Configuring Hotlining for a Foreign Agent

Contents

1Overview
1.1Hotlining Rules and Restrictions
1.2NAS Filter and HTTP Redirection Rules
1.3Hotlining Deactivation

2

Configuration Tasks
2.1Configuring Hotlining Services for an FA

3

Configuration Examples
Copyright

© Ericsson AB 2009–2011. All rights reserved. No part of this document may be reproduced in any form without the written permission of the copyright owner.

Disclaimer

The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.

Trademark List
SmartEdge  is a registered trademark of Telefonaktiebolaget LM Ericsson.
NetOp  is a trademark of Telefonaktiebolaget LM Ericsson.

1   Overview

This document provides an overview of the SmartEdge® OS hotlining features and describes the tasks used to configure these features. This document also provides configuration examples of hotlining features.

In a WiMAX network, the SmartEdge router functions as an Access Serving Network-Gateway (ASN-GW) Enforcement Point (EP) that activates hotlining rules passed by the ASN-GW Decision Point (DP). In this configuration, the SmartEdge router supports hotlining services for mobile foreign agent (FA) users, providing WiMAX operators with a self-subscription service that handles user-related issues which would otherwise result in service denial.

When configured as an ASN-GW EP, the SmartEdge router filters and redirects traffic for users based on the set of rules obtained from the ASN-GW DP. Hotlining is activated when the SmartEdge router receives the hotline indicator vendor-specific attribute (VSA) and HTTP redirection rules from the ASN-GW DP. The network access server (NAS) filter rules are also sent to the SmartEdge router, if required.

Hotlining allows WiMAX operators to efficiently redirect subscribers to a portal controlled by a service provider for service registration, updates, service advertisements, and address issues that require immediate attention, such as virus attacks and missed payments.

In a WiMAX network where the SmartEdge router functions as an ASN-GW EP, a subscriber is hotlined as follows:

  1. A new mobile user without subscription sends an IP registration request to the network.
  2. The home authentication, authorization, and accounting (H-AAA) device grants the user limited access to the network and sends a RADIUS Access-Accept message to the ASN-GW DP with hotlining status of the user. The RADIUS Access-Accept message contains the HTTP redirect rules and NAS filter rules that determine what kind of traffic is permitted in the WiMAX network.
  3. The ASN-GW DP sends information about the user (including hotlining instructions) to the SmartEdge ASN-GW EP through an R7 interface.
  4. The user is hotlined, the SmartEdge ASN-GW EP filters and redirects uplink traffic from the user to the Captive Portal based on the set of redirect rules obtained from the ASN-GW DP, and a new user account is created with information for the user.
  5. The subscriber management server informs the Open Mobile Alliance (OMA) Device Management (DM) application that a new mobile station (MS) needs to be managed. If the OMA DM application bootstraps the MS to update the software or provision data on the MS, then the OMA URL is sent to the MS. The MS uses the OMA URL to perform provisioning.

    From this point on, the HTTP traffic is redirected to the OMA-DM instead of the Web Portal. Because the Web Portal and the OMA-DM are in different domains, the packet identification for traffic to OMA-DM is different from the traffic to Web Portal.

When the hotlining subscription process is finished, the SmartEdge ASN-GW EP removes the HTTP and IP redirect and filter rules and normal data sessions resume.

1.1   Hotlining Rules and Restrictions

Keep the following rules and restrictions in mind when configuring a SmartEdge router as an ASN-GW EP:

In an ASN-GW EP configuration, the SmartEdge router supports the following hotlining features:

1.2   NAS Filter and HTTP Redirection Rules

The R7 interface transfers the following hotlining rules from the ASN-GW DP to the ASN-GW EP:

The SmartEdge OS can receive and apply any combination of the following hotlining rules to the FA:

Note:  
Both NAS filter and HTTP redirection rules are applied in the order received by the ASN GW DP. However, NAS filter rules are always applied before HTTP redirection rules.

Note:  
If HTTP redirection rules are present, at least one pass rule and one redirect rule must exist. A pass rule must be present before a redirect rule can be applied.

For a new hotlining session, hotlining attributes are sent in an Access-Accept message. For midsession hotlining, the hotlining rules are sent in a CoA message.

Note:  
The SmartEdge OS supports only one HTTP redirect URL.

NAS filter rules determine whether the system permits or denies access to incoming packets based on the type of information in the IP packet headers. NAS filter rules are sent in every CoA message in the following circumstances:

NAS filter rules are evaluated in the order received. Each packet is evaluated once, and the first matched rule terminates the evaluation process. If no rules match, the packet is dropped. Packets are filtered based on the information in Table 1.

Table 1    Supported NAS Filter Rules

Filter

Rules

Action

Determines whether the packet is permitted or denied on the destination router. Can be one of the following:


  • permit —Allow packets that match the rule.

  • deny—Drop packets that do not match the rule.

Direction

Defines whether the packet is arriving from or leaving the terminal. Can be one of the following:


  • in—Packets arriving from the terminal.

  • out—Packets leaving the terminal.

Proto

Specifies an IP protocol. Packets that have a matching IP keyword are permitted.

src/dst

Specifies the source-and-destination address or mask and the port for a packet. Can be expressed in any of the following formats:


  • ipno —IPv4 number in dotted-quad or canonical form. Only those packets with an IP number that matches this rule exactly are permitted. Note that IPv6 is not supported.

  • ipno bits—IP number specified in the format address/mask. The bit width must be valid for the IP version, and the IP number cannot have bits set beyond the mask. For a match to occur, the same IP version must be present in the packet IP address.

  • any—Source-and-destination IP address is 0.0.0.0/0. Packets that have any IP address are considered a match are permitted.

  • assigned—Address or set of addresses assigned to the terminal. Packets that have an IP address that matches the assigned address are permitted.

  • ports—Optional source and destination ports. For the TCP, UDP, and SCTP protocols, the optional ports are specified in the format ports/port-port[,port[...]]

  • src / dst “assigned”——Address or set of addresses assigned to the terminal. Packets that have a matching address are permitted.

  • port range—Range of ports. Packets whose destination port matches one of the ports in this range are permitted.

IP Options

Determines which packets are permitted or denied. The following TCP flags are supported:


- established—Packets that have the RST or ACK bits set are permitted. Note that this flag applies to TCP packets only.


- setup—Packets that have the SYN bit set and no ACK bit are permitted. Note that this flag applies to TCP packets only.


- Icmptypes types—Packets that have one or more of the following ICMP types are permitted. Note that each type is represented by a number:


  • 0—echo reply

  • 3—destination unreachable

  • 4—source quench

  • 5—redirect

  • 8—echo request

  • 9—router advertisement

  • 10—router solicitation

  • 11—excessive time-to-live

  • 12—bad IP header

  • 13—time stamp request

  • 14—time stamp reply

  • 15—information request

  • 16—information reply

  • 17—address mask request

  • 18—address mask reply


Note that the SmartEdge router supports those rules received with one ICMP type only or several ICMP types that are separated by commas. If a rule has multiple ICMP types, each type must be separated by a comma. The list of multiple ICMP types is converted into individual rules for each ICMP type.


Note that the Icmptypes types flag applies to ICMP packets only.

The SmartEdge ASN-GW EP does not allow subscriber traffic to pass if the traffic does not conform to the hotlining rules until all rules have been applied on the line cards. Control traffic, such as MIP control traffic, is processed when received. The ASN-GW DP sends the NAS filter rules to ASN-GW EP to permit RRQ traffic.

The SmartEdge FA cannot apply a new set of hotlining HTTP redirection rules to a subscriber that has already been hotlined. To apply a new set of hotlining rules, hotlining is first deactivated on the subscriber and then reactivated with the new set of rules.

Note:  
The performance of the SmartEdge router may be impacted if the number of rules received is large because of the overhead required to process the rules for each subscriber.

Table 2 lists the RADIUS attributes that are included in the following messages:

Table 2    RADIUS Attribute Support

Attribute

access request

access-accept

CoA message

accounting Start

accounting Stop

User-Name

Yes

Yes

Yes

Yes

Yes

Calling-station-ID

Yes

Yes

Yes

Yes

Yes

Message Authenticator

Yes

Yes

No

No

No

NAS-IP-Address

Yes

No

No

Yes

Yes

EP-Request-Type

Yes

No

No

No

No

CoA-IPv4

Yes

No

No

No

No

AAA-Session-ID

No

Yes

Yes

Yes

Yes

Accounting-Mode

No

Yes

No

No

No

Hotline-Indication

No

Yes

Yes

No

No

HTTP-redirection-rule

No

Yes

Yes

No

No

NAS-filter-rule

No

Yes

Yes

No

No

FA-hHA-Key

No

Yes

No

No

No

FA-hHA-SPI

No

Yes

No

No

No

FA-hHA-Lifetime

No

Yes

No

No

No

FA-vHA-Key

No

Yes

No

No

No

FA-vHA-SPI

No

Yes

No

No

No

FA-vHA-Lifetime

No

Yes

No

No

No

hHA-IP-MIP4

No

Yes

No

No

No

vHA-IP-MIP4

No

Yes

No

No

No

Acct-Status-Type

No

No

No

Yes

Yes

Acct-Term-Cause

No

No

No

Yes

Yes

Acct-Multi-Session-ID

No

No

No

Yes

Yes

Session_Error_Message

No

No

No

No

Yes

Error-Cause

No

No

Yes (in CoA NAK messages only)

No

No

Note:  
If multiple unique URLs are received in HTTP redirection rules, a provisioning error is reported to the R7 interface because only one URL is supported per subscriber.

Note:  
Any Hotline-Profile-ID attribute that is received in an Access_Accept or CoA message is rejected.

Note:  
Any Hotline-Session-Timer attribute that is received in an Access_Accept or CoA message is ignored.

Note:  
When an access request is rejected, an Access Reject message is sent with the User-Name and Message Authenticator attributes.

Note:  
The Acct-Multi-Session-ID attribute is sent only when the AAA-Session-ID attribute is received for hotlining and NAS filter rules provisioning.

1.3   Hotlining Deactivation

Hotlining is deactivated when the ASN-GW DP sends the SmartEdge ASN-GW EP a RADIUS CoA request that contains a hotline-indicator VSA with a null value or that does not have a hotline-indicator VSA. HTTP Redirection rules with a flush action are included. If new NAS filter rules are included in the COA-Request, the ASN-GW EP replaces the pre-existing NAS Filter rules with the new NAS filter rules. If the COA-Request contains NAS Filter rules with a null value, the existing NAS filter rules are removed for the affected subscriber.

2   Configuration Tasks

Note:  
Hotlining is a WiMAX feature that supports only WiMax subscribers. Hotlining does not support IP and GRE header field values in packets

2.1   Configuring Hotlining Services for an FA

To configure hotlining services for an FA, perform the tasks described in Table 3.

Table 3    Configuring Hotlining Services for an FA

#

Task

Root Command

Notes

1.

Configure the local HTTP server on the active controller Card, as described in “Configure the Local HTTP Server on the Active Controller Card” earlier in this document.

2.

Configure the RADIUS server to send the hotlining rules:

 

Configure context-specific RADIUS authentication.

aaa authentication subscriber radius.

For more information about configuring RADIUS authentication, see Configure Subscriber Authentication.

 

Identify the RADIUS server from which hotlining rules are received.

radius server {ip-addr | hostname} encrypted-key key

Use the ip-addr or hostname argument to specify the RADIUS server from which the SmartEdge router receives hotlining rules. Replace the key argument with the authentication key that must be shared with the RADIUS server. For more information about configuring a RADIUS server, see Configuring RADIUS .

 

Configure a CoA server from which CoA messages are accepted.

radius coa server {ip-addr | hostname} key key

AAA accepts messages from this server only. Use the ip-addr or hostname argument to specify the RADIUS server from which the SmartEdge router receives hotlining rules. Replace the key argument with the authentication key that must be shared with the CoA server.

3.

Configure the accounting server.

 

Identify a RADIUS accounting server to be used if the accounting mode is enabled for the subscriber.

radius accounting server {ip-addr | hostname} key key

Use the ip-addr or hostname argument to specify the RADIUS accounting server from which the SmartEdge router receives hotlining rules. For more information about configuring a RADIUS accounting server, see Configuring RADIUS .

 

Enable the accounting server to receive accounting packets from AAA.

aaa accounting subscriber radius attribute-guided

Enter this command in context configuration mode. This command ensures that the RADIUS accounting server is ready to send and receive accounting packets. Note that accounting packets are sent to a subscriber only when the Accounting-Mode VSA is present in the authentication response that is received from the subscriber. For more information about configuring subscriber accounting on the SmartEdge router, see Configure Subscriber Accounting .

4

Configure a RADIUS-guided forward policy with PASS, REDIRECT, and DROP classes. For general information about configuring forward policies, see Configure a Forward Policy.

 

Select a RADIUS-guided forward policy and access forward policy configuration mode.

forward policy name radius-guided

Replace the name argument with the name of the forward policy you want to access. Note that no default configuration must exist for the forward policy because the configuration translates to a pass action for default class traffic.

 

Access policy group configuration mode.

access-group

 
 

Create a class called “redirect” and access policy group class configuration mode.

class redirect

 
 

Redirect incoming packets associated with the specified class to the local server.

redirect destination local

 
 

Exit policy group class configuration mode.

exit

 
 

Create a class called “pass” and access policy group class configuration mode.

class pass

 
 

Create a class called “drop” and access policy group class configuration mode.

class drop

 
 

Exit policy group class configuration mode.

exit

 
 

Configure the router to drop incoming packets for this forward policy

drop

 

5.

Configure the RSE profile with the forward policy. For more information on configuring a RADIUS service profile that references RADIUS-guided policies, see Configure a RADIUS-Guided Service Profile in Configuring RADIUS .

 

Select an existing RSE profile or create a new RSE profile and access service profile configuration mode.

radius service profile

Enter this command in context configuration mode. Map this profile to the FA subscriber rules.

 

Specify a service condition for the redirect service profile and its default condition.

parameter value redir_class “redirect”

Applies redirect rules to the subscriber traffic.

 

Specify a service condition for the pass service profile and its default condition.

parameter value pass_class “pass”

Applies pass rules to the subscriber traffic.

 

Specify a service condition for the drop service profile and its default condition.

parameter value drop_class “drop”

Applies drop rules to the subscriber traffic.

 

Assign the class from the redirect parameters to the appropriate attribute

set class

 
 

Assign the class from the pass parameters to the appropriate attribute

set class

 
 

Assign the class from the drop parameters to the appropriate attribute

set class

 

6.

Convert all the rules in HTTP-Redirect-Rule attributes into Dynamic-IP-Filter rules. For general information about specifying attributes for service conditions in a profile, see Configure a RADIUS-Guided Service Profile in Configuring RADIUS .

 

Apply the service policy attribute for incoming traffic .

attribute attribute-name in attribute-value

Enter this command to specify an attribute for each service condition in this profile.

 

Copy the URL value from the HTTP-Redirect Rule attribute and assign it to HTTP-Redirect-url.

attribute HTTP-Redirect -url from HTTP-Redirect-Rule url

 
 

Extract the IP filter rules present in the HTTP-Redirect-Rules and convert them to Dynamic-IP-Filter rules.

attribute Dynamic-IP-Filter from HTTP-Redirect-Rule

If you do not want to drop nonconforming HTTP traffic, then this line should be removed from the RSE profile configuration.

 

Adds more IP filters as desired.

attribute [vendor-specific {rbak | vendor-num}] {attribute-name | attribute-num} drop [msg-type-1... msg-type-n]

Repeat this step to add as many IP filters as desired.


If you do not want to drop non-confirming HTTP traffic then this line should be removed from the RSE profile configuration.

7.

Map the RADIUS service profile to MIP FA subscribers.

 

Specify the default subscriber and access subscriber configuration mode.

subscriber default

Enter this command in context configuration mode.

 

Specify the RSE profile that references the policy that defines the classes to which you want to map the HTTP redirect rules.

service profile hotline profile-name

This command maps the HTTP redirect rules to classes defined in the policy that is referenced in the specified RSE profile for a MIP FA subscriber.

8.

Enable the sending of the NAS IP Address attribute in RADIUS packets. For more information about configuring and sending attributes RADIUS packets, see Configure and Send Attributes in RADIUS Packets (Optional) in Configuring RADIUS .

 

Include the NAS IP Address attribute in the RADIUS Access-Request and Accounting-Request packets sent by the SmartEdge router.

radius attribute NAS_IP_Address interface if-name

Enter this command in context configuration mode. Replace the if-name argument with the name of the interface whose primary IP address you want use as the source IP address sent in RADIUS packets. Note that, if the interface is not configured or is unreachable, the IP address of the outgoing interface is used instead as the source IP address for packets.

9.

Enable the forwarding of nonmobile IP traffic for the FA to prevent traffic leaks. For general information about configuring an FA, see Mobile IP Foreign Agent.

 

Access Mobile IP configuration mode.

router mobile-ip

Enter this command in context configuration mode.

 

Select the FA instance in this context and access FA configuration mode.

foreign-agent

 

10.

On the RADIUS server, configure the forward policy to intercept incoming packets by default. For more information, see the appropriate RADIUS documentation.

3   Configuration Examples

The following example shows how to configure hotlining for an FA on a SmartEdge router that is acting as an ASN-GW EP in a WiMAX network:

! Configure a local HTTP redirect server on the controller card:

[local]Redback(config)#http-redirect server
[local]Redback(config-hr-server)#port 80
[local]Redback(config-hr-server)#exit

! Configure the RADIUS server. All the hotlining rules are received from 
R7 interface or the RADIUS server:

[local]Redback(config)#context local
[local]Redback(config-ctx)#aaa authentication subscriber radius
[local]Redback(config-ctx)#radius server 10.12.209.3 encrypted-key 
3828082561D6BDD6

! Configure the accounting server. This configuration is used if the 
accounting_mode is set for the subscriber:

[local]Redback(config-ctx)#radius accounting server 1.1.1.1 key redback
[local]Redback(config-ctx)#aaa accounting subscriber radius 
attribute-guided

! Configure the CoA server so that AAAd will accept CoA messages from the 
configured server only

[local]Redback(config-ctx)# radius coa server 2.2.2.2 key 1234567

! Configure a RADIUS guided Forward policy with pass, redirect and drop
 classes.

[local]Redback(config)#forward policy captive-portal radius-guided
[local]Redback(config-policy-frwd)#access-group
[local]Redback(config-policy-frwd)#class redirect
[local]Redback(config-policy-frwd)#redirect destination local
[local]Redback(config-policy-frwd)#class pass
[local]Redback(config-policy-frwd)#class drop
[local]Redback(config-policy-frwd)#drop

! Configure the RADIUS service profile with the forward policy to apply 
HTTP redirect rules:

[local]Redback(config)# context local
[local]Redback(config-ctx)# radius service profile WIMAX-HTTP-Redirect
[local]Redback(config-service-profile)# parameter value redir_class 
“redirect”
[local]Redback(config-service-profile)# parameter value pass_class 
“pass”

! Set the class name from the given parameters to the appropriate attributes:

[local]Redback(config-service-profile)# set class $redir_class 
HTTP-Redirect-Rule redirect
[local]Redback(config-service-profile)# set class $pass_class 
HTTP-Redirect-Rule pass

!Apply the Captive-Portal forward policy to incoming traffic:

[local]Redback(config-service-profile)# attribute Forward-Policy in 
Captive-Portal

!Copy the URL value from HTTP-Redirect-Rule and assign it to 
HTTP-Redirect-url:

[local]Redback(config-service-profile)#attribute HTTP-Redirect-url from 
HTTP-Redirect-Rule url

!Convert all the rules in HTTP-Redirect-Rule into Dynamic-IP-Filter rules:

[local]Redback(config-service-profile)#attribute Dynamic-IP-Filter from 
HTTP-Redirect-Rule
[local]Redback(config-service-profile)#attribute Dynamic-IP-Filter "in 
6 from any to any 80 class drop fwd"
[local]Redback(config-service-profile)#attribute Dynamic-IP-Filter "in 
6 from any to any 8080 class drop fwd"
[local]Redback(config-service-profile)#attribute Dynamic-IP-Filter "in 
6 from any to any 443 class drop fwd"