alternate address when a failure occurs, so Prime Access Registrar keeps running during network failures.
Prime Access Registrar allows you to configure multiple source and destination addresses on the remote server. The following shows an example configuration of SIGTRAN-M3UA remote server with multiple source and destination addresses:
In the above example, the link between IP addresses 192.168.0.2 and 192.168.0.5 acts as the primary link and the link between IP addresses 192.168.0.3 and 192.168.0.6 acts as the secondary link. With the Multihoming feature, if one of the interfaces in the primary link is down, the secondary link carries the active traffic. On restoration of the IP address, the traffic switches back to the primary link.
Tuning Global SIGTRAN Parameters
Prime Access Registrar provides a CLI tool SigtranXMLEdit that allows you to edit the values of the global SIGTRAN XML parameters. The tool is available under the <installation directory>/bin directory, e.g. /cisco-ar/bin and the parameters are available in the default.xml file under the /cisco-ar/m3ua-cfg directory.
Table 14-3 lists the global SIGTRAN parameters that you can edit using the CLI tool.
To edit the SIGTRAN parameters:
Step 1 Launch the CLI tool SIGTRANXMLEdit from the /cisco-ar/bin directory.
The tool displays the list of editable parameters available in the default.xml file as shown below.
The tool prompts you to enter the new value against the first parameter as shown below.
In this example, 1024 is the value that exists for the parameter in the default.xml file.
Step 2 Type the new value and press ENTER or just press ENTER to skip and proceed to the next parameter. Perform this step for all parameters as shown below.
Step 3 When prompted for a confirmation, type Yes and press ENTER to save the changes. The tool displays the modified parameters with the new and old values.
Changed Value of maxNmbOutStrms is 90 <- 1024
Changed Value of mtuMinInitial is 65 <- 1500
Changed Value of mtuMaxInitial is 33 <- 1500
Changed Value of maxInitReTx is 9 <- 5
Changed Value of maxAssocReTx is 4 <- 10
Changed Value of maxPathReTx is 2 <- 5
Changed Value of alpha is 15 <- 12
Changed Value of beta is 34 <- 25
Changed Value of maxAckDelayTm is 89 <- 2
Changed Value of cookieLife is 67 <- 60
Changed Value of intervalTm is 89 <- 15
[root@ar-lnx-vm061 bin]#
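Because the SIGTRAN parameters in default.xml govern how the M3UA stack behaves, the change summary the tool prints is worth capturing as an audit record. The following Python script is an added example, not part of the guide or of SigtranXMLEdit: it parses the "Changed Value of ... is NEW <- OLD" lines shown above into a dictionary and flags one kind of inconsistent edit. The sample text is the output above; the regular expression, the audit structure and the min/max sanity rule (an assumption based only on the names mtuMinInitial and mtuMaxInitial, not on documented semantics) are this example's own.

```python
"""Parse the SigtranXMLEdit change summary into an audit record (added example)."""
import re

# One line per edited parameter: "Changed Value of <name> is <new> <- <old>"
CHANGE_RE = re.compile(r"^Changed Value of (\w+) is (-?\d+) <- (-?\d+)$")

# Output shown in the guide, reproduced here as the sample input
SAMPLE_OUTPUT = """\
Changed Value of maxNmbOutStrms is 90 <- 1024
Changed Value of mtuMinInitial is 65 <- 1500
Changed Value of mtuMaxInitial is 33 <- 1500
Changed Value of maxInitReTx is 9 <- 5
Changed Value of maxAssocReTx is 4 <- 10
Changed Value of maxPathReTx is 2 <- 5
Changed Value of alpha is 15 <- 12
Changed Value of beta is 34 <- 25
Changed Value of maxAckDelayTm is 89 <- 2
Changed Value of cookieLife is 67 <- 60
Changed Value of intervalTm is 89 <- 15
[root@ar-lnx-vm061 bin]#
"""


def parse_changes(text):
    """Return {parameter: (new, old)}; prompts and other lines are ignored."""
    changes = {}
    for line in text.splitlines():
        m = CHANGE_RE.match(line.strip())
        if m:
            changes[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return changes


def audit(changes):
    """Flag a Min parameter whose new value exceeds its Max counterpart.

    Assumption: a name containing 'Min' pairs with the same name containing
    'Max' (mtuMinInitial / mtuMaxInitial). Only pairs present in the summary
    are compared.
    """
    findings = []
    for name, (new, _old) in changes.items():
        if "Min" in name:
            partner = name.replace("Min", "Max")
            if partner in changes and new > changes[partner][0]:
                findings.append(f"{name}={new} exceeds {partner}={changes[partner][0]}")
    return findings


if __name__ == "__main__":
    parsed = parse_changes(SAMPLE_OUTPUT)
    for name, (new, old) in parsed.items():
        print(f"{name}: {old} -> {new}")
    for finding in audit(parsed):
        print("WARNING:", finding)
```

On the sample output the parser recovers all eleven edits, and the audit reports that mtuMinInitial was set to 65 while mtuMaxInitial was set to 33.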
SIGTRAN-M3UA Logs
The following logs are applicable for SIGTRAN-M3UA:
- stack.log—Logs the interaction between Prime Access Registrar and STP/HLR.
- sm.log—Logs the internal debug information for SIGTRAN-M3UA stack manager.
- m3ua.log—Logs the inter-process communication between Prime Access Registrar and SIGTRAN-M3UA stack.
- cliActivity.log—Logs the initialization and command interactions.