Cisco Cisco Packet Data Gateway (PDG) Documentation Roadmaps
PDG/TTG Overview
▀ Features and Functionality
▄ Cisco ASR 5000 Series Product Overview
OL-22937-01
WLAN Access Control
The PDG/TTG enables WLAN access control by enabling you to limit the number of IKEv2/IPSec tunnels per
subscriber session.
subscriber session.
In the PDG Service Configuration Mode of the system‘s CLI, the
command can be used to
specify the maximum number of IKEv2/IPSec tunnels per subscriber session.
The number of tunnels per UE is limited by the NSAPI (Network Service Access Point Identifier) range, which is 5 to
15. Hence, the configurable maximum number of tunnels is 11, within the range of 1 to 11, with a default value of 11.
15. Hence, the configurable maximum number of tunnels is 11, within the range of 1 to 11, with a default value of 11.
RADIUS and Diameter Support
RADIUS and Diameter support on the PDG/TTG provides a mechanism for performing authorization, authentication,
and accounting (AAA) for subscribers. The benefits of using AAA are:
and accounting (AAA) for subscribers. The benefits of using AAA are:
Higher flexibility for subscriber access control
Better accounting, charging, and reporting options
Industry standard RADIUS and Diameter authentication
The Remote Authentication Dial-In User Service (RADIUS) and Diameter protocols can be used to provide AAA
functionality for subscribers. The PDG/TTG supports EAP authentication based on both RADIUS and Diameter
protocols.
functionality for subscribers. The PDG/TTG supports EAP authentication based on both RADIUS and Diameter
protocols.
The AAA functionality on the PDG/TTG provides a wide range of configuration options via AAA server groups, which
allow a number of RADIUS/Diameter parameters to be configured in support of the PDG service.
allow a number of RADIUS/Diameter parameters to be configured in support of the PDG service.
Currently, two types of authentication load-balancing methods are supported: first-server and round-robin. The first-
server method sends requests to the highest priority active server. A request will be sent to a different server only if the
highest priority server is not reachable. With the round-robin method, requests are sent to all active servers in a round-
robin fashion.
server method sends requests to the highest priority active server. A request will be sent to a different server only if the
highest priority server is not reachable. With the round-robin method, requests are sent to all active servers in a round-
robin fashion.
The PDG/TTG can detect the status of the AAA servers. Status checking is enabled by configuration in the AAA Server
Group Configuration Mode of the system CLI. Once an AAA server is detected to be down, it is kept in the down state
up to a configurable duration of time called the dead-time period. After the dead-time period expires, the AAA server is
eligible to be retried. If a subsequent request is directed to that server and the server properly responds to the request, the
system makes the server active again.
Group Configuration Mode of the system CLI. Once an AAA server is detected to be down, it is kept in the down state
up to a configurable duration of time called the dead-time period. After the dead-time period expires, the AAA server is
eligible to be retried. If a subsequent request is directed to that server and the server properly responds to the request, the
system makes the server active again.
The PDG/TTG generates accounting messages on successful session establishment. For a TTG session, the system
creates an IPsec SA for a subscriber session after it creates the GTP tunnel to the GGSN over the Gn' interface. The
TTG sends an accounting START message to the AAA server after successful completion of both GTP tunnel creation
on the Gn' interface and IPsec SA creation on the Wu interface.
creates an IPsec SA for a subscriber session after it creates the GTP tunnel to the GGSN over the Gn' interface. The
TTG sends an accounting START message to the AAA server after successful completion of both GTP tunnel creation
on the Gn' interface and IPsec SA creation on the Wu interface.
Important:
For more information on AAA configuration, refer to the AAA Interface Administration and
Reference.