When a GTPv2 Create Session Request message arrives, SR OS looks up the required authentication mechanism in the applicable APN policy. To aid identification, you can configure both RADIUS and NASREQ with GTP-specific include attributes such as IMSI, MSISDN, and IMEI. If a PAP message is present in the PCO IE of the Create Session Request, the system uses that username and password for authentication; if not, it falls back to the username and password configured in the configure subscriber-mgmt authentication-policy context. For LUDB-based authentication, it is recommended to use derived-id for identification values.
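The credential selection described above, as an added Python example (not SR OS code): it parses a PCO IE value using the 3GPP TS 24.008 layout, extracts a PAP Authenticate-Request (RFC 1334) if one is present, and otherwise returns the policy-configured pair. Function names and sample values are constructed, and treating a malformed PAP entry as absent is an assumption of this example, not documented SR OS behaviour.

```python
import struct

PAP_PROTOCOL_ID = 0xC023   # PPP PAP protocol ID inside the PCO
PAP_AUTH_REQUEST = 1       # PAP Authenticate-Request code (RFC 1334)

def _parse_pap(pkt):
    """Decode a PAP Authenticate-Request; None if malformed."""
    if len(pkt) < 6:
        return None
    code, _ident, plen = struct.unpack_from("!BBH", pkt, 0)
    if code != PAP_AUTH_REQUEST or not 6 <= plen <= len(pkt):
        return None
    pkt = pkt[:plen]
    ulen = pkt[4]
    if 5 + ulen >= len(pkt):          # no room for the password length octet
        return None
    wlen = pkt[5 + ulen]
    if 6 + ulen + wlen > len(pkt):    # password would run past the packet
        return None
    user, pw = pkt[5:5 + ulen], pkt[6 + ulen:6 + ulen + wlen]
    return user.decode("utf-8", "replace"), pw.decode("utf-8", "replace")

def extract_pap(pco):
    """Return (username, password) from a PCO IE value, or None."""
    if not pco or not pco[0] & 0x80 or pco[0] & 0x07:
        return None                   # need ext bit and config protocol 000 (PPP)
    pos = 1
    while pos + 3 <= len(pco):
        proto_id, length = struct.unpack_from("!HB", pco, pos)
        body = pco[pos + 3:pos + 3 + length]
        if len(body) != length:
            return None               # truncated entry: never read past the IE
        if proto_id == PAP_PROTOCOL_ID:
            return _parse_pap(body)
        pos += 3 + length             # skip non-PAP entries such as IPCP
    return None

def select_credentials(pco, policy_user, policy_password):
    """PAP from the PCO wins; otherwise the policy-configured pair is used."""
    pap = extract_pap(pco)
    return pap if pap is not None else (policy_user, policy_password)

# Constructed sample: an IPCP entry (skipped), then a PAP Authenticate-Request.
_ipcp = bytes.fromhex("01000010810600000000830600000000")
_pap = b"\x01\x01\x00\x0f\x04user\x05p4ss!"
SAMPLE_PCO = (b"\x80" + struct.pack("!HB", 0x8021, len(_ipcp)) + _ipcp
              + struct.pack("!HB", PAP_PROTOCOL_ID, len(_pap)) + _pap)
```

PAP carries the password in cleartext, so code that handles the PCO should keep the decoded value out of logs and traces.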
Authentication is performed per GTP session and not per IP stack (host). Therefore, the initial authentication returns parameters for all stacks that need to be set up.
After a successful authentication, a Create Session Response message is sent, which carries all relevant parameters, including the assigned addresses, DNS servers, and applicable QoS values. The Create Session Response message is followed by an initial Modify Bearer Request message. When the host setup is completed with a Modify Bearer Response message, downstream data can flow toward the eNodeB. If IPv6 is enabled, an unsolicited RA is sent.
Figure: High-level example of GTP access setup shows a high-level overview of the setup call flow using RADIUS authentication.