SIGTRAN-M3UA
SIGTRAN, a working group of the Internet Engineering Task Force (IETF), has defined a protocol for the transport of real-time signaling data over IP networks. Cisco Prime AR supports SS7 messaging over IP (SS7oIP) via SIGTRAN-M3UA, a new transport layer which leverages Stream Control Transmission Protocol (SCTP). Cisco Prime AR supports SIGTRAN-M3UA to fetch the authentication vectors from HLR, which is required for EAP-AKA/EAP-SIM authentication.
Note You have SIGTRAN-M3UA interface support in addition to the existing SUA interface support.
The EAP-AKA and EAP-SIM authentication service is extended to use M3UA. When the M3UA service is used for authentication, the subscriber identity (IMSI) is used to send a request to the HLR, and the HLR returns the authentication information for authenticating a user. The authentication service initiates a request to the SIGTRAN server using the IMSI, which retrieves the configured number of authentication vectors (that is, Triplets or Quintets) from the HLR.
Note When you install the SIGTRAN-M3UA remote server for the first time or update an existing installation, you need to update the IP address of the Cisco Prime AR host on which it is installed in the network.data and cli_client.conf files. You must also restart Cisco Prime AR for the changes to take effect.
If the LocalSubSystemNumber is not set as SGSN(149), you need to make the same change in the default.xml file, located at /cisco-ar/m3ua-cfg/.
Figure 22-1 MAP Service
The Cisco Prime AR server initiates the MAP service. After enabling the MAP service, the Cisco Prime AR server sends a sendAuthenticationInfo request that contains IMSI and the number of requested authentication vectors to HLR. The HLR sends a response containing the requested vectors information to Cisco Prime AR. Next, the Cisco Prime AR server sends a sendRoutinginfoForLCS request that contains IMSI and the GMLC address to HLR. The HLR sends a response containing the MSISDN information for authenticating the mobile subscribers.
Note Cisco Prime AR 6.0 supports only one remote server with the protocol type, SIGTRAN-M3UA.
This section describes the following:
•Prerequisites to SIGTRAN-M3UA
•Configuring EAP-AKA/EAP-SIM with SIGTRAN-M3UA
•Configuring M3UA Service
Prerequisites to SIGTRAN-M3UA
Before enabling the SIGTRAN-M3UA remote server, you must do the following:
•ensure that LKSCTP is not available in the Cisco Prime AR server.
•restart the Cisco Prime AR server whenever you make any configuration changes.
•ensure that the following rpm files are not installed while installing the Cisco Prime AR in RHEL 6.2:
–nss-softokn-freebl-3.12.9-11.el6.i686.rpm
–glibc-2.12-1.47.el6.i686.rpm
–ncurses-libs-5.7-3.20090208.el6.i686.rpm
–ncurses-devel-5.7-3.20090208.el6.i686.rpm
–ncurses-5.7-3.20090208.el6.i686.rpm
–nspr-4.8.8-3.el6.i686.rpm
–nss-util-3.12.10-2.el6.i686.rpm
•ensure that the following rpm files are installed while installing the Cisco Prime AR in RHEL 6.2:
–nss-softokn-freebl-3.12.9-11.el6.i686.rpm
–glibc-2.12-1.47.el6.i686.rpm
–ncurses-libs-5.7-3.20090208.el6.i686.rpm
–ncurses-devel-5.7-3.20090208.el6.i686.rpm
–ncurses-5.7-3.20090208.el6.i686.rpm
–nspr-4.8.8-3.el6.i686.rpm
–nss-util-3.12.10-2.el6.i686.rpm
–gamin-0.1.10-9.el6.i686.rpm
–libselinux-2.0.94-5.2.el6.i686.rpm
–glib2-2.22.5-6.el6.i686.rpm
–zlib-1.2.3-27.el6.i686.rpm
–libxml2-2.7.6-4.el6.i686.rpm
–gdome2-0.8.1-1.i386.rpm
–glib-1.2.10-33.el6.i686.rpm
–libgcc-4.4.6-3.el6.i686.rpm
–libstdc++-4.4.6-3.el6.i686.rpm
Note You must install the rpm versions relevant to the RHEL OS version while installing Cisco Prime AR.
Configuring EAP-AKA/EAP-SIM with SIGTRAN-M3UA
You can use aregcmd to create and configure a service of type eap-aka or eap-sim; see EAP-AKA or EAP-SIM for more information.
To configure EAP-AKA service with SIGTRAN-M3UA remote server:
Step 1 Launch aregcmd.
Step 2 Create an EAP-AKA service.
cd /Radius/Services
add eap-aka-service
cd eap-aka-service
Step 3 Set type as eap-aka.
set type eap-aka
Step 4 Add m3ua remote server in the remoteServers
cd remoteServers/
Set 1 m3ua
The following shows an example configuration for the EAP-AKA service with SIGTRAN-M3UA remote server support. See Table 9-1 for more about EAP-AKA service properties.
[ //localhost/Radius/Services ]
Entries 1 to 2 from 2 total entries
AlwaysRequestIdentity = False
EnableIdentityPrivacy = False
PseudonymSecret = <encrypted>
PseudonymRenewtime = "24 Hours"
PseudonymLifetime = Forever
Generate3GPPCompliantPseudonym = False
EnableReauthentication = False
MaximumReauthentications = 16
ReauthenticationTimeout = 3600
AuthenticationTimeout = 120
QuintetGenerationScript~ =
UseProtectedResults = False
SendReAuthIDInAccept = False
Subscriber_DBLookup = siGTRAN-m3UA
FetchAuthorizationInfo = FALSE
MultipleServersPolicy = Failover
To configure EAP-SIM service with SIGTRAN-M3UA remote server:
Step 1 Launch aregcmd.
Step 2 Create an EAP-SIM service.
cd /Radius/Services
add eap-sim-service
cd eap-sim-service
Step 3 Set type as eap-sim.
set type eap-sim
Step 4 Add m3ua remote server in the remoteServers
cd remoteServers
Set 1 m3ua
The following shows an example configuration for the EAP-SIM service with SIGTRAN-M3UA remote server support. See Table 9-6 for more about EAP-SIM service properties.
UseSimDemoTriplets = False
AlwaysRequestIdentity = False
EnableIdentityPrivacy = False
PseudonymSecret = <encrypted>
PseudonymRenewtime = "24 Hours"
PseudonymLifetime = Forever
Generate3GPPCompliantPseudonym = False
EnableReauthentication = False
MaximumReauthentications = 16
ReauthenticationTimeout = 3600
AuthenticationTimeout = 120
UseProtectedResults = False
SendReAuthIDInAccept = False
SubscriberDBLookup = SiGTRAN-M3UA
FetchAuthorizationInfo = FALSE
MultipleServersPolicy = Failover
Note Before enabling the SIGTRAN-M3UA remote server, you must restart the Cisco Prime AR server whenever you make any configuration changes.
Note If you set FetchAuthorizationInfo as TRUE for the EAP-AKA or EAP-SIM service for SIGTRAN-M3UA in Cisco Prime AR, it fetches the MSISDN information from the HLR in the response. The following is an example script for reading the MSISDN information from the response:
proc MapMSISDN {request response environ} {
    # AuthorizationInfo in the environment dictionary carries the MSISDN information fetched from the HLR
    $environ get AuthorizationInfo
}
You can configure the SIGTRAN-M3UA remote server under /Radius/RemoteServers.
To configure the SIGTRAN-M3UA remote server:
Step 1 Launch aregcmd.
Step 2 Create sigtran-m3ua remote server.
cd /r/remoteServers/
add M3UA
cd M3UA
set protocol sigtran-m3ua
Step 3 Set the Subscriber_DBLookup.
set Subscriber_DBLookup SIGTRAN-M3UA
Step 4 Set the hostname and port of the HLR.
set hostName 10.81.78.140
set DestinationPort 2905
Step 5 Set the IP address and port for the source.
set SourceIPAddress 10.81.78.142
set SourcePort 2905
Step 6 Set the reactivatetimerinterval.
Step 7 Set the subsystem number for the local.
set LocalSubSystemNumber 149
Step 8 Set routingindicator.
Set routingindicator rte_gt
Step 9 Set mlcnumber.
Set mlcnumber
Step 10 Set routingparameters.
cd routingparameters/
set OriginPointCode 2
set DestinationPointCode 4
set RemoteSubSystemNumber 6
set OPCMask 16383
set DPCMask 16383
set RoutingContext 11
Step 11 Set the source and destination gt parameters.
Step 12 Set the numbering plan, encoding scheme, format, and digits for source.
Step 13 Set the numbering plan, encoding scheme, format, and digits for destination.
The following shows an example configuration of SIGTRAN-M3UA remote server support:
[ //localhost/Radius/RemoteServers/m3ua ]
SourceIPAddress = 10.81.78.139
LocalSubSystemNumber = 149
GlobalTitleTranslationScript~ = setGT
ReactivateTimerInterval = 2000
LimitOutstandingRequests = FALSE
MaxOutstandingRequests = 0
MLCNumber = 123456789012345
RoutingIndicator = RTE_GT
RemoteSubSystemNumber = 6
ServiceIndicatorOctet = 0
SourceGTDigits = 919845071842
SourceGTFormat = GTFRMT_4
SourceNatureofAddress = INTNUM
SourceTranslationType = 0
SourceNumberingPlan = ISDN
SourceEncodingScheme = BCDEVEN
DestGTDigits = 919845071842
DestNatureofAddress = INTNUM
DestEncodingScheme = BCDEVEN
Table 22-1 describes SIGTRAN-M3UA remote server properties.
Table 22-1 SIGTRAN-M3UA Stack Properties

| Property | Description |
|---|---|
| Name | Required; inherited from the upper directory. |
| Description | An optional description of the service. |
| Protocol | Represents the type of remote server. The value should be SIGTRAN-M3UA. |
| HostName | IP address of the remote server. |
| SourceIPAddress | The local IP address on which Cisco Prime AR is installed. |
| SourcePort | The port number on which Cisco Prime AR is installed for M3UA transactions. |
| LocalSubSystemNumber | The local subsystem number is set as 149 by default. |
| DestinationPort | The destination port number to which Cisco Prime AR connects. |
| IMSITranslationScript | The scripting point is used to modify the IMSI based on the requirement before sending the request to STP/HLR. |
| Timeout | Specifies the time (in seconds) to wait before an authentication request times out; defaults to 120. |
| ReactivateTimerInterval | Specifies the time interval (in milliseconds) to activate an inactive server; defaults to 300000 ms (which is 5 minutes). |
| LimitOutstandingRequests | Required; the default is FALSE. Cisco Prime AR uses this property in conjunction with the MaxOutstandingRequests property to tune the RADIUS server's use of the HLR. When you set this property to TRUE, the number of outstanding requests for this RemoteServer is limited to the value you specified in MaxOutstandingRequests. When the number of requests exceeds this number, Cisco Prime AR queues the remaining requests, and sends them as soon as the number of outstanding requests drops to this number. |
| MaxOutstandingRequests | Required when you have set LimitOutstandingRequests to TRUE. The number you specify, which must be greater than zero, determines the maximum number of outstanding requests allowed for this remote server. |
| TrafficMode | The mode of the traffic for the HLR. The possible values are LOADSHARE or ACTSTANDBY. |
| LoadShareMode | Required. The TrafficMode is set as LOADSHARE, which is a type of load sharing scheme. When there is more than one association with the HLR, the load sharing is set as Signaling Link Selection (SLS). SLS is done on a simple round-robin basis. |
| MAPVersion | The version of the MAP. The possible values are 2 or 3. Specify the MAP version that the HLR supports (that is, 2 or 3) during the configuration. |
| NetworkVariant | Required. Represents the network variant switch. Note: Cisco Prime AR supports only the ITU value in version 6.0. |
| SubServiceField | Specifies the type of network to which this SAP belongs. The possible options are INT and NAT, which represent international network and national network respectively. |
| TCAPVariant | Required; represents the name of the TCAP network variant switch. The possible options are ITU88, ITU92, or ITU96. |
| NetworkAppearance | Required. Represents the network appearance code, which ranges from 0-2147483647. |
| NetworkIndicator | The network indicator used in the SCCP address. The possible options are NAT and INT, which represent national network and international network respectively. |
| MLCNumber | Required if you select FetchAuthorizationInfo as True in EAP-AKA or EAP-SIM services. Also required for the M3UA service for fetching the MSISDN from the HLR. The MLC number is configured in E.164 format. Note: MLC is a max-15 digit number. |
| RoutingIndicator | Required; represents the routing indicator. The possible values are Route on Global Title (RTE_GT) or Route on Sub System Number (RTE_SSN). You can use either the RTE_GT or RTE_SSN value to route the packets for the HLR. |
| RoutingParameters | |
| OriginPointCode | Required; represents the originating point of a message in a signalling network. The value ranges from 0-16777215. |
| DestinationPointCode | Required; represents the destination address of a signalling point in an SS7 network. |
| RemoteSubSystemNumber | Required; represents the subsystem number of the remote server. The RemoteSubSystemNumber is set as 6 by default. |
| OPCMask | Represents the wild card mask for the origin point code. The value ranges from 0-16777215. |
| DPCMask | Represents the wild card mask for the destination point code. The value ranges from 0-16777215. |
| ServiceIndicatorOctet | Represents the service identifier octet. The value ranges from 0-255. |
| RoutingContext | Required; represents the routing context, which ranges from 0-16777215. |
| SourceGTAddress | |
| SourceGTDigits | Required; a unique number to identify the source. |
| SourceGTFormat | Required; represents the format of the global translation (GT) rule. The possible values are GTFRMT_0, GTFRMT_1, GTFRMT_2, GTFRMT_3, GTFRMT_4, or GTFRMT_5. |
| SourceNatureofAddress | Required; represents the type of the source address. The possible values are ADDR_NOTPRSNT (Address not present), SUBNUM (Subscriber number), NATSIGNUM (National significant number), or INTNUM (International number). |
| SourceTranslationType | Required; represents the type of translation. The possible values range from 0-255. |
| SourceNumberingPlan | Required; represents the numbering plan of the network that the subscriber uses. For example, land mobile numbering plan, ISDN mobile numbering plan, private or network specific numbering plan. |
| SourceEncodingScheme | Required; represents the BCD encoding scheme. The possible values are UNKN (Unknown), BCDODD (BCD Odd), BCDEVEN (BCD Even), or NWSPEC (National specific). |
| DestinationGTAddress | The following fields are displayed only when you set RTE_GT as RoutingIndicator. |
| DestGTDigits | Required; a unique number to identify the destination. |
| DestGTFormat | Required; represents the format of the global translation (GT) rule. The possible values are GTFRMT_0, GTFRMT_1, GTFRMT_2, GTFRMT_3, GTFRMT_4, or GTFRMT_5. |
| DestNatureofAddress | Required; represents the type of the destination address. The possible values are ADDR_NOTPRSNT (Address not present), SUBNUM (Subscriber number), NATSIGNUM (National significant number), or INTNUM (International number). |
| DestTranslationType | Required; represents the type of translation. The possible values range from 0-255. |
| DestNumberingPlan | Required; represents the numbering plan of the network that the subscriber uses. For example, land mobile numbering plan, ISDN mobile numbering plan, private or network specific numbering plan. |
| DestEncodingScheme | Required; represents the BCD encoding scheme. The possible values are UNKN (Unknown), BCDODD (BCD Odd), BCDEVEN (BCD Even), or NWSPEC (National specific). |
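The ranges and allowed values in Table 22-1 can be checked mechanically before a restart. The following Python sketch is an added example, not Cisco code: it parses a "Name = Value" listing like the one shown above and reports the properties that break a rule from the table. The function names and the sample listing are constructed for illustration, and the odd/even digit-count check on the BCD encoding scheme follows the ITU-T Q.713 meaning of those values, which is an assumption rather than something the table states.

```python
import re
# Constructed listing in the page's "Name = Value" style (not a real deployment).
SAMPLE = """\
[ //localhost/Radius/RemoteServers/m3ua ]
LimitOutstandingRequests = TRUE
MaxOutstandingRequests = 0
MLCNumber = 1234567890123456
ServiceIndicatorOctet = 300
SourceGTDigits = 91984507184
SourceEncodingScheme = BCDEVEN
"""
MAX24 = 16777215
RANGES = {  # inclusive ranges stated in Table 22-1
    "OriginPointCode": (0, MAX24), "OPCMask": (0, MAX24), "DPCMask": (0, MAX24),
    "RoutingContext": (0, MAX24), "NetworkAppearance": (0, 2147483647),
    "ServiceIndicatorOctet": (0, 255),
    "SourceTranslationType": (0, 255), "DestTranslationType": (0, 255),
}
ENUMS = {  # allowed values stated in Table 22-1
    "RoutingIndicator": {"RTE_GT", "RTE_SSN"}, "MAPVersion": {"2", "3"},
    "TrafficMode": {"LOADSHARE", "ACTSTANDBY"}, "SubServiceField": {"INT", "NAT"},
}

def parse_listing(text):
    """Map property -> value; the '~' that marks script properties is dropped."""
    pairs = re.findall(r"^[ \t]*([\w~]+)[ \t]*=[ \t]*(.*?)[ \t]*$", text, re.M)
    return {name.rstrip("~"): value for name, value in pairs}

def num(cfg, name):
    """Integer value of a property, or None if absent or not plain decimal."""
    value = cfg.get(name, "")
    return int(value) if re.fullmatch(r"[0-9]+", value) else None

def audit(cfg):
    """Return the sorted names of properties that break a Table 22-1 rule."""
    bad = {n for n, (lo, hi) in RANGES.items()
           if n in cfg and (num(cfg, n) is None or not lo <= num(cfg, n) <= hi)}
    bad |= {n for n, ok in ENUMS.items() if n in cfg and cfg[n].upper() not in ok}
    limit_on = cfg.get("LimitOutstandingRequests", "").upper() == "TRUE"
    if limit_on and (num(cfg, "MaxOutstandingRequests") or 0) <= 0:
        bad.add("MaxOutstandingRequests")  # must be > 0 once the limit is on
    if "MLCNumber" in cfg and not re.fullmatch(r"[0-9]{1,15}", cfg["MLCNumber"]):
        bad.add("MLCNumber")  # MLC is a max-15 digit number
    for side in ("Source", "Dest"):  # assumption: ITU-T Q.713 odd/even BCD meaning
        digits, scheme = cfg.get(side + "GTDigits", ""), cfg.get(side + "EncodingScheme")
        want = "BCDEVEN" if len(digits) % 2 == 0 else "BCDODD"
        if digits and scheme in ("BCDODD", "BCDEVEN") and scheme != want:
            bad.add(side + "EncodingScheme")
    return sorted(bad)
```

Calling audit(parse_listing(SAMPLE)) flags the four constructed mistakes; the values shown in the example configuration above pass without findings.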
Configuring M3UA Service
Cisco Prime AR supports the M3UA service, which is used to fetch MSISDN from IMSI through RADIUS packets. See Chapter 4, "Cisco Prime Access Registrar Server Objects," for more information.
To configure the M3UA service with SIGTRAN-M3UA remote server:
Step 1 Launch aregcmd.
Step 2 Create an M3UA service.
cd /Radius/Services
add FetchMSISDN
cd FetchMSISDN
Step 3 Set the type as M3UA.
set type M3UA
Step 4 Add M3UA remote server in the remoteServers.
cd remoteServers
Set 1 m3ua