
iWAG – Intelligent Wireless Access Gateway

Date post: 18-Nov-2014
Upload: get-your-build-on-with-software-for-the-network-beyond
Description:
Slides provide insight into the iWAG (Intelligent Wireless Access Gateway) solution and detail how it reduces network congestion, provides Wi-Fi security and subscriber control, and enables new revenue-sharing business models for Service Providers. Configuration examples, standards, and helpful references are also provided.
Transcript
Page 1: iWAG – Intelligent Wireless Access Gateway

Cisco Public © 2012 Cisco and/or its affiliates. All rights reserved.

iWAG – Intelligent Wireless Access Gateway

(Integrating Wi-Fi Traffic into 3G / 4G Core)

pmipv6-[email protected]

Page 2: iWAG – Intelligent Wireless Access Gateway

GPRS Tunneling Protocol (GTP) for integrating Wi-Fi traffic into Gateway GPRS Support Node (GGSN)

ISG Features

• IPoE Sessions: DHCP initiated, unclassified IP or MAC-address initiator, Radius-Proxy initiator
• Layer-4 Redirect
• Traffic Classes
• Postpaid & Prepaid Accounting
• Dynamic Rate Limiting
• Lawful Intercept
• Radius based authentication and accounting
• Radius CoA Interface
• Per-subscriber QoS
• IP Session keep-alives, timeouts
• VRF Transfer
• Port Bundle Host Key (PBHK)
• Walk-by session handling/optimization
• Local Breakout of subscriber traffic for Simple IP subscribers

…..and more http://www.cisco.com/go/isg

Mobile Access Gateway (MAG) using Proxy Mobile IPv6 (PMIPv6) for integrating Wi-Fi traffic into Packet Data Network Gateway (PGW)

iWAG = Intelligent Wireless Access Gateway

Page 3: iWAG – Intelligent Wireless Access Gateway

ASR 1000 iWAG – IOS XE 3.8S

[Diagram labels: AP; AP WLC; L2 Connected; iWAG ASR1K; DHCP; AAA; Portal; Internet; GTP; Gn’; GGSN; 3G Core; PGW/LMA; 4G Core; Access Network Policy; Mobile Home Network Policy (PCRF, HLR, OCS, CGF); Gy, Gx, Ga]

Features:

• L2 Access & AAA Policy
  1. EAP-SIM/AKA (via WLC) / FSOL – DHCP
  2. EAP-SIM/AKA (via ISG) / FSOL – Radius Proxy
  3. Web Logon / TAL. FSOL – Unclassified MAC
• GGSN selection via DNS
• Overlapping MNO address support with multiple SSID

Page 4: iWAG – Intelligent Wireless Access Gateway

Service Providers

• Reduce network congestion: Reduce OpEx and increase network efficiency by offloading 3G/4G traffic
• Provide Wi-Fi security and subscriber control: Deliver scalable, manageable, and secure wireless connectivity with a low TCO
• Deliver a Wi-Fi platform that offers new, location-based services and enables new revenue-sharing business models

Users

• Provide access to 3G/4G core in spite of lack of / weak cell signal
• Provide a good QoE to subscribers on Wi-Fi networks similar to that provided on 3G/4G networks
• QoS based on subscriber profile and traffic classification
• Provide access to mobile backhaul which could have better bandwidth and thus provide better service
• Deliver a Wi-Fi platform that enables location-based services

Page 5: iWAG – Intelligent Wireless Access Gateway

Deployment Model # | Access Type | Authentication | FSOL | Service IP
1 | Layer 2 | EAP-SIM/AKA (out-of-band) | DHCP Discover | PGW/LMA
2 | Layer 2 | EAP-SIM/AKA (in-band) | Radius Proxy | PGW/LMA
3 | Layer 2 | Web Logon | Unclassified MAC | PGW/LMA
4 | Layer 2 | EAP-SIM/AKA (out-of-band) | DHCP Discover | GGSN
5 | Layer 2 | EAP-SIM/AKA (in-band) | Radius Proxy | GGSN
6 | Layer 2 | Web Logon | Unclassified MAC | GGSN

Models 1–3: 4G – PMIPv6
Models 4–6: 3G – GTPv1

Page 6: iWAG – Intelligent Wireless Access Gateway

Model # | Access Type | Authentication | FSOL | Service IP
1 | Layer 2 | EAP-SIM/AKA (out-of-band) | DHCP Discover | PGW/LMA

[Diagram labels: L2 Connected; AP; AP WLC; iWAG ASR1K; DHCP; AAA; Internet; Service IP; PGW/LMA; 4G Core; Access Network Policy; Mobile Home Network Policy (PCRF, HLR, OCS, CGF); Gy, Gx, Ga; EAP-SIM/AKA Authentication (out-of-band); FSOL: DHCP Discover]

Page 7: iWAG – Intelligent Wireless Access Gateway

Participants: Device, AP+WLC, HLR, AAA CAR+ITP, iWAG, P-GW, PCRF, Policy Manager Sub DB

• 802.1x
• EAP Request/ID
• EAP ID Response/ID
• EAP-SIM Method, Recover IMSI from Pseudonym or Fast Re-Auth ID
• RADIUS Access Accept
• MAP SEND AUTH INFO Res
• MAP SEND AUTH INFO Req
• MAP SRI for LCS Req (IMSI)
• MAP SRI for LCS Res (MSISDN)
• Cache MAC, IMSI, MSISDN, subscriber profile
• Recover Subscription Profile (IMSI)
• Store MSISDN
• Configure authorized IMSIs on the Subscriber database with WiFi Subscriber Profile. WiFi Subscriber Profile: Realm, WiFi APN, Charging Characteristics, IPv4/IPv6 service
• IMSI Authenticated, but MSISDN unknown
• RADIUS Access Request (username = EAP ID, calling station ID = MAC, called-station-ID = AP:SSID)
• EAP SUCCESS VLAN

Page 8: iWAG – Intelligent Wireless Access Gateway

Participants: Device, AP+WLC, HLR, DHCP/MAG, iWAG, AAA CAR+ITP, P-GW/LMA, PCRF, SPR/Sub DB

• DHCP Offer (a.b.c.d)
• DHCP Req/Ack (Primary DNS recovered from PBA)
• PBU
• Gx:CCR-I
• Gx:CCA-I
• PBA
• PMIPv6 PBA: IPv4 Home Address (HoA) PCO: Primary DNS
• Open PGW-CDR with container for WiFi Service, subscriber ID = MSISDN
• RF: Diameter ACR
• RF: Diameter ACA
• Gx:CCR-I: IMSI, MSISDN, APN, RAT Type Subscriber ID Type = E.164, RAT=WiFi
• SP: Recover Subscriber Profile
• Policy Profile to Apply
• IPv4 HoA = 0.0.0.0 MN-ID (imsi@realm), SSMO (APN), MSISDN, CHARGING CHARACTERISTICS, ATT = Wi-Fi
• RADIUS Access Request (Calling Station ID = Source MAC address)
• RADIUS Access Accept (User Profile)
• Source MAC Address: DHCP Discover
• User Profile VSAs: CISCO-SERVICE-SELECTION (APN), CISCO-MOBILE-NODE-IDENTIFIER (IMSI@realm), LMA, CISCO-MSISDN, 3GPP-CHARGING-CHARS, CISCO-MN-SERVICE (IPv4)

Page 9: iWAG – Intelligent Wireless Access Gateway

Model # | Access Type | Authentication | FSOL | Service IP
4 | Layer 2 | EAP-SIM/AKA (out-of-band) | DHCP Discover | GGSN

[Diagram labels: L2 Connected; AP; AP WLC; EWAG ASR1K; DHCP; AAA; Internet; Service IP; GTP; Gn’; GGSN; 3G Core; Access Network Policy; Mobile Home Network Policy (PCRF, HLR, OCS, CGF); Gy, Gx, Ga; EAP-SIM/AKA Authentication (out-of-band); FSOL: DHCP Discover]

Page 10: iWAG – Intelligent Wireless Access Gateway

Participants: Device, AP+WLC, HLR, AAA CAR+ITP, iWAG, P-GW, PCRF, Policy Manager Sub DB

• 802.1x
• EAP Request/ID
• EAP ID Response/ID
• EAP-SIM Method, Recover IMSI from Pseudonym or Fast Re-Auth ID
• RADIUS Access Accept
• MAP SEND AUTH INFO Res
• MAP SEND AUTH INFO Req
• MAP SRI for LCS Req (IMSI)
• MAP SRI for LCS Res (MSISDN)
• Cache MAC, IMSI, MSISDN, subscriber profile
• Recover Subscription Profile (IMSI)
• Store MSISDN
• Configure authorized IMSIs on the Subscriber database with WiFi Subscriber Profile. WiFi Subscriber Profile: Realm, WiFi APN, Charging Characteristics, IPv4/IPv6 service
• IMSI Authenticated, but MSISDN unknown
• RADIUS Access Request (username = EAP ID, calling station ID = MAC, called-station-ID = AP:SSID)
• EAP SUCCESS VLAN

Page 11: iWAG – Intelligent Wireless Access Gateway

Participants: WiFi client, AP+WLC, iWAG, AAA, GGSN @g.g.g.g

• DHCP Req [client requested IP=c.c.c.c; server=e.e.e.e]
• Access Req
• Access Accept
• Create PDP Resp [IP addr=c.c.c.c]
• DHCP ACK [client IP=c.c.c.c; server=e.e.e.e; renewal time…]
• client’s traffic
• client’s traffic tunneled
• Vlan connectivity
• Create PDP Req [IP addr=0.0.0.0]
• DHCP Offer [client IP=c.c.c.c; server=e.e.e.e]
• Access Accept [IMSI, MSISDN, APN, ssg-service=GTP-svc, etc]
• Regenerate a DHCP offer to send back to the client
• Activate session on DP fully after finding it having a valid IP addr
• DHCP Discover [MAC=client-MAC]
• Access Req [client-MAC]
• Out of band EAP authentication
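
The call flows above have the AAA cache MAC, IMSI and MSISDN once EAP-SIM/AKA succeeds, and later answer the iWAG's Access Req, which identifies the client only by MAC, with an Access Accept carrying IMSI, MSISDN and APN. The following is an added example, not code from the slides or from Cisco, of how an AAA could make that lookup depend on a fresh EAP binding; the class and function names and the one-hour binding lifetime are assumptions.

```python
# Added example, not Cisco code: AAA-side cache that binds a client MAC to the
# identity proven by out-of-band EAP-SIM/AKA, then answers MAC-only requests.
import re

CACHE_TTL = 3600  # assumed binding lifetime in seconds (not from the slides)


def normalize_mac(raw):
    """Accept aa:bb:.., AA-BB-.. or aabb.ccdd.eeff; return 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % raw)
    return digits


class BindingCache:  # hypothetical name
    def __init__(self, ttl=CACHE_TTL):
        self.ttl = ttl
        self._by_mac = {}

    def record_eap_success(self, mac, imsi, msisdn, profile, now):
        """EAP-SIM/AKA succeeded: cache MAC, IMSI, MSISDN and subscriber profile."""
        self._by_mac[normalize_mac(mac)] = (now, imsi, msisdn, dict(profile))

    def authorize_by_mac(self, calling_station_id, now):
        """Answer the iWAG's Access-Request, whose only identifier is the MAC."""
        try:
            key = normalize_mac(calling_station_id)
        except ValueError:
            return ("Access-Reject", [])
        entry = self._by_mac.get(key)
        if entry is None:                 # no EAP run seen for this MAC
            return ("Access-Reject", [])
        stamp, imsi, msisdn, profile = entry
        if now - stamp > self.ttl:        # stale binding: require a fresh EAP run
            del self._by_mac[key]
            return ("Access-Reject", [])
        avpairs = ["cisco-imsi=" + imsi, "cisco-msisdn=" + msisdn]
        avpairs += ["%s=%s" % kv for kv in sorted(profile.items())]
        return ("Access-Accept", avpairs)


# Constructed sample profile using attribute names from the 3G RADIUS profile slide.
SAMPLE_PROFILE = {"mn-apn": "serviceprovider.com",
                  "cisco-mpc-protocol-interface": "gtpv1"}
```

A MAC that never completed EAP, or whose binding has aged out, gets an Access-Reject, so the MAC alone is not enough to obtain a subscriber's profile.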

Page 12: iWAG – Intelligent Wireless Access Gateway


Page 13: iWAG – Intelligent Wireless Access Gateway

4G mobile user RADIUS profile (PMIPv6 based)

Cisco-AVPair = [email protected]
Cisco-AVPair = mn-service=IPv4
Cisco-AVPair = home-lma-ipv6-address=2001:db8:cafe:1024::101
Cisco-AVPair = home-lma-ipv4-address=5.8.24.101
Cisco-AVPair = home-lma=lma1
Cisco-AVPair = mn-apn=serviceprovider.com
Cisco-AVPair = cisco-mpc-protocol-interface=pmipv6

3G mobile user RADIUS profile (GTP based)

Cisco-AVPair = [email protected]
Cisco-AVPair = mn-service=IPv4
Cisco-AVPair = cisco-service-selection=service1.com
Cisco-AVPair = cisco-msisdn=919448927815
Cisco-AVPair = cisco-imsi = 262020000000642
Cisco-AVPair = mn-apn=serviceprovider.com
Cisco-AVPair = cisco-mpc-protocol-interface=gtpv1

Page 14: iWAG – Intelligent Wireless Access Gateway

Access interface definition for 4G user

interface GigabitEthernet0/1/0.3074
 description "4G Mobile users access interface"
 encapsulation dot1Q 3074
 ip address 5.8.22.15 255.255.255.0
 ipv6 address FE80::200:5EFF:FE00:5213 link-local
 service-policy type control PMIP_PROFILE
 ip subscriber l2-connected
  initiator dhcp

Access interface definition for 3G user

interface GigabitEthernet0/3/6.1
 description "3G Mobile users access interface"
 encapsulation dot1Q 1 native
 ip address 192.168.10.1 255.255.255.0
 ipv6 address FE80::300:5EFF:FE00:5213 link-local
 service-policy type control GTP_PROFILE
 ip subscriber l2-connected
  initiator dhcp

Integration to ISG

mcsa
 enable sessionmgr

Page 15: iWAG – Intelligent Wireless Access Gateway

!
! PMIPv6 domain definition
ipv6 mobile pmipv6-domain D1
 mn-profile-load-aaa
 ! PMIPv6 LMA to which iWAG, as MAG, sends traffic
 lma lma1
  ipv6-address 2001:DB8:CAFE:1024::101
!
! PMIPv6 MAG definition
ipv6 mobile pmipv6-mag M1 domain D1
 role 3GPP
 address ipv6 2001:DB8:CAFE:1025::15
 ! iWAG access interface(s)
 interface GigabitEthernet0/1/0.3074
!

Page 16: iWAG – Intelligent Wireless Access Gateway

Policy-map to control authorization of 4G user going to PMIPv6 tunnel

policy-map type control PMIP_PROFILE
 class type control always event session-start
  5 service-policy type service name INTERNET_SERVICE
  30 authorize aaa list ISG_LIST password cisco identifier mac-address
 !
!

Policy-map to control authorization of 3G user going to GTP tunnel

policy-map type control GTP_PROFILE
 class type control always event session-start
  5 service-policy type service name INTERNET_SERVICE
  30 authorize aaa list ISG_LIST password cisco identifier mac-address

AAA definition for iWAG to know where to get authorization from

aaa authorization network ISG_LIST group iWAG-MOBILE-USERS
!

Page 17: iWAG – Intelligent Wireless Access Gateway

GTP definition

gtp
 n3-request 3
 interval t3-response 10
 interval echo-request 60
 information-element rat-type wlan
 interface local GigabitEthernet0/3/0
 apn 1
  apn-name cisco1.com
  ip address ggsn 192.170.10.2
  default-gw 192.168.10.1 prefix-len 16
  dns-server 192.165.1.1
  dhcp-server 192.168.10.1
  dhcp-lease 30000

Slide callouts:

• RAT: Radio Access Technology
• iWAG access interface(s)
• Details for iWAG to reach the GGSN

Page 18: iWAG – Intelligent Wireless Access Gateway

For Your Reference

Command | Remarks
mcsa enable sessionmgr | Enable subscriber session manager on iWAG
ip dhcp pool pmipv6_dummy_pool | Enable DHCP on the MAG
ipv6 mobile pmipv6-domain <Domain_Name D1> | Create the PMIPv6 domain e.g. D1.
mn-profile-load-aaa | Loads the profile configuration from AAA to the MN within the PMIPv6 domain
lma lma1 ipv6-address 2001:DB8:CAFE:1024::101 ipv4-address 5.8.24.101 | Configure LMA name and address
ipv6 mobile pmipv6-mag <MAG M1> domain D1 | Enable the MAG service on a router, for the above configured PMIPv6 domain e.g. MAG M1
sessionmgr | Enable subscriber session manager under MAG
address ipv4 5.8.25.15 address ipv6 2001:DB8:CAFE:1025::15 | Configure IPv4 (required only when transport is IPv4 only) & IPv6 address acting as the MAG. LMA would keep track of MAG using this IP address.
interface GigabitEthernet0/0/0.3074 | Enable MAG services on the access interface towards the MN/WLAN

Page 19: iWAG – Intelligent Wireless Access Gateway

Platform | RP/Memory | ESP
ASR1001 | 16GB | integrated
ASR1002-X | 16GB | integrated
ASR1004 | RP2 16GB | ESP40
ASR1006/13 | RP2 16GB | ESP40/100

Existing broadband licenses support iWAG http://www.cisco.com/en/US/prod/collateral/routers/ps9343/product_bulletin_c07-448862.html

IOS XE 3.8S Releasing in mid Nov’2012

Page 20: iWAG – Intelligent Wireless Access Gateway

• SP Wi-Fi becomes an access solution to the MPC
• iWAG enables Wi-Fi integration into 3G via GTP
• iWAG enables Wi-Fi integration into 4G via PMIPv6
• iWAG provides service providers with new revenue-sharing business models
• Enables SP to use common subscriber Billing and Policy [Gx, Gy, Gi] across 3G, 4G and Wi-Fi network
• Enable residential Wi-Fi with EoGRE tunneling solution
• Building block of an integrated solution providing:
  • Seamless experience to customers (clientless)
  • Support for evolution of mobile operator services

Page 21: iWAG – Intelligent Wireless Access Gateway

Interface | Components | Standard
RADIUS | AAA Server/Policy Server and NAS | RFC 2865
RADIUS Change of Authorization | Portal Server and NAS | RFC 3576, RFC 5176
Proxy Mobile IPv6 | MAG and LMA | RFC 5213, RFC 5844, RFC 5845, RFC 5846, RFC 6543

PMIPv6 http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_13-3/133_pmipv6.html

RADIUS Interface Document http://www.cisco.com/en/US/docs/ios/ios_xe/isg/coa/guide/3s/isg-coa.html

Page 22: iWAG – Intelligent Wireless Access Gateway

• ISG: Cisco ASR 1000 http://www.cisco.com/en/US/docs/ios-xml/ios/isg/configuration/xe-3s/isg-xe-3s-book.html
• MAG: Cisco ASR 1000 http://www.cisco.com/en/US/docs/ios-xml/ios/mob_pmipv6/configuration/xe-3s/asr1000/mob-pmipv6-xe-3s-asr1000-book.html
• MAG: Cisco ISR http://www.cisco.com/en/US/docs/ios-xml/ios/mob_pmipv6/configuration/15-2mt/imo-pmipv6-mag-support.html
• MAG: Cisco WLC http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bd4100.shtml
• PMIPv6 CEC Page: http://wwwin.cisco.com/ios/tech/mobile/proxyipv6/
• ISG CEC Page: http://wwwin.cisco.com/ios/tech/broadband/isg/
• Whitepapers on SP Wi-Fi http://www.cisco.com/go/spwifi

Page 23: iWAG – Intelligent Wireless Access Gateway

• SP Wi-Fi NOSTG Product manager
  Amrit Hanspal – [email protected]
• SP Wi-Fi ASR1000 Product manager
  Greg Cote – [email protected]
• SP Wi-Fi Technical Marketing Engineers
  Akshaya Kumar – [email protected]
  Boris Mimeur – [email protected]
  Prashant Jhingran – [email protected]
• Or simply write to us: [email protected]

Page 24: iWAG – Intelligent Wireless Access Gateway

Thank you.

