Diameter NASREQ application

The Diameter NASREQ application is used for Authentication, Authorization, and Accounting services in the Network Access Server (NAS) environment. The SR OS supports a stateless operation of NASREQ authentication and authorization, interacting with a NASREQ server that does not maintain session state.

Subscriber host or session authentication results in an AA-Request (AAR) message being sent to the Diameter NASREQ server. An Auth-Session-State AVP with value equal to 1 (No State Maintained) is included in the AAR to inform the server of the stateless mode. The server responds with an AA-Answer (AAA) message and must include the Auth-Session-State AVP with value equal to 1 (No State Maintained), together with the authorization AVPs.

Diameter NASREQ accounting is not supported.

Table: Supported Diameter NASREQ messages lists the supported Diameter NASREQ messages. Vendor-specific AVPs are shown as: v-<vendor-id>-<AVP id>.

Table: Supported Diameter NASREQ messages
| Diameter message | Code |
|---|---|
| AAR (AA-Request) | 265 |
| AAA (AA-Answer) | 265 |

Diameter NASREQ authentication is supported for IPoE hosts and sessions, and for PPPoE PTA PAP/CHAP authentication. Diameter NASREQ authentication is not supported for L2TP LAC/LNS.

NASREQ and RADIUS authentication cannot be configured simultaneously on a capture-sap, local-user-database, or group-interface. They have the same priority in the hierarchy of different sources (such as local user database, Gx, defaults, and so on) for obtaining the subscriber host or session authorization parameters.

Multi-chassis redundancy is supported via separate Diameter NASREQ peers on each redundant node. Each node of the multi-chassis redundancy pair has its own Diameter Identity (origin host or realm). The subscriber host or session is authenticated on the BNG where it is initially connected. Because of the stateless operation, there is no need to synchronize NASREQ session state. Alternatively, Diameter Multi-Chassis Redundancy can be deployed as described in Diameter redundancy.

The following rules apply for stateless NASREQ re-authentication:

Stateless NASREQ authentication can be complemented with Diameter Gx policy management for policy control and mid-session changes. Diameter NASREQ and Gx applications are supported simultaneously on a single Diameter peer.

Figure: Sample Diameter NASREQ call flow shows a sample call flow for a subscriber using Diameter NASREQ for authentication and Diameter Gx for policy management.

Figure: Sample Diameter NASREQ call flow

Table: AA-Answer message — accepted authorization AVPs lists the authorization AVPs that are accepted in a Diameter NASREQ AA-Answer message. Vendor-specific AVPs are shown in the table as: v-<vendor-id>-<AVP-id>.

Table: AA-Answer message — accepted authorization AVPs
| AVP ID | AVP name | Description |
|---|---|---|
| 1 | User-Name | Overrides the "Radius User-Name". |
| 8 | Framed-IP-Address | The IPv4 address of the subscriber host. |
| 9 | Framed-IP-Netmask | The IPv4 netmask of the subscriber host. |
| 22 | Framed-Route | IPv4 managed route to be configured on the NAS for a routed subscriber host. |
| 25 | Class | Opaque value; echoed in RADIUS accounting. |
| 88 | Framed-Pool | The name of an IPv4 address pool. |
| 97 | Framed-IPv6-Prefix | SLAAC IPv6 prefix (wan-host). |
| 99 | Framed-IPv6-Route | IPv6 managed route to be configured on the NAS for a v6 routed subscriber host. |
| 100 | Framed-IPv6-Pool | The name of an IPv6 IA-NA address pool (wan-host). |
| 123 | Delegated-IPv6-Prefix | DHCPv6 IA-PD IPv6 prefix (pd-host). |
| 26.6527.9 | Alc-Primary-Dns | The IPv4 address of the primary DNS server. |
| 26.6527.10 | Alc-Secondary-Dns | The IPv4 address of the secondary DNS server. |
| 26.6527.11 | Alc-Subsc-ID-Str | Unique subscriber ID string. |
| 26.6527.12 | Alc-Subsc-Prof-Str | Subscriber profile string. |
| 26.6527.13 | Alc-SLA-Prof-Str | SLA profile string. |
| 26.6527.16 | Alc-ANCP-Str | ANCP string. |
| 26.6527.17 | Alc-Retail-Serv-Id | The service-id of the retailer to which this subscriber host belongs. |
| 26.6527.18 | Alc-Default-Router | The default gateway for the user (DHCP option [3] default-router for a DHCPv4 proxy). |
| 26.6527.28 | Alc-Int-Dest-Id-Str | Intermediate destination ID string. |
| 26.6527.29 | Alc-Primary-Nbns | The IPv4 address of the primary NetBIOS Name Server (NBNS). |
| 26.6527.30 | Alc-Secondary-Nbns | The IPv4 address of the secondary NetBIOS Name Server (NBNS). |
| 26.6527.31 | Alc-MSAP-Serv-Id | Service ID where the managed SAP is to be created. |
| 26.6527.32 | Alc-MSAP-Policy | Managed SAP policy used to create the MSAP. |
| 26.6527.33 | Alc-MSAP-Interface | Group-interface name where the managed SAP is to be created. |
| 26.6527.45 | Alc-App-Prof-Str | Application profile string. |
| 26.6527.99 | Alc-Ipv6-Address | DHCPv6 IA-NA IPv6 address (wan-host). |
| 26.6527.105 | Alc-Ipv6-Primary-Dns | The IPv6 address of the primary DNSv6 server. |
| 26.6527.106 | Alc-Ipv6-Secondary-Dns | The IPv6 address of the secondary DNSv6 server. |
| 26.6527.131 | Alc-Delegated-Ipv6-Pool | The name of an IPv6 IA-PD prefix pool (pd-host). |
| 26.6527.161 | Alc-Delegated-Ipv6-Prefix-Length | DHCPv6 IA-PD prefix length (pd-host). |
| 26.6527.174 | Alc-Lease-Time | The lease-time for proxy, in seconds. |
| 26.6527.181 | Alc-SLAAC-IPv6-Pool | The name of an IPv6 SLAAC prefix pool (wan-host). |
| 26.6527.1036 | Alc-SPI-Sharing | Grouped AVP. Sets the SLA Profile Instance (SPI) sharing method for this subscriber session to SPI sharing per group or default. |
| 26.6527.1037 | Alc-SPI-Sharing-Type | Must be included in an Alc-SPI-Sharing grouped AVP. Sets the SPI sharing method. Value 0 = default as specified in the SLA profile with def-instance-sharing; the Alc-SPI-Sharing-Id AVP should not be present. Value 2 = per group; the group identifier is specified with the Alc-SPI-Sharing-Id AVP. |
| 26.6527.1038 | Alc-SPI-Sharing-Id | Must be included in an Alc-SPI-Sharing grouped AVP. Specifies the group identifier when SPI sharing is per group. |
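
The following added example (not SR OS code and not part of the original documentation) decodes an AA-Answer and checks the two points described above: that Auth-Session-State is 1 (No State Maintained) and which authorization AVPs from the accepted table are present. It assumes the RFC 6733 wire format and AVP codes (Auth-Session-State = 277), and that a table entry 26.6527.N is carried as Diameter AVP code N with Vendor-Id 6527; the function names and sample messages are constructed for illustration.

```python
import struct

AA_CODE, NASREQ_APP = 265, 1             # command code from the page; NASREQ application id
AUTH_SESSION_STATE, NO_STATE = 277, 1    # RFC 6733 AVP code and No State Maintained value
BASE = {263, 264, 268, 296}              # Session-Id, Origin-Host, Result-Code, Origin-Realm
# Subset of the accepted table as (vendor-id, code); assumes 26.6527.N = vendor 6527, code N.
ACCEPTED = {(0, 1): "User-Name", (0, 88): "Framed-Pool", (6527, 13): "Alc-SLA-Prof-Str"}

def avp(code, data, vendor=0):
    """Encode one AVP: code, flags, 24-bit length, optional Vendor-Id, zero padding."""
    vend = struct.pack("!I", vendor) if vendor else b""
    length = 8 + len(vend) + len(data)
    return (struct.pack("!IB", code, 0x80 if vendor else 0x40) +
            length.to_bytes(3, "big") + vend + data + b"\0" * (-length % 4))

def answer(avps):  # build a constructed AA-Answer (R bit clear) for the samples below
    body = b"".join(avps)
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + b"\x00" +
            AA_CODE.to_bytes(3, "big") + struct.pack("!III", NASREQ_APP, 1, 1) + body)

def check_aaa(msg):
    """Return (stateless_ok, accepted AVP names, unlisted (vendor, code) pairs)."""
    if (len(msg) < 20 or msg[0] != 1 or int.from_bytes(msg[1:4], "big") != len(msg)
            or msg[4] & 0x80 or int.from_bytes(msg[5:8], "big") != AA_CODE):
        raise ValueError("not a well-formed AA-Answer")
    stateless, names, unlisted, off = False, [], [], 20
    while off < len(msg):
        if len(msg) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", msg, off)
        length = int.from_bytes(msg[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8          # V bit adds a 4-byte Vendor-Id
        if length < hdr or off + length > len(msg):
            raise ValueError("bad AVP length")
        vendor = struct.unpack_from("!I", msg, off + 8)[0] if flags & 0x80 else 0
        if (vendor, code) == (0, AUTH_SESSION_STATE):
            stateless = msg[off + hdr:off + length] == struct.pack("!I", NO_STATE)
        elif (vendor, code) in ACCEPTED:
            names.append(ACCEPTED[(vendor, code)])
        elif vendor or code not in BASE:
            unlisted.append((vendor, code))
        off += length + (-length % 4)            # AVPs are padded to 4 bytes
    return stateless, names, unlisted

# Constructed samples: a conforming answer, and one that claims state is maintained.
COMMON = [avp(263, b"bng1;1;1"), avp(268, struct.pack("!I", 2001))]
GOOD = answer(COMMON + [avp(277, struct.pack("!I", 1)), avp(88, b"pool-1"),
                        avp(13, b"sla-basic", vendor=6527)])
BAD = answer(COMMON + [avp(277, struct.pack("!I", 0)), avp(9999, b"x", vendor=6527)])
```

An answer where the first element is False, or where the unlisted list is non-empty, is worth logging when troubleshooting a NASREQ server that does not follow the stateless mode.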