WiFi – Mobile BNG Offload Deployments

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Connect 11© 2012 Cisco and/or its affiliates. All rights reserved.
Toronto, Canada
May 30th, 2013
WiFi - Mobile BNG
Offload Deployments
SP-T07-I
Derick Linegar, dlinegar@cisco.com

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 2
Agenda
v SP Wi-Fi - Key drivers
v Intelligent Broadband
v SP Wi-Fi Deployments
v SP WiFi Evolution with MPC Integration
v Call Flow
v References

SP-WiFi Key
Drivers

SP-WiFi Solutions

Why Should I Care About WiFi?
The “New Normal”

Wi-Fi Subscribers, Wireline/Wi-Fi & Mobile
Different Motivations
Wireline Operator with
Wi-Fi Access
Mobile Users
Mobile Operators
Wireline
Operator 1
Wireline
Operator 2
Mobile Operator Motivations
•  Data traffic growing
exponentially
•  Licensed spectrum limitations
•  Access – Trusted/Untrusted
Wireline / Wi-Fi Operator
Motivation
•  Increase Service Revenues
•  Cater to multiple Mobile
Operators
•  Provide a scalable peering
model
•  Leverage existing infrastructure
Subscriber Motivation
•  Always connected experience
•  Seamless Authentication
•  Mobility/Roaming without
disrupting apps
3G/4G delivered
via Mobile
Backhaul
Wi-Fi Access
Gateway Peering
Mobile
Operator1
Mobile
Operator2
Internet

Terminology Primer
Service Provider Wi-Fi Wireline Broadband
Session Type IP Based Sessions PPP Based Sessions
User type Mobile Users Fixed Residential
Session Control Intelligent Services Gateway (ISG) – software component
Place in Network
(PIN) Designation
Wireless Access Gateway
(WAG)
Broadband Network Gateway
(BNG)

SP Wi-Fi Solutions – At a Glance
Deployment Type Software Components
Availability
ASR1000 ASR9000
Traditional Public
Wireless LAN
(PWLAN)
Open SSID with ISG Redirect for
Web based Authentication
Available Now Available Now
Seamless
Authentication
EAP based secure authentication
using ISG
Available Now
Now – relies on Cisco
Access Registrar (CAR)
Mobile Network
Integration
ISG and Proxy Mobile (PMIP)
configured on a single box
iWAG - Available now Now – ASR5K based

Intelligent
Broadband

Evolution in Service Provider Architectures
Increased Service Revenues:
ü  Customized services
ü  Rapid deployment of new
services
ü  Subscriber Self Subscription
and Self Care
Diverged
“Per Service”
Networks
Converged
“All in One”
Networks
Converged
“User Centric”
Networks
Reduced Operational Expenses:
ü  Consolidation of multiple
networks

The New User Experience
Enabling the Next Wave of Broadband

Multi-Dimensional Identifier for Subscribers over
L2/L3 access networks
From multiple sources and events
Over session lifecycle
L2 – Pt-to-Pt vis-à-vis L3 – Pt-to-Cloud
Services and Rules updated based on
How subscriber behaves
What the subscriber requires NOW
Different Services and Rules applied based on
Who the subscriber is
Location of the subscriber
Requirement of the subscriber
Subscriber Awareness - Elements of Customization
Initiators &
Identity
Session
Services
Dynamic
Service
Management
Intelligent
Service
Gateway
Session
authentication
Dynamic Policy Push
and Pull
Session
initiation

Building the Identity and Assigning Services
Example
MAC Addr: 00:DE:34:F1:C0:28
IP Addr: ?
Username: ?
Service: DEFAULT_SRV
Subscriber Session
T0
DHCP Exchange Starts
IP Addr: 10.1.2.211
Username: ?
Service: DEFAULT_SRV
Subscriber Session
T1
DHCP Exchange Completes(*)
IP Addr: 10.1.2.211
Username: dlinegar
Service: PPU_SRV
Akshay
Subscriber Session
T2
Subscriber Authentication(*)
IP Addr: 10.1.2.211
Username: dlinegar
Service: PREMIUM_SRV
Akshay
Subscriber Session
TN
Dynamic Service Update
Identities
Services
DEFAULT_SRV
Only permits management
traffic through the session
PPU_SRV
Pay Per Use Service:
- Permits all traffic
- 512K/1Mbps US./DS
- Accounting enabled on
session
PREMIUM_SRV
Service:
- Permits all traffic
- 1M/8Mbps US/DS
ISG
Subscriber
(*) Order of operations not representative of a real call flow
Subscriber SubscriberSubscriber

Policy
Server
What Is ISG?
Cisco Intelligent Services Gateway
(ISG) is a licensed feature set on
Cisco IOS that provides Session
Management and Policy
Management services to a variety of
access networks
Subscriber Identity
Management
Policy
Management and
Enforcement
DHCP
Server
…AAA
Server
ISG
Web
Portal
Open
Northbound
Interfaces
Subscriber Policy Layer
So focal, that the entire device is often referred as an:
Intelligent Services Gateway router or simply “The
ISG”ISG

Open GardenWalled Garden
Access Technology Abstraction
ATM/Ethernet
Switch
DSL
802.11 or
802.16
Access
Distribution
Ethernet
CMTS
Cable
Subscriber-centric services regardless of Access
Technology, Access Protocol
DSLAM
BRAS/BNG
Access Technology Access Protocol
Legacy DSL/ATM
Metro Ethernet,
Wireless LAN, Cable
IP
PPP

SP-WiFi
Deployments

SP Wi-Fi Deployment Models
At a glance
Access Type Session Initiator Authentication Type MPC Integration
1 Layer 2 Unclassified MAC MAC Address None
2 Layer 2 DHCP MAC Address None
3 Layer 2 Unclassified MAC/ Radius
Proxy
MAC Address / EAP HLR based
4 Layer 3 Unclassified IP / Radius
Proxy
IP Address / EAP HLR based
5 Layer 2 DHCP / Unclassified MAC /
Radius Proxy
MAC Address / EAP PMIPv6 / GTPv1 based and HLR based
6 Layer 2 DHCP / Unclassified / Radius MAC Address / EAP PMIPv6 based, Wholesale services and
HLR based

SP Wi-Fi Access + Aggregation + Core Network
Unified Architecture
Radio Intelligence
Roaming
Partner
Core
Home
Network
Core
AP
WAG
WLC
AP
Aggregation
Switch
VLAN
AP
WLC
AP
Optional
NAT
Access & Wholesale Provider
Mobile Network
Operators
Portal DHCP AAA
PGW/LMA
GGSN
Roaming
Partner
Core
PCRFHLR OCS CGF
Internet Services
Internet Services
Internet Services
GTP
Gn’
S2a
PMIP
AP/CPE
Access Network Policy
MNO Home Network Policy
Hotspot
Public/Large
Venue
Community
WiFi

•  L2 connected network
•  FSOL: Unclassified MAC address in data packet
Connectivity
•  IPv4 Clients
•  External DHCP
IP Addressing
•  Transparent Auto Logon
•  Web Based Logon
Authorization
•  Wi-Fi Services for Residential, Enterprise users. ( per device Billing)
•  For users behind CPE (billing per CPE)
•  Pre-paid service
•  Dynamic Service Selection
Services
SP WiFi Deployment #1

ISG
AAA/
Portal HLR OCS PCRF
Traffic flow
AAA interactions
Architecture Overview
Client
Smartphone
user
PC/Laptop
user
Layer 2 network
GE (dot1Q)
VPLS/EoIP
Int or Sub-int
GE (.1Q)
Services
Web Authentication
Open Access users
EAP users
MPLS /IP
Core
Internet
DHCP Server

•  FSOL: DHCP Initiator
Connectivity
•  IPv4 Clients
•  Internal DHCP ( DHCP Server or Relay)
IP Addressing
•  Transparent Auto Logon
Authorization
Services

AAA/
Portal HLR OCS PCRF
Traffic flow
AAA interactions
Internet
EoIP
Tunnel
Server
VLAN# 2
VLAN# 3
EoIP Tunnel Transport NW
Client
Smartphone user
Access Network
SSID BLUE :: VLAN 2
SSID RED :: VLAN 3
VLAN #2
VLAN #3
SSID RED
SSID BLUE
Layer 2 network
GE (dot1Q)
VPLS/EoIP
DHCP Server
L2 L3 L2EoIP Tunnel Encap Vlan#2
L2 L3 L2EoIP Tunnel Encap Vlan#3

•  FSOL: [BLUE] DHCP Initiator or [RED] Unclassified MAC
Connectivity
•  [BLUE] Dynamic(VRF) domain customer - Internal DHCP
•  [RED] Mobile Data Offload - External DHCP
IP Addressing
•  SSID [BLUE] Transparent Auto Logon (EAP Auth)
•  SSID [RED] Web Based Logon (Open Auth)
Authorization
•  SSID [BLUE] Mobile Packet Core Integration for Billing
•  [BLUE] Dynamic VPN services for L3VPN clients
•  SSID [RED] Mobile Offload Wi-Fi Services -Web Authentication
Services

Packet core integration
ISG Accounting packet also
trigger session in ASR 5000
ISG
AAA/
Portal HLR OCS PCRF
Traffic flow
AAA interactions
Client
Smartfone
user
Access Network
SSID RED :: Simple IP Users
SSID BLUE :: Mobile Offload
VLAN #3
VLAN #2
SSID RED
SSID BLUE
Trusted
Wi-Fi
Mobile
Core
NAT-FW
InternetIPSG
DHCP Server
Accounting Trigger

•  FSOL: Unclassified IP, Radius Accounting Request
Connectivity
•  IPv4 Clients
•  External DHCP (DHCP Server or any L3 Router - Access Zone Router)
IP Addressing
•  IP/ MAC Based Transparent Auto Logon (Collect MAC using DHCP Lease Query)
Authorization
Services

AZR
Hotspot 1
Open Garden
Services
Access Zone Router
(simple L3 Router)Open no-WEP
Web Authentication
EAP
Client
Open no-WEP
Web Authentication
Switch
L2
IOS AP
EAP
Client
IP
ASR1K
Client
Smartphone user
PC/Laptop user
Access Network
Client-to-ISG
L3 network
Hotspot 2
L2
Service
Web authentication for Unclassified IP session.
RADIUS Proxy session with accounting from AZR.
MPLS /IP
Core
Internet
AAA/
Portal HLR OCS PCRF
DHCP Server

SP-WiFi Walk-by
Subscriber Management

Walk-by Subscriber Management
vv
$
•  Walkby users are attached to network.. but not interested in WiFi service
•  Today 9/10 users are Walk-by users ..
•  WiFi resources are oversubscribed .. !!!

Session Life cycle
29
Session
Initiation
Authentication Termination
Service
Activation
Web Logon Phase
Session Allocated with full
resource
Minimal Resource ( Lite session) at session initiation
Dedicated resource for a session during authentication

Default and Dedicated Session Resource Utilization
30
One Default
Session
Upto 128K
Lite
Session
Default session
created for
interface.
To create Default
session
Interfaces are
configured with
default policy.
Lite Session inherits Default Sessions
Lite sessions are always Unauthenticated
sessions.
Lite session is created for the user on
following cases.
Session creation with First sign of Life.
Default-apply (Optional) to create Lite
session on TAL failure case.
Upto 48 K Dedicated sessions
•  Dedicated session is
created for the user on
following cases.
•  Default-exit from Lite
session – (Refer TAL
scenario)
•  Portal-Login attempted by
user- (Refer Portal Login)
One Dedicated
Session
$$$ user
SameCPU/MemoryUtilized

SP-WiFi Evolution &
MPC Integration

Radio Intelligence
Internet
Core
AP
WAG
WLC
AP
Aggregation
Switch
VLAN
AP
WLC
AP
Optional
NAT
Portal DHCP AAA
Internet ServicesAP/CPE
Hotspot
Public/Large
Venue
Community
WiFi
Walled
Garden
Services

Radio Intelligence
Internet
Core
AP
WAG
WLC
AP
Aggregation
Switch
VLAN
AP
WLC
AP
Optional
NAT
Portal DHCP AAA
Internet ServicesAP/CPE
Hotspot
Public/Large
Venue
Community
WiFi
Walled
Garden
Services
Roaming
Partner
Core
Mobile Network
Operators
PGW/LMA
GGSN
Roaming
Partner
Core
PCRFHLR OCS CGF
Internet Services
Internet Services
GTP
Gn’
S2a
PMIP
MNO Home Network Policy

Intelligent Wireless
Access Gateway (iWAG)

Mobile IP Subscriber
•  Subscribers using mobility services (either GTP
or PMIPv6)
•  Subscriber session is anchored on the MPC
(PGW/GGSN) and also maintained on iWAG
•  IP address for the subscribers are allocated from
the MPC, iWAG acts as a proxy DHCP server
•  Subscribers maintain IP address persistency
while roaming across Wi-Fi to Wi-Fi or Wi-Fi to
3G/4G
•  Subscriber authentication is typically performed
using out-of-band or in-band (w.r.t iWAG) EAP-
SIM/AKA
§  Simple IP users do not receive a mobility
service (either GTP or PMIPv6)
§  Subscriber session is anchored and
maintained on iWAG
§  IP address for the subscribers are allocated
either via external DHCP server or via iWAG
itself
§  Subscribers are not expected to have IP
persistency while roaming
§  Subscriber authentication is typically
performed using web-authentication or/and
Transparent Auto-Logon
Simple IP Subscriber

What is iWAG?
GPRS Tunneling Protocol (GTP) for
integrating Wi-Fi traffic into Gateway
GPRS Support Node (GGSN)
ISG Features
•  IPoE Sessions: DHCP initiated, unclassified IP
or MAC-address initiator, Radius-Proxy initiator
•  Layer-4 Redirect
•  Traffic Classes
•  Postpaid & Prepaid Accounting
•  Dynamic Rate Limiting
•  Lawful Intercept
•  Radius based authentication and accounting
•  Radius CoA Interface
•  Per-subscriber QoS
•  IP Session keep-alives, timeouts
•  VRF Transfer
•  Port Bundle Host Key (PBHK)
•  Walk-by session handling/optimization
§  Local Breakout of subscriber traffic for
Simple IP subscribers
§  …..and more http://www.cisco.com/go/isg
Mobile Access Gateway (MAG)
using Proxy Mobile IPv6 (PMIPv6)
for integrating Wi-Fi traffic into
Packet Data Network Gateway
(PGW)
iWAG aka Intelligent
Wireless Access Gateway

ASR 1000 iWAG – IOS XE 3.8S
4G Core
Internet
Portal
GGSN
DHCP
GTP
PGW/LMA
3G Core
L2 Connected
AP
WLC
AP
AAA
Mobile Home Network Policy
PCRFHLR OCS CGF
Gy Gx Ga
Gn’
S2a
PMIPv6
User based Local
Breakout (LBO)
Features:
•  L2 Access & AAA Policy
1.  EAP-SIM/AKA (via WLC) / FSOL – DHCP
2.  EAP-SIM/AKA (via ISG) / FSOL – Radius Proxy
3.  Web Logon /TAL. FSOL – Unclassified MAC
•  GGSN selection via DNS
•  Overlapping MNO address support with multiple SSID
iWAG
ASR1K

PMIPv6 –
Proxy Mobile IPv6

Proxy Mobile IPv6 in a nutshell
§  Proxy Mobile IPv6 Domain: A network where the mobility
management of a mobile node is handled using the Proxy
Mobile IPv6 protocol.
§  Local Mobility Anchor (LMA): LMA is the home agent for
the mobile node in a PMIPv6 domain. It is the topological
anchor point for the mobile node's home network prefix and
is the entity that manages the mobile node's binding state.
§  Mobile Access Gateway (MAG): MAG is a function on an
access router that manages the mobility-related signaling for
a mobile node that is attached to its access link. It is
responsible for tracking the mobile node's movements to
and from the access link
§  Mobile Node (MN): An IP host or router whose mobility is
managed by the network. The MN may be an IPv4-only
node, IPv6-only node, or a dual-stack node and is not
required to participate in any IP mobility related signaling for
achieving mobility for an IP address that is obtained in that
PMIPv6 domain.
§  Correspondent Node (CN): The device that the mobile
node (MN) is communicating with such as a web server. A
correspondent node may be either mobile (e.g. another MN)
or stationary (e.g. server).

How PMIPv6 Facilitates IP Mobility?
§ Retain IP Address & Gateway
§ Attach to same Anchor Point LMA/PGW/GGSN
§ Resolve to same Gateway’s MAC (or Link-Layer address in
IPv6) – RFC6543
Benefits
§  Location Based service by tracking the movement of
Mobile Node – intra & inter MAG movements

PMIPv6 Supports both IPv4 & IPv6
Cisco PMIPv6 implementation is address family
agnostic:
§  Mobile Nodes in a PMIPv6 domain operating in IPv4-
only, IPv6-only, or in dual-stack mode
§  Transport network between the MAG and LMA can be
either IPv4-only, IPv6-only or dual-stack (where IPv4
would be preferred)

Benefits of iWAG
§  Mobile Operator
ü  Reduce network congestion: Reduce OpEx and increase network efficiency by
offloading 3G/4G traffic
ü  Provide access to 3G/4G core inspite of lack of / weak cell signal
ü  Provide access to mobile backhaul which could have better bandwidth and thus
provide better service
§  Wireline/ WiFi Service Providers
ü  Provide Wi-Fi security and subscriber control: Deliver scalable, manageable,
and secure wireless connectivity
ü  Deliver a Wi-Fi platform that offers new, location-based services and enables
new revenue-sharing business models
§  Users
ü  Provide a good QoE to subscribers on Wi-Fi networks
ü  Unified Billing across access network
ü  More options with Wi-Fi platform that enables Location-Based Services

SP-WIFi – iWAG
Deployment Models

•  FSOL: DHCP Initiator or Unclassified MAC or RADIUS Proxy
Connectivity
•  IPv4 Clients
IP Addressing
•  MAC Based Transparent Auto Logon for EPC/MPC integration [PMIP/ GTPv1]
•  Web Based Logon for Local Break Out [LBO]
Authorization
•  Seamless Mobile Packet Core Integration for Policy & Billing
•  Local Break Out [ LBO ] Mobile Offload Wi-Fi Services
Services

Wi-Fi Aggregation with Mobile Packet Core (MPC)

•  FSOL: DHCP Initiator or Unclassified MAC or RADIUS Proxy
Connectivity
•  IPv4 Clients
IP Addressing
•  MAC Based Transparent Auto Logon for EPC/MPC integration [PMIP/ GTPv1]
•  Web Based Logon for Local Break Out [LBO]
Authorization
•  Local Break Out [ LBO ] Mobile Offload Wi-Fi Services
•  Wholesale service to 4G ( Mobile Offload) based on
•  NAI: "mn0@serviceprovider.com" Client-id i.e. DHCP option 61
•  MAC: Calling-station ID ( Radius attribute 31)
Services

Wi-Fi Aggregation with Multiple Mobile Network Operator
(MNO)

WAG Configs

Structured ISG Configuration Model
control policy
Global
On Box
Out Of Box
interface
I.
II.
III.
IV.
III.
Some global configuration
also required
II.
IV.
V.
IV.
I. Configure Northbound interfaces
AAA
Portal/Policy Server - CoA
II. Configure Services and User Profiles
Session Services
Traffic Class Services
User Profiles
III. Configure Subscriber Access
Configure session type and initiator
Create and apply the control policy
IV. Configure Subscriber Authentication
V. Dynamic Management of
Subscriber Services

Control Policy Structure…
•  Configuring ISG mostly implies configuring the control policy
•  Control policy determines the operations to be executed on a session upon different
events
Events:
• Session-start
• Account-logon
• Service-start
• ....
Actions:
• apply/unapply a service
• authenticate (Web Logon)
• authorize (TAL)
• ....
policy-
Event 1
Action 1
Action 2
Event 2
Control policy
Event1
Action1
Action2

Structure of a Policy Map…
•  Configuring ISG mostly implies configuring the control policy
•  Control policy determines the operations to be executed on a session upon different
events
Event 1
Action 1
Action 2
policy-map type control <map name>
class type control always event session-start
10 service-policy type service name <service name>
20 authorize aaa password lab identifier mac
Events:
• Session-start
• Account-logon
• Service-start
• ....
Actions:
• apply/unapply a service
• authenticate (Web Logon)
• authorize (TAL)
• ....
class type control <condition> event service-start
Condition:
Qualify in what cases the event is valid
Configured as a control class:
class-map type control <name>
The event is
always valid

Example: Configure Services and UserProfiles
Traffic Class Services: L4 Redirect
HTTP
IP SA: 192.168.11.1
IP DA: 74.125.19.99
TCP: <SSAP>:80
www.google.com
HTTP
IP SA: 192.168.11.1
IP DA: 192.168.110.10
TCP: <SSAP>:<redirect port>
Web Portal
192.168.110.10 74.125.19.99
class-map type traffic match-any L4R_CM
match access-group input L4R_ACL_IN
!
policy-map type service L4R_SERV
10 class type traffic L4R_CM
redirect to group REDIR_GRP
Service-Name = “L4R_SERV”
Service Password = “servicecisco”
AVPair: ip:traffic-class=input access-group
name L4R_ACL_IN priority 10
AVPair: ip:l4redirect=redirect to group REDIR_GRP
CLI AAA Service Profiles
redirect server-group REDIR_GRP
server ip 192.168.110.10 port 8091
!
ip access-list extended L4R_ACL_IN
permit tcp any any eq www
•  Subscriber’s traffic, matching a flow
description, is redirected to a destination
and a L4 port defined on the ISG
•  Any TCP and UDP traffic can be redirected
•  The target server responsible to handle the
redirected traffic
Additional Configuration required on the ISG
Configure the redirect group
• redirect address
• redirect destination port
Match traffic eligible for
redirection

Example: Configure Services and UserProfiles
Traffic Class Services: OpenGarden
Subscriber
Management Network
• Used to permit specific traffic over an unauthenticated session while dropping everything else
• Typically used to allow bidirectional communication w/ the subscriber management network
• Also used to grant access to guest access networks
• DHCP Server
• DNS Server
• AAA Server
• Policy Server
• Web Portal
• ....
class-map type traffic match-any OG_CM
match access-group input OG_ACL_IN
match access-group output OG_ACL_IN
!
policy-map type service OPENGARDEN_SERV
20 class type traffic OG_CM
!
class type traffic default in-out
drop
Service-Name = “OPENGARDEN_SERV”
Service Password = “servicecisco”
AVPair: ip:traffic-class=input access-group
name OG_ACL_IN priority 20
AVPair: ip:traffic-class=output access-group
name OG_ACL_OUT priority 20
AVPair: ip:traffic-class=in default drop
AVPair: ip:traffic-class=out default drop
ip access-list extended OG_ACL_IN
permit ip any 192.168.110.0 0.0.0.255
!
ip access-list extended OG_ACL_OUT
permit ip 192.168.110.0 0.0.0.255 any
192.168.110.0
allow bidirectional communication w/ the subscriber
management network
A more specific ACL targeting exact servers can and should
be cfged

WAG Call-Flows

Portal AAADHCP
IP Packet
Session-start
event posted
2 BNG session creation
3 PBHK service applied (*)
4a Access-Request
username = mac
4bAccess-Reject
5 OpenGarden and L4R services
applied (*)
2
6 Authentication Timer started
(*) assumes that the definition of
PBHK, L4R and OpenGarden are
already available on the BNG
class type control always event session-start
10 service-policy type service name PBHK_SRV
20 authorize aaa list IP_AUTHOR_LIST password
cisco123 identifier mac-addr
30 service-policy type service name OG_SRV
40 service-policy type service name L4R_SRV
50 set-timer AUTHEN_TMR 10
2
3
4a
5
6
interface GigabitEthernet 0/0.1
encapsulation dot1Q 10
ip address ...
service-policy type control IP_SESSION_RULE1
ip subscriber l2-connected
initiator unclassified-mac
policy-map type control IP_SESSION_RULE1
<snip>
2
Client obtains IP address
independent of the BNG
1

Portal AAADHCP
http://www.cisco.com
7 L4Redirect to Portal8
HTTP Redirect. User self-registers9
CoA Req. Account Logon
username, password
11bAccess-Accept
service: BASIC_HSI_SRV
Access-Request
username, password
Account-
Logon event
posted
Service-start
event posted
11a
12bAccess-Accept BASIC_HSI_SRV
definition
Access-Request
BASIC_HSI_SRV, srvpwd
12a
13 BASIC_HSI_SRV is applied
L4R and OpenGarden services are unapplied
10a
CoA Ack. Account Logon
http://www.cisco.com14
10c
11a
15
Accounting-Request (Start) and
Response
Simplified call flow
10b
10b
11c
aaa author subscriber-service default
SERVER_GRP1
subscriber service password servicecisco
class type control always event account-logon
10 authenticate aaa list IP_AUTHEN_LIST
20 service-policy type service unapply
name L4R_SRV
30 service-policy type service unapply
name OG_SRV
!
class type control BASIC_HSI_SRV_CM event service-start
10 service-policy type service identifier service- name
Service-Name: “BASIC_HSI_SRV”
Service-Password: “servicecisco”
Attr 28: idle-timeout = 600
AVPair: “subscriber:accounting-list= IP_ACCNT_LIST”
ServiceInfo: QU;256000;D;768000;
12a
12b
11c

interface Ethernet0/0
service-policy type control default <default-pmap-name>
service-policy type control <regular-pmap-name>
ip subscriber [l2conected | routed]
initiator [radius-proxy | unclassified-ip | unclassified-mac ]
Default session created when the default
service-policy defined.
Supported initiators:
unclassified-mac
unclassified-ip
radius-proxy for DHCP-accounting
DHCP initiator in roadmap
Walk-by Interface configuration

Walk-by
58
Default Policy
Step1 :: Default interface Session to manage Walkby
Subscribers
Data Traffic from User towards Gateway
(BNG)
Step2 :: Based on the Default policy a Lite session is created
dynamically for Walkby Subscribers (inherits Default
Session)
Account / Service
Logon
3) User enters credentials in Portal for authorizing
Step 4 ::
Dedicated
User Session
Created
Walkby User
Lite SessionDedicated
Session

interface bundle-ether100.1
ipv4 point-to-point
ipv4 unnumbered loopback2000
service-policy type control subscriber WEB_LOGON
encapsulation dot1q 10
ipsubscriber ipv4 l2-connected
initiator dhcp
dhcp ipv4
profile IP_DEFAULT proxy
helper-address <DHCP Server> giaddr <giaddr>
relay information option
relay information policy keep
relay information option allow-untrusted
interface Bundle-Ether100.1 proxy profile IP_DEFAULT
PORTAL
Session-start
BNG session creation
aaa attribute format USERNAME
format-string length 253 "%s" client-mac-address
dynamic-template
type ipsubscriber UNAUTH_TPL
ipv4 unnumbered Loopback100
policy-map type control subscriber WEB_LOGON_PM
event session-start match-first
class type control subscriber DHCP do-until-failure
10 activate dynamic-template UNAUTH_TPL
20 authorize aaa list format USERNAME password cisco
DHCP-Discover
DHCP-Offer
DHCP-Accept
DHCP-Request
http://www.cisco.com – HTTP TCP SYN
HTTP TCP SYN ACK
HTTP TCP ACK
HTTP GET
HTTP 307 (redirect URL)
HTTP session establishment
WAG HTTP Redirect from XR 4.2.1 ASR9000
For Your
Reference

Portal AAADHCP
HTTP Redirect. User self-registers
CoA Req. Account Logon
username, password
Access-Request
username, password
Account-
Logon event
posted
HTTPRDRT service is unapplied
CoA Ack. Account Logon
http://www.cisco.com
Accounting-Request (Start) and
Response
Simplified call flow
dynamic-template
type ipsubscriber HTTPRDRT_TPL
service-policy type pbr HTTPRDRT_PBR
policy-map type pbr HTTPRDRT_PBR
class type traffic OpG_CM
transmit
class type traffic HTTPRDRT_CM
http-redirect http://192.168.210.168/
class type traffic class-default
drop
end-policy-map
policy-map type control subscriber WEB_LOGON
event authorization-failure match-first
10 activate dynamic-template HTTPRDRT_TPL
20 set-timer UNAUTH_TMR 7
event account-logon match-all
class type control subscriber DHCP do-all
1 authenticate aaa list default
10 deactivate dynamic-template HTTPRDRT_TPL
event timed-policy-expiry match-first
10 disconnect
Access-Accept
WAG HTTP Redirect from XR 4.2.1 ASR9000 For Your
Reference

SP WiFi-4G Integration Architecture
L2 Connected
AP
WLC
AP
Internet
iWAG
ASR1K
AAA
Mobile Home Network Policy
PCRFHLR OCS CGF
EAP-SIM/AKA
Authentication
(out-of-band)
FSOL: DHCP Discover
Gy Gx Ga
Model #
Access
Type
Authentication FSOL Service IP
1 Layer 2
EAP-SIM/AKA (out-of-
band)
DHCP
Discover
PGW/LMA
DHCP
Service IP
4G Core
S2a PMIP
PGW/LMA

4G Mobile user: EAP-SIM (out-of-band), FSOL: DHCP,
tunnel: PMIPv6
Device AP+WLC HLRAAA
CAR+ITP
802.1x
EAP Request/ID
EAP ID Response/ID
EAP-SIM Method, Recover IMSI from Pseudonym or Fast Re-Auth ID
RADIUS Access Accept
MAP SEND
AUTH INFO Res
MAP SEND
AUTH INFO Req
iWAG P-GW PCRF
MAP SRI for
LCS Req (IMSI)
MAP SRI for LCS
Res (MSISDN)
Cache MAC,
IMSI, MSISDN,
subscriber profile
Policy Manager
Sub DB
Recover Subscription
Profile (IMSI)
Store MSISDN
Configure authorized IMSIs on the
Subscriber database with WiFi
Subscriber Profile.
WiFi Subscriber Profile:
Realm, WiFi APN, Charging
Characteristics, IPv4/IPv6 service
IMSI Authenticated, but MSISDN
unknown
ITPITPITPITP
RADIUS Access Request
(username= EAP ID, calling station ID = MAC, called-station-ID = AP:SSID)
EAP SUCCESS
VLAN

Call flow 4G EAP-SIM out-of-band (2/2)
Device AP+WLC HLRDHCP/MAG
DHCP Offer (a.b.c.d)
DHCP Req/Ack
(Primary DNS recovered from
PBA)
P-GW/LMA PCRF
PBU
Gx:CCR-I
Gx:CCA-I
PBA
PMIPv6
PBA: IPv4 Home Address (HoA)
PCO: Primary DNS
SPR/
Sub DB
Open PGW-CDR
With container for WiFi
Service, subscriber ID =
MSISDN
RF: Diameter ACR
RF: Diameter ACA
Gx:CCR-I: IMSI, MSISDN, APN,
RAT Type
Subscriber ID Type = E.164,
RAT=WiFi
SP: Recover Subscriber Profile
Policy Profile to Apply
IPv4 HoA = 0.0.0.0
MN-ID (imsi@realm), SSMO (APN),
MSISDN, CHARGING
CHARACTERISTICS , ATT = Wi-Fi
iWAG
ITPITPITPITP
AAA
CAR+ITP
RADIUS Access Request (Calling Station ID = Source MAC address)
RADIUS Access Accept(User Profile)
Source MAC Address: DHCP Discover
User Profile VSAs:
CISCO-SERVICE-SELECTION (APN),
CISCO-MOBILE-NODE-IDENTIFIER
(IMSI@realm) , LMA,
CISCO-MSISDN,
3GPP-CHARGING-CHARS,
CISCO-MN-SERVICE (IPv4)
4G Mobile user: EAP-SIM (out-of-band), FSOL: DHCP,
tunnel: PMIPv6

SP Wi-Fi Deployment Models
At a glance
Access Type Session Initiator Authentication Type MPC Integration
1 Layer 2 Unclassified MAC MAC Address None
2 Layer 2 DHCP MAC Address None
3 Layer 2 Unclassified MAC/ Radius
Proxy
MAC Address / EAP HLR based
4 Layer 3 Unclassified IP / Radius
Proxy
IP Address / EAP HLR based
5 Layer 2 DHCP / Unclassified MAC /
Radius Proxy
MAC Address / EAP PMIPv6 / GTPv1 based and HLR based
6 Layer 2 DHCP / Unclassified / Radius MAC Address / EAP PMIPv6 based, Wholesale services and
HLR based

Recommended Reading for BRKSPG-2687
6565
Please visit the Cisco Book Store in the
World of Solutions and browse through the
extensive range of Cisco Press titles.

Complete Your Paper
“Session Evaluation”
Give us your feedback and you could win
1 of 2 fabulous prizes in a random draw.
Complete and return your paper
evaluation form to the room attendant
as you leave this session.
Winners will be announced today.
You must be present to win!
..visit them at BOOTH# 100

Thank you.

68
Satellite
Links
SW
Radio
MW
Radio
FM
Radio
Mobile
TelephonyWLANsBlueooth
1,000 Km100 Km10 Km1 Km100 m10 m1 m
Wireless Systems: Range Comparison
Source : Introduction to IEEE Std. 802.22-2011 and its Amendment PAR for P802.22b:
Broadband Extension and Monitoring – Apurva N. Mody & team
Wireless Communication Dr. B. Baha, University of Brighton, UK
For Given Range of Power there are several
Wireless communication Possible

Bit rate (Mbit/s) – Values are approximated for overview
Standard Peak Downlink Peak Uplink Range
CDMA 4.9 1.8000 ~29 km (18 mi)
GSM EDGE Evolution 1.9 0.9472 ~26 km (16 mi)
LTE 326.4 86.4
WiMAX : 802.16e 70 70 ~6.4 km (4 mi)
WiFi : 802.11a 54 54 ~30m
WiFi: 802.11b 11 11 ~30m
WiFi: 802.11g 54 54 ~30m
WiFi: 802.11n 600 600 ~50m
WiGi: 802.11ac & 802.11ad >1000 >1000 ~!!!!!
SP Wireless Communication standards

WiFi – Mobile BNG Offload Deployments

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (7)

Semelhante a WiFi – Mobile BNG Offload Deployments

Semelhante a WiFi – Mobile BNG Offload Deployments (20)

Mais de Cisco Canada

Mais de Cisco Canada (20)

Último

Último (20)

WiFi – Mobile BNG Offload Deployments