Ruckus SZ™ 100 and vSZ-E™ AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 (GA) (SZ100/vSZ-E), Rev B, 2017-09-05
2017-09-05
User Manual: Ruckus SmartZone 3.5 (GA) AAA Interface Reference Guide (SZ100/vSZ-E)
Page Count: 134
Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials
AAA (RADIUS) Interface Reference Guide for SmartZone 3.5

Part Number: 800-71286-001 Rev B
Published: 05 September 2017
www.ruckuswireless.com

Contents

Copyright Notice and Proprietary Information
About this Guide
    Document Conventions
    Terminology
    Legend
    Definition of Data Types
    Related Documentation
    Online Training Resources
    References
1 EAP Full Authentication Overview
    EAP Full Authentication
        RADIUS Access Request [ID]
        RADIUS Access Challenge [EAP Request (SIM Start)]
        RADIUS Access Request [EAP Response (NONCE_MT)]
        RADIUS Access Challenge [EAP Request (RAND, MAC)]
        RADIUS Access Request [EAP Response (SRES)]
        RADIUS Access Accept [EAP Success (MSK)]
    EAP - Full Authentication – 3GPP Solution
        RADIUS Access Request [ID]
        RADIUS Access Challenge [EAP Request (SIM Start)]
        RADIUS Access Request [EAP Response (NONCE_MT)]
        RADIUS Access Challenge [EAP Request (RAND, MAC)]
        RADIUS Access Request [EAP Response (SRES)]
        RADIUS Access Accept [EAP Success (MSK)]
        Authorization Access Request
        Authorization Access Accept
    RADIUS Access Reject
2 Hotspot (WISPr) Authentication and Accounting Overview
    Hotspot (WISPr) Authentication Request
    Hotspot (WISPr) Authentication Response
    Hotspot (WISPr) Accounting Request [Start]
    Hotspot (WISPr) Accounting Request [Stop/Interim]
    Hotspot (WISPr) Accounting Response
3 Hotspot 2.0 Authentication
    SIM Based Authentication - Access Request
    R2 Device Access Authentication
        Access Request
        Access Response
    R2 Device Onboarding
    Hotspot 2.0 VSAs
4 AP Initiated Accounting Messages (PDG/LBO Sessions)
    Accounting Start Messages
    Accounting Interim Update and Stop Messages
    Accounting On Messages
    Accounting Off Messages
5 Dynamic Authorization and List of Vendor Specific Attributes - AAA Server Service Authorisation
        Change of Authorization (CoA) Messages - Not Set to Authorize Only
        Change of Authorization Acknowledge Messages (CoA Ack)
        Change of Authorization Negative Acknowledge Messages (CoA NAK)
        Disconnect Messages
        Acknowledgment of Disconnect Messages (DM Ack)
        Negative Acknowledge of Disconnect Messages (DM NAK)
        Disconnect Messages - Dynamic Authorization Client (AAA server)
    List of Vendor Specific Attributes
        WISPr Vendor Specific Attributes
        Ruckus Wireless Vendor Specific Attributes
A AP Roaming Scenarios
    Roaming from AP1 to AP2 - PMK / OKC Disabled
    Roaming from AP1 to AP2 - PMK / OKC Enabled
    AP1 to AP2 Connected to Different Controller Node - PMK / OKC Disabled
Use Cases

Copyright Notice and Proprietary Information

Destination Control Statement
Technical data contained in this publication may be subject to the export control laws of the United States of America. Disclosure to nationals of other countries contrary to United States law is prohibited. It is the reader’s responsibility to determine the applicable regulations and to comply with them.

Disclaimer
THIS DOCUMENTATION AND ALL INFORMATION CONTAINED HEREIN (“MATERIAL”) IS PROVIDED FOR GENERAL INFORMATION PURPOSES ONLY. RUCKUS AND ITS LICENSORS MAKE NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THE MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR THAT THE MATERIAL IS ERROR-FREE, ACCURATE OR RELIABLE. RUCKUS RESERVES THE RIGHT TO MAKE CHANGES OR UPDATES TO THE MATERIAL AT ANY TIME.

Limitation of Liability
IN NO EVENT SHALL RUCKUS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR USE, INCURRED BY YOU OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, ARISING FROM YOUR ACCESS TO, OR USE OF, THE MATERIAL.

Trademarks
Ruckus Wireless, Ruckus, the bark logo, BeamFlex, ChannelFly, Dynamic PSK, FlexMaster, Simply Better Wireless, SmartCell, SmartMesh, SmartZone, Unleashed, ZoneDirector and ZoneFlex are trademarks of Ruckus Wireless, Inc. in the United States and other countries. All other product or company names may be trademarks of their respective owners.

About this Guide

This SmartZone™ SZ100 and Virtual SmartZone Essentials (vSZ-E) AAA (RADIUS) Interface Reference Guide describes the interface between SZ100/vSZ-E (collectively referred to as “the controller” throughout this guide) and the Authentication, Authorization and Accounting (AAA) server. It describes the message flow between the controller and AAA for EAP-based full authentication, authorization, and accounting.

This guide is written for service operators and system administrators who are responsible for managing, configuring, and troubleshooting Ruckus Wireless devices. Consequently, it assumes a basic working knowledge of local area networks, wireless networking, and wireless devices.

NOTE If release notes are shipped with your product and the information there differs from the information in this guide, follow the instructions in the release notes.

Most user guides and release notes are available in Adobe Acrobat Reader Portable Document Format (PDF) or HTML on the Ruckus Wireless Support Web site at https://support.ruckuswireless.com/contact-us.

Document Conventions

Table 1: Text conventions and Table 2: Notice conventions list the text and notice conventions that are used throughout this guide.

Table 1: Text conventions

| Convention | Description | Example |
|---|---|---|
| message phrase | Represents information as it appears on screen | [Device Name] > |
| user input | Represents information that you enter | [Device Name] > set ipaddr 10.0.0.12 |
| user interface controls | Keyboard keys, software buttons, and field names | Click Start > All Programs |
| screen or page names | | Click Advanced Settings. The Advanced Settings page appears. |

Table 2: Notice conventions

| Notice type | Description |
|---|---|
| NOTE | Information that describes important features or instructions |
| CAUTION! | Information that alerts you to potential loss of data or potential damage to an application, system, or device |
| WARNING! | Information that alerts you to potential personal injury |

Terminology

The table lists the terms used in this guide.

Table 3: Terms used in this guide

| Terminology | Description |
|---|---|
| AAA | Authentication, Authorization, and Accounting |
| CHAP | Challenge Handshake Authentication Protocol |
| EAP | Extensible Authentication Protocol |
| EPS | Evolved Packet System |
| GGSN | Gateway GPRS Support Node |
| GSN | GPRS Support Node |
| HLR | Home Location Register |
| LCS | Location Services |
| MAP | Mobile Application Part |
| MTU | Maximum Transmission Unit |
| MWSG | Metro Wireless Security Gateway |
| OSU | Online Sign-Up |
| Passpoint | Hotspot 2.0 certification |
| PKI | Public Key Infrastructure |
| PDP | Packet Data Protocol |
| PPS-MO | Per Provider Subscription Management Object |
| R-WSG/WSG | Ruckus Wireless Security Gateway |
| Release1 Device | Hotspot 2.0 Release1 specification compliant device |
| Release 2 Device | Hotspot 2.0 Release 2 passpoint enabled device |
| RAC | Radio Access Controller |
| RADIUS | Remote Access Dial In User Service |
| TEID | Tunnel End Point Identifier |
| UE | User Equipment |
| WFA | Wi-Fi Alliance |

Legend

The table lists the legends/presence used in this guide.

Table 4: Legends used in this guide

| Legend/Presence | Description |
|---|---|
| M | Mandatory |
| O | Optional |
| C | Conditional |
| U | Indicates that the inclusion of the parameter is the choice of service-user |

Definition of Data Types

The table lists the data types used in this guide.

Table 5: Data Types Definition

| Data Type | Description |
|---|---|
| text | Printable, generally UTF-8 encoded (subset of 'string') |
| string | 0-253 octets |
| ipaddr | 4 octets in network byte order |
| integer | 32 bit value in big endian order (high byte first) |
| date | 32 bit value in big endian order - seconds since 00:00:00 GMT, Jan. 1, 1970. |
| ipv6addr | 16 octets in network byte order. |
| ipv6prefix | 18 octets in network byte order. |
| abinary | Ascend's binary filter format. |
| byte | 8 bit unsigned integer. |
| ether | 6 octets of hh:hh:hh:hh:hh:hh where 'h' is hex digits, upper or lowercase. |
| short | 16-bit unsigned integer. |
| octets | Raw octets, printed and input as hex strings. For example, 0x123456789abcdef. |

Related Documentation

For a complete list of documents that accompany this release, refer to the Release Notes.

Online Training Resources

To access a variety of online Ruckus Wireless training modules, including free introductory courses to wireless networking essentials, site surveys, and Ruckus Wireless products, visit the Ruckus Wireless Training Portal at: https://training.ruckuswireless.com.

References

The table lists the references used in this guide.

Table 6: References used in this guide

| Serial Number | Reference | Description |
|---|---|---|
| 1. | 3GPP TS 23.234 | 3GPP system to WLAN inter-working |
| 2. | 3GPP TS 33.234 | Wireless Local Area Network (WLAN) inter-working security |
| 3. | RFC 2865 | Remote authentication dial In user service (RADIUS) |
| 4. | RFC 2866 | RADIUS accounting |
| 5. | RFC 5176 | Dynamic authorization extensions to remote authentication dial In user service (RADIUS) |
| 6. | RFC 5580 | Carrying Location Objects in RADIUS and Diameter (August 2009) |
| 7. | WFA HS 2-0 | WFA HS 2-0 Technical Specification R2 PUBLIC DRAFT v5.00 (Specification for HS 2.0 R2) |

1 EAP Full Authentication Overview

This reference guide describes the interface between the controller and the AAA (Authentication, Authorization and Accounting) server. The RADIUS protocol is used for interfacing between Access Points (AP) and controller as well as between the controller and a third party AAA server. The controller acts as a RADIUS proxy for authentication and authorization.

This guide also describes the message flow between the controller and AAA for EAP based full authentication, authorization and accounting in the following sections. EAP-SIM is used as EAP message payload type but can be replaced with EAP-AKA without affecting call flows and RADIUS attributes except EAP-Message (79).

The controller supports two different call flows for authentication and authorization:

• A 3GPP standard based solution, where authentication and service authorization are performed separately.
• A proprietary solution where authentication and authorization are combined.

This guide lists all the interface messages and RADIUS VSAs used between the controller and AAA.

NOTE This guide does not provide design details of either the AAA server or the controller to handle interface requirements.

NOTE Refer to AP Roaming Scenarios appendix for various scenario cases.

NOTE Refer to the appendix Use Cases for flow details on NAS IP, accounting session identifier and filter identifier.

EAP Full Authentication

This is authentication and authorization combined together. In this call flow, the controller acts as an AAA proxy server. It does not initiate a separate access request message to perform service authorization. Parameters needed by the controller (TTG) to establish the GTP tunnel (QoS, Charging Characteristics, MSISDN) are expected in the access accept message from AAA. The figure shows the detailed call flow.
Figure 1: Combined authentication sequence diagram Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 10 EAP Full Authentication Overview EAP Full Authentication This section covers: • • • • • • RADIUS Access Request [ID] RADIUS Access Challenge [EAP Request (SIM Start)] RADIUS Access Request [EAP Response (NONCE_MT)] RADIUS Access Challenge [EAP Request (RAND, MAC)] RADIUS Access Request [EAP Response (SRES)] RADIUS Access Accept [EAP Success (MSK)] RADIUS Access Request [ID] The table lists the attribute details for the first message sent by the controller to the AAA server. NOTE When RFC 5580 is enabled for a WLAN, and the AAA server supports RFC 5580, location-related information is not conveyed in access requests. Instead, the exchange of location-related information is negotiated between the controller and the AAA server as stipulated in RFC 5580. Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 11 EAP Full Authentication Overview EAP Full Authentication Table 7: RADIUS access request attributes Attribute Attribute Presence Type ID Description User-Name 1 M String Indicates the name of the user to be authenticated. NAS-IP-Address 4 C Integer This attribute is the IP address of the AP which is serving the station or controller's control IP address, controller's management IP address and user defined value. NAS-Port 5 O Integer This attribute indicates the physical port number of the NAS which authenticates the user. The controller uses the association ID for the STA in the AP to represent this. Service-Type 6 O Integer Indicates the type of service based on the user request or the type of service to be provided. Framed MTU 12 O Integer Indicates the Maximum Transmission Unit (MTU) to be configured for the user, when it is not negotiated by some other means. 
Vendor-Specific 26 C Integer Vendor ID: Ruckus:25053 VSA: Ruckus-WLan-ID (4) VSA Length: 6 Reports the associated WLANs ID. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. 12 Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 EAP Full Authentication Overview EAP Full Authentication Attribute Attribute Presence Type ID Vendor-Specific 26 C Description Integer Vendor ID: Ruckus:25053 VSA: Ruckus-SCG-CBLADE-IP (7) VSA Length: 6 Reports the control plane IP address. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. Vendor-Specific 26 C Integer Vendor ID:Ruckus:25053 VSA: Ruckus-SCG-DBLADE-IP (8) VSA Length: 6 Reports the control plane IP address. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. Vendor-Specific 26 C String Vendor ID: Ruckus:25053 VSA: Ruckus-SSID (3) VSA Length: Variable Reports the associated WLANs SSID in access request and accounting packet. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 13 EAP Full Authentication Overview EAP Full Authentication Attribute Attribute Presence Type ID Description Vendor-Specific 26 Vendor ID: Ruckus:25053 C String VSA: Ruckus-Location (5) VSA Length: Variable Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. 14 Called Station ID 30 O String This attribute allows NAS to send the ID (BSSID), which is called by the user. It is MAC of the AP. It supports 2 types of values, namely BSSID:SSID, where BSSID is the MAC address of the WLAN on AP. 
The second value is APMAC:SSID, where APMAC is the MAC address of the AP.The letters in the MAC address are in uppercase.For example: 11-22-33-AA-BB-CC:SSID. Calling Station ID 31 M String Allows NAS to send the ID (UE MAC), which indicates as to who is calling this server. NAS-Identifier 32 C Integer NAS-IP-Address or NAS-Identifier attribute is mandatory in received messages. It supports 3 types of values, namely BSSID (MAC address of the WLAN on AP), APMAC (MAC address of AP) and user defined address (maximum length of 62). Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 EAP Full Authentication Overview EAP Full Authentication Attribute Attribute Presence Type ID Description Proxy-State 33 O Octets This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response. Acct-Session-ID 44 M Integer This attribute is a unique accounting identity to facilitate easy matching of start, interim and stop records in a log file. The start, interim and stop records for a given session must have the same Acct-Session-ID. NAS-Port-Type 61 M Integer Indicates the physical port type of NAS, which authenticates the user. Connect-Info 77 O String EAP Message 79 M Octets This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA). This attribute is sent from the NAS to indicate the nature of the user's connection. 
Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 15 EAP Full Authentication Overview EAP Full Authentication Attribute Attribute Presence Type ID Description Message Authenticator 80 M Octets This attribute is used in signing access requests for preventing spoofing of access requests using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet HMAC-MD5 (Type| Identifier | Length | Request Authenticator | Attributes). Chargeable User ID 89 M String This attribute sends a null value during authentication. Operator-Name 126 C String The attribute identifies the owner of the access network by the AAA server. It is encoded as per RFC 5580. NOTE This attribute is included only if the location delivery method is Out of Band as specified in RFC 5580 Location-Information 127 C Octets This is a composite attribute, which provides meta data about the location information. It is encoded as per RFC 5580. NOTE This attribute is included only if the location delivery method is Out of Band as specified in RFC 5580. 16 Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 EAP Full Authentication Overview EAP Full Authentication Attribute Attribute Presence Type ID Description Location-Data 128 This attribute contains the actual location information. It is encoded as per RFC 5580. M String NOTE This attribute is included only if the location delivery method is Out of Band as specified in RFC 5580. Basic-Location-Policy-Rules 129 C Octets This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. NOTE This attribute is included only if the location delivery method is Out of Band as specified in RFC 5580. 
Extended-Location-Policy-Rules 130 C Octets This attribute provides the extended privacy policy for the target whose location is specified.This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. NOTE This attribute is included only if the location delivery method is Out of Band as specified in RFC 5580. Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 17 EAP Full Authentication Overview EAP Full Authentication Attribute Attribute Presence Type ID Location-Capable 131 C Description Integer This attribute is sent in RADIUS access request during the authentication phase to indicate the AP's capability for providing the location. Encoded as per RFC 5580. NOTE This attribute is included only if location delivery method is not Out of Band. RADIUS Access Challenge [EAP Request (SIM Start)] The table lists the attribute details of the first message sent by the AAA to the controller, which is forwarded to the RADIUS client (access point). Table 8: RADIUS access challenge attributes 18 Attribute Attribute Presence Type ID Description State 24 O Octets This attribute is sent by the server to the client in an access-challenge message and must be sent unmodified from the client to the server in the new access request message - a reply to that challenge, if any. Proxy-State 33 C Octets This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access-challenge and accounting response. 
Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 EAP Full Authentication Overview EAP Full Authentication Attribute Attribute Presence Type ID Description EAP Message 79 M Octets This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA). Message Authenticator 80 M Octets This attribute is used in signing access requests for preventing spoofing of access requests using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet - HMAC-MD5 (Type| Identifier | Length | Request Authenticator | Attributes). Chargeable User ID 89 M String Basic-Location-Policy-Rules 129 C Octets This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. This attribute sends a null value during authentication. NOTE This attribute is expected from the AAA server in the initial request location delivery method mentioned in RFC 5580. Extended-Location-Polc i y-Rules 130 C Octets This attribute provides the extended privacy policy for the target whose location is specified.This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. NOTE This attribute is expected from the AAA server in the initial request location delivery method mentioned in RFC 5580. Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 19 EAP Full Authentication Overview EAP Full Authentication Attribute Attribute Presence Type ID Requested-Location-Info 132 M Description Integer This attribute is only used in messages sent by the AAA server towards the AP. Using this attribute the AAA server indicates its request for location information. Encoded as per RFC 5580. 
NOTE This attribute is expected from the AAA server in the initial request location delivery method mentioned in RFC 5580. RADIUS Access Request [EAP Response (NONCE_MT)] The table lists the attribute details of messages sent by the controller to the AAA server and responses received from the UEs. Table 9: RADIUS access request attributes 20 Attribute Attribute Presence Type ID Description User-Name 1 M String Indicates the name of the user to be authenticated. User-Password 2 C String This attribute indicates the password of the user to be authenticated. It is mandatory for PAP authentication. CHAP-Password 3 C String This attribute indicates the value provided by a CHAP user in response to the access-challenge. It is mandatory for CHAP authentication. NAS-IP-Address 4 C Integer This attribute is the IP address of the AP which is serving the station or controller's control IP address, controller's management IP address and user defined value. NAS-Port 5 O Integer This attribute indicates the physical port number of the NAS which authenticates the user. The controller uses the association ID for the STA in the AP to represent this. Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 EAP Full Authentication Overview EAP Full Authentication Attribute Attribute Presence Type ID Description Service-Type 6 O Integer Indicates the type of service based on the user request or the type of service to be provided. Framed MTU 12 O Integer Indicates the Maximum Transmission Unit (MTU) to be configured for the user, when it is not negotiated by some other means. State 24 O Octets This attribute is sent by the server to the client in an access-challenge message and must be sent unmodified from the client to the server in the new access request message - a reply to that challenge, if any. 
Vendor-Specific 26 C Integer Vendor ID: Ruckus:25053 VSA: Ruckus-SCG-CBLADE-IP (7) VSA Length: 6 Reports the control plane IP address. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. Vendor-Specific 26 C Integer Vendor ID: Ruckus:25053 VSA: Ruckus-SCG-DBLADE-IP (8) VSA Length: 6 Reports the data plane IP address. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. Vendor-Specific 26 C String Vendor ID: Ruckus:25053 VSA: Ruckus-SSID (3) VSA Length: Variable Reports the associated WLANs SSID in access request and accounting packet. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 21 EAP Full Authentication Overview EAP Full Authentication Attribute Attribute Presence Type ID Description Vendor-Specific 26 Vendor ID: Ruckus:25053 C String VSA: Ruckus-Location (5) VSA Length: Variable Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. 22 Called Station ID 30 O String This attribute allows NAS to send the ID (BSSID), which is called by the user. It is MAC of the AP. It supports 2 types of values, namely BSSID:SSID, where BSSID is the MAC address of the WLAN on AP. The second value is APMAC:SSID, where APMAC is the MAC address of the AP.The letters in the MAC address are in uppercase.For example: 11-22-33-AA-BB-CC:SSID. Calling Station ID 31 M String Allows NAS to send the ID (UE MAC), which indicates as to who is calling this server. NAS-Identifier 32 C Integer NAS-IP-Address or NAS-Identifier attribute is mandatory in received messages. It supports 3 types of values, namely BSSID (MAC address of the WLAN on AP), APMAC (MAC address of AP) and user defined address (maximum length of 62). 
Proxy-State 33 O Octets This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response. Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 EAP Full Authentication Overview EAP Full Authentication Attribute Attribute Presence Type ID Description Acct-Session-ID 44 M Integer This attribute is a unique accounting identity to facilitate easy matching of start, interim and stop records in a log file. The start, interim and stop records for a given session must have the same Acct-Session-ID. NAS-Port-Type 61 M Integer Indicates the physical port type of NAS, which authenticates the user. Connect-Info 77 O String EAP Message 79 M Octets This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA). Message Authenticator 80 M Octets This attribute is used in signing access requests for preventing spoofing of access requests using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet - HMAC-MD5 (Type| Identifier | Length | Request Authenticator | Attributes). Chargeable User ID 89 M String This attribute sends a null value during authentication. Operator-Name 126 C String The attribute identifies the owner of the access network by the AAA server. It is encoded as per RFC 5580. This attribute is sent from the NAS to indicate the nature of the user's connection. NOTE This attribute is included only if the location delivery method is Out of Band as specified in RFC 5580. 
| Location-Information | 127 | C | Octets | This is a composite attribute, which provides metadata about the location information. It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is Out of Band as specified in RFC 5580. |
| Location-Data | 128 | M | String | This attribute contains the actual location information. It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is the initial request as specified in RFC 5580. |
| Basic-Location-Policy-Rules | 129 | C | Octets | This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is the initial request as specified in RFC 5580. |
| Extended-Location-Policy-Rules | 130 | C | Octets | This attribute provides the extended privacy policy for the target whose location is specified. This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is the initial request as specified in RFC 5580. |
| Location-Capable | 131 | C | Integer | This attribute is sent in RADIUS access request during the authentication phase to indicate the AP's capability for providing the location. Encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is the initial request as specified in RFC 5580. |

RADIUS Access Challenge [EAP Request (RAND, MAC)]

The table lists the attribute details of messages sent by the AAA to the controller, which are forwarded to the RADIUS client (access point).

Table 10: RADIUS access challenge attributes

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| State | 24 | O | Octets | This attribute is sent by the server to the client in an access-challenge message and must be sent unmodified from the client to the server in the new access request message - a reply to that challenge, if any. |
| Proxy-State | 33 | C | Octets | This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response. |
| EAP Message | 79 | M | Octets | This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA). |
| Message Authenticator | 80 | M | Octets | This attribute is used in signing access requests for preventing spoofing of access requests using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet - HMAC-MD5 (Type \| Identifier \| Length \| Request Authenticator \| Attributes). |
| Chargeable User ID | 89 | M | String | This attribute sends a null value during authentication. |

RADIUS Access Request [EAP Response (SRES)]

The table lists the attribute details of messages sent by the controller to the AAA server.

Table 11: RADIUS access request attributes

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| User-Name | 1 | M | String | Indicates the name of the user to be authenticated. |
| User-Password | 2 | C | String | This attribute indicates the password of the user to be authenticated. It is mandatory for PAP authentication. |
| CHAP-Password | 3 | C | String | This attribute indicates the value provided by a CHAP user in response to the access-challenge. It is mandatory for CHAP authentication. |
| NAS-IP-Address | 4 | C | Integer | This attribute is the IP address of the AP serving the station, the controller's control IP address, the controller's management IP address, or a user-defined value. |
| NAS-Port | 5 | O | Integer | This attribute indicates the physical port number of the NAS which authenticates the user. The controller uses the association ID for the STA in the AP to represent this. |
| Service-Type | 6 | O | Integer | Indicates the type of service based on the user request or the type of service to be provided. |
| Framed MTU | 12 | O | Integer | Indicates the Maximum Transmission Unit (MTU) to be configured for the user, when it is not negotiated by some other means. |
| State | 24 | O | Octets | This attribute is sent by the server to the client in an access-challenge message and must be sent unmodified from the client to the server in the new access request message - a reply to that challenge, if any. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-WLan-ID (4); VSA Length: 6. Reports the associated WLAN's ID. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-CBLADE-IP (7); VSA Length: 6. Reports the control plane IP address. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-DBLADE-IP (8); VSA Length: 6. Reports the data plane IP address.
Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs.
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-SSID (3); VSA Length: Variable. Reports the associated WLAN's SSID in access request and accounting packet. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-Location (5); VSA Length: Variable. Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Called Station ID | 30 | O | String | This attribute allows NAS to send the ID (BSSID), which is called by the user. It is the MAC of the AP. It supports 2 types of values, namely BSSID:SSID, where BSSID is the MAC address of the WLAN on AP. The second value is APMAC:SSID, where APMAC is the MAC address of the AP. The letters in the MAC address are in uppercase. For example: 11-22-33-AA-BB-CC:SSID. |
| Calling Station ID | 31 | M | String | This attribute allows NAS to send the ID (UE MAC), which indicates who is calling this server. The value supported is STA's MAC address where the letters in the MAC address are in uppercase. For example: 11-22-33-AA-BB-CC. |
| NAS-Identifier | 32 | C | Integer | NAS-IP-Address or NAS-Identifier attribute is mandatory in received messages. It supports 3 types of values, namely BSSID (MAC address of the WLAN on AP), APMAC (MAC address of AP) and user defined address (maximum length of 62). |
| Proxy-State | 33 | O | Octets | This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response. |
| Acct-Session-ID | 44 | M | Integer | This attribute is a unique accounting identity to facilitate easy matching of start, interim and stop records in a log file. The start, interim and stop records for a given session must have the same Acct-Session-ID. |
| NAS-Port-Type | 61 | M | Integer | Indicates the physical port type of NAS, which authenticates the user. |
| Connect-Info | 77 | O | String | This attribute is sent from the NAS to indicate the nature of the user's connection. |
| EAP Message | 79 | M | Octets | This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA). |
| Message Authenticator | 80 | M | Octets | This attribute is used in signing access requests for preventing spoofing of access requests using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet - HMAC-MD5 (Type \| Identifier \| Length \| Request Authenticator \| Attributes). |
| Chargeable User ID | 89 | M | String | This attribute sends a null value during authentication. |

RADIUS Access Accept [EAP Success (MSK)]

The table lists the attribute details of messages sent by AAA to the controller, which are forwarded to the RADIUS client (access point) upon successful service authorization (see the next two messages). NAS calculates MSK using the MS-MPP-Send and MS-MPP-Recv attributes.

Table 12: RADIUS access accept attributes

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| User-Name | 1 | O | String | Indicates the name of the user to be authenticated. |
| Filter-Id | 11 | O | String | Represents the User Role name sent by AAA. This is used by SCG to map the received Group Role Name to the UTP profile and forward the corresponding ACL/rate limiting parameters to NAS. NAS enforces the UTP for the given user. Filter-Id might be included in access accept irrespective of a WISPr, 802.1x or HS 2.0 call. |
| Class | 25 | O | Integer | This attribute is sent by the server in access accept and client should include this attribute in accounting request without modification. |
| Chargeable User ID | 89 | C | Integer | This attribute is MSISDN or any chargeable user identity returned by the AAA server. This attribute is mandatory for TTG sessions only. |
| Vendor-Specific | 26 | O | String | Vendor ID: 3GPP: 10415; VSA: 3GPP-GPRS-Negotiated-QoS-Profile (5); VSA Length: Variable. This attribute carries the QoS value from AAA server. QoS from AAA is received from Ruckus defined VSA or from 3GPP defined VSA (3GPP-GPRS-Negotiated-QoS Profile). |
| Vendor-Specific | 26 | O | Integer | Vendor ID: WISPr: 14122; VSA: WISPr-Bandwidth-Max-UP (7); VSA Length: Variable. The attribute contains the maximum uplink value in bits per second. |
| Vendor-Specific | 26 | O | Integer | Vendor ID: WISPr: 14122; VSA: WISPr-Bandwidth-Max-DOWN (8); VSA Length: Variable. The attribute contains the maximum downlink value in bits per second. |
| Vendor-Specific | 26 | C | Charging characteristics | Vendor ID: Ruckus:25053; VSA: Ruckus-Charging-Charac (118); VSA Length: 4. Charging characteristics value, Octets are encoded according to TS 3GPP 32.215. This attribute carries the charging characteristics value, which is received from the AAA server. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-IMSI (102); VSA Length: Variable. BCD encoded IMSI of the subscriber. |
| Session-Timeout | 27 | O | Integer | This attribute sets the maximum number of seconds of service to be provided to the user before session termination. |
| Idle-Timeout | 28 | O | Integer | It sets the maximum number of consecutive seconds of idle connection allowed to the user, before the session gets terminated. |
| Termination-Action | 29 | O | Integer | This attribute indicates the action that NAS will take when the specified service completes. |
| Proxy-State | 33 | M | Octets | This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response. |
| Tunnel-Type | 64 | C | Integer | This attribute indicates the tunnel type for the access point. For example, tunnel type 13 is for VLAN. |
| Tunnel-Medium-Type | 65 | C | Integer | This attribute indicates the tunnel medium type for the access point. For example, tunnel type 06 is for IEEE_802. |
| EAP Message | 79 | M | Octets | This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA). |
| Message Authenticator | 80 | M | Octets | This attribute is used in signing access requests for preventing spoofing of access requests using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet - HMAC-MD5 (Type \| Identifier \| Length \| Request Authenticator \| Attributes). |
| Tunnel-Private-Group-ID | 81 | C | String | This attribute contains the dynamic VLAN ID as configured in the authentication profile. |
| Accounting-Interim-Interval | 85 | O | Integer | Indicates the number of seconds between each interim update for this specific session. If the value is blank, the configured default value is used as the accounting interim interval. |
| Chargeable User ID | 89 | M | String | This attribute sends a null value during authentication. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-Acct-Status (126); VSA Length: 4. Acct Stat is true(1) or false(0). The controller server uses this attribute on the access accept to indicate if the authenticator needs to send the accounting start for the current/specified client. |
| Vendor-Specific | 26 | O | Integer | Vendor ID: Microsoft: 311; VSA: MS-MPPE-Send-Key (16); VSA Length: Variable. This attribute contains a session key used by Microsoft Point-to-Point Encryption Protocol (MPPE). |
| Vendor-Specific | 26 | O | Integer | Vendor ID: Microsoft: 311; VSA: MS-MPPE-Recv-Key (17); VSA Length: Variable. This attribute contains a session key used by the Microsoft Point-to-Point Encryption Protocol (MPPE). |
| Vendor-Specific | 26 | C | Octets | Vendor ID: Ruckus:25053; VSA: Ruckus-APN-NI (104); VSA Length: Variable. This attribute carries the APN subscribed by the user. It contains only the network identifier (NI), which is part of the APN. The operator identifier part is stored separately in Ruckus-APN-OI. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-Session-Type (125); VSA Length: 6. Session type - TTG (2), Local-Breakout (3), Local-Breakout-AP (4), L3GRE (5), L2GRE (6), QinQL3 (7), PMIP (8). The controller server uses this attribute on the access-accept to indicate the forward policy of the specific UE. |
| Basic-Location-Policy-Rules | 129 | C | Octets | This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. NOTE: This attribute is expected from the AAA server in the initial request location delivery method as mentioned in RFC 5580. |
| Extended-Location-Policy-Rules | 130 | C | Octets | This attribute provides the extended privacy policy for the target whose location is specified. This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. NOTE: This attribute is expected from the AAA server in the initial request location delivery method as mentioned in RFC 5580. |
| Requested-Location-Info | 132 | M | Integer | This attribute is only used in messages sent by the AAA server towards the AP. Using this attribute the AAA server indicates its request for location information. Encoded as per RFC 5580.
NOTE: This attribute is expected from the AAA server in the initial request location delivery method as mentioned in RFC 5580.

EAP - Full Authentication – 3GPP Solution

In this call flow, EAP-SIM authentication is performed first. When the controller (acting as an AAA proxy) receives access accept from the AAA server, a separate access request is sent back to the AAA server to process a service authorization. The figure shows the detailed call flow.

Figure 2: 3GPP based solution sequence diagram

• RADIUS Access Request [ID]
• RADIUS Access Challenge [EAP Request (SIM Start)]
• RADIUS Access Request [EAP Response (NONCE_MT)]
• RADIUS Access Challenge [EAP Request (RAND, MAC)]
• RADIUS Access Request [EAP Response (SRES)]
• RADIUS Access Accept [EAP Success (MSK)]
• Authorization Access Request
• Authorization Access Accept

RADIUS Access Request [ID]

The table lists the attribute details of the first message sent by the controller to AAA.

NOTE: When RFC 5580 is enabled for a WLAN, and the AAA server supports RFC 5580, location-related information is not conveyed in access requests. Instead, the exchange of location-related information is negotiated between the controller and the AAA server as stipulated in RFC 5580.

Table 13: RADIUS access request attributes

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| User-Name | 1 | M | String | Indicates the name of the user for authentication. |
| NAS-IP-Address | 4 | C | Integer | This attribute is the IP address of the AP serving the station, the controller's control IP address, the controller's management IP address, or a user-defined value. |
| NAS-Port | 5 | O | Integer | This attribute indicates the physical port number of the NAS which authenticates the user. The controller uses the association ID for the STA in the AP to represent this. |
| Service-Type | 6 | O | Integer | Indicates the type of service based on the user request or the type of service to be provided. |
| Framed MTU | 12 | O | Integer | Indicates the Maximum Transmission Unit (MTU) to be configured for the user, when it is not negotiated by some other means. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-WLan-ID (4); VSA Length: 6. Reports the associated WLAN's ID. Ruckus VSAs are received only from Ruckus APs. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-CBLADE-IP (7); VSA Length: 6. Reports the control plane IP address. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-DBLADE-IP (8); VSA Length: 6. Reports the data plane IP address. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-SSID (3); VSA Length: Variable. Reports the associated WLAN's SSID in access request and accounting packet. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-Location (5); VSA Length: Variable. Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Called Station ID | 30 | O | String | This attribute allows NAS to send the ID (BSSID), which is called by the user.
It is the MAC of the AP. It supports 2 types of values, namely BSSID:SSID, where BSSID is the MAC address of the WLAN on AP. The second value is APMAC:SSID, where APMAC is the MAC address of the AP. The letters in the MAC address are in uppercase. For example: 11-22-33-AA-BB-CC:SSID.
| Calling Station ID | 31 | M | String | Allows NAS to send the ID (UE MAC), which indicates who is calling this server. |
| NAS-Identifier | 32 | C | String | NAS-IP-Address or NAS-Identifier attribute is mandatory in received messages. It supports 3 types of values, namely BSSID (MAC address of the WLAN on AP), APMAC (MAC address of AP) and user defined address (maximum length of 62). |
| Proxy-State | 33 | O | Octets | This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access-reject, access-challenge and accounting response. |
| Acct-Session-ID | 44 | M | String | This attribute is a unique accounting identity to facilitate easy matching of start, interim and stop records in a log file. The start, interim and stop records for a given session must have the same Acct-Session-ID. |
| NAS-Port-Type | 61 | M | Integer | Indicates the physical port type of NAS, which authenticates the user. |
| Connect-Info | 77 | O | String | This attribute is sent from the NAS to indicate the nature of the user's connection. |
| EAP Message | 79 | M | Octets | This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA). |
| Message Authenticator | 80 | M | Octets | This attribute is used in signing access requests for preventing spoofing of access requests using CHAP, ARAP or EAP authentication methods. It authenticates the whole RADIUS packet - HMAC-MD5 (Type \| Identifier \| Length \| Request Authenticator \| Attributes). |
| Chargeable User ID | 89 | M | String | This attribute sends a null value during authentication. |
| Operator-Name | 126 | C | String | The attribute identifies the owner of the access network by the AAA server. It is encoded as per RFC 5580. Note: This attribute is included only if the location delivery method is Out of Band as specified in RFC 5580. |
| Location-Information | 127 | C | Octets | This is a composite attribute, which provides metadata about the location information. It is encoded as per RFC 5580. Note: This attribute is included only if the location delivery method is Out of Band as specified in RFC 5580. |
| Location-Data | 128 | M | String | This attribute contains the actual location information. It is encoded as per RFC 5580. Note: This attribute is included only if the location delivery method is the initial request as specified in RFC 5580. |
| Basic-Location-Policy-Rules | 129 | C | Octets | This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. Note: This attribute is included only if the location delivery method is the initial request as specified in RFC 5580. |
| Extended-Location-Policy-Rules | 130 | C | Octets | This attribute provides the extended privacy policy for the target whose location is specified. This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580.
Note: This attribute is included only if the location delivery method is the initial request as specified in RFC 5580.
| Location-Capable | 131 | C | Integer | This attribute is sent in RADIUS access request during the authentication phase to indicate the AP's capability for providing the location. Encoded as per RFC 5580. Note: This attribute is included only if the location delivery method is not Out of Band as specified in RFC 5580. |

RADIUS Access Challenge [EAP Request (SIM Start)]

The table lists the attribute details of the messages sent by the AAA server to the controller and forwarded to the RADIUS client (NAS).

Table 14: RADIUS access challenge attributes

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| State | 24 | O | Octets | This attribute is sent by the server to the client in an access-challenge message and must be sent unmodified from the client to the server in the new access request message - a reply to that challenge, if any. |
| Proxy-State | 33 | O | Octets | This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access-reject, access-challenge and accounting response. |
| EAP Message | 79 | M | Octets | This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA). |
| Message Authenticator | 80 | M | Octets | This attribute is used for signing access requests to prevent spoofing of access requests using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet - HMAC-MD5 (Type \| Identifier \| Length \| Request Authenticator \| Attributes). |
| Chargeable User ID | 89 | M | String | This attribute sends a null value during authentication. |
| Basic-Location-Policy-Rules | 129 | C | Octets | This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. Note: This attribute is expected from the AAA server in the initial request location delivery method as mentioned in RFC 5580. |
| Extended-Location-Policy-Rules | 130 | C | Octets | This attribute provides the extended privacy policy for the target whose location is specified. This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. Note: This attribute is expected from the AAA server in the initial request location delivery method as mentioned in RFC 5580. |
| Requested-Location-Info | 132 | M | Integer | This attribute is only used in messages sent by the AAA server towards the AP. Using this attribute the AAA server indicates its request for location information. Encoded as per RFC 5580. Note: This attribute is expected from the AAA server in the initial request location delivery method mentioned in RFC 5580. |
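
Added example (not from the Ruckus guide or any Ruckus code): a Python check of the Message Authenticator attribute (80) as the tables describe it, HMAC-MD5 over Type | Identifier | Length | Request Authenticator | Attributes, together with decoding of the Ruckus VSAs (vendor ID 25053). The shared secret, packets and function names are constructed for illustration; keying the HMAC with the shared secret, zeroing the field while computing, and substituting the Request Authenticator when checking a response follow RFC 3579 and are not stated in this guide.

```python
import hashlib
import hmac
import struct

RUCKUS_VENDOR_ID = 25053            # "Vendor ID: Ruckus:25053" in the tables
VENDOR_SPECIFIC, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 26, 79, 80
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11


def parse_attributes(packet):
    """Return [(type, value_offset, value)], rejecting inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, pos + 2, bytes(packet[pos + 2:pos + a_len])))
        pos += a_len
    return attrs


def ruckus_vsas(packet):
    """Map Ruckus VSA number -> raw value for each Ruckus Vendor-Specific."""
    found = {}
    for a_type, _, value in parse_attributes(packet):
        if a_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id, vsa_type, vsa_len = struct.unpack("!IBB", value[:6])
        # VSA Length counts the VSA type and length octets, as in the tables
        if vendor_id == RUCKUS_VENDOR_ID and 2 <= vsa_len <= len(value) - 4:
            found[vsa_type] = value[6:4 + vsa_len]
    return found


def verify_message_authenticator(packet, secret, request_authenticator=None):
    """True only if exactly one 16-octet Message Authenticator verifies.

    For Access-Challenge/Accept/Reject pass the Request Authenticator of the
    matching Access-Request; it replaces header octets 4..19 before the HMAC.
    """
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return False
    macs = [(off, val) for t, off, val in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0][1]) != 16:
        return False                          # missing, duplicated or wrong size
    offset, received = macs[0]
    length = struct.unpack("!H", packet[2:4])[0]
    buf = bytearray(packet[:length])
    buf[offset:offset + 16] = bytes(16)       # field is zero while signing
    if request_authenticator is not None:
        if len(request_authenticator) != 16:
            return False
        buf[4:20] = request_authenticator
    expected = hmac.new(secret, bytes(buf), hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def attr(a_type, value):
    """Encode one attribute: type, length (value + 2), value."""
    return bytes([a_type, len(value) + 2]) + value


def ruckus_vsa(vsa_type, data):
    """Encode a Vendor-Specific (26) attribute carrying one Ruckus VSA."""
    header = struct.pack("!IBB", RUCKUS_VENDOR_ID, vsa_type, len(data) + 2)
    return attr(VENDOR_SPECIFIC, header + data)


def build(code, identifier, request_auth, attributes, secret):
    """Build a constructed sample packet with a valid Message Authenticator."""
    body = b"".join(attributes) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = body[:-16] + mac
    if code == ACCESS_REQUEST:
        return header + request_auth + body
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


# Constructed sample data: none of these values come from the guide.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
REQUEST = build(ACCESS_REQUEST, 7, REQ_AUTH, [
    attr(1, b"testuser"),                          # User-Name
    ruckus_vsa(3, b"lab-wlan"),                    # Ruckus-SSID (3), string
    ruckus_vsa(4, struct.pack("!I", 7)),           # Ruckus-WLan-ID (4), VSA Length 6
    attr(EAP_MESSAGE, b"\x02\x01\x00\x0d\x01testuser"),  # opaque EAP octets
], SECRET)
CHALLENGE = build(ACCESS_CHALLENGE, 7, REQ_AUTH, [
    attr(24, b"constructed-state"),                # State
    attr(EAP_MESSAGE, b"\x01\x02\x00\x08\x12\x0a\x00\x00"),  # opaque EAP octets
], SECRET)

if __name__ == "__main__":
    print("request ok:", verify_message_authenticator(REQUEST, SECRET))
    print("challenge ok:", verify_message_authenticator(CHALLENGE, SECRET, REQ_AUTH))
    print("ruckus VSAs:", ruckus_vsas(REQUEST))
```

A receiver that treats a `False` result as a silent discard, including the case where the attribute is absent, enforces the M (mandatory) presence the tables give for Message Authenticator on EAP exchanges.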

RADIUS Access Request [EAP Response (NONCE_MT)]

The table lists the attribute details for messages sent by the controller to the AAA server (response received from UE).

Table 15: RADIUS access request attributes

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| User-Name | 1 | M | String | Indicates the name of the user for authentication. |
| User-Password | 2 | C | String | This attribute indicates the password of the user to be authenticated. It is mandatory for PAP authentication. |
| CHAP-Password | 3 | C | String | This attribute indicates the value provided by a CHAP user in response to the access-challenge. It is mandatory for CHAP authentication. |
| NAS-IP-Address | 4 | C | Integer | This attribute is the IP address of the AP serving the station, the controller's control IP address, the controller's management IP address, or a user-defined value. |
| NAS-Port | 5 | O | Integer | This attribute indicates the physical port number of the NAS which authenticates the user. The controller uses the association ID for the STA in the AP to represent this. |
| Service-Type | 6 | O | Integer | Indicates the type of service based on the user request or the type of service to be provided. |
| Framed MTU | 12 | O | Integer | Indicates the Maximum Transmission Unit (MTU) to be configured for the user, when it is not negotiated by some other means. |
| State | 24 | O | Octets | This attribute is sent by the server to the client in an access-challenge message and must be sent unmodified from the client to the server in the new access request message - a reply to that challenge, if any. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-WLan-ID (4); VSA Length: 6. Reports the associated WLAN's ID. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-CBLADE-IP (7); VSA Length: 6. Reports the control plane IP address. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-DBLADE-IP (8); VSA Length: 6. Reports the data plane IP address. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-Location (5); VSA Length: Variable. Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-SSID (3); VSA Length: Variable. Reports the associated WLAN's SSID in access request and accounting packet. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Called Station ID | 30 | O | String | This attribute allows NAS to send the ID (BSSID), which is called by the user. It is the MAC of the AP. It supports 2 types of values, namely BSSID:SSID, where BSSID is the MAC address of the WLAN on AP. The second value is APMAC:SSID, where APMAC is the MAC address of the AP. The letters in the MAC address are in uppercase. For example: 11-22-33-AA-BB-CC:SSID. |
| Calling Station ID | 31 | M | String | Allows NAS to send the ID (UE MAC), which indicates who is calling this server. |
Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 45 EAP Full Authentication Overview EAP - Full Authentication – 3GPP Solution 46 Attribute Attribute Presence Type ID Description NAS-Identifier 32 C String NAS-IP-Address or NAS-Identifier attribute is mandatory in received messages. It supports 3 types of values, namely BSSID (MAC address of the WLAN on AP), APMAC (MAC address of AP) and user defined address (maximum length of 62). Proxy-State 33 O Octets This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access-reject, access-challenge and accounting response. Acct-Session-ID 44 M String This attribute is a unique accounting identity to facilitate easy matching of start, interim and stop records in a log file. The start, interim and stop records for a given session must have the same Acct-Session-ID. NAS-Port-Type 61 M Integer Indicates the physical port type of NAS, which authenticates the user. Connect-Info 77 O String This attribute is sent from the NAS to indicate the nature of the user's connection. EAP Message 79 M Octets This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA). Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 EAP Full Authentication Overview EAP - Full Authentication – 3GPP Solution Attribute Attribute Presence Type ID Description Message Authenticator 80 M Octets This attribute is used in signing access requests for preventing spoofing of access requests using CHAP, ARAP or EAP authentication methods. 
It authenticates this whole RADIUS packet - HMAC-MD5 (Type| Identifier | Length | Request Authenticator | Attributes). Chargeable User ID 89 M String This attribute sends a null value during authentication. Operator-Name 126 C String The attribute identifies the owner of the access network by the AAA server. It is encoded as per RFC 5580. NOTE This attribute is included only if the location delivery method is Out of Band as specified in RFC 5580. Location-Information 127 C Octets This is a composite attribute, which provides meta data about the location information. It is encoded as per RFC 5580. NOTE This attribute is included only if the location delivery method is Out of Band as specified in RFC 5580. Location-Data 128 M String This attribute contains the actual location information. It is encoded as per RFC 5580. NOTE This attribute is included only if the location delivery method is the initial request as specified in RFC 5580. Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 47 EAP Full Authentication Overview EAP - Full Authentication – 3GPP Solution Attribute Attribute Presence Type ID Basic-Location-Policy-Rules 129 C Octets Description This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. NOTE This attribute is included only if the location delivery method is the initial request as specified in RFC 5580. Extended-Location-Policy-Rules 130 C Octets This attribute provides the extended privacy policy for the target whose location is specified.This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. NOTE This attribute is included only if the location delivery method is the initial request as specified in RFC 5580. 
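The following Python code is an added example, not part of the Ruckus guide. It builds a constructed Access-Request, verifies its Message Authenticator (attribute 80) as HMAC-MD5 over the whole packet with the attribute's 16-octet value zeroed during the computation (RFC 3579), and decodes the Ruckus (vendor 25053) VSAs listed in the table above; the shared secret, attribute values and helper names are assumptions made for the example.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
VENDOR_SPECIFIC = 26
MESSAGE_AUTHENTICATOR = 80
RUCKUS_VENDOR_ID = 25053
# VSA numbers as listed in the attribute table of the guide.
RUCKUS_VSA_NAMES = {3: "Ruckus-SSID", 4: "Ruckus-WLan-ID", 5: "Ruckus-Location"}


def attr(attr_type, value):
    """Encode one RADIUS attribute as Type | Length | Value."""
    return bytes([attr_type, len(value) + 2]) + value


def vsa(vendor_id, vendor_type, value):
    """Encode a Vendor-Specific (26) attribute carrying one vendor sub-attribute."""
    body = struct.pack("!I", vendor_id) + bytes([vendor_type, len(value) + 2]) + value
    return attr(VENDOR_SPECIFIC, body)


def walk_attributes(packet):
    """Yield (type, value_offset, value); raise ValueError on a malformed packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    declared = struct.unpack("!H", packet[2:4])[0]
    if declared < 20 or declared > len(packet):
        raise ValueError("Length field does not match the datagram")
    pos = 20
    while pos < declared:
        if pos + 2 > declared:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > declared:
            raise ValueError("bad attribute length")
        yield attr_type, pos + 2, packet[pos + 2:pos + attr_len]
        pos += attr_len


def sign_access_request(secret, identifier, request_authenticator, attributes):
    """Build an Access-Request and fill in Message Authenticator as the last attribute."""
    body = attributes + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    unsigned = header + request_authenticator + body
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return unsigned[:-16] + mac


def verify_message_authenticator(secret, packet):
    """True only if exactly one well-formed attribute 80 is present and its HMAC matches.

    Valid for Access-Request packets; for replies the Request Authenticator of the
    matching request must be substituted into the header before hashing.
    """
    try:
        found = [(off, val) for t, off, val in walk_attributes(packet)
                 if t == MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(found) != 1 or len(found[0][1]) != 16:
        return False
    offset, received = found[0]
    declared = struct.unpack("!H", packet[2:4])[0]
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:declared]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def ruckus_vsas(packet):
    """Return {VSA name: raw value} for Vendor-Specific attributes with vendor ID 25053."""
    out = {}
    for attr_type, _, val in walk_attributes(packet):
        if attr_type != VENDOR_SPECIFIC or len(val) < 6:
            continue
        vendor_id = struct.unpack("!I", val[:4])[0]
        vendor_type, vendor_len = val[4], val[5]
        if vendor_id != RUCKUS_VENDOR_ID or vendor_len < 2 or 4 + vendor_len > len(val):
            continue
        out[RUCKUS_VSA_NAMES.get(vendor_type, f"vsa-{vendor_type}")] = val[6:4 + vendor_len]
    return out


# Constructed sample data (not captured traffic).
SECRET = b"constructed-shared-secret"
EAP_PAYLOAD = bytes([2, 1, 0, 10, 1]) + b"user1"  # EAP Response, id 1, length 10, type 1
SAMPLE = sign_access_request(
    SECRET, 7, bytes(range(16)),
    attr(1, b"user1")                                   # User-Name
    + attr(31, b"11-22-33-AA-BB-CC")                    # Calling Station ID
    + vsa(RUCKUS_VENDOR_ID, 4, struct.pack("!I", 12))   # Ruckus-WLan-ID, VSA length 6
    + vsa(RUCKUS_VENDOR_ID, 3, b"corp-wifi")            # Ruckus-SSID
    + attr(79, EAP_PAYLOAD),                            # EAP Message
)

if __name__ == "__main__":
    print("Message Authenticator valid:", verify_message_authenticator(SECRET, SAMPLE))
    print("Ruckus VSAs:", ruckus_vsas(SAMPLE))
```

A receiver that treats a missing, duplicated or mismatching Message Authenticator as a verification failure, as `verify_message_authenticator` does, rejects packets whose attributes were altered after signing.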
RADIUS Access Challenge [EAP Request (RAND, MAC)]

The table lists the attribute details for messages sent by the AAA server to the controller and forwarded to the RADIUS client NAS.

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| State | 24 | O | Octets | This attribute is sent by the server to the client in an access-challenge message and must be sent unmodified from the client to the server in the new access request message - a reply to that challenge, if any. |
| Proxy-State | 33 | O | Octets | This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access-reject, access-challenge and accounting response. |
| EAP Message | 79 | M | Octets | This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA). |
| Message Authenticator | 80 | M | Octets | This attribute is used in signing access requests for preventing spoofing of access requests using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet - HMAC-MD5 (Type \| Identifier \| Length \| Request Authenticator \| Attributes). |
| Chargeable User ID | 89 | M | String | This attribute sends a null value during authentication. |

RADIUS Access Request [EAP Response (SRES)]

The table lists the attribute details for messages sent by the controller to AAA.

Table 16: RADIUS access accept messages

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| User-Name | 1 | M | String | Indicates the name of the user for authentication. |
| User-Password | 2 | C | String | This attribute indicates the password of the user to be authenticated. It is mandatory for PAP authentication. |
| CHAP-Password | 3 | C | String | This attribute indicates the value provided by a CHAP user in response to the access-challenge. It is mandatory for CHAP authentication. |
| NAS-IP-Address | 4 | C | Integer | This attribute is the IP address of the AP which is serving the station or controller's control IP address, controller's management IP address and user defined value. |
| NAS-Port | 5 | O | Integer | This attribute indicates the physical port number of the NAS which authenticates the user. The controller uses the association ID for the STA in the AP to represent this. |
| Service-Type | 6 | O | Integer | Indicates the type of service based on the user request or the type of service to be provided. |
| Framed MTU | 12 | O | Integer | Indicates the Maximum Transmission Unit (MTU) to be configured for the user, when it is not negotiated by some other means. |
| State | 24 | O | Octets | This attribute is sent by the server to the client in an access-challenge message and must be sent unmodified from the client to the server in the new access request message - a reply to that challenge, if any. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053. VSA: Ruckus-WLan-ID (4). VSA Length: 6. Reports the associated WLAN's ID. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053. VSA: Ruckus-SCG-CBLADE-IP (7). VSA Length: 6. Reports the control plane IP address. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053. VSA: Ruckus-SCG-DBLADE-IP (8). VSA Length: 6. Reports the data plane IP address. Note: Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053. VSA: Ruckus-Location (5). VSA Length: Variable. Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053. VSA: Ruckus-SSID (3). VSA Length: Variable. Reports the associated WLAN's SSID in access request and accounting packet. Note: Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Calling Station ID | 30 | O | String | Allows NAS to send the ID (BSSID), which is called by the user. It is MAC of the AP. |
| Calling Station ID | 31 | M | String | Allows NAS to send the ID (UE MAC), which indicates as to who is calling this server. |
| NAS-Identifier | 32 | C | String | NAS-IP-Address or NAS-Identifier attribute is mandatory in received messages. It supports 3 types of values, namely BSSID (MAC address of the WLAN on AP), APMAC (MAC address of AP) and user defined address (maximum length of 62). |
| Proxy-State | 33 | O | Octets | This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access-reject, access-challenge and accounting response. |
| Acct-Session-ID | 44 | M | String | This attribute is a unique accounting identity to facilitate easy matching of start, interim and stop records in a log file. The start, interim and stop records for a given session must have the same Acct-Session-ID. |
| NAS-Port-Type | 61 | M | Integer | Indicates the physical port type of NAS, which authenticates the user. |
| Connect-Info | 77 | O | String | This attribute is sent from the NAS to indicate the nature of the user's connection. |
| EAP Message | 79 | M | Octets | This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA). |
| Message Authenticator | 80 | M | Octets | This attribute is used in signing access requests for preventing spoofing of access requests using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet - HMAC-MD5 (Type \| Identifier \| Length \| Request Authenticator \| Attributes). |
| Chargeable User ID | 89 | M | String | This attribute sends a null value during authentication. |
RADIUS Access Accept [EAP Success (MSK)]

The table lists the attribute details for messages sent by the AAA to the controller, which are forwarded to the RADIUS client (access point) upon successful service authorization (see the next two messages).

Table 17: RADIUS access request messages

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| User-Name | 1 | M | String | Indicates the name of the user for authentication. |
| Filter-Id | 11 | O | String | Represents the User Role name sent by AAA. This is used by SCG to map the received Group Role Name to the UTP profile and forward the corresponding ACL/rate limiting parameters to NAS. NAS enforces the UTP for the given user. Filter-Id might be included in access accept irrespective of a WISPr, 802.1x or HS 2.0 call. |
| Class | 25 | O | String | This attribute is sent by the server in access accept and the client should include this attribute in the accounting request without modification. |
| Vendor-Specific | 26 | O | Integer | Vendor ID: WISPr: 14122. VSA: WISPr-Bandwidth-Max-UP (7). VSA Length: Variable. The attribute contains the maximum uplink value in bits per second. |
| Vendor-Specific | 26 | O | Integer | Vendor ID: WISPr: 14122. VSA: WISPr-Bandwidth-Max-DOWN (8). VSA Length: Variable. The attribute contains the maximum downlink value in bits per second. |
| Vendor-Specific | 26 | M | Integer | Vendor ID: Microsoft 311. VSA: MS-MPPE-Send-Key (16). VSA Length: Variable. This attribute contains a session key used by Microsoft Point-to-Point Encryption Protocol (MPPE). |
| Vendor-Specific | 26 | M | Integer | Vendor ID: Microsoft 311. VSA: MS-MPPE-Recv-Key (17). VSA Length: Variable. This attribute contains a session key used by the Microsoft Point-to-Point Encryption Protocol (MPPE). |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053. VSA: Ruckus-IMSI (102). VSA Length: Variable. BCD encoded IMSI of the subscriber. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053. VSA: Ruckus-Session-Type (125). VSA Length: 6. Session Type - TTG (2), Local-Breakout (3), Local-Breakout-AP (4), L3oGRE (5), L2oGRE (6), QinQL3 (7), PMIP (8). The controller server uses this attribute on the access-accept to indicate the forward policy of the specific UE. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053. VSA: Ruckus-Acct-Status (126). VSA Length: 6. Acct Stat is true (1) or false (0). The controller server uses this attribute on the access accept to indicate if the authenticator needs to send the accounting start for the current/specified client. |
| Session-Timeout | 27 | O | Integer | This attribute sets the maximum number of seconds of service to be provided to the user before termination of the session. |
| Idle-Timeout | 28 | O | Integer | It sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session. |
| Termination-Action | 29 | O | Integer | Indicates the action that NAS will take when the specified service is completed. |
| Proxy-State | 33 | O | Octets | This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response. |
| Tunnel-Type | 64 | C | Integer | This attribute indicates the tunnel type for the access point. For example, tunnel type 13 is for VLAN. |
| Tunnel-Medium-Type | 65 | C | Integer | This attribute indicates the tunnel medium type for the access point. For example, tunnel type 06 is for IEEE_802. |
| EAP Message | 79 | M | Octets | This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA). |
| Message Authenticator | 80 | M | String | This attribute is used in signing access requests for preventing spoofing of access requests using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet - HMAC-MD5 (Type \| Identifier \| Length \| Request Authenticator \| Attributes). |
| Tunnel-Private-Group-ID | 81 | C | String | This attribute contains the dynamic VLAN ID as configured in the authentication profile. |
| Accounting-Interim-Interval | 85 | O | Integer | Indicates the number of seconds between each interim update for this specific session. If the value is blank, the configured default value is used as the accounting interim interval. |
| Basic-Location-Policy-Rules | 129 | C | Octets | This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. NOTE: This attribute is expected from the AAA server if the location delivery method is accounting request as specified in RFC 5580. |
| Extended-Location-Policy-Rules | 130 | C | Octets | This attribute provides the extended privacy policy for the target whose location is specified. This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. NOTE: This attribute is expected from the AAA server if the location delivery method is accounting request as specified in RFC 5580. |
| Requested-Location-Info | 132 | M | Integer | This attribute is only used in messages sent by the AAA server towards the AP. Using this attribute the AAA server indicates its request for location information. Encoded as per RFC 5580. NOTE: This attribute is expected from the AAA server if the location delivery method is accounting request as specified in RFC 5580. |

Authorization Access Request

The authorization procedure starts after successful authentication only. Messages are initiated from the controller. The table lists the attribute details for messages sent by the controller to the AAA server.

Table 18: Authorisation Access request attributes

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| User-Name | 1 | M | String | Indicates the name of the user to be authenticated. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus VSA: 25053. VSA: Ruckus-SGSN-Number (124). VSA Length: Variable. AAA uses this attribute to populate the MAP update GPRS location. E.164 address of SGSN (controller). Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053. VSA: Ruckus-SSID (3). VSA Length: Variable. Reports the associated WLAN's SSID in access request and accounting packet. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053. VSA: Ruckus-Location (5). VSA Length: Variable. Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| NAS-Identifier | 32 | C | Integer | NAS-IP-Address or NAS-Identifier attribute is mandatory in received messages. It supports 3 types of values, namely BSSID (MAC address of the WLAN on AP), APMAC (MAC address of AP) and user defined address (maximum length of 62). |
| Proxy-State | 33 | O | Octets | This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response. |
| Chargeable User ID | 89 | M | String | This attribute sends a null value during authentication. |

Authorization Access Accept

The authorization procedure starts only after successful authorization, where messages are sent by AAA to the controller. Information received from AAA is used in setting the GTP tunnel towards the GGSN (APN, QoS and Charging Characteristics). The table lists the attribute details for messages sent by the AAA server to the controller.

Table 19: Authorization access accept attributes

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| User-Name | 1 | O | String | Indicates the name of the user for authentication. |
| Filter-Id | 11 | O | String | Represents the User Role name sent by AAA. This is used by SCG to map the received Group Role Name to the UTP profile and forward the corresponding ACL/rate limiting parameters to NAS. NAS enforces the UTP for the given user. Filter-Id might be included in access accept irrespective of a WISPr, 802.1x or HS 2.0 call. |
| Vendor-Specific | 26 | O | Integer | Vendor ID: WISPr: 14122. VSA: WISPr-Bandwidth-Max-UP (7). VSA Length: Variable. The attribute contains the maximum uplink value in bits per second. |
| Vendor-Specific | 26 | O | Integer | Vendor ID: WISPr: 14122. VSA: WISPr-Bandwidth-Max-DOWN (8). VSA Length: Variable. The attribute contains the maximum downlink value in bits per second. |
| Vendor-Specific | 26 | O | Octets | Vendor ID: Ruckus: 25053. VSA: Ruckus-APN-NI (104). VSA Length: Variable. This attribute carries the APN subscribed by the user. It contains only the network identifier (NI), which is part of the APN. The operator identifier part is stored separately in Ruckus-APN-OI. |
| Vendor-Specific | 26 | O | String | Vendor ID: 3GPP: 10415. VSA: 3GPP-GPRS-Negotiated-QoS-Profile (5). VSA Length: Variable. This attribute carries the QoS value from AAA server. QoS from AAA is received from Ruckus defined VSA or from 3GPP defined VSA (3GPP-GPRS-Negotiated-QoS Profile). |
| Vendor-Specific | 26 | O | Charging characteristics | Vendor ID: Ruckus: 25053. VSA: Ruckus-Charging-Charac (118). VSA Length: 4. Charging characteristics value, octets are encoded according to TS 3GPP 32.215. This attribute carries the charging characteristics value, which is received from the AAA server. |
| Session-Timeout | 27 | O | Integer | This attribute de-authenticates the UE when the session time expires. |
| Proxy-State | 33 | O | Octets | This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response. |
| Accounting-Interim-Interval | 85 | O | Integer | Indicates the number of seconds between each interim update for this specific session. If the value is blank, the configured default value is used as the accounting interim interval. |
| Chargeable User ID | 89 | M | String | This attribute sends a null value during authentication. |

RADIUS Access Reject

The table lists the attribute details of access reject messages (failure scenarios) sent by the AAA in case of unsuccessful authentication or authorization. The controller can also initiate access reject towards NAS, based on certain use cases.

Table 20: RADIUS access reject attributes

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| Reply-Message | 18 | O | Integer | Indicates the text, which could be displayed to the user. |
| EAP Message | 79 | C | Octets | This attribute encapsulates Extensible Authentication Protocol (EAP) packets, which allows NAS to authenticate dial-in users via EAP, without having to understand the EAP protocol (EAP payload, EAP-SIM or EAP-AKA). |
| Message Authenticator | 80 | C | Octets | This attribute is used for signing access requests for preventing spoofing of access requests using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet - HMAC-MD5 (Type \| Identifier \| Length \| Request Authenticator \| Attributes). This attribute is available only for EAP failures. |

2 Hotspot (WISPr) Authentication and Accounting Overview

Hotspot (WISPr) authentication starts after a user has entered his or her logon credentials (user name and password) on the subscriber portal logon page.
After this, the northbound portal interface initiates an access request message to process a service authorization. Additional parameters can be provided by the AAA server in the access accept message. These parameters define the limitations and behavior of a specific user, such as session timeout, grace period and idle timeout. The figure shows the detailed call flow.

Figure 3: Hotspot (WISPr) call flow

This section covers:
• Hotspot (WISPr) Authentication Request
• Hotspot (WISPr) Authentication Response
• Hotspot (WISPr) Accounting Request [Start]

Hotspot (WISPr) Authentication Request

The table lists the attribute details of messages sent by the controller to Hotspot (WISPr).

NOTE: These attributes are sent in the Access-Request only if Client Fingerprinting is enabled. To enable this option in the controller web interface navigate to Access Points > Zone Tab > WLANs > Advanced Options > Select Enable Client Fingerprinting.

Figure 4: Enable Client Fingerprinting

Table 21: Hotspot (WISPr) authentication request attributes

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| User-Name | 1 | M | String | This attribute is the logon user name. |
| User-Password | 2 | C | String | This attribute indicates the password of the user to be authenticated. This attribute is mandatory for PAP authentication. |
| CHAP-Password | 3 | M | String | Indicates the value provided by a CHAP user in response to the access-challenge. It is mandatory for CHAP authentication. |
| NAS-IP-Address | 4 | C | IP Address | This attribute contains the controller management IP address. |
| Service-Type | 6 | O | Integer | This attribute has the value 1 (login). |
| Framed-IP-Address | 8 | O | IP Address | This attribute is STA's IP address. |
| Framed MTU | 12 | O | Integer | Indicates the Maximum Transmission Unit (MTU) to be configured for the user, when it is not negotiated by some other means. NOTE: The attribute will not be available if the MTU size is set to auto in the WLAN configuration page of the controller Web interface. |
| Vendor-Specific | 26 | O | Integer | Vendor ID: WISPr: 14122. Vendor Type: 1. VSA: WISPr-Location-ID. VSA Length: Variable. This attribute is a configurable value in the hotspot (WISPr) user interface. |
| Vendor-Specific | 26 | O | Integer | Vendor ID: WISPr: 14122. Vendor Type: 2. VSA: WISPr-Location-Name. VSA Length: Variable. This attribute is a configurable value in the hotspot (WISPr) user interface. |
| Vendor-Specific | 26 | O | Integer | Vendor ID: WISPr: 14122. Vendor Type: 3. VSA: WISPr-Logoff-URL. VSA Length: Variable. This attribute indicates the hotspot (WISPr) service logout URL. |
| Vendor-Specific | 26 | O | String | Vendor ID: Ruckus. Vendor Type: 3. VSA: Ruckus-Client-Host-name. VSA Length: 138. This attribute reports the configured client host name. |
| Vendor-Specific | 26 | O | String | Vendor ID: Ruckus. Vendor Type: 3. VSA: Ruckus-Client-Os-Type. VSA Length: 139. This attribute reports the Client OS Type. |
| Vendor-Specific | 26 | O | String | Vendor ID: Ruckus. Vendor Type: 3. VSA: Ruckus-Client-Os-Class. VSA Length: Variable. This attribute reports the client OS class. |
| Vendor-Specific | 26 | O | String | Vendor ID: WISPr: 25053. Vendor Type: 3. VSA: Ruckus-SSID (3). VSA Length: Variable. Reports the associated WLAN's SSID in the access request and accounting packet. Ruckus VSA is received only from Ruckus AP. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053. VSA: Ruckus-Zone-ID (127). VSA Length: 6. Reports the zone ID to which the 3rd party AP is associated. This VSA is received only for 3rd party APs. |
| Called Station ID | 30 | M | Integer | This attribute allows NAS to send the ID (BSSID), which is called by the user. It is MAC of the AP. It supports 2 types of values, namely BSSID:SSID, where BSSID is the MAC address of the WLAN on AP. The second value is APMAC:SSID, where APMAC is the MAC address of the AP. The letters in the MAC address are in uppercase. For example: 11-22-33-AA-BB-CC:SSID. |
| Calling Station ID | 31 | M | String | STA's MAC address where the letters in the MAC address are in uppercase. For example, 11-22-33-AA-BB-CC. |
| NAS-Identifier | 32 | C | Integer | This attribute contains a string identifying the NAS originating the access request. It supports 3 types of values for BSSID (MAC address of the WLAN on AP). APMAC (MAC address of AP) is a user defined attribute where the maximum length is 62. This attribute can also be configured as per the configuration specified on the WLAN configuration page of the controller web interface. |
| Chap-Challenge | 60 | M | String | This attribute contains the chap challenge sent by NAS to a PPP CHAP user. |
| NAS-Port-Type | 61 | O | Integer | This attribute indicates the physical port type of the NAS, which authenticates the user. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus: 2503. Vendor Type: 9. VSA: VLAN-ID. VSA Length: Variable. This attribute value is as per the configuration specified on the WLAN configuration page of the controller web interface. |
| Operator-Name | 126 | C | String | The attribute identifies the owner of the access network by the AAA server. It is encoded as per RFC 5580. NOTE: This attribute is included in the first access request when the location delivery method is Out of Band. If the location delivery method is the initial request then the subsequent access request is included in this parameter - as specified in RFC 5580. |
| Location-Information | 127 | C | Octets | This is a composite attribute, which provides meta data about the location information. It is encoded as per RFC 5580. NOTE: This attribute is included in the first access request when the location delivery method is Out of Band. If the location delivery method is the initial request then the subsequent access request is included in this parameter - as specified in RFC 5580. |
| Location-Data | 128 | M | String | This attribute contains the actual location information. It is encoded as per RFC 5580. NOTE: This attribute is included in the first access request when the location delivery method is Out of Band. If the location delivery method is the initial request then the subsequent access request is included in this parameter - as specified in RFC 5580. |
| Basic-Location-Policy-Rules | 129 | M | String | This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. NOTE: This attribute is included in the first access request when the location delivery method is Out of Band. If the location delivery method is the initial request then the subsequent access request is included in this parameter - as specified in RFC 5580. |
| Extended-Location-Policy-Rules | 130 | C | Octets | This attribute provides the extended privacy policy for the target whose location is specified. This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. NOTE: This attribute is included in the first access request when the location delivery method is Out of Band. If the location delivery method is the initial request then the subsequent access request is included in this parameter - as specified in RFC 5580. |
| Location-Capable | 131 | C | Integer | This attribute is sent in RADIUS access request during the authentication phase to indicate the AP's capability for providing the location. Encoded as per RFC 5580. NOTE: This attribute is included only if the location delivery method is the initial request or accounting request as specified in RFC 5580. |

NOTE: Acct-Session-Id shall be optionally included in the WISPr Access Request by Ruckus AP if Accounting is disabled in the UI.

Hotspot (WISPr) Authentication Response

The table lists the attribute details of messages sent by the Hotspot (WISPr) module to the controller.

Table 22: Hotspot (WISPr) authentication request attributes

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| Filter-Id | 11 | O | String | Represents the User Role name sent by AAA. This is used by SCG to map the received Group Role Name to the UTP profile and forward the corresponding ACL/rate limiting parameters to NAS. NAS enforces the UTP for the given user. Filter-Id might be included in access accept irrespective of a WISPr, 802.1x or HS 2.0 call. |
| Class | 25 | O | Integer | This attribute is sent by the server in access accept and the client should include this attribute in the accounting request without any modification. |
| Vendor-Specific | 26 | O | Integer | Vendor ID: WISPr: 14122. VSA: WISPr-Bandwidth-Max-UP (7). VSA Length: Variable. The attribute contains the maximum uplink value in bits per second. |
| Vendor-Specific | 26 | O | Integer | Vendor ID: WISPr: 14122. VSA: WISPr-Bandwidth-Max-DOWN (8). VSA Length: Variable. The attribute contains the maximum downlink value in bits per second. |
| Vendor-Specific | 26 | O | Integer | Vendor ID: Ruckus: 25053. Vendor Type: 7. VSA: Ruckus-Grace-Period. VSA Length: Variable. This attribute is the grace period in hotspot (WISPr) WLANs. |
| Session-Timeout | 27 | O | Integer | This attribute de-authenticates the UE when the session time expires. |
| Idle-Timeout | 28 | O | Integer | This attribute sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session. |
| Accounting-Interim-Interval | 85 | O | Integer | Indicates the number of seconds between each interim update for this specific session. If the value is blank, the configured default value is used as the accounting interim interval. |
| Basic-Location-Policy-Rules | 129 | M | String | This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. NOTE: This attribute is expected from the AAA server in the initial request location delivery method as mentioned in RFC 5580. |
| Extended-Location-Policy-Rules | 130 | C | Octets | This attribute provides the extended privacy policy for the target whose location is specified. This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. NOTE: This attribute is expected from the AAA server in the initial request location delivery method as mentioned in RFC 5580. |
| Requested-Location-Info | 132 | M | Integer | This attribute is only used in messages sent by the AAA server towards the AP. Using this attribute the AAA server indicates its request for location information. Encoded as per RFC 5580. NOTE: This attribute is expected from the AAA server in the initial request location delivery method as mentioned in RFC 5580. |

Hotspot (WISPr) Accounting Request [Start]

The table lists the attribute details of messages sent by the controller to the Hotspot (WISPr) module.

Table 23: Hotspot (WISPr) accounting request (start) attributes

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| User-Name | 1 | M | String | This attribute is the logon user name. |
| NAS-IP-Address | 4 | C | IP Address | This attribute is the IP address of the AP which is serving the station or controller's control IP address, controller's management IP address and user defined value. |
| NAS-Port | 5 | O | Integer | This attribute is the AID value. |
| Framed-IP-Address | 8 | O | IP Address | This attribute is STA's IP address. |
| Class | 25 | O | Integer | This attribute is sent by the server in access accept and the client should include this attribute in the accounting request without modification. |
Vendor-Specific 26 O Integer Vendor ID: WISPr: 14122 Vendor Type: 1 VSA: WISPr-Location-ID VSA Length: Variable This attribute is a configurable value in the hotspot (WISPr) user interface. 70 Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 Hotspot (WISPr) Authentication and Accounting Overview Hotspot (WISPr) Accounting Request [Start] Attribute Attribute Presence Type Description ID Vendor-Specific 26 O Integer Vendor ID: WISPr: 14122 Vendor Type: 2 VSA: WISPr-Location-Name VSA Length: Variable This attribute is a configurable value in the hotspot (WISPr) user interface. Vendor-Specific 26 O Integer Vendor ID: Ruckus: 25053 Vendor Type: 2 VSA: Ruckus-STA-RSSI (2) VSA Length: Variable This attribute can only be present with Acct-Status-Type = Interim or Stop. Vendor-Specific 26 O String Vendor ID: Ruckus: 25053 Vendor Type: 3 VSA: Ruckus-SSID (3) VSA Length: Variable Reports the associated WLANs SSID in the access request and accounting packet, Ruckus VSA is received only from Ruckus AP. Vendor-Specific 26 O String Vendor ID: Ruckus: 25053 Vendor Type: 5 VSA: Ruckus-Location VSA Length: Variable Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 71 Hotspot (WISPr) Authentication and Accounting Overview Hotspot (WISPr) Accounting Request [Start] Attribute Attribute Presence Type Description ID Vendor-Specific 26 O Integer Vendor ID: Ruckus: 25053 Vendor Type: 7 VSA: Ruckus-SCG-CBLADE-IP VSA VSA Length: 6 This attribute indicate the control plane IP address that is being used. 
Vendor-Specific 26 O Integer Vendor ID: Ruckus: 25053 Vendor Type: 8 VSA: Ruckus-SCG-DBLADE-IP VSA VSA Length: 6 This attribute value is observed by NBI, when the GRE tunnel is set up. 72 Called Station ID 30 M Integer This attribute allows NAS to send the ID (BSSID), which is called by the user. It is MAC of the AP. It supports 2 types of values, namely BSSID:SSID, where BSSID is the MAC address of the WLAN on AP. The second value is APMAC:SSID, where APMAC is the MAC address of the AP.The letters in the MAC address are in uppercase.For example: 11-22-33-AA-BB-CC:SSID Calling Station ID 31 M String STA’s MAC address the letters in the MAC address are in uppercase. For example, 11-22-33-AA-BB-CC. NAS-Identifier 32 C Integer This attribute contains a string identifying the NAS originating the access request. It supports 3 types of values for BSSID (MAC address of the WLAN on AP). APMAC (MAC address of AP) is a user defined attribute where the maximum length is 62. This attribute can also be configured as per the configuration specified on the WLAN configuration page of the controller web interface. Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 Hotspot (WISPr) Authentication and Accounting Overview Hotspot (WISPr) Accounting Request [Start] Attribute Attribute Presence Type Description ID Proxy-State 33 O Octets This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response. Acct-Status-Type 40 M Integer This attribute has the following values where 1 is Start, 2 is Stop, 3 is Interim, 7 are On and 8 are Off. Acct-Delay-Time 41 C Integer This attribute can only be seen in accounting retry packets. This is a configurable option and by default this attribute is disabled. 
Acct-Session-ID 44 M Integer This attribute is a unique accounting identity to facilitate easy matching of start, interim and stop records in a log file. The start, interim and stop records for a given session must have the same Acct-Session-ID. Acct-Authentic 45 M Integer This attribute value in EAP 802.1X-Auth and hotspot (WISPr) is: 1 for RADIUS-Auth and 2 for MAC-Auth local. Acct-Session-Time 46 M Integer This attribute can only be present with Acct-Status-Type = Interim, Stop. Acct-Termni ate-Cause 49 M Integer This attribute can only be present with Acct-Status-Type = Stop. Acct-Mutl-iSesso i n-ID 50 O Integer This attribute is hand-off between APs, which triggers new accounting session (stop followed by start) with different session identifiers. Acct-Multi-Session-ID retains the same ID to tie multiple sessions. Acct-Link-Count 51 O Integer Count of links in a multi-link session, when an accounting record is generated. Event-Timestamp 55 O Integer This attribute is included in the Accounting-Request packet to record the time that this event occurred on NAS. For example, in seconds since January 1, 2013 00:00 UTC. NAS-Port-Type 61 O Integer This attribute indicates the physical port type of the NAS, which authenticates the user. Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 73 Hotspot (WISPr) Authentication and Accounting Overview Hotspot (WISPr) Accounting Request [Stop/Interim] Attribute Attribute Presence Type Description ID Connect-Info 77 O String This attribute is sent from the NAS to indicate the nature of the user's connection. Locato i n-Informato i n 127 C Octets This is a composite attribute, which provides meta data about the location information. It is encoded as per RFC 5580. Location-Data 128 M String This attribute contains the actual location information. It is encoded as per RFC 5580. 
NOTE This attribute is included only if the location delivery method is the accounting request as specified in RFC 5580. Basci-Locaotin-Pocily-Ruels 129 M String This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. NOTE This attribute is included only if the location delivery method is the accounting request as specified in RFC 5580. Exe tnded-Locaoitn-Po ciyl-Ruels 130 C Octets This attribute provides the extended privacy policy for the target whose location is specified.This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. NOTE This attribute is included only if the location delivery method is the accounting request as specified in RFC 5580. Hotspot (WISPr) Accounting Request [Stop/Interim] The table lists the attribute details of messages sent by the controller to the Hotspot (WISPr) module. Table 24: Hotspot (WISPr) accounting request (stop/interim) attributes 74 Attribute Attribute Presence Type Description ID User-Name 1 M String This attribute is the logon user name. Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 Hotspot (WISPr) Authentication and Accounting Overview Hotspot (WISPr) Accounting Request [Stop/Interim] Attribute Attribute Presence Type Description ID NAS-IP-Address 4 C Integer This attribute is the IP address of the AP which is serving the station or controller's control IP address, controller's management IP address and user defined value. NAS-Port 5 O Integer This attribute is the AID value. Framed-IP-Address 8 O IP This attribute is STA’s IP address. Address Class 25 O Integer This attribute is sent by the server in access accept and the client should include this attribute in the accounting request without modification. 
Vendor-Specific 26 O Integer Vendor ID: WISPr: 14122 Vendor Type: 1 VSA: WISPr-Location-ID VSA Length: Variable This attribute is a configurable value in the hotspot (WISPr) user interface. Vendor-Specific 26 O Integer Vendor ID: WISPr: 14122 Vendor Type: 2 VSA: WISPr-Location-Name VSA Length: Variable This attribute is a configurable value in the hotspot (WISPr) user interface. Vendor-Specific 26 O Integer Vendor ID: Ruckus: 25053 Vendor Type: 2 VSA: Ruckus-STA-RSSI (2) VSA Length: Variable This attribute can only be present with Acct-Status-Type = Interim or Stop. Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 75 Hotspot (WISPr) Authentication and Accounting Overview Hotspot (WISPr) Accounting Request [Stop/Interim] Attribute Attribute Presence Type Description ID Vendor-Specific 26 O String Vendor ID: Ruckus: 25053 Vendor Type: 3 VSA: Ruckus-SSID (3) VSA Length: Variable Reports the associated WLANs SSID in the access request and accounting packet, Ruckus VSA is received only from Ruckus AP. Vendor-Specific 26 O String Vendor ID: Ruckus: 25053 Vendor Type: 5 VSA: Ruckus-Location VSA Length: Variable Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. Vendor-Specific 26 O Integer Vendor ID: Ruckus: 25053 Vendor Type: 7 VSA: Ruckus-SCG-CBLADE-IP VSA VSA Length: Variable This attribute indicate the control plane IP address that is being used. Vendor-Specific 26 O Integer Vendor ID: Ruckus: 25053 Vendor Type: 8 VSA: Ruckus-SCG-DBLADE-IP VSA VSA Length: Variable This attribute value is observed by NBI, when the GRE tunnel is set up. 
76 Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 Hotspot (WISPr) Authentication and Accounting Overview Hotspot (WISPr) Accounting Request [Stop/Interim] Attribute Attribute Presence Type Description ID Called Station ID 30 M Integer This attribute allows NAS to send the ID (BSSID), which is called by the user. It is MAC of the AP. It supports 2 types of values, namely BSSID:SSID, where BSSID is the MAC address of the WLAN on AP. The second value is APMAC:SSID, where APMAC is the MAC address of the AP.The letters in the MAC address are in uppercase.For example: 11-22-33-AA-BB-CC:SSID Calling Station ID 31 M String STA’s MAC address the letters in the MAC address are in uppercase. For example, 11-22-33-AA-BB-CC. NAS-Identifier 32 C Integer This attribute contains a string identifying the NAS originating the access request. It supports 3 types of values for BSSID (MAC address of the WLAN on AP). APMAC (MAC address of AP) is a user defined attribute where the maximum length is 62. This attribute can also be configured as per the configuration specified on the WLAN configuration page of the controller web interface. Proxy-State 33 O Octets This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response. Acct-Status-Type 40 M Integer This attribute has the following values where 1 is Start, 2 is Stop, 3 is Interim, 7 are On and 8 are Off. Acct-Delay-Time 41 C Integer This attribute can only be seen in accounting retry packets. This is a configurable option and by default this attribute is disabled. Acct-Input-Octets 42 M Integer This attribute indicates the number of octets received from the port over the course of this service provided. 
Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 77 Hotspot (WISPr) Authentication and Accounting Overview Hotspot (WISPr) Accounting Request [Stop/Interim] Attribute Attribute Presence Type Description ID Acct-Output-Octets 43 M Integer This attribute indicates the number of octets sent to the port in the course of delivering this service. Acct-Session-ID 44 M Integer This attribute is a unique accounting identity to facilitate easy matching of start, interim and stop records in a log file. The start, interim and stop records for a given session must have the same Acct-Session-ID. Acct-Authentic 45 M Integer This attribute value in EAP 802.1X-Auth and hotspot (WISPr) is: 1 for RADIUS-Auth and 2 for MAC-Auth local. Acct-Terminate-Cause 49 M Integer This attribute can only be present with Acct-Status-Type = Stop. Acct-Multi-Session-ID 50 O Integer This attribute is hand-off between APs, which triggers new accounting session (stop followed by start) with different session identifiers. Acct-Multi-Session-ID retains the same ID to tie multiple sessions. 78 Acct-Link-Count 51 O Integer Count of links in a multi-link session, when an accounting record is generated. Acct-Input-Gigawords 52 M Integer This attribute can only be present with Acct-Status-Type = Interim, Stop. Acct-Output-Gigawords 53 M Integer This attribute can only be present with Acct-Status-Type = Interim, Stop. Event-Timestamp 55 O Integer This attribute is included in the Accounting-Request packet to record the time that this event occurred on NAS. For example, in seconds since January 1, 2013 00:00 UTC. NAS-Port-Type 61 O Integer This attribute indicates the physical port type of the NAS, which authenticates the user. Connect-Info 77 O String This attribute is sent from the NAS to indicate the nature of the user's connection. 
Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 Hotspot (WISPr) Authentication and Accounting Overview Hotspot (WISPr) Accounting Request [Stop/Interim] Attribute Attribute Presence Type Description ID Location-Information 127 C Octets This is a composite attribute, which provides meta data about the location information. It is encoded as per RFC 5580. NOTE This attribute is included only if the location delivery method is accounting request as specified in RFC 5580. Location-Data 128 M String This attribute contains the actual location information. It is encoded as per RFC 5580. NOTE This attribute is included only if the location delivery method is accounting request as specified in RFC 5580. Basic-Location-Policy-Rules 129 M String This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. NOTE This attribute is included only if the location delivery method is accounting request as specified in RFC 5580. Extended-Locato i n-Pocil y-Ruel s 130 C Octets This attribute provides the extended privacy policy for the target whose location is specified.This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. NOTE This attribute is included only if the location delivery method is accounting request as specified in RFC 5580. Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 79 Hotspot (WISPr) Accounting Response The table lists the attribute details of messages received by the controller to the Hotspot (WISPr) module. Table 25: Hotspot (WISPr) accounting response attributes Attribute Presence Type Description Response M Authenticator Integer MD5(Code|ID|Length|RequestAuth|RequestAuth|RequestAuth|Attributes|Secret) 81 Hotspot 2.0 Authentication 3 Hotspot 2.0 WLAN supports 802.1x authentication and passpoint technology. 
Passpoint enabled devices (R2 devices) connect to the network automatically based on their PPS-MO, which facilitates seamless roaming for users on the Wi-Fi network. WLAN supports the Hotspot 2.0 Online SignUp (OSU) procedure and passpoint enabled devices, which connect to the network and are provisioned with PPS-MO. R2 users can onboard PPS-MO through the authentication procedure using RADIUS credentials.

Non SIM based authentication (EAP-TTLS) is supported as per the WFA RFC mandate for Hotspot 2.0 R2 devices. SIM based authentication (EAP SIM and EAP AKA) is supported as per the WFA RFC mandate for Hotspot 2.0 R1 devices. SIM based authentication is similar to EAP - Full Authentication – 3GPP Solution except that RADIUS messages include Hotspot 2.0 specific attributes. SIM based authentication is also applicable for R1 devices associated with Hotspot 2.0 WLAN, and RADIUS messages are proxied to the external AAA server.

R2 devices are associated with Hotspot 2.0 WLAN on receiving the PPS-MO from the controller. Alternatively, R2 devices can also get PPS-MO from a remote OSU server, and the RADIUS request is proxied to the external AAA server during access.

NOTE: For this release, TTLS RADIUS authentication is supported. There is no support for EAP-SIM.

SIM Based Authentication - Access Request

SIM based authentication for Hotspot 2.0 devices is similar to EAP - Full Authentication – 3GPP Solution. In addition to the parameters mentioned in each of the following RADIUS messages, the table lists the attributes specific to Hotspot 2.0:
• RADIUS Access Request [ID]
• RADIUS Access Request [EAP Response (NONCE_MT)]
• RADIUS Access Request [EAP Response (SRES)]

Table 26: Hotspot 2.0 RADIUS access request attributes

| Attribute | Attribute ID | Presence | Type | Description |
| --- | --- | --- | --- | --- |
| Vendor-Specific | 26 | C | String | Vendor ID: 40808; Vendor Type: 2; VSA: AP Version; VSA Length: Variable. This attribute indicates version 0 as R1 compliant AP and version 1 as R2 compliant AP. |
| Vendor-Specific | 26 | C | String | Vendor ID: 40808; Vendor Type: 3; VSA: Mobile Device Version; VSA Length: Variable. This attribute indicates version 0 as R1 compliant AP and version 1 as R2 compliant AP. Version 1 also includes the update identifier details. |

R2 Device Access Authentication

In the R2 device authentication where PPS-MO is provisioned by an external OSU, the RADIUS access request is always proxied to the remote AAA server when the device connects to the Hotspot 2.0 WLAN. RAC proxies the request to the AAA server based on the realm configuration defined in Services&Profiles > Hotspot 2.0 of the controller web interface. The figure shows the call flow for R2 devices when PPS-MO is received from an external OSU. RAC does not decode the EAP payload and certificate details. It merely proxies the request based on the RADIUS user name attribute used in the request.

Figure 5: R2 device access authentication

Access Request

The table lists the attributes specific to Hotspot 2.0.
Table 27: Hotspot 2.0 RADIUS access request attributes

| Attribute | Attribute ID | Presence | Type | Description |
| --- | --- | --- | --- | --- |
| Vendor-Specific | 26 | C | String | Vendor ID: 40808; Vendor Type: 2; VSA: AP Version; VSA Length: Variable. This attribute indicates version 0 as R1 compliant AP and version 1 as R2 compliant AP. |
| Vendor-Specific | 26 | C | String | Vendor ID: 40808; Vendor Type: 3; VSA: Mobile Device Version; VSA Length: Variable. This attribute indicates version 0 as R1 compliant AP and version 1 as R2 compliant AP. Version 1 also includes the update identifier details. |

NOTE: R2 access requests will have similar attributes as captured in EAP Full Authentication with a few exceptions:
• The Username in the access request will have the value 'anonymous@realm.com'. 'Realm.com' will vary depending on the NAI realm configured in the PPS-MO.
• The EAP message will carry an EAP-TTLS payload. It will be used to exchange certificate details and MSCHAPv2 credentials, unlike EAP carrying EAP SIM credentials such as RAND, SRES, and Kc in EAP-SIM.

Access Response

The table lists the attributes specific to Hotspot 2.0. An HS 2.0 R2 call will have RADIUS responses such as multiple access challenges and Access Accept as captured for EAP SIM full authentication. See the note at the end of the table.

Table 28: Hotspot 2.0 RADIUS access response attributes

| Attribute | Attribute ID | Presence | Type | Description |
| --- | --- | --- | --- | --- |
| Vendor-Specific | 26 | C | String | Vendor ID: 40808; Vendor Type: 1; VSA: Subscription Remediation Needed; VSA Length: Variable. This attribute provides the remediation URL. |
| Vendor-Specific | 26 | C | String | Vendor ID: 40808; Vendor Type: 4; VSA: De-authentication Request; VSA Length: Variable. This attribute is applicable only for R2 devices. It gives the de-authenticated URL and the re-authentication delay. |
| Vendor-Specific | 26 | C | String | Vendor ID: 40808; Vendor Type: 5; VSA: Session Information URL; VSA Length: Variable. This attribute provides the URL details seen before session termination. |

NOTE: The EAP message for the HS 2.0 R2 call will have TLS and MSCHAPv2 credentials instead of SIM.

NOTE: Attributes such as Client Hello, Server Hello are standard TLS 1.0 specific attributes and are embedded within EAP. For details refer to RFC 2246.

R2 Device Onboarding

The UE can onboard with a controller using AAA credentials, where the controller proxies the onboarding requests to AAA.

Onboarding Access Request

The details in the access request are as follows:

Table 29: Onboarding Access Request Attribute

| Attribute | Attribute ID | Presence | Type | Description |
| --- | --- | --- | --- | --- |
| NAS-Port-Type | 61 | M | Integer | Indicates the physical port type of NAS, which authenticates the user. |
| NAS-Port | 5 | O | Integer | This attribute indicates the physical port number of the NAS which authenticates the user. The controller uses the association ID for the STA in the AP to represent this. |
| User-Name | 1 | M | String | Indicates the name of the user for authentication. |
| User-Password | 2 | C | String | This attribute indicates the password of the user to be authenticated. It is mandatory for PAP authentication. |
| Calling Station ID | 31 | O | String | This attribute will contain the Calling Station ID as received from NAS during authentication or the accounting procedure. |
| Message Authenticator | 80 | O | Octets | This attribute is used to sign access requests to prevent spoofing access requests using CHAP, ARAP or EAP authentication methods. It authenticates this whole RADIUS packet - HMAC-MD5 (Type \| Identifier \| Length \| Request Authenticator \| Attributes). |
| NAS-IP-address | 4 | C | IP Address | This attribute is the IP address of the AP which is serving the station or controller's control IP address, controller's management IP address and user defined value. |
| Proxy-State | 33 | O | Octets | This attribute is available to be sent by a proxy server to another server. |

Onboarding Access Response

The details in the access response are as follows:

Table 30: Onboarding Access Response Attribute

| Attribute | Attribute ID | Presence | Type | Description |
| --- | --- | --- | --- | --- |
| Proxy-State | 33 | O | Octets | This attribute is available to be sent by a proxy server to another server. |
| Filter-Id | 11 | O | String | Represents the User Role name sent by AAA. This is used by SCG to map the received Group Role Name to the UTP profile and forward the corresponding ACL/rate limiting parameters to NAS. NAS enforces the UTP for the given user. Filter-Id might be included in access accept irrespective of a WISPr, 802.1x or HS 2.0 call. |
| WISPr uplink | 26 | O | Integer | Vendor ID: WISPr: 14122; VSA: WISPr-Bandwidth-Max-UP (7); VSA Length: Variable. The attribute contains the maximum uplink value in bits per second. |
| WISPr downlink | 26 | O | Integer | Vendor ID: WISPr: 14122; VSA: WISPr-Bandwidth-Max-DOWN (8); VSA Length: Variable. The attribute contains the maximum downlink value in bits per second. |

Hotspot 2.0 VSAs

There are vendor specific attributes for Hotspot 2.0 as mandated by WFA Hotspot 2.0 specifications along with the regular RADIUS message attributes (as per RFC 2865). The figure indicates the VSA fields in a hotspot 2.0 subscription remediation flow.
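The checks a AAA-side receiver can apply to the access requests described above, as an added Python example (not code from this guide or from Ruckus): it verifies the Message Authenticator HMAC-MD5 from Table 29 and then decodes the Vendor-Specific (26) sub-fields (vendor ID, vendor type, vendor length, value, per RFC 2865) using vendor IDs and types listed in the tables. The shared secret, packet contents and function names are constructed for the illustration, and VSA values are returned as raw octets.

```python
import hashlib
import hmac
import struct

VENDOR_SPECIFIC = 26
MESSAGE_AUTHENTICATOR = 80
# (vendor ID, vendor type) pairs as listed in this guide's attribute tables.
VSA_NAMES = {
    (25053, 3): "Ruckus-SSID",
    (14122, 7): "WISPr-Bandwidth-Max-UP",
    (14122, 8): "WISPr-Bandwidth-Max-DOWN",
    (40808, 2): "Hotspot 2.0 AP Version",
    (40808, 3): "Hotspot 2.0 Mobile Device Version",
}


def parse_attributes(packet):
    """Return [(type, value_offset, value)]; reject inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    (length,) = struct.unpack("!H", packet[2:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field disagrees with the datagram size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, pos + 2, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def verify_message_authenticator(packet, secret):
    """HMAC-MD5 over the whole packet with the 16-octet attribute value zeroed."""
    found = [(off, val) for a_type, off, val in parse_attributes(packet)
             if a_type == MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][1]) != 16:
        return False  # absent, duplicated or malformed: treat as unsigned
    offset, received = found[0]
    (length,) = struct.unpack("!H", packet[2:4])
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def decode_vsas(packet):
    """Return [(vendor_id, vendor_type, name, value)] for each vendor sub-attribute."""
    decoded = []
    for a_type, _, value in parse_attributes(packet):
        if a_type != VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise ValueError("Vendor-Specific value shorter than the vendor ID")
        (vendor,) = struct.unpack("!I", value[:4])
        pos = 4
        while pos < len(value):
            if pos + 2 > len(value):
                raise ValueError("truncated vendor sub-attribute")
            v_type, v_len = value[pos], value[pos + 1]
            if v_len < 2 or pos + v_len > len(value):
                raise ValueError("vendor sub-attribute length out of bounds")
            name = VSA_NAMES.get((vendor, v_type), "unknown")
            decoded.append((vendor, v_type, name, value[pos + 2:pos + v_len]))
            pos += v_len
    return decoded


def _attr(a_type, value):
    # Type, Length (including the two header octets), Value.
    return bytes([a_type, len(value) + 2]) + value


def _vsa(vendor, v_type, value):
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", vendor) + _attr(v_type, value))


def build_sample_access_request(secret):
    """Constructed Access-Request (Code 1, ID 42) carrying two VSAs, signed last."""
    attrs = (_attr(1, b"anonymous@realm.com")
             + _vsa(25053, 3, b"constructed-ssid")
             + _vsa(40808, 2, b"\x01")
             + _attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    packet = bytes([1, 42]) + struct.pack("!H", 20 + len(attrs)) + bytes(range(16)) + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    request = build_sample_access_request(secret)
    print("Message Authenticator valid:", verify_message_authenticator(request, secret))
    for entry in decode_vsas(request):
        print(entry)
```

A request whose Message Authenticator is missing, duplicated or the wrong length is reported as unverified rather than raising, so the caller can apply one drop policy to every unsigned packet.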
Figure 6: Hotspot 2.0 VSA fields 89 AP Initiated Accounting Messages (PDG/LBO Sessions) 4 The controller honors RADIUS accounting messages received from AP, for both Ruckus AP and 3rd Party AP. For accounting messages from AP, controller generates W-AN-CDR/S-CDR/W-CDR as configured in the controller UI (non-proxy mode), or proxy accounting messages received from AP to configured external AAA server (proxy mode). The figure shows the controller proxy accounting messages from NAS to external AAA server. Figure 7: AP initiated accounting messages Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 89 AP Initiated Accounting Messages (PDG/LBO Sessions) Accounting Start Messages This section covers: • • • • Accounting Start Messages Accounting Interim Update and Stop Messages Accounting On Messages Accounting Off Messages Accounting Start Messages The table lists the attribute details of messages sent by the controller to the AAA server. Table 31: Accounting start message attributes Attribute Attribute Presence Type ID Description User-Name 1 M String The username of the given accounting session. NAS-IP-Address 4 C IP This attribute is the IP address of the AP which Address is serving the station or user equipment, controller's control IP address, controller's management IP address and user defined value. NAS-Port 5 O Integer This attribute indicates the physical port number of the NAS which authenticates the user. The controller uses the association ID for the STA in the AP to represent this. Framed-IP-Address 8 O IP This attribute indicates the address to be Address configured for the user. Vendor-Specific 26 C String Vendor ID: Ruckus:25053 VSA: Ruckus-SSID (3) VSA Length: Variable Reports the associated WLANs SSID in access request and accounting packet. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. 
90 Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 AP Initiated Accounting Messages (PDG/LBO Sessions) Accounting Start Messages Attribute Attribute Presence Type ID Vendor-Specific 26 C String Description Vendor ID: Ruckus:25053 VSA: Ruckus-Location (5) VSA Length: Variable Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. Vendor-Specific 26 C Integer Vendor ID: Ruckus:25053 VSA: Ruckus-SCG-CBLADE-IP (7) VSA Length: 6 Reports the control plane IP address. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. Vendor-Specific 26 C Integer Vendor ID: Ruckus:25053 VSA: Ruckus-SCG-DBLADE-IP (8) VSA Length: 6 Reports the data plane IP address. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. Called Station ID 30 O Integer This attribute supports two kinds of formats, namely, BSSID:SSID, which is the MAC address of the WLAN on AP and APMAC:SSID which is the MAC address of AP. The letters in the MAC address are in uppercase. For example: 11-22-33-AA-BB-CC:SSID. Calling Station ID 31 O String NAS-Identifier 32 C Integer NAS-IP-Address or NAS-Identifier attribute is mandatory in received messages. It supports 3 types of values, namely BSSID (MAC address of the WLAN on AP), APMAC (MAC address of AP) and user defined address (maximum length of 62). Allows NAS to send the ID (UE MAC), which indicates as to who is calling the STA's MAC address. The letters in the MAC address are in uppercase. For example: 11-22-33-AA-BB-CC. 
Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 91 AP Initiated Accounting Messages (PDG/LBO Sessions) Accounting Start Messages 92 Attribute Attribute Presence Type ID Proxy-State 33 C Octets This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response. Acct-Status-Type 40 M Integer This attribute indicates whether the Accounting-Request attribute marks the beginning of the user service (Start). Start value is 1. Acct-Delay-Time 41 C Integer This is a configurable option and by default this attribute is disabled.In case the accounting message gets retransmitted, this attribute contains the time stamp of the consecutive retransmitted message. Acct-Session-ID 44 M Integer This attribute is a unique accounting identity to facilitate easy matching of start, interim and stop records in a log file. The start, interim and stop records for a given session must have the same Acct-Session-ID. Acct-Authentic 45 M Integer This attribute indicates whether the user was authenticated through RADIUS server or NAS or remote authentication protocol. Acct-Mult-iSession-ID 50 O Integer This attribute is a unique Accounting ID, to link multiple related sessions in a log file Acct-Link-Count 51 O Integer Count of links in a multi-link session, when an accounting record is generated. Event-Timestamp 55 O Integer This attribute is included in the accounting-request packet for recording the time in seconds that the event occurred on NAS. For example, January 1, 2013 00:00 UTC. NAS-Port-Type 61 O Integer Indicates the physical port type of NAS, which authenticates the user. Connect-Info 77 O String This attribute is sent from the NAS to indicate the nature of the user's connection. 

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| Chargeable User ID | 89 | C | String | This attribute is MSISDN or any chargeable user identity returned by the AAA server. |
| Location-Information | 127 | C | Octets | This is a composite attribute, which provides meta data about the location information. It is encoded as per RFC 5580. NOTE: This attribute is included only when the expected location delivery method is accounting request as specified in RFC 5580. |
| Location-Data | 128 | M | String | This attribute contains the actual location information. It is encoded as per RFC 5580. NOTE: This attribute is included only when the expected location delivery method is accounting request as specified in RFC 5580. |
| Basic-Location-Policy-Rules | 129 | C | Octets | This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. NOTE: This attribute is included only when the expected location delivery method is accounting request as specified in RFC 5580. |
| Extended-Location-Policy-Rules | 130 | C | Octets | This attribute provides the extended privacy policy for the target whose location is specified. This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. NOTE: This attribute is included only when the expected location delivery method is accounting request as specified in RFC 5580. |

Accounting Interim Update and Stop Messages

The table lists the attribute details of messages sent by the controller to AAA.
Table 32: Accounting interim update and stop message attributes

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| User-Name | 1 | M | String | The username of the given accounting session. |
| NAS-IP-Address | 4 | C | IP Address | This attribute is the IP address of the AP which is serving the station or controller's control IP address, controller's management IP address and user defined value. |
| NAS-Port | 5 | O | Integer | This attribute indicates the physical port number of the NAS which authenticates the user. The controller uses the association ID for the STA in the AP to represent this. |
| Framed-IP-Address | 8 | O | IP Address | This attribute indicates the address to be configured for the user. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-STA-RSSI (2); VSA Length: 6. UE reports the current RSSI value in the accounting packet. Ruckus VSA is received only from Ruckus AP. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-SSID (3); VSA Length: Variable. Reports the associated WLANs SSID in the access request and accounting packet. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-Location (5); VSA Length: Variable. Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-CBLADE-IP (7); VSA Length: 6. Reports the control plane IP address. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-DBLADE-IP (8); VSA Length: 6. Reports the data plane address. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Called Station ID | 30 | O | Integer | This attribute allows NAS to send the ID (BSSID), which is called by the user. It is MAC of the AP. It supports 2 types of values, namely BSSID:SSID, where BSSID is the MAC address of the WLAN on AP. The second value is APMAC:SSID, where APMAC is the MAC address of the AP. The letters in the MAC address are in uppercase. For example: 11-22-33-AA-BB-CC:SSID |
| Calling Station ID | 31 | O | String | Allows NAS to send the ID (UE MAC), which indicates as to who is calling this server. |
| NAS-Identifier | 32 | C | Integer | NAS-IP-Address or NAS-Identifier attribute is mandatory in received messages. It supports 3 types of values, namely BSSID (MAC address of the WLAN on AP), APMAC (MAC address of AP) and user defined address (maximum length of 62). |
| Proxy-State | 33 | O | Octets | This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response. |
| Acct-Status-Type | 40 | M | Integer | Value differs based on message type. Attribute interim update has the value 3 and stop has the value 2. |
| Acct-Delay-Time | 41 | C | Integer | This is a configurable option and by default this attribute is disabled. In case the accounting message gets retransmitted, this attribute contains the time stamp of the consecutive retransmitted message. |

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| Acct-Input-Octets | 42 | M | Integer | This attribute indicates the number of octets received from the port over the course of the service provided. This attribute is present in Acct-Status-Type = Interim, Stop. |
| Acct-Output-Octets | 43 | M | Integer | This attribute indicates the number of octets sent to the port in the course of delivering this service. |
| Acct-Session-ID | 44 | M | Integer | This attribute is a unique accounting identity to facilitate easy matching of start, interim and stop records in a log file. The start, interim and stop records for a given session must have the same Acct-Session-ID. |
| Acct-Authentic | 45 | M | Integer | This attribute indicates whether the user was authenticated through RADIUS server or NAS or remote authentication protocol. |
| Acct-Session-Time | 46 | M | Integer | This attribute indicates the number of seconds for receiving the service. |
| Acct-Input-Packets | 47 | M | Integer | This attribute indicates the number of packets received from the port over the course of the service provided to a framed user. |
| Acct-Output-Packets | 48 | M | Integer | This attribute indicates the number of packets sent from the port over the course of the service provided to a framed user. |
| Acct-Terminate-Cause | 49 | M | Integer | This attribute indicates how the session was terminated. This attribute can only be present in accounting request records where the Acct-Status-Type is set to Stop. |
| Acct-Multi-Session-ID | 50 | O | Integer | This attribute is a unique Accounting ID, linking multiple related sessions in a log file. |
| Acct-Link-Count | 51 | O | Integer | Count of links in a multi-link session, when an accounting record is generated. |

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| Acct-Input-Gigawords | 52 | M | Integer | This attribute indicates the number of times that the Acct-Input-Octets counter wraps around 2^32 over the course of this provided service. |
| Acct-Output-Gigawords | 53 | M | Integer | This attribute indicates the number of times the Acct-Output-Octets counter is wrapped around 2^32 in the course of delivering this service. |
| Event-Timestamp | 55 | O | Integer | This attribute is included in the accounting request packet to record the time (in seconds) that this event occurred on NAS. For example, January 1, 2013 00:00 UTC. |
| NAS-Port-Type | 61 | O | Integer | Indicates the physical port type of NAS, which authenticates the user. |
| Connect-Info | 77 | O | String | This attribute is sent from the NAS to indicate the nature of the user's connection. |
| Chargeable User ID | 89 | C | String | AP includes Chargeable User ID attribute along with the values received from the AAA server. |
| Location-Information | 127 | C | Octets | This is a composite attribute, which provides meta data about the location information. It is encoded as per RFC 5580. NOTE: This attribute is included only when the expected location delivery method is accounting request as specified in RFC 5580. |
| Location-Data | 128 | M | String | This attribute contains the actual location information. It is encoded as per RFC 5580. NOTE: This attribute is included only when the expected location delivery method is accounting request as specified in RFC 5580. |
| Basic-Location-Policy-Rules | 129 | C | Octets | This attribute provides the basic privacy policy associated to the location information. It is encoded as per RFC 5580. NOTE: This attribute is included only when the expected location delivery method is accounting request as specified in RFC 5580. |

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| Extended-Location-Policy-Rules | 130 | C | Octets | This attribute provides the extended privacy policy for the target whose location is specified. This attribute is sent with the above attribute (basic location policy). It is encoded as per RFC 5580. NOTE: This attribute is included only when the expected location delivery method is accounting request as specified in RFC 5580. |

Accounting On Messages

The table lists the attribute details of messages sent by the controller to the AAA server.

Table 33: Accounting on message attributes

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| User-Name | 1 | M | String | The username of the given accounting session. |
| NAS-IP-Address | 4 | C | IP Address | This attribute is the IP address of the AP which is serving the station or controller's control IP address, controller's management IP address and user defined value. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-SSID (3); VSA Length: Variable. Reports the associated WLANs SSID in the access request and accounting packet. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-Location (5); VSA Length: Variable. Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-CBLADE-IP (7); VSA Length: 6. Reports the control plane IP address. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-DBLADE-IP (8); VSA Length: 6. Reports the data plane IP address. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Called Station ID | 30 | O | Integer | This attribute allows NAS to send the ID (BSSID), which is called by the user. It is MAC of the AP. It supports 2 types of values, namely BSSID:SSID, where BSSID is the MAC address of the WLAN on AP. The second value is APMAC:SSID, where APMAC is the MAC address of the AP. The letters in the MAC address are in uppercase. For example: 11-22-33-AA-BB-CC:SSID |
| NAS-Identifier | 32 | C | Integer | NAS-IP-Address or NAS-Identifier attribute is mandatory in received messages. It supports 3 types of values, namely BSSID (MAC address of the WLAN on AP), APMAC (MAC address of AP) and user defined address (maximum length of 62). |
| Proxy-State | 33 | O | Octets | This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response. |
| Acct-Status-Type | 40 | M | Integer | This attribute indicates whether the Accounting-Request attribute marks it as Accounting-On (7) and Accounting-Off (8). |
| Acct-Delay-Time | 41 | C | Integer | In case the accounting message gets retransmitted, this attribute contains the time stamp of the consecutive retransmitted message. |
| Acct-Authentic | 45 | M | Integer | This attribute indicates whether the user was authenticated through RADIUS server or NAS or Remote authentication protocol. |
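
The following is an added example, not code from the guide or from Ruckus: a decoder for the Accounting Interim Update and Stop messages of Table 32 that unpacks the Ruckus VSAs (vendor ID 25053), checks the attributes marked M, and combines each Gigawords counter with its Octets counter into a 64-bit total. The function names, the sample packet and the reading of the 4-octet CBLADE/DBLADE value as an IPv4 address are assumptions of this example.

```python
import ipaddress
import struct

RUCKUS_VENDOR_ID = 25053  # vendor ID given in the guide
# Ruckus vendor types from the tables; reading the 4-octet value as IPv4 is an assumption.
RUCKUS_VSA = {2: ("Ruckus-STA-RSSI", "int"), 3: ("Ruckus-SSID", "str"),
              5: ("Ruckus-Location", "str"), 7: ("Ruckus-SCG-CBLADE-IP", "ip"),
              8: ("Ruckus-SCG-DBLADE-IP", "ip")}
# Attributes decoded as 32-bit integers (IDs from Table 32).
INT_ATTRS = {40: "Acct-Status-Type", 42: "Acct-Input-Octets", 43: "Acct-Output-Octets",
             45: "Acct-Authentic", 46: "Acct-Session-Time", 47: "Acct-Input-Packets",
             48: "Acct-Output-Packets", 49: "Acct-Terminate-Cause",
             52: "Acct-Input-Gigawords", 53: "Acct-Output-Gigawords"}
# Acct-Session-ID is decoded as text here (RFC 2866); the guide's table lists it as Integer.
TEXT_ATTRS = {1: "User-Name", 44: "Acct-Session-ID"}
# Presence "M" for both Interim (3) and Stop (2); the RFC 5580 location attributes are left out.
MANDATORY = (set(INT_ATTRS.values()) - {"Acct-Terminate-Cause"}) | set(TEXT_ATTRS.values())


def walk_tlvs(buf):
    """Yield (type, value) pairs; each length octet counts its own 2-octet header."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]


def decode_value(kind, raw):
    if kind == "int":
        if len(raw) != 4:
            raise ValueError("integer attribute must carry 4 octets")
        return struct.unpack("!I", raw)[0]
    if kind == "ip":
        return str(ipaddress.IPv4Address(raw))  # raises ValueError unless 4 octets
    return raw.decode("utf-8", errors="replace")


def parse_accounting(packet):
    """Decode one Accounting-Request (code 4) into a dict of named values."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 4 or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    rec = {}
    for atype, raw in walk_tlvs(packet[20:length]):
        if atype in INT_ATTRS:
            rec[INT_ATTRS[atype]] = decode_value("int", raw)
        elif atype in TEXT_ATTRS:
            rec[TEXT_ATTRS[atype]] = decode_value("str", raw)
        elif atype == 26 and len(raw) > 4 and struct.unpack("!I", raw[:4])[0] == RUCKUS_VENDOR_ID:
            # Vendor-Specific: 4-octet vendor ID, then vendor type / vendor length / value.
            for vtype, vraw in walk_tlvs(raw[4:]):
                if vtype in RUCKUS_VSA:
                    name, kind = RUCKUS_VSA[vtype]
                    rec[name] = decode_value(kind, vraw)
    status = rec.get("Acct-Status-Type")
    required = set(MANDATORY)
    if status == 2:  # Acct-Terminate-Cause is only present in Stop records
        required.add("Acct-Terminate-Cause")
    rec["missing"] = sorted(required - set(rec)) if status in (2, 3) else []
    # Gigawords counts how often the 32-bit octet counter wrapped around 2^32.
    for d in ("Input", "Output"):
        rec["total_%s_octets" % d.lower()] = (
            (rec.get("Acct-%s-Gigawords" % d, 0) << 32) + rec.get("Acct-%s-Octets" % d, 0))
    return rec


def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def build_sample_stop(skip=()):
    """Constructed Accounting-Request (Stop); every value is made up for this example."""
    ints = {40: 2, 42: 1000, 43: 4294967000, 45: 1, 46: 3600, 47: 900, 48: 1200,
            49: 1, 52: 0, 53: 2}
    body = attr(1, b"alice") + attr(44, b"5A3F-0001")
    body += b"".join(attr(t, struct.pack("!I", v)) for t, v in ints.items() if t not in skip)
    for vtype, value in ((2, struct.pack("!I", 37)), (3, b"corp-wlan"),
                         (7, ipaddress.IPv4Address("192.0.2.10").packed)):
        body += attr(26, struct.pack("!I", RUCKUS_VENDOR_ID) + attr(vtype, value))
    return struct.pack("!BBH16s", 4, 7, 20 + len(body), bytes(16)) + body


if __name__ == "__main__":
    for key, value in parse_accounting(build_sample_stop()).items():
        print(key, "=", value)
```

A collector that stores only Acct-Output-Octets would record 4294967000 octets for this constructed session instead of the 12884901592 octets that the Gigawords counter implies.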

Accounting Off Messages

The table lists the attribute details of messages sent by the controller to the AAA server.

Table 34: Accounting off message attributes

| Attribute | Attribute ID | Presence | Type | Description |
|---|---|---|---|---|
| User-Name | 1 | M | String | The username of the given accounting session. |
| NAS-IP-Address | 4 | C | IP Address | This attribute is the IP address of the AP which is serving the station or controller's control IP address, controller's management IP address and user defined value. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-SSID (3); VSA Length: Variable. Reports the associated WLANs SSID in access request and accounting packet. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | String | Vendor ID: Ruckus:25053; VSA: Ruckus-Location (5); VSA Length: Variable. Reports the device location for this AP. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-CBLADE-IP (7); VSA Length: 6. Reports the control plane IP address. Ruckus VSAs are received from Ruckus APs only. It is optional for 3rd party APs. |
| Vendor-Specific | 26 | C | Integer | Vendor ID: Ruckus:25053; VSA: Ruckus-SCG-DBLADE-IP (8); VSA Length: 6. Reports the data plane IP address. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. |
| Called Station ID | 30 | O | Integer | This attribute allows NAS to send the ID (BSSID), which is called by the user. It is MAC of the AP. It supports 2 types of values, namely BSSID:SSID, where BSSID is the MAC address of the WLAN on AP. The second value is APMAC:SSID, where APMAC is the MAC address of the AP. The letters in the MAC address are in uppercase. For example: 11-22-33-AA-BB-CC:SSID. |
| NAS-Identifier | 32 | C | Integer | NAS-IP-Address or NAS-Identifier attribute is mandatory in received messages. It supports 3 types of values, namely BSSID (MAC address of the WLAN on AP), APMAC (MAC address of AP) and user defined address (maximum length of 62). |
| Proxy-State | 33 | O | Octets | This attribute is available to be sent by a proxy server (controller) to another server (AAA server) when forwarding an access request, accounting request (start, stop or interim) and must be returned unmodified in the access accept, access reject, access challenge and accounting response. |
| Acct-Status-Type | 40 | M | Integer | This attribute indicates whether the Accounting-Request attribute marks it as Accounting-On (7) and Accounting-Off (8). |
| Acct-Delay-Time | 41 | C | Integer | In case the accounting message gets retransmitted, this attribute contains the time stamp of the consecutive retransmitted message. |
| Acct-Authentic | 45 | M | Integer | This attribute indicates whether the user was authenticated through RADIUS server or NAS or Remote authentication protocol. |

5 Dynamic Authorization and List of Vendor Specific Attributes - AAA Server

The AAA server initiates messages to the controller signaling an authorization change, as described in RFC 5176, Dynamic Authorization Extensions to RADIUS. This occurs when modifications are made to the subscriber GPRS profile at the HLR (via OAM). Reference TS 29.234 describes these procedures on the Wm reference point using the diameter protocol.

The following sections list the message flow attributes utilized for RADIUS Dynamic Authorization Extension.

Change of Authorization (CoA) and Disconnect Message (DM) messages can have any of the following attributes as a session identifier.
• User name
• CUI with MSISDN
• Acct-Sess-Id (Session identification attribute)

Service Authorisation

A change in service authorization is initiated at the AAA server. For example, when the AAA server receives a MAP-InsertSubscriberData from the HLR along with the modified GPRS profile information (QoS), or when the profile is modified for any other reason, the controller AAA proxy intercepts the CoA request. It checks whether the CoA message contains a session identification attribute (such as user name) as well as attributes indicating the authorization changes (new QoS). Depending on these attributes, the call flows could vary.

If the CoA request contains a session identification and the service-type (6) attribute is set to authorize-only, the controller responds with CoA NAK, since the controller does not support CoA with service-type as authorize-only. If the CoA request does not contain the service-type (6) attribute, the message must contain session identification attributes as well as authorization attributes (QoS).

The controller supports RADIUS CoA (Change-of-Authorization) in limited form. RADIUS CoA is supported only for modifying the QoS profile when subscriber traffic is tunneled to the core network (Gn and S2a) interface. It is also supported when traffic originates from Ruckus Wireless or from 3rd party APs.

This section covers:

• Change of Authorization (CoA) Messages - Not Set to Authorize Only
• Change of Authorization Acknowledge Messages (CoA Ack)
• Change of Authorization Negative Acknowledge Messages (CoA NAK)
• Disconnected Messages
• Acknowledgment of Disconnected Messages (DM Ack)
• Negative Acknowledge of Disconnected Messages (DM NAK)
• Disconnected Messages - Dynamic Authorization Client (AAA server)

NOTE Refer to the Authentication and Authorization section for this procedure.

Change of Authorization (CoA) Messages - Not Set to Authorize Only

The table lists the attribute details of CoA messages where the service type AVP is not set. CoA can have any of the following attributes as session identifier:

• User name
• CUI with MSISDN
• Acct-Sess-Id

Table 35: Change of Authorization (CoA) messages - Authorize-Only is not set

| Attribute | Attribute ID | Presence | Type/Description |
|---|---|---|---|
| Message Code | | M | 43 |
| User-Name | 1 | C | Identifies the username of the UE/subscriber to be disconnected. Username is received from NAS during authentication or accounting session. |
| NAS-IP-Address | 4 | C | This attribute is the IP address of the AP which is serving the station or controller's control IP address, controller's management IP address and user defined value. |
| NAS-Port | 5 | O | Indicates the physical NAS port number, which authenticates the user or the port on which a session is terminated. If present should match the session context table. |

| Attribute | Attribute ID | Presence | Type/Description |
|---|---|---|---|
| Service-Type | 6 | O | This attribute indicates the type of service the user has requested, or the type of service to be provided. CoA request should be processed if present. |
| Framed-IP-Address | 8 | O | The IPv4 address associated with a session. This is the IP address which gets assigned to the UE after successful call establishment. If present should match the session context table. |
| Filter-Id | 11 | O | Represents the user role name sent by AAA. This is used by the controller to map the received Group Role Name to the UTP profile and forward the corresponding ACL/rate limiting parameters to NAS. NAS enforces the UTP for the given user. |
| VSA 3GPP-GPRS-Negotiated-QoS-Profile | 26 | O | This attribute carries the new QoS value and can be either a Ruckus defined VSA or a 3GPP defined VSA. Note: The controller uses this attribute for updating the QoS from the AAA server, whichever is present. If both are present, priority is for the 3GPP-QoS attribute. |
| Vendor-Specific | 26 | O | Vendor ID: WISPr: 14122; VSA: WISPr-Bandwidth-Max-UP (7); VSA Length: Variable. The attribute contains the maximum uplink value in bits per second. |
| Vendor-Specific | 26 | O | Vendor ID: WISPr: 14122; VSA: WISPr-Bandwidth-Max-DOWN (8); VSA Length: Variable. The attribute contains the maximum downlink value in bits per second. |

| Attribute | Attribute ID | Presence | Type/Description |
|---|---|---|---|
| Session-Timeout | 27 | O | This attribute sets the maximum number of seconds of service to be provided to the user before termination of the session. |
| Idle-Timeout | 28 | O | It sets the maximum number of consecutive seconds of idle connection allowed to the user before termination of the session. |
| Called Station ID | 30 | O | String. This attribute will contain the Called Station ID as received from NAS during authentication or the accounting procedure. |
| Calling Station ID | 31 | O | String. This attribute will contain the Calling Station ID as received from NAS during authentication or the accounting procedure. |
| NAS-Identifier | 32 | C | If present, it should match with the value in the controller session table. |
| Acct-Session-ID | 44 | C | This attribute should have the same value as sent by NAS during the accounting procedure. |
| Acct-Multi-Session-Id | 50 | O | This attribute uniquely identifies related sessions. It should have the same value received in authentication or accounting request. If present should match the session context table. |
| Accounting-Interim-Interval | 85 | O | Indicates the number of seconds between each interim update for this specific session. If the value is blank, the configured default value is used as the accounting interim interval. |
| NAS-Port-Id | 87 | O | String identifying the port based on the session and should match the session context if present in request. |
| Chargeable User ID | 89 | C | String. This attribute is MSISDN or any chargeable user identity returned by the AAA server. |
| Framed-Interface-Id | 96 | O | The IPv6 interface identifier associated with a session, which is always sent with framed-IPv6 prefix. If present should match the session context. |
| Framed-IPv6-Prefix | 97 | O | The IPv6 prefix associated with a session, which is always sent with framed interface identifier. If present should match the session context. |

Change of Authorization Acknowledge Messages (CoA Ack)

The table lists the attributes of CoA messages being acknowledged by the controller to DAC.

Table 36: Change of Authorization (CoA) messages - Acknowledge

| Attribute | Attribute ID | Presence | Type/Description |
|---|---|---|---|
| Message Code | | M | 44 |
| State | 24 | C | This attribute is copied without any modification or only if it is sent in the CoA request. |

Change of Authorization Negative Acknowledge Messages (CoA NAK)

The table lists the attributes of CoA messages that are not acknowledged by the controller to the DAC.

Table 37: Change of Authorization (CoA) messages - Negative Acknowledge

| Attribute | Attribute ID | Presence | Type/Description |
|---|---|---|---|
| Message Code | | M | 45 |
| Service-Type | 6 | C | Indicates the type of service based on the user request or the type of service to be provided. It is included only if the Service-Type attribute is present in CoA request, is set to authorize only. |
| State | 24 | C | This attribute is copied without any modification or only if it is sent in the CoA request. |
| Error-Cause | 101 | C | Included only if the Service-Type attribute is present in CoA request is set to authorize only. It is included only if the Error-Cause attribute is set to request initiated. |

NOTE For other scenarios, the attribute Error-Cause will have the value as mentioned in TS.
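
The following is an added example, not code from the guide or from the controller: a receiver-side check for CoA (code 43) and Disconnect (code 40) requests that verifies the RFC 5176 Request Authenticator and, when present, the Message-Authenticator (HMAC-MD5) before applying the rules described under Service Authorisation. The function names, the verdict strings, the shared secret, the `AUTHZ_ATTRS` set and the `require_ma` switch are assumptions of this example.

```python
import hashlib
import hmac
import struct

COA_REQUEST, DISCONNECT_REQUEST = 43, 40   # message codes from the tables
SERVICE_TYPE, MESSAGE_AUTHENTICATOR = 6, 80
AUTHORIZE_ONLY = 17                        # Service-Type value "Authorize Only" (RFC 5176)
SESSION_ID_ATTRS = {1, 44, 89}             # User-Name, Acct-Session-ID, Chargeable User ID
# Table 35 attributes treated here as "authorization changes" (an assumption of this example).
AUTHZ_ATTRS = {11, 26, 27, 28, 85}


def _zeroed(packet, ma_offset):
    """Copy with the Request Authenticator and Message-Authenticator value set to zero."""
    buf = bytearray(packet)
    buf[4:20] = bytes(16)
    if ma_offset is not None:
        buf[ma_offset:ma_offset + 16] = bytes(16)
    return bytes(buf)


def check_dynamic_auth(packet, secret, require_ma=False):
    """Return (verdict, reason); verdict is DROP, NAK or PROCESS."""
    if len(packet) < 20:
        return ("DROP", "short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (COA_REQUEST, DISCONNECT_REQUEST) or not 20 <= length <= len(packet):
        return ("DROP", "not a CoA or Disconnect request")
    packet = packet[:length]
    attrs, ma_offset, pos = {}, None, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            return ("DROP", "malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18 or ma_offset is not None:
                return ("DROP", "malformed Message-Authenticator")
            ma_offset = pos + 2
        attrs.setdefault(atype, packet[pos + 2:pos + alen])
        pos += alen
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + secret)
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return ("DROP", "bad Request Authenticator")
    if ma_offset is None:
        # Listed as optional (O) in Table 38; require_ma=True is a stricter local policy.
        if require_ma:
            return ("DROP", "Message-Authenticator missing")
    else:
        # HMAC-MD5 over the whole packet, both authenticator fields counted as zero.
        mac = hmac.new(secret, _zeroed(packet, ma_offset), hashlib.md5).digest()
        if not hmac.compare_digest(mac, packet[ma_offset:ma_offset + 16]):
            return ("DROP", "bad Message-Authenticator")
    if code == COA_REQUEST and attrs.get(SERVICE_TYPE) == struct.pack("!I", AUTHORIZE_ONLY):
        return ("NAK", "Service-Type Authorize-Only is not supported")
    if SESSION_ID_ATTRS.isdisjoint(attrs):
        return ("NAK", "no session identification attribute")
    if code == COA_REQUEST and AUTHZ_ATTRS.isdisjoint(attrs):
        return ("NAK", "no authorization attributes")
    return ("PROCESS", "authenticated; match against the session table")


def build_request(code, attrs, secret, ident=1):
    """Constructed, correctly signed request; attribute values are made up for the demo."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    body += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = bytearray(struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body)
    pkt[len(pkt) - 16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    pkt[4:20] = hashlib.md5(bytes(pkt[:4]) + bytes(16) + bytes(pkt[20:]) + secret).digest()
    return bytes(pkt)


if __name__ == "__main__":
    secret = b"constructed-secret"
    session = [(1, b"alice"), (44, b"5A3F-0001")]
    timeout = (27, struct.pack("!I", 3600))
    print(check_dynamic_auth(build_request(43, session + [timeout], secret), secret))
    print(check_dynamic_auth(build_request(43, session, secret), secret))
    print(check_dynamic_auth(build_request(40, session, secret), b"other-secret"))
```

Both digests are checked before any attribute is interpreted, so a request signed with the wrong shared secret is dropped without a NAK.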

Disconnect Messages

The table lists the attributes of disconnect messages, which are initiated by the controller.

Table 38: Disconnected messages

| Attribute | Attribute ID | Presence | Type/Description |
|---|---|---|---|
| Message Code | | M | 40 |
| User-Name | 1 | M | Identifies the user name of the UE/subscriber to be disconnected. User name received from NAS during authentication or accounting session. |
| NAS-IP-Address | 4 | C | If present, it should match with the value in the controller session table. |
| Calling Station ID | 31 | C | This attribute will contain the Calling Station ID as received from NAS during authentication or the accounting procedure. |
| NAS-Identifier | 32 | C | It supports 3 types of values, namely BSSID (MAC address of the WLAN on AP), APMAC (MAC address of AP) and user defined address (maximum length of 62). |
| Acct-Session-ID | 44 | C | This attribute should have the same value as sent by NAS during accounting procedure. |
| Message Authenticator | 80 | O | This attribute is used to sign access requests to prevent spoofing access requests using CHAP, ARAP or EAP authentication methods. It authenticates the whole RADIUS packet: HMAC-MD5 (Type, Identifier, Length, Request Authenticator, Attributes). |
| Chargeable User ID | 89 | C | This attribute is MSISDN or any chargeable user identity returned by the AAA server. |

Acknowledgment of Disconnect Messages (DM Ack)

The table lists the attributes of disconnect messages, which are acknowledged.
Table 39: Acknowledgment of disconnect messages

| Attribute | Attribute ID | Presence | Type/Description |
|---|---|---|---|
| Message Code | | M | 41 |
| Acct-Terminate-Cause | 49 | O | This attribute indicates how the session was terminated. Value for Admin-Reset is set to 6. |

Negative Acknowledge of Disconnect Messages (DM NAK)

The table lists the attributes of disconnect messages, which are not acknowledged.

Table 40: Negative acknowledgment of disconnect messages

| Attribute | Attribute ID | Presence | Type/Description |
|---|---|---|---|
| Message Code | | M | 41 |
| Error-Cause | 101 | C | Included only if the Service-Type attribute is present in CoA request is set to authorize only. It is included only if the Error-Cause attribute is set to request initiated. |

Disconnect Messages - Dynamic Authorization Client (AAA server)

A disconnect request packet is sent by the Dynamic Authorization Client for terminating user session(s) on a NAS and to discard all associated session context. The disconnect request packet is sent to UDP port 3799 where it identifies the NAS as well as the user session(s) to be terminated by including the identification attributes.

Disconnected messages can have any of the following attributes as a session identifier.

• User name
• CUI with MSISDN
• Acct-Sess-Id

The table lists the attribute details of the disconnect messages, which are initiated by the dynamic authorization client of the AAA server.
Table 41: Disconnected messages initiated by dynamic authorization client (DAC)

| Attribute | Attribute ID | Presence | Type/Description |
|---|---|---|---|
| Message Code | | M | 40 |
| User-Name | 1 | C | Identifies the username of the UE/subscriber to be disconnected. User name received from NAS during authentication or accounting session. |
| NAS-IP-Address | 4 | C | This attribute is the IP address of the AP which is serving the station or controller's control IP address, controller's management IP address and user defined value. |
| Calling Station ID | 31 | O | String. This attribute will contain the Calling Station ID as received from NAS during authentication or the accounting procedure. |
| NAS-Identifier | 32 | C | If present, it should match with the value in the controller session table. |
| Proxy-State | 33 | O | This attribute is available to be sent by a proxy server to another server. |
| Acct-Session-ID | 44 | C | This attribute should have the same value as sent by NAS during accounting procedure. |
| Chargeable User ID | 89 | C | String. This attribute is MSISDN or any chargeable user identity returned by the AAA server. |

List of Vendor Specific Attributes

This section lists the vendor specific attributes. This section includes:

• WISPr Vendor Specific Attributes
• Ruckus Wireless Vendor Specific Attributes

WISPr Vendor Specific Attributes

The table lists the WISPr vendor specific attributes. The VSA ID for the following VSAs is 14122 and the type is 26.
Table 42: WISPr vendor specific attributes - 14122

| Attribute Name | Vendor Type | RADIUS Message Type | Purpose |
|---|---|---|---|
| WISPr-Location-ID | 1 | Access-Accept; Accounting Start Stop | This attribute indicates the WISPr location id for the specified WISPr service. |
| WISPr-Location-Name | 2 | Access-Accept; Accounting Start Stop and Interim | This attribute indicates the WISPr location name for the specified WISPr service. |
| WISPr-Bandwidth-Max-UP | 7 | Access-Accept | This attribute specifies the maximum rate at which the corresponding user is allowed to transmit for upstream data. |
| WISPr-Bandwidth-Max-DOWN | 8 | Access-Accept | This attribute specifies the maximum rate at which the corresponding user is allowed to transmit for downstream data. |

Ruckus Wireless Vendor Specific Attributes

All Ruckus Wireless vendor specific attributes are encoded as sequence of:

• Vendor type
• Vendor length
• Value fields

The figure shows the VSA fields.

Figure 8: VSA fields

The table lists the Ruckus Wireless vendor specific attributes. The VSA ID for all the following VSAs is 25053 and type is 26.

Table 43: Ruckus Wireless vendor specific attributes - 25053

| Attribute Name | Vendor Type | RADIUS Message Type | Purpose |
|---|---|---|---|
| Ruckus-User-Groups | 1 | Access-Accept | RADIUS server uses this attribute to indicate the access point group, specifying the UE group. |
| Ruckus-STA-RSSI | 2 | Accounting - Interim - Stop | This attribute reports the UEs current RSSI value in the accounting packet. |
Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 Dynamic Authorization and List of Vendor Specific Attributes - AAA Server List of Vendor Specific Attributes Attribute Name Vendor Type RADIUS Message Purpose Type Ruckus-SSID 3 Access- Request Accounting - Start -Interim- Stop Ruckus-WLan-ID 4 Access- Request Accounting - Start -Interim- Stop This attribute reports the associated WLANs SSID in the access request and accounting packet. This attribute reports the associated WLANs ID. Ruckus VSA is received only from Ruckus AP. Note: It is optional for 3rd party APs. Ruckus-Location 5 Access- Request Accounting - Start -Interim- Stop Ruckus-Grace-Period 6 Access- Request Accounting - Start -Interim- Stop Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 This attribute reports the device location for the current/specified access point. This is a configurable value in the device location setting. Ruckus VSA is received only from Ruckus AP. It is optional for 3rd party APs. This attribute is the grace period in Hotspot WLANs. 117 Dynamic Authorization and List of Vendor Specific Attributes - AAA Server List of Vendor Specific Attributes Attribute Name Vendor Type RADIUS Message Purpose Type Ruckus-SCG-CBLADE-IP 7 Access- Request Accounting - Start -Interim- Stop Ruckus-SCG-DBLADE-IP 8 Access- Request Accounting - Start -Interim- Stop 118 Access-Accept This attribute reports the control plane IP address. This attribute reports the data plane IP address. Ruckus-VLAN-ID 9 This attribute value is as per the configuration specified on the WLAN configuration page of the controller web interface and indicates the VLAN ID when it is not zero. Refer to the figure showing the VSA fields. Ruckus-Sta-Expiration 10 This attribute indicates the expiration value from the RADIUS server. 
Ruckus-Sta-UUID 11 This attribute indicates the UUID value from the RADIUS server, when the UUID exists. Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 Dynamic Authorization and List of Vendor Specific Attributes - AAA Server List of Vendor Specific Attributes Attribute Name Vendor Type RADIUS Message Purpose Type Ruckus-Accept-Enhancement-Reason 12 This attribute indicates the reason from the RADIUS server, when the reason exists. Ruckus-VLAN-ID 13 This attribute indicates the user name from the RADIUS server, when the user exists. Ruckus-IMSI 102 Accounting Start-Stop This is sent by AAA to the controller as an authorization accept RADIUS message. M-controller utilizes this information to create the PDP context toward GGSN. Refer to the figure showing the VSA fields. Ruckus-MSISDN 103 Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 The CUI is generally used, but MSISDN can also be used. 119 Dynamic Authorization and List of Vendor Specific Attributes - AAA Server List of Vendor Specific Attributes Attribute Name Vendor Type RADIUS Message Purpose Type Ruckus-APN 104 Access- Request This attribute carries the APN Accounting - Start subscribed by Stop the user. It contains only the network identifier (NI), which is part of the APN. The operator identifier part is stored separately in Ruckus-APN-OI. Note: This attribute is always sent and received as a string format, as explained in the figure showing the VSA fields. 120 Ruckus-QoS 105 Ruckus-NAS-Type 109 3GPP-QoS is now used instead of this VSA. However, this VSA is supported in 2.1.x releases. Accounting - Start The value for this parameter is always 1. 
Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 Dynamic Authorization and List of Vendor Specific Attributes - AAA Server List of Vendor Specific Attributes Attribute Name Vendor Type Ruckus-Status 110 Ruckus-APN-OI 111 RADIUS Message Purpose Type The Accounting Response does not have a status type. This attribute was added to inform AUT that the Accounting has failed due to the setting of this VSA. Access-Accept Accounting - Start It contains the Operator ID, which is part of the APN name. APN NI part is sent in the Ruckus-APN attribute. Refer to the encoding as explained in Figure 8 . Ruckus-Session-Type 125 Access- Accept Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 The controller server uses this attribute on the access-accept to indicate forward policy of the specific UE. 121 Dynamic Authorization and List of Vendor Specific Attributes - AAA Server List of Vendor Specific Attributes 122 Attribute Name Vendor Type RADIUS Message Purpose Type Ruckus-Acct-Status 126 Access- Accept The controller server uses this attribute on the access accept to indicate if the authenticator needs to send the accounting start for the current/specified client. Ruckus-Zone-ID 127 Access- Request The controller server uses this attribute to report the zone ID to which the 3rd party AP is associated. This VSA is received only for 3rd party APs. Ruckus-Auth-Server-Id 128 RAS(IDM) and SCG-RACC use this attribute to obtain the AAA UUID from RAS(IDM) and SCG-RAC. Ruckus-Utp-Id 129 SCG-RAC and Ruckus-AP use this attribute to provide the UTP ID value to the AP. Ruckus-Area-Code 130 This attribute carries the area code of the NAS location. 
Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 Dynamic Authorization and List of Vendor Specific Attributes - AAA Server List of Vendor Specific Attributes Attribute Name Vendor Type RADIUS Message Purpose Type Ruckus-Cell-Identifier 131 This attribute carries the cell ID of the NAS location. Ruckus-Wispr-Redirect-Policy 132 External AAA and SCG-RAC use this attribute to get the vanilla values for the WISPr-TTG feature. Ruckus-Eth-Profile-Id 133 Ruckus-AP and SCG-RAC use this attribute to find the Ethernet-Profile-Id for a particular session. Ruckus-Zone-Name 134 SCG-RAC and the external AAA use this attribute to notify the Zone that the AP belongs to. Ruckus-Wlan-Name 135 SCG-RAC and the external AAA use this attribute to notify the name of the WLAN that the AP belongs to. Ruckus-Read-Preference 137 The NBI/RAC and external AAA use this attribute to notify the primary/secondary database from where the data is to be read. Ruckus Wireless™ SmartZone™ 100 and Virtual SmartZone Essentials AAA (RADIUS) Interface Reference Guide for SmartZone 3.5 123 Attribute Name Vendor Type RADIUS Message Purpose Type Ruckus-Client-Host-Name 138 String Host name of the client device accessing the network Ruckus-Client-Os-Type 139 String Operating System on the client device. Ruckus-Client-Os-Class 140 String Operating System groups classes category that represent the OS related objects on the client device. Ruckus-Vlan-Pool 141 String List of VLAN identifiers supported for the WLAN. This attribute can be found only in RADIUS Access-Accept. APs use the MAC hashing to find the proper VLAN ID from the VLAN pool dynamically and tag all the user equipment data traffic. 125 AP Roaming Scenarios A The AP roaming scenarios are as follows. NOTE The session timeout values received from the AAA server are used for maintaining the PMK/OKC cache timer values at the controller and AP. 
If the timer value received is less than the default value of 12 hours, it will be used. Otherwise the default value will be used as the maximum value.

• Roaming from AP1 to AP2 - PMK/OKC Disabled
• Roaming from AP1 to AP2 - PMK/OKC Enabled
• AP1 to AP2 Connected to Different Controller Node - PMK/OKC Disabled

Roaming from AP1 to AP2 - PMK / OKC Disabled

In this scenario, as seen in the figure, the UE (subscriber) roams from AP1 to AP2. Authentication and accounting messages are initiated from the AP and the PMK (Pairwise Master Key) / OKC (Opportunistic Key Caching) cache is disabled.

Figure 9: UE roaming from AP1 to AP2 - PMK / OKC disabled

Roaming from AP1 to AP2 - PMK / OKC Enabled

In this scenario, as seen in the figure, the UE (subscriber) roams from AP1 to AP2. Authentication and accounting messages are initiated from the AP and the PMK/OKC cache is enabled.

Figure 10: UE roaming from AP1 to AP2 - PMK/OKC enabled

AP1 to AP2 Connected to Different Controller Node - PMK / OKC Disabled

In this scenario, as seen in the figure, the UE (subscriber) roams from AP1 to AP2, with the two APs connected to different controller nodes in a cluster environment. This scenario is specific to TTG sessions, where the controller has a GTP tunnel from the controller to the GGSN/PGW. The AP initiates authentication messages, whereas accounting messages are initiated by the controller. PMK / OKC cache is disabled.
Figure 11: UE roams from AP1 to AP2 connected to different controller node

Use Cases

The following are the use cases pertaining to NAS IP, accounting session identifier and filter identifier.
• Authentication and Accounting of NAS IP AVP
• CoA / DM Handling with NAS IP AVP
• CoA Handling with Accounting Session Identifier
• DM Handling with Accounting Session Identifier
• User Role change using Radius CoA - Filter Identifier
Copyright © 2017. Ruckus Wireless, Inc. 350 West Java Drive, Sunnyvale, CA www.ruckuswireless.com
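The vendor type / vendor length / value layout described under Ruckus Wireless Vendor Specific Attributes, as an added example (not code from the guide or from Ruckus): a parser that walks a RADIUS attribute block, picks out type 26 attributes for vendor IDs 14122 and 25053, and rejects inconsistent lengths instead of reading past them. It assumes the RFC 2865 layout in which each length octet counts its own two header octets; the function names and the sample bytes are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26  # RADIUS attribute type that carries VSAs
# Vendor IDs and a subset of the vendor types listed in Tables 42 and 43.
VENDORS = {
    14122: {1: "WISPr-Location-ID", 2: "WISPr-Location-Name",
            7: "WISPr-Bandwidth-Max-UP", 8: "WISPr-Bandwidth-Max-DOWN"},
    25053: {1: "Ruckus-User-Groups", 3: "Ruckus-SSID",
            4: "Ruckus-WLan-ID", 141: "Ruckus-Vlan-Pool"},
}


class MalformedAttribute(ValueError):
    """Raised when a length octet does not fit the enclosing buffer."""


def iter_tlv(buf, what):
    """Yield (type, value) pairs from 1-octet type / 1-octet length TLVs.
    Assumption: the length octet includes the two header octets (RFC 2865)."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise MalformedAttribute(f"{what}: truncated header at offset {pos}")
        typ, length = buf[pos], buf[pos + 1]
        # length < 2 would never advance; length past the end would over-read.
        if length < 2 or pos + length > len(buf):
            raise MalformedAttribute(f"{what}: bad length {length} at offset {pos}")
        yield typ, buf[pos + 2:pos + length]
        pos += length


def parse_vsas(attributes):
    """Return [(vendor_id, name, raw_value)] for each sub-attribute found in
    the Vendor-Specific attributes of a RADIUS attribute block."""
    found = []
    for typ, value in iter_tlv(attributes, "attribute"):
        if typ != VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise MalformedAttribute("Vendor-Specific: missing 4-octet vendor ID")
        (vendor_id,) = struct.unpack("!I", value[:4])
        names = VENDORS.get(vendor_id, {})
        for vtype, raw in iter_tlv(value[4:], f"vendor {vendor_id}"):
            found.append((vendor_id, names.get(vtype, f"vendor-type-{vtype}"), raw))
    return found


def vsa(vendor_id, vtype, value):
    """Encode one VSA with a single sub-attribute (helper for the sample)."""
    sub = bytes([vtype, len(value) + 2]) + value
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", vendor_id) + sub


# Constructed sample: User-Name, one Ruckus VSA, one WISPr VSA. The value
# encodings are chosen for the sample; values are returned as raw bytes.
SAMPLE = (bytes([1, 7]) + b"alice"
          + vsa(25053, 3, b"corp-wifi")
          + vsa(14122, 7, struct.pack("!I", 2000000)))

if __name__ == "__main__":
    for row in parse_vsas(SAMPLE):
        print(row)
```

Values come back as raw bytes because the guide gives a data type for only a few of these attributes.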