Understanding the authentication imsi-auth | msisdn-auth Configuration for Corporate L2TP APNs

Introduction

This documents describes the expected results of configuring corporate L2TP APNs with the authentication imsi-auth or authentication msisdn-auth.

Problem: The msisdn-auth and imsi-auth APN Configuration Options have a Speciffic (non obvious) Result for L2TP based APNs

The official documentation (for release 19) states:

imsi-auth - Configures the APN to attempt to authenticate the subscriber based on their International Mobile Subscriber Identification (IMSI) number.

msisdn-auth - Configures the APN to attempt to authenticate the subscriber based on their Mobile Station International Integrated Services Digital Network (MSISDN) number as described in the Usage section of this command.

Example configuration:

apn ecs-apn
 ims-auth-service IMSA
 dns primary 192.168.1.128
 dns secondary 192.168.1.129
 ip access-group CSS_ACL in
 ip access-group CSS_ACL out
 authentication imsi-auth username-strip-apn prefer-chap-pco <<<<<<<<<<<<<<<<<<<<<<<<<<<
 ip context-name Gi
 tunnel l2tp peer-address 2.2.2.2 encrypted secret +A3oxne9nnyqmuz16dddqucwcqz92p2hi4t8z21nx3hmmpcgvh4ida preference 1 <<<<<<<<<<<<<<<<<<<<<<<<<<<
 tunnel l2tp peer-address 3.3.3.3 encrypted secret +A2dbz9joxajmv80jxmr5aycl1ka2s6nzmu7s2bte3nnz4o2hgkqxn preference 2 <<<<<<<<<<<<<<<<<<<<<<<<<<<
 loadbalance-tunnel-peers prioritized <<<<<<<<<<<<<<<<<<<<<<<<<<<
 exit

lac-service LAC-SVC <<<<<<<<<<<<<<<<<<<<<<<<<<<
 max-retransmission 1
 retransmission-timeout-max 1
 load-balancing prioritized
 allow aaa-assigned-hostname
 keepalive-interval 30
 peer-lns 2.2.2.2 encrypted secret +A2q4fv7h5tum1a06vc2wblk9l7k3ma98myremkew1552c2vosy2h1
 peer-lns 3.3.3.3 encrypted secret +A16gnydsddbqqx3okh7ln6jrwxz3s3u3lzvzo5bz0ccc0ztr0cvsh
 bind address 1.1.1.1
 #exit

An expected behavior is that, if one of the above options are configured for a L2TP based APN, the Gateway GPRS Support Node/

The option works as expected in case there is no username provided by the User Equipment (UE).

 ii

Friday April 07 2017

INBOUND>>>>>  09:57:08:270 Eventid:141004(3)
[PGW-S5/S2a/S2b]GTPv2C Rx PDU, from 213.151.233.172:35664 to 213.151.233.230:2123 (271)
TEID: 0x00000000, Message type: EGTP_CREATE_SESSION_REQUEST (0x20)
Sequence Number: 0x317962 (3242338)

GTP HEADER
        Version number: 2
        TEID flag: Present
        Piggybacking flag: Not present
        Message Length: 0x010B (267)


INFORMATION ELEMENTS

        IMSI:
            Type: 1  Length: 8  Inst: 0
            Value: 231014450903030
            Hex: 0100 0800 3201 4154 9030 30F0 

        MSISDN:
            Type: 76  Length: 6  Inst: 0
            Value: 421917667546
        Hex: 4C00 0600 2491 7166 5764



        MOBILE EQUIPMENT IDENTITY:
            Type: 75  Length: 8  Inst: 0
            Value: 3594050557927001
            Hex: 4B00 0800 5349 5050 7529 0710



[…]

        ACCESS POINT NAME:
            Type: 71  Length: 38  Inst: 0
            Value: ltpipsec.corp.test.mnc001.mcc231.gprs
            Hex: 4700 2600 086C 7470 6970 7365 6304 636F
                 7270 0474 6573 7406 6D6E 6330 3031 066D
                 6363 3233 3104 6770 7273



        SELECTION MODE:

            Type: 128  Length: 1  Inst: 0
            Value: MS provided APN,subscr not verified (0x01)
            Hex: 8000 0100 01



        PDN TYPE:
            Type: 99  Length: 1  Inst: 0
            Value: IPV4
            Hex: 6300 0100 01 

[…]

        PCO:
            Type: 78  Length: 32  Inst: 0
            Container id: 0xC023 (PAP)
            Container length: 0x06 (6)
            Container content:
                 Auth-Req(0), Name=, Passwd=
            Container id: 0x8021 (IPCP)
            Container length: 0x10 (16)
            Container content:
                 Conf-Req(0), Pri-DNS=0.0.0.0, Sec-DNS=0.0.0.0
            Container id: 0x000D (IPv4-DNS-Server)
            Container length: 0x00 (0)
            Container content:
                DNS Address: Request for IPv4 DNS Address allocation
            Hex: 4E00 2000 80C0 2306 0100 0006 0000 8021
                 1001 0000 1081 0600 0000 0083 0600 0000
                 0000 0D00

[…]

Friday April 07 2017
<<<<OUTBOUND  09:57:08:295 Eventid:25001(0)
PPP Tx PDU (20)
PAP 20:          Auth-Req(1), Name=421917667546, Passwd=   <-- username is replaced with MSISDN as the APN is configured with “msisdn-auth”

The option doesn’t work if there is a username provided by UE. In this case, GGSN/PGW sends the username and password configured inside the APN.
If nothing is configured there

Friday April 07 2017
INBOUND>>>>> 09:47:51:254 Eventid:141004(3)
[PGW-S5/S2a/S2b]GTPv2C Rx PDU, from 213.151.233.172:35824 to 213.151.233.230:2123 (279)
TEID: 0x00000000, Message type: EGTP_CREATE_SESSION_REQUEST (0x20)
Sequence Number: 0x5C4D6C (6049132)
GTP HEADER
 Version number: 2
 TEID flag: Present
 Piggybacking flag: Not present
 Message Length: 0x0113 (275)

INFORMATION ELEMENTS
 IMSI:
 Type: 1 Length: 8 Inst: 0
 Value: 231014450903030
 Hex: 0100 0800 3201 4154 9030 30F0

MSISDN:
 Type: 76 Length: 6 Inst: 0
 Value: 421917667546
 Hex: 4C00 0600 2491 7166 5764

MOBILE EQUIPMENT IDENTITY:
 Type: 75 Length: 8 Inst: 0
 Value: 3594050557927001
 Hex: 4B00 0800 5349 5050 7529 0710


[..]

PCO:
 Type: 78 Length: 40 Inst: 0
 Container id: 0xC023 (PAP)
 Container length: 0x0E (14)
 Container content:
 Auth-Req(0), Name=null, Passwd=null
 Container id: 0x8021 (IPCP)
 Container length: 0x10 (16)
 Container content:
 Conf-Req(0), Pri-DNS=0.0.0.0, Sec-DNS=0.0.0.0
 Container id: 0x000D (IPv4-DNS-Server)
 Container length: 0x00 (0)
 Container content:
 DNS Address: Request for IPv4 DNS Address allocation
 Hex: 4E00 2800 80C0 230E 0100 000E 046E 756C
 6C04 6E75 6C6C 8021 1001 0000 1081 0600
 0000 0083 0600 0000 0000 0D00

[…]

Friday April 07 2017
<<<<OUTBOUND 09:47:51:334 Eventid:25001(0)
PPP Tx PDU (16)
PAP 16: Auth-Req(1), Name=null, Passwd=null <-- username is the same as in the APN

Solution

Observed behavior is expected as per design.

The authentication imsi-auth username-strip-apn prefer-chap-pco (or authentication msisdn-auth username-strip-apn prefer-chap-pco) configuration is used when there is no Protocol Configuration Options (PCO) username coming in.

This is the order of precedence for Network Access Identifier (NAI) construction configuration:

1. If outbound username <1-128 char string> is configured inside the APN, this overrides all other configurations/IEs and is sent in PAP/CHAP req.
   
   
2. If UE sends PCO username/password it is sent from the UE, it is sent to LNS in Password Authentication Protocol/Challenge Handshake Authentication Protocol (PAP/CHAP) req.
   
   
3. If no username is sent from UE, then msisdn/imsi@APN is sent by default as username in PAP/CHAP req. 
   
   
4. Further this CLI - authentication msisdn/imsi-auth username-strip-apn can be used to strip the APN and send only the msisdn/imsi in PAP/CHAP req.

Note that in case the authentication is done by Radius (localy) the IMSI (or MSISDN) are sent in Access-Request messages as expected.

As well in scenario of L2TP, if authentication is done by RADIUS (on LAC side), the expected username (IMSI or MSISDN) is seen in Access-Request messages, but not in Auth-Req towards LNS.