Cisco Cisco Packet Data Gateway (PDG)
How Passing on UE tunnel Endpoint Address over SWm works
The provisioning of UE Tunnel Endpoint-IP (IKEv2 tunnel endpoint incase of NAT) to AAA server will help
the operator in identifying the UE's location at AAA server. The operator uses this information to control the
access or to decide the UE connections. For example, Operator can lookup the GeoIP database (GeoDB)
against the UE tunnel endpoint IP to identify the country from where the UE is connecting from. Based on
this information operator can allow the call or reject it(using auth-failure) according to the policy configured.
Lets say the policy dictates that the VoWiFi calls are allowed only for UEs connecting from home country
but not allowed while roaming outside the country, they can save the revenue leakage using this information.
the operator in identifying the UE's location at AAA server. The operator uses this information to control the
access or to decide the UE connections. For example, Operator can lookup the GeoIP database (GeoDB)
against the UE tunnel endpoint IP to identify the country from where the UE is connecting from. Based on
this information operator can allow the call or reject it(using auth-failure) according to the policy configured.
Lets say the policy dictates that the VoWiFi calls are allowed only for UEs connecting from home country
but not allowed while roaming outside the country, they can save the revenue leakage using this information.
The value will be sent in UE-Local-IP-Address AVP(IPv4/IPv6) in all the DER messages to AAA server in
SWm interface. The AVP is sent as part of standard SWm dictionary (aaa-custom16). In case of AAA server
rejects the call based on the tunnel endpoint IP, ePDG will send AUTHENTICATION_FAILED/24 as NOTIFY
error message in IKEv2 message to communicate the same to UE.
SWm interface. The AVP is sent as part of standard SWm dictionary (aaa-custom16). In case of AAA server
rejects the call based on the tunnel endpoint IP, ePDG will send AUTHENTICATION_FAILED/24 as NOTIFY
error message in IKEv2 message to communicate the same to UE.
This feature is supported for EAP based authentication mechanism and not for non UICC deployment using
certificate based device authentication.
certificate based device authentication.
Passing on IMEI to AAA for EIR Support on WiFi
ePDG receives the IMEI information from the UE over SWu interface and communicates the same to AAA
server over the SWm interface.
server over the SWm interface.
The IMEI information is communicated to ePDG from UE as part of the CFG_REQUEST payload of the
IKE_AUTH_REQ message. A new private attribute is added for the UE to communicate the IMEI information
to ePDG. Also ePDG encodes and sends the received IMEI as Terminal Information AVP on the SWm
interface.
IKE_AUTH_REQ message. A new private attribute is added for the UE to communicate the IMEI information
to ePDG. Also ePDG encodes and sends the received IMEI as Terminal Information AVP on the SWm
interface.
ePDG is configured to have the private attribute value as configurable for the IMEI which gives the operator
the flexibility of choosing the private attribute value for its deployment.
the flexibility of choosing the private attribute value for its deployment.
Custom SWm to SWu error code mapping
ePDG does supports mapping of SWm to SWu error codes so that device can identify whether its temporary
failure or permanent and can accordingly try connecting to the ePDG.
failure or permanent and can accordingly try connecting to the ePDG.
The communication service providers (CSP) would like the ability to take different actions depending on the
severity of the error received from the AAA (SWm interface). If there is a temporary congestion in the network,
a retry is appropriate.
severity of the error received from the AAA (SWm interface). If there is a temporary congestion in the network,
a retry is appropriate.
In compliance with RFC 5996 2.21.2 ePDG sends AUTHENTICATION_FAILED/24 as Notify Error message
type in IKE_AUTH_RESP message on SWu interface for all the SWm interface error codes.
type in IKE_AUTH_RESP message on SWu interface for all the SWm interface error codes.
The ePDG needs mapping of SWm to SWu error codes for communicating different error codes to device,
enabling device to identify whether its temporary failure or permanent and can accordingly try connecting to
the ePDG.
enabling device to identify whether its temporary failure or permanent and can accordingly try connecting to
the ePDG.
The ePDG continues to release the call while notifying the UE about the SWm error, however the UE based
on error code shall take decision when to try connecting again.
on error code shall take decision when to try connecting again.
For the mapping ePDG uses Notify Error Message type between 31 to 8191 from the range reserved for IANA
or from the private range 8192 to 16383.
or from the private range 8192 to 16383.
ePDG Administration Guide, StarOS Release 19
54
Evolved Packet Data Gateway Overview
Passing on IMEI to AAA for EIR Support on WiFi