
Cisco ACS - missing RADIUS attributes

fedja.delalic
Level 1

We have established a site-to-site VPN tunnel, but we are struggling with the RADIUS setup. The problem is that the two sides of the tunnel use different vendor products. Our service provider uses Juniper's Steel Belted RADIUS, while we use Cisco ACS RADIUS.

I assume that is the reason why we cannot see the following RADIUS (3GPP) attributes:

apn-identifier;

imsi;

msisdn;

Only ones we can see are:

RADIUS (3GPP) Attributes

[10415\001] 3GPP-IMSI

[10415\002] 3GPP-Charging-ID

[10415\003] 3GPP-PDP-Type

[10415\005] 3GPP-GPRS-NegotiatedQoS-profile

[10415\006] 3GPP-SGSN-Address

[10415\007] 3GPP-GGSN-Address

[10415\018] 3GPP-SGSN

[10415\021] 3GPP-RAT-Type

but these are useless to us.

As it stands, we cannot have RADIUS authentication without these attributes appearing in our 3GPP RADIUS settings under Group Settings. The service provider, of course, is not willing to change theirs, so we have to change ours. Is there anything we can do within ACS to add them? Manually configure them by editing the .ini file? If yes, does anyone know what the values are?

Any other advice would be appreciated.

12 Replies

Jagdeep Gambhir
Level 10

Hi,

Please find attached the 3GPP vendor file to import in your ACS so you can configure the IMSI attribute as per requirement.

For instructions on how to import the file, please see:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a00806fe256.html#wp365540

Hope that helps!

Regards,

Jagdeep

Thanks Jagdeep, I'll try it in a second.

What about apn-identifier and msisdn?

Jagdeep, can you please tell me what values I need to enter for IMSI, MSISDN and APN-IDENTIFIER for them to appear in my 3GPP RADIUS attributes?

Hello,

I would suggest you get the .ini (dictionary) file from the vendor for your device type/model, because they know their device well. After that you can load it on ACS to get the attributes that you want.

Regards,

Prem

I am using the .ini file that Jagdeep suggested above, but the mentioned attributes are not showing up. I rang Cisco and they gave me the following information, but I am not an expert on RADIUS config and it does not make much sense to me:

Hi Fedja, my research shows that you need to set the following to be set on the ACS:

MSISDN -> Calling-Station-ID (or RADIUS attribute #31)

Access Point Name (APN) -> NAS-Identifier (ie, RADIUS Attribute # 32)

IMSI -> 3GPP-IMSI

Anyone know what he's talking about?

Cheers,

Fedja

Okay,

Now the question that will arise is, why do we want to specify MSISDN, APN, IMSI. What is their significance? What will happen if we do not configure them?

Regards,

Prem

OK, let me explain from the beginning:

We purchased 3G wireless cards which talk to our network via a site-to-site VPN and authenticate via a RADIUS server. I was told by the provider that these attributes need to be matched on our side in order to use our RADIUS.

Hi,

Have you tried some test authentication using 3G cards? What was the result?

As in most cases, RADIUS attributes 31 and 32 are sent to the RADIUS server by the NAS.

Can you setup a test lab and share results?

Regards,

Prem

Thanks to rochopra,

I think I was right,

Both these attributes are IETF attributes. It's only that 3GPP describes them as

MSISDN (mobile phone number) rather than Calling-Station-Id

and

APN name rather than Called-Station-Id.

The above are not vendor-specific attributes; only

3GPP-IMSI: IMSI (international mobile subscriber identity)

is, which you already have loaded in the VSA.

I would say give a lab test first and share the result.

Regards,

Prem

rochopra
Cisco Employee

I believe this attachment will be helpful for you to understand the attributes being exchanged.

In the attachment you can clearly see the following in Access-Request packet:

30 Called-Station-Id UTF-8 hexadecimal encoding APN name

31 Calling-Station-Id UTF-8 decimal encoding MSISDN (mobile phone number)

26/10415 3GPP Vendor-Specific

1 3GPP-IMSI UTF-8 hexadecimal encoding IMSI (international mobile subscriber identity)

These are being sent to the ACS server to request the authentication.

Excellent, I think this helps. I'll set this up on our test ACS tomorrow and let you know.

Many thanks guys

Fedja
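
The attribute layout rochopra lists above (30 Called-Station-Id, 31 Calling-Station-Id, and 3GPP-IMSI as sub-attribute 1 inside Vendor-Specific 26 with vendor ID 10415) can be checked against a captured Access-Request with a short parser. This is an added example, not part of the original thread or any Cisco tooling; the function names and the sample APN, MSISDN and IMSI values are constructed, and values are assumed to be UTF-8 text as the thread describes.

```python
import struct

VENDOR_3GPP = 10415  # vendor ID shown in the thread's "[10415\001] 3GPP-IMSI"
IETF_NAMES = {30: "Called-Station-Id", 31: "Calling-Station-Id"}  # APN, MSISDN
VSA_3GPP_NAMES = {1: "3GPP-IMSI"}

def _tlvs(buf):
    """Yield (type, value) from 1-byte-type / 1-byte-length TLVs."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        typ, length = buf[pos], buf[pos + 1]
        # The length byte counts the two header bytes as well as the value.
        if length < 2 or pos + length > len(buf):
            raise ValueError(f"bad length {length} for attribute {typ}")
        yield typ, buf[pos + 2:pos + length]
        pos += length

def parse_access_request(packet):
    """Return {attribute name: text} for the three identifiers in the thread."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    found = {}
    for typ, value in _tlvs(packet[20:length]):
        if typ in IETF_NAMES:
            found[IETF_NAMES[typ]] = value.decode("utf-8")
        elif typ == 26 and len(value) >= 4:
            if struct.unpack("!I", value[:4])[0] != VENDOR_3GPP:
                continue  # some other vendor's VSA
            for sub, subval in _tlvs(value[4:]):
                if sub in VSA_3GPP_NAMES:
                    found[VSA_3GPP_NAMES[sub]] = subval.decode("utf-8")
    return found

def attr(typ, value):
    """Encode one TLV (helper for the constructed sample only)."""
    return bytes([typ, len(value) + 2]) + value

def build_sample():
    """Constructed Access-Request with made-up subscriber values."""
    vsa = attr(26, struct.pack("!I", VENDOR_3GPP) + attr(1, b"001010123456789"))
    attrs = attr(30, b"corp.example") + attr(31, b"15555550100") + vsa
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print(parse_access_request(build_sample()))
```

Only 3GPP-IMSI depends on the imported vendor dictionary; the other two are standard IETF attributes that the server receives regardless of which VSA file is loaded.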
