RADIUS/Diameter Protocol Interactions - Page 2

- If the RADIUS User-Password attribute is present, the password
must be unencrypted by using the link's RADIUS shared secret.
The unencrypted value must be forwarded in a User-Password AVP
using Diameter security.

- If the RADIUS CHAP-Password attribute is present, the Ident and
Data portion of the attribute are used to create the CHAP-Auth
grouped AVP.

- If the RADIUS message contains an address attribute, it MUST be
converted to the appropriate Diameter AVP and type.

- If the RADIUS message contains Tunnel information [RADTunnels],
the attributes or tagged groups should each be converted to a
Diameter Tunneling Grouped AVP set. If the tunnel information
contains a Tunnel-Password attribute, the RADIUS encryption
must be resolved, and the password forwarded, by using Diameter
security methods.

- If the RADIUS message received is an Accounting-Request, the
Acct-Status-Type attribute value must be converted to an
Accounting-Record-Type AVP value. If the Acct-Status-Type
attribute value is STOP, the local server MUST issue a
Session-Termination-Request message once the Diameter
Accounting-Answer message has been received.

- If the Accounting message contains an Acct-Termination-Cause
attribute, it should be translated to the equivalent
Termination-Cause AVP value. (see below)

- If the RADIUS message contains the Accounting-Input-Octets,
Accounting-Input-Packets, Accounting-Output-Octets, or
Accounting-Output-Packets, these attributes must be converted
to the Diameter equivalents. Further, if the Acct-Input-
Gigawords or Acct-Output-Gigawords attributes are present,
these must be used to properly compute the Diameter accounting
AVPs.

The corresponding Diameter response is always guaranteed to be
received by the same Translation Agent that translated the original
request, due to the contents of the Proxy-Info AVP group in the
Diameter request. The following steps are applied to the response
message during the Diameter-to-RADIUS translation:

- If the Diameter Command-Code is set to AA-Answer and the
Result-Code AVP is set to DIAMETER_MULTI_ROUND_AUTH, the
gateway must send a RADIUS Access-Challenge. This must have
the Origin-Host, Origin-Realm, and Diameter Session-Id AVPs
encapsulated in the RADIUS State attribute, with the prefix
"Diameter/", concatenated in the above order separated with "/"
characters, in UTF-8 [UTF-8]. This is necessary to ensure that
the Translation Agent receiving the subsequent RADIUS Access-
Request will have access to the Session Identifier and be able
to set the Destination-Host to the correct value. If the
Multi-Round-Time-Out AVP is present, the value of the AVP MUST
be inserted in the RADIUS Session-Timeout AVP.

- If the Command-Code is set to AA-Answer, the Diameter Session-
Id AVP is saved in a new RADIUS Class attribute whose format
consists of the string "Diameter/" followed by the Diameter
Session Identifier. This will ensure that the subsequent
Accounting messages, which could be received by any Translation
Agent, would have access to the original Diameter Session
Identifier.

- If a Proxy-State attribute was present in the RADIUS request,
the same attribute is added in the response. This information
may be found in the Proxy-Info AVP group, or in a local state
table.

- If state information regarding the RADIUS request was saved in
a Proxy-Info AVP or local state table, the RADIUS Identifier
and UDP IP Address and port number are extracted and used in
issuing the RADIUS reply.
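
The State and Class encodings described in the steps above, as an added example that is not part of the original text. The function names, the 253-octet check (the RADIUS attribute value limit) and the sample identifiers are assumptions made for illustration; the sample Session-Id deliberately contains a "/" in its optional part to show why the parser splits only twice.

```python
from typing import Optional, Tuple

PREFIX = "Diameter/"
MAX_VALUE = 253  # RADIUS Length is one octet: 255 minus the 2-octet header


def build_state(origin_host: str, origin_realm: str, session_id: str) -> bytes:
    """State value for an Access-Challenge: Diameter/host/realm/session-id."""
    for name, part in (("Origin-Host", origin_host), ("Origin-Realm", origin_realm)):
        if not part or "/" in part:
            raise ValueError(f"{name} must be non-empty and contain no '/'")
    if not session_id:
        raise ValueError("Session-Id must be non-empty")
    value = (PREFIX + "/".join((origin_host, origin_realm, session_id))).encode("utf-8")
    if len(value) > MAX_VALUE:
        raise ValueError("State value does not fit in one RADIUS attribute")
    return value


def parse_state(value: bytes) -> Optional[Tuple[str, str, str]]:
    """Return (host, realm, session_id), or None for a State without the prefix."""
    try:
        text = value.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not text.startswith(PREFIX):
        return None
    # Split only twice: everything after the realm belongs to the Session-Id.
    parts = text[len(PREFIX):].split("/", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError("malformed Diameter State value")
    return parts[0], parts[1], parts[2]


def build_class(session_id: str) -> bytes:
    """Class value for an Access-Accept: Diameter/ followed by the Session-Id."""
    value = (PREFIX + session_id).encode("utf-8")
    if not session_id or len(value) > MAX_VALUE:
        raise ValueError("Session-Id is empty or too long for a Class attribute")
    return value


def parse_class(value: bytes) -> Optional[str]:
    text = value.decode("utf-8", errors="replace")
    return text[len(PREFIX):] if text.startswith(PREFIX) and len(text) > len(PREFIX) else None


# Constructed sample identifiers.
SID = "gw1.example.net;1876543210;523;mobile/7"
STATE = build_state("aaa1.example.net", "example.net", SID)
```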

When translating a Diameter AA-Answer (with successful result code)
to RADIUS Access-Accept that contains a Session-Timeout or
Authorization-Lifetime AVP, take the following steps:

- If the Diameter message contains a Session-Timeout AVP but no
Authorization-Lifetime AVP, translate it to a Session-Timeout
attribute (not a Termination-Action).

- If the Diameter message contains an Authorization-Lifetime AVP
but no Session-Timeout AVP, translate it to a Session-Timeout
attribute and a Termination-Action set to AA-REQUEST. (Remove
Authorization-Lifetime and Re-Auth-Request-Type.)

- If the Diameter message has both, the Session-Timeout must be
greater than or equal to the Authorization-Lifetime (required
by [BASE]). Translate it to a Session-Timeout value (with
value from Authorization-Lifetime AVP, the smaller one) and
with the Termination-Action set to AA-REQUEST. (Remove the
Authorization-Lifetime and Re-Auth-Request-Type.)

accurate track on session-state information.
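
The three Session-Timeout and Authorization-Lifetime cases above, as an added example that is not part of the original text, carried through to the RADIUS attribute octets. The function names are hypothetical; the attribute types 27 and 29 and the Termination-Action value 1 come from RFC 2865, and mapping that value to the page's AA-REQUEST is an assumption of this sketch. Values are treated as plain second counts, with no special handling of 0.

```python
import struct
from typing import Dict, Optional

# RADIUS attribute types (RFC 2865).
TYPES = {"Session-Timeout": 27, "Termination-Action": 29}
AA_REQUEST = 1  # assumed mapping: RFC 2865 names this value RADIUS-Request


def timing_attributes(session_timeout: Optional[int] = None,
                      authorization_lifetime: Optional[int] = None) -> Dict[str, int]:
    """Pick the RADIUS timing attributes for a successful AA-Answer."""
    if authorization_lifetime is None:
        # Session-Timeout alone: pass it through, no Termination-Action.
        return {} if session_timeout is None else {"Session-Timeout": session_timeout}
    if session_timeout is not None and session_timeout < authorization_lifetime:
        # The page requires Session-Timeout >= Authorization-Lifetime.
        raise ValueError("Session-Timeout is smaller than Authorization-Lifetime")
    # Authorization-Lifetime alone, or both: the lifetime becomes the
    # Session-Timeout and the NAS is told to re-authenticate when it expires.
    return {"Session-Timeout": authorization_lifetime,
            "Termination-Action": AA_REQUEST}


def encode(attrs: Dict[str, int]) -> bytes:
    """Encode as RADIUS attributes: type, length 6, 32-bit big-endian value."""
    out = b""
    for name, value in attrs.items():
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError(f"{name} does not fit in 32 bits")
        out += struct.pack("!BBI", TYPES[name], 6, value)
    return out


if __name__ == "__main__":
    # Constructed values: a 3600 s session with a 600 s authorization lifetime.
    print(encode(timing_attributes(3600, 600)).hex())
```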

 
