Cisco Cisco Packet Data Gateway (PDG)
Support for AAA Failure Indication
▀ Feature Description
▄ AAA Interface Administration and Reference, StarOS Release 19
68
Feature Description
Important:
This enhancement is applicable to 18.4.3 and later releases.
ePDG, P-GW and SaMOG connects with the AAA server over SWm, S6b and STa Diameter interfaces respectively.
When a subscriber PDN connects, the PDN is authenticated over these authentication interfaces. P-GW sends AAR
whereas ePDG/SaMOG sends DER to authorize the subscriber. ePDG/P-GW/SaMOG has the capability to select one of
the available AAA servers based on priority or round robin method. ePDG/P-GW/SaMOG sends DER/AAR to the
selected AAA server. If the HSS indicates that the subscriber is currently being served by a different AAA server, it
sends the DIAMETER_REDIRECT_INDICATION Result-Code (3006) over SWm/S6b/STa interfaces requesting
ePDG/P-GW/SaMOG to redirect the AAR/DER request to the already bound AAA server.
When a subscriber PDN connects, the PDN is authenticated over these authentication interfaces. P-GW sends AAR
whereas ePDG/SaMOG sends DER to authorize the subscriber. ePDG/P-GW/SaMOG has the capability to select one of
the available AAA servers based on priority or round robin method. ePDG/P-GW/SaMOG sends DER/AAR to the
selected AAA server. If the HSS indicates that the subscriber is currently being served by a different AAA server, it
sends the DIAMETER_REDIRECT_INDICATION Result-Code (3006) over SWm/S6b/STa interfaces requesting
ePDG/P-GW/SaMOG to redirect the AAR/DER request to the already bound AAA server.
If the redirection of DER/AAR fails for some reason (Diameter TCP connection being down or Diameter Response-
Timeout), the ePDG/P-GW/SaMOG redirects this message to any other available AAA server with the AAA-Failure-
Indication AVP set to 1. AAA server forwards the AAA-Failure-Indication AVP to HSS, which will reset the initial
binding of the PDN with the failed AAA and bind the PDN with the AAA server that forwarded the AAA-Failure-
Indication AVP.
Timeout), the ePDG/P-GW/SaMOG redirects this message to any other available AAA server with the AAA-Failure-
Indication AVP set to 1. AAA server forwards the AAA-Failure-Indication AVP to HSS, which will reset the initial
binding of the PDN with the failed AAA and bind the PDN with the AAA server that forwarded the AAA-Failure-
Indication AVP.
On successful authentication at ePDG/P-GW/SaMOG, the ePDG/P-GW/SaMOG disconnects any other previously
connected PDN for the same subscriber. This is done so that the PDNs are reestablished and are bound to the new AAA
server.
connected PDN for the same subscriber. This is done so that the PDNs are reestablished and are bound to the new AAA
server.
In order to support a geo-redundant architecture for VoWiFi service, ePDG/P-GW/SaMOG supports the AAA-Failure-
Indication AVP as described in 3GPP TS 29.273 specification. This AVP value is set to 1 to indicate that a previously
assigned AAA Server is unavailable.
Indication AVP as described in 3GPP TS 29.273 specification. This AVP value is set to 1 to indicate that a previously
assigned AAA Server is unavailable.
In support of this feature, a new bulk statistics field is added to the output of
show diameter aaa-statistics
command to track the number of times the AAA-Failure-Indication AVP is sent over these authentication interfaces.
Limitations and Dependencies
This section identifies the known limitations and dependencies for this feature.
It is assumed that the Redirect-Host AVP contains a valid known host. If the host is invalid, ePDG/P-
GW/SaMOG will terminate the connecting PDN.
When the AAA server sends redirection indication, it is expected that the Result-Code is 3006
(DIAMETER_REDIRECT_INDICATION) and it should also send the Redirect-Host-Usage AVP with its
value as 1 (ALL_SESSION) and set the Redirect-Max-Cache-Time AVP to the validity time for the Redirect-
Route to exist. By default, the Redirect-Host-Usage is DON'T-CACHE (0) and in this scenario, only the
redirected message will be forwarded to Redirect-Host. Any further messages belonging to the same Diameter
session will undergo a fresh route-lookup and might contact a different AAA server.
value as 1 (ALL_SESSION) and set the Redirect-Max-Cache-Time AVP to the validity time for the Redirect-
Route to exist. By default, the Redirect-Host-Usage is DON'T-CACHE (0) and in this scenario, only the
redirected message will be forwarded to Redirect-Host. Any further messages belonging to the same Diameter
session will undergo a fresh route-lookup and might contact a different AAA server.
AAA-Failure-Indication AVP is included only in these Diameter dictionaries:
aaa-custom21 for S6b
aaa-custom22 for SWm
aaa-custom23 for STa