Cisco Cisco Packet Data Interworking Function (PDIF)
SaMOG Gateway Overview
SaMOG Services
SaMOG Administration Guide, StarOS Release 19
The SaMOG Gateway's MRME service proxies RADIUS accounting messages to a RADIUS accounting server and
selects the server based on an IMSI range. Upon receiving an Accounting Stop message, the MRME service clears the
subscriber session.
RADIUS Authentication Server—MRME
The SaMOG Gateway's MRME service terminates RADIUS authentication requests. IEEE 802.1X authenticators will
function as RADIUS clients and generate Access Request messages to authenticate and authorize the WLAN UEs.
RADIUS Disconnection—MRME
The SaMOG Gateway's MRME service generates RADIUS disconnect messages that are sent to the WLCs for
network/AAA-initiated detach and admin disconnections. Statistics for these RADIUS disconnect messages can be
retrieved via bulk statistics or the output of CLI show commands. For a network-initiated detach, the SaMOG Gateway's
MRME service sends a RADIUS disconnect message, as per RFC 3576, to the WLC, which is the RADIUS client.
Disconnect Message transactions between the WLC and SaMOG are authenticated using a shared secret mechanism.
Reauthorization Support—MRME
The SaMOG Gateway's MRME service uses an STa interface re-authorization procedure between the 3GPP AAA server
and the trusted non-3GPP access network to enable the 3GPP AAA server to modify previously-provided authorization
parameters, which may occur due to a modification of a subscriber profile in the HSS.
RADIUS Client Authentication—MRME
Transactions between the RADIUS client and the RADIUS server are authenticated through the use of a shared secret.
To authenticate Access Request messages containing the EAP-Message attribute, the SaMOG Gateway's MRME
service uses the Message-Authenticator as defined in RFC 3579. The Message-Authenticator is an HMAC-MD5 hash of
the entire Access-Request packet (the Type, Identifier, Length and Request Authenticator fields, followed by the
attributes), using the shared secret as the key, as follows:
Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, Request Authenticator, Attributes).
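The RFC 3579 check described above, as an added example (not Cisco's code and not part of the guide): it builds an Access-Request carrying an EAP-Message, then verifies the Message-Authenticator the way a RADIUS server would, treating a missing or malformed attribute as a failure. Per RFC 3579 the HMAC is computed with the Message-Authenticator value set to 16 zero octets; the function names, shared secret, user name and EAP payload are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Append a Message-Authenticator computed over the whole packet."""
    body = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth
    packet = header + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # placeholder is the last 16 octets

def verify_access_request(packet: bytes, secret: bytes) -> bool:
    """Return True only if the packet carries a valid Message-Authenticator."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False  # simplification: no trailing padding accepted
    pos, mac_pos = 20, None
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return False  # malformed attribute
        if a_type == MESSAGE_AUTHENTICATOR:
            if a_len != 18 or mac_pos is not None:
                return False  # wrong size or duplicated attribute
            mac_pos = pos + 2
        pos += a_len
    if pos != length or mac_pos is None:
        return False  # no Message-Authenticator: discard the request
    zeroed = packet[:mac_pos] + bytes(16) + packet[mac_pos + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[mac_pos:mac_pos + 16])

# Constructed sample values (not from the guide).
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
ATTRS = attr(1, b"user@example.invalid") + attr(EAP_MESSAGE, bytes.fromhex("0201000501"))
PACKET = build_access_request(7, REQ_AUTH, ATTRS, SECRET)
```

A packet altered in transit, signed with a different secret, or stripped of the attribute fails `verify_access_request`, and `hmac.compare_digest` keeps the comparison constant-time.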
TWAP Triggered PDN—MRME
With StarOS Release 18 and later, the Trusted WLAN AAA Proxy (TWAP) sends the Layer 2 attach trigger to the
Trusted WLAN Access Gateway (TWAG) (with the MAC address and subscription data of the UE) after a successful
EAP authentication. The SaMOG Gateway waits until a tunnel is established for S2a/Gn procedures before forwarding
the EAP Success message to the UE.
For an EoGRE access-type, the IP address of the UE is communicated using a tunneled DHCP procedure.
For an L3IP access-type, the IP address of the UE is communicated using out-of-band DHCP.
For call flow information, refer
access-type, and
type.