
How is RADIUS authentication used during LTE Attach?

+2 votes
1,059 views

I am not able to figure out a use case where RADIUS authentication is used, and also how the credentials are provided, like manually or automatically by the UE, in the LTE attach procedure?

Please help me with an example?

posted Feb 24, 2015 by Subodh Kamble


1 Answer

+2 votes

In LTE, Diameter authentication is used in place of RADIUS authentication over the S6a/S6d interface; however, in some cases where the respective HSS is not upgraded to Diameter, an interworking function is used which converts Diameter signalling to RADIUS signalling or vice versa.

answer Mar 5, 2015 by Salil Agrawal
Thanks for the answer, but how are the credentials provided, manually or automatically?
Unfortunately there is no specification (most are proprietary solutions) for Diameter-RADIUS interworking, so I cannot give a definite answer. But I guess it should be automatic, as manual will be a big limitation.
Similar Questions
+5 votes

Not sure if I am missing something obvious; I am looking for a method to achieve RADIUS CoA functionality with all possible command codes using Diameter. I see it would be possible with server-initiated messages; looking for more details in case any draft talks more about the respective messages.

+2 votes

I just want to convert my RADIUS request to a Diameter request for authentication.

So I configured radgw and all mentioned configurations.

But I'm facing the issue below:
"No suitable candidate to route the message to." and getting access reject

My setup is like below

Started freediameter with radgw support and initiated the radius request by executing radtest.

$ sudo ../../../build/freeDiameterd/freeDiameterd-1.1.4  freeDiameterd-1.1.4 -c freeDiameter-1.conf
libfdproto initialized.
libgnutls '2.12.14' initialized.
Generating fresh Diffie-Hellman parameters of size 1024 (this takes some time)...
Loading : /usr/local/lib/freeDiameter/test_app.fdx
Extension Test_App initialized with configuration: 'doc/test_app1.conf'
------- app_test configuration dump: ---------
 Vendor Id .......... : 999999
 Application Id ..... : 16777215
 Command Id ......... : 16777214
 AVP Id ............. : 16777215
 Mode ............... : Cli
 Destination Realm .. : localdomain
 Destination Host ... : - none -
 Signal ............. : 10
------- /app_test configuration dump ---------
Loading : /usr/local/lib/freeDiameter/dict_nasreq.fdx
Extension 'Dictionary definitions for NASREQ' initialized
Loading : /usr/local/lib/freeDiameter/dict_eap.fdx
Extension 'Dictionary definitions for EAP' initialized
Loading : /usr/local/lib/freeDiameter/app_radgw.fdx
Extension RADIUS Gateway initialized with configuration: 'doc/rgw.conf'
Loading : /usr/local/lib/freeDiameter/app_diameap.fdx
-------- DiamEAP extension : Configuration parameters (Dump) -------------
    -Configuration file.....: doc/app_diameap.conf
    -EAP Application Id.....: 5
    -EAP Application Command: 268
    -EAP Application Vendor.: 0
    -Max invalid EAP packets: 5
    -Multi-Round Timeout....: 30
    -MySQL Database Params..:
        User .......:root
        Server .....:127.0.0.1
        Database....:diameap
    -EAP Method Plugins.....:
         - EAP Identity plugin      [Type: 1, Vendor: 0]  loaded
-------- DiamEAP extension : Configuration parameters (End) ---------------
[DiamEAP extension] Diameter EAP Application Extension started successfully.
All extensions loaded.
-- Configuration :
  Debug trace level ...... : +1
  Configuration file ..... : freeDiameter-1.conf
  Diameter Identity ...... : peer1.localdomain (l:17)
  Diameter Realm ......... : localdomain (l:11)
  Tc Timer ............... : 30
  Tw Timer ............... : 30
  Local port ............. : 3868
  Local secure port ...... : 3869
  Number of SCTP streams . : 30
  Number of server threads : 4
  Local endpoints ........ : Default (use all available)
  Local applications ..... : App: 1    Au--    Vnd: 0
                             App: 3    --Ac    Vnd: 0
                             App: 5    Au--    Vnd: 0
                             App: 16777215    Au--    Vnd: 999999
  Flags : - IP ........... : Enabled
          - IPv6 ......... : Enabled
          - Relay app .... : Enabled
          - TCP .......... : Enabled
          - SCTP ......... : Enabled
          - Pref. proto .. : SCTP
          - TLS method ... : Separate port
  TLS :   - Certificate .. : peer1.cert.pem
          - Private key .. : peer1.key.pem
          - CA (trust) ... : cacert.pem (1 certs)
          - CRL .......... : (none)
          - Priority ..... : (default: 'NORMAL')
          - DH bits ...... : 1024
  Origin-State-Id ........ : **********
freeDiameterd daemon initialized.

------------- RADIUS/Diameter Request Debug -------------
 RADIUS request (0x8887088) DUMP:
 id  : 0xf7, code: 1 (Access-Request [RFC2865])
 auth: 41 f9 0b ae  86 19 2b 6c
       0b 59 1a 79  0f ae db cd
 RADIUS answer: NULL pointer
 Diameter message (0xb5000558) DUMP:
------ Dumping object 0xb5000558 (w)-------
|MSG: 0xb5000558
|   (no model)
|   public: V:1 L:20 fl:RP-- CC:265 A:1 hi:0 ei:ffe00000
|   intern: rwb:(nil) rt:0 cb:(nil)((nil)) qry:(nil) asso:0 sess:(nil) src:(nil)(0)
 |   model : v/m:-M/VM,  OCTETSTRING, 263 "Session-Id"
 |   public: C:263 fl:-M L:8 V:0  data:@0xb50008ac
 |   value t: 'UTF8String' (OCTETSTRING) v: chris-VirtualBox;**********;1;user;peer1.l
 |   intern: src:(nil) mf:1 raw:(nil)(0)
 |   model : v/m:-M/VM,  OCTETSTRING, 283 "Destination-Realm"
 |   public: C:283 fl:-M L:8 V:0  data:@0xb5000764
 |   value t: 'DiameterIdentity' (OCTETSTRING) v: localdomain
 |   intern: src:(nil) mf:1 raw:(nil)(0)
 |   model : v/m:-M/VM,  OCTETSTRING, 264 "Origin-Host"
 |   public: C:264 fl:-M L:8 V:0  data:@0xb5000624
 |   value t: 'DiameterIdentity' (OCTETSTRING) v: chris-VirtualBox
 |   intern: src:(nil) mf:1 raw:(nil)(0)
 |   model : v/m:-M/VM,  OCTETSTRING, 296 "Origin-Realm"
 |   public: C:296 fl:-M L:8 V:0  data:@0xb500069c
 |   value t: 'DiameterIdentity' (OCTETSTRING) v: localdomain
 |   intern: src:(nil) mf:1 raw:(nil)(0)
 |   model : v/m:-M/VM,   UNSIGNED32, 258 "Auth-Application-Id"
 |   public: C:258 fl:-M L:12 V:0  data:@0xb500094c
 |   value (UNSIGNED32) v: 1 (0x1)
 |   intern: src:(nil) mf:0 raw:(nil)(0)
 |   model : v/m:-M/VM,    INTEGER32, 274 "Auth-Request-Type"
 |   public: C:274 fl:-M L:12 V:0  data:@0xb50009ac
 |   value t: 'Enumerated(Auth-Request-Type)' (INTEGER32) v: 'AUTHORIZE_AUTHENTICATE' (3 (0x3))
 |   intern: src:(nil) mf:0 raw:(nil)(0)
 |   model : v/m:-M/VM,   UNSIGNED32, 408 "Origin-AAA-Protocol"
 |   public: C:408 fl:-M L:12 V:0  data:@0xb5000a0c
 |   value t: 'Enumerated(Origin-AAA-Protocol)' (UNSIGNED32) v: 'RADIUS' (1 (0x1))
 |   intern: src:(nil) mf:0 raw:(nil)(0)
 |   model : v/m:-M/VM,  OCTETSTRING, 1 "User-Name"
 |   public: C:1 fl:-M L:8 V:0  data:@0xb5000a6c
 |   value t: 'UTF8String' (OCTETSTRING) v: user
 |   intern: src:(nil) mf:1 raw:(nil)(0)
 |   model : v/m:-M/VM,  OCTETSTRING, 2 "User-Password"
 |   public: C:2 fl:-M L:8 V:0  data:@0xb5000adc
 |   value (OCTETSTRING) v: 75 73 65 72 00 00 00 00 00 00 00 00 00 00 00 00
 |   intern: src:(nil) mf:1 raw:(nil)(0)
 |   model : v/m:-M/VM,  OCTETSTRING, 4 "NAS-IP-Address"
 |   public: C:4 fl:-M L:8 V:0  data:@0xb5000b54
 |   value (OCTETSTRING) v: C0 A8 38 66
 |   intern: src:(nil) mf:1 raw:(nil)(0)
 |   model : v/m:-M/VM,   UNSIGNED32, 5 "NAS-Port"
 |   public: C:5 fl:-M L:12 V:0  data:@0xb5000bc4
 |   value (UNSIGNED32) v: 0 (0x0)
 |   intern: src:(nil) mf:0 raw:(nil)(0)
------ /end of object 0xb5000558 -------
 Diameter session: chris-VirtualBox;**********;1;user;peer1.localdomain
===========  Debug complete =============
No suitable candidate to route the message to.
Logged: 05/11/15,08:50:59.543145

 |MSG: 0xb5000558
 |   model : v/m:RP--/RPE-, 265 "AA-Request"
 |   public: V:1 L:20 fl:RP-- CC:265 A:1 hi:0 ei:ffe00000
 |   intern: rwb:(nil) rt:0 cb:0xb4fe7ddb(0xb5001c28) qry:(nil) asso:0 sess:(nil) src:(nil)(0)
[auth.rgwx] Received Diameter answer with error code '3002' from server 'peer1.localdomain', session chris-VirtualBox;**********;1;user;peer1.localdomain, translating into Access-Reject
[auth.rgwx]   Error-Message content: 'No suitable candidate to route the message to'
------------- RADIUS/Diameter Answer Debug -------------
 Diameter message (0x88871b0) DUMP:
------ Dumping object 0x88871b0 (w)-------
|MSG: 0x88871b0
|   model : v/m:-P--/RP--, 265 "AA-Answer"
|   public: V:1 L:20 fl:--E- CC:265 A:1 hi:0 ei:ffe00000
|   intern: rwb:(nil) rt:0 cb:(nil)((nil)) qry:0xb5000558 asso:0 sess:0xb50007f0 src:(nil)(0)
------ /end of object 0x88871b0 -------
 RADIUS answer (0xb4c00508) DUMP:
 id  : 0xf7, code: 3 (Access-Reject [RFC2865])
 auth: 00 00 00 00  00 00 00 00
       00 00 00 00  00 00 00 00
  - len: 47, type:0x12 (Reply-Message )
  - len:  6, type:0x65 (Error-Cause Attribute[RFC3576])
===========  Debug complete =============
ERROR: in '(pthread_mutex_lock( &sess->stlock ))':    Invalid argument
freeDiameterd-1.1.4: /home/chris/diameter/freeDiameter-1.1.4/freeDiameter-1.1.4/libfdproto/sessions.c:626: fd_sess_destroy: Assertion `0' failed.

freediameter conf

# -------- Test configuration ---------

Identity = "peer1.localdomain";
Realm = "localdomain";
# Port = 3868;
# SecPort = 3869;

TLS_Cred = "peer1.cert.pem",
           "peer1.key.pem";
TLS_CA = "cacert.pem";

LoadExtension = "test_app.fdx" : "doc/test_app1.conf";
LoadExtension = "dict_nasreq.fdx":"doc/app_diameap.conf";
LoadExtension = "dict_eap.fdx":"doc/app_diameap.conf";
LoadExtension = "app_radgw.fdx":"doc/rgw.conf";
LoadExtension = "app_diameap.fdx":"doc/app_diameap.conf";

rgw.conf
# Handle some attributes
#RGWX = "echodrop.rgwx" : "doc/echodrop.rgwx.conf";

# Handle Accounting-Request messages received on the correct port
RGWX = "acct.rgwx" : acct : 4;

# Handle Access-Request messages received on the correct port
RGWX = "auth.rgwx" : auth : 1;

# Dump state when loop ends
RGWX = "debug.rgwx";

##################

nas = 192.168.56.101 / "radiusecret" ;
nas = 192.168.56.105 / "radiusecret" ;
nas = 127.0.0.1 / "radiusecret" ;
nas = 192.168.56.102 / "radiusecret" ;

Please help me to proceed further.
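The RADIUS-to-Diameter attribute translation visible in the debug dump above, as an added example that is not part of the original post and is not freeDiameter's code: it shows why the User-Password AVP in the dump is readable (the gateway reverses the RFC 2865 hiding with the NAS shared secret before building the AA-Request). The function names `xor_chain`, `build_access_request` and `radius_to_avps` are hypothetical; the secret, Request Authenticator, identifier and NAS address are taken from the post, and the password "user" is read off the dumped AVP.

```python
import hashlib
import struct

# Constructed sample: secret and Request Authenticator are the values visible in the post.
SECRET = b"radiusecret"
REQ_AUTH = bytes.fromhex("41f90bae86192b6c0b591a790faedbcd")
NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port"}

def xor_chain(data, secret, authenticator, hiding):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, pad))
        out += res
        prev = res if hiding else block  # the chain always runs over ciphertext
    return out

def build_access_request(ident, user, password, nas_ip, nas_port):
    """Hypothetical NAS side: hide the password and serialise the Access-Request."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    attrs = [(1, user), (2, xor_chain(padded, SECRET, REQ_AUTH, True)),
             (4, nas_ip), (5, struct.pack("!I", nas_port))]
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + REQ_AUTH + body

def radius_to_avps(packet, secret):
    """Hypothetical gateway side: check lengths, un-hide User-Password, return AVP values."""
    end = len(packet)
    if end < 20 or packet[0] != 1 or struct.unpack("!H", packet[2:4])[0] != end:
        raise ValueError("not a well-formed Access-Request")
    auth, pos, avps = packet[4:20], 20, {}
    while pos < end:
        if pos + 2 > end or packet[pos + 1] < 2 or pos + packet[pos + 1] > end:
            raise ValueError("bad attribute length")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == 2:
            if not value or len(value) % 16:
                raise ValueError("bad User-Password length")
            value = xor_chain(value, secret, auth, False)
        avps[NAMES.get(atype, "attr-%d" % atype)] = value
        pos += alen
    return avps

# Same identifier, user and NAS address as the dump; password "user" is read off the dump.
PACKET = build_access_request(0xF7, b"user", b"user", bytes([192, 168, 56, 102]), 0)
```

A wrong shared secret does not raise an error in `radius_to_avps`; it only yields different password bytes, because the User-Password attribute carries no integrity check of its own.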

+1 vote

Diameter and RADIUS are both used for authentication, authorization, and accounting in network/telecom systems. My question here is why someone should use Diameter when we already have the proven RADIUS protocol.

...