Dialogic GATEWAYS 1010 User Manual

Integrated Media Gateway
RADIUS
Release 10.5.x / 10.3.x
Printer-Friendly Documentation
® support site: www.cantata.com
Important Notice:
Copyright Notice and Legal Disclaimer
Copyright © 2005-2008 Dialogic Corporation. All Rights Reserved. You may not reproduce this document in whole or in part without permission in writing from Dialogic Corporation at the address provided below.
All contents of this document are furnished for informational use only and are subject to change without notice and do not represent a commitment on the part of Dialogic Corporation or its subsidiaries (“Dialogic”). Reasonable effort is made to ensure the accuracy of the information contained in the document. However, Dialogic does not warrant the accuracy of this information and cannot accept responsibility for errors, inaccuracies or omissions that may be contained in this document.
INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH DIALOGIC® PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN A SIGNED AGREEMENT BETWEEN YOU AND DIALOGIC, DIALOGIC ASSUMES NO LIABILITY WHATSOEVER, AND DIALOGIC DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF DIALOGIC PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY INTELLECTUAL PROPERTY RIGHT OF A THIRD PARTY.
Dialogic products are not intended for use in medical, life saving, life sustaining, critical control or safety systems, or in nuclear facility applications.
It is possible that the use or implementation of any one of the concepts, applications, or ideas described in this document, in marketing collateral produced by or on web pages maintained by Dialogic may infringe one or more patents or other intellectual property rights owned by third parties. Dialogic does not provide any intellectual property licenses with the sale of Dialogic products other than a license to use such product in accordance with intellectual property owned or validly licensed by Dialogic and no such licenses are provided except pursuant to a signed agreement with Dialogic. More detailed information about such intellectual property is available from Dialogic’s legal department at 9800 Cavendish Blvd., 5th Floor, Montreal, Quebec, Canada H4M 2V9. Dialogic encourages all users of its products to procure all necessary intellectual property licenses required to implement any concepts or applications and does not condone or encourage any intellectual property infringement and disclaims any responsibility related thereto. These intellectual property licenses may differ from country to country and it is the responsibility of those who develop the concepts or applications to be aware of and comply with different national license requirements.
Trademarks
Dialogic, Dialogic Pro, Brooktrout, Cantata, SnowShore, Eicon, Eicon Networks, Eiconcard, Diva, SIPcontrol, Diva ISDN, TruFax, Realblocs, Realcomm 100, NetAccess, Instant ISDN, TRXStream, Exnet Exnet Connect, EXS, ExchangePlus VSE, Switchkit, N20, Powering The Service-Ready Network, Vantage, Connecting People to Information, Connecting to Growth and Shiva, among others as well as related logos, are either registered trademarks or trademarks of Dialogic. Dialogic's trademarks may be used publicly only with permission from Dialogic. Such permission may only be granted by Dialogic’s legal department at 9800 Cavendish Blvd., 5th Floor, Montreal, Quebec, Canada H4M 2V9. Any authorized use of Dialogic's trademarks will be subject to full respect of the trademark guidelines published by Dialogic from time to time and any use of Dialogic’s trademarks requires proper acknowledgement.
Microsoft® Excel, Internet Explorer®, Windows®, Windows NT® are registered trademarks of Microsoft Corporation in the United States and/or other countries. Other names of actual companies and products mentioned herein are the trademarks of their respective owners.
This document discusses one or more open source products, systems and/or releases. Dialogic is not responsible for your decision to use open source in connection with Dialogic products (including without limitation those referred to herein), nor is Dialogic responsible for any present or future effects such usage might have, including without limitation effects on your products, your business, or your intellectual property rights.
Technical Support
Technical Support Number: 781-433-9600
Technical Support Fax: 781-449-9520
Industry Standards
This documentation contains many references to ITU-T standards. Originally, the CCITT made international standards for modulation, data transfer, and data compression protocols. The CCITT later became the ITU-T, or International Telecommunications Union Telecommunication Standardization Sector. CCITT standards are synonymous with ITU-T standards. For more details on these standards, go to www.itu.org.
This documentation also refers to American National Standards Institute (ANSI) standards. ANSI administers and coordinates the U.S. voluntary standardization and conformity assessment system for the telecommunications industry. More details on these standards may be viewed at www.ansi.org.
Related Training
Dialogic offers a variety of training courses for the IMG 1010 Integrated Media Gateway and IMG 1004 Integrated Media Gateway. Instructors present a comprehensive description of hardware and software components and their interaction. Laboratory sessions provide hands-on experience for developing efficient, robust telecommunication.
For information, call 1-508-862-3000 and ask for a Training representative.
Contacting Technical Support for Hardware Failures
To expedite the process of returning defective hardware, please provide the serial number of the IMG and a shipping address.
Technical Support will investigate to determine whether the IMG may be defective, or if it is instead exhibiting a software issue that can be confused as a hardware problem. An example of an indication of a hardware defect would be an LED that fails to display any status.
Recommendations for System Supportability
The following are key elements we have identified across our customer base that have made them successful in their development and deployment of solutions incorporating Dialogic® products. We are passing these onto you as suggestions to consider when designing and building solutions. Not all of these suggestions are appropriate for all customers, but we hope you consider them carefully.
If Your Solution Requires High Availability:
Order redundant configurations
Purchase onsite spares
Follow the limitations for power and configurations as noted in the Dialogic® Product Documentation
Have your developers and technicians trained on the Dialogic® IMG 1010 Integrated Media Gateway
Have your developers and technicians trained on the Dialogic® IMG 1004 Integrated Media Gateway
Enable Logging in your application so that problems can be diagnosed and corrected
Develop test scripts, environments, and systems that best simulate the environment of intended use for each release and each fix you deliver to your customers
Implement Software Configuration Management to track every revision and change that you release to your customers
Review your call flows and APIs with Dialogic Technical Support to identify opportunities to optimize your solution with regard to our product capabilities
Purchase a support agreement from Dialogic
If you are running a network with Dialogic® Products in it, in addition to the above suggestions, also:
Have backup systems for power
Review your network design with Dialogic Technical Support to identify opportunities to optimize your solution with respect to our product capabilities
Design your network to allow for alternative routes and logical assignments to more quickly address any service affecting issues.
Control your system environment and configuration changes
Plan your network management and monitoring strategy
Ensure that your technicians are trained in all network elements and interfaces
Monitor your network every day, around the clock.
Have the ability to get someone to every site without delay
Have a complete list of contact information for the support arm of each network element you deploy
Provide for supplier remote access if required to diagnose and resolve an issue
All of us at Dialogic want you, our valued customer, to be successful. For additional information regarding our support services and how we can work more closely together for our mutual success, contact us at our support website at http://www.cantata.com/support or contact a sales representative at sales@cantata.com.
Table Of Contents
An Overview of RADIUS on the IMG
  Overview
  Specifications
  Formats
  Scenarios
  RADIUS Server Redundancy
  Supported Packet Types
  RADIUS Server Debug Mode
  RADIUS Server Failure Alarm
RADIUS Scenarios
Generic RADIUS Attributes
Cantata VSAs
RADIUS Call Flow: SS7 to SIP
RADIUS Call Flow: SS7 to H.323 - Release from SS7
RADIUS Call Flow: SS7 to H.323 - Release from SS7
RADIUS CDR Example: SS7 to H.323
RADIUS CDR Example: SIP-to-ISDN
RADIUS CDR Example: SIP to SS7
RADIUS CDR Example - SIP to SIP with Proxy and DNS
RADIUS CDR Example: CAS to SS7
RADIUS CDR Example: SS7 to CAS
RADIUS Call Trace Example: Pre-Paid Support
Incomplete Call Behavior
Configuring RADIUS
  Before You Begin
  Task Summary
  Configuring a RADIUS Authentication Server (Optional)
  Configuring a RADIUS Accounting Server
  Configuring a RADIUS Client
Configuring Free RADIUS using GCEMS as a RADIUS Server
  Requirements
  Steps
Radius Client
  Overview
  Field Descriptions
Radius Server
  Overview
  Field Descriptions
  Display Table
Radius Servers
  Overview

An Overview of RADIUS on the IMG


Overview

The IMG uses the Remote Authentication Dial In User Service (RADIUS) protocol for streaming Call Detail Records (CDR). The implementation is compliant with RFC 2865 and RFC 2866. The RADIUS messages are sent to external RADIUS servers. The IMG RADIUS interface generates an ACCESS, a START and a STOP Request for the inbound leg and a START and a STOP Request for the outbound leg of the call, as well as data associated with the INVITE, the 200 OK, the BYE and the CANCEL methods for those legs that use the SIP protocol.

Specifications

The IMG implementation of RADIUS is based on the following RADIUS RFCs:
RFC 2865 - Remote Authentication Dial-In User Service (RADIUS)
RFC 2866 - RADIUS Accounting

Formats

The IMG 1010 supports the Cantata RADIUS formats, which include some attributes defined by RFC 2865 and RFC 2866, as well as Cantata Vendor Specific Attributes (VSA).

Scenarios

The IMG 1010 supports RADIUS Authentication and Accounting. An IMG 1010 customer has the option of using one of the following scenarios:
Authentication and Accounting
In this case an Authentication Server and an Accounting Server are both assigned to the RADIUS client on the IMG.
Accounting only
In this case only an Accounting Server is assigned to the RADIUS client on the IMG.
Authentication only
In this case only an Authentication Server is assigned to the RADIUS client on the IMG 1010.
See RADIUS Scenarios for more details.
As per RFC 2865 and RFC 2866, the IMG 1010 uses port 1812 for Authentication and port 1813 for Accounting by default, but these ports are configurable. The Authentication and Accounting servers could be the same entity, in which case both servers will have the same IP address, or they could be different entities with different IP addresses.
The RADIUS attributes and VSAs included in the messages will vary based on the protocol used for a specific side of the call, depending on whether it is a TDM protocol (SS7 or ISDN) or IP protocol (SIP or H.323).
The User name and Password values configured for the Authentication Server will be included in the user name and password attributes in the Access Request message sent from the IMG.

RADIUS Server Redundancy

The IMG 1010 supports an Active Standby redundancy scheme. Redundancy logic is independent for Authentication and Accounting Servers. When configuring RADIUS servers you may create them with an initial priority preference. The IMG will begin using the preferred server(s) and switch over to an alternate server after detecting a communication failure to the currently active server. Once the switchover occurs, all future RADIUS messages will flow to the newly active server until a failure occurs on this server. If an error is detected in trying to send a RADIUS message to this newly active server, the IMG will attempt to switch back to the previously active server. This behaviour is repeated until a working server is detected. If the IMG fails to connect to a RADIUS Server an alarm will be sent. You can monitor alarms using EventView.
Typically when a RADIUS message needs to be sent to a server, it is assembled and passed to the OS for transport to the currently active server. These servers are configured to send the message, wait 2 seconds and then retry sending the message an additional 3 times. Therefore a RADIUS message will be sent a total of 4 times, with 2 second intervals, before attempting a switchover to the next server, if one is configured.
The switchover behaviour is coupled to the message type. Therefore an Accounting Server switchover is independent of an Authentication Server switchover. Under typical call load it will take a while for the switchover to complete since the IMG may have many RADIUS messages queued up to the failed server. Each of these messages must fail and be retried on the newly active server following notification of the send failure.
NOTE: A negative response does not constitute a server failure.
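The retry and switchover rules above can be checked from the network side. The following is an added example, not code from the Dialogic manual: it scans a packet trace for requests that were sent 4 times without any reply and reports which server took over. The trace tuple layout, the 192.0.2.x addresses and the assumption that retransmissions keep the same RADIUS Identifier are constructed for illustration.

```python
from collections import defaultdict

SENDS_BEFORE_SWITCHOVER = 4               # 1 send + 3 retries, as stated in the text
REQUEST_FOR_REPLY = {2: 1, 3: 1, 5: 4}    # Accept/Reject answer code 1, Accounting-Response answers 4
KIND = {1: "authentication", 4: "accounting"}

def find_switchovers(events):
    """events: (time_s, direction, server_ip, code, identifier), direction 'tx' or 'rx'.
    Returns one finding per server that exhausted its sends without any reply."""
    events = sorted(events, key=lambda e: e[0])
    pending = defaultdict(list)           # (server, request code, identifier) -> send times
    for t, direction, server, code, ident in events:
        if direction == "tx" and code in KIND:
            pending[(server, code, ident)].append(t)
        elif direction == "rx" and code in REQUEST_FOR_REPLY:
            # Any reply, including Access-Reject, shows the server is reachable.
            pending.pop((server, REQUEST_FOR_REPLY[code], ident), None)
    failed = {}                           # (kind, server) -> time the 4th send went out
    for (server, code, _ident), times in pending.items():
        if len(times) >= SENDS_BEFORE_SWITCHOVER:
            key = (KIND[code], server)
            exhausted = times[SENDS_BEFORE_SWITCHOVER - 1]
            failed[key] = min(exhausted, failed.get(key, exhausted))
    findings = []
    for (kind, server), at in sorted(failed.items(), key=lambda kv: kv[1]):
        code = 1 if kind == "authentication" else 4
        # Authentication and accounting fail over independently, so only
        # look at later requests of the same kind.
        next_server = next((s for t, d, s, c, _i in events
                            if d == "tx" and c == code and s != server and t > at), None)
        findings.append({"kind": kind, "failed_server": server,
                         "last_send_s": at, "next_server": next_server})
    return findings

# Constructed trace: the authentication server rejects a call (not a failure),
# the primary accounting server never answers, the standby does.
SAMPLE_TRACE = [
    (0.00, "tx", "192.0.2.1", 1, 21), (0.04, "rx", "192.0.2.1", 3, 21),
    (1.00, "tx", "192.0.2.2", 4, 7), (3.00, "tx", "192.0.2.2", 4, 7),
    (5.00, "tx", "192.0.2.2", 4, 7), (7.00, "tx", "192.0.2.2", 4, 7),
    (9.00, "tx", "192.0.2.3", 4, 8), (9.03, "rx", "192.0.2.3", 5, 8),
]

if __name__ == "__main__":
    for finding in find_switchovers(SAMPLE_TRACE):
        print(finding)
```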

Supported Packet Types

Access-Request
Sent to a RADIUS server - conveys information used to determine whether a user is allowed access to a specific NAS, and any special services requested for that user.
Access-Accept
Sent by the RADIUS server - provides specific configuration information necessary to begin delivery of service to the user.
Access-Reject
Sent by the RADIUS Server if any value of the received Attributes is not acceptable
Accounting-start
Accounting-stop

RADIUS Server Debug Mode

You can configure your RADIUS Client in Debug Mode so that calls will be completed whether the RADIUS server is active or not. The IMG will not require authentication from the RADIUS server to complete a call and no billing information will be logged. You enable RADIUS Debug Mode using the RADIUS Client screen.

RADIUS Server Failure Alarm

The IMG provides automatic alarming notification to IMG users when a Radius Server has changed states and can no longer be accessed. The alarm, reported in EventView, will include the RADIUS Server Type (Access, Accounting), the Server ID, the mode of the Radius Server (normal, debug), the state of the Radius Server and the IP address.
Related Topics
Basic RADIUS Call Flow
Generic RADIUS Attributes
Cantata RADIUS VSAs
RADIUS Call Flow: SS7 to H.323
RADIUS CDR Example: SIP-to-ISDN
Configuring Billing and Authentication
Dialogic Corporation - IMG Printable WebHelp

RADIUS Scenarios

The IMG 1010 supports RADIUS Authentication and Accounting. An IMG 1010 customer has the option of using one of the following scenarios:
Authentication and Accounting
In this case an Authentication Server and an Accounting Server are both assigned to the RADIUS client on the IMG.
Accounting only
In this case only an Accounting Server is assigned to the RADIUS client on the IMG.
Authentication only
In this case only an Authentication Server is assigned to the RADIUS client on the IMG.

Generic RADIUS Attributes

RADIUS Attributes carry the specific authentication, authorization, information and configuration details for the request and reply. Some Attributes may be included more than once.
IETF Attribute #: 1
Attribute Name: User-Name
Values: String
Example: 50886230002
Description: Account number or calling party number

IETF Attribute #: 2
Attribute Name: User-Password
Values: String
Example: cantata
Description: 16 octets user password

IETF Attribute #: 4
Attribute Name: NAS-IP-Address
Values: String
Example: 192.168.0.100
Description: IP Address of the requesting IMG

IETF Attribute #: 5
Attribute Name: NAS-Port
Values: Numeric (4 octets)
Example: 1812
Description: The Physical Port Number of the NAS (Network Access Server) that is authenticating the user.

IETF Attribute #: 6
Attribute Name: Service-Type
Values: Numeric (4 octets)
Example: Login-User
Description: The Type of Service the user has requested, or the type of service to be provided

IETF Attribute #: 14
Attribute Name: Login-IP-Host
Values: Numeric Values
Example: 192.168.0.100

IETF Attribute #: 29
Attribute Name: Termination-Action
Values: Numeric (4 octets) Values
Example: RADIUS-Request
Description: 0 = Default, 1 = RADIUS-Request

IETF Attribute #: 30
Attribute Name: Called-Station-Id
Values: String. The String field is one or more octets, containing the phone number that the user's call came in on.
Example: 50886230002
Description: This Attribute allows the NAS to send in the Access-Request packet the phone number that the user called, using Dialed Number Identification (DNIS) or similar technology. Note that this may be different from the phone number the call comes in on. It is only used in Access-Request packets.

IETF Attribute #: 31
Attribute Name: Calling-Station-Id
Values: String. The String field is one or more octets, containing the phone number that the user placed the call from.
Example: 50886230002
Description: This Attribute allows the NAS to send in the Access-Request packet the phone number that the call came from, using Automatic Number Identification (ANI) or similar technology. It is only used in Access-Request packets.

IETF Attribute #: 32
Attribute Name: NAS-Identifier
Values: String. The String field is one or more octets, and should be unique to the NAS within the scope of the RADIUS server. For example, a fully qualified domain name would be suitable as a NAS-Identifier.
Description: This Attribute contains a string identifying the NAS originating the Access-Request. It is only used in Access-Request packets.

IETF Attribute #: 40
Attribute Name: Acct-Status-Type
Values: Numeric (4 octets) Values
Example: Start
Description: Indicates whether this Accounting-Request marks the beginning of the user service (Start) or the end (Stop).

IETF Attribute #: 41
Attribute Name: Acct-Delay-Time
Values: Numeric (4 octets)
Example: 0
Description: This attribute indicates how many seconds the client has been trying to send this record for, and can be subtracted from the time of arrival on the server to find the approximate time of the event generating this Accounting-Request. (Network transit time is ignored.)

IETF Attribute #: 42
Attribute Name: Acct-Input-Octets
Values: Numeric (4 octets)
Example: 1
Description: Indicates how many octets have been received from the port over the course of this service being provided, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.

IETF Attribute #: 43
Attribute Name: Acct-Output-Octets
Values: Numeric (4 octets)
Example: 1
Description: Indicates how many octets have been sent to the port in the course of delivering this service, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.

IETF Attribute #: 44
Attribute Name: Acct-Session-ID
Values: String. The String field SHOULD be a string of UTF-8 encoded 10646 [7] characters.
Example: 00201c0405b9009000 3500001000129e48b99e
Description: This attribute is a unique Accounting ID to make it easy to match start and stop records in a log file.

IETF Attribute #: 46
Attribute Name: Acct-Output-Octets
Values: Numeric (4 octets)
Example: 10
Description: This attribute indicates how many seconds the user has received service for, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.

IETF Attribute #: 47
Attribute Name: Acct-Input-Packets
Values: Numeric (4 octets)
Example: 1
Description: This attribute indicates how many packets have been received from the port over the course of this service being provided to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.

IETF Attribute #: 48
Attribute Name: Acct-Output-Packets
Values: Numeric (4 octets)
Example: 0
Description: This attribute indicates how many packets have been sent to the port in the course of delivering this service to a Framed User, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.

IETF Attribute #: 49
Attribute Name: Acct-Terminate-Cause
Values: Values
Example: NAS-Request
Description: This attribute indicates how the session was terminated, and can only be present in Accounting-Request records where the Acct-Status-Type is set to Stop.

IETF Attribute #: 60
Attribute Name: Chap-Challenge
Values: String. The String field contains the CHAP Challenge.
Description: This Attribute contains the CHAP Challenge sent by the NAS to a PPP Challenge-Handshake Authentication Protocol (CHAP) user. It is only used in Access-Request packets.

IETF Attribute #: 61
Attribute Name: NAS-Port-Type
Values: Values
Example: Ethernet
Description: This Attribute indicates the type of the physical port of the NAS which is authenticating the user.
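How the User-Password attribute (#2) listed above travels inside an Access-Request, shown as an added example that is not part of the Dialogic manual: RFC 2865 hides the password by XORing it with MD5(shared secret + Request Authenticator), so its confidentiality rests on the shared secret and on an unpredictable authenticator. The shared secret, the identifier and the function names are constructed for illustration; the attribute numbers and sample values come from the table.

```python
import hashlib
import os
import socket
import struct

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-octet blocks, XOR each with an MD5 keystream."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 octets, authenticator 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev                    # next block is keyed on this ciphertext
    return hidden

def reveal_password(hidden, secret, authenticator):
    """Server side: same keystream, chained on the received ciphertext blocks."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")          # drop the null padding

def attr(number, value):
    """Encode one attribute: type, length (including the 2 header octets), value."""
    return bytes([number, len(value) + 2]) + value

def build_access_request(ident, user, password, secret, nas_ip, called, calling,
                         authenticator=None):
    """Assemble an Access-Request (code 1) with attributes 1, 2, 4, 30 and 31."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable in real use
    attrs = (attr(1, user)
             + attr(2, hide_password(password, secret, authenticator))
             + attr(4, socket.inet_aton(nas_ip))
             + attr(30, called)
             + attr(31, calling))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

# Constructed inputs: the secret and the fixed authenticator exist only so the
# example is reproducible; user, password and addresses are the table's examples.
SECRET = b"constructed-shared-secret"
SAMPLE_REQUEST = build_access_request(
    1, b"50886230002", b"cantata", SECRET, "192.168.0.100",
    b"50886230002", b"50886230002", authenticator=bytes(range(16)))

if __name__ == "__main__":
    print(SAMPLE_REQUEST.hex())
    print(reveal_password(SAMPLE_REQUEST[35:51], SECRET, SAMPLE_REQUEST[4:20]))
```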

Cantata VSAs

Cantata RADIUS Vendor Code: 2754
IETF Attribute # for all VSAs: 26
NOTE: As of 10.3.2 ER2, the word Cantata appears at the beginning of all Cantata VSA names.
Attribute Name: Cantata-ani-post-translate
VSA #: 42
Description: Calling number to be sent out of the IMG.
Value Format: String
Example: 5088623000

Attribute Name: Cantata-ani-pre-translate
VSA #: 40
Description: Incoming Automatic Number Identification
Value Format: String
Example: 5088623000

Attribute Name: Cantata-call-direction
VSA #: 43
Description: The direction of the call.
Value Format: String
Example: Calling Party, Called Party

Attribute Name: Cantata-call-id
VSA #: 141
Description: Value of the Call-ID header.
Value Format: String. Syntax is as per RFC 3261 "SIP:Session Initiation protocol"
Example: 2707-403-214200619399-Cat-0@10.129.39.32

Attribute Name: Cantata-Call-Origin
VSA #: 26
Description: Gateway's behavior in relation to the connection that is active for this leg.
Value Format: answer = Legs 1 and 3; originate = Legs 2 and 4; callback = Legs 1 and 3
Example: originate

Attribute Name: Cantata-Call-Type
VSA #: 27
Description: Protocol type or family used on this leg of the call. For example, answer on a leg 1; originate on a leg 2; callback on leg 1.
Value Format: Telephony, VOIP, VOFR
Example: h323 Call Type = SS7

Attribute Name: Cantata-connect-time
VSA #: 28
Description: Connect time in Network Time Protocol (NTP) format: hour, minutes, seconds, microseconds, time_zone, day, month, day_of_month, and year.
Value Format: hh:mm:ss:mmm ZON DDD MMM ## YYYY
Example: 12:30:00.094 EST Fri Mar 24 2006

Attribute Name: Cantata-credit-time
VSA #: 102
Description: Number of seconds for which the call is authorized
Value Format: Integer in decimal notation. Valid Range: 1-7200 sec. 0 = unlimited seconds
Example: 3200

Attribute Name: Cantata-disconnect-time
VSA #: 29
Description: Disconnect time in NTP format: hour, minutes, seconds, microseconds, time_zone, day, month, day_of_month, year.
Value Format: hh:mm:ss:mmm ZON DDD MMM ## YYYY
Example: 12:30:00.094 EST Fri Mar 24 2006

Attribute Name: Cantata-dnis-post-translate
VSA #: 41
Description: Called number to be sent out of the IMG.
Value Format: String
Example: 5088623000

Attribute Name: Cantata-dnis-pre-translate
VSA #: 39
Description: Incoming Dialed Number Identification Service
Value Format: String
Example: 5088623000

Attribute Name: Cantata-h323-conf-id
VSA #: 24
Description: Unique call identifier generated by the gateway. Used to identify the separate billable events (calls) within a single calling session
Value Format: 16-byte number in hexadecimal notation with one space between each 4-byte integer
Example: 75834551 A69E11D6 808D87C 50D5A43C

Attribute Name: Cantata-h323-gw-id
VSA #: 33
Description: Domain name server (DNS) name or local name of the voice gateway that is sending the VSA
Value Format: Character string
Example: boston.cantata.com

Attribute Name: Cantata-h323-incoming-conf-id
VSA #: 35
Description: Unique number for identifying a calling session on a gateway, where a session is closed when the calling party hangs up
Value Format: 16-byte number in hexadecimal notation with one space between each 4-byte integer
Example: 75834551 A69E11D6 808D87C 50D5A43C

Attribute Name: Cantata-incoming-req-uri
VSA #: 146
Description: For inbound Radius mess. both Start &
Value Format: string. Syntax is as per RFC 3261 "SIP:Session Initiation protocol"
Example: sip:5551212@10.129.39.142user=phone
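A collector that receives these CDRs should authenticate each Accounting-Request before trusting its contents. The following is an added example, not code from the Dialogic manual: it checks the RFC 2866 Request Authenticator against the shared secret and then decodes the Cantata VSAs by the numbers listed above. It assumes the VSAs use the sub-attribute layout recommended by RFC 2865 (vendor type, vendor length, value) and carry text values; the secret, session ID and sample packet are constructed.

```python
import hashlib
import hmac
import struct

CANTATA_VENDOR = 2754   # vendor code from the page; every VSA rides in attribute 26
VSA_NAMES = {           # VSA numbers and names as listed in the table above
    24: "Cantata-h323-conf-id", 26: "Cantata-Call-Origin", 27: "Cantata-Call-Type",
    28: "Cantata-connect-time", 29: "Cantata-disconnect-time",
    33: "Cantata-h323-gw-id", 35: "Cantata-h323-incoming-conf-id",
    39: "Cantata-dnis-pre-translate", 40: "Cantata-ani-pre-translate",
    41: "Cantata-dnis-post-translate", 42: "Cantata-ani-post-translate",
    43: "Cantata-call-direction", 102: "Cantata-credit-time",
    141: "Cantata-call-id", 146: "Cantata-incoming-req-uri",
}
GENERIC_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 40: "Acct-Status-Type",
                 41: "Acct-Delay-Time", 44: "Acct-Session-ID"}

def acct_authenticator(code, ident, attrs, secret):
    """RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()

def verify_accounting_request(packet, secret):
    """True only for a well-formed Accounting-Request (code 4) signed with `secret`."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != 4 or not 20 <= length <= len(packet):
        return False
    packet = packet[:length]              # octets beyond Length are padding
    expected = acct_authenticator(code, ident, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])

def iter_tlv(data):
    """Yield (type, value); the same layout is assumed for Cantata sub-attributes."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2 or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield data[pos], data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]

def decode_record(packet, secret):
    """Verify, then flatten an Accounting-Request into a name -> value dict."""
    if not verify_accounting_request(packet, secret):
        raise ValueError("not an Accounting-Request or Request Authenticator mismatch")
    length = struct.unpack("!H", packet[2:4])[0]
    record = {}
    for a_type, value in iter_tlv(packet[20:length]):
        is_cantata = len(value) >= 4 and int.from_bytes(value[:4], "big") == CANTATA_VENDOR
        if a_type == 26 and is_cantata:
            for v_type, v_value in iter_tlv(value[4:]):
                name = VSA_NAMES.get(v_type, "Cantata-VSA-%d" % v_type)
                record[name] = v_value.decode("utf-8", "replace")
        elif a_type in (40, 41):
            record[GENERIC_NAMES[a_type]] = int.from_bytes(value, "big")
        elif a_type == 4:
            record[GENERIC_NAMES[4]] = ".".join(str(octet) for octet in value)
        else:
            name = GENERIC_NAMES.get(a_type, "Attribute-%d" % a_type)
            record[name] = value.decode("utf-8", "replace")
    return record

def attr(number, value):
    return bytes([number, len(value) + 2]) + value

def sample_stop_record(secret, ident=7):
    """Constructed Accounting-Request (Stop) reusing example values from the tables."""
    def vsa(number, text):
        return attr(26, struct.pack("!I", CANTATA_VENDOR) + attr(number, text.encode()))
    attrs = (attr(40, struct.pack("!I", 2))            # Acct-Status-Type 2 = Stop
             + attr(4, bytes([192, 168, 0, 100]))
             + attr(44, b"constructed-session-0001")
             + vsa(43, "Calling Party") + vsa(39, "5088623000")
             + vsa(29, "12:30:00.094 EST Fri Mar 24 2006"))
    header = struct.pack("!BBH", 4, ident, 20 + len(attrs))
    return header + acct_authenticator(4, ident, attrs, secret) + attrs
```

Records that fail `verify_accounting_request` were either altered in transit or signed with a different shared secret, and should be rejected rather than billed.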