WLAN Access Control - Cisco ASR 5000 Series Product Overview

PDG/TTG Overview

WLAN Access Control

The PDG/TTG enables WLAN access control by letting you limit the number of IKEv2/IPSec tunnels per subscriber session.
In the PDG Service Configuration Mode of the system's CLI, a configuration command can be used to specify the maximum number of IKEv2/IPSec tunnels per subscriber session.
The number of tunnels per UE is bounded by the Network Service Access Point Identifier (NSAPI) range, which is 5 to 15. Hence the configurable maximum number of tunnels is 11; the value can be set anywhere in the range 1 to 11 and defaults to 11.
RADIUS and Diameter Support
RADIUS and Diameter support on the PDG/TTG provides a mechanism for performing authentication, authorization,
and accounting (AAA) for subscribers. The benefits of using AAA are:
- Higher flexibility for subscriber access control
- Better accounting, charging, and reporting options
- Industry-standard RADIUS and Diameter authentication
The Remote Authentication Dial-In User Service (RADIUS) and Diameter protocols can be used to provide AAA
functionality for subscribers. The PDG/TTG supports EAP authentication based on both RADIUS and Diameter
protocols.
The AAA functionality on the PDG/TTG provides a wide range of configuration options via AAA server groups, which
allow a number of RADIUS/Diameter parameters to be configured in support of the PDG service.
Currently, two types of authentication load-balancing methods are supported: first-server and round-robin. The first-server method sends requests to the highest priority active server; a request is sent to a different server only if the highest priority server is not reachable. With the round-robin method, requests are sent to all active servers in a round-robin fashion.
The PDG/TTG can detect the status of the AAA servers. Status checking is enabled by configuration in the AAA Server Group Configuration Mode of the system's CLI. Once an AAA server is detected to be down, it is kept in the down state for a configurable duration called the dead-time period. After the dead-time period expires, the AAA server is eligible to be retried. If a subsequent request is directed to that server and the server responds properly, the system makes the server active again.
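The following is an added illustration of the two load-balancing methods and the dead-time handling described above. It is not Cisco code and not the ASR 5000's own implementation: the class names, the `priority` ordering (lower value means higher priority), the 60-second dead-time value and the server list are all assumptions constructed for the example.

```python
"""Model of first-server and round-robin AAA server selection with
dead-time status tracking (added example; names and values are assumptions)."""
from dataclasses import dataclass, field


@dataclass
class AAAServer:
    name: str
    priority: int               # assumption: lower value = higher priority
    reachable: bool = True      # constructed input simulating network reachability
    down_until: float = -1.0    # time at which this server's dead-time period expires


@dataclass
class AAAServerGroup:
    servers: list
    method: str = "first-server"    # "first-server" or "round-robin"
    dead_time: float = 60.0         # dead-time period in seconds (assumed value)
    _next: int = field(default=0, init=False, repr=False)  # round-robin cursor

    def __post_init__(self):
        # first-server always walks the list from the highest priority downwards
        self.servers.sort(key=lambda s: s.priority)

    def eligible(self, server, now):
        # A server detected down stays down until its dead-time expires;
        # only then is it eligible to be retried.
        return now >= server.down_until

    def send_request(self, now):
        """Return the name of the server that answered, or None if all are down."""
        if self.method == "first-server":
            order = self.servers
        else:
            # rotate the starting point by one server per request
            n = len(self.servers)
            order = [self.servers[(self._next + i) % n] for i in range(n)]
            self._next = (self._next + 1) % n
        for server in order:
            if not self.eligible(server, now):
                continue            # still inside dead-time: not retried
            if server.reachable:
                server.down_until = -1.0    # responded: active again
                return server.name
            # no response: mark down and start the dead-time period
            server.down_until = now + self.dead_time
        return None


def demo():
    """Drive both methods and return the sequence of servers that answered."""
    a = AAAServer("aaa-1", priority=1, reachable=False)
    b = AAAServer("aaa-2", priority=2)
    c = AAAServer("aaa-3", priority=3)
    first = AAAServerGroup([a, b, c], method="first-server", dead_time=60)
    trace = []
    trace.append(first.send_request(now=0))    # aaa-1 down -> dead-time, aaa-2 answers
    trace.append(first.send_request(now=10))   # aaa-1 not retried during dead-time
    a.reachable = True                          # aaa-1 recovers, but dead-time runs to t=60
    trace.append(first.send_request(now=30))   # still aaa-2
    trace.append(first.send_request(now=61))   # dead-time expired: aaa-1 retried, active again

    rr = AAAServerGroup([AAAServer("rr-1", 1), AAAServer("rr-2", 2), AAAServer("rr-3", 3)],
                        method="round-robin")
    rr_trace = [rr.send_request(now=t) for t in range(4)]   # rr-1, rr-2, rr-3, rr-1
    return {"first_server": trace, "round_robin": rr_trace}


if __name__ == "__main__":
    print(demo())
```

The first-server trace shows why the dead-time matters operationally: a server that has recovered is not sent live authentication traffic until the period elapses, so a short dead-time speeds recovery while a long one reduces repeated timeouts against a flapping server.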
The PDG/TTG generates accounting messages on successful session establishment. For a TTG session, the system
creates an IPSec SA for a subscriber session after it creates the GTP tunnel to the GGSN over the Gn' interface. The
TTG sends an accounting START message to the AAA server after successful completion of both GTP tunnel creation
on the Gn' interface and IPsec SA creation on the Wu interface.
OL-22938-02
