06-20-2007 02:46 AM - edited 03-10-2019 03:13 PM
We have established a site-to-site VPN tunnel, but we are struggling with RADIUS setup. The problem is that the two sides of the tunnel use different vendor products. Our service provider uses Juniper's Steel Belted RADIUS, while we use Cisco ACS RADIUS.
I assume that is the reason why we cannot see the following RADIUS (3GPP) attributes:
apn-identifier;
imsi;
msisdn;
The only ones we can see are:
RADIUS (3GPP) Attributes
[10415\001] 3GPP-IMSI
[10415\002] 3GPP-Charging-ID
[10415\003] 3GPP-PDP-Type
[10415\005] 3GPP-GPRS-NegotiatedQoS-profile
[10415\006] 3GPP-SGSN-Address
[10415\007] 3GPP-GGSN-Address
[10415\018] 3GPP-SGSN
[10415\021] 3GPP-RAT-Type
but these are useless to us.
As it stands, we cannot have RADIUS authentication without these attributes appearing in our 3GPP RADIUS settings under Group Settings. The service provider, of course, is not willing to change theirs, so we have to change ours. Is there anything we can do within ACS to add them? Manually configure them by editing the .ini file? If yes, does anyone know what the values are?
Any other advice would be appreciated.
06-20-2007 04:53 AM
Hi,
Please find attached the 3GPP vendor file to import in your ACS so you can configure the IMSI attribute as per requirement.
For instructions on how to import the file, please see:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a00806fe256.html#wp365540
Hope that helps !
Regards,
Jagdeep
06-20-2007 03:45 PM
Thanks Jagdeep, I'll try it in a second.
What about apn-identifier and msisdn?
06-20-2007 05:40 PM
Jagdeep, can you please tell me what values I need to enter for IMSI, MSISDN and APN-IDENTIFIER for them to appear in my 3GPP RADIUS attributes?
06-20-2007 05:58 PM
Hello,
I would suggest you get the .ini (dictionary) file from the vendor for your device type/model, because they know their device well. After that you can load it on ACS to get the attributes that you want.
Regards,
Prem
06-20-2007 06:05 PM
I am using the .ini file that Jagdeep suggested above, but the mentioned attributes are not showing up. I rang Cisco and they gave me the following information, but I am not an expert on RADIUS config and it does not make much sense to me:
Hi Fedja, my research shows that you need the following to be set on the ACS:
MSISDN -> Calling-Station-ID (or RADIUS attribute #31)
Access Point Name (APN) -> NAS-Identifier (i.e., RADIUS attribute #32)
IMSI -> 3GPP-IMSI
Anyone know what he's talking about?
Cheers,
Fedja
06-21-2007 03:44 AM
Okay,
Now the question that will arise is, why do we want to specify MSISDN, APN, IMSI. What is their significance? What will happen if we do not configure them?
Regards,
Prem
06-21-2007 04:26 AM
OK, let me explain from the beginning:
We purchased 3G wireless cards which talk to our network via a site-to-site VPN and authenticate via a RADIUS server. I was told by the provider that these attributes need to be matched on our side in order to use our RADIUS.
06-21-2007 04:33 AM
Hi,
Have you tried some test authentication using 3G cards? What was the result?
As in most cases, RADIUS attributes 31 and 32 are sent to the RADIUS server by the NAS.
Can you setup a test lab and share results?
Regards,
Prem
06-21-2007 05:03 AM
Thanks to rochopra,
I think I was right,
Both these attributes are IETF attributes. It's only that 3GPP describes them as
MSISDN (mobile phone number) rather than Calling-Station-Id
and
APN name rather than Called-Station-Id.
The above are not vendor-specific attributes. Only
3GPP-IMSI: IMSI (international mobile subscriber identity)
is, which you already have loaded in the VSA.
I would say give it a lab test first and share the result.
Regards,
Prem
06-21-2007 04:55 AM
06-21-2007 05:01 AM
In the attachment you can clearly see the following in Access-Request packet:
30 Called-Station-Id UTF-8 hexadecimal encoding APN name
31 Calling-Station-Id UTF-8 decimal encoding MSISDN (mobile phone number)
26/10415 3GPP Vendor-Specific
1 3GPP-IMSI UTF-8 hexadecimal encoding IMSI (international mobile subscriber identity)
These are being sent to the ACS server to request the authentication.
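
The attribute layout described in the post above, as an added example that is not part of the original thread: a minimal Python parser that pulls the APN (Called-Station-Id, 30), MSISDN (Calling-Station-Id, 31) and IMSI (vendor 10415, sub-attribute 1) out of an Access-Request. The sample packet, user name, APN and subscriber numbers are constructed for illustration, and the helper names are hypothetical.

```python
import struct

VENDOR_3GPP = 10415  # vendor ID from the thread's list, e.g. [10415\001] 3GPP-IMSI

def attr(a_type, value):
    """Encode one type/length/value attribute (length counts the 2-byte header)."""
    return bytes([a_type, len(value) + 2]) + value

def parse_access_request(packet):
    """Return the APN, MSISDN and IMSI carried in a RADIUS Access-Request."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length < 20 or length > len(packet):
        raise ValueError("not a well-formed Access-Request")
    found = {"apn": None, "msisdn": None, "imsi": None}
    pos = 20  # skip code, identifier, length and the 16-byte authenticator
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        value = packet[pos + 2:pos + a_len]
        if a_type == 30:                      # Called-Station-Id carries the APN
            found["apn"] = value.decode("utf-8")
        elif a_type == 31:                    # Calling-Station-Id carries the MSISDN
            found["msisdn"] = value.decode("utf-8")
        elif a_type == 26 and len(value) >= 4:  # Vendor-Specific wrapper
            vendor = struct.unpack("!I", value[:4])[0]
            sub = value[4:]
            while vendor == VENDOR_3GPP and len(sub) >= 2:
                v_type, v_len = sub[0], sub[1]
                if v_len < 2 or v_len > len(sub):
                    raise ValueError("bad 3GPP sub-attribute length")
                if v_type == 1:               # 3GPP-IMSI
                    found["imsi"] = sub[2:v_len].decode("utf-8")
                sub = sub[v_len:]
        pos += a_len
    return found

def build_sample():
    """Constructed Access-Request; every value here is made up for the example."""
    attrs = (attr(1, b"3gcard01")
             + attr(30, b"corp.example")
             + attr(31, b"61400000000")
             + attr(26, struct.pack("!I", VENDOR_3GPP) + attr(1, b"001010123456789")))
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print(parse_access_request(build_sample()))
```

Only the IMSI sits inside the Vendor-Specific (26) wrapper; the other two are plain IETF attributes and need no vendor dictionary to be read.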
06-21-2007 05:24 AM
Excellent, I think this helps. I'll set this up on our test ACS tomorrow and let you know.
Many thanks guys
Fedja