Ruckus SmartZone 100 And Virtual Essentials AAA (RADIUS) Interface Reference Guide For 3.6 Smart Zone (SZ100/v SZ E) SZ100VSZE 36 Rev A 20171110
2017-11-17
User Manual: Ruckus SmartZone 3.6 AAA (RADIUS) Interface Reference Guide (SZ100/vSZ-E)
Page Count: 86
REFERENCE GUIDE

Ruckus SmartZone 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide

Supporting SmartZone 3.6

Part Number: 800-71561-001 Rev A
Publication Date: November 2017

Copyright Notice and Proprietary Information

Copyright 2017 Brocade Communications Systems, Inc. All rights reserved. No part of this documentation may be used, reproduced, transmitted, or translated, in any form or by any means, electronic, mechanical, manual, optical, or otherwise, without prior written permission of or as expressly provided by under license from Brocade.

Destination Control Statement

Technical data contained in this publication may be subject to the export control laws of the United States of America. Disclosure to nationals of other countries contrary to United States law is prohibited. It is the reader’s responsibility to determine the applicable regulations and to comply with them.

Disclaimer

THIS DOCUMENTATION AND ALL INFORMATION CONTAINED HEREIN (“MATERIAL”) IS PROVIDED FOR GENERAL INFORMATION PURPOSES ONLY. BROCADE and RUCKUS WIRELESS, INC. AND THEIR LICENSORS MAKE NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THE MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR THAT THE MATERIAL IS ERROR-FREE, ACCURATE OR RELIABLE. BROCADE and RUCKUS RESERVE THE RIGHT TO MAKE CHANGES OR UPDATES TO THE MATERIAL AT ANY TIME.

Limitation of Liability

IN NO EVENT SHALL BROCADE or RUCKUS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR USE, INCURRED BY YOU OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, ARISING FROM YOUR ACCESS TO, OR USE OF, THE MATERIAL.
Trademarks

Ruckus Wireless, Ruckus, the bark logo, BeamFlex, ChannelFly, Dynamic PSK, FlexMaster, Simply Better Wireless, SmartCell, SmartMesh, SmartZone, Unleashed, ZoneDirector and ZoneFlex are trademarks of Ruckus Wireless, Inc. in the United States and in other countries. Brocade, the B-wing symbol, MyBrocade, and ICX are trademarks of Brocade Communications Systems, Inc. in the United States and in other countries. Other trademarks may belong to third parties.

Contents

Preface
    Document Conventions
        Notes, Cautions, and Warnings
    Document feedback
    Ruckus resources
    Online Training Resources
    Contacting Ruckus Customer Services and Support
        What Support Do I Need?
        Open a Case
        Self-Service Resources
About This Guide
    About this Guide
        Terminology
        Legend
        Definition of Data Types
        RFCs and Standards
EAP Full Authentication
    EAP Full Authentication Overview
    EAP Full Authentication
        RADIUS Access Request [ID]
        RADIUS Access Challenge [EAP Request (SIM Start)]
        RADIUS Access Request [EAP Response (NONCE_MT)]
        RADIUS Access Challenge [EAP Request (RAND, MAC)]
        RADIUS Access Request [EAP Response (SRES)]
        RADIUS Access Accept [EAP Success (MSK)]
    EAP - Full Authentication – 3GPP Solution
        RADIUS Access Request [ID]
        RADIUS Access Challenge [EAP Request (SIM Start)]
        RADIUS Access Request [EAP Response (NONCE_MT)]
        RADIUS Access Challenge [EAP Request (RAND, MAC)]
        RADIUS Access Request [EAP Response (SRES)]
        RADIUS Access Accept [EAP Success (MSK)]
        Authorization Access Request
        Authorization Access Accept
    RADIUS Access Reject
Hotspot (WISPr) Authentication and Accounting
    Hotspot (WISPr) Authentication and Accounting Overview
    Hotspot (WISPr) Authentication Request
    Hotspot (WISPr) Authentication Response
    Hotspot (WISPr) Accounting Request [Start]
    Hotspot (WISPr) Accounting Request [Stop/Interim]
    Hotspot (WISPr) Accounting Response
Hotspot 2.0 Authentication
    Hotspot 2.0 Authentication Overview
    SIM Based Authentication - Access Request
    R2 Device Access Authentication
        Access Request
        Access Response
    R2 Device Onboarding
        Onboarding Access Request
        Onboarding Access Response
    Hotspot 2.0 VSAs
AP Initiated Accounting Messages
    AP Initiated Accounting Messages (PDG/LBO Sessions)
    Accounting Start Messages
    Accounting Interim Update and Stop Messages
    Accounting On Messages
    Accounting Off Messages
AAA Server Dynamic Authorization and List of Vendor Specific Attributes
    Dynamic Authorization and List of Vendor Specific Attributes - AAA Server
    Service Authorization
        Change of Authorization (CoA) Messages - Not Set to Authorize Only
        Change of Authorization Acknowledge Messages (CoA Ack)
        Change of Authorization Negative Acknowledge Messages (CoA NAK)
        Disconnect Messages
        Acknowledgment of Disconnect Messages (DM Ack)
        Negative Acknowledge of Disconnect Messages (DM NAK)
        Disconnect Messages - Dynamic Authorization Client (AAA server)
    List of Vendor Specific Attributes
        WISPr Vendor Specific Attributes
        Ruckus Wireless Vendor Specific Attributes
AP Roaming Scenarios
    AP Roaming Scenarios
    Roaming from AP1 to AP2 - PMK / OKC Disabled
    Roaming from AP1 to AP2 - PMK / OKC Enabled
    AP1 to AP2 Connected to Different Controller Node - PMK / OKC Disabled
Use Cases
    Use Case Scenarios

Preface

Document Conventions

The following tables list the text and notice conventions that are used throughout this guide.

TABLE 1 Text conventions

| Convention | Description | Example |
| monospace | Identifies command syntax examples. | device(config)# interface ethernet 1/1/6 |
| bold | User interface (UI) components such as screen or page names, keyboard keys, software buttons, and field names | On the Start menu, click All Programs. |
| italics | Publication titles | Refer to the Ruckus Small Cell Release Notes for more information |

Notes, Cautions, and Warnings

Notes, cautions, and warning statements may be used in this document. They are listed in the order of increasing severity of potential hazards.

NOTE
A NOTE provides a tip, guidance, or advice, emphasizes important information, or provides a reference to related information.

CAUTION
A CAUTION statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data.

DANGER
A DANGER statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.

Document feedback

Ruckus is interested in improving its documentation and welcomes your comments and suggestions.

You can email your comments to Ruckus at: docs@ruckuswireless.com

When contacting us, please include the following information:
• Document title and release number
• Document part number (on the cover page)
• Page number (if appropriate)
• For example:
    – SmartCell Gateway 200 S2a Interface Reference Guide for SmartZone 3.5.1
    – Part number: 800-71306-001
    – Page 88

Ruckus resources

Visit the Ruckus website to locate related documentation for your product and additional Ruckus resources.

Release Notes and other user documentation are available at https://support.ruckuswireless.com/documents. You can locate documentation by product or perform a text search.

White papers, data sheets, and other product documentation are available at www.ruckuswireless.com.
Online Training Resources

To access a variety of online Ruckus training modules, including free introductory courses to wireless networking essentials, site surveys, and Ruckus products, visit the Ruckus Training Portal at https://training.ruckuswireless.com.

Contacting Ruckus Customer Services and Support

The Customer Services and Support (CSS) organization is available to provide assistance to customers with active warranties on their Ruckus Networks products, and customers and partners with active support contracts.

For product support information and details on contacting the Support Team, go directly to the Support Portal using https://support.ruckuswireless.com, or go to https://www.ruckuswireless.com and select Support.

What Support Do I Need?

Technical issues are usually described in terms of priority (or severity). To determine if you need to call and open a case or access the self-service resources, use the following criteria:
• Priority 1 (P1)—Critical. Network or service is down and business is impacted. No known workaround. Go to the Open a Case section.
• Priority 2 (P2)—High. Network or service is impacted, but not down. Business impact may be high. Workaround may be available. Go to the Open a Case section.
• Priority 3 (P3)—Medium. Network or service is moderately impacted, but most business remains functional. Go to the Self-Service Resources section.
• Priority 4 (P4)—Low. Request for information, product documentation, or product enhancements. Go to the Self-Service Resources section.
Open a Case

When your entire network is down (P1), or severely impacted (P2), call the appropriate telephone number listed below to get help:
• Continental United States: 1-855-782-5871
• Canada: 1-855-782-5871
• Europe, Middle East, Africa, and Asia Pacific, toll-free numbers are available at https://support.ruckuswireless.com/contact-us and Live Chat is also available.

Self-Service Resources

The Support Portal at https://support.ruckuswireless.com/contact-us offers a number of tools to help you to research and resolve problems with your Ruckus products, including:
• Technical Documentation—https://support.ruckuswireless.com/documents
• Community Forums—https://forums.ruckuswireless.com/ruckuswireless/categories
• Knowledge Base Articles—https://support.ruckuswireless.com/answers
• Software Downloads and Release Notes—https://support.ruckuswireless.com/software
• Security Bulletins—https://support.ruckuswireless.com/security

Using these resources will help you to resolve some issues, and will provide TAC with additional data from your troubleshooting analysis if you still require assistance through a support case or RMA. If you still require help, open and manage your case at https://support.ruckuswireless.com/case_management

About This Guide

About this Guide

This SmartZone™ SZ100 and Virtual SmartZone Essentials (vSZ-E) AAA (RADIUS) Interface Reference Guide describes the interface between SZ100/vSZ-E (collectively referred to as “the controller” throughout this guide) and the Authentication, Authorization and Accounting (AAA) server. It describes the message flow between the controller and AAA for EAP-based full authentication, authorization, and accounting.

This guide is written for service operators and system administrators who are responsible for managing, configuring, and troubleshooting Ruckus Wireless devices. Consequently, it assumes a basic working knowledge of local area networks, wireless networking, and wireless devices.

NOTE
If release notes are shipped with your product and the information there differs from the information in this guide, follow the instructions in the release notes.

Most user guides and release notes are available in Adobe Acrobat Reader Portable Document Format (PDF) or HTML on the Ruckus Wireless Support Web site at https://support.ruckuswireless.com/contact-us.

Terminology

The table lists the terms used in this guide.
TABLE 2 Terms used in this guide

| Terminology | Description |
| AAA | Authentication, Authorization, and Accounting |
| CHAP | Challenge Handshake Authentication Protocol |
| EAP | Extensible Authentication Protocol |
| EPS | Evolved Packet System |
| GGSN | Gateway GPRS Support Node |
| GSN | GPRS Support Node |
| HLR | Home Location Register |
| LCS | Location Services |
| MAP | Mobile Application Part |
| MTU | Maximum Transmission Unit |
| MWSG | Metro Wireless Security Gateway |
| OSU | Online Sign-Up |
| Passpoint | Hotspot 2.0 certification |
| PKI | Public Key Infrastructure |
| PDP | Packet Data Protocol |
| PPS-MO | Per Provider Subscription Management Object |
| R-WSG/WSG | Ruckus Wireless Security Gateway |
| Release1 Device | Hotspot 2.0 Release1 specification compliant device |
| Release 2 Device | Hotspot 2.0 Release 2 passpoint enabled device |
| RAC | Radio Access Controller |
| RADIUS | Remote Access Dial In User Service |
| TEID | Tunnel End Point Identifier |
| UE | User Equipment |
| WFA | Wi-Fi Alliance |

Legend

The table lists the legends/presence used in this guide.

TABLE 3 Legends used in this guide

| Legend/Presence | Description |
| M | Mandatory |
| O | Optional |
| C | Conditional |
| U | Indicates that the inclusion of the parameter is the choice of service-user |

Definition of Data Types

The table lists the data types used in this guide.

TABLE 4 Data Types Definition

| Data Type | Description |
| text | Printable, generally UTF-8 encoded (subset of 'string') |
| string | 0-253 octets |
| ipaddr | 4 octets in network byte order |
| integer | 32 bit value in big endian order (high byte first) |
| date | 32 bit value in big endian order - seconds since 00:00:00 GMT, Jan. 1, 1970. |
| ipv6addr | 16 octets in network byte order. |
| ipv6prefix | 18 octets in network byte order. |
| abinary | Ascend's binary filter format. |
| byte | 8 bit unsigned integer. |
| ether | 6 octets of hh:hh:hh:hh:hh:hh where 'h' is hex digits, upper or lowercase. |
| short | 16-bit unsigned integer. |
| octets | Raw octets, printed and input as hex strings. For example, 0x123456789abcdef. |

RFCs and Standards

The table lists the references used in this guide.

TABLE 5 References used in this guide

| Serial Number | Reference | Description |
| 1. | 3GPP TS 23.234 | 3GPP system to WLAN inter-working |
| 2. | 3GPP TS 33.234 | Wireless Local Area Network (WLAN) inter-working security |
| 3. | RFC 2865 | Remote authentication dial In user service (RADIUS) |
| 4. | RFC 2866 | RADIUS accounting |
| 5. | RFC 5176 | Dynamic authorization extensions to remote authentication dial In user service (RADIUS) |
| 6. | RFC 5580 | Carrying Location Objects in RADIUS and Diameter (August 2009) |
| 7. | WFA HS 2-0 | WFA HS 2-0 Technical Specification R2 PUBLIC DRAFT v5.00 (Specification for HS 2.0 R2) |

EAP Full Authentication
EAP Full Authentication Overview

This reference guide describes the interface between the controller and the AAA (Authentication, Authorization and Accounting) server. The RADIUS protocol is used for interfacing between Access Points (AP) and controller as well as between the controller and a third party AAA server. The controller acts as a RADIUS proxy for authentication and authorization.

This guide also describes the message flow between the controller and AAA for EAP based full authentication, authorization and accounting in the following sections. EAP-SIM is used as EAP message payload type but can be replaced with EAP-AKA without affecting call flows and RADIUS attributes except EAP-Message (79).

The controller supports two different call flows for authentication and authorization:
• A 3GPP standard based solution, where authentication and service authorization are performed separately.
• A proprietary solution where authentication and authorization are combined.

This guide lists all the interface messages and RADIUS VSAs used between the controller and AAA.

NOTE
This guide does not provide design details of either the AAA server or the controller to handle interface requirements.

NOTE
Refer to the AP Roaming Scenarios chapter for various scenario cases.

NOTE
Refer to the Use Cases chapter for flow details on NAS IP, accounting session identifier and filter identifier.

EAP Full Authentication

This is authentication and authorization combined together. In this call flow, the controller acts as an AAA proxy server. It does not initiate a separate access request message to perform service authorization.
Parameters needed by the controller (TTG) to establish the GTP tunnel (QoS, Charging Characteristics, MSISDN) are expected in the access accept message from AAA. The figure shows the detailed call flow.

FIGURE 1 Combined authentication sequence diagram

This section covers:
• RADIUS Access Request [ID]
• RADIUS Access Challenge [EAP Request (SIM Start)]
• RADIUS Access Request [EAP Response (NONCE_MT)]
• RADIUS Access Challenge [EAP Request (RAND, MAC)]
• RADIUS Access Request [EAP Response (SRES)]
• RADIUS Access Accept [EAP Success (MSK)]

RADIUS Access Request [ID]

The table lists the attribute details for the first message sent by the controller to the AAA server.

NOTE: When RFC 5580 is enabled for a WLAN, and the AAA server supports RFC 5580, location-related information is not conveyed in access requests. Instead, the exchange of location-related information is negotiated between the controller and the AAA server as stipulated in RFC 5580.

TABLE 6 RADIUS access request attributes

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| User-Name | 1 | M | String | Indicates the name of the user to be authenticated. |
| NAS-IP-Address | 4 | C | Integer | This attribute is the IP address of the AP which is serving the station or controller's control IP address, controller's management IP address and user defined value. |
| NAS-Port | 5 | O | Integer | This attribute indicates the physical port number of the NAS which authenticates the user. The controller uses the association ID for the STA in the AP to represent this. |
| Service-Type | 6 | O | Integer | Indicates the type of service based on the user request or the type of service to be provided. |
| Framed MTU | 12 | O | Integer | Indicates the Maximum Transmission Unit (MTU) to be configured for the user, when it is not negotiated by some other means. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-WLan-ID (4); VSA Length: 6. Reports the associated WLAN's ID. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-CBLADE-IP (7); VSA Length: 6. Reports the control plane IP address. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-DBLADE-IP (8); VSA Length: 6. Reports the control plane IP address. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-SSID (3); VSA Length: Variable. Reports the associated WLAN's SSID in access request and accounting packet. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-Location (5); VSA Length: Variable. Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Called Station ID | 30 | O | String | This attribute allows NAS to send the ID (BSSID), which is called by the user. It is MAC of the AP. It supports 2 types of values, namely BSSID:SSID, where BSSID is the MAC address of the WLAN on AP. The second value is AP-MAC:SSID, where AP-MAC is the MAC address of the AP. The letters in the MAC address are in uppercase. For example: 11-22-33-AA-BB-CC:SSID. |
| Calling Station ID | 31 | M | String | Allows NAS to send the ID (UE MAC), which indicates as to who is calling this server. |
| NAS-Identifier | 32 | C | Integer | NAS-IP-Address or NAS-Identifier attribute is mandatory in received messages. It supports 3 types of values, namely BSSID (MAC address of the WLAN on AP), AP-MAC (MAC address of AP) and user defined address (maximum length of 62). |
| Proxy-State | 33 | O | Octets | This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response. |
| Acct-Session-ID | 44 | M | Integer | This attribute is a unique accounting identity to facilitate easy matching of start, interim and stop records in a log file. The start, interim and stop records for a given session must have the same Acct-Session-ID. |
| NAS-Port-Type | 61 | M | Integer | Indicates the physical port type of NAS, which authenticates the user. |
| Connect-Info | 77 | O | String | This attribute is sent from the NAS to indicate the nature of the user's connection. |
| EAP Message | 79 | M | Octets | This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA). |
| Message Authenticator | 80 | M | Octets | This attribute is used in signing access requests for preventing spoofing of access requests using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet - HMAC-MD5 (Type \| Identifier \| Length \| Request Authenticator \| Attributes). |
| Chargeable User ID | 89 | M | String | This attribute sends a null value during authentication. |
| Operator-Name | 126 | C | String | The attribute identifies the owner of the access network by the AAA server. It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is Out of Band as specified in RFC 5580. |
| Location-Information | 127 | C | Octets | This is a composite attribute, which provides metadata about the location information. It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is Out of Band as specified in RFC 5580. |
| Location-Data | 128 | M | String | This attribute contains the actual location information. It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is Out of Band as specified in RFC 5580. |
| Basic-Location-Policy-Rules | 129 | C | Octets | This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is Out of Band as specified in RFC 5580. |
| Extended-Location-Policy-Rules | 130 | C | Octets | This attribute provides the extended privacy policy for the target whose location is specified. This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is Out of Band as specified in RFC 5580. |
| Location-Capable | 131 | C | Integer | This attribute is sent in RADIUS access request during the authentication phase to indicate the AP's capability for providing the location. Encoded as per RFC 5580. NOTE: This attribute is included only if location delivery method is not Out of Band. |

RADIUS Access Challenge [EAP Request (SIM Start)]

The table lists the attribute details of the first message sent by the AAA to the controller, which is forwarded to the RADIUS client (access point).

TABLE 7 RADIUS access challenge attributes

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| State | 24 | O | Octets | This attribute is sent by the server to the client in an access-challenge message and must be sent unmodified from the client to the server in the new access request message - a reply to that challenge, if any. |
| Proxy-State | 33 | C | Octets | This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access-challenge and accounting response. |
| EAP Message | 79 | M | Octets | This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA). |
| Message Authenticator | 80 | M | Octets | This attribute is used in signing access requests for preventing spoofing of access requests using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet - HMAC-MD5 (Type \| Identifier \| Length \| Request Authenticator \| Attributes). |
| Chargeable User ID | 89 | M | String | This attribute sends a null value during authentication. |
| Basic-Location-Policy-Rules | 129 | C | Octets | This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. NOTE: This attribute is expected from the AAA server in the initial request location delivery method mentioned in RFC 5580. |
| Extended-Location-Policy-Rules | 130 | C | Octets | This attribute provides the extended privacy policy for the target whose location is specified. This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. NOTE: This attribute is expected from the AAA server in the initial request location delivery method mentioned in RFC 5580. |
| Requested-Location-Info | 132 | M | Integer | This attribute is only used in messages sent by the AAA server towards the AP. Using this attribute the AAA server indicates its request for location information. Encoded as per RFC 5580. NOTE: This attribute is expected from the AAA server in the initial request location delivery method mentioned in RFC 5580. |

RADIUS Access Request [EAP Response (NONCE_MT)]

The table lists the attribute details of messages sent by the controller to the AAA server and responses received from the UEs.

TABLE 8 RADIUS access request attributes

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| User-Name | 1 | M | String | Indicates the name of the user to be authenticated. |
| User-Password | 2 | C | String | This attribute indicates the password of the user to be authenticated. It is mandatory for PAP authentication. |
| CHAP-Password | 3 | C | String | This attribute indicates the value provided by a CHAP user in response to the access-challenge. It is mandatory for CHAP authentication. |
| NAS-IP-Address | 4 | C | Integer | This attribute is the IP address of the AP which is serving the station or controller's control IP address, controller's management IP address and user defined value. |
| NAS-Port | 5 | O | Integer | This attribute indicates the physical port number of the NAS which authenticates the user. The controller uses the association ID for the STA in the AP to represent this. |
| Service-Type | 6 | O | Integer | Indicates the type of service based on the user request or the type of service to be provided. |
| Framed MTU | 12 | O | Integer | Indicates the Maximum Transmission Unit (MTU) to be configured for the user, when it is not negotiated by some other means. |
| State | 24 | O | Octets | This attribute is sent by the server to the client in an access-challenge message and must be sent unmodified from the client to the server in the new access request message - a reply to that challenge, if any. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-CBLADE-IP (7); VSA Length: 6. Reports the control plane IP address. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-DBLADE-IP (8); VSA Length: 6. Reports the data plane IP address. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-SSID (3); VSA Length: Variable. Reports the associated WLAN's SSID in access request and accounting packet. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-Location (5); VSA Length: Variable. Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Called Station ID | 30 | O | String | This attribute allows NAS to send the ID (BSSID), which is called by the user. It is MAC of the AP. It supports 2 types of values, namely BSSID:SSID, where BSSID is the MAC address of the WLAN on AP. The second value is AP-MAC:SSID, where AP-MAC is the MAC address of the AP. The letters in the MAC address are in uppercase. For example: 11-22-33-AA-BB-CC:SSID. |
| Calling Station ID | 31 | M | String | Allows NAS to send the ID (UE MAC), which indicates as to who is calling this server. |
| NAS-Identifier | 32 | C | Integer | NAS-IP-Address or NAS-Identifier attribute is mandatory in received messages. It supports 3 types of values, namely BSSID (MAC address of the WLAN on AP), AP-MAC (MAC address of AP) and user defined address (maximum length of 62). |
| Proxy-State | 33 | O | Octets | This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response. |
| Acct-Session-ID | 44 | M | Integer | This attribute is a unique accounting identity to facilitate easy matching of start, interim and stop records in a log file. The start, interim and stop records for a given session must have the same Acct-Session-ID. |
| NAS-Port-Type | 61 | M | Integer | Indicates the physical port type of NAS, which authenticates the user. |
| Connect-Info | 77 | O | String | This attribute is sent from the NAS to indicate the nature of the user's connection. |
| EAP Message | 79 | M | Octets | This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA). |
| Message Authenticator | 80 | M | Octets | This attribute is used in signing access requests for preventing spoofing of access requests using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet - HMAC-MD5 (Type \| Identifier \| Length \| Request Authenticator \| Attributes). |
| Chargeable User ID | 89 | M | String | This attribute sends a null value during authentication. |
| Operator-Name | 126 | C | String | The attribute identifies the owner of the access network by the AAA server. It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is Out of Band as specified in RFC 5580. |
| Location-Information | 127 | C | Octets | This is a composite attribute, which provides metadata about the location information. It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is Out of Band as specified in RFC 5580. |
| Location-Data | 128 | M | String | This attribute contains the actual location information. It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is the initial request as specified in RFC 5580. |
| Basic-Location-Policy-Rules | 129 | C | Octets | This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is the initial request as specified in RFC 5580. |
| Extended-Location-Policy-Rules | 130 | C | Octets | This attribute provides the extended privacy policy for the target whose location is specified. This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is the initial request as specified in RFC 5580. |
| Location-Capable | 131 | C | Integer | This attribute is sent in RADIUS access request during the authentication phase to indicate the AP's capability for providing the location. Encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is the initial request as specified in RFC 5580. |
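The Message Authenticator (80) check and the Ruckus Vendor-Specific (26) layout described in the tables above, as an added example that is not part of the guide or of any Ruckus code. It covers Access-Request packets only (for replies, the HMAC input uses the Request Authenticator of the matching request); the shared secret, identity, SSID and WLAN ID are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME, VENDOR_SPECIFIC, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 26, 79, 80
RUCKUS_VENDOR_ID = 25053              # vendor ID from the attribute tables
RUCKUS_SSID, RUCKUS_WLAN_ID = 3, 4    # VSA numbers from the attribute tables


def attr(attr_type, value):
    """Encode one attribute: type, length (2-byte header included), value."""
    return bytes([attr_type, len(value) + 2]) + value


def ruckus_vsa(vendor_type, value):
    """Wrap one Ruckus sub-attribute in a Vendor-Specific (26) attribute."""
    return attr(VENDOR_SPECIFIC,
                struct.pack("!I", RUCKUS_VENDOR_ID) + attr(vendor_type, value))


def build_access_request(identifier, request_auth, attrs, secret):
    """Build an Access-Request signed with Message-Authenticator (80)."""
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    packet = bytearray(header + request_auth + body)
    # HMAC-MD5 over the whole packet with the 16 signature octets set to zero.
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def parse_attributes(packet):
    """Return [(type, value_offset, value)], rejecting inconsistent lengths."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, pos + 2, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def verify_access_request(packet, secret):
    """True only if exactly one valid Message-Authenticator is present."""
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return False
    macs = [(off, val) for t, off, val in attrs if t == MESSAGE_AUTHENTICATOR]
    if packet[0] != ACCESS_REQUEST or len(macs) != 1 or len(macs[0][1]) != 16:
        return False                  # the tables mark attribute 80 mandatory
    offset, received = macs[0]
    length = struct.unpack("!H", packet[2:4])[0]
    signed = bytearray(packet[:length])
    signed[offset:offset + 16] = bytes(16)
    expected = hmac.new(secret, bytes(signed), hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def ruckus_vsas(packet):
    """Return {VSA number: raw value} for vendor 25053 sub-attributes."""
    found = {}
    for attr_type, _, value in parse_attributes(packet):
        if attr_type != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != RUCKUS_VENDOR_ID:
            continue
        pos = 4
        while pos < len(value):
            if pos + 2 > len(value):
                raise ValueError("truncated VSA sub-attribute")
            sub_type, sub_len = value[pos], value[pos + 1]
            if sub_len < 2 or pos + sub_len > len(value):
                raise ValueError("bad VSA sub-attribute length")
            found[sub_type] = value[pos + 2:pos + sub_len]
            pos += sub_len
    return found


# Constructed sample values (not from the guide): secret, identity, SSID, WLAN ID.
SECRET = b"constructed-shared-secret"
IDENTITY = b"user@example.org"
# EAP-Response/Identity: code 2, id 1, length, type 1, identity.
EAP_RESPONSE = struct.pack("!BBHB", 2, 1, 5 + len(IDENTITY), 1) + IDENTITY
SAMPLE = build_access_request(
    identifier=1,
    request_auth=bytes(range(16)),    # fixed for repeatability; random in practice
    attrs=[attr(USER_NAME, IDENTITY),
           ruckus_vsa(RUCKUS_SSID, b"corp-wifi"),
           ruckus_vsa(RUCKUS_WLAN_ID, struct.pack("!I", 7)),
           attr(EAP_MESSAGE, EAP_RESPONSE)],
    secret=SECRET)
```

A receiver that accepts EAP requests without attribute 80, or with more than one copy, loses the integrity protection the tables describe, which is why `verify_access_request` returns False in both cases.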
RADIUS Access Challenge [EAP Request (RAND, MAC)]

The table lists the attribute details of messages sent by the AAA to the controller, which are forwarded to the RADIUS client (access point).

TABLE 9 RADIUS access challenge attributes

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| State | 24 | O | Octets | This attribute is sent by the server to the client in an access-challenge message and must be sent unmodified from the client to the server in the new access request message - a reply to that challenge, if any. |
| Proxy-State | 33 | C | Octets | This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response. |
| EAP Message | 79 | M | Octets | This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA). |
| Message Authenticator | 80 | M | Octets | This attribute is used in signing access requests for preventing spoofing of access requests using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet - HMAC-MD5 (Type \| Identifier \| Length \| Request Authenticator \| Attributes). |
| Chargeable User ID | 89 | M | String | This attribute sends a null value during authentication. |

RADIUS Access Request [EAP Response (SRES)]

The table lists the attribute details of messages sent by the controller to the AAA server.

TABLE 10 RADIUS access request attributes

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| User-Name | 1 | M | String | Indicates the name of the user to be authenticated. |
| User-Password | 2 | C | String | This attribute indicates the password of the user to be authenticated. It is mandatory for PAP authentication. |
| CHAP-Password | 3 | C | String | This attribute indicates the value provided by a CHAP user in response to the access-challenge. It is mandatory for CHAP authentication. |
| NAS-IP-Address | 4 | C | Integer | This attribute is the IP address of the AP which is serving the station or controller's control IP address, controller's management IP address and user defined value. |
| NAS-Port | 5 | O | Integer | This attribute indicates the physical port number of the NAS which authenticates the user. The controller uses the association ID for the STA in the AP to represent this. |
| Service-Type | 6 | O | Integer | Indicates the type of service based on the user request or the type of service to be provided. |
| Framed MTU | 12 | O | Integer | Indicates the Maximum Transmission Unit (MTU) to be configured for the user, when it is not negotiated by some other means. |
| State | 24 | O | Octets | This attribute is sent by the server to the client in an access-challenge message and must be sent unmodified from the client to the server in the new access request message - a reply to that challenge, if any. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-WLan-ID (4); VSA Length: 6. Reports the associated WLAN's ID. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-CBLADE-IP (7); VSA Length: 6. Reports the control plane IP address. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-DBLADE-IP (8); VSA Length: 6. Reports the data plane IP address. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-SSID (3); VSA Length: Variable. Reports the associated WLAN's SSID in access request and accounting packet. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-Location (5); VSA Length: Variable. Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Called Station ID | 30 | O | String | This attribute allows NAS to send the ID (BSSID), which is called by the user. It is MAC of the AP. It supports 2 types of values, namely BSSID:SSID, where BSSID is the MAC address of the WLAN on AP. The second value is AP-MAC:SSID, where AP-MAC is the MAC address of the AP. The letters in the MAC address are in uppercase. For example: 11-22-33-AA-BB-CC:SSID. |
| Calling Station ID | 31 | M | String | This attribute allows NAS to send the ID (UE MAC), which indicates as to who is calling this server. The value supported is STA's MAC address where the letters in the MAC address are in uppercase. For example: 11-22-33-AA-BB-CC. |
| NAS-Identifier | 32 | C | Integer | NAS-IP-Address or NAS-Identifier attribute is mandatory in received messages. It supports 3 types of values, namely BSSID (MAC address of the WLAN on AP), AP-MAC (MAC address of AP) and user defined address (maximum length of 62). |
| Proxy-State | 33 | O | Octets | This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response. |
| Acct-Session-ID | 44 | M | Integer | This attribute is a unique accounting identity to facilitate easy matching of start, interim and stop records in a log file. The start, interim and stop records for a given session must have the same Acct-Session-ID. |
| NAS-Port-Type | 61 | M | Integer | Indicates the physical port type of NAS, which authenticates the user. |
| Connect-Info | 77 | O | String | This attribute is sent from the NAS to indicate the nature of the user's connection. |
| EAP Message | 79 | M | Octets | This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA). |
| Message Authenticator | 80 | M | Octets | This attribute is used in signing access requests for preventing spoofing of access requests using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet - HMAC-MD5 (Type \| Identifier \| Length \| Request Authenticator \| Attributes). |
| Chargeable User ID | 89 | M | String | This attribute sends a null value during authentication. |

RADIUS Access Accept [EAP Success (MSK)]

The table lists the attribute details of messages sent by AAA to the controller, which is forwarded to the RADIUS client (access point) upon successful service authorization (see the next two messages). NAS calculates MSK using the MS-MPP-Send and MS-MPP-Recv attributes.

TABLE 11 RADIUS access accept attributes

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| User-Name | 1 | O | String | Indicates the name of the user to be authenticated. |
| Filter-Id | 11 | O | String | Represents the User Role name sent by AAA. This is used by SCG to map the received Group Role Name to the UTP profile and forward the corresponding ACL/rate limiting parameters to NAS. NAS enforces the UTP for the given user. Filter-Id might be included in access accept irrespective of a WISPr, 802.1x or HS 2.0 call. |
| Class | 25 | O | Integer | This attribute is sent by the server in access accept and client should include this attribute in accounting request without modification. |
| Chargeable User ID | 89 | C | Integer | This attribute is MSISDN or any chargeable user identity returned by the AAA server. This attribute is mandatory for TTG sessions only. |
| Vendor-Specific | 26 | O | String | Vendor ID: 3GPP: 10415; VSA: 3GPP-GPRS-Negotiated-QoS-Profile (5); VSA Length: Variable. This attribute carries the QoS value from AAA server. QoS from AAA is received from Ruckus defined VSA or from 3GPP defined VSA (3GPP-GPRS-Negotiated-QoS Profile). |
| Vendor-Specific | 26 | O | Integer | Vendor ID: WISPr: 14122; VSA: WISPr-Bandwidth-Max-UP (7); VSA Length: Variable. The attribute contains the maximum uplink value in bits per second. |
| Vendor-Specific | 26 | O | Integer | Vendor ID: WISPr: 14122; VSA: WISPr-Bandwidth-Max-DOWN (8); VSA Length: Variable. The attribute contains the maximum downlink value in bits per second. |
| Vendor-Specific | 26 | C | Charging characteristics | Vendor ID: Ruckus:25053; VSA: Ruckus-Charging-Charac (118); VSA Length: 4. Charging characteristics value, Octets are encoded according to TS 3GPP 32.215. This attribute carries the charging characteristics value, which is received from the AAA server. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-IMSI (102); VSA Length: Variable. BCD encoded IMSI of the subscriber. |
| Session-Timeout | 27 | O | Integer | This attribute sets the maximum number of seconds of service to be provided to the user before session termination. |
| Idle-Timeout | 28 | O | Integer | It sets the maximum number of consecutive seconds of idle connection allowed to the user, before the session gets terminated. |
| Termination-Action | 29 | O | Integer | This attribute indicates the action that NAS will take when the specified service completes. |
| Proxy-State | 33 | M | Octets | This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response. |
| Tunnel-Type | 64 | C | Integer | This attribute indicates the tunnel type for the access point. For example, tunnel type 13 is for VLAN. |
| Tunnel-Medium-Type | 65 | C | Integer | This attribute indicates the tunnel medium type for the access point. For example, tunnel type 06 is for IEEE_802. |
| EAP Message | 79 | M | Octets | This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA). |
| Message Authenticator | 80 | M | Octets | This attribute is used in signing access requests for preventing spoofing of access requests using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet - HMAC-MD5 (Type \| Identifier \| Length \| Request Authenticator \| Attributes). |
| Tunnel-Private-Group-ID | 81 | C | String | This attribute contains the dynamic VLAN ID as configured in the authentication profile. |
| Accounting-Interim-Interval | 85 | O | Integer | Indicates the number of seconds between each interim update for this specific session. If the value is blank, the configured default value is used as the accounting interim interval. |
| Chargeable User ID | 89 | M | String | This attribute sends a null value during authentication. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-Acct-Status (126); VSA Length: 4. Acct Stat is true(1) or false(0). The controller server uses this attribute on the access accept to indicate if the authenticator needs to send the accounting start for the current/specified client. |
| Vendor-Specific | 26 | O | Integer | Vendor ID: Microsoft: 311; VSA: MS-MPPE-Send-Key (16); VSA Length: Variable. This attribute contains a session key used by Microsoft Point-to-Point Encryption Protocol (MPPE). |
| Vendor-Specific | 26 | O | Integer | Vendor ID: Microsoft: 311; VSA: MS-MPPE-Recv-Key (17); VSA Length: Variable. This attribute contains a session key used by the Microsoft Point-to-Point Encryption Protocol (MPPE). |
| Vendor-Specific | 26 | C | Octets | Vendor ID: Ruckus:25053; VSA: Ruckus-APN-NI (104); VSA Length: Variable. This attribute carries the APN subscribed by the user. It contains only the network identifier (NI), which is part of the APN. The operator identifier part is stored separately in Ruckus-APN-OI. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-Session-Type (125); VSA Length: 6. Session type - TTG (2), Local-Breakout(3), Local-Breakout-AP(4), L3GRE (5), L2GRE (6), QinQL3 (7), PMIP (8). The controller server uses this attribute on the access-accept to indicate the forward policy of the specific UE. |
| Basic-Location-Policy-Rules | 129 | C | Octets | This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. NOTE: This attribute is expected from the AAA server in the initial request location delivery method as mentioned in RFC 5580. |
| Extended-Location-Policy-Rules | 130 | C | Octets | This attribute provides the extended privacy policy for the target whose location is specified. This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. NOTE: This attribute is expected from the AAA server in the initial request location delivery method as mentioned in RFC 5580. |
| Requested-Location-Info | 132 | M | Integer | This attribute is only used in messages sent by the AAA server towards the AP. Using this attribute the AAA server indicates its request for location information. Encoded as per RFC 5580. NOTE: This attribute is expected from the AAA server in the initial request location delivery method as mentioned in RFC 5580. |

EAP - Full Authentication – 3GPP Solution

In this call flow, EAP-SIM authentication is performed first. When the controller (acting as an AAA proxy) receives access accept from the AAA server, a separate access request is sent back to the AAA server to process a service authorization. The figure shows the detailed call flow.
FIGURE 2 3GPP based solution sequence diagram 26 • RADIUS Access Request [ID] on page 27 • RADIUS Access Challenge [EAP Request (SIM Start)] on page 29 • RADIUS Access Request [EAP Response (NONCE_MT) on page 30 • RADIUS Access Challenge [EAP Request (RAND, MAC)] on page 32 • RADIUS Access Request [EAP Response (SRES)] on page 33 • RADIUS Access Accept [EAP Success (MSK)] on page 34 • Authorization Access Request on page 36 • Authorization Access Accept on page 37 Ruckus SmartZone 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide Part Number: 800-71561-001 Rev A EAP Full Authentication EAP - Full Authentication – 3GPP Solution RADIUS Access Request [ID] The table lists the attribute details of the first message sent by the controller to AAA. NOTE When RFC 5580 is enabled for a WLAN, and the AAA server supports RFC 5580, location-related information is not conveyed in access requests. Instead, the exchange of location-related information is negotiated between the controller and the AAA server as stipulated in RFC 5580. TABLE 12 RADIUS access request attributes Attribute Attribute ID Presence Type Description User-Name 1 M String Indicates the name of the user for authentication. NAS-IP-Address 4 C Integer This attribute is the IP address of the AP which is serving the station or controller's control IP address, controller's management IP address and user defined value. NAS-Port 5 O Integer This attribute indicates the physical port number of the NAS which authenticates the user. The controller uses the association ID for the STA in the AP to represent this. Service-Type 6 O Integer Indicates the type of service based on the user request or the type of service to be provided. Framed MTU 12 O Integer Indicates the Maximum Transmission Unit (MTU) to be configured for the user, when it is not negotiated by some other means. 
Vendor-Specific 26 C Integer Vendor ID: Ruckus:25053. VSA: Ruckus-WLan-ID (4). VSA Length: 6. Reports the associated WLANs ID. Ruckus VSAs are received only from Ruckus APs. It is optional for 3rd party APs.
Vendor-Specific 26 C Integer Vendor ID: Ruckus:25053. VSA: Ruckus-SCG-CBLADE-IP (7). VSA Length: 6. Reports the control plane IP address. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs.
Vendor-Specific 26 C Integer Vendor ID: Ruckus:25053. VSA: Ruckus-SCG-DBLADE-IP (8). VSA Length: 6. Reports the data plane IP address. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs.
Vendor-Specific 26 C String Vendor ID: Ruckus:25053. VSA: Ruckus-SSID (3). VSA Length: Variable. Reports the associated WLANs SSID in access request and accounting packet. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs.
Vendor-Specific 26 C String Vendor ID: Ruckus:25053. VSA: Ruckus-Location (5). VSA Length: Variable. Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs.
Called Station ID 30 O String This attribute allows NAS to send the ID (BSSID), which is called by the user. It is the MAC of the AP. It supports 2 types of values, namely BSSID:SSID, where BSSID is the MAC address of the WLAN on AP. The second value is AP-MAC:SSID, where AP-MAC is the MAC address of the AP. The letters in the MAC address are in uppercase. For example: 11-22-33-AA-BB-CC:SSID.
Calling Station ID 31 M String Allows NAS to send the ID (UE MAC), which indicates as to who is calling this server.
NAS-Identifier 32 C String NAS-IP-Address or NAS-Identifier attribute is mandatory in received messages. It supports 3 types of values, namely BSSID (MAC address of the WLAN on AP), AP-MAC (MAC address of AP) and user defined address (maximum length of 62).
Proxy-State 33 O Octets This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access-reject, access-challenge and accounting response.
Acct-Session-ID 44 M String This attribute is a unique accounting identity to facilitate easy matching of start, interim and stop records in a log file. The start, interim and stop records for a given session must have the same Acct-Session-ID.
NAS-Port-Type 61 M Integer Indicates the physical port type of NAS, which authenticates the user.
Connect-Info 77 O String This attribute is sent from the NAS to indicate the nature of the user's connection.
EAP Message 79 M Octets This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA).
Message Authenticator 80 M Octets This attribute is used in signing access requests for preventing spoofing of access requests using CHAP, ARAP or EAP authentication methods. It authenticates the whole RADIUS packet - HMAC-MD5 (Type | Identifier | Length | Request Authenticator | Attributes).
Chargeable User ID 89 M String This attribute sends a null value during authentication.
Operator-Name 126 C String The attribute identifies the owner of the access network by the AAA server. It is encoded as per RFC 5580. Note: This attribute is included only if the location delivery method is Out of Band as specified in RFC 5580.
Location-Information 127 C Octets This is a composite attribute, which provides meta data about the location information. It is encoded as per RFC 5580. Note: This attribute is included only if the location delivery method is Out of Band as specified in RFC 5580.
Location-Data 128 M String This attribute contains the actual location information. It is encoded as per RFC 5580. Note: This attribute is included only if the location delivery method is the initial request as specified in RFC 5580.
Basic-Location-Policy-Rules 129 C Octets This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. Note: This attribute is included only if the location delivery method is the initial request as specified in RFC 5580.
Extended-Location-Policy-Rules 130 C Octets This attribute provides the extended privacy policy for the target whose location is specified. This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. Note: This attribute is included only if the location delivery method is the initial request as specified in RFC 5580.
Location-Capable 131 C Integer This attribute is sent in RADIUS access request during the authentication phase to indicate the AP's capability for providing the location. Encoded as per RFC 5580. Note: This attribute is included only if the location delivery method is not Out of Band as specified in RFC 5580.

RADIUS Access Challenge [EAP Request (SIM Start)]

The table lists the attribute details of the messages sent by the AAA server to the controller and forwarded to the RADIUS client (NAS).
TABLE 13 RADIUS access challenge attributes
Attribute Attribute ID Presence Type Description
State 24 O Octets This attribute is sent by the server to the client in an access-challenge message and must be sent unmodified from the client to the server in the new access request message - a reply to that challenge, if any.
Proxy-State 33 O Octets This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access-reject, access-challenge and accounting response.
EAP Message 79 M Octets This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA).
Message Authenticator 80 M Octets This attribute is used for signing access request for preventing spoofing of access request using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet - HMAC-MD5 (Type | Identifier | Length | Request Authenticator | Attributes).
Chargeable User ID 89 M String This attribute sends a null value during authentication.
Basic-Location-Policy-Rules 129 C Octets This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. Note: This attribute is expected from the AAA server in the initial request location delivery method as mentioned in RFC 5580.
Extended-Location-Policy-Rules 130 C Octets This attribute provides the extended privacy policy for the target whose location is specified. This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. Note: This attribute is expected from the AAA server in the initial request location delivery method as mentioned in RFC 5580.
Requested-Location-Info 132 M Integer This attribute is only used in messages sent by the AAA server towards the AP. Using this attribute the AAA server indicates its request for location information. Encoded as per RFC 5580. Note: This attribute is expected from the AAA server in the initial request location delivery method mentioned in RFC 5580.

RADIUS Access Request [EAP Response (NONCE_MT)]

The table lists the attribute details for messages sent by the controller to the AAA server (response received from UE).

TABLE 14 RADIUS access request attributes
Attribute Attribute ID Presence Type Description
User-Name 1 M String Indicates the name of the user for authentication.
User-Password 2 C String This attribute indicates the password of the user to be authenticated. It is mandatory for PAP authentication.
CHAP-Password 3 C String This attribute indicates the value provided by a CHAP user in response to the access-challenge. It is mandatory for CHAP authentication.
NAS-IP-Address 4 C Integer This attribute is the IP address of the AP which is serving the station or controller's control IP address, controller's management IP address and user defined value.
NAS-Port 5 O Integer This attribute indicates the physical port number of the NAS which authenticates the user. The controller uses the association ID for the STA in the AP to represent this.
Service-Type 6 O Integer Indicates the type of service based on the user request or the type of service to be provided.
Framed MTU 12 O Integer Indicates the Maximum Transmission Unit (MTU) to be configured for the user, when it is not negotiated by some other means.
State 24 O Octets This attribute is sent by the server to the client in an access-challenge message and must be sent unmodified from the client to the server in the new access request message - a reply to that challenge, if any.
Vendor-Specific 26 C Integer Vendor ID: Ruckus:25053. VSA: Ruckus-WLan-ID (4). VSA Length: 6. Reports the associated WLANs ID. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs.
Vendor-Specific 26 C Integer Vendor ID: Ruckus:25053. VSA: Ruckus-SCG-CBLADE-IP (7). VSA Length: 6. Reports the control plane IP address. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs.
Vendor-Specific 26 C Integer Vendor ID: Ruckus:25053. VSA: Ruckus-SCG-DBLADE-IP (8). VSA Length: 6. Reports the data plane IP address. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs.
Vendor-Specific 26 C String Vendor ID: Ruckus:25053. VSA: Ruckus-Location (5). VSA Length: Variable. Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs.
Vendor-Specific 26 C String Vendor ID: Ruckus:25053. VSA: Ruckus-SSID (3). VSA Length: Variable. Reports the associated WLANs SSID in access request and accounting packet. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs.
Called Station ID 30 O String This attribute allows NAS to send the ID (BSSID), which is called by the user. It is MAC of the AP. It supports 2 types of values, namely BSSID:SSID, where BSSID is the MAC address of the WLAN on AP.
The second value is AP-MAC:SSID, where AP-MAC is the MAC address of the AP. The letters in the MAC address are in uppercase. For example: 11-22-33-AA-BB-CC:SSID.
Calling Station ID 31 M String Allows NAS to send the ID (UE MAC), which indicates as to who is calling this server.
NAS-Identifier 32 C String NAS-IP-Address or NAS-Identifier attribute is mandatory in received messages. It supports 3 types of values, namely BSSID (MAC address of the WLAN on AP), AP-MAC (MAC address of AP) and user defined address (maximum length of 62).
Proxy-State 33 O Octets This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access-reject, access-challenge and accounting response.
Acct-Session-ID 44 M String This attribute is a unique accounting identity to facilitate easy matching of start, interim and stop records in a log file. The start, interim and stop records for a given session must have the same Acct-Session-ID.
NAS-Port-Type 61 M Integer Indicates the physical port type of NAS, which authenticates the user.
Connect-Info 77 O String This attribute is sent from the NAS to indicate the nature of the user's connection.
EAP Message 79 M Octets This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA).
Message Authenticator 80 M Octets This attribute is used in signing access requests for preventing spoofing of access requests using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet - HMAC-MD5 (Type | Identifier | Length | Request Authenticator | Attributes).
Chargeable User ID 89 M String This attribute sends a null value during authentication.
Operator-Name 126 C String The attribute identifies the owner of the access network by the AAA server. It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is Out of Band as specified in RFC 5580.
Location-Information 127 C Octets This is a composite attribute, which provides meta data about the location information. It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is Out of Band as specified in RFC 5580.
Location-Data 128 M String This attribute contains the actual location information. It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is the initial request as specified in RFC 5580.
Basic-Location-Policy-Rules 129 C Octets This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is the initial request as specified in RFC 5580.
Extended-Location-Policy-Rules 130 C Octets This attribute provides the extended privacy policy for the target whose location is specified. This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is the initial request as specified in RFC 5580.

RADIUS Access Challenge [EAP Request (RAND, MAC)]

The table lists the attribute details for messages sent by the AAA server to the controller and forwarded to the RADIUS client NAS.
Attribute Attribute ID Presence Type Description
State 24 O Octets This attribute is sent by the server to the client in an access-challenge message and must be sent unmodified from the client to the server in the new access request message - a reply to that challenge, if any.
Proxy-State 33 O Octets This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access-reject, access-challenge and accounting response.
EAP Message 79 M Octets This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA).
Message Authenticator 80 M Octets This attribute is used in signing access requests for preventing spoofing of access requests using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet - HMAC-MD5 (Type | Identifier | Length | Request Authenticator | Attributes).
Chargeable User ID 89 M String This attribute sends a null value during authentication.

RADIUS Access Request [EAP Response (SRES)]

The table lists the attribute details for messages sent by controller to AAA.

TABLE 15 RADIUS access accept messages
Attribute Attribute ID Presence Type Description
User-Name 1 M String Indicates the name of the user for authentication.
User-Password 2 C String This attribute indicates the password of the user to be authenticated. It is mandatory for PAP authentication.
CHAP-Password 3 C String This attribute indicates the value provided by a CHAP user in response to the access-challenge. It is mandatory for CHAP authentication.
NAS-IP-Address 4 C Integer This attribute is the IP address of the AP which is serving the station or controller's control IP address, controller's management IP address and user defined value.
NAS-Port 5 O Integer This attribute indicates the physical port number of the NAS which authenticates the user. The controller uses the association ID for the STA in the AP to represent this.
Service-Type 6 O Integer Indicates the type of service based on the user request or the type of service to be provided.
Framed MTU 12 O Integer Indicates the Maximum Transmission Unit (MTU) to be configured for the user, when it is not negotiated by some other means.
State 24 O Octets This attribute is sent by the server to the client in an access-challenge message and must be sent unmodified from the client to the server in the new access request message - a reply to that challenge, if any.
Vendor-Specific 26 C Integer Vendor ID: Ruckus:25053. VSA: Ruckus-WLan-ID (4). VSA Length: 6. Reports the associated WLANs ID. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs.
Vendor-Specific 26 C Integer Vendor ID: Ruckus:25053. VSA: Ruckus-SCG-CBLADE-IP (7). VSA Length: 6. Reports the control plane IP address. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs.
Vendor-Specific 26 C Integer Vendor ID: Ruckus:25053. VSA: Ruckus-SCG-DBLADE-IP (8). VSA Length: 6. Reports the data plane IP address. Note: Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs.
Vendor-Specific 26 C String Vendor ID: Ruckus:25053. VSA: Ruckus-Location (5). VSA Length: Variable. Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs.
Vendor-Specific 26 C String Vendor ID: Ruckus:25053. VSA: Ruckus-SSID (3). VSA Length: Variable. Reports the associated WLANs SSID in access request and accounting packet.
Note: Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs.
Calling Station ID 30 O String Allows NAS to send the ID (BSSID), which is called by the user. It is MAC of the AP.
Calling Station ID 31 M String Allows NAS to send the ID (UE MAC), which indicates as to who is calling this server.
NAS-Identifier 32 C String NAS-IP-Address or NAS-Identifier attribute is mandatory in received messages. It supports 3 types of values, namely BSSID (MAC address of the WLAN on AP), AP-MAC (MAC address of AP) and user defined address (maximum length of 62).
Proxy-State 33 O Octets This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access-reject, access-challenge and accounting response.
Acct-Session-ID 44 M String This attribute is a unique accounting identity to facilitate easy matching of start, interim and stop records in a log file. The start, interim and stop records for a given session must have the same Acct-Session-ID.
NAS-Port-Type 61 M Integer Indicates the physical port type of NAS, which authenticates the user.
Connect-Info 77 O String This attribute is sent from the NAS to indicate the nature of the user's connection.
EAP Message 79 M Octets This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA).
Message Authenticator 80 M Octets This attribute is used in signing access requests for preventing spoofing of access requests using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet - HMAC-MD5 (Type | Identifier | Length | Request Authenticator | Attributes).
Chargeable User ID 89 M String This attribute sends a null value during authentication.

RADIUS Access Accept [EAP Success (MSK)]

The table lists the attribute details for messages sent by the AAA to the controller, which are forwarded to the RADIUS client (access point) upon successful service authorization (see the next two messages).

TABLE 16 RADIUS access request messages
Attribute Attribute ID Presence Type Description
User-Name 1 M String Indicates the name of the user for authentication.
Filter-Id 11 O String Represents the User Role name sent by AAA. This is used by SCG to map the received Group Role Name to the UTP profile and forward the corresponding ACL/rate limiting parameters to NAS. NAS enforces the UTP for the given user. Filter-Id might be included in access accept irrespective of a WISPr, 802.1x or HS 2.0 call.
Class 25 O String This attribute is sent by the server in access accept and the client should include this attribute in the accounting request without modification.
Vendor-Specific 26 O Integer Vendor ID: WISPr: 14122. VSA: WISPr-Bandwidth-Max-UP (7). VSA Length: Variable. The attribute contains the maximum uplink value in bits per second.
Vendor-Specific 26 O Integer Vendor ID: WISPr: 14122. VSA: WISPr-Bandwidth-Max-DOWN (8). VSA Length: Variable. The attribute contains the maximum downlink value in bits per second.
Vendor-Specific 26 M Integer Vendor ID: Microsoft 311. VSA: MS-MPPE-Send-Key (16). VSA Length: Variable. This attribute contains a session key used by Microsoft Point-to-Point Encryption Protocol (MPPE).
Vendor-Specific 26 M Integer Vendor ID: Microsoft 311. VSA: MS-MPPE-Recv-Key (17). VSA Length: Variable. This attribute contains a session key used by the Microsoft Point-to-Point Encryption Protocol (MPPE).
Vendor-Specific 26 C String Vendor ID: Ruckus:25053. VSA: Ruckus-IMSI (102). VSA Length: Variable. BCD encoded IMSI of the subscriber.
Vendor-Specific 26 C Integer Vendor ID: Ruckus:25053. VSA: Ruckus-Session-Type (125). VSA Length: 6. Session Type - TTG (2), Local-Breakout (3), Local-Breakout-AP (4), L3oGRE (5), L2oGRE (6), QinQL3 (7), PMIP (8). The controller server uses this attribute on the access-accept to indicate the forward policy of the specific UE.
Vendor-Specific 26 C Integer Vendor ID: Ruckus:25053. VSA: Ruckus-Acct-Status (126). VSA Length: 6. Acct Stat is true (1) or false (0). The controller server uses this attribute on the access accept to indicate if the authenticator needs to send the accounting start for the current/specified client.
Session-Timeout 27 O Integer This attribute sets the maximum number of seconds of service to be provided to the user before termination of the session.
Idle-Timeout 28 O Integer It sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session.
Termination-Action 29 O Integer Indicates the action that NAS will take when the specified service is completed.
Proxy-State 33 O Octets This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response.
Tunnel-Type 64 C Integer This attribute indicates the tunnel type for the access point.
For example, tunnel type 13 is for VLAN.
Tunnel-Medium-Type 65 C Integer This attribute indicates the tunnel medium type for the access point. For example, tunnel type 06 is for IEEE_802.
EAP Message 79 M Octets This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA).
Message Authenticator 80 M String This attribute is used in signing access requests for preventing spoofing of access requests using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet - HMAC-MD5 (Type | Identifier | Length | Request Authenticator | Attributes).
Tunnel-Private-Group-ID 81 C String This attribute contains the dynamic VLAN ID as configured in the authentication profile.
Accounting-Interim-Interval 85 O Integer Indicates the number of seconds between each interim update for this specific session. If the value is blank, the configured default value is used as the accounting interim interval.
Basic-Location-Policy-Rules 129 C Octets This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. NOTE: This attribute is expected from the AAA server if the location delivery method is accounting request as specified in RFC 5580.
Extended-Location-Policy-Rules 130 C Octets This attribute provides the extended privacy policy for the target whose location is specified. This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580.
NOTE: This attribute is expected from the AAA server if the location delivery method is accounting request as specified in RFC 5580.
Requested-Location-Info 132 M Integer This attribute is only used in messages sent by the AAA server towards the AP. Using this attribute the AAA server indicates its request for location information. Encoded as per RFC 5580. NOTE: This attribute is expected from the AAA server if the location delivery method is accounting request as specified in RFC 5580.

Authorization Access Request

The authorization procedure starts after successful authentication only. Messages are initiated from the controller. The table lists the attribute details for messages sent by the controller to the AAA server.

TABLE 17 Authorisation Access request attributes
Attribute Attribute ID Presence Type Description
User-Name 1 M String Indicates the name of the user to be authenticated.
Vendor-Specific 26 C Integer Vendor ID: Ruckus: 25053. VSA: Ruckus-SGSN-Number (124). VSA Length: Variable. AAA uses this attribute to populate the MAP update GPRS location. E.164 address of SGSN (controller). Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs.
Vendor-Specific 26 C String Vendor ID: Ruckus: 25053. VSA: Ruckus-SSID (3). VSA Length: Variable. Reports the associated WLANs SSID in access request and accounting packet. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs.
Vendor-Specific 26 C String Vendor ID: Ruckus: 25053. VSA: Ruckus-Location (5). VSA Length: Variable. Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP.
It is optional for 3rd party APs.
NAS-Identifier 32 C Integer NAS-IP-Address or NAS-Identifier attribute is mandatory in received messages. It supports 3 types of values, namely BSSID (MAC address of the WLAN on AP), AP-MAC (MAC address of AP) and user defined address (maximum length of 62).
Proxy-State 33 O Octets This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response.
Chargeable User ID 89 M String This attribute sends a null value during authentication.

Authorization Access Accept

The authorization procedure starts only after successful authorization, where messages are sent by AAA to the controller. Information received from AAA is used in setting the GTP tunnel towards the GGSN (APN, QoS and Charging Characteristics). The table lists the attribute details for messages sent by the AAA server to the controller.

TABLE 18 Authorization access accept attributes
Attribute Attribute ID Presence Type Description
User-Name 1 O String Indicates the name of the user for authentication.
Filter-Id 11 O String Represents the User Role name sent by AAA. This is used by the controller to map the received Group Role Name to the UTP profile and forward the corresponding ACL/rate limiting parameters to NAS. NAS enforces the UTP for the given user. Filter-Id might be included in access accept irrespective of a WISPr, 802.1x or HS 2.0 call.
Vendor-Specific 26 O Integer Vendor ID: WISPr: 14122. VSA: WISPr-Bandwidth-Max-UP (7). VSA Length: Variable. The attribute contains the maximum uplink value in bits per second.
Vendor-Specific 26 O Integer Vendor ID: WISPr: 14122. VSA: WISPr-Bandwidth-Max-DOWN (8). VSA Length: Variable. The attribute contains the maximum downlink value in bits per second.
Vendor-Specific 26 O Octets Vendor ID: Ruckus: 25053. VSA: Ruckus-APN-NI (104). VSA Length: Variable. This attribute carries the APN subscribed by the user. It contains only the network identifier (NI), which is part of the APN. The operator identifier part is stored separately in Ruckus-APN-OI.
Vendor-Specific 26 O String Vendor ID: 3GPP: 10415. VSA: 3GPP-GPRS-Negotiated-QoS-Profile (5). VSA Length: Variable. This attribute carries the QoS value from AAA server. QoS from AAA is received from Ruckus defined VSA or from 3GPP defined VSA (3GPP-GPRS-Negotiated-QoS-Profile).
Vendor-Specific 26 O Charging characteristics Vendor ID: Ruckus: 25053. VSA: Ruckus-Charging-Charac (118). VSA Length: 4. Charging characteristics value, octets are encoded according to TS 3GPP 32.215. This attribute carries the charging characteristics value, which is received from the AAA server.
Session-Timeout 27 O Integer This attribute de-authenticates the UE when the session time expires.
Proxy-State 33 O Octets This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response.
Accounting-Interim-Interval 85 O Integer Indicates the number of seconds between each interim update for this specific session. If the value is blank, the configured default value is used as the accounting interim interval.
Chargeable User ID 89 M String This attribute sends a null value during authentication.
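
The Message Authenticator (80) rows in the tables above give the HMAC-MD5 input, and the Vendor-Specific (26) rows give the Ruckus vendor ID and VSA numbers. The following added example (not from the Ruckus guide or any Ruckus code) shows a receiver-side check of that value and the decoding of the Ruckus VSAs from a constructed access request. It assumes the RFC 2865 sub-attribute layout for VSAs and the RFC 3579 rule that the attribute's own 16 octets are zeroed while the HMAC is computed; the function names, shared secret and sample values are made up for the example.

```python
import hashlib
import hmac
import struct

RUCKUS_VENDOR_ID = 25053  # vendor ID from the attribute tables
# VSA numbers and types as listed in the tables (3 = SSID, 4 = WLAN ID, 5 = location).
RUCKUS_VSAS = {3: ("Ruckus-SSID", str), 4: ("Ruckus-WLan-ID", int), 5: ("Ruckus-Location", str)}
EAP_MESSAGE, MESSAGE_AUTHENTICATOR, VENDOR_SPECIFIC = 79, 80, 26


def parse_tlvs(data):
    """Split type/length/value attributes; the length octet includes the 2-octet header."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("attribute length out of bounds")
        out.append((atype, data[pos + 2:pos + alen], pos + 2))  # (type, value, value offset)
        pos += alen
    return out


def trim_packet(packet):
    """Validate the 20-octet RADIUS header and cut the buffer to the declared length."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    return packet[:length]


def verify_message_authenticator(packet, secret, request_authenticator=None):
    """True only if exactly one well-formed Message-Authenticator (80) matches.

    For a reply (challenge, accept, reject) pass the Request Authenticator of the
    access request it answers; for an access request it is taken from the packet.
    """
    packet = trim_packet(packet)
    authenticator = packet[4:20] if request_authenticator is None else request_authenticator
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 octets")
    found = [(v, off) for t, v, off in parse_tlvs(packet[20:]) if t == MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][0]) != 16:
        return False  # missing, duplicated or malformed: treat the packet as unauthenticated
    received, start = found[0][0], 20 + found[0][1]
    # HMAC-MD5 (Type | Identifier | Length | Request Authenticator | Attributes), with
    # the Message-Authenticator value itself replaced by 16 zero octets.
    signed = packet[:4] + authenticator + packet[20:start] + bytes(16) + packet[start + 16:]
    expected = hmac.new(secret, signed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def decode_ruckus_vsas(packet):
    """Return {name: value} for Ruckus VSAs inside Vendor-Specific (26) attributes."""
    result = {}
    for atype, value, _ in parse_tlvs(trim_packet(packet)[20:]):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != RUCKUS_VENDOR_ID:
            continue
        for vtype, body, _ in parse_tlvs(value[4:]):
            name, kind = RUCKUS_VSAS.get(vtype, ("Ruckus-VSA-%d" % vtype, bytes))
            if kind is int:
                if len(body) != 4:  # "VSA Length: 6" = 2-octet header + 4-octet integer
                    raise ValueError("integer VSA must carry 4 octets")
                result[name] = struct.unpack("!I", body)[0]
            elif kind is str:
                result[name] = body.decode("utf-8", errors="replace")
            else:
                result[name] = body
    return result


def _attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def build_sample_access_request(secret):
    """Constructed sample: access request with EAP, two Ruckus VSAs and attribute 80."""
    def vsa(vtype, body):
        return _attr(VENDOR_SPECIFIC, struct.pack("!I", RUCKUS_VENDOR_ID) + _attr(vtype, body))
    eap_identity = bytes([2, 0, 0, 9, 1]) + b"user"  # EAP Response/Identity, 9 octets
    attrs = (_attr(1, b"user") + vsa(4, struct.pack("!I", 7)) + vsa(3, b"corp-wlan")
             + _attr(EAP_MESSAGE, eap_identity) + _attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    # Fixed Request Authenticator so the sample is reproducible; a real NAS uses random octets.
    packet = struct.pack("!BBH", 1, 1, 20 + len(attrs)) + bytes(range(16)) + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # attribute 80 is last, so its value is the final 16 octets


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt = build_sample_access_request(secret)
    print("authentic:", verify_message_authenticator(pkt, secret))
    print("Ruckus VSAs:", decode_ruckus_vsas(pkt))
    tampered = pkt.replace(b"corp-wlan", b"corp-wlaN")
    print("tampered SSID accepted:", verify_message_authenticator(tampered, secret))
```

A packet that carries an EAP Message but no Message Authenticator returns False here rather than being passed on, which matches the mandatory (M) presence the tables give attribute 80 in the EAP exchanges.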
RADIUS Access Reject

The table lists the attribute details of access reject messages (failure scenarios) sent by the AAA in case of unsuccessful authentication or authorization. The controller can also initiate access reject towards NAS, based on certain use cases.

TABLE 19 RADIUS access reject attributes
Attribute | Attribute ID | Presence | Type | Description
Reply-Message | 18 | O | Integer | Indicates the text, which could be displayed to the user.
EAP Message | 79 | C | Octets | This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA).
Message Authenticator | 80 | C | Octets | This attribute is used for signing access requests for preventing spoofing of access requests using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet - HMAC-MD5 (Type | Identifier | Length | Request Authenticator | Attributes). This attribute is available only for EAP failures.

Hotspot (WISPr) Authentication and Accounting

• Hotspot (WISPr) Authentication and Accounting Overview
• Hotspot (WISPr) Authentication Request
• Hotspot (WISPr) Authentication Response
• Hotspot (WISPr) Accounting Request [Start]
• Hotspot (WISPr) Accounting Request [Stop/Interim]
• Hotspot (WISPr) Accounting Response

Hotspot (WISPr) Authentication and Accounting Overview

Hotspot (WISPr) authentication starts after a user has entered his or her logon credentials (user name and password) on the subscriber portal logon page. After this, the northbound portal interface initiates an access request message to process a service authorization. Additional parameters can be provided by the AAA server in the access accept message. These parameters define the limitations and behavior of a specific user, such as session timeout, grace period and idle timeout. The figure shows the detailed call flow.

FIGURE 3 Hotspot (WISPr) call flow

This section covers:
• Hotspot (WISPr) Authentication Request
• Hotspot (WISPr) Authentication Response
• Hotspot (WISPr) Accounting Request [Start]

Hotspot (WISPr) Authentication Request

The table lists the attribute details of messages sent by the controller to Hotspot (WISPr).

NOTE: These attributes are sent in the Access-Request only if Client Fingerprinting is enabled. To enable this option in the controller web interface navigate to Access Points > Zone Tab > WLANs > Advanced Options > Select Enable Client Fingerprinting.

FIGURE 4 Enable Client Fingerprinting

TABLE 20 Hotspot (WISPr) authentication request attributes
Attribute | Attribute ID | Presence | Type | Description
User-Name | 1 | M | String | This attribute is the logon user name.
User-Password | 2 | C | String | This attribute indicates the password of the user to be authenticated. This attribute is mandatory for PAP authentication.
CHAP-Password | 3 | M | String | Indicates the value provided by a CHAP user in response to the access-challenge. It is mandatory for CHAP authentication.
NAS-IP-Address | 4 | C | IP Address | This attribute contains the controller management IP address.
Service-Type | 6 | O | Integer | This attribute has the value 1 (login).
Framed-IP-Address | 8 | O | IP Address | This attribute is STA’s IP address.
Framed MTU | 12 | O | Integer | Indicates the Maximum Transmission Unit (MTU) to be configured for the user, when it is not negotiated by some other means. NOTE: The attribute will not be available if the MTU size is set to auto in the WLAN configuration page of the controller Web interface.
Vendor-Specific | 26 | O | Integer | Vendor ID: WISPr: 14122; Vendor Type: 1; VSA: WISPr-Location-ID; VSA Length: Variable. This attribute is a configurable value in the hotspot (WISPr) user interface.
Vendor-Specific | 26 | O | Integer | Vendor ID: WISPr: 14122; Vendor Type: 2; VSA: WISPr-Location-Name; VSA Length: Variable. This attribute is a configurable value in the hotspot (WISPr) user interface.
Vendor-Specific | 26 | O | Integer | Vendor ID: WISPr: 14122; Vendor Type: 3; VSA: WISPr-Logoff-URL; VSA Length: Variable. This attribute indicates the hotspot (WISPr) service logout URL.
Vendor-Specific | 26 | O | String | Vendor ID: Ruckus; Vendor Type: 3; VSA: Ruckus-Client-Host-name; VSA Length: 138. This attribute reports the configured client host name.
Vendor-Specific | 26 | O | String | Vendor ID: Ruckus; Vendor Type: 3; VSA: Ruckus-Client-Os-Type; VSA Length: 139. This attribute reports the Client OS Type.
Vendor-Specific | 26 | O | String | Vendor ID: Ruckus; Vendor Type: 3; VSA: Ruckus-Client-Os-Class; VSA Length: Variable. This attribute reports the client OS class.
Vendor-Specific | 26 | O | String | Vendor ID: WISPr: 25053; Vendor Type: 3; VSA: Ruckus-SSID (3); VSA Length: Variable. Reports the associated WLANs SSID in the access request and accounting packet, Ruckus VSA is received only from Ruckus AP.
Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus: 25053; VSA: Ruckus-Zone-ID (127); VSA Length: 6. Reports the zone ID to which the 3rd party AP is associated. This VSA is received only for 3rd party APs.
Called Station ID | 30 | M | Integer | This attribute allows NAS to send the ID (BSSID), which is called by the user. It is MAC of the AP. It supports 2 types of values, namely BSSID:SSID, where BSSID is the MAC address of the WLAN on AP. The second value is AP-MAC:SSID, where AP-MAC is the MAC address of the AP. The letters in the MAC address are in uppercase. For example: 11-22-33-AA-BB-CC:SSID.
Calling Station ID | 31 | M | String | STA’s MAC address where the letters in the MAC address are in uppercase. For example, 11-22-33-AA-BB-CC.
NAS-Identifier | 32 | C | Integer | This attribute contains a string identifying the NAS originating the access request. It supports 3 types of values for BSSID (MAC address of the WLAN on AP). AP-MAC (MAC address of AP) is a user defined attribute where the maximum length is 62. This attribute can also be configured as per the configuration specified on the WLAN configuration page of the controller web interface.
Chap-Challenge | 60 | M | String | This attribute contains the chap challenge sent by NAS to a PPP CHAP user.
NAS-Port-Type | 61 | O | Integer | This attribute indicates the physical port type of the NAS, which authenticates the user.
Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus: 2503; Vendor Type: 9; VSA: VLAN-ID; VSA Length: Variable. This attribute value is as per the configuration specified on the WLAN configuration page of the controller web interface.
Operator-Name | 126 | C | String | The attribute identifies the owner of the access network by the AAA server. It is encoded as per RFC 5580. NOTE: This attribute is included in the first access request when the location delivery method is Out of Band. If the location delivery method is the initial request then the subsequent access request is included in this parameter - as specified in RFC 5580.
Location-Information | 127 | C | Octets | This is a composite attribute, which provides meta data about the location information. It is encoded as per RFC 5580. NOTE: This attribute is included in the first access request when the location delivery method is Out of Band. If the location delivery method is the initial request then the subsequent access request is included in this parameter - as specified in RFC 5580.
Location-Data | 128 | M | String | This attribute contains the actual location information. It is encoded as per RFC 5580. NOTE: This attribute is included in the first access request when the location delivery method is Out of Band. If the location delivery method is the initial request then the subsequent access request is included in this parameter - as specified in RFC 5580.
Basic-Location-Policy-Rules | 129 | M | String | This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. NOTE: This attribute is included in the first access request when the location delivery method is Out of Band. If the location delivery method is the initial request then the subsequent access request is included in this parameter - as specified in RFC 5580.
Extended-Location-Policy-Rules | 130 | C | Octets | This attribute provides the extended privacy policy for the target whose location is specified. This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. NOTE: This attribute is included in the first access request when the location delivery method is Out of Band. If the location delivery method is the initial request then the subsequent access request is included in this parameter - as specified in RFC 5580.
Location-Capable | 131 | C | Integer | This attribute is sent in RADIUS access request during the authentication phase to indicate the AP's capability for providing the location. Encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is the initial request or accounting request as specified in RFC 5580.

NOTE: Acct-Session-Id shall be optionally included in the WISPr Access Request by Ruckus AP if Accounting is disabled in the UI.

Hotspot (WISPr) Authentication Response

The table lists the attribute details of messages sent by the Hotspot (WISPr) module to the controller.
TABLE 21 Hotspot (WISPr) authentication request attributes
Attribute | Attribute ID | Presence | Type | Description
Filter-Id | 11 | O | String | Represents the User Role name sent by AAA. This is used by SCG to map the received Group Role Name to the UTP profile and forward the corresponding ACL/rate limiting parameters to NAS. NAS enforces the UTP for the given user. Filter-Id might be included in access accept irrespective of a WISPr, 802.1x or HS 2.0 call.
Class | 25 | O | Integer | This attribute is sent by the server in access accept and the client should include this attribute in the accounting request without any modification.
Vendor-Specific | 26 | O | Integer | Vendor ID: WISPr: 14122; VSA: WISPr-Bandwidth-Max-UP (7); VSA Length: Variable. The attribute contains the maximum uplink value in bits per second.
Vendor-Specific | 26 | O | Integer | Vendor ID: WISPr: 14122; VSA: WISPr-Bandwidth-Max-DOWN (8); VSA Length: Variable. The attribute contains the maximum downlink value in bits per second.
Vendor-Specific | 26 | O | Integer | Vendor ID: Ruckus: 25053; Vendor Type: 7; VSA: Ruckus-Grace-Period; VSA Length: Variable. This attribute is the grace period in hotspot (WISPr) WLANs.
Session-Timeout | 27 | O | Integer | This attribute de-authenticates the UE when the session time expires.
Idle-Timeout | 28 | O | Integer | This attribute sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session.
Accounting-Interim-Interval | 85 | O | Integer | Indicates the number of seconds between each interim update for this specific session. If the value is blank, the configured default value is used as the accounting interim interval.
Basic-Location-Policy-Rules | 129 | M | String | This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. NOTE: This attribute is expected from the AAA server in the initial request location delivery method as mentioned in RFC 5580.
Extended-Location-Policy-Rules | 130 | C | Octets | This attribute provides the extended privacy policy for the target whose location is specified. This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. NOTE: This attribute is expected from the AAA server in the initial request location delivery method as mentioned in RFC 5580.
Requested-Location-Info | 132 | M | Integer | This attribute is only used in messages sent by the AAA server towards the AP. Using this attribute the AAA server indicates its request for location information. Encoded as per RFC 5580. NOTE: This attribute is expected from the AAA server in the initial request location delivery method as mentioned in RFC 5580.

Hotspot (WISPr) Accounting Request [Start]

The table lists the attribute details of messages sent by the controller to the Hotspot (WISPr) module.

TABLE 22 Hotspot (WISPr) accounting request (start) attributes
Attribute | Attribute ID | Presence | Type | Description
User-Name | 1 | M | String | This attribute is the logon user name.
NAS-IP-Address | 4 | C | IP Address | This attribute is the IP address of the AP which is serving the station or controller's control IP address, controller's management IP address and user defined value.
NAS-Port | 5 | O | Integer | This attribute is the AID value.
Framed-IP-Address | 8 | O | IP Address | This attribute is STA’s IP address.
Class | 25 | O | Integer | This attribute is sent by the server in access accept and the client should include this attribute in the accounting request without modification.
Vendor-Specific | 26 | O | Integer | Vendor ID: WISPr: 14122; Vendor Type: 1; VSA: WISPr-Location-ID; VSA Length: Variable. This attribute is a configurable value in the hotspot (WISPr) user interface.
Vendor-Specific | 26 | O | Integer | Vendor ID: WISPr: 14122; Vendor Type: 2; VSA: WISPr-Location-Name; VSA Length: Variable. This attribute is a configurable value in the hotspot (WISPr) user interface.
Vendor-Specific | 26 | O | Integer | Vendor ID: Ruckus: 25053; Vendor Type: 2; VSA: Ruckus-STA-RSSI (2); VSA Length: Variable. This attribute can only be present with Acct-Status-Type = Interim or Stop.
Vendor-Specific | 26 | O | String | Vendor ID: Ruckus: 25053; Vendor Type: 3; VSA: Ruckus-SSID (3); VSA Length: Variable. Reports the associated WLANs SSID in the access request and accounting packet, Ruckus VSA is received only from Ruckus AP.
Vendor-Specific | 26 | O | String | Vendor ID: Ruckus: 25053; Vendor Type: 5; VSA: Ruckus-Location; VSA Length: Variable. Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs.
Vendor-Specific | 26 | O | Integer | Vendor ID: Ruckus: 25053; Vendor Type: 7; VSA: Ruckus-SCG-CBLADE-IP; VSA Length: 6. This attribute indicates the control plane IP address that is being used.
Vendor-Specific | 26 | O | Integer | Vendor ID: Ruckus: 25053; Vendor Type: 8; VSA: Ruckus-SCG-DBLADE-IP; VSA Length: 6. This attribute value is observed by NBI, when the GRE tunnel is set up.
Called Station ID | 30 | M | Integer | This attribute allows NAS to send the ID (BSSID), which is called by the user. It is MAC of the AP. It supports 2 types of values, namely BSSID:SSID, where BSSID is the MAC address of the WLAN on AP. The second value is AP-MAC:SSID, where AP-MAC is the MAC address of the AP. The letters in the MAC address are in uppercase. For example: 11-22-33-AA-BB-CC:SSID.
Calling Station ID | 31 | M | String | STA’s MAC address, where the letters in the MAC address are in uppercase. For example, 11-22-33-AA-BB-CC.
NAS-Identifier | 32 | C | Integer | This attribute contains a string identifying the NAS originating the access request. It supports 3 types of values for BSSID (MAC address of the WLAN on AP). AP-MAC (MAC address of AP) is a user defined attribute where the maximum length is 62. This attribute can also be configured as per the configuration specified on the WLAN configuration page of the controller web interface.
Proxy-State | 33 | O | Octets | This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response.
Acct-Status-Type | 40 | M | Integer | This attribute has the following values where 1 is Start, 2 is Stop, 3 is Interim, 7 is On and 8 is Off.
Acct-Delay-Time | 41 | C | Integer | This attribute can only be seen in accounting retry packets. This is a configurable option and by default this attribute is disabled.
Acct-Session-ID | 44 | M | Integer | This attribute is a unique accounting identity to facilitate easy matching of start, interim and stop records in a log file. The start, interim and stop records for a given session must have the same Acct-Session-ID.
Acct-Authentic | 45 | M | Integer | This attribute value in EAP 802.1X-Auth and hotspot (WISPr) is: 1 for RADIUS-Auth and 2 for MAC-Auth local.
Acct-Terminate-Cause | 49 | M | Integer | This attribute can only be present with Acct-Status-Type = Stop.
Acct-Multi-Session-ID | 50 | O | Integer | This attribute is hand-off between APs, which triggers new accounting session (stop followed by start) with different session identifiers. Acct-Multi-Session-ID retains the same ID to tie multiple sessions.
Acct-Link-Count | 51 | O | Integer | Count of links in a multi-link session, when an accounting record is generated.
Event-Timestamp | 55 | O | Integer | This attribute is included in the Accounting-Request packet to record the time that this event occurred on NAS. For example, in seconds since January 1, 2013 00:00 UTC.
NAS-Port-Type | 61 | O | Integer | This attribute indicates the physical port type of the NAS, which authenticates the user.
Connect-Info | 77 | O | String | This attribute is sent from the NAS to indicate the nature of the user's connection.
Location-Information | 127 | C | Octets | This is a composite attribute, which provides meta data about the location information. It is encoded as per RFC 5580.
Location-Data | 128 | M | String | This attribute contains the actual location information. It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is the accounting request as specified in RFC 5580.
Basic-Location-Policy-Rules | 129 | M | String | This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is the accounting request as specified in RFC 5580.
Extended-Location-Policy-Rules | 130 | C | Octets | This attribute provides the extended privacy policy for the target whose location is specified. This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is the accounting request as specified in RFC 5580.

Hotspot (WISPr) Accounting Request [Stop/Interim]

The table lists the attribute details of messages sent by the controller to the Hotspot (WISPr) module.

TABLE 23 Hotspot (WISPr) accounting request (stop/interim) attributes
Attribute | Attribute ID | Presence | Type | Description
User-Name | 1 | M | String | This attribute is the logon user name.
NAS-IP-Address | 4 | C | Integer | This attribute is the IP address of the AP which is serving the station or controller's control IP address, controller's management IP address and user defined value.
NAS-Port | 5 | O | Integer | This attribute is the AID value.
Framed-IP-Address | 8 | O | IP Address | This attribute is STA’s IP address.
Class | 25 | O | Integer | This attribute is sent by the server in access accept and the client should include this attribute in the accounting request without modification.
Vendor-Specific | 26 | O | Integer | Vendor ID: WISPr: 14122; Vendor Type: 1; VSA: WISPr-Location-ID; VSA Length: Variable. This attribute is a configurable value in the hotspot (WISPr) user interface.
Vendor-Specific | 26 | O | Integer | Vendor ID: WISPr: 14122; Vendor Type: 2; VSA: WISPr-Location-Name; VSA Length: Variable. This attribute is a configurable value in the hotspot (WISPr) user interface.
Vendor-Specific | 26 | O | Integer | Vendor ID: Ruckus: 25053; Vendor Type: 2; VSA: Ruckus-STA-RSSI (2); VSA Length: Variable. This attribute can only be present with Acct-Status-Type = Interim or Stop.
Vendor-Specific | 26 | O | String | Vendor ID: Ruckus: 25053; Vendor Type: 3; VSA: Ruckus-SSID (3); VSA Length: Variable. Reports the associated WLANs SSID in the access request and accounting packet, Ruckus VSA is received only from Ruckus AP.
Vendor-Specific | 26 | O | String | Vendor ID: Ruckus: 25053; Vendor Type: 5; VSA: Ruckus-Location; VSA Length: Variable. Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs.
Vendor-Specific | 26 | O | Integer | Vendor ID: Ruckus: 25053; Vendor Type: 7; VSA: Ruckus-SCG-CBLADE-IP; VSA Length: Variable. This attribute indicates the control plane IP address that is being used.
Vendor-Specific | 26 | O | Integer | Vendor ID: Ruckus: 25053; Vendor Type: 8; VSA: Ruckus-SCG-DBLADE-IP; VSA Length: Variable. This attribute value is observed by NBI, when the GRE tunnel is set up.
Called Station ID | 30 | M | Integer | This attribute allows NAS to send the ID (BSSID), which is called by the user. It is MAC of the AP. It supports 2 types of values, namely BSSID:SSID, where BSSID is the MAC address of the WLAN on AP. The second value is AP-MAC:SSID, where AP-MAC is the MAC address of the AP. The letters in the MAC address are in uppercase. For example: 11-22-33-AA-BB-CC:SSID.
Calling Station ID | 31 | M | String | STA’s MAC address, where the letters in the MAC address are in uppercase. For example, 11-22-33-AA-BB-CC.
NAS-Identifier | 32 | C | Integer | This attribute contains a string identifying the NAS originating the access request. It supports 3 types of values for BSSID (MAC address of the WLAN on AP). AP-MAC (MAC address of AP) is a user defined attribute where the maximum length is 62. This attribute can also be configured as per the configuration specified on the WLAN configuration page of the controller web interface.
Proxy-State | 33 | O | Octets | This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response.
Acct-Status-Type | 40 | M | Integer | This attribute has the following values where 1 is Start, 2 is Stop, 3 is Interim, 7 is On and 8 is Off.
Acct-Delay-Time | 41 | C | Integer | This attribute can only be seen in accounting retry packets. This is a configurable option and by default this attribute is disabled.
Acct-Input-Octets | 42 | M | Integer | This attribute indicates the number of octets received from the port over the course of this service provided.
Acct-Output-Octets | 43 | M | Integer | This attribute indicates the number of octets sent to the port in the course of delivering this service.
Acct-Session-ID | 44 | M | Integer | This attribute is a unique accounting identity to facilitate easy matching of start, interim and stop records in a log file. The start, interim and stop records for a given session must have the same Acct-Session-ID.
Acct-Authentic | 45 | M | Integer | This attribute value in EAP 802.1X-Auth and hotspot (WISPr) is: 1 for RADIUS-Auth and 2 for MAC-Auth local.
Acct-Session-Time | 46 | M | Integer | This attribute can only be present with Acct-Status-Type = Interim, Stop.
Acct-Terminate-Cause | 49 | M | Integer | This attribute can only be present with Acct-Status-Type = Stop.
Acct-Multi-Session-ID | 50 | O | Integer | This attribute is hand-off between APs, which triggers new accounting session (stop followed by start) with different session identifiers. Acct-Multi-Session-ID retains the same ID to tie multiple sessions.
Acct-Link-Count | 51 | O | Integer | Count of links in a multi-link session, when an accounting record is generated.
Acct-Input-Gigawords | 52 | M | Integer | This attribute can only be present with Acct-Status-Type = Interim, Stop.
Acct-Output-Gigawords | 53 | M | Integer | This attribute can only be present with Acct-Status-Type = Interim, Stop.
Event-Timestamp | 55 | O | Integer | This attribute is included in the Accounting-Request packet to record the time that this event occurred on NAS. For example, in seconds since January 1, 2013 00:00 UTC.
NAS-Port-Type | 61 | O | Integer | This attribute indicates the physical port type of the NAS, which authenticates the user.
Connect-Info | 77 | O | String | This attribute is sent from the NAS to indicate the nature of the user's connection.
Location-Information | 127 | C | Octets | This is a composite attribute, which provides meta data about the location information. It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is accounting request as specified in RFC 5580.
Location-Data | 128 | M | String | This attribute contains the actual location information. It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is accounting request as specified in RFC 5580.
Basic-Location-Policy-Rules | 129 | M | String | This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is accounting request as specified in RFC 5580.
Extended-Location-Policy-Rules | 130 | C | Octets | This attribute provides the extended privacy policy for the target whose location is specified. This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is accounting request as specified in RFC 5580.

Hotspot (WISPr) Accounting Response

The table lists the attribute details of messages received by the controller to the Hotspot (WISPr) module.
TABLE 24 Hotspot (WISPr) accounting response attributes
Attribute | Presence | Type | Description
Response Authenticator | M | Integer | MD5(Code|ID|Length|RequestAuth|RequestAuth|RequestAuth|Attributes|Secret)

Hotspot 2.0 Authentication

• Hotspot 2.0 Authentication Overview
• SIM Based Authentication - Access Request
• R2 Device Access Authentication
• R2 Device Onboarding
• Hotspot 2.0 VSAs

Hotspot 2.0 Authentication Overview

Hotspot 2.0 WLAN supports 802.1x authentication and passpoint technology. Passpoint enabled devices (R2 devices) connect to the network automatically based on their PPS-MO and facilitate seamless roaming for users on Wi-Fi network. WLAN supports Hotspot 2.0 Online SignUp (OSU) procedure and passpoint enabled devices, which connect to the network and are provisioned with PPS-MO. R2 users can onboard PPS-MO through authentication procedure using RADIUS credentials.

Non SIM based authentication (EAP-TTLS) is supported as per the WFA RFC mandate for Hotspot 2.0 R2 devices. SIM based authentication (EAP SIM and EAP AKA) is supported as per the WFA RFC mandate for Hotspot 2.0 R1 devices. SIM based authentication is similar to EAP - Full Authentication – 3GPP Solution except that RADIUS messages include Hotspot 2.0 specific attributes. SIM based authentication is also applicable for R1 devices associated with Hotspot 2.0 WLAN and RADIUS messages are proxied to the external AAA server.

R2 devices are associated with Hotspot 2.0 WLAN on receiving the PPS-MO from the controller. Alternatively R2 devices can also get PPS-MO from remote OSU server and RADIUS request is proxied to external AAA server during access.

NOTE: For this release, TTLS RADIUS authentication is supported. There is no support for EAP-SIM.

SIM Based Authentication - Access Request

SIM based authentication for Hotspot 2.0 devices is similar to EAP - Full Authentication – 3GPP Solution. In addition to the parameters mentioned in each of the following RADIUS access-accept, the table lists the attributes specific to Hotspot 2.0.

• RADIUS Access Request [ID]
• RADIUS Access Request [EAP Response (NONCE_MT)]
• RADIUS Access Request [EAP Response (SRES)]

TABLE 25 Hotspot 2.0 RADIUS access request attributes
Attribute | Attribute ID | Presence | Type | Description
Vendor-Specific | 26 | C | String | Vendor ID: 40808; Vendor Type: 2; VSA: AP Version; VSA Length: Variable. This attribute indicates version 0 as R1 compliant AP and version 1 as R2 compliant AP.
Vendor-Specific | 26 | C | String | Vendor ID: 40808; Vendor Type: 3; VSA: Mobile Device Version; VSA Length: Variable. This attribute indicates version 0 as R1 compliant AP and version 1 as R2 compliant AP. Version 1 also includes the update identifier details.

R2 Device Access Authentication

In the R2 device authentication where PPS-MO is provisioned by an external OSU, RADIUS access request is always proxied to the remote AAA server when the device connects to the Hotspot 2.0 WLAN. RAC proxies the request to the AAA server based on the realm configuration defined in Services&Profiles > Hotspot 2.0 of the controller web interface. The figure shows the call flow for R2 devices when PPS-MO is received from external OSU. RAC does not decode the EAP payload and certificate details. It merely proxies the request based on the RADIUS user name attribute used in the request.

FIGURE 5 R2 device access authentication

Access Request

The table lists the attributes specific to Hotspot 2.0.

TABLE 26 Hotspot 2.0 RADIUS access request attributes
Attribute | Attribute ID | Presence | Type | Description
Vendor-Specific | 26 | C | String | Vendor ID: 40808; Vendor Type: 2; VSA: AP Version; VSA Length: Variable. This attribute indicates version 0 as R1 compliant AP and version 1 as R2 compliant AP.
Vendor-Specific | 26 | C | String | Vendor ID: 40808; Vendor Type: 3; VSA: Mobile Device Version; VSA Length: Variable. This attribute indicates version 0 as R1 compliant AP and version 1 as R2 compliant AP. Version 1 also includes the update identifier details.
NOTE
R2 access requests will have similar attributes as captured in EAP Full Authentication, with a few exceptions:
• The Username in the access request will have the value 'anonymous@realm.com'. 'Realm.com' will vary depending on the NAI realm configured in the PPS-MO.
• The EAP message will carry an EAP-TTLS payload. It will be used to exchange certificate details and MSCHAPv2 credentials, unlike EAP carrying EAP SIM credentials such as RAND, SRES, and Kc in EAP-SIM.

Access Response

The table lists the attributes specific to Hotspot 2.0. An HS 2.0 R2 call will have RADIUS responses such as multiple access challenges and Access Accept, as captured for EAP SIM full authentication. See the note at the end of the table.

TABLE 27 Hotspot 2.0 RADIUS access response attributes

| Attribute | Attribute ID | Presence | Type | Description |
| --- | --- | --- | --- | --- |
| Vendor-Specific | 26 | C | String | Vendor ID: 40808; Vendor Type: 1; VSA: Subscription Remediation Needed; VSA Length: Variable. This attribute provides the remediation URL. |
| Vendor-Specific | 26 | C | String | Vendor ID: 40808; Vendor Type: 4; VSA: De-authentication Request; VSA Length: Variable. This attribute is applicable only for R2 devices. It gives the de-authenticated URL and the re-authentication delay. |
| Vendor-Specific | 26 | C | String | Vendor ID: 40808; Vendor Type: 5; VSA: Session Information URL; VSA Length: Variable. This attribute provides the URL details seen before session termination. |

NOTE
The EAP message for the HS 2.0 R2 call will have TLS and MSCHAPv2 credentials instead of SIM.

NOTE
Attributes such as Client Hello and Server Hello are standard TLS 1.0 specific attributes and are embedded within EAP. For details refer to RFC 2246.
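The Hotspot 2.0 VSAs in the tables above travel inside Vendor-Specific (26) attributes, so a AAA server or monitoring tool has to walk two nested length fields taken from the network. The following is an added example, not code from this guide or from Ruckus: it extracts the Vendor ID 40808 VSAs, names them per Tables 25 to 27, and separates those that do not belong in the given message direction. It assumes the RFC 2865 recommended sub-attribute layout (1-byte vendor type, 1-byte vendor length); the function names and the sample bytes are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26
WFA_VENDOR_ID = 40808

# vendor type -> (VSA name, message it is listed for), from Tables 25-27.
HS20_VSAS = {
    1: ("Subscription Remediation Needed", "response"),
    2: ("AP Version", "request"),
    3: ("Mobile Device Version", "request"),
    4: ("De-authentication Request", "response"),
    5: ("Session Information URL", "response"),
}


class MalformedAttribute(ValueError):
    """Raised when a length field does not fit the enclosing buffer."""


def iter_tlvs(buf, what):
    """Yield (type, value) from a run of 1-byte type / 1-byte length TLVs."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise MalformedAttribute(f"truncated {what} header at offset {pos}")
        tlv_type, tlv_len = buf[pos], buf[pos + 1]
        # The length covers the 2 header bytes and must stay inside the buffer.
        if tlv_len < 2 or pos + tlv_len > len(buf):
            raise MalformedAttribute(f"{what} {tlv_type}: length {tlv_len} does not fit")
        yield tlv_type, buf[pos + 2:pos + tlv_len]
        pos += tlv_len


def classify_hs20_vsas(attributes, direction):
    """Return (expected, unexpected) lists of (name, raw value) for Vendor ID 40808.

    direction is "request" or "response"; VSAs of other vendors are skipped.
    """
    expected, unexpected = [], []
    for attr_type, value in iter_tlvs(attributes, "attribute"):
        if attr_type != VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise MalformedAttribute("Vendor-Specific value shorter than Vendor-Id")
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id != WFA_VENDOR_ID:
            continue
        for vendor_type, data in iter_tlvs(value[4:], "sub-attribute"):
            name, where = HS20_VSAS.get(vendor_type, (f"unknown type {vendor_type}", None))
            (expected if where == direction else unexpected).append((name, data))
    return expected, unexpected


def build_attr(attr_type, value):
    """Encode one TLV (used here only to construct the sample)."""
    return bytes([attr_type, len(value) + 2]) + value


def build_vsa(vendor_id, vendor_type, data):
    return build_attr(VENDOR_SPECIFIC,
                      struct.pack("!I", vendor_id) + build_attr(vendor_type, data))


# Constructed sample: attribute area of an R2 Access-Request. The value bytes
# of the two Hotspot 2.0 VSAs are placeholders and are not decoded further.
SAMPLE_REQUEST = (
    build_attr(1, b"anonymous@realm.com")           # User-Name
    + build_vsa(WFA_VENDOR_ID, 2, b"\x01")          # AP Version
    + build_vsa(25053, 3, b"guest-wlan")            # Ruckus-SSID, other vendor
    + build_vsa(WFA_VENDOR_ID, 3, b"\x01\x00\x2a")  # Mobile Device Version
)

if __name__ == "__main__":
    ok, odd = classify_hs20_vsas(SAMPLE_REQUEST, "request")
    print("expected:", ok)
    print("unexpected:", odd)
```

A non-empty second list, or a `MalformedAttribute`, is worth logging together with the NAS address, since neither should occur with a conforming AP.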
R2 Device Onboarding

The UE can onboard with a controller using AAA credentials, where the controller proxies the onboarding requests to AAA.

Onboarding Access Request

The details in the access request are as follows:

TABLE 28 Onboarding Access Request

| Attribute | Attribute ID | Presence | Type | Description |
| --- | --- | --- | --- | --- |
| NAS-Port-Type | 61 | M | Integer | Indicates the physical port type of NAS, which authenticates the user. |
| NAS-Port | 5 | O | Integer | This attribute indicates the physical port number of the NAS which authenticates the user. The controller uses the association ID for the STA in the AP to represent this. |
| User-Name | 1 | M | String | Indicates the name of the user for authentication. |
| User-Password | 2 | C | String | This attribute indicates the password of the user to be authenticated. It is mandatory for PAP authentication. |
| Calling Station ID | 31 | O | String | This attribute will contain the Calling Station ID as received from NAS during authentication or the accounting procedure. |
| Message Authenticator | 80 | O | Octets | This attribute is used to sign access requests to prevent spoofing access requests using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet - HMAC-MD5 (Type \| Identifier \| Length \| Request Authenticator \| Attributes). |
| NAS-IP-address | 4 | C | IP Address | This attribute is the IP address of the AP which is serving the station or controller's control IP address, controller's management IP address and user defined value. |
| Proxy-State | 33 | O | Octets | This attribute is available to be sent by a proxy server to another server. |

Onboarding Access Response

The details in the access response are as follows:

TABLE 29 Onboarding Access Response

| Attribute | Attribute ID | Presence | Type | Description |
| --- | --- | --- | --- | --- |
| Proxy-State | 33 | O | Octets | This attribute is available to be sent by a proxy server to another server. |
| Filter-Id | 11 | O | String | Represents the User Role name sent by AAA. This is used by SCG to map the received Group Role Name to the UTP profile and forward the corresponding ACL/rate limiting parameters to NAS. NAS enforces the UTP for the given user. Filter-Id might be included in access accept irrespective of a WISPr, 802.1x or HS 2.0 call. |
| WISPr uplink | 26 | O | Integer | Vendor ID: WISPr: 14122; VSA: WISPr-Bandwidth-Max-UP (7); VSA Length: Variable. The attribute contains the maximum uplink value in bits per second. |
| WISPr downlink | 26 | O | Integer | Vendor ID: WISPr: 14122; VSA: WISPr-Bandwidth-Max-DOWN (8); VSA Length: Variable. The attribute contains the maximum downlink value in bits per second. |

Hotspot 2.0 VSAs

There are vendor specific attributes for Hotspot 2.0, as mandated by the WFA Hotspot 2.0 specifications, along with the regular RADIUS message attributes (as per RFC 2865). The figure indicates the VSA fields in a Hotspot 2.0 subscription remediation flow.

FIGURE 6 Hotspot 2.0 VSA fields

AP Initiated Accounting Messages

• AP Initiated Accounting Messages (PDG/LBO Sessions)
• Accounting Start Messages
• Accounting Interim Update and Stop Messages
• Accounting On Messages
• Accounting Off Messages

AP Initiated Accounting Messages (PDG/LBO Sessions)

The controller honors RADIUS accounting messages received from the AP, for both Ruckus APs and 3rd party APs. For accounting messages from the AP, the controller generates W-AN-CDR/S-CDR/W-CDR as configured in the controller UI (non-proxy mode), or proxies the accounting messages received from the AP to the configured external AAA server (proxy mode). The figure shows the controller proxying accounting messages from NAS to the external AAA server.

FIGURE 7 AP initiated accounting messages

This section covers:
• Accounting Start Messages on page 58
• Accounting Interim Update and Stop Messages on page 60
• Accounting On Messages on page 63
• Accounting Off Messages on page 64

Accounting Start Messages

The table lists the attribute details of messages sent by the controller to the AAA server.

TABLE 30 Accounting start message attributes

| Attribute | Attribute ID | Presence | Type | Description |
| --- | --- | --- | --- | --- |
| User-Name | 1 | M | String | The username of the given accounting session. |
| NAS-IP-Address | 4 | C | IP Address | This attribute is the IP address of the AP which is serving the station or user equipment, controller's control IP address, controller's management IP address and user defined value. |
| NAS-Port | 5 | O | Integer | This attribute indicates the physical port number of the NAS which authenticates the user. The controller uses the association ID for the STA in the AP to represent this. |
| Framed-IP-Address | 8 | O | IP Address | This attribute indicates the address to be configured for the user. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-SSID (3); VSA Length: Variable. Reports the associated WLAN's SSID in access request and accounting packet. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-Location (5); VSA Length: Variable. Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-CBLADE-IP (7); VSA Length: 6. Reports the control plane IP address. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-DBLADE-IP (8); VSA Length: 6. Reports the data plane IP address. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Called Station ID | 30 | O | Integer | This attribute supports two kinds of formats, namely BSSID:SSID, where BSSID is the MAC address of the WLAN on AP, and AP-MAC:SSID, where AP-MAC is the MAC address of AP. The letters in the MAC address are in uppercase. For example: 11-22-33-AA-BB-CC:SSID. |
| Calling Station ID | 31 | O | String | Allows NAS to send the ID (UE MAC), which indicates as to who is calling the STA's MAC address. The letters in the MAC address are in uppercase. For example: 11-22-33-AA-BB-CC. |
| NAS-Identifier | 32 | C | Integer | NAS-IP-Address or NAS-Identifier attribute is mandatory in received messages. It supports 3 types of values, namely BSSID (MAC address of the WLAN on AP), AP-MAC (MAC address of AP) and user defined address (maximum length of 62). |
| Proxy-State | 33 | C | Octets | This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response. |
| Acct-Status-Type | 40 | M | Integer | This attribute indicates whether the Accounting-Request attribute marks the beginning of the user service (Start). Start value is 1. |
| Acct-Delay-Time | 41 | C | Integer | This is a configurable option and by default this attribute is disabled. In case the accounting message gets retransmitted, this attribute contains the time stamp of the consecutive retransmitted message. |
| Acct-Session-ID | 44 | M | Integer | This attribute is a unique accounting identity to facilitate easy matching of start, interim and stop records in a log file. The start, interim and stop records for a given session must have the same Acct-Session-ID. |
| Acct-Authentic | 45 | M | Integer | This attribute indicates whether the user was authenticated through RADIUS server or NAS or remote authentication protocol. |
| Acct-Multi-Session-ID | 50 | O | Integer | This attribute is a unique Accounting ID, to link multiple related sessions in a log file. |
| Acct-Link-Count | 51 | O | Integer | Count of links in a multi-link session, when an accounting record is generated. |
| Event-Timestamp | 55 | O | Integer | This attribute is included in the accounting-request packet for recording the time in seconds that the event occurred on NAS. For example, January 1, 2013 00:00 UTC. |
| NAS-Port-Type | 61 | O | Integer | Indicates the physical port type of NAS, which authenticates the user. |
| Connect-Info | 77 | O | String | This attribute is sent from the NAS to indicate the nature of the user's connection. |
| Chargeable User ID | 89 | C | String | This attribute is MSISDN or any chargeable user identity returned by the AAA server. |
| Location-Information | 127 | C | Octets | This is a composite attribute, which provides meta data about the location information. It is encoded as per RFC 5580. NOTE: This attribute is included only when the expected location delivery method is accounting request as specified in RFC 5580. |
| Location-Data | 128 | M | String | This attribute contains the actual location information. It is encoded as per RFC 5580. NOTE: This attribute is included only when the expected location delivery method is accounting request as specified in RFC 5580. |
| Basic-Location-Policy-Rules | 129 | C | Octets | This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. NOTE: This attribute is included only when the expected location delivery method is accounting request as specified in RFC 5580. |
| Extended-Location-Policy-Rules | 130 | C | Octets | This attribute provides the extended privacy policy for the target whose location is specified. This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. NOTE: This attribute is included only when the expected location delivery method is accounting request as specified in RFC 5580. |
Accounting Interim Update and Stop Messages

The table lists the attribute details of messages sent by the controller to AAA.

TABLE 31 Accounting interim update and stop message attributes

| Attribute | Attribute ID | Presence | Type | Description |
| --- | --- | --- | --- | --- |
| User-Name | 1 | M | String | The username of the given accounting session. |
| NAS-IP-Address | 4 | C | IP Address | This attribute is the IP address of the AP which is serving the station or controller's control IP address, controller's management IP address and user defined value. |
| NAS-Port | 5 | O | Integer | This attribute indicates the physical port number of the NAS which authenticates the user. The controller uses the association ID for the STA in the AP to represent this. |
| Framed-IP-Address | 8 | O | IP Address | This attribute indicates the address to be configured for the user. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-STA-RSSI (2); VSA Length: 6. UE reports the current RSSI value in the accounting packet. Ruckus VSA is received only from Ruckus AP. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-SSID (3); VSA Length: Variable. Reports the associated WLAN's SSID in the access request and accounting packet. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-Location (5); VSA Length: Variable. Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-CBLADE-IP (7); VSA Length: 6. Reports the control plane IP address. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-DBLADE-IP (8); VSA Length: 6. Reports the data plane address. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Called Station ID | 30 | O | Integer | This attribute allows NAS to send the ID (BSSID), which is called by the user. It is MAC of the AP. It supports 2 types of values, namely BSSID:SSID, where BSSID is the MAC address of the WLAN on AP. The second value is AP-MAC:SSID, where AP-MAC is the MAC address of the AP. The letters in the MAC address are in uppercase. For example: 11-22-33-AA-BB-CC:SSID |
| Calling Station ID | 31 | O | String | Allows NAS to send the ID (UE MAC), which indicates as to who is calling this server. |
| NAS-Identifier | 32 | C | Integer | NAS-IP-Address or NAS-Identifier attribute is mandatory in received messages. It supports 3 types of values, namely BSSID (MAC address of the WLAN on AP), AP-MAC (MAC address of AP) and user defined address (maximum length of 62). |
| Proxy-State | 33 | O | Octets | This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response. |
| Acct-Status-Type | 40 | M | Integer | Value differs based on message type. Attribute interim update has the value 3 and stop has the value 2. |
| Acct-Delay-Time | 41 | C | Integer | This is a configurable option and by default this attribute is disabled. In case the accounting message gets retransmitted, this attribute contains the time stamp of the consecutive retransmitted message. |
| Acct-Input-Octets | 42 | M | Integer | This attribute indicates the number of octets received from the port over the course of the service provided. This attribute is present in Acct-Status-Type = Interim, Stop. |
| Acct-Output-Octets | 43 | M | Integer | This attribute indicates the number of octets sent to the port in the course of delivering this service. |
| Acct-Session-ID | 44 | M | Integer | This attribute is a unique accounting identity to facilitate easy matching of start, interim and stop records in a log file. The start, interim and stop records for a given session must have the same Acct-Session-ID. |
| Acct-Authentic | 45 | M | Integer | This attribute indicates whether the user was authenticated through RADIUS server or NAS or remote authentication protocol. |
| Acct-Session-Time | 46 | M | Integer | This attribute indicates the number of seconds for receiving the service. |
| Acct-Input-Packets | 47 | M | Integer | This attribute indicates the number of packets received from the port over the course of the service provided to a framed user. |
| Acct-Output-Packets | 48 | M | Integer | This attribute indicates the number of packets sent from the port over the course of the service provided to a framed user. |
| Acct-Terminate-Cause | 49 | M | Integer | This attribute indicates how the session was terminated. This attribute can only be present in accounting request records where the Acct-Status-Type is set to Stop. |
| Acct-Multi-Session-ID | 50 | O | Integer | This attribute is a unique Accounting ID, linking multiple related sessions in a log file. |
| Acct-Link-Count | 51 | O | Integer | Count of links in a multi-link session, when an accounting record is generated. |
| Acct-Input-Gigawords | 52 | M | Integer | This attribute indicates the number of times that the Acct-Input-Octets counter wraps around 2^32 over the course of this provided service. |
| Acct-Output-Gigawords | 53 | M | Integer | This attribute indicates the number of times the Acct-Output-Octets counter is wrapped around 2^32 in the course of delivering this service. |
| Event-Timestamp | 55 | O | Integer | This attribute is included in the accounting request packet to record the time (in seconds) that this event occurred on NAS. For example, January 1, 2013 00:00 UTC. |
| NAS-Port-Type | 61 | O | Integer | Indicates the physical port type of NAS, which authenticates the user. |
| Connect-Info | 77 | O | String | This attribute is sent from the NAS to indicate the nature of the user's connection. |
| Chargeable User ID | 89 | C | String | AP includes Chargeable User ID attribute along with the values received from the AAA server. |
| Location-Information | 127 | C | Octets | This is a composite attribute, which provides meta data about the location information. It is encoded as per RFC 5580. NOTE: This attribute is included only when the expected location delivery method is accounting request as specified in RFC 5580. |
| Location-Data | 128 | M | String | This attribute contains the actual location information. It is encoded as per RFC 5580. NOTE: This attribute is included only when the expected location delivery method is accounting request as specified in RFC 5580. |
| Basic-Location-Policy-Rules | 129 | C | Octets | This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. NOTE: This attribute is included only when the expected location delivery method is accounting request as specified in RFC 5580. |
| Extended-Location-Policy-Rules | 130 | C | Octets | This attribute provides the extended privacy policy for the target whose location is specified. This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. NOTE: This attribute is included only when the expected location delivery method is accounting request as specified in RFC 5580. |

Accounting On Messages

The table lists the attribute details of messages sent by the controller to the AAA server.

TABLE 32 Accounting on message attributes

| Attribute | Attribute ID | Presence | Type | Description |
| --- | --- | --- | --- | --- |
| User-Name | 1 | M | String | The username of the given accounting session. |
| NAS-IP-Address | 4 | C | IP Address | This attribute is the IP address of the AP which is serving the station or controller's control IP address, controller's management IP address and user defined value. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-SSID (3); VSA Length: Variable. Reports the associated WLAN's SSID in the access request and accounting packet. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-Location (5); VSA Length: Variable. Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-CBLADE-IP (7); VSA Length: 6. Reports the control plane IP address. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-DBLADE-IP (8); VSA Length: 6. Reports the data plane IP address. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Called Station ID | 30 | O | Integer | This attribute allows NAS to send the ID (BSSID), which is called by the user. It is MAC of the AP. It supports 2 types of values, namely BSSID:SSID, where BSSID is the MAC address of the WLAN on AP. The second value is AP-MAC:SSID, where AP-MAC is the MAC address of the AP. The letters in the MAC address are in uppercase. For example: 11-22-33-AA-BB-CC:SSID |
| NAS-Identifier | 32 | C | Integer | NAS-IP-Address or NAS-Identifier attribute is mandatory in received messages. It supports 3 types of values, namely BSSID (MAC address of the WLAN on AP), AP-MAC (MAC address of AP) and user defined address (maximum length of 62). |
| Proxy-State | 33 | O | Octets | This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response. |
| Acct-Status-Type | 40 | M | Integer | This attribute indicates whether the Accounting-Request attribute marks it as Accounting-On (7) and Accounting-Off (8). |
| Acct-Delay-Time | 41 | C | Integer | In case the accounting message gets retransmitted, this attribute contains the time stamp of the consecutive retransmitted message. |
| Acct-Authentic | 45 | M | Integer | This attribute indicates whether the user was authenticated through RADIUS server or NAS or Remote authentication protocol. |
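The start, interim update and stop tables above imply several consistency rules that a AAA server or log pipeline can enforce on the records of one session. The following is an added example, not code from this guide: it checks a decoded record stream against the Acct-Session-ID, Acct-Status-Type, Acct-Terminate-Cause, Called Station ID and Gigawords rules. Records are assumed to be already decoded into dictionaries keyed by the attribute names used in the tables; the function names and sample records are constructed for illustration.

```python
import re

START, STOP, INTERIM = 1, 2, 3     # Acct-Status-Type values from Tables 30 and 31
# Uppercase MAC followed by ":SSID", as in the 11-22-33-AA-BB-CC:SSID example.
CALLED_STATION_RE = re.compile(r"^[0-9A-F]{2}(-[0-9A-F]{2}){5}:.+$")


def total_octets(record, direction):
    """Combine Acct-<direction>-Gigawords (wraps of 2^32) with Acct-<direction>-Octets."""
    wraps = record.get(f"Acct-{direction}-Gigawords", 0)
    return (wraps << 32) + record.get(f"Acct-{direction}-Octets", 0)


def check_session(records):
    """Return a list of findings for one session's records, given in arrival order."""
    if not records:
        return ["no records"]
    findings = []
    if len({r.get("Acct-Session-ID") for r in records}) != 1:
        findings.append("records carry different Acct-Session-ID values")
    types = [r.get("Acct-Status-Type") for r in records]
    if types[0] != START:
        findings.append("first record is not Start")
    if STOP in types[:-1]:
        findings.append("record received after Stop")

    last_total = {"Input": 0, "Output": 0}
    for i, rec in enumerate(records):
        status = rec.get("Acct-Status-Type")
        if "Acct-Terminate-Cause" in rec and status != STOP:
            findings.append(f"record {i}: Acct-Terminate-Cause outside Stop")
        called = rec.get("Called Station ID")
        if called is not None and not CALLED_STATION_RE.match(called):
            findings.append(f"record {i}: Called Station ID is not uppercase MAC:SSID")
        if status in (INTERIM, STOP):
            for direction in ("Input", "Output"):
                total = total_octets(rec, direction)
                # Compare the 64-bit total: the 32-bit octet counter alone
                # legitimately drops when it wraps.
                if total < last_total[direction]:
                    findings.append(f"record {i}: {direction} octet total went backwards")
                last_total[direction] = total
    return findings


# Constructed sample: a clean session whose input counter wraps once.
GOOD_SESSION = [
    {"Acct-Session-ID": "5F3A-0001", "Acct-Status-Type": START,
     "Called Station ID": "11-22-33-AA-BB-CC:SSID"},
    {"Acct-Session-ID": "5F3A-0001", "Acct-Status-Type": INTERIM,
     "Acct-Input-Octets": 4294967000, "Acct-Input-Gigawords": 0,
     "Acct-Output-Octets": 1000, "Acct-Output-Gigawords": 0},
    {"Acct-Session-ID": "5F3A-0001", "Acct-Status-Type": INTERIM,
     "Acct-Input-Octets": 1200, "Acct-Input-Gigawords": 1,
     "Acct-Output-Octets": 2000, "Acct-Output-Gigawords": 0},
    {"Acct-Session-ID": "5F3A-0001", "Acct-Status-Type": STOP,
     "Acct-Input-Octets": 5000, "Acct-Input-Gigawords": 1,
     "Acct-Output-Octets": 3000, "Acct-Output-Gigawords": 0,
     "Acct-Terminate-Cause": 1},
]

# Constructed sample: records that break four of the rules.
BAD_SESSION = [
    {"Acct-Session-ID": "A", "Acct-Status-Type": START,
     "Called Station ID": "11-22-33-aa-bb-cc:SSID"},
    {"Acct-Session-ID": "A", "Acct-Status-Type": INTERIM,
     "Acct-Input-Octets": 9000, "Acct-Terminate-Cause": 1},
    {"Acct-Session-ID": "B", "Acct-Status-Type": STOP,
     "Acct-Input-Octets": 100, "Acct-Terminate-Cause": 1},
]

if __name__ == "__main__":
    print(check_session(GOOD_SESSION))
    for finding in check_session(BAD_SESSION):
        print(finding)
```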
Accounting Off Messages

The table lists the attribute details of messages sent by the controller to the AAA server.

TABLE 33 Accounting off message attributes

| Attribute | Attribute ID | Presence | Type | Description |
| --- | --- | --- | --- | --- |
| User-Name | 1 | M | String | The username of the given accounting session. |
| NAS-IP-Address | 4 | C | IP Address | This attribute is the IP address of the AP which is serving the station or controller's control IP address, controller's management IP address and user defined value. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-SSID (3); VSA Length: Variable. Reports the associated WLAN's SSID in access request and accounting packet. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-Location (5); VSA Length: Variable. Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-CBLADE-IP (7); VSA Length: 6. Reports the control plane IP address. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-DBLADE-IP (8); VSA Length: 6. Reports the data plane IP address. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Called Station ID | 30 | O | Integer | This attribute allows NAS to send the ID (BSSID), which is called by the user. It is MAC of the AP. It supports 2 types of values, namely BSSID:SSID, where BSSID is the MAC address of the WLAN on AP. The second value is AP-MAC:SSID, where AP-MAC is the MAC address of the AP. The letters in the MAC address are in uppercase. For example: 11-22-33-AA-BB-CC:SSID. |
| NAS-Identifier | 32 | C | Integer | NAS-IP-Address or NAS-Identifier attribute is mandatory in received messages. It supports 3 types of values, namely BSSID (MAC address of the WLAN on AP), AP-MAC (MAC address of AP) and user defined address (maximum length of 62). |
| Proxy-State | 33 | O | Octets | This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response. |
| Acct-Status-Type | 40 | M | Integer | This attribute indicates whether the Accounting-Request attribute marks it as Accounting-On (7) and Accounting-Off (8). |
| Acct-Delay-Time | 41 | C | Integer | In case the accounting message gets retransmitted, this attribute contains the time stamp of the consecutive retransmitted message. |
| Acct-Authentic | 45 | M | Integer | This attribute indicates whether the user was authenticated through RADIUS server or NAS or Remote authentication protocol. |

AAA Server Dynamic Authorization and List of Vendor Specific Attributes

• Dynamic Authorization and List of Vendor Specific Attributes - AAA Server
• Service Authorization
• List of Vendor Specific Attributes

Dynamic Authorization and List of Vendor Specific Attributes - AAA Server

The AAA server initiates messages to the controller signaling an authorization change, as described in RFC 5176, Dynamic Authorization Extensions to RADIUS. This occurs when modifications are made to the subscriber GPRS profile at the HLR (via OAM). Reference TS 29.234 describes these procedures on the Wm reference point using the Diameter protocol. The following sections list the message flow attributes utilized for the RADIUS Dynamic Authorization Extension. Change of Authorization (CoA) and Disconnect Message (DM) messages can have any of the following attributes as a session identifier.

• User name
• CUI with MSISDN
• Acct-Sess-Id (Session identification attribute)

Service Authorization

A change in service authorization is initiated at the AAA server. For example, when the AAA server receives a MAP-InsertSubscriberData from the HLR along with the modified GPRS profile information (QoS) or is modified for any other reason, the controller AAA proxy intercepts the CoA request. It checks if the CoA message contains a session identification attribute (such as user name) as well as attributes indicating the authorization changes (new QoS). Depending on these attributes the call flows could vary.

If the CoA request contains a session identification and the attribute service-type (6) is set to authorize-only, the controller responds with CoA NAK, since the controller does not support CoA with service-type as authorize-only. If the CoA request does not contain the service-type (6) attribute, the message must contain session identification attributes as well as authorization attributes (QoS).

The controller supports RADIUS CoA (Change-of-Authorization) in limited form. RADIUS CoA is supported only for modifying the QoS profile when subscriber traffic is tunneled to the core network (Gn and S2a) interface. It is also supported when traffic originates from Ruckus Wireless or from 3rd Party APs.
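The CoA handling rules in this section can be written as a small decision procedure. The following is an added example, not the controller's implementation: it returns CoA NAK for Service-Type Authorize-Only, requires a session identifier plus at least one authorization attribute, and applies the change only when every identifying attribute supplied matches exactly one entry in the session table (the "if present should match the session context table" rule of the CoA attribute table). The Authorize-Only value 17 comes from RFC 5176; the function name, the dictionary representation, the choice of which attributes count as authorization attributes, and the sample sessions are assumptions made for illustration.

```python
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45   # message codes from Tables 34-36
AUTHORIZE_ONLY = 17                           # Service-Type value, RFC 5176

# Any one of these identifies the session (User name, CUI, Acct-Sess-Id).
SESSION_IDENTIFIERS = ("User-Name", "Chargeable User ID", "Acct-Session-ID")
# Attributes that must agree with the session table whenever they are supplied.
MATCH_IF_PRESENT = SESSION_IDENTIFIERS + (
    "NAS-IP-Address", "NAS-Identifier", "NAS-Port", "Framed-IP-Address",
    "Calling Station ID", "Acct-Multi-Session-Id",
)
# Assumption: attributes from Table 34 treated here as the authorization change.
AUTHORIZATION_ATTRS = (
    "Negotiated-QoS-Profile", "Filter-Id", "WISPr-Bandwidth-Max-UP",
    "WISPr-Bandwidth-Max-DOWN", "Session-Timeout", "Idle-Timeout",
)


def evaluate_coa(request, session_table):
    """Return (response, reason, matched_session) for one decoded CoA request."""
    def nak(reason):
        return {"Code": COA_NAK}, reason, None

    if request.get("Service-Type") == AUTHORIZE_ONLY:
        return nak("Service-Type Authorize-Only is not supported")
    if not any(name in request for name in SESSION_IDENTIFIERS):
        return nak("no session identification attribute")
    changes = sorted(name for name in AUTHORIZATION_ATTRS if name in request)
    if not changes:
        return nak("no authorization attribute to apply")

    supplied = {k: request[k] for k in MATCH_IF_PRESENT if k in request}
    matches = [s for s in session_table
               if all(s.get(k) == v for k, v in supplied.items())]
    # Zero matches: unknown or mismatched session. More than one: the request
    # is ambiguous, so no subscriber's authorization is changed.
    if len(matches) != 1:
        return nak(f"{len(matches)} sessions match the supplied identifiers")

    response = {"Code": COA_ACK}
    if "State" in request:                     # copied unmodified into the Ack
        response["State"] = request["State"]
    return response, "apply " + ", ".join(changes), matches[0]


# Constructed sample: two sessions of the same user on different APs.
SESSIONS = [
    {"User-Name": "alice@example.net", "Acct-Session-ID": "5F3A-0001",
     "NAS-Identifier": "11-22-33-AA-BB-CC", "Framed-IP-Address": "10.0.0.21"},
    {"User-Name": "alice@example.net", "Acct-Session-ID": "5F3A-0002",
     "NAS-Identifier": "11-22-33-AA-BB-DD", "Framed-IP-Address": "10.0.0.22"},
]

if __name__ == "__main__":
    requests = [
        {"Acct-Session-ID": "5F3A-0001", "Filter-Id": "gold", "State": b"\x01"},
        {"User-Name": "alice@example.net", "Service-Type": AUTHORIZE_ONLY},
        {"User-Name": "alice@example.net", "Filter-Id": "gold"},
    ]
    for req in requests:
        print(evaluate_coa(req, SESSIONS)[:2])
```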
NOTE Refer to the Authentication and Authorization section for this procedure.

Change of Authorization (CoA) Messages - Not Set to Authorize Only

The table lists the attribute details of CoA messages where the service type AVP is not set.

CoA can have any of the following attributes as session identifier:
• User name
• CUI with MSISDN
• Acct-Sess-Id

TABLE 34 Change of Authorization (CoA) messages - Authorize-Only is not set

| Attribute | Attribute ID | Presence | Type/Description |
|---|---|---|---|
| Message Code | | M | 43 |
| User-Name | 1 | C | Identifies the username of the UE/subscriber to be disconnected. Username is received from NAS during authentication or accounting session. |
| NAS-IP-Address | 4 | C | This attribute is the IP address of the AP which is serving the station or user equipment, controller's control IP address, controller's management IP address and user defined value. |
| NAS-Port | 5 | O | Indicates the physical NAS port number, which authenticates the user or the port on which a session is terminated. If present, it should match the session context table. |
| 3GPP VSA (Negotiated-QoS-Profile) | 5 | O | This attribute carries the new QoS value and can be either a Ruckus-defined VSA or a 3GPP-defined VSA. NOTE: The controller uses this attribute for updating the QoS from the AAA server, whichever is present. If both are present, priority is for the 3GPP-QoS attribute. |
| Service-Type | 6 | O | This attribute indicates the type of service the user has requested, or the type of service to be provided. CoA request should be processed if present. |
| Framed-IP-Address | 8 | O | The IPv4 address associated with a session. This is the IP address that is assigned to the UE after successful call establishment. If present, it should match the session context table. |
| Filter-Id | 11 | O | Represents the user role name sent by AAA. This is used by SCG to map the received Group Role Name to the UTP profile and forward the corresponding ACL/rate limiting parameters to NAS. NAS enforces the UTP for the given user. |
| Vendor-Specific | 26 | O | Vendor ID: WISPr: 14122. VSA: WISPr-Bandwidth-Max-UP (7). VSA Length: Variable. The attribute contains the maximum uplink value in bits per second. |
| Vendor-Specific | 26 | O | Vendor ID: WISPr: 14122. VSA: WISPr-Bandwidth-Max-DOWN (8). VSA Length: Variable. The attribute contains the maximum downlink value in bits per second. |
| Session-Timeout | 27 | O | This attribute sets the maximum number of seconds of service to be provided to the user before termination of the session. |
| Idle-Timeout | 28 | O | It sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session. |
| Called Station ID | 30 | O | This attribute will contain the Called Station ID as received from NAS during authentication or the accounting procedure. |
| Calling Station ID | 31 | O | This attribute will contain the Calling Station ID as received from NAS during authentication or the accounting procedure. |
| NAS-Identifier | 32 | C | If present, it should match with the value in the controller session table. |
| Acct-Session-ID | 44 | C | This attribute should have the same value as sent by NAS during the accounting procedure. |
| State | 45 | O | This attribute is copied as is if it is received in a request from the AAA server. |
| Acct-Multi-Session-Id | 50 | O | This attribute uniquely identifies related sessions. It should have the same value received in the authentication or accounting request. If present, it should match the session context table. |
| Accounting-Interim-Interval | 85 | O | Indicates the number of seconds between each interim update for this specific session. If the value is blank, the configured default value is used as the accounting interim interval. |
| NAS-Port-Id | 87 | O | String identifying the port based on the session; it should match the session context if present in the request. |
| Chargeable User ID | 89 | C | This attribute is MSISDN or any chargeable user identity returned by the AAA server. |
| Framed-Interface-Id | 96 | O | The IPv6 interface identifier associated with a session, which is always sent with the framed-IPv6 prefix. If present, it should match the session context. |
| Framed-IPv6-Prefix | 97 | O | The IPv6 prefix associated with a session, which is always sent with the framed interface identifier. If present, it should match the session context. |

Change of Authorization Acknowledge Messages (CoA Ack)

The table lists the attributes of CoA messages being acknowledged by the controller to DAC.

TABLE 35 Change of Authorization (CoA) messages - Acknowledge

| Attribute | Attribute ID | Presence | Type/Description |
|---|---|---|---|
| Message Code | | M | 44 |
| State | 24 | C | This attribute is copied without any modification or only if it is sent in the CoA request. |

Change of Authorization Negative Acknowledge Messages (CoA NAK)

The table lists the attributes of CoA messages that are not acknowledged by the controller to the DAC.

TABLE 36 Change of Authorization (CoA) messages - Negative Acknowledge

| Attribute | Attribute ID | Presence | Type/Description |
|---|---|---|---|
| Message Code | | M | 45 |
| Service-Type | 6 | C | Indicates the type of service based on the user request or the type of service to be provided. It is included only if the Service-Type attribute is present in the CoA request and is set to authorize only. |
| State | 24 | C | This attribute is copied without any modification or only if it is sent in the CoA request. |
| Error-Cause | 101 | C | Included only if the Service-Type attribute is present in the CoA request and is set to authorize only. It is included only if the Error-Cause attribute is set to request initiated. NOTE: For other scenarios, the attribute Error-Cause will have the value as mentioned in TS. |

Disconnect Messages

The table lists the attributes of disconnect messages, which are initiated by the controller.

TABLE 37 Disconnected messages

| Attribute | Attribute ID | Presence | Type/Description |
|---|---|---|---|
| Message Code | | M | 40 |
| User-Name | 1 | M | Identifies the user name of the UE/subscriber to be disconnected. User name is received from NAS during authentication or accounting session. |
| NAS-IP-Address | 4 | C | If present, it should match with the value in the controller session table. |
| NAS-Port | 5 | O | Indicates the physical NAS port number, which authenticates the user or the port on which a session is terminated. If present, it should match the session context table. |
| Framed-IP-Address | 8 | O | The IPv4 address associated with a session. This is the IP address that is assigned to the UE after successful call establishment. If present, it should match the session context table. |
| Calling Station ID | 31 | C | This attribute will contain the Calling Station ID as received from NAS during authentication or the accounting procedure. |
| NAS-Identifier | 32 | C | It supports 3 types of values, namely BSSID (MAC address of the WLAN on AP), AP-MAC (MAC address of AP) and user defined address (maximum length of 62). |
| Acct-Session-ID | 44 | C | This attribute should have the same value as sent by NAS during the accounting procedure. |
| State | 45 | O | This attribute is copied as is if it is received in a request from the AAA server. |
| Acct-Multi-Session-Id | 50 | O | This attribute uniquely identifies related sessions. It should have the same value received in the authentication or accounting request. If present, it should match the session context table. |
| Message Authenticator | 80 | O | This attribute is used to sign access requests to prevent spoofing access requests using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet - HMAC-MD5 (Type, Identifier, Length, Request Authenticator, Attributes). |
| NAS-Port-Id | 87 | O | String identifying the port based on the session; it should match the session context if present in the request. |
| Chargeable User ID | 89 | C | This attribute is MSISDN or any chargeable user identity returned by the AAA server. |
| Framed-Interface-Id | 96 | O | The IPv6 interface identifier associated with a session, which is always sent with the framed-IPv6 prefix. If present, it should match the session context. |
| Framed-IPv6-Prefix | 97 | O | The IPv6 prefix associated with a session, which is always sent with the framed interface identifier. If present, it should match the session context. |

Acknowledgment of Disconnect Messages (DM Ack)

The table lists the attributes of disconnect messages, which are acknowledged.

TABLE 38 Acknowledgment of disconnect messages

| Attribute | Attribute ID | Presence | Type/Description |
|---|---|---|---|
| Message Code | | M | 41 |
| Acct-Terminate-Cause | 49 | O | This attribute indicates how the session was terminated. Value for Admin-Reset is set to 6. |

Negative Acknowledge of Disconnect Messages (DM NAK)

The table lists the attributes of disconnect messages, which are not acknowledged.

TABLE 39 Negative acknowledgment of disconnect messages

| Attribute | Attribute ID | Presence | Type/Description |
|---|---|---|---|
| Message Code | | M | 41 |
| Error-Cause | 101 | C | Included only if the Service-Type attribute is present in the CoA request and is set to authorize only. It is included only if the Error-Cause attribute is set to request initiated. |

Disconnect Messages - Dynamic Authorization Client (AAA server)

A disconnect request packet is sent by the Dynamic Authorization Client for terminating user session(s) on a NAS and to discard all associated session context. The disconnect request packet is sent to UDP port 3799, where it identifies the NAS as well as the user session(s) to be terminated by including the identification attributes.

Disconnected messages can have any of the following attributes as a session identifier.
• User name
• CUI with MSISDN
• Acct-Sess-Id

The table lists the attribute details of the disconnect messages, which are initiated by the dynamic authorization client of the AAA server.

TABLE 40 Disconnected messages initiated by dynamic authorization client (DAC)

| Attribute | Attribute ID | Presence | Type/Description |
|---|---|---|---|
| Message Code | | M | 40 |
| User-Name | 1 | C | Identifies the username of the UE/subscriber to be disconnected. User name is received from NAS during authentication or accounting session. |
| NAS-IP-Address | 4 | C | This attribute is the IP address of the AP which is serving the station or controller's control IP address, controller's management IP address and user defined value. |
| Calling Station ID | 31 | O | String. This attribute will contain the Calling Station ID as received from NAS during authentication or the accounting procedure. |
| NAS-Identifier | 32 | C | If present, it should match with the value in the controller session table. |
| Proxy-State | 33 | O | This attribute is available to be sent by a proxy server to another server. |
| Acct-Session-ID | 44 | C | This attribute should have the same value as sent by NAS during the accounting procedure. |
| Chargeable User ID | 89 | C | String. This attribute is MSISDN or any chargeable user identity returned by the AAA server. |

List of Vendor Specific Attributes

This section lists the vendor specific attributes. This section includes:
• WISPr Vendor Specific Attributes
• Ruckus Wireless Vendor Specific Attributes

WISPr Vendor Specific Attributes

The table lists the WISPr vendor specific attributes. The VSA ID for the following VSAs is 14122 and the type is 26.

TABLE 41 WISPr vendor specific attributes - 14122

| Attribute Name | Vendor Type | RADIUS Message Type | Purpose |
|---|---|---|---|
| WISPr-Location-ID | 1 | Access-Accept; Accounting Start - Stop | This attribute indicates the WISPr location id for the specified WISPr service. |
| WISPr-Location-Name | 2 | Access-Accept; Accounting Start - Stop and Interim | This attribute indicates the WISPr location name for the specified WISPr service. |
| WISPr-Bandwidth-Max-UP | 7 | Access-Accept | This attribute specifies the maximum rate at which the corresponding user is allowed to transmit for upstream data. |
| WISPr-Bandwidth-Max-DOWN | 8 | Access-Accept | This attribute specifies the maximum rate at which the corresponding user is allowed to transmit for downstream data. |

Ruckus Wireless Vendor Specific Attributes

All Ruckus Wireless vendor specific attributes are encoded as a sequence of:
• Vendor type
• Vendor length
• Value fields

The figure shows the VSA fields.

FIGURE 8 VSA fields

The table lists the Ruckus Wireless vendor specific attributes. The VSA ID for all the following VSAs is 25053 and the type is 26.

TABLE 42 Ruckus Wireless vendor specific attributes - 25053

| Attribute Name | Vendor Type | RADIUS Message Type | Purpose |
|---|---|---|---|
| Ruckus-User-Groups | 1 | Access-Accept | RADIUS server uses this attribute to indicate the access point group, specifying the UE group. |
| Ruckus-STA-RSSI | 2 | Accounting - Interim - Stop | This attribute reports the UE's current RSSI value in the accounting packet. |
| Ruckus-SSID | 3 | Access-Request; Accounting - Start - Interim - Stop | This attribute reports the associated WLAN's SSID in the access request and accounting packet. |
| Ruckus-WLan-ID | 4 | Access-Request; Accounting - Start - Interim - Stop | This attribute reports the associated WLAN's ID. Ruckus VSA is received only from Ruckus AP. Note: It is optional for 3rd party APs. |
| Ruckus-Location | 5 | Access-Request; Accounting - Start - Interim - Stop | This attribute reports the device location for the current/specified access point. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Ruckus-Grace-Period | 6 | Access-Request; Accounting - Start - Interim - Stop | This attribute is the grace period in Hotspot WLANs. |
| Ruckus-SCG-CBLADE-IP | 7 | Access-Request; Accounting - Start - Interim - Stop | This attribute reports the control plane IP address. |
| Ruckus-SCG-DBLADE-IP | 8 | Access-Request; Accounting - Start - Interim - Stop | This attribute reports the data plane IP address. |
| Ruckus-VLAN-ID | 9 | Access-Accept | This attribute value is as per the configuration specified on the WLAN configuration page of the controller web interface and indicates the VLAN ID when it is not zero. Refer to the figure showing the VSA fields. |
| Ruckus-Sta-Expiration | 10 | | This attribute indicates the expiration value from the RADIUS server. |
| Ruckus-Sta-UUID | 11 | | This attribute indicates the UUID value from the RADIUS server, when the UUID exists. |
| Ruckus-Accept-Enhancement-Reason | 12 | | This attribute indicates the reason from the RADIUS server, when the reason exists. |
| Ruckus-VLAN-ID | 13 | | This attribute indicates the user name from the RADIUS server, when the user exists. |
| Ruckus-IMSI | 102 | Accounting - Start - Stop | This is sent by AAA to the controller as an authorization accept RADIUS message. The controller utilizes this information to create the PDP context toward GGSN. Refer to the figure showing the VSA fields. |
| Ruckus-MSISDN | 103 | | The CUI is generally used, but MSISDN can also be used. |
| Ruckus-APN | 104 | Access-Request; Accounting - Start - Stop | This attribute carries the APN subscribed by the user. It contains only the network identifier (NI), which is part of the APN. The operator identifier part is stored separately in Ruckus-APN-OI. Note: This attribute is always sent and received as a string format, as explained in the figure showing the VSA fields. |
| Ruckus-QoS | 105 | | 3GPP-QoS is now used instead of this VSA. However, this VSA is supported in 2.1.x releases. |
| Ruckus-NAS-Type | 109 | Accounting - Start | The value for this parameter is always 1. |
| Ruckus-Status | 110 | | The Accounting Response does not have a status type. This attribute was added to inform AUT that the Accounting has failed due to the setting of this VSA. |
| Ruckus-APN-OI | 111 | Access-Accept; Accounting - Start | It contains the Operator ID, which is part of the APN name. APN NI part is sent in the Ruckus-APN attribute. Refer to the encoding as explained in Figure 8. |
| Ruckus-Session-Type | 125 | Access-Accept | The controller server uses this attribute on the access-accept to indicate the forward policy of the specific UE. |
| Ruckus-Acct-Status | 126 | Access-Accept | The controller server uses this attribute on the access accept to indicate if the authenticator needs to send the accounting start for the current/specified client. |
| Ruckus-Zone-ID | 127 | Access-Request | The controller server uses this attribute to report the zone ID to which the 3rd party AP is associated. This VSA is received only for 3rd party APs. |
| Ruckus-Auth-Server-Id | 128 | | RAS(IDM) and SCG-RACC use this attribute to obtain the AAA UUID from RAS(IDM) and SCG-RAC. |
| Ruckus-Utp-Id | 129 | | SCG-RAC and Ruckus-AP use this attribute to provide the UTP ID value to the AP. |
| Ruckus-Area-Code | 130 | | This attribute carries the area code of the NAS location. |
| Ruckus-Cell-Identifier | 131 | | This attribute carries the cell ID of the NAS location. |
| Ruckus-Wispr-Redirect-Policy | 132 | | External AAA and SCG-RAC use this attribute to get the vanilla values for the WISPrTTG feature. |
| Ruckus-Eth-Profile-Id | 133 | | Ruckus-AP and SCG-RAC use this attribute to find the Ethernet-Profile-Id for a particular session. |
| Ruckus-Zone-Name | 134 | | SCG-RAC and the external AAA use this attribute to notify the Zone that the AP belongs to. |
| Ruckus-Wlan-Name | 135 | | SCG-RAC and the external AAA use this attribute to notify the name of the WLAN that the AP belongs to. |
| Ruckus-Read-Preference | 137 | | The NBI/RAC and external AAA use this attribute to notify the primary/secondary database from where the data is to be read. |
| Ruckus-Client-Host-Name | 138 | | String. Host name of the client device accessing the network. |
| Ruckus-Client-Os-Type | 139 | | String. Operating System on the client device. |
| Ruckus-Client-Os-Class | 140 | | String. Operating System groups classes category that represent the OS related objects on the client device. |
| Ruckus-Vlan-Pool | 141 | | String. List of VLAN identifiers supported for the WLAN. This attribute can be found only in RADIUS Access-Accept. APs use the MAC hashing to find the proper VLAN ID from the VLAN pool dynamically and tag all the user equipment data traffic. |
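The Message Authenticator row of the disconnect table and the vendor type / vendor length / value encoding above can both be checked on the receiving side before a CoA or Disconnect request is acted on. The Python below is an added example, not code from the guide or from Ruckus: it verifies the Request Authenticator and Message-Authenticator as RFC 5176 defines them for these requests and decodes WISPr (14122) and Ruckus (25053) VSAs. It assumes the RFC 2865 sub-attribute layout (vendor length counts its own two header octets); the helper names, shared secret and sample packet are constructed.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43       # message codes from the guide
VENDOR_SPECIFIC, MESSAGE_AUTHENTICATOR = 26, 80
WISPR, RUCKUS = 14122, 25053                   # vendor IDs from the guide
ZERO16 = bytes(16)

def attr(attr_type, value):
    """Encode one attribute: type, length (including the 2-byte header), value."""
    return bytes([attr_type, len(value) + 2]) + value

def vsa(vendor_id, vendor_type, value):
    """Encode a type-26 attribute holding one vendor type/length/value field."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + attr(vendor_type, value))

def parse_tlvs(data):
    """Split bytes into (type, value, value_offset), rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((data[i], data[i + 2:i + data[i + 1]], i + 2))
        i += data[i + 1]
    return out

def build_request(code, ident, attrs, secret):
    """Build a signed request; used here only to construct the sample input."""
    body = attrs + attr(MESSAGE_AUTHENTICATOR, ZERO16)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    mac = hmac.new(secret, head + ZERO16 + body, hashlib.md5).digest()
    body = body[:-16] + mac
    return head + hashlib.md5(head + ZERO16 + body + secret).digest() + body

def verify_request(packet, secret, require_mac=True):
    """Return (code, [(type, value)]) once both authenticators verify, else raise."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST) or length != len(packet):
        raise ValueError("unexpected code or length")
    body = packet[20:]
    # Request Authenticator = MD5(code, id, length, 16 zero octets, attributes, secret)
    expected = hashlib.md5(packet[:4] + ZERO16 + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Request Authenticator")
    tlvs, zeroed, macs = parse_tlvs(body), bytearray(body), []
    for attr_type, value, offset in tlvs:
        if attr_type == MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                raise ValueError("bad Message-Authenticator length")
            macs.append(value)
            zeroed[offset:offset + 16] = ZERO16
    if len(macs) > 1 or (require_mac and not macs):
        raise ValueError("missing or repeated Message-Authenticator")
    # HMAC-MD5 over the packet with both authenticator fields taken as zeros
    if macs:
        mac = hmac.new(secret, packet[:4] + ZERO16 + bytes(zeroed), hashlib.md5).digest()
        if not hmac.compare_digest(mac, macs[0]):
            raise ValueError("bad Message-Authenticator")
    return code, [(t, v) for t, v, _ in tlvs]

def decode_vsas(attrs):
    """Map (vendor_id, vendor_type) -> value for every Vendor-Specific attribute."""
    out = {}
    for attr_type, value in attrs:
        if attr_type == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("short Vendor-Specific attribute")
            vendor_id = struct.unpack("!I", value[:4])[0]
            for vendor_type, field, _ in parse_tlvs(value[4:]):
                out[(vendor_id, vendor_type)] = field
    return out

# Constructed sample: CoA-Request for user "alice" with WISPr bandwidth limits.
SECRET = b"constructed-shared-secret"
SAMPLE = build_request(
    COA_REQUEST, 7,
    attr(1, b"alice") + attr(44, b"sess-01")
    + vsa(WISPR, 7, struct.pack("!I", 2000000))
    + vsa(WISPR, 8, struct.pack("!I", 8000000)),
    SECRET)
```

The guide lists Message Authenticator as optional; `require_mac=False` accepts requests without it, while the default rejects them.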
AP Roaming Scenarios

The AP roaming scenarios are as follows.

NOTE The session timeout values received from the AAA server are used for maintaining the PMK/OKC cache timer values at the controller and AP. If the timer value received is less than the default value of 12 hours, it will be used. Otherwise the default value will be used as the maximum value.

• Roaming from AP1 to AP2 - PMK / OKC Disabled
• Roaming from AP1 to AP2 - PMK / OKC Enabled
• AP1 to AP2 Connected to Different Controller Node - PMK / OKC Disabled

Roaming from AP1 to AP2 - PMK / OKC Disabled

In this scenario, as seen in the figure, the UE (subscriber) roams from AP1 to AP2. Authentication and accounting messages are initiated from the AP and the PMK (Pairwise Master Key) / OKC (Opportunistic Key Caching) cache is disabled.

FIGURE 9 UE roaming from AP1 to AP2 - PMK / OKC disabled

Roaming from AP1 to AP2 - PMK / OKC Enabled

In this scenario, as seen in the figure, the UE (subscriber) roams from AP1 to AP2. Authentication and accounting messages are initiated from the AP and the PMK/OKC cache is enabled.

FIGURE 10 UE roaming from AP1 to AP2 - PMK/OKC enabled

AP1 to AP2 Connected to Different Controller Node - PMK / OKC Disabled

In this scenario, as seen in the figure, the UE (subscriber) roams from AP1 to AP2, with the two APs connected to different controller nodes in a cluster environment. This scenario is specific to TTG sessions, where the controller has a GTP tunnel from the controller to the GGSN/PGW. The AP initiates authentication messages, whereas accounting messages are initiated by the controller. PMK / OKC cache is disabled.

FIGURE 11 UE roams from AP1 to AP2 connected to different controller node

Use Cases

Use Case Scenarios

The following are the use cases pertaining to NAS IP, Accounting session identifier, and filter identifier.
• Authentication and Accounting of NAS IP AVP
• CoA / DM Handling with NAS IP AVP
• CoA Handling with Accounting Session Identifier
• DM Handling with Accounting Session Identifier
• User Role change using Radius CoA - Filter Identifier

Copyright © 2006-2017. Ruckus Wireless, Inc. 350 West Java Dr. Sunnyvale, CA 94089. USA www.ruckuswireless.com