We have established a site-to-site VPN tunnel, but we are struggling with RADIUS setup. The problem is that the two sides of the tunnel use different vendor products. Our service provider uses Juniper's Steel Belted RADIUS, while we use Cisco ACS RADIUS.
I assume that is the reason why we cannot see the following RADIUS (3GPP) attributes:
Only ones we can see are:
RADIUS (3GPP) Attributes
but these are useless to us.
As it stands, we cannot have RADIUS authentication without these attributes appearing in our 3GPP RADIUS settings under Group Settings. The service provider, of course, is not willing to change theirs, so we have to change ours. Is there anything we can do within ACS to add them? Manually configure them by editing the .ini file? If yes, does anyone know what the values are?
Any other advice would be appreciated.
Please find attached the 3GPP vendor file to import in your ACS so you can configure the IMSI attribute as per requirement.
For instructions on how to import the file, please see:
Hope that helps!
Jagdeep, can you please tell me what values I need to enter for IMSI, MSISDN and APN-IDENTIFIER for them to appear in my 3GPP RADIUS attributes?
I would suggest you get the .ini (dictionary) file from the vendor for your device type/model, because they know their device well. After that you can load it on ACS to get the attributes that you want.
I am using the .ini file that Jagdeep suggested above, but the mentioned attributes are not showing up. I rang Cisco and they gave me the following information, but I am not an expert on RADIUS config and it does not make much sense to me:
Hi Fedja, my research shows that you need to set the following to be set on the
-> Calling-Station-ID (or RADIUS attribute #31)
Access Point Name (APN)
-> NAS-Identifier (ie, RADIUS Attribute # 32)
Anyone know what he's talking about?
Now the question that will arise is, why do we want to specify MSISDN, APN, IMSI. What is their significance? What will happen if we do not configure them?
OK, let me explain from the beginning:
We purchased 3G wireless cards which talk to our network via site-to-site VPN and authenticate via a RADIUS server. I was told by the provider that these attributes need to be matched on our side in order to use our RADIUS.
Have you tried some test authentication using 3G cards? What was the result?
As in most cases, RADIUS attributes 31 and 32 are sent to the RADIUS server by the NAS.
Can you setup a test lab and share results?
Thanks to rochopra,
I think I was right,
Both these attributes are IETF attributes. And it's only that 3GPP describes them as
MSISDN (mobile phone number) rather than Calling-Station-Id
APN name rather than Called-Station-Id
Above are not vendor specific attributes only,
3GPP-IMSI : IMSI (international mobile subscriber identity)
Is, which you already have in VSA loaded.
I would say give a lab test first and share the result.
In the attachment you can clearly see the following in Access-Request packet:
30 Called-Station-Id UTF-8 hexadecimal encoding APN name
31 Calling-Station-Id UTF-8 decimal encoding MSISDN (mobile phone number)
26/10415 3GPP Vendor-Specific
1 3GPP-IMSI UTF-8 hexadecimal encoding IMSI (international mobile subscriber identity)
These are being sent to the ACS server to request the authentication.
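Added example (not part of the thread, and not Cisco or Juniper code): a small Python parser that pulls Called-Station-Id (30), Calling-Station-Id (31), NAS-Identifier (32) and the 3GPP-IMSI sub-attribute (vendor 10415, type 1) out of a raw Access-Request, which is one way to confirm from a capture what the NAS actually sends before matching on it in ACS. The packet is constructed here; the APN, MSISDN and IMSI values and all function names are made up for the illustration.

```python
import struct

VENDOR_3GPP = 10415            # 3GPP vendor id, as in "26/10415" above
NAMES = {30: "Called-Station-Id", 31: "Calling-Station-Id", 32: "NAS-Identifier"}
NAMES_3GPP = {1: "3GPP-IMSI"}  # sub-attribute 1 inside the 3GPP VSA

def tlvs(buf):
    """Yield (type, value) from 1-byte-type / 1-byte-length TLVs (length covers the header)."""
    i = 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError(f"bad length {length} in attribute {t}")
        yield t, buf[i + 2:i + length]
        i += length

def parse_access_request(pkt):
    """Return {attribute name: text value} for the attributes discussed in the thread."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 1 or not 20 <= length <= len(pkt):
        raise ValueError("not a well-formed Access-Request")
    found = {}
    for t, val in tlvs(pkt[20:length]):
        if t == 26 and len(val) >= 4:                  # Vendor-Specific
            vendor = struct.unpack("!I", val[:4])[0]
            if vendor == VENDOR_3GPP:
                for vt, vval in tlvs(val[4:]):         # vendor sub-attributes
                    if vt in NAMES_3GPP:
                        found[NAMES_3GPP[vt]] = vval.decode("utf-8")
        elif t in NAMES:
            found[NAMES[t]] = val.decode("utf-8")
    return found

def attr(t, value):
    """Encode one TLV; also used for the sub-attribute inside the VSA."""
    return bytes([t, len(value) + 2]) + value

def build_sample():
    """Constructed Access-Request; APN, MSISDN and IMSI are made-up test values."""
    imsi_vsa = struct.pack("!I", VENDOR_3GPP) + attr(1, b"001010123456789")
    attrs = (attr(30, b"corp.example.apn") + attr(31, b"15555550100")
             + attr(26, imsi_vsa))
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    for name, value in parse_access_request(build_sample()).items():
        print(f"{name}: {value}")
```

Only the IMSI arrives inside the vendor-specific attribute; the APN and MSISDN arrive as plain IETF attributes 30 and 31, so they are matched as standard attributes rather than through the 3GPP dictionary.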