DIAMETER Support in BNG

DIAMETER provides a base protocol that can be extended in order to provide authentication, authorization, and accounting (AAA) services to new access technologies. This chapter provides information about DIAMETER protocol and its support in BNG.

Table 1. Feature History for DIAMETER Support in BNG

| Release | Modification |
|---|---|
| Release 6.1.2 | Added DIAMETER-Geo redundancy interworking. |
| Release 5.3.0 | This chapter was introduced for DIAMETER support feature in BNG. |


DIAMETER Overview

DIAMETER is a peer-to-peer protocol composed of a base protocol and a set of applications that extend it to provide AAA services to new access technologies. The base protocol provides basic mechanisms for reliable transport, message delivery, and error handling, and it must be used in conjunction with a DIAMETER application. Each application relies on the services of the base protocol to support a specific type of network access. Each application is defined by an application identifier and is associated with commands. Each command is defined with mandatory Attribute Value Pairs (AVPs) and non-mandatory AVPs, including vendor-specific AVPs.

DIAMETER allows peers to exchange a variety of messages. The DIAMETER client generates DIAMETER messages to the DIAMETER server to perform the AAA actions for the user. This protocol also supports server-initiated messages, such as a request to cancel service to a particular user.

DIAMETER Interface in BNG

BNG supports the DIAMETER base protocol, along with applications such as DIAMETER Credit Control Application (DCCA) and Network Access Server Requirements (NASREQ), which are used for policy control and charging, and real-time credit control of pre-paid users. BNG acts as a NASREQ and DCCA client to perform NAS-related AAA functions, policy provisioning, quota requests, and usage reporting. With this DIAMETER interface, BNG provides service-aware billing functionality and policy provisioning for post-paid and pre-paid users.

This figure shows the network of the DIAMETER interface in BNG:
Figure 1. DIAMETER Interface in BNG


Along with the DIAMETER base protocol, these DIAMETER applications are also supported in BNG:
  • Diameter Credit Control Application (DCCA)

  • Gx interface for Policy Control and Charging

  • Gy interface for online charging

  • Gz interface for offline charging

This table lists IANA-assigned application IDs for DIAMETER applications:

| DIAMETER Application | DIAMETER Application ID |
|---|---|
| DIAMETER common message | 0x00000000 |
| DIAMETER NASREQ message | 0x00000001 |
| DIAMETER base accounting | 0x00000003 |
| DIAMETER DCCA application (Gy) | 0x00000004 |
| DIAMETER policy interface (Gx) | 0x01000016 (16777224) |

Features supported for BNG with DIAMETER

These base protocol features are supported in BNG with DIAMETER:
  • TCP as the transport protocol for DIAMETER messages

  • TLS support over TCP for secure communication

  • IPv4 and IPv6 transport stack to the back end DIAMETER server

These base protocol features are not supported in BNG with DIAMETER:
  • Communication with diameter peers that act as proxy, relay or a redirection agent

  • Diameter peer discovery

  • SCTP as the transport protocol for DIAMETER messages

  • Internet Protocol Security (IPSec)

Supported DIAMETER Base Messages

BNG supports these DIAMETER base messages:

| DIAMETER Base Messages | Abbreviation | Command Code | Description |
|---|---|---|---|
| Capabilities-Exchange-Request | CER | 257 | Sent from the client to the server to determine the capabilities of the server. |
| Capabilities-Exchange-Answer | CEA | 257 | Sent from the server to the client in response to a CER message. |
| Disconnect-Peer-Request | DPR | 282 | Sent to the peer to inform about the termination of the connection. The client or server may initiate the termination. |
| Disconnect-Peer-Answer | DPA | 282 | Sent as a response to a DPR message. |
| Device-Watchdog-Request | DWR | 280 | Sent from the client to the server to monitor the health of the connection. This happens if, for a while, there is no traffic between peers, after CER and CEA messages are exchanged. |
| Device-Watchdog-Answer | DWA | 280 | Sent as response to a DWR message. |

For details of DIAMETER attributes and sample packets of DIAMETER messages, see Appendix E, DIAMETER Attributes.

DIAMETER NASREQ Application

The NASREQ application is used for Authentication, Authorization and Accounting (AAA) in the Network Access Server (NAS) environment. For subscriber authentication or authorization, as part of the session creation, a DIAMETER AA-Request message is sent to the DIAMETER NASREQ server and the response may be an AA-Answer message. Subscriber accounting for sessions and services is done using AC-Request and AC-Answer messages of the NASREQ application. BNG supports the NASREQ application for network access related functionality; the admin access requests (such as Telnet, SSH, rlogin, and so on) must not be transported using the DIAMETER protocol. Because Extensible Authentication Protocol (EAP) authentication is not required in BNG, the support for DIAMETER EAP application is not considered.

If the user deploys a separate Offline Charging Server (OFCS) with the AAA method list configuration, the NASREQ application forwards the messages accordingly.

No new application-specific AVPs are sent for the NASREQ application, except DIAMETER-specific common set of AVPs and RADIUS prohibited AVPs for accounting.

This table lists the DIAMETER NAS messages supported by BNG:

| DIAMETER NAS Messages | Abbreviation | Command Code | Description |
|---|---|---|---|
| AA-Request | AAR | 265 | Used to request authentication or authorization (or both) for a given NAS user. Admin user related AVPs are not applicable for BNG deployment with DIAMETER NASREQ application. |
| AA-Answer | AAA | 265 | Sent in response to the AAR message. If authorization was requested, a successful response includes the authorization AVPs appropriate for the service being provided. For backward compatibility and also based on the session type if it is IPoE or PPPoE, a few additional DIAMETER Cisco VSAs may also be present in this message. |
| Re-Auth-Request | RAR | 258 | Sent by a DIAMETER server when it initiates a re-authentication or re-authorization (or both) service for a particular session. |
| Re-Auth-Answer | RAA | 258 | Sent in response to the RAR message. The Result-Code AVP must be present in the RAA message and it indicates the disposition of the request. A successful RAA transaction must be followed by an AAR message. |
| Session-Termination-Request | STR | 275 | Sent by NAS to inform DIAMETER server that an authenticated or authorized (or both) session is being terminated. This is required only if NASREQ application is stateful. |
| Session-Termination-Answer | STA | 275 | Sent by DIAMETER server to acknowledge the session termination notification sent by NAS. The Result-Code AVP must be present in this STA message, and it may also contain an indication that an error occurred while the STR was being serviced. Upon sending or receiving the STA, the DIAMETER server must release all resources for the session indicated by the Session-ID AVP. |
| Abort-Session-Request | ASR | 274 | Sent by DIAMETER server to NAS to stop the session identified by the Session-ID AVP. This is similar to RADIUS CoA Session-disconnect request or POD. In the case of stateless application, the DIAMETER session with the particular Session-ID does not exist on BNG. Therefore, instead of Session-ID, another BNG subscriber identity such as Acct-Session-ID, <Framed-IP-Address, VRF> may be sent as one of the AVPs. |
| Abort-Session-Answer | ASA | 274 | Sent in response to the ASR message. These are the possible result codes: DIAMETER_SUCCESS, if the session identified by Session-ID was successfully terminated; DIAMETER_UNKNOWN_SESSION_ID, if the session is not currently active; DIAMETER_UNABLE_TO_COMPLY, if the access device does not stop the session for some reason. |
| Accounting-Request | ACR | 271 | Sent by a DIAMETER node that is acting as a client, in order to exchange accounting information with a peer. In addition to the standard AVPs, ACR messages must also include service-specific accounting AVPs. |
| Accounting-Answer | ACA | 271 | Sent to acknowledge an ACR message. The ACA message contains the same Session-ID as the corresponding request. |

DIAMETER Accounting

The session accounting and service accounting functionality provided by BNG remains unchanged with the introduction of the DIAMETER interface. BNG uses accounting messages defined in the DIAMETER base protocol. The DIAMETER NASREQ application is used for regular AAA services over DIAMETER. The DIAMETER accounting message construction and transport is supported as part of this application.

The DIAMETER applications in BNG have the option of using either or both of these accounting application extension models:
  • Split Accounting Service - The accounting message carries the Application-ID of the DIAMETER base accounting application (0x00000003). The respective diameter nodes advertise the DIAMETER base accounting Application ID during capabilities exchanges (CER and CEA).

  • Coupled Accounting Service - The accounting message carries the Application-ID of the application that is using it (for example, NASREQ). The application itself processes the received accounting records or forwards them to an accounting server. The accounting application advertisement is not required during capabilities exchange, and the accounting messages are routed the same way as any of the other application messages. In the case of BNG, where an application does not define its own accounting service, the use of the split accounting model is preferred.

    The Gz interface between PCEF and OFCS uses the DIAMETER base accounting application for offline charging. Because BNG supports session-based and service-based accounting, the split accounting model, in which the accounting Application-ID is inserted in all the accounting messages, is preferable.

BNG does not support persistence of accounting records when the DIAMETER server is down.

DIAMETER Accounting Messages

Accounting-Request (ACR) and Accounting-Answer (ACA) are the typical DIAMETER accounting NASREQ messages. The possible ACR types are:

  1. EVENT_RECORD - sent if a session fails to start, along with the reason for the failure.

  2. START_RECORD - sent if the first authentication or authorization transaction is successfully completed.

  3. INTERIM_RECORD - sent if additional authentications or authorizations occur.

  4. STOP_RECORD - sent upon termination of the session context.
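The base and NAS message tables above give each request and its answer the same command code, and the split and coupled accounting models differ only in the Application-ID an accounting message carries. The following added example (not from the Cisco documentation) decodes a DIAMETER header and its AVPs to tell these cases apart. The header and AVP layout, the Session-Id (263) and Accounting-Record-Type (480) codes and the record-type values are taken from RFC 6733; the sample messages and the session string are constructed.

```python
import struct

# Command codes and application IDs exactly as listed in the tables on this page.
COMMANDS = {257: ("CER", "CEA"), 258: ("RAR", "RAA"), 265: ("AAR", "AAA"),
            271: ("ACR", "ACA"), 272: ("CCR", "CCA"), 274: ("ASR", "ASA"),
            275: ("STR", "STA"), 280: ("DWR", "DWA"), 282: ("DPR", "DPA")}
APPLICATIONS = {0x00000000: "common", 0x00000001: "NASREQ",
                0x00000003: "base accounting", 0x00000004: "DCCA (Gy)",
                0x01000016: "Gx"}
# AVP codes and Accounting-Record-Type values from RFC 6733 (not from this page).
AVP_SESSION_ID, AVP_ACCT_RECORD_TYPE = 263, 480
RECORD_TYPES = {1: "EVENT_RECORD", 2: "START_RECORD",
                3: "INTERIM_RECORD", 4: "STOP_RECORD"}
FLAG_REQUEST, AVP_FLAG_VENDOR = 0x80, 0x80


def parse_header(msg: bytes) -> dict:
    """Decode and sanity-check the fixed 20-byte DIAMETER header."""
    if len(msg) < 20:
        raise ValueError("shorter than a DIAMETER header")
    length = int.from_bytes(msg[1:4], "big")
    if msg[0] != 1:
        raise ValueError("unsupported DIAMETER version")
    if length != len(msg) or length % 4:
        raise ValueError("length field does not match the message")
    app_id, hop_by_hop, end_to_end = struct.unpack("!III", msg[8:20])
    return {"request": bool(msg[4] & FLAG_REQUEST),
            "code": int.from_bytes(msg[5:8], "big"),
            "app_id": app_id, "hop_by_hop": hop_by_hop, "end_to_end": end_to_end}


def parse_avps(body: bytes) -> list:
    """Return (code, vendor_id, data) for each AVP, rejecting bad lengths."""
    avps, off = [], 0
    while off < len(body):
        if len(body) - off < 8:
            raise ValueError("truncated AVP header")
        code = int.from_bytes(body[off:off + 4], "big")
        flags = body[off + 4]
        length = int.from_bytes(body[off + 5:off + 8], "big")
        hdr = 12 if flags & AVP_FLAG_VENDOR else 8
        if length < hdr or off + length > len(body):
            raise ValueError("AVP length out of bounds")
        vendor = int.from_bytes(body[off + 8:off + 12], "big") if hdr == 12 else None
        avps.append((code, vendor, body[off + hdr:off + length]))
        off += (length + 3) & ~3          # AVPs are padded to a 32-bit boundary
    return avps


def describe(msg: bytes) -> dict:
    """Name the command and, for ACR/ACA, the accounting model and record type."""
    hdr = parse_header(msg)
    pair = COMMANDS.get(hdr["code"])
    # Request and answer share a command code; the R flag tells them apart.
    info = {"command": pair[0 if hdr["request"] else 1] if pair else "unknown",
            "application": APPLICATIONS.get(hdr["app_id"], hex(hdr["app_id"]))}
    base = {code: data for code, vendor, data in parse_avps(msg[20:]) if vendor is None}
    if AVP_SESSION_ID in base:
        info["session_id"] = base[AVP_SESSION_ID].decode("utf-8", "replace")
    if hdr["code"] == 271:
        # Split model: header carries the base accounting Application-ID (3).
        info["accounting_model"] = "split" if hdr["app_id"] == 3 else "coupled"
        rec = base.get(AVP_ACCT_RECORD_TYPE, b"")
        if len(rec) == 4:
            info["record_type"] = RECORD_TYPES.get(int.from_bytes(rec, "big"), "invalid")
    return info


# --- constructed sample messages (not captured from a BNG) ---
def build_avp(code: int, data: bytes, flags: int = 0x40) -> bytes:
    length = 8 + len(data)
    return (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
            + data + b"\x00" * (-length % 4))


def build_message(code: int, app_id: int, avps: list, request: bool = True) -> bytes:
    body = b"".join(avps)
    return (bytes([1]) + (20 + len(body)).to_bytes(3, "big")
            + bytes([FLAG_REQUEST if request else 0]) + code.to_bytes(3, "big")
            + struct.pack("!III", app_id, 1, 2) + body)


SAMPLE_AVPS = [build_avp(AVP_SESSION_ID, b"bng.example.net;1;2"),
               build_avp(AVP_ACCT_RECORD_TYPE, struct.pack("!I", 2))]
SPLIT_ACR = build_message(271, 3, SAMPLE_AVPS)
COUPLED_ACR = build_message(271, 1, SAMPLE_AVPS)
CEA = build_message(257, 0, [], request=False)

if __name__ == "__main__":
    for sample in (SPLIT_ACR, COUPLED_ACR, CEA):
        print(describe(sample))
```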

DIAMETER Gx and Gy Applications

The Gx reference point (based on 3GPP TS 129 212 V11.10.0), which is located between the Policy and Charging Rules Function (PCRF) and the Policy and Charging Enforcement Function (PCEF), is used for provisioning and removal of policy and charging control (PCC) rules from the PCRF to the PCEF and for the transmission of traffic plane events from the PCEF to the PCRF. BNG acts as a PCEF in the current deployment. The PCRF acts as a DIAMETER server with respect to the DIAMETER protocol defined over the Gx interface; that is, it is the network element that handles PCC rule requests for a particular realm. The PCEF acts as the DIAMETER client; that is, it is the network element that requests PCC rules in the transport plane network resources. Currently, BNG supports the Gx interface for PCC rules provisioning, but the usage monitoring feature on the Gx interface (3GPP RLS9) is not supported.

The Gy reference point (based on 3GPP TS 132 299 V11.9.1), which is located between the OCS and the PCEF, is used for reporting and online charging.

The required AVPs for broadband deployment and for Cisco ASR 9000 Series Aggregation Services Router use cases are derived out of the Gx and Gy reference points.


Note

When there is a DIAMETER process restart, all the ongoing or transient Gy sessions corresponding to established Gx sessions are dropped for the sessions between a customer premises equipment (CPE) and the network resource.

Whenever a DIAMETER Gx peer connection is down, 200 subscriber sessions are disconnected every second.


Supported Gx Messages

This table lists the DIAMETER Gx messages supported by BNG:

| DIAMETER Gx Messages | Abbreviation | Command Code | Description |
|---|---|---|---|
| Credit-Control-Request | CCR | 272 | Sent by the traffic plane function (TPF) to the charging rules function (CRF) in order to request charging rules for a bearer, and also to indicate the termination of the subscriber session. |
| Credit-Control-Answer | CCA | 272 | Sent by the PCRF to the PCEF in response to the CCR command. It is used to provision PCC rules and event triggers for the bearer or session, and to provide the selected bearer control mode for the IP connectivity access network (IP-CAN) session. |
| Re-Auth-Request | RAR | 258 | Sent by the PCRF to the PCEF in order to provision unsolicited PCC rules using the PUSH procedure. |
| Re-Auth-Answer | RAA | 258 | Sent by the PCEF to the PCRF in response to the RAR command. |
| Abort-Session-Request | ASR | 274 | Sent by any server to the access device providing session service, requesting it to stop the session identified by the Session-Id. |
| Abort-Session-Answer | ASA | 274 | Sent in response to the ASR. The Result-Code AVP that indicates the disposition of the request must be present. |

Supported Gy Messages

BNG supports these DIAMETER Gy messages:

  • CCR-Initial

  • CCA-Initial

  • CCR-Update message with tariff change units

  • CCA-Update

  • CCR-Final

  • CCA-Final

DIAMETER DCCA Application

DCCA interface implementation is based on the RFC 4006. The 3GPP Gx and Gy applications use the DCCA framework and AVPs to provide the respective functions.

BNG supports these DCCA messages:

  • Credit Control Request (CCR)

  • Credit Control Answer (CCA)

Every CCR must be answered with a separate CCA.

DCCA Session and Services

Each BNG subscriber session is associated with a DIAMETER CC-Session (Credit Control-Session) when Gx or Gy, or both applications, are enabled. Multiple services may be active in a BNG subscriber session. The quota management and usage reporting for each service is performed by using MSCC AVP in the CCR-CCA messages. The Service-Identifier and Rating-Group AVP inside the MSCC identifies the service of a subscriber session. Quota for a service is granted within one Granted-Service-Unit AVP (GSU). Quota usage reporting is done in one or more Used-Service-Unit (USU) AVP.

A CC-Session is uniquely identified by a Diameter Session-ID. The same format is used for the construction of Session-ID.

BNG DIAMETER Call Flow

This figure shows a call flow sequence of BNG DIAMETER, for DHCP-initiated IPoE sessions (this is based on one of the BNG DIAMETER use cases and the BNG call flow):

Figure 2. BNG DIAMETER Call Flow


Guidelines and Restrictions for DIAMETER Support in BNG

Guidelines for DIAMETER AVPs in BNG

These guidelines must be taken into consideration for the DIAMETER AVPs in BNG:
  • Because BNG is deployed in a wire-line scenario, the Subscription-ID (443) AVP is not required. Instead, the subscriber identifier is carried using the DIAMETER User-Name (1) AVP. If a provider wants to use the common subscriber identity, BNG can include the Subscription-ID (443) Grouped AVP with the appropriate value for Subscription-ID-Type (450).

  • To bring up a BNG session, a few Cisco VSAs are also needed as part of the subscriber authorization profile. Since the profile is provided by the PCRF, you must ensure the support of those DIAMETER Cisco AVPs.

  • The network access details are sent from BNG in the request packet using the existing RADIUS equivalent of DIAMETER AVPs, such as NAS-Port-ID (87), NAS-Identifier (32) and NAS-IP-Address (4).

  • The user must define the subscriber service on the BNG router as part of the dynamic template. The configurations on the BNG router define the service definitions that are part of a prepaid set. Hence, from the Gx interface perspective, only the Service-name is expected to come from PCRF. More than one service-name instance may come in CCA and RAR messages from PCRF. BNG receives these instances in the Charging-Rule-Install (1001) 3GPP Grouped AVP, with the Charging-Rule-Name (1005) 3GPP AVP, Service-Identifier (439) IETF AVP and Rating-Group (432) 3GPP AVP as part of this grouped AVP, to represent one logical service construct.

  • Currently BNG does not support service definition coming from PCRF. Therefore, the Charging-Rule-Definition(1003) 3GPP Grouped AVP, with containers to denote the flow-description, is not required.

Restrictions for DIAMETER in BNG

DIAMETER support in BNG is subject to these restrictions:
  • BNG does not support Origin-State-Id AVP. Therefore, if this AVP is received from the DIAMETER server, it is ignored.

  • The Session-Binding AVP is ignored by BNG router. BNG uses the value of Origin-Host AVP, received in the latest CCA message, for the Destination-Host AVP of the next request and the termination request as well.

  • The use of the In-band-Security-Id AVP, which advertises support for the security portion of the application, is not recommended in CER and CEA messages. Instead, discovery of a DIAMETER entity's security capabilities can be done through static configuration.

Configuring DIAMETER Peer in BNG

Perform this task to configure the DIAMETER connection on a BNG router.

The selection of DIAMETER server is mostly based on the AAA method list configuration. These are the various selection options:
  • For regular AAA services (NASREQ), it is completely based on the AAA configuration on the router.

  • For Gx, it can be based on the Gx realm selection.

  • For prepaid, it is based on the charging profile associated with the subscriber session on BNG.

For details on configuring AAA for DIAMETER, see Configuring AAA for DIAMETER Peer in BNG.

SUMMARY STEPS

  1. configure
  2. diameter {gx | gy}
  3. diameter peer peer name
  4. transport security-type tls
  5. transport tcp port port_num
  6. destination host host_string
  7. destination realm realm_string
  8. address [ ipv4 | ipv6] ip_addr
  9. ip vrf forwarding vrf_table_name
  10. source-interface intf-type intf-name
  11. peer-type server
  12. root
  13. diameter origin host host-name
  14. diameter origin realm realm-string
  15. diameter timer [ connection | transaction | watchdog] timer-value
  16. diameter vendor supported [ cisco | etsi | threegpp | vodafone]
  17. diameter tls trustpoint label
  18. diameter {gx | gy} [ retransmit retransmit-timer-val | tx-timer tx-timer-val]
  19. Use the commit or end command.

DETAILED STEPS

  Command or Action Purpose

Step 1

configure

Example:


RP/0/RSP0/CPU0:router# configure

Enters global configuration mode.

Step 2

diameter {gx | gy}

Example:


RP/0/RSP0/CPU0:router(config)# diameter gx

Configures Gx interface for policy control and charging.

Similarly, configures the Gy interface for online (prepaid) charging.

Step 3

diameter peer peer name

Example:


RP/0/RSP0/CPU0:router(config)# diameter peer GX_SERVER

Configures DIAMETER peer.

Step 4

transport security-type tls

Example:


RP/0/RSP0/CPU0:router(config-dia-peer)# transport security-type tls

[Optional] Configures the DIAMETER security type as TLS.

Step 5

transport tcp port port_num

Example:


RP/0/RSP0/CPU0:router(config-dia-peer)# transport tcp port 3868

Configures the DIAMETER transport protocol used for establishing the connection with the peer and, optionally, the port number that the remote peer uses for DIAMETER messages.

Currently only TCP is supported as DIAMETER transport protocol.

Step 6

destination host host_string

Example:


RP/0/RSP0/CPU0:router(config-dia-peer)# destination host dcca1.cisco.com

Configures the hostname of the peer in Fully Qualified Domain Name (FQDN) format.

This value is sent in various messages so that intermediate proxies can correctly route the packets.

Step 7

destination realm realm_string

Example:


RP/0/RSP0/CPU0:router(config-dia-peer)# destination realm GX_REALM

[Optional] Configures the realm to which the peer belongs.

The destination realm is added by AAA clients while sending a request to AAA server, using the AAA_AT_DESTINATION_REALM attribute. If this attribute is not present, then the realm information is retrieved using the User name field. If the clients do not add the attribute, then the value configured in the peer mode is used while sending messages to the destination peer.

Step 8

address [ ipv4 | ipv6] ip_addr

Example:


RP/0/RSP0/CPU0:router(config-dia-peer)# address ipv4 2.2.2.2

Configures IP address of the DIAMETER peer.

Step 9

ip vrf forwarding vrf_table_name

Example:


RP/0/RSP0/CPU0:router(config-dia-peer)# ip vrf forwarding VRF1

[Optional] Configures the VRF associated with the peer, to establish connections with the peers immediately after configuring the peers.

If this command is not configured, then the global routing table is used for establishing the connection with the peer.

If the VRF with that name is not configured, an error message to that effect is displayed, and this command has no effect.

Step 10

source-interface intf-type intf-name

Example:


RP/0/RSP0/CPU0:router(config-dia-peer)# source-interface Bundle-Ether 1

[Optional] Configures the source-interface to be used for the DIAMETER connection. The diameter client uses this source address and port to initiate the TCP connection to the peer.

This command is also available in global configuration mode, when used with diameter keyword.

Step 11

peer-type server

Example:


RP/0/RSP0/CPU0:router(config-dia-peer)# peer-type server

Configures the peer type. By default, the peer type is server.

Step 12

root

Example:


RP/0/RSP0/CPU0:router(config-dia-peer)# root

Returns the configuration mode back to the global configuration mode.

Step 13

diameter origin host host-name

Example:


RP/0/RSP0/CPU0:router(config)# diameter origin host 1.1.1.1

Configures the origin host information.

The origin host information is sent in different requests to the DIAMETER peer and it maps to multiple IP addresses. If this value is not configured, then a NULL string is sent. Therefore, this is a mandatory configuration.

Step 14

diameter origin realm realm-string

Example:


RP/0/RSP0/CPU0:router(config)# diameter origin realm cisco.com

[Optional] Configures the origin realm information.

The origin realm information is sent in each request to the DIAMETER peer. If this value is not configured, then a NULL string is sent. Therefore, this is a mandatory configuration.

Step 15

diameter timer [ connection | transaction | watchdog] timer-value

Example:


RP/0/RSP0/CPU0:router(config)# diameter timer watchdog 300

Configures global timers for DIAMETER.

  • Connection timer is used to delay the connection establishment or re-establishment of client with the DIAMETER server. It determines the frequency of transport connection attempts with the peer when there is no active connection with the peer.

  • Transaction timer is used for setting the frequency of transaction attempts. That is, the duration for which the client waits for any response message from the peer.

  • Watchdog timer is used to periodically send the Device-Watchdog-Request (DWR) to the DIAMETER server to test the link status.

Note

These timers can also be configured at the peer level (in diameter peer configuration mode). By default, the peers inherit the globally configured timer values. However, if the timer values are also configured at the peer level, the peer-level timer values take precedence over the globally configured timer values.

Step 16

diameter vendor supported [ cisco | etsi | threegpp | vodafone]

Example:


RP/0/RSP0/CPU0:router(config)# diameter vendor supported cisco

Advertises the various vendor AVPs that the DIAMETER node understands. This information is passed to the peer in capability exchange messages.

Step 17

diameter tls trustpoint label

Example:


RP/0/RSP0/CPU0:router(config)# diameter tls trustpoint DIAMETER_TRUSTPOINT

Specifies the trustpoint whose certificate is used for the DIAMETER TLS exchange. If a trustpoint name is not provided, then the default trustpoint is used.

Step 18

diameter {gx | gy} [ retransmit retransmit-timer-val | tx-timer tx-timer-val]

Example:


RP/0/RSP0/CPU0:router(config)# diameter gx retransmit 5
RP/0/RSP0/CPU0:router(config)# diameter gx tx-timer 100

Configures the re-transmit and the transaction timers for Gx and Gy applications.

Step 19

Use the commit or end command.

commit — Saves the configuration changes and remains within the configuration session.

end — Prompts user to take one of these actions:
  • Yes — Saves configuration changes and exits the configuration session.

  • No — Exits the configuration session without committing the configuration changes.

  • Cancel — Remains in the configuration session, without committing the configuration changes.

Configuring DIAMETER Connection in BNG: Example


DIAMETER-specific configurations:

diameter gx
diameter gy
diameter peer GX_SERVER
 destination realm GX_REALM
 address ipv4 2.2.2.2
!
diameter peer GY_SERVER
 transport tcp port 3869
 destination realm GY_REALM
 address ipv4 2.2.2.2
!
diameter peer NASREQ_SERVER
 address ipv4 1.1.1.2
!
diameter timer watchdog 300
diameter origin host 1.1.1.1
diameter origin realm cisco.com
diameter vendor supported threegpp
diameter vendor supported cisco
diameter vendor supported vodafone
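None of the peers in the example above sets `transport security-type tls`, so their DIAMETER traffic runs over plain TCP. The following check is an added example, not part of the Cisco documentation: it reads configuration text in the stanza layout shown above and lists peers without TLS, TLS peers that fall back to the default trustpoint, and missing origin host or realm. The `TLS_SERVER` peer and its address are constructed for the sample.

```python
import re

# The example configuration from this page, plus one constructed peer
# (TLS_SERVER, address 2.2.2.3) added here to exercise the TLS branch.
SAMPLE_CONFIG = """\
diameter gx
diameter gy
diameter peer GX_SERVER
 destination realm GX_REALM
 address ipv4 2.2.2.2
!
diameter peer GY_SERVER
 transport tcp port 3869
 destination realm GY_REALM
 address ipv4 2.2.2.2
!
diameter peer NASREQ_SERVER
 address ipv4 1.1.1.2
!
diameter peer TLS_SERVER
 transport security-type tls
 address ipv4 2.2.2.3
!
diameter timer watchdog 300
diameter origin host 1.1.1.1
diameter origin realm cisco.com
diameter vendor supported threegpp
diameter vendor supported cisco
diameter vendor supported vodafone
"""

PEER_RE = re.compile(r"^diameter peer (\S+)$")


def parse_diameter_config(text):
    """Split config text into global lines and per-peer stanza lines."""
    global_lines, peers, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.strip() == "!":           # '!' closes the current stanza
            current = None
            continue
        match = PEER_RE.match(line)
        if match:
            current = peers.setdefault(match.group(1), [])
        elif line[0].isspace() and current is not None:
            current.append(line.strip())  # indented line belongs to the peer
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, peers


def audit(text):
    """Return (scope, finding) tuples for transport-security and identity gaps."""
    global_lines, peers = parse_diameter_config(text)
    has_trustpoint = any(g.startswith("diameter tls trustpoint ") for g in global_lines)
    findings = []
    for name, lines in peers.items():
        if "transport security-type tls" not in lines:
            findings.append((name, "no TLS: DIAMETER runs over plain TCP"))
        elif not has_trustpoint:
            findings.append((name, "TLS uses the default trustpoint"))
    # The page states that a NULL string is sent when these are not configured.
    for key in ("diameter origin host", "diameter origin realm"):
        if not any(g.startswith(key + " ") for g in global_lines):
            findings.append(("global", "missing '" + key + "'"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```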

Configuring AAA for DIAMETER Peer in BNG

Perform this task to configure AAA for DIAMETER NASREQ application in BNG router.

Before you begin

Prior to this task, you must set up the DIAMETER peer in BNG router. For details, see Configuring DIAMETER Peer in BNG.

SUMMARY STEPS

  1. configure
  2. aaa group server { diameter | radius} server-group-name
  3. server peer_name
  4. aaa authentication subscriber { list-name | default} group { server-group-name | diameter | radius}
  5. aaa authorization subscriber { list-name | default} group { server-group-name | diameter | radius}
  6. aaa accounting subscriber { list-name | default} group { server-group-name | diameter | radius}
  7. aaa accounting service { list-name | default} group { server-group-name | diameter | radius}
  8. aaa authorization policy-if { list-name | default} group { server-group-name | diameter | radius}
  9. aaa authorization prepaid { list-name | default} group { server-group-name | diameter | radius}
  10. Use the commit or end command.

DETAILED STEPS

  Command or Action Purpose

Step 1

configure

Example:


RP/0/RSP0/CPU0:router# configure

Enters global configuration mode.

Step 2

aaa group server { diameter | radius} server-group-name

Example:


RP/0/RSP0/CPU0:router(config)# aaa group server diameter GX_SG

Configures the named server group for DIAMETER, and enters the server group sub-mode.

Step 3

server peer_name

Example:


RP/0/RSP0/CPU0:router(config-sg-diameter)# server GX_SERVER

Attaches the globally configured DIAMETER server (configured using the diameter peer command) having the same name to the server group. If a server is not configured with the same name, then an error message to that effect is displayed.

Unlike RADIUS, DIAMETER does not have private servers. DIAMETER treats a server that does not have a VRF name configured as a global server, and it uses the global routing table for that particular server.

Step 4

aaa authentication subscriber { list-name | default} group { server-group-name | diameter | radius}

Example:


RP/0/RSP0/CPU0:router(config)# aaa authentication subscriber default group diameter

Configures subscriber authentication with DIAMETER protocol using NASREQ application.

Step 5

aaa authorization subscriber { list-name | default} group { server-group-name | diameter | radius}

Example:


RP/0/RSP0/CPU0:router(config)# aaa authorization subscriber default group diameter

Configures subscriber authorization with DIAMETER protocol using NASREQ application.

Step 6

aaa accounting subscriber { list-name | default} group { server-group-name | diameter | radius}

Example:


RP/0/RSP0/CPU0:router(config)# aaa accounting subscriber default group diameter

Configures subscriber session accounting to DIAMETER server using Base Accounting Application.

Step 7

aaa accounting service { list-name | default} group { server-group-name | diameter | radius}

Example:


RP/0/RSP0/CPU0:router(config)# aaa accounting service default group diameter

Configures subscriber service accounting records to be carried to the DIAMETER server using Base Accounting Application.

Step 8

aaa authorization policy-if { list-name | default} group { server-group-name | diameter | radius}

Example:


RP/0/RSP0/CPU0:router(config)# aaa authorization policy-if policy_meth group GX_SG

Configures authorization lists for policy interface (Gx interface).

Step 9

aaa authorization prepaid { list-name | default} group { server-group-name | diameter | radius}

Example:


RP/0/RSP0/CPU0:router(config)# aaa authorization prepaid prepaid_meth group GY_SG

Configures authorization lists for prepaid (Gy interface).

Step 10

Use the commit or end command.

commit — Saves the configuration changes and remains within the configuration session.

end — Prompts user to take one of these actions:
  • Yes — Saves configuration changes and exits the configuration session.

  • No — Exits the configuration session without committing the configuration changes.

  • Cancel — Remains in the configuration session, without committing the configuration changes.

Configuring AAA for DIAMETER Connection in BNG: Example


AAA configurations:

aaa group server diameter GX_SG
 server GX_SERVER
!
aaa group server diameter GY_SG
 server GY_SERVER
!
aaa group server diameter NASREQ_SG
 server NASREQ_SERVER
!
aaa authorization network default group radius
aaa accounting service default group radius
aaa accounting subscriber default group radius
aaa accounting subscriber nasreq_acct_list group NASREQ_SG
aaa authorization subscriber default group radius
aaa authorization subscriber nasreq_author_list group NASREQ_SG
aaa authorization policy-if policy_meth group GX_SG
aaa authentication subscriber default group radius
aaa authorization prepaid prepaid_meth group GY_SG

Prepaid Service:

dynamic-template
 type service prepaid
  service-policy input qos_in_parent1 merge 10 acct-stats
  service-policy output qos_out_parent1 merge 10 acct-stats
  accounting aaa list default type service periodic-interval 30
  prepaid-config prepaid_config

Prepaid Template:

subscriber
 accounting prepaid prepaid_config
  threshold volume 100
  method-list authorization prepaid_meth
  threshold time 100
  password cisco

Policy Map:

policy-map type control subscriber diam_policy
 event session-start match-first
  class type control subscriber dual-stack do-until-failure
   10 activate dynamic-template DYN_TEMP_IPSUB_DUAL
   20 authorize aaa list default identifier source-address-mac password welcome
   30 authorize aaa list policy_meth identifier username password welcome
  !
 !
 end-policy-map
!

Verification of DIAMETER Configurations in BNG

These show commands can be used to verify the DIAMETER configurations in BNG:

SUMMARY STEPS

  1. show tcp brief
  2. show diameter peer
  3. show diameter gx statistics
  4. show diameter gy statistics
  5. show diameter gx session session-id-string
  6. show diameter gy session session-id-string
  7. show diameter nas session [ checkpoint | session | summary]
  8. show checkpoint dynamic process diameter

DETAILED STEPS


Step 1

show tcp brief

Example:


RP/0/RSP0/CPU0:router# show tcp brief

PCB        VRF-ID       Recv-Q Send-Q Local Address   Foreign Address    State
0x1016cc7c 0x60000000     0      0    2.2.2.1:28691   2.2.2.2:3869       ESTAB
0x1016bbc8 0x60000000     0      0    2.2.2.1:24698   2.2.2.2:3868       ESTAB
0x1013ccc0 0x60000000     0      0    0.0.0.0:23      0.0.0.0:0          LISTEN
0x10138db8 0x00000000     0      0    0.0.0.0:23      0.0.0.0:0          LISTEN

Displays a summary of the TCP connection table.

Step 2

show diameter peer

Example:


RP/0/RSP0/CPU0:router# show diameter peer

Origin Host :
Origin Realm :
Source Interface :
TLS Trustpoint :
Connection timer value : 30 seconds
Watchdog timer value : 300 seconds
Transaction timer value : 30 seconds
Number of Peers:3

Peer name : GX_SERVER
        type : SERVER
        Address/port : 2.2.2.2/3868
        Transport protocol : TCP
        Peer security protocol : NONE
        connection timer : 30 seconds
        watchdog timer value : 300 seconds
        transaction timer value : 30 seconds
        VRF name : default
        Source-interface :
        Destination realm : GX_REALM
        Destination host name :
        Peer connection status : Open

      Peer Statistics
------------------------------
          IN     /    OUT
------------------------------
ASR       0             0
ASA       0             0
ACR       0             0
ACA       0             0
CER       0             1
CEA       1             0
DWR       0             0
DWA       0             0
DPR       0             0
DPA       0             0
RAR       0             0
RAA       0             0
STR       0             0
STA       0             0
AAR       0             0
AAA       0             0
CCR       0             0
CCA       0             0
Malformed Rcvd   :  0
Prot. Errs Sent  :  0                 Prot. Errs Rcvd  :  0
Trans. Errs Sent :  0                 Trans. Errs Rcvd :  0
Perm. Errs Sent  :  0                 Perm. Errs Rcvd  :  0

Displays DIAMETER peer information.

Step 3

show diameter gx statistics

Example:


RP/0/RSP0/CPU0:router# show diameter gx statistics
CCR Initial Messages                : 1
CCR Initial Messages Sent Failed    : 0
CCR Initial Messages Timed Out      : 0
CCR Initial Messages Retry          : 0
CCR Update Messages                 : 0
CCR Update Messages Sent Failed     : 0
CCR Update Messages Timed Out       : 0
CCR Update Messages Retry           : 0
CCR Terminate Messages              : 0
CCR Terminate Messages Sent Failed  : 0
CCR Terminate Messages Timed Out    : 0
CCR Terminate Messages Retry        : 0
CCA Initial Messages                : 1
CCA Initial Messages Error          : 0
CCA Update Messages                 : 0
CCA Update Messages Error           : 0
CCA Terminate Messages              : 0
CCA Terminate Messages Error        : 0
RAR Received Messages               : 0
RAR Received Messages Error         : 0
RAA Sent Messages                   : 0
RAA Sent Messages Error             : 0
ASR Received Messages               : 0
ASR Received Messages Error         : 0
ASA Sent Messages                   : 0
ASA Sent Messages Error             : 0
Session Termination Messages Recvd  : 0
Unknown Request Messages            : 0
Restored Sessions                   : 0
Total Opened Sessions               : 1
Total Closed Sessions               : 0
Total Active Sessions               : 1

Displays DIAMETER gx statistics.

Step 4

show diameter gy statistics

Example:


RP/0/RSP0/CPU0:router# show diameter gy statistics

CCR Initial Messages                : 1
CCR Initial Messages Sent Failed    : 0
CCR Initial Messages Timed Out      : 0
CCR Initial Messages Retry          : 0
CCR Update Messages                 : 4
CCR Update Messages Sent Failed     : 0
CCR Update Messages Timed Out       : 0
CCR Update Messages Retry           : 0
CCR Terminate Messages              : 1
CCR Terminate Messages Sent Failed  : 0
CCR Terminate Messages Timed Out    : 0
CCR Terminate Messsages Retry       : 0
CCA Initial Messages                : 1
CCA Initial Messages Error          : 0
CCA Update Messages                 : 4
CCA Update Messages Error           : 0
CCA Terminate Messages              : 1
CCA Terminate Messages Error        : 0
RAR Received Messages               : 0
RAR Received Messages Error         : 0
RAA Sent Messages                   : 0
RAA Sent Messages Error             : 0
ASR Received Messages               : 0
ASR Received Messages Error         : 0
ASA Sent Messages                   : 0
ASA Sent Messages Error             : 0
Unknown Request Messages            : 0
Restored Sessions                   : 0
Total Opened Sessions               : 2
Total Closed Sessions               : 1
Total Active Sessions               : 1

Displays DIAMETER gy statistics.

Step 5

show diameter gx session session-id-string

Example:


RP/0/RSP0/CPU0:router# show diameter gx session 461419

Gx Session Status for  [461419]
        Session Status        : ACTIVE
        Diameter Session ID   : 1.1.1.1;4;461419;1185991
        Gx Session State      : OPEN
        Request Number        : 0
        Request Type          : INITIAL REQUEST
        Request Retry Count   : 0

Displays DIAMETER gx session information.

Step 6

show diameter gy session session-id-string

Example:


RP/0/RSP0/CPU0:router# show diameter gy session 461421

Gy Session Status for  [461421]
        Session Status        : ACTIVE
        Diameter Session ID   : 1.1.1.1;4;461421;1186625
        Gy Session State      : OPEN
        Request Number        : 1
        Request Type          : UPDATE REQUEST
        Request Retry Count   : 0

Displays DIAMETER gy session information.

Step 7

show diameter nas session [ checkpoint | session | summary]

Example:


RP/0/RSP0/CPU0:router# show diameter nas session

Gy Session Status for  [461421]
        Session Status        : ACTIVE
        Diameter Session ID   : 1.1.1.1;4;461421;1186625
        Gy Session State      : OPEN
        Request Number        : 1
        Request Type          : UPDATE REQUEST
        Request Retry Count   : 0

RP/0/RSP0/CPU0:router# show diameter nas session 00070a6f

Nas Session status for [00070a6f]
        Session Status            :  Active
        Diameter Session ID       : 1.1.1.1;4;461423;1187179

        Authentication Status     : NA
        Authorization Status      : SUCCESS
        Accounting Status (Start) : NA
        Accounting Status (Stop)  : NA
        Disconnect status         : NA

  Peer Information :
        Server group     :  NASREQ_SG
        Server Used      :  NASREQ_SERVER

RP/0/RSP0/CPU0:router# show diameter nas summary

NAS Statistics :

    NAS Initiated msgs :

        Authentication       ::

          In                   :          0   Out                  :          0
          Requests received    :          0   Requests send        :          0
          Response received    :          0   Result forwaded      :          0
          Transaction Succeeded:          0   Transactions Failed  :          0

        Authorization        ::

          In                   :          1   Out                  :          1
          Requests received    :          1   Requests send        :          1
          Response received    :          1   Result forwaded      :          1
          Transaction Succeeded:          1   Transactions Failed  :          0

        Accounting (Start)   ::

          In                   :          0   Out                  :          0
          Requests received    :          0   Requests send        :          0
          Response received    :          0   Result forwaded      :          0
          Transaction Succeeded:          0   Transactions Failed  :          0

        Accounting (Stop)    ::

          In                   :          0   Out                  :          0
          Requests received    :          0   Requests send        :          0
          Response received    :          0   Result forwaded      :          0
          Transaction Succeeded:          0   Transactions Failed  :          0

        Accounting (Interim) ::

          In                   :          0   Out                  :          0
          Requests received    :          0   Requests send        :          0
          Response received    :          0   Result forwaded      :          0
          Transaction Succeeded:          0   Transactions Failed  :          0

        Disconnect           ::

          In                   :          0   Out                  :          0
          Requests received    :          0   Requests send        :          0
          Response received    :          0   Result forwaded      :          0
          Transaction Succeeded:          0   Transactions Failed  :          0


    Server Initiated msgs :

        Coa  (RAR)           ::

          In                   :          0   Out                  :          0
          Requests received    :          0   Requests send        :          0
          Response received    :          0   Result forwaded      :          0
          Transaction Succeeded:          0   Transactions Failed  :          0

        POD  (ASR)           ::

          In                   :          0   Out                  :          0
          Requests received    :          0   Requests send        :          0
          Response received    :          0   Result forwaded      :          0
          Transaction Succeeded:          0   Transactions Failed  :          0

Displays DIAMETER NAS information.

Step 8

show checkpoint dynamic process diameter

Example:


RP/0/RSP0/CPU0:router# show checkpoint dynamic process diameter

     Name           Version         ID    Seg #Objects   Length  InfoLen  Flags
---------------------------------------------------------------------------------
0x00000003     0,    0,    0 0x40001c00      M        0      292        4   I M 
0x00000004     0,    0,    0 0x40001d00      M        1      264        4   I M 
0x00000002     0,    0,    0 0x40001e00      M        1       24        4   I M 
0x00000001     0,    0,    0 0x40001f00      M        1       24        4   I M 

Segment 0: Number of pages allocated: 4
Segment 0: Number of pages free: 3

Segment 1: Number of pages allocated: 9
Segment 1: Number of pages free: 3

-----------------------------------------------------------------------------------

Displays checkpoint information of DIAMETER process.
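The peer output in Step 2 shows GX_SERVER on TCP port 3868 with "Peer security protocol : NONE" and an empty TLS Trustpoint, while RFC 6733 requires Diameter to be protected by TLS, DTLS or IPsec. The following Python script is an added example, not Cisco code: it parses captured "show diameter peer" text and lists peers without Diameter-layer security, peers that are not Open, and nonzero error counters. The NASREQ_BACKUP peer and its values ("TLS", "Closed", the error counts) are constructed assumptions.

```python
import re

# Constructed sample: the GX_SERVER block is trimmed from the Step 2 output above;
# NASREQ_BACKUP is a hypothetical peer whose values ("TLS", "Closed", nonzero
# error counters) are assumptions made up to exercise every check.
SAMPLE = """\
Origin Host :
Origin Realm :
TLS Trustpoint :
Number of Peers:2

Peer name : GX_SERVER
        type : SERVER
        Address/port : 2.2.2.2/3868
        Transport protocol : TCP
        Peer security protocol : NONE
        Peer connection status : Open
CER       0             1
CEA       1             0
Malformed Rcvd   :  0
Prot. Errs Sent  :  0                 Prot. Errs Rcvd  :  0

Peer name : NASREQ_BACKUP
        type : SERVER
        Address/port : 2.2.2.3/3868
        Transport protocol : TCP
        Peer security protocol : TLS
        Peer connection status : Closed
Malformed Rcvd   :  3
Prot. Errs Sent  :  0                 Prot. Errs Rcvd  :  2
"""

# Error counters can appear twice on one line, so they get their own pattern.
ERR_RE = re.compile(r"((?:Malformed|Prot\.|Trans\.|Perm\.)[\w. ]*?)\s*:\s*(\d+)")


def parse_peers(text):
    """Split the output into global settings and one dict per 'Peer name' block."""
    settings, peers = {}, []
    target = settings
    for raw in text.splitlines():
        line = raw.strip()
        errs = ERR_RE.findall(line)
        if errs:
            if peers:
                peers[-1]["errors"].update({k: int(v) for k, v in errs})
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank lines, rulers, and "CER 0 1" message counters
        key, value = key.strip(), value.strip()
        if key == "Peer name":
            target = {"errors": {}}
            peers.append(target)
        target[key] = value
    return settings, peers


def audit(text):
    """Return (peer, finding) tuples worth a second look."""
    settings, peers = parse_peers(text)
    findings = []
    if not settings.get("TLS Trustpoint"):
        findings.append(("global", "no TLS trustpoint configured"))
    for p in peers:
        name = p["Peer name"]
        if p.get("Peer security protocol", "NONE").upper() == "NONE":
            findings.append((name, "Diameter runs without transport security"))
        status = p.get("Peer connection status", "unknown")
        if status != "Open":
            findings.append((name, "peer not Open: " + status))
        for counter, count in p["errors"].items():
            if count:
                findings.append((name, f"{counter} = {count}"))
    return findings


if __name__ == "__main__":
    for peer, finding in audit(SAMPLE):
        print(f"{peer:15} {finding}")
```

A NONE result is not by itself a defect when the link to the server is protected by IPsec; the check only shows that the Diameter layer adds no protection of its own.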


BNG DIAMETER-Geo Redundancy Interworking

BNG extends the geo redundancy feature to support the DIAMETER protocol on the northbound interfaces. Because DIAMETER is a stateful protocol, unlike RADIUS, which is stateless, BNG takes care of the northbound interface convergence for the NASREQ, Gx and Gy applications during BNG switchovers. This functionality is mainly useful for the back-end servers, which can seamlessly maintain the subscriber accounting information of prepaid customers when a node fails over.

This figure shows a topology of DIAMETER-Geo redundancy interworking.

Figure 3. DIAMETER-Geo Redundancy Interworking


See more details about geo redundancy and DIAMETER at BNG Geo Redundancy and DIAMETER Support in BNG.

BNG DIAMETER-Geo Redundancy Call Flow

This figure shows the call flow of subscriber session establishment with BNG DIAMETER-Geo redundancy:

Figure 4. Call Flow of Subscriber Session Establishment With BNG DIAMETER-Geo Redundancy


This figure shows the call flow of subscriber sessions during SRG switch over:

Figure 5. Call Flow of Subscriber Sessions During SRG Switch Over


When sessions move from the active to the standby state during a switchover, the old SRG primary BNG node stops the prepaid accounting by sending a CCR-Final message from the DIAMETER Gy application to the OCS server. Similarly, the old SRG primary BNG node sends a CCR-Terminate message from the DIAMETER Gx application to gracefully close the session with the PCRF. The NASREQ application handles the accounting start, stop and interim messages. This application sends Accounting STOP messages from the primary BNG node to the NASREQ server.

When the sessions are switched from the standby state to the active state, the new SRG primary BNG node re-establishes the state with the PCRF for subsequent communication by sending a CCR-Initial message from the Gx application. Similarly, the new SRG primary BNG node sends a CCR-Initial message to the OCS server so that the Gy application starts the new prepaid service. After the SRG switchover, the Gy application on the new SRG primary node creates a new context after receiving the Prepaid Start (Authorization) request.

The DIAMETER NAS application on the router needs the DIAMETER session context in order to process requests from the client. This context is created for every new request received from the client, except the Accounting Stop and Session-Termination-Request messages. When the sessions come up on the new SRG primary node, the NAS application receives Accounting Start messages from the client, and DIAMETER sessions are created when these messages are received. The NASREQ application sends these Accounting START messages to the NASREQ server to maintain the continuity of the interim accounting.

Verify BNG DIAMETER-Geo Redundancy

Verify the Statistics From the New Subordinate BNG Node

  • Check the accounting records and STR record counters, if authentication is done with the NASREQ server:

    
    Router#show diameter nas summary
    NAS Statistics :
    
        NAS Initiated msgs :
    
            Authentication       ::
    
              In                   :          0   Out                  :          0
              Requests received    :          0   Requests send        :          0
              Response received    :          0   Result forwaded      :          0
              Transaction Succeeded:          0   Transactions Failed  :          0
    
            Authorization        ::
    
              In                   :          0   Out                  :          0
              Requests received    :          0   Requests send        :          0
              Response received    :          0   Result forwaded      :          0
              Transaction Succeeded:          0   Transactions Failed  :          0
    
            Accounting (Start)   ::
    
              In                   :          0   Out                  :          0
              Requests received    :          0   Requests send        :          0
              Response received    :          0   Result forwaded      :          0
              Transaction Succeeded:          0   Transactions Failed  :          0
    
            Accounting (Stop)    ::
    
              In                   :      64000   Out                  :      64000
              Requests received    :      64000   Requests send        :      64000
              Response received    :      64000   Result forwaded      :      64000
              Transaction Succeeded:      64000   Transactions Failed  :          0
    
            Accounting (Interim) ::
    
              In                   :          0   Out                  :          0
              Requests received    :          0   Requests send        :          0
              Response received    :          0   Result forwaded      :          0
              Transaction Succeeded:          0   Transactions Failed  :          0
    
            Disconnect           ::
    
              In                   :      32000   Out                  :      32000
              Requests received    :      32000   Requests send        :      32000
              Response received    :      32000   Result forwaded      :      32000
              Transaction Succeeded:      32000   Transactions Failed  :          0
    
    
    
  • Check the Gx-specific statistics:

    
    Router#show diameter gx statistics
    Tue Mar 15 16:37:36.545 UTC
    CCR Initial Messages                : 0
    CCR Initial Messages Sent Failed    : 0
    CCR Initial Messages Timed Out      : 0
    CCR Initial Messages Retry          : 0
    CCR Update Messages                 : 0
    CCR Update Messages Sent Failed     : 0
    CCR Update Messages Timed Out       : 0
    CCR Update Messages Retry           : 0
    CCR Terminate Messages              : 32000
    CCR Terminate Messages Sent Failed  : 0
    CCR Terminate Messages Timed Out    : 0
    CCR Terminate Messages Retry        : 0
    CCA Initial Messages                : 0
    CCA Initial Messages Error          : 0
    CCA Update Messages                 : 0
    CCA Update Messages Error           : 0
    CCA Terminate Messages              : 32000
    CCA Terminate Messages Error        : 0
    RAR Received Messages               : 0
    RAR Received Messages Error         : 0
    RAA Sent Messages                   : 0
    RAA Sent Messages Error             : 0
    ASR Received Messages               : 0
    ASR Received Messages Error         : 0
    ASA Sent Messages                   : 0
    ASA Sent Messages Error             : 0
    Session Termination Messages Recvd  : 0
    Unknown Request Messages            : 0
    Restored Sessions                   : 0
    Total Opened Sessions               : 0
    Total Closed Sessions               : 32000
    Total Active Sessions               : 0
    
    
  • Check the Gy-specific statistics:

    
    Router#show diameter gy statistics
    Tue Mar 15 16:37:36.545 UTC
    CCR Initial Messages                : 0
    CCR Initial Messages Sent Failed    : 0
    CCR Initial Messages Timed Out      : 0
    CCR Initial Messages Retry          : 0
    CCR Update Messages                 : 0
    CCR Update Messages Sent Failed     : 0
    CCR Update Messages Timed Out       : 0
    CCR Update Messages Retry           : 0
    CCR Terminate Messages              : 32000
    CCR Terminate Messages Sent Failed  : 0
    CCR Terminate Messages Timed Out    : 0
    CCR Terminate Messages Retry        : 0
    CCA Initial Messages                : 0
    CCA Initial Messages Error          : 0
    CCA Update Messages                 : 0
    CCA Update Messages Error           : 0
    CCA Terminate Messages              : 32000
    CCA Terminate Messages Error        : 0
    RAR Received Messages               : 0
    RAR Received Messages Error         : 0
    RAA Sent Messages                   : 0
    RAA Sent Messages Error             : 0
    ASR Received Messages               : 0
    ASR Received Messages Error         : 0
    ASA Sent Messages                   : 0
    ASA Sent Messages Error             : 0
    Session Termination Messages Recvd  : 0
    Unknown Request Messages            : 0
    Restored Sessions                   : 0
    Total Opened Sessions               : 0
    Total Closed Sessions               : 32000
    Total Active Sessions               : 0
    
    

Verify the Statistics From the New Primary BNG Node

  • Check the NAS statistics:

    Router#show diameter nas summary
    NAS Statistics :
    
        NAS Initiated msgs :
    
            Authentication       ::
    
              In                   :          0   Out                  :          0
              Requests received    :          0   Requests send        :          0
              Response received    :          0   Result forwaded      :          0
              Transaction Succeeded:          0   Transactions Failed  :          0
    
            Authorization        ::
    
              In                   :          0   Out                  :          0
              Requests received    :          0   Requests send        :          0
              Response received    :          0   Result forwaded      :          0
              Transaction Succeeded:          0   Transactions Failed  :          0
    
            Accounting (Start)   ::
    
              In                   :      64000   Out                  :      64000
              Requests received    :      64000   Requests send        :      64000
              Response received    :      64000   Result forwaded      :      64000
              Transaction Succeeded:      64000   Transactions Failed  :          0
    
    
  • Check the Gx-specific statistics:

    Router#show diameter gx statistics
    
    Tue Mar 15 16:36:29.875 UTC
    CCR Initial Messages                : 32000
    CCR Initial Messages Sent Failed    : 0
    CCR Initial Messages Timed Out      : 0
    CCR Initial Messages Retry          : 0
    CCR Update Messages                 : 0
    CCR Update Messages Sent Failed     : 0
    CCR Update Messages Timed Out       : 0
    CCR Update Messages Retry           : 0
    CCR Terminate Messages              : 0
    CCR Terminate Messages Sent Failed  : 0
    CCR Terminate Messages Timed Out    : 0
    CCR Terminate Messages Retry        : 0
    CCA Initial Messages                : 32000
    CCA Initial Messages Error          : 0
    CCA Update Messages                 : 0
    CCA Update Messages Error           : 0
    CCA Terminate Messages              : 0
    CCA Terminate Messages Error        : 0
    RAR Received Messages               : 0
    RAR Received Messages Error         : 0
    RAA Sent Messages                   : 0
    RAA Sent Messages Error             : 0
    ASR Received Messages               : 0
    
    
  • Check the Gy-specific statistics:

    Router#show diameter gy statistics
    
    Tue Mar 15 16:36:34.342 UTC
    CCR Initial Messages                : 32000
    CCR Initial Messages Sent Failed    : 0
    CCR Initial Messages Timed Out      : 0
    CCR Initial Messages Retry          : 0
    CCR Update Messages                 : 0
    CCR Update Messages Sent Failed     : 0
    CCR Update Messages Timed Out       : 0
    CCR Update Messages Retry           : 0
    CCR Terminate Messages              : 0
    CCR Terminate Messages Sent Failed  : 0
    CCR Terminate Messages Timed Out    : 0
    CCR Terminate Messsages Retry       : 0
    CCA Initial Messages                : 32000
    CCA Initial Messages Error          : 0
    CCA Update Messages                 : 0
    CCA Update Messages Error           : 0
    CCA Terminate Messages              : 0
    CCA Terminate Messages Error        : 0
    RAR Received Messages               : 0
    RAR Received Messages Error         : 0
    RAA Sent Messages                   : 0
    RAA Sent Messages Error             : 0
    ASR Received Messages               : 0
    ASR Received Messages Error         : 0
    ASA Sent Messages                   : 0
    ASA Sent Messages Error             : 0
    Unknown Request Messages            : 0
    Restored Sessions                   : 0
    Total Opened Sessions               : 32000
    Total Closed Sessions               : 0
    Total Active Sessions               : 32000
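
The counter comparison in this section can be automated. The following Python script is an added example, not part of the Cisco documentation: it checks captured gx or gy statistics from both nodes for the pattern shown above (terminations on the old primary matched by initial requests on the new primary, with no failures or timeouts) and reports counters missing from a truncated capture instead of passing them. The sample text is constructed, and the rule that both nodes must show equal counts assumes every session in the group switched over.

```python
import re

# Constructed samples, abbreviated from the Gx outputs shown above. NEW_OK ends
# early, like the page's Gx capture from the new primary; NEW_BAD is hypothetical.
OLD = """\
Router#show diameter gx statistics
Tue Mar 15 16:37:36.545 UTC
CCR Terminate Messages              : 32000
CCR Terminate Messages Timed Out    : 0
CCA Terminate Messages              : 32000
CCA Terminate Messages Error        : 0
Total Closed Sessions               : 32000
Total Active Sessions               : 0
"""
NEW_OK = """\
Tue Mar 15 16:36:29.875 UTC
CCR Initial Messages                : 32000
CCR Initial Messages Timed Out      : 0
CCA Initial Messages                : 32000
CCA Initial Messages Error          : 0
"""
NEW_BAD = """\
CCR Initial Messages                : 32000
CCR Initial Messages Timed Out      : 10
CCA Initial Messages                : 31990
Total Active Sessions               : 31990
"""

STAT_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)\s*$")
FAILURE_SUFFIXES = ("Failed", "Timed Out", "Error")


def parse_stats(text):
    """Map counter name to int; prompts and timestamps do not match and are skipped."""
    return {m.group(1): int(m.group(2))
            for m in map(STAT_RE.match, text.splitlines()) if m}


def check_switchover(old_text, new_text):
    """Return (problems, unverified) for one application, Gx or Gy."""
    old, new = parse_stats(old_text), parse_stats(new_text)
    problems, unverified = [], []

    def same(node, stats, *names):
        missing = [n for n in names if n not in stats]
        if missing:
            unverified.append(f"{node}: missing {', '.join(missing)}")
        values = {stats[n] for n in names if n in stats}
        if len(values) > 1:
            problems.append(f"{node}: {' / '.join(names)} disagree")

    # Old primary: every session was terminated, answered, and closed.
    same("old", old, "CCR Terminate Messages", "CCA Terminate Messages",
         "Total Closed Sessions")
    if old.get("Total Active Sessions", 0) != 0:
        problems.append("old: sessions still active after switchover")
    # New primary: every session was re-initiated, answered, and is active.
    same("new", new, "CCR Initial Messages", "CCA Initial Messages",
         "Total Active Sessions")
    # Assumption: all sessions closed on the old node moved to the new one.
    if old.get("CCR Terminate Messages") != new.get("CCR Initial Messages"):
        problems.append("old terminations != new initial requests")
    for node, stats in (("old", old), ("new", new)):
        for name, count in stats.items():
            if count and name.endswith(FAILURE_SUFFIXES):
                problems.append(f"{node}: {name} = {count}")
    return problems, unverified


if __name__ == "__main__":
    for label, capture in (("NEW_OK", NEW_OK), ("NEW_BAD", NEW_BAD)):
        print(label, check_switchover(OLD, capture))
```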
    
    

Additional References

These sections provide references related to implementing DIAMETER.

RFCs and Standards

Standard/RFC

RFC-6733                    Diameter Base Protocol
RFC-4006                    Diameter Credit-Control Application
RFC-4005                    Diameter Network Access Server Application (NASREQ)
RFC-3046                    DHCP Relay Agent Information Option
RFC-3539                    Authentication, Authorization and Accounting (AAA) Transport Profile
3GPP TS 129 212 V11.10.0    Universal Mobile Telecommunications System (UMTS); LTE; Policy and Charging Control (PCC); Reference Points for Gx interface support.
3GPP TS 132 299 V11.9.1     Technical Specification on Diameter charging applications used for Gx and Gy interface support.

MIBs

MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
