Cisco Packet Data Gateway (PDG)
SaMOG Gateway Overview
Features and Functionality - License Enhanced Feature Software
SaMOG Administration Guide, StarOS Release 17
Web-based authorization can be performed in the following scenarios:
The UE with the Universal Integrated Circuit Card (UICC) does not support EAP-AKA, EAP-SIM, or EAP-AKA’ based authentication.
The UE with the UICC uses a prepaid voucher.
The UE does not have a UICC (laptop, tablet, etc.).
The SaMOG web-based authorization and session establishment for a non-EAP or non-UICC device occurs in two
phases:
Pre-Authentication Phase
During the pre-authentication phase, SaMOG supports local IP address assignment and redirects the UE traffic to a web
portal where the subscriber authenticates with a username and password combination, a one-time password, or a
voucher. On successful authentication, the subscriber’s IMSI profile is associated with the MAC address of the UE and
forwarded to the AAA server.
The SaMOG gateway allocates an IP address to the UE from a locally configured IP address pool to communicate with
the web portal. The pool name can either be locally configured or received from the AAA server. SaMOG then
processes the HTTP and DNS packets from the UE by using ACL filters on the traffic. All other packets are dropped.
The ACL filter is locally configured, and the filter ID can either be locally configured or received from the AAA server.
The received HTTP packets are then redirected to the web portal using a locally configured ECS rulebase that provides
the URL for redirection. The rulebase name can either be locally configured or received from the AAA server. SaMOG
shares the primary and secondary DNS server address with the UE. The DNS server addresses can either be locally
configured or received from the AAA server.
Transparent Auto-logon (TAL) Phase
During the TAL phase, the subscriber profile is cached on the AAA server for a designated duration to enable
subscribers to reconnect without further portal authentication, thus enabling a seamless user experience.
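The two phases described above can be modelled as follows. This is an added example, not code from the guide or from StarOS. All class, method and field names are hypothetical, and it assumes that HTTP means TCP port 80, DNS means port 53, and that the cached profile is looked up by the UE's MAC address.

```python
# Added illustrative model of the two web-authorization phases.
# Names are hypothetical; they are not StarOS or AAA identifiers.
from dataclasses import dataclass, field

DNS_PORT, HTTP_PORT = 53, 80  # assumption: how the ACL recognizes DNS and HTTP


@dataclass
class Packet:
    src_mac: str
    proto: str      # "udp" or "tcp"
    dst_port: int


@dataclass
class AaaCache:
    """Stands in for the AAA server's cached MAC -> (IMSI, expiry) profile."""
    ttl: int                                   # the "designated duration", in seconds
    entries: dict = field(default_factory=dict)

    def bind(self, mac, imsi, now):
        self.entries[mac] = (imsi, now + self.ttl)

    def lookup(self, mac, now):
        imsi, expiry = self.entries.get(mac, (None, 0))
        if imsi is None or now >= expiry:
            self.entries.pop(mac, None)        # expired bindings are discarded
            return None
        return imsi


class Gateway:
    def __init__(self, cache, portal_url):
        self.cache, self.portal_url = cache, portal_url

    def attach(self, mac, now):
        """Phase a connecting non-EAP UE enters: TAL if a live binding exists."""
        return "tal" if self.cache.lookup(mac, now) else "pre-auth"

    def filter_preauth(self, pkt):
        """Pre-auth ACL: DNS permitted, HTTP redirected, everything else dropped."""
        if pkt.dst_port == DNS_PORT and pkt.proto in ("udp", "tcp"):
            return "permit"
        if pkt.proto == "tcp" and pkt.dst_port == HTTP_PORT:
            return f"redirect:{self.portal_url}"
        return "drop"

    def portal_success(self, mac, imsi, now):
        """Portal login succeeded: associate the IMSI profile with the UE's MAC."""
        self.cache.bind(mac, imsi, now)
```

In this model the cache duration is the only thing that bounds how long a UE skips the portal, so the TTL is the setting to review when assessing the TAL phase.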
Multiple PDN Connections
Using web authorization, a subscriber can connect multiple non-EAP devices and one EAP based device using the same
IMSI-based subscription at the same time. All PDN connections of a subscriber have different bearer IDs. The
connections are routed to the same P-GW or GGSN in order to apply the APN level QoS on all the PDN connections.
The SaMOG Gateway performs P-GW, GGSN, or L-GW selection for the first PDN connection for the subscriber, and
all subsequent connections are routed to the same P-GW, GGSN, or L-GW.
Session Recovery
The SaMOG Gateway can recover from AAA manager and Session manager failures for both the pre-authentication phase and
the TAL phase as long as the sessions are fully connected. SaMOG maintains the MAC to IMSI mapping and MAC to
Session manager mapping with the IPSG manager to ensure that the PDN connections of the subscriber are connected to
the same Session manager.