Access Points in Nokia Siemens Networks Flexi ISN

FISNFI40EMED.
03
Nokia Siemens Networks Flexi ISN, Rel.
4.0,
Operating Documentation, v. 4
Access Points in Nokia Siemens
Networks Flexi ISN
DN04134496
Issue 6-3 en
Access Points in Nokia Siemens Networks Flexi ISN
The information in this document is subject to change without notice and describes only the
product defined in the introduction of this documentation. This documentation is intended for the
use of Nokia Siemens Networks customers only for the purposes of the agreement under which
the document is submitted, and no part of it may be used, reproduced, modified or transmitted
in any form or means without the prior written permission of Nokia Siemens Networks. The
documentation has been prepared to be used by professional and properly trained personnel,
and the customer assumes full responsibility when using it. Nokia Siemens Networks welcomes
customer comments as part of the process of continuous development and improvement of the
documentation.
The information or statements given in this documentation concerning the suitability, capacity,
or performance of the mentioned hardware or software products are given "as is" and all liability
arising in connection with such hardware or software products shall be defined conclusively and
finally in a separate agreement between Nokia Siemens Networks and the customer. However,
Nokia Siemens Networks has made all reasonable efforts to ensure that the instructions
contained in the document are adequate and free of material errors and omissions. Nokia
Siemens Networks will, if deemed necessary by Nokia Siemens Networks, explain issues which
may not be covered by the document.
Nokia Siemens Networks will correct errors in this documentation as soon as possible. IN NO
EVENT WILL Nokia Siemens Networks BE LIABLE FOR ERRORS IN THIS DOCUMENTATION OR FOR ANY DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, DIRECT, INDIRECT, INCIDENTAL OR CONSEQUENTIAL OR ANY LOSSES, SUCH AS BUT NOT LIMITED
TO LOSS OF PROFIT, REVENUE, BUSINESS INTERRUPTION, BUSINESS OPPORTUNITY
OR DATA,THAT MAY ARISE FROM THE USE OF THIS DOCUMENT OR THE INFORMATION
IN IT.
This documentation and the product it describes are considered protected by copyrights and
other intellectual property rights according to the applicable laws.
The wave logo is a trademark of Nokia Siemens Networks Oy. Nokia is a registered trademark
of Nokia Corporation. Siemens is a registered trademark of Siemens AG.
Other product names mentioned in this document may be trademarks of their respective
owners, and they are mentioned for identification purposes only.
Copyright Nokia Siemens Networks 2010. All rights reserved
Important Notice on Product Safety

Elevated voltages are inevitably present at specific points in this electrical equipment.
Some of the parts may also have elevated operating temperatures.
Non-observance of these conditions and the safety instructions can result in personal
injury or in property damage.
Therefore, only trained and qualified personnel may install and maintain the system.
The system complies with the standard EN 60950 / IEC 60950. All equipment connected
has to comply with the applicable safety standards.
Id:0900d8058071050b
DN04134496
Issue 6-3 en
Table of Contents
This document has 62 pages.
DN04134496
Issue 6-3 en
1
1.1
1.2
1.3
1.4
1.5
1.6
1.7
1.8
1.9
1.10
Changes in access points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Changes in release 4.0 CD4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Changes in release 4.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Changes between releases 3.2 and 4.0 . . . . . . . . . . . . . . . . . . . . . . . . . 8
Changes between releases 3.1 and 3.2 . . . . . . . . . . . . . . . . . . . . . . . . . 9
Changes in release 3.1 CD1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Changes between releases 3.0 and 3.1 . . . . . . . . . . . . . . . . . . . . . . . . 10
Changes in release 3.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Changes between releases 2.0 and 3.0 . . . . . . . . . . . . . . . . . . . . . . . . 11
2
2.1
2.2
2.2.1
2.2.2
2.2.3
2.2.4
2.3
2.4
2.5
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.6
2.6.1
2.6.2
2.6.3
2.7
2.7.1
Introduction to access points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Purpose of access points. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Basic access point functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Access point name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Alias name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Access points for corporations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Access point types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Licensing and access points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Service aware configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
IP management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Dynamic and static mobile addresses . . . . . . . . . . . . . . . . . . . . . . . . . .
Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Basic DHCP functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Network address translation (NAT) . . . . . . . . . . . . . . . . . . . . . . . . . . . .
RADIUS servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
RADIUS authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
RADIUS accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
RADIUS Disconnect. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
IMS functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
P-CSCF discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
13
13
13
13
14
14
15
15
15
16
16
17
17
18
18
18
18
19
19
19
19
3
3.1
3.2
3.3
3.4
3.5
3.6
3.7
3.8
3.9
3.10
Configuring IPv4 access points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Creating IPv4 access points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring AP IPv4 limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring AP IPv4 authentication and address allocation methods . .
Configuring AP IPv4 DHCP interfaces. . . . . . . . . . . . . . . . . . . . . . . . . .
Defining RADIUS profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring AP IPv4 RADIUS interfaces . . . . . . . . . . . . . . . . . . . . . . . .
Configuring AP IPv4 L2TP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring AP IPv4 security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring AP IPv4 toll-free network . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring AP IPv4 DNS server IP addresses . . . . . . . . . . . . . . . . . . .
21
21
26
26
28
29
35
37
38
38
39
Id:0900d8058071050b
3.11
3.12
3.13
3.14
3.15
3.16
3.17
3.18
Configuring AP IPv4 WINS server IP addresses . . . . . . . . . . . . . . . . . . 40

Configuring AP IPv4 session timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Configuring AP IPv4 Quality of Service . . . . . . . . . . . . . . . . . . . . . . . . . 41
Configuring AP IPv4 P-CSCF discovery . . . . . . . . . . . . . . . . . . . . . . . . . 42
Configuring AP IPv4 charging options . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Configuring AP IPv4 Roaming Profile charging options . . . . . . . . . . . . . 45
Activating the access point configuration . . . . . . . . . . . . . . . . . . . . . . . . 46
Configuring default services for IPv4 access point . . . . . . . . . . . . . . . . . 47
4
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9
4.10
Configuring IPv6 access points. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Creating IPv6 access points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Configuring AP IPv6 limitations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Configuring AP IPv6 user equipment IP addresses . . . . . . . . . . . . . . . . 50
Configuring AP IPv6 security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Configuring AP IPv6 session timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Configuring AP IPv6 Quality of Service . . . . . . . . . . . . . . . . . . . . . . . . . 53
Configuring AP IPv6 DNS discovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Configuring AP IPv6 P-CSCF discovery . . . . . . . . . . . . . . . . . . . . . . . . . 54
Configuring AP IPv6 charging options . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Activating the access point configuration . . . . . . . . . . . . . . . . . . . . . . . . 56
5
5.1
5.2
5.3
5.4
Other access point operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Configuring aliases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Copying access points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Deactivating access points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Deleting access points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Id:0900d8058071050b
DN04134496
Issue 6-3 en
List of Figures
Figure 1
Figure 2
DN04134496
Issue 6-3 en
Roaming Profile Charging configuration . . . . . . . . . . . . . . . . . . . . . . . . 45

OCS Diameter Peer Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Id:0900d8058071050b
List of Tables
Table 1
RADIUS-related configuration parameters . . . . . . . . . . . . . . . . . . . . . . 35
Id:0900d8058071050b
DN04134496
Issue 6-3 en
Changes in access points
1 Changes in access points

1.1
Changes in release 4.0 CD4

Changes in content
A new access point mode, PCRF, is supported.
Changes in documentation
The following sections have been updated with information about the PCRF access
point mode:
Creating IPv4 access points

Configuring default services for IPv4 access point
Access points for corporations
Service aware configuration
Configuring aliases
Section Licensing and access points has been updated with information about the
Diameter Policy Control license.
Section Configuring AP IPv4 Roaming Profile charging options has been updated.
A Note has been added in Section Configuring AP IPv4 authentication and address allocation methods.
1.2

Changes in content
The feature Roaming Profile is supported.
New parameters, concerning RADIUS servers, that cannot be changed while an IPv4
Access Point is active have been added.
A new note has been added in step Define the user equipment IP addresses.
Section Configuring AP IPv4 Roaming Profile charging options has been added.
Section Creating IPv4 access points has been updated.
1.3

Changes in content
GTP Information Enrichment can be configured for each access point.
Optional Radius Accounting in 3GPP mode is now supported by Flexi ISN.
In the RADIUS Profile Configuration, the description of the parameter Optional Authentication has been updated.
Section Defining RADIUS profiles has been updated with the above-mentioned content
changes.
DN04134496
Issue 6-3 en
Id:0900d805807104e2
Section Configuring AP IPv4 authentication and address allocation methods has been
updated with the addition of the Use GTP Information Enrichment drop-down list.
Section Defining RADIUS profiles has been updated with the addition of 3GPP, server
optional option for the Account Server Operation parameter.
Sections Configuring AP IPv4 charging options and Configuring AP IPv6 charging
options have been updated with new information about disabling CDRs for Flat-rate
Users.
1.4
Changes in release 4.0

Changes in content
In the L2TP access point configuration, the default values for Shared Secret and
Hostname have been changed.
A new license has been added, which affects access points: Network Based QoS.
A new parameter has been added to access point Quality of Services: TREC ID for
roamers.
The Go interface is no longer supported.
Section Configuring AP IPv4 L2TP has been updated with the above-mentioned content
changes.
Section Licensing and access points has been updated with the new license.
The instructions in Section Configuring AP IPv4 Quality of Service have been updated
with the new parameter.
1.5
Changes between releases 3.2 and 4.0

Changes in content
The IP pool configured in the LNS is now optional to configure in the AP Configuration,
when the Dynamic Tunnels parameter is enabled and the RADIUS server is configured to provide L2TP tunnel attributes during the authentication phase.
Antispoofing can now be disabled for L2TP access points.
The IP address lifetime feature is now supported. That is, there is a time period when
the same addresses from the local IP pool are not re-allocated. This is configured with
the new Quarantine Time parameter.
Charging has been enhanced with overbilling protection.
A new license has been added, which affects access points: Mobile Router.
The value option None has been removed from the User Authentication Method
parameter.
The Account Server Operation parameter no longer has the value None as one
of the options.
RADIUS profiles for access points are now configured on separate Voyager pages.
The access point configuration can now contain multiple static IP range definitions.
Id:0900d805807104e2
DN04134496
Issue 6-3 en
Section Creating IPv4 access points has been updated with the above-mentioned
content change.
Section Licensing and access points has been updated with the new license.
Section Configuring AP IPv4 authentication and address allocation methods: the values
for the User Authentication Method parameter have been updated.
Sections Configuring AP IPv4 limitations and Configuring AP IPv6 limitations: instructions have been added for defining the IP address quarantine time.
Section Configuring AP IPv4 security: instructions have been added for the new IP
Spoofing Prevention parameter.
Configuring AP IPv4 charging options and Configuring AP IPv6 charging options:
instructions have been added for the new Overbilling Protection parameter.
A new section has been added: Defining RADIUS profiles.
The following section has been removed: Configuring RADIUS switch-over time (the
instructions for this are now included in Section Defining RADIUS profiles.
Section Creating IPv4 access points: the instructions for defining the user equipment IP
addresses has been updated.
Section Configuring AP IPv4 RADIUS interfaces: additional information has been added
related to RADIUS accounting servers 3-7.
1.6

Changes in content
Charging options configuration:
A new parameter has been added (CDR Generation).

A new value has been added to the Default Charging Profile parameter
(Postpaid with Credit Control).
Section Access point types: the descriptions concerning Generic Routing Encapsulation
(GRE) and IP over IP have been modified.
Section Network address translation (NAT): the information about disabling the NAT
functionality has been updated.
The instructions in the following sections have been updated with the above-listed
parameter changes:
Configuring AP IPv4 charging options

The document has also been updated to reflect the layout changes in the Voyager interface.
DN04134496
Issue 6-3 en
Id:0900d805807104e2
1.7

Changes in content
A new parameter has been added to RADIUS interface configuration: Accounting to
Authenticated Server.
A new parameter has been added to access point common configuration: RADIUS
Switchover Time.
The instructions in Section Configuring AP IPv4 RADIUS interfaces have been updated
with the new parameter.
The following new section has been added: Configuring RADIUS switch-over time.
1.8

This includes all changes made in release 3.0 (and listed further below).
Changes in content
The number of dynamic IP address ranges that can be configured for an access point
has been increased from 4 to 10.
Hot billing can be configured for the default charging profile.
The following sections have been updated:
1.9

Configuring AP IPv4 RADIUS interfaces
Configuring AP IPv4 DNS server IP addresses
Configuring AP IPv4 Quality of Service
Changes in release 3.0

Changes in content
NetBIOS name servers (WINS) can be configured for IPv4 access points.
The values for the Send Interim When Container Closed parameter have been
modified: the only possible values now are Disabled or Enabled.
The following access point types have been removed:
GRE (all)
IP over IP (all)
New RADIUS configuration attributes have been added:
10
Send Interim When Container Closed

RADIUS Accounting Mode
Tunneling in Authentication
Tunneling in Accounting
RADIUS Client Tunneling IP Address
Id:0900d805807104e2
DN04134496
Issue 6-3 en
A new attribute has been added for DHCP interface configuration: Tunneling.
A new attribute has been added for configuring charging options: Charging Limit Profile.
The following sections have been updated:
1.10
Access point types

Configuring AP IPv4 DHCP interfaces
Configuring AP IPv4 session timeouts

Changes in content
IPv6 access points are supported.
New RADIUS configuration attributes have been added:
Four sets of RADIUS Disconnect Server configuration entries have been added into
the IPv4 access point. Each set consists of: Disconnect Server IP Address, Disconnect Server Secret Key, and Disconnect Server Description.
Vendor-specific attributes can be encoded in one attribute or each in a separate
attribute, depending on the configuration.
Responses to RADIUS authentication requests can be marked as optional.
It is possible to define whether the Flexi ISN sends RADIUS Accounting STOP or
OFF message when an access point is disabled or enabled.
The 'Override User Name Containing APN/MSISDN' function now also applies to L2TP
access points.
The Go interface in IPv4 and IPv6 access points is supported.
A new configuration defines attributes used in P-CSCF discovery.
The TREC identifier in access point configuration defines the default QoS for PDP contexts.
CDR generation for flat-rate users can be disabled in the access point configuration.
Section Configuring AP IPv4 RADIUS interfaces has been updated.
Section Configuring AP IPv4 allocation methods has been updated and renamed Configuring AP IPv4 authentication and address allocation methods.
More information has been added to Sections Configuring AP IPv4 session timeouts
and Configuring AP IPv6 session timeouts.
Instructions for configuring IPv6 access points have been added.
Configuration of services has been placed in a new separate document, Service Configuration in Flexi ISN.
Descriptions related to routing and tunnelling have been moved to Routing and Tunnelling in Flexi ISN.
DN04134496
Issue 6-3 en
Id:0900d805807104e2
11
RADIUS attributes are no longer listed in this document, as they can be found in
RADIUS Interface Description, Flexi ISN.
12
Id:0900d805807104e2
DN04134496
Issue 6-3 en
Introduction to access points
2 Introduction to access points

2.1
Purpose of access points

An access point encapsulates the information required to access a particular service.
Every PDP context creation request defines the access point. Based on this information
the Flexi ISN will then define what services are allowed in the PDP context. The static
access point configuration groups together many configuration parameters such as:
access point type, which defines the Gi connection type for the user plane traffic of
the PDP context
IP address allocation and IP address pools associated with the access point
RADIUS authentication and accounting
overload control, for example the maximum number of PDP contexts
security control for inter-mobile traffic
DNS configuration
IMS configuration for the P-CSCF discovery
access-point-specific QoS control
determination of allowed services for service aware PDP contexts
default charging profile
Static access point configuration also states how the dynamically defined information is
determined. For example, if the access point mode is RADIUS, the Flexi ISN will fetch
the user profile from the RADIUS authentication server, and the access point configuration also defines the used RADIUS authentication server.
The number of access points required in the Flexi ISN depends on the services that are
accessed through Flexi ISN. The minimum requirement is to have at least the following
access points:
1 AP for general service access

1 AP for each corporate connection supported in Flexi ISN
If service awareness is not enabled in Flexi ISN, or the single access point name
concept has not been taken fully into use, the following additional differentiation may be
required:
1 AP for Internet access

1 AP for MMS traffic
1 AP for WAP access
Additional access points may be required for various intranet connections. In general, at
least one access point is required for each distinct data network, which has different IP
connectivity.
2.2
2.2.1
Basic access point functionality

Access point name
In the GPRS/3G backbone, the access point name (APN) is a reference that the Flexi
ISN uses to select the correct access point. The APN is also used towards external
control elements as the access point identifier. The APN is included, for example, in
charging interfaces and RADIUS interfaces.
DN04134496
Issue 6-3 en
Id:0900d805806955ee
13
To make the APN available to the SGSN, the APN must be configured in the packet core
domain name system (DNS) as an A-type resource record. If the access point mode is
context prohibited, then the APN is not configured to the DNS system, because the APN
cannot be used directly in PDP context activations.
The APN is composed of two parts: the APN network identifier and the APN operator
identifier. When a PDP context is activated, the SGSN selects the correct Flexi ISN for
the PDP context creation based on the full APN, which consists of both the APN network
identifier and APN operator identifier. When the PDP context activation request arrives
at the Flexi ISN, the request contains only the APN network identifier.
The APN is defined in 3GPP specification 23.003.
APN network identifier
The APN network identifier is a mandatory label (for example, corporation), or a set of
labels separated by dots. The labels are fully qualified domain names according to the
DNS naming conventions (for example, company.com). To guarantee the identity of the
APN, the GPRS/3G PLMN should allocate, either to an internet service provider (ISP)
or a corporation, an APN network identifier identical to their domain name in the public
Internet. The APN network identifier should not end in '.gprs' because that value is used
in the APN operator identifier.
The APN configured in the Flexi ISN defines the APN network identifier.
APN operator identifier
The APN operator identifier is composed of three labels. The last label (or domain) must
be 'gprs'. The first and second labels together uniquely identify the GPRS PLMN. For
each operator, there is a default APN operator identifier (that is, the domain name). This
default APN operator identifier is derived from the IMSI as follows:
mnc<MNC>.mcc<MCC>.gprs.
The APN operator identifier is not used in the Flexi ISN configuration.
2.2.2
Alias name
Access points can also have alternative short names called aliases (but not in the
context prohibited mode. For more information, see Section Creating IPv4 access
points). To make an alias available to the SGSN, the alias has to be configured in the
packet core DNS as a CNAME-type resource record. This means that the alias name
should not point to an access point that has the context prohibited mode.
An alias is indistinguishable from a real access point from the point of view of the GPRS
subscriber. The charging records resulting from the sessions to an alias will always
indicate the name of the requested access point (that is, the alias), which can be used
to differentiate charging as if there were two separate actual access points.
2.2.3
Access points for corporations

In Flexi ISN each corporation requires either their own access point with the GGSN,
NPS, PCRF, RADIUS mode or a normal AP. In the first case, it is possible to activate
additional access points and use the corporate AP together with a general service. The
latter option is for cases where exclusive corporate access is required. The security of
the Flexi ISN guarantees that there is no direct connection between the corporate
access point and another access point.
14
Id:0900d805806955ee
DN04134496
Issue 6-3 en
2.2.4
Access point types

The access point configuration defines how the user plane traffic packets are forwarded
to external packet data networks, which are connected to Flexi ISN through the Gi interface. The following IPv4 access point types are supported by the Flexi ISN:
2.3
Normal (IPv4)
User plane traffic is forwarded as plain IPv4 traffic in the Gi interface. The Flexi ISN
supports multiple routing instances and virtual LAN networking. This means that it is
possible to define plain IPv4 access points, which still provide distinct IPv4 connectivity.
Generic Routing Encapsulation (GRE)
User plane traffic is encapsulated inside a GRE tunnel. The access point configuration defines the end points of the GRE tunnel.
IP over IP
User plane traffic is encapsulated inside an IP-IP tunnel. The access point configuration defines the end points of the IP-IP tunnel.
Native IPv6
User plane traffic is forwarded as plain IPv6 traffic in the Gi interface.
IPv6 tunnelling over IPv4
User plane traffic is encapsulated inside an IPv4 tunnel.
Layer 2 Tunneling Protocol (L2TP)
User plane traffic is encapsulated inside an L2TP tunnel. There is one L2TP session
for each activated PDP context.
Licensing and access points

The following Flexi ISN licenses affect access points:
2.4
IPv6 Access Point Support

Tunnelling (L2TP, GRE)
RADIUS additions
Alias APN
IMS Support
Service Based QoS
User Profile LDAP/Radius
Mobile Router
Network Based QoS
Diameter Policy Control
Service aware configuration

Purpose of service awareness
If service awareness is enabled in the Flexi ISN, the full potential of the access point
functionality can be realized. One of the main reasons for having service awareness is
the simplified access point provisioning to user equipment. This so-called single access
point name (APN) concept makes it possible to provision just one APN to the user equipment, and the activated services for the PDP context are determined dynamically during
PDP context activation. In addition, service awareness makes it possible to activate
multiple services in the same PDP context, even if they are using a distinct Gi connec-
DN04134496
Issue 6-3 en
Id:0900d805806955ee
15
tion defined by separate access points. For more information about service awareness,
see Service Awareness in Nokia Siemens Networks Flexi ISN.
Access point modes
The service awareness functionality is enabled by the access point Mode parameter in
the access point configuration. The access point Mode parameter defines the Flexi
ISN's behavior regarding the subscriber's session when the access point is directly
requested by the subscriber in a Create PDP Context request or though an alias. The
access point modes are the following:
Normal
The session will use the access point in the traditional way, with no support for
service awareness. This is the only mode available for IPv6 access points.
GGSN
The session will use service awareness. The active services and the charging profile
are defined in the local configuration, but the active services may also be imposed
by the PCS/OCS.
PCRF
The session will use service awareness. The active services and the charging profile
are defined in the local configuration, but the active services may also be imposed
by the PCS.
RADIUS
The session will use service awareness. The user profile is fetched from the
RADIUS authentication server.
NPS
The session will use service awareness. The user profile is fetched from the Nokia
Siemens Networks Profile Server
Context prohibited
The activation request will be rejected when the AP is directly requested by the subscriber in a Create PDP Context request or through an alias. In this case the access
point is a private access point and it can be used only as service access points (see
Service Awareness in Nokia Siemens Networks Flexi ISN).
In summary, the access point mode defines how the user profile is defined when a PDP
context is activated. The user profile defines what services are active in the PDP
context. Each service is linked to an access point. Based on this linkage, the Flexi ISN
will activate one or more Gi connections for the new PDP context, and access points
define the configuration of these Gi connections.
2.5
2.5.1
IP management
Dynamic and static mobile addresses
The Flexi ISN can accept a static IP address for the user equipment or it can provide a
dynamic address that is valid only during the PDP context activation. Static addresses
are useful in some special cases, but usually dynamic addressing is preferred. Static
addresses are stored in the user profile in the HLR. Because the address defines the
router through which the Internet is accessed, the fixed address must be allocated either
from the accessed intranet or from the Flexi ISN network mask. The access point configuration defines the IP addresses that can be accepted as static addresses.
16
Id:0900d805806955ee
DN04134496
Issue 6-3 en
In most cases, the user equipment will request a dynamic IP address. There are four
ways to allocate a dynamic IP address:
2.5.2
The Flexi ISN has its own address pool. This is the only address allocation method
supported by the Flexi ISN when the address is an IPv6 address.
The Dynamic Host Configuration Protocol (DHCP) is able to discover a free IP
address in the address pool that is maintained by a DHCP server. Many other configuration parameters within the network can be set by the same negotiation.
A RADIUS server can give an IP address when authentication is done. The Flexi ISN
sends Accounting Start and Accounting Stop messages to release the allocated IP
address.
When using an L2TP type access point, the L2TP network server (LNS) assigns the
dynamic address for the user equipment.
Routing
Access point configuration defines the routing functionality. It is possible to rely on static
routes, but dynamic routing protocols such as OSPF can be also enabled in the access
point configuration. The available routing configuration depends on the access point
type. For example, OSPF is supported only in access points that are using a tunnelled
Gi connectivity. For more information about routing and tunnelling, see Routing and
Tunnelling in Nokia Siemens Networks Flexi ISN.
2.5.3
Basic DHCP functionality

When a Flexi ISN access point is configured to obtain user equipment (UE) IP
addresses from the Dynamic Host Configuration Protocol (DHCP) servers, the access
point configuration contains up to four DHCP server addresses. Multiple DHCP servers
are configured for providing server redundancy. The Flexi ISN does not broadcast
DHCP messages, but sends the DHCP messages to the servers named in the access
point configuration. The Flexi ISN plays the part of a Relay Agent towards the DHCP
servers and sends the DHCP messages across the local area networks. In addition to
that, the Flexi ISN also runs the DHCP client state machines for the UEs. This involves
taking care of all the IP address leases for the UEs by requesting, accepting, renewing,
rebounding, and releasing them at appropriate times. When the DHCP server gives the
DNS server IP addresses, they are sent to the UE in the GTP Protocol Configuration
Options parameters.
The sending of the release message can be either enabled or disabled. When the PDP
context is deleted, it is possible either to give the allocated IP address away or to let the
DHCP server hold it for the rest of the lease time. If the number of available IP addresses
is small, it is better to release the allocated address whenever possible. If there are
plenty of addresses available, it might be better not to release the allocated address,
because the next time the subscriber makes a GPRS/3G call the subscriber will be given
the same address if there is some lease time left.
g The Flexi ISN generates the hardware address for the DHCP sessions from the last
12 digits of the IMSI. Therefore, it is important to make sure that none of the subscribers using a particular DHCP access point will be creating two sessions (that is,
two primary PDP contexts) to this access point simultaneously from the same equipment, by error or intentionally. If the Flexi ISN reports 'PDP address collision' under
a DHCP access point, it is a strong indicator of this problem.
DN04134496
Issue 6-3 en
Id:0900d805806955ee
17
If this cannot be avoided, it is advisable to use the IP address allocation from the
internal Flexi ISN pool.
2.5.4
DNS
User equipment may also need to get the IP address of DNS servers. This information
can be configured in the access point. The Flexi ISN may also receive the DNS server
address from the DHCP or RADIUS server. If L2TP is used in the access point, the LNS
may define the IP address of the DNS server.
Additional DNS servers may be defined in the secondary access point. The Flexi ISN is
able to redirect DNS requests to these servers, if needed. For more information, see
Service Awareness in Nokia Siemens Networks Flexi ISN.
2.5.5
Network address translation (NAT)

By default, a new dynamic IP address is allocated for each activated access point. If
more than one access point is activated when the PDP context is created, the user
profile defines the primary access point (see Service Awareness in Nokia Siemens
Networks Flexi ISN). The IP address of the user equipment will be defined by the
primary access point. The Flexi ISN may have to allocate additional IP addresses to be
used in the secondary Gi connections, which are defined by the secondary access point.
If another IP address is allocated for the user equipment based on secondary access
point configuration, the IP address(es) are not passed to the user equipment. Instead,
they are stored internally in the Flexi ISN. When an uplink packet is to be sent to the
other access point, the downlink IP address of the packet is changed. Similarly, when a
downlink packet is received and it belongs to another access point, the downlink IP
address of the packet is changed. In other words, the Flexi ISN uses the network
address translator (NAT).
The NAT functionality may be disabled if all of the following conditions are true:
NAT is disabled in the secondary access point configuration (the Use Primary
Address for Secondary Connection parameter is set to Enabled).
The IP address of the user equipment in the primary access point is valid also in the
secondary access point (it matches the static IP range defined in the secondary
access point).
The primary and the secondary access points are in different routing instances.
Access point provisioning should make sure that NAT is not used in cases where NAT
would break application protocols. For more information, see RFC 2993 and 3027. For
example, the FTP passive mode must be used according to the recommendation in
Section 4 of RFC 2428.
2.6
2.6.1
RADIUS servers
RADIUS authentication
Remote authentication dial-In user service (RADIUS) authentication is performed when
a primary PDP context is created. The RADIUS server can then authenticate the PDP
context and deny PDP context activation, if necessary. The RADIUS server may also
provide information to the PDP context, such as the IP address of the user equipment
18
Id:0900d805806955ee
DN04134496
Issue 6-3 en
and the DNS server address. RADIUS may also define the user profile used in service
aware PDP contexts.
The access point configuration defines whether RADIUS authentication is performed.
Responses to RADIUS authentication can be marked optional if RADIUS authentication
is used only to inform the RADIUS server about new PDP contexts. The access point
configuration defines 1-2 RADIUS authentication servers. The same servers can be
used in many access points.
2.6.2
RADIUS accounting
RADIUS accounting messages are sent in following cases:
when a PDP context is created (RADIUS accounting START message)

when a PDP context is updated (RADIUS accounting INTERIM message)
when a PDP context is terminated (RADIUS accounting STOP)
when an access point or the Flexi ISN is enabled (RADIUS ON message)
when an access point or the Flexi ISN is disabled (RADIUS OFF message)
The access point configuration defines whether sending these accounting messages is
enabled. It also defines the used RADIUS accounting servers. The access point configuration defines the primary and secondary RADIUS server, and additional 1-5 RADIUS
servers.
2.6.3
RADIUS Disconnect
The Flexi ISN also supports RADIUS Disconnect messages. The access point configuration defines the RADIUS servers that may send Disconnect messages. If the Flexi ISN
receives a Disconnect message, it will terminate the related PDP context.
2.7
2.7.1
IMS functionality
P-CSCF discovery
To use Session Initiation Protocol (SIP) services, the user equipment needs to know the
IP address of the P-CSCF. If this information is not configured in the user equipment,
3GPP has defined following alternatives in specification 23.228:
P-CSCF discovery based on DHCP

P-CSCF discovery based on GPRS procedure
The Flexi ISN supports both of these methods, and they are supported in both IPv4 and
IPv6 access points.
If the GPRS procedure is used for P-CSCF discovery, the user equipment uses special
protocol configuration options (PCO) when it requests PDP context activation. The Flexi
ISN then returns P-CSCF addresses in the PDP context activation response. The
access point configuration defines how many P-CSCF addresses are returned to the
user equipment. The actual P-CSCF addresses are not part of the access point configuration.
If DHCP is used for P-CSCF discovery, the user equipment will send a DHCP request
after the PDP context has been activated. The Flexi ISN is then acting as a DHCP relay
agent and it will forward the DHCP request to the actual DHCP server. The access point
DN04134496
Issue 6-3 en
Id:0900d805806955ee
19
configuration defines the IP address of the DHCP relay agent and where the DHCP
requests are relayed. This DHCP configuration is separate from the basic DHCP configuration, which is used to allocate IP addresses for user equipment. The DHCP server
will then define the IP address of the P-CSCF and the Flexi ISN will relay the response
back to the user equipment.
20
Id:0900d805806955ee
DN04134496
Issue 6-3 en
Configuring IPv4 access points
3 Configuring IPv4 access points

3.1

Purpose
This procedure provides instructions for creating a new access point (AP) and sets the
ID information for a newly created AP. Creating and configuring the new AP provides
the foundation for the remaining configuration tasks for IPv4 APs.
Before you start
Before configuring IPv4 APs, make sure that the system is fully configured for the Flexi
ISN and that all the required physical interfaces have been set up.
Before starting this procedure, you need a name for the AP.
Summary
Below are listed all the parameters that cannot be changed on the fly, that is, when the
access point is active:
DN04134496
Issue 6-3 en
Identification
Name
Mode
Connection Type
Type
Virtual Mobile Address
Tunnel Local IP Address
Tunnel Remote IP Address
Routing Instance
Secondary Tunnel Address
RADIUS Servers
From Radius Authentication Profile
Routing Instance
Primary Authentication Server IP Address/Port and Secondary Authentication Server IP Address/Port
Authentication Operation
Client IP Address
Client Tunneling IP Address
From Radius Accounting Profile
Routing Instance
All Accounting Server IP Addresses and Ports
Account Server Operation
Secondary Account Server Mode
Client IP Address
Id:0900d80580710501
21

From Radius Disconnect Profile
Disconnect Server IP addresses 1-4
Client IP Address
Limitations
Methods
IP Address Generation Method
User Authentication Method
Mobile's IP Addresses
Steps
1
On the Voyager home page, click Routing Instance.

An AP belongs to one of the existing routing instances. There is always at least the
'default' instance. All of the traffic on the Gi side is controlled by the selected instance
routing tables.
In Routing Instances, click Config (default).
On the main configuration page, click Flexi ISN Configuration.
In the Access Point Configuration section, click Access Points.
Click Create a new access point.
Choose the type for the access point.

Select the type from one of the following:
normal IPv4
IP over IP
GRE tunnel
L2TP
This hides the configuration fields that are not used by the selected connection
type access points and reveals L2TP-specific fields.
For more information about the types, see Section Access point types.
22
Click Apply.
In the new screen, continue with access point definition.
In the Name text box, enter the access point name (APN).
Id:0900d80580710501
DN04134496
Issue 6-3 en
The APN Network Identifier is a label (for example 'corporation') or a set of labels
separated by dots, which is a fully qualified domain name according to the DNS
naming conventions (for example 'company.com').
10 In the Description text box, enter a description for the access point.
11 Verify that Row Status is Not in Service.
Some of the fields cannot be changed if the access point is active.
12 Select a mode from the following: Normal, GGSN, PCRF, Radius (not used in
L2TP), NPS, or Context prohibited.
For information about the different AP modes, see Section Access point modes.
13 In the Numeric ID text box, give the possibility to substitute the APN with an integer
in the RADIUS and Diameter messages' Called Station ID attribute.
This feature is required sometimes for the RADIUS servers that do not understand
an alphanumeric string. The maximum value is 2147483647. An empty edit box
value (or the value zero) indicates the use of the Name as the APN.
14 Define the connection type.
Steps
1. If APs utilizing tunnelling are used, follow the steps below, otherwise start with
step b:
Steps
1.1 Select the Tunnel Local IP Address.
This is the address for the remote end-router to use as the destination
address for the tunnelled packets. Select the address from the list of
loopback interface addresses.
1.2 Enter the Tunnel Remote IP Address.
This is the address to use as the destination address for the tunnelled
packets. If there are several APs using the tunnel to the same remote IP
address, make sure the Tunnel Remote IP Address is also the same in all
these access points.
1.3 Enter the Secondary Tunnel Address.
This is the destination address of secondary GRE/IP-over-IP or L2TP tunnel.
When both tunnel destination addresses are specified, under normal conditions load balancing is performed between the tunnels. When one of the
tunnels fail, the other tunnel is used for all traffic if the tunnel is of type
GRE/IPIP. For L2TP, the PDP contexts of the failed tunnel are deleted and
new PDP contexts are created solely to the not failed tunnel.
DN04134496
Issue 6-3 en
Id:0900d80580710501
23
g The primary/secondary tunnel address pair must be the same for all
access points that have the same tunnelling protocol, MRI and tunnel
local address.
Further Information
If the dynamic tunnelling is enabled in the access point and the Flexi ISN
receives tunnel parameters from the RADIUS server, the Flexi ISN will use those
parameters for the user instead of the ones described above.
2. Enter the Virtual Mobile Address.
The Virtual Mobile Address is the address that the Flexi ISN uses when it is
acting as the DHCP relay agent. The Virtual Mobile Address is the first of
several addresses from the IP address space of the user equipment. The Virtual
Mobile Address is also used for setting up static routes for GRE/IP over IP
tunnels.
3. For Normal IPv4 type APs, enable or disable the Redistribute to RIP setting.
4.
5.
6.
7.
If this option is enabled, static routes created for collecting packets for this
access point will be marked for redistribution to RIP.
For Normal IPv4 type APs, enable or disable the Redistribute to OSPF External
setting.
access point will be marked for redistribution to OSPF.
Enable or disable OSPF.
The open shortest path first (OSPF) protocol can be enabled for the GRE or IPin-IP tunnels. OSPF is a routing protocol that advertises the dynamic and/or
static mobile address spaces to the remote end router.
To use OSPF, the Virtual Mobile Address must be set. It is used as the router
identifier.
Other settings, such as the OSPF area or OSPF hello/dead intervals, are not
necessary since the Flexi ISN learns those from the OSPF hello packets of the
remote router.
Select the routing instance for the Gi connection defined by the AP.
An AP belongs to one of the existing routing instances. There is always at least
the 'default' instance. All of the traffic on the Gi side is controlled by the selected
instance routing tables.
For other than L2TP type APs, enter the ping interval
The delay, in seconds, between the Internet Control Message Protocol (ICMP)
Echo messages (ping) sent to the tunnel Remote IP Addresses. This parameter
specifies the interval that a single service blade uses when sending the ping
messages. Because all the service blades send these messages, the observed
interval is shorter than configured one. If this is set to zero, no ICMP Echo
messages are sent.
15 Define the user equipment IP addresses.

Steps
24
Id:0900d80580710501
DN04134496
Issue 6-3 en
1. Use the IP Address Range and the corresponding Mask Length text boxes to
allocate IP addresses for the user equipment.
The type of the subnetwork IP address can be dynamic or static.
If the IP Address Generation Method is DHCP or RADIUS, the allocated IP

address is checked to be within the subnetwork. If the IP Address Generation
Method is GGSN, the subnetwork is a pool of addresses to be allocated for the
user equipment.
When the Dynamic Tunnels parameter is enabled and the RADIUS server is
configured to provide L2TP tunnel attributes during the authentication phase, or
when the access point is of type L2TP, the dynamic address pool configured in
the LNS is not mandatory to be configured in the AP Configuration.
If any of the IP Address Range text boxes is set to 0.0.0.0 and the corresponding Mask Length text box is set to 0, all IP addresses are accepted. If all the IP
Address Range text boxes are set to 0.0.0.0 and the corresponding Mask
Length text boxes are set to 32, none of the IP addresses are accepted.
g When the Connection Type is Normal IPv4, do not set the IP address Mask
Length to 0, since the subnetworks are used for configuring static routes.
When the Connection Type is one of the tunnels, it is possible to set the
static IP address Mask Length to 0. When GRE or IP-in-IP tunnels are used,
OSPF cannot advertise the subnetworks and static routes are needed at the
other endpoint of the tunnel.
2. For IPv4 and L2TP access points, define whether broadcast type IP addresses
are allowed.
If this parameter is set to Enabled, the broadcast type IP addresses are allowed.
This parameter determines whether addresses with zero or 255 in the last octet
are excluded from the mobile pools.
g When the IP Address generation method is GGSN, then the minimum
number of dynamic IP Addresses calculated by the pools should be at least
DN04134496
Issue 6-3 en
Id:0900d80580710501
25
equal to the number of the SBs available in the Chassis. This ensures that
all the SBs will get their fair-share of IP Addresses and guarantee a better
system performance.
16 Click Apply.
Note that the access point is not ready yet.
If the creation and naming of the access point fails, you will receive an error message.
Otherwise, the procedure has been successful.
3.2
Configuring AP IPv4 limitations

Purpose
This procedure sets restrictions on the maximum number of PDP contexts and the
maximum number of dynamic addresses that can be active. The license key may set
additional restrictions.
Before you start
The creation of an access point with the identification information is a prerequisite. For
more information, see Section Creating IPv4 access points.
Note that these parameters cannot be modified when the Row Status is Active.
Steps
1
In the Max Active PDP Contexts text box, enter the maximum number of active
PDP contexts allowed.
In the Max Dynamic IP Addresses text box, enter the maximum number of dynamic
IP addresses allowed.
Define the quarantine period for the IP address.

This defines the time period (in seconds) when the same IP addresses from the local
IP pools are not reallocated. When an allocated IP address is released, it cannot be
re-allocated during the configured quarantine period. If all IP addresses are in use
or in quarantine, no new PDP contexts can be created.
Click Apply.
3.3
Configuring AP IPv4 authentication and address allocation methods

Purpose
This procedure provides instructions for user authentication, dynamic address allocation, and disabling the network address translator (NAT).
26
Id:0900d80580710501
DN04134496
Issue 6-3 en
Before you start

more information, see Creating IPv4 access points. Note the following procedures also:
Configuring AP IPv4 DHCP interfaces and Configuring AP IPv4 RADIUS interfaces.
Steps
1
Select the method for allocation of the dynamic IP address from the IP Address
Generation Method text box.
The Flexi ISN may use the DHCP server, the RADIUS server, or its own address
pool. When the connection type is L2TP, the value is always L2TP.
Define the user authentication method.

If RADIUS authentication is used, select one of the following from the User Authentication Method drop-down list:
Radius: PAP tokens from the user equipment are required to be used as a user
name and a password.
Radius With MSISDN: the MSISDN of the user equipment is used as the user
name and 'password' is used as the password.
Radius With APN: the access point name (APN) is used as the user name and
'password' is used as the password.
When the Connection Type is L2TP, select one of the following authentication
methods:
DN04134496
Issue 6-3 en
L2TP PAP: PAP/PPP/L2TP authentication, PAP tokens from the user are
required.
L2TP PAP with MSISDN: PAP/PPP/L2TP authentication, where the MSISDN is
used as the username, and 'password' is the password.
L2TP PAP with APN: PAP/PPP/L2TP, where the APN is used as the username,
and 'password' is the password.
L2TP PAP with IMSI: PAP/PPP/L2TP, where the IMSI is used as the username,
and 'password' is the password.
L2TP CHAP: CHAP/PPP/L2TP, PAP tokens from the user are required.
g CHAP credentials received from PCO IE in Create PDP Context Request
can not be used for L2TP Authentication. If CHAP challenge and response
are sent from UE, then the only possible options for L2TP are not to use any
authentication or to use the L2TP proxy authentication, where CHAP challenge and response are simply forwarded to LNS and there is no real CHAP
authentication.
L2TP CHAP with MSISDN: CHAP/PPP/L2TP, where the MSISDN is the
username and 'password' is the password.
L2TP CHAP with APN: CHAP/PPP/L2TP, where the APN is the username and
'password' is the password.
L2TP CHAP with IMSI: CHAP/PPP/L2TP, where the IMSI is the username and
'password' is the password.
Id:0900d80580710501
27
L2TP Proxy Auth: CHAP/L2TP, where proxy CHAP authentication is done

according to RFC 2661, Section 4.4.5, based on the CHAP tokens received from
the user.
When Override User Name Containing APN/MSISDN is set to Enabled, the Flexi
ISN's behavior is modified as follows:
If PAP or CHAP authentication tokens are received from the UE in PCO IE, and the
user name token is not empty, both the user name and the password from the corresponding tokens will be submitted for authentication. If the password provided by
the UE is 'password', the authentication will be immediately rejected.
If the User Authentication Method is set as:
Radius With MSISDN, the MSISDN of the user equipment is used as the user
name and 'password' as password.
Radius With APN, the APN is used as the user name and 'password' as password.
Select Enabled or Disabled from the Use Primary Address for Secondary Connection drop-down list.
The secondary connection may use the IP address of the primary connection if this
variable is enabled and if the IP address belongs to the address space defined by
static IP address/mask of the Access Point of the secondary connection. In this
case, network address translation (NAT) is disabled. Address spaces cannot be
overlapping if they use the same tunnel or both APs are of type Normal IPv4 in the
same routing instance. For more information about overlapping addresses, see
Routing and Tunnelling in Nokia Siemens Networks Flexi ISN. If the Flexi ISN fails
to use the secondary address, it tries to allocate a new dynamic address for the secondary connection.
Select Enabled or Disabled from the Use GTP Information Enrichment drop-down
list.
This option permits the use of GTP Information Enrichment feature for this access
point. If this parameter is set to Enabled, the GTP Information Enrichment feature is
enabled for every pdp context created on this access point. This feature must be
configured for each access point separately and is under GTP Information Enrichment licence. If the GTP Information Enrichment licence is set to Off, the Use
GTP Information Enrichment drop-down list is not visible.
Click Apply.
3.4
Configuring AP IPv4 DHCP interfaces

Purpose
This procedure provides instructions for configuring DHCP interfaces and specifically
provides for address allocation from DHCP servers.
Before you start
Before configuring IPv4 access points, make sure that the system is fully configured for
Flexi ISN and that all the physical interfaces have been made.
28
Id:0900d80580710501
DN04134496
Issue 6-3 en
Before starting these instructions, make sure that you have the IP address of the DHCP
server.
Steps
1
In the IP address edit boxes, enter the IP addresses of the DHCP servers that may
be used.
Start filling from IP address 1. Unused DHCP servers should have an IP address of
0.0.0.0.
Choose whether Release Message Sending is enabled or disabled.

When the PDP context is deleted, it is possible either to give the allocated IP
address away or to let the DHCP server hold it for the rest of the lease time. When
the number of available IP addresses is small, it is better to release the allocated
address whenever possible. When there are plenty of IP addresses it is advisable
not to release the available IP address. This means that the next time the user
equipment makes a GPRS/3G call it will have the same IP address if there is sufficient lease time left for the IP address.
Define whether DHCP messages are tunnelled according to the other access point
tunnelling configuration.
This parameter is visible only if the access type is GRE Tunnel or IP over IP.
Click Apply.
3.5
Defining RADIUS profiles

Purpose
RADIUS profiles are required when configuring the access point RADIUS interface.
These are not used in L2TP.
Before you start
DN04134496
Issue 6-3 en
Id:0900d80580710501
29
Steps
1
On the main Flexi ISN configuration page in Voyager, in the External Interface Configuration section, click RADIUS Profiles.
Define the RADIUS authentication profile.

Steps
1. On the RADIUS Profile Configuration page click the Authentication Profile Configuration link.
2. Click Create a new Authentication Profile.
3. Enter the profile name.
4. Define the primary and secondary authentication servers.
30
Primary/Secondary Authentication Server IP Address: The address of a

possible RADIUS authentication server. Leave the default value if the server
is not used.
Port Number: The port number of the RADIUS server.
Primary/Secondary Authentication Server Key: The secret key of the
server. The maximum length is 255 characters. Do not use excessively long
shared secrets because this will unnecessarily penalize the performance
when processing RADIUS messages.
Server Description: Additional information about the server.
Id:0900d80580710501
DN04134496
Issue 6-3 en
5. Configure the following parameters.
Retransmission Timeouts: The number of timeouts in this list specifies the

number of attempts the Flexi ISN tries to contact the RADIUS servers. Using
the following format: <1st time-out> <2nd time-out> <3rd time-out> (in
seconds, separated by a space).
Authentication Operation
: Select one of the following values:
- IMSI SGSN: the IMSI and SGSN IP address attributes are included in the
Access Request packet.
- IMSI SGSN-3GPP: the IMSI and SGSN IP address attributes, among
others, are included in the Access Request packet.
- Simple Authentication: the Access Request message has no new attributes included in the message.
Optional Authentication: If this variable is set to Enabled, the GGSN will
ignore the cases when the RADIUS authentication fails, that is, when the
RADIUS authentication server does not return a response or rejects the
authentication. Note that in some cases the authentication can fail even if
this variable is set to Enabled. The GGSN needs a response from RADIUS
authentication server to be able to continue, if the Access Point is set to
RADIUS mode, or if IP Address Generation Method is set to RADIUS. The
default value is Disabled.
Client IP Address: The Flexi ISN will use this address as the source
address for RADIUS messages for the access point. It is also used as the
value for the NAS-IP-Address attribute. If RADIUS is enabled, the Client IP
Address cannot be set to 0.0.0.0.
RADIUS Switchover Time: This determines the switch-over time (in
minutes) for all RADIUS servers defined in the access points. If the primary
RADIUS server has failed to reply and the Flexi ISN has switched to use the
secondary RADIUS server, the Flexi ISN will try the primary server again
after the configured switchover time. The default value is 5 (minutes).
Note that this can be set only if the ISN Function has been disabled.
Tunnel Local IP Address: The local tunnel IP address for an access point
(tunnel GRE, IP-over-IP, or L2TP).
Client Tunneling IP Address: If the access point type is GRE Tunnel or IP
over IP and RADIUS authentication is configured to be tunnelled, this IP
address will be put into the NAS-IP-Address attribute of the RADIUS
request. This parameter specifies the actual source address of the RADIUS
message.
6. Click Apply and Save.
DN04134496
Issue 6-3 en
Id:0900d80580710501
31
Define the RADIUS accounting profile.

Steps
1. On the RADIUS Profile Configuration page click the Accounting Profile Configuration link.
2. Click Create a new Accounting Profile.
4. Configure the primary and secondary RADIUS accounting servers in the same
manner as for RADIUS authentication servers.
5. Configure up to up to five possible fire-and-forget RADIUS accounting servers

in the same manner as for the primary and secondary accounting servers.
The configured servers are used only if a primary/secondary accounting server
is configured.
Note that If there is no reply to a RADIUS Accounting Start message for a PDP
context from the primary or secondary accounting servers, nothing will be sent
to accounting servers 3 to 7 regarding the PDP context.
6. Configure the following parameters.
32
Id:0900d80580710501
DN04134496
Issue 6-3 en
DN04134496
Issue 6-3 en
Account Server Operation: Select one of the following values.

Note that this parameter cannot be changed if the Row Status is Active.
- WAP Gateway: The account server is actually a WAP gateway that uses
the supplied information for special purposes (for more information, see the
WAP gateway documentation). When the connection to the server fails, the
PDP context creation is rejected.
- WAP Gateway, server optional: The account server is a WAP gateway.
The PDP context creation is accepted even when there is failure of either
authentication or connection to the server. The WAP gateway may then offer
a limited set of services.
- IP Address Release: This is extra information that is sent to the accounting
server whenever a new PDP context is either created or deleted. This information may be used to release an allocated IP address.
- 3GPP: If this option is chosen, an encoding that complies with 3GPP standards is used for the attributes that are sent in the Accounting Request
packet (IMSI, SGSN Address, GGSN Address, and Charging Id). In addition, some other 3GPP attributes and the Input-Gigawords attributes are
included in the Accounting Request STOP and Accounting Request InterimUpdate packets.
- 3GPP, server optional: This option combines the 3GPP mode with the
capability of creating PDP context, even when there is a failure in the
accounting process.
When the Account Server Operation value is WAP-Gateway, server
optional, or 3GPP, server optional PDP context creation is not depending
on a response to the accounting request. For more information, see RADIUS
Interface, Interface Description.
Retransmission Timeouts: The number of timeouts in this list specifies the
number of attempts the Flexi ISN tries to contact the RADIUS servers. Using
the following format: <1st time-out> <2nd time-out> <3rd time-out> (in
seconds, separated by a space).
Secondary Account Server Mode: If Backup is chosen, the Flexi ISN
contacts the primary accounting server first and, if there is no response, then
the secondary server. If Redundancy is chosen, the Flexi ISN contacts the
primary and secondary servers at the same time. For more information, see
Section RADIUS servers.
Interim Accounting: If Enabled is selected, the Flexi ISN sends an
Accounting Request Interim-Update message to the RADIUS server when
the PDP context is updated.
Send Interim When Container Closed: If Enabled is selected, an interim
message is sent when a threshold value is reached and a minimum of 60
seconds has elapsed since the previous periodic interim accounting
message.
RADIUS Switchover Time: This determines the switch-over time (in
minutes) for all RADIUS servers defined in the access points. If the primary
RADIUS server has failed to reply and the Flexi ISN has switched to use the
Id:0900d80580710501
33
secondary RADIUS server, the Flexi ISN will try the primary server again
after the configured switchover time. The default value is 5 (minutes).
Note that this can be set only if the ISN Function has been disabled.
Notify AP Status Change: This determines whether RADIUS will act on the
access point status change.
- ON/OFF: changing the access point status from Active to Not in Service
leads to the sending of a 'RADIUS accounting OFF' message but no
'RADIUS accounting STOP' messages are sent. Changing the access point
status from Not in Service to Active leads to the sending of a 'RADIUS
accounting ON' message.
- ON/OFF/STOP: changing the access point status from Active to Not in
Service leads to the sending of a 'RADIUS accounting OFF' message and
possible 'RADIUS accounting STOP' messages. Changing the access point
status from Not in Service to Active leads to the sending of a 'RADIUS
accounting ON' message.
- STOP: no 'RADIUS accounting ON or OFF' messages are sent but
possible 'RADIUS accounting STOP' messages are sent if the access point
status is changed from Active to Not in service.
Accounting to Authenticated Server: If this parameter is set to Enabled
and if authentication is used, accounting for the PDP context will be transmitted to the RADIUS server which has the same configuration parameters
except the port number (fixed value 1813)
message.
4
Define the RADIUS disconnect profile.

Steps
1. On the RADIUS Profile Configuration page click the Disconnect Profile Configuration link.
2. Click Create a new Disconnect Profile.
4. Define the possible disconnect servers.
Leave the default values if the servers are not used.
Disconnect Server IP Address: The IP address of the RADIUS server from
which a disconnect message is accepted.
Disconnect Server Secret Key: The secret that is used to authenticate the
RADIUS disconnect server.
Disconnect Server Description: A description of the server.
5. Define the following parameters.
Tunnel Remote IP Address: This is defined in the general Creating IPv4
access points.
Secondary Tunnel Address: This is defined in the general Creating IPv4
access points.
34
Id:0900d80580710501
DN04134496
Issue 6-3 en
message.
3.6

Purpose
This procedure provides instructions on the configuration of RADIUS interfaces. These
are not used in L2TP.
Before you start
The creation of the following is a prerequisite:
an access point with the identification information. For more information, see Section
the RADIUS profiles. For more information see Section Defining RADIUS profiles.
Before starting the configuration of RADIUS interfaces, you should become familiar with
the items in Table 1. The information is essential to RADIUS configuration.
Parameter
Value range
Description
Identification
Numeric ID
Integer
Some RADIUS servers cannot handle

access point names (APNs) and therefore
require a numeric value for identification.
See Section Creating IPv4 access points.
Methods
IP Address Gen- Options:
eration Method
GGSN
DHCP
RADIUS
The dynamic IP address allocation

method: to allocate an IP address for the
user equipment during authentication.
User Authentication Method
The RADIUS authentication method to be

used.
Options:
Table 1
DN04134496
Issue 6-3 en
RADIUS
RADIUS with
MSISDN
RADIUS with APN
See Section Configuring AP IPv4 authentication and address allocation methods.
RADIUS-related configuration parameters
Id:0900d80580710501
35
Parameter
Override User
Name Containing APN/
MSISDN
Value range
Enabled/Disabled
Description
This parameter may be used to fine-tune
the Flexi ISN's behaviour when the User
Authentication Method is RADIUS /
L2TP PAP / L2TP CHAP with MSISDN /
APN / IMSI.
When Enabled, the Flexi ISN's behaviour
is modified as follows:
If PAP or CHAP authentication tokens are
received from the UE in the PCO information element (IE), and the user name token
is not empty, both the user name and the
password from the corresponding tokens
will be submitted for authentication. If the
password provided by the UE is 'password', the authentication will be immediately rejected.
Table 1
RADIUS-related configuration parameters (Cont.)
Use the information in Table 1, along with the following instructions:
Steps
1
On the access point configuration page, from the Dynamic Tunnels drop-down list,
select Enabled or Disabled.
If Enabled is selected, the RADIUS server can specify the tunnel type and the
parameters for opening a dynamic tunnel. Attributes are included in the AccessResponse packets.
In Encode Vendor-Specific Attributes Separately, select Enabled or Disabled.

RADIUS supports two encoding methods for vendor-specific attributes. If the value
enabled is selected, each vendor-specific attribute is encoded to a separate
RADIUS attribute.
If the value is disabled, multiple vendor-specific attributes can be bundled to one
RADIUS attribute, if they all use the same vendor identifier.
From the Accounting Mode drop-down list, select Asynchronous or Synchronous.

In the asynchronous mode the Flexi ISN sends the PDP context response to the
SGSN before the accounting reply has been received. This makes the PDP context
activation faster.
36
Id:0900d80580710501
DN04134496
Issue 6-3 en
In the synchronous mode the Flexi ISN waits for the accounting reply to arrive before
responding to the SGSN. The PDP context will not be activated unless the accounting reply has been received.
4
Select the RADIUS profiles to be used, if any.

For instructions on creating RADIUS authentication, accounting, and disconnect
profiles, see Section Defining RADIUS profiles.
Click Apply.
Note that the AP is not ready yet.
Further Information
For instructions on how to select user authentication and address allocation
methods, see Section Configuring AP IPv4 authentication and address allocation
methods.
3.7
Configuring AP IPv4 L2TP

Purpose
Follow the instructions below if the chosen access point type is L2TP.
Before you start
The access point must be created. For more information, see Section Creating IPv4
access points.
Steps
1
Enter a shared secret for L2TP.

The shared secret is used for authenticating the access point and LNS. The default
value is Default Shared Secret.
g Do not use excessively long shared secrets, this will penalize performance
when processing RADIUS messages.
2
Enter the hostname for the L2TP.

This value is used as the hostname attribute when establishing an L2TP tunnel. The
default value is Default Hostname.
Change the remote port number if necessary.

The remote port number is 1701 by default (RFC2661).
Set the value of the Hello interval.

The Hello interval is the delay between sending Hello messages to the L2TP
network server (LNS). The default value is 60 seconds. If you set the value of the
Hello interval to 0 (zero), no Hello messages will be sent.
Click Apply.
DN04134496
Issue 6-3 en
Id:0900d80580710501
37
3.8
Configuring AP IPv4 security

Purpose
Traffic between two user equipment is a potential security problem when the user equipment are connected to the same Flexi ISN, because the traffic does not go through any
external firewall.
Before you start
Steps
1
Select Enabled from the Intermobile Traffic drop-down list to allow traffic from one
user equipment to another user equipment if they belong to the same access point.
g The flow initiation rules apply also here and the uplink/downlink packets may be
dropped if the flow initiation is not allowed.
2
Traffic from one user equipment to another user equipment inside different access
points is allowed if you select Enabled from the Inter-AP Traffic drop-down menu.
This applies only to access points inside one Flexi ISN.
When the Selection Mode value in the GTP message indicates that the user equipment is not verified, the Flexi ISN will reject the PDP context activation request
unless you set Unverified Mobile Acceptance to Enabled.
Select whether IP spoofing is enabled or disabled.

If you want to use to use routable subnets behind the GPRS/3G modem or router,
you must disable IP spoofing, because antispoofing prevent the uplink packets originating from the mobile router subnet.
This parameter is configurable if the access point type is L2TP or the Dynamic
Tunnels parameter is set to enabled for any other access point type.
Click Apply.
3.9
Configuring AP IPv4 toll-free network

Purpose
It is possible to define a network that is free of charge, that is, toll-free. The charging
counters are updated separately for toll-free and non-toll-free traffic. To determine if a
network is toll-free, the destination address is checked for uplink traffic and the source
address is checked for downlink traffic.
There can be four toll-free networks.
g The configuration of toll-free networks is not necessary for service aware sessions,
because the charging of the traffic flows is determined based on the charging class
configuration. If a toll-free network is nevertheless used, it must be configured in the
38
Id:0900d80580710501
DN04134496
Issue 6-3 en
AP which allocates the IP address visible to the user of this session, that is, the
primary service access point. Toll-free networks from other service access points of
this session will not apply to it.
Before you start
more information, see Section Creating IPv4 access points. Note the following procedures also: Configuring AP IPv4 DHCP interfaces and Configuring AP IPv4 RADIUS
interfaces.
Steps
1
In the Toll Free Network and the Toll Free Network Mask Length edit boxes,
determine the network to be used.
Click Apply.
3.10
Configuring AP IPv4 DNS server IP addresses

Purpose
In Service Aware Flexi ISN, most of the services that are available are DNS based. This
procedure provides brief instructions on DNS addresses.
Before you start
interfaces.
Steps
1
In the DNS 1 and the DNS 2 text boxes, verify that the set values are not 0.0.0.0.
Define the primary DNS server in DNS1 and the secondary DNS server in DNS2.
Note that DNS redirection is configured by defining additional DNS servers to the
secondary access point. If DNS redirection is not required, the same DNS servers
are defined for both the primary and secondary access points.
DNS server IP addresses may be overridden by RADIUS, DHCP, or L2TP.
In the IP Address for L7 DNS Queries text box, enter the IPv4 address that layer 7
proxy analysers use as a source address in DNS queries.
This parameter should be defined when L7 analysers are used, in other cases it has
no meaning.
DN04134496
Issue 6-3 en
Id:0900d80580710501
39
Click Apply.
3.11
Configuring AP IPv4 WINS server IP addresses

Purpose
This procedure provides brief instructions for NetBIOS naming service (WINS) server
addresses.
Before you start
interfaces.
Steps
1
Enter the IP address of the primary NetBIOS name server (WINS).
Enter the IP address of the secondary NetBIOS name server (WINS).
Click Apply.
3.12

Purpose
Session timeouts restrict the lifetime of PDP contexts.
Before you start
interfaces.
Steps
1
Use the Session Timeout text box to limit the overall lifetime of a PDP context.
Note that because of the internal implementation the actual time is longer than the
configured value. This additional time varies from 0 seconds to 1 minute.
In the Idle Timeout text box, set the maximum time the PDP context can stay idle
without any traffic.
Or
40
Id:0900d80580710501
DN04134496
Issue 6-3 en
If you choose not to use timeouts, in the Session Timeout or the Idle Timeout text
box, either leave the field empty or set the value to 0 to indicate that the time-out
function is not used.
Further Information
Timeouts are expressed in seconds. Timeouts may be overridden by the attributes
in the RADIUS Access Accept message.
Timeouts are not dynamic. The PDP context activation is done with the information
available in the APN settings during activation or supplied by RADIUS during activation only. If the settings are changed during the lifetime of a PDP context, the
timeouts are not changed for that PDP context.
The duration of the G-CDR differs from the Session Timeout value. When you set
the Session Timeout to a certain value, the G-duration within the G-CDR is not automatically the same value.
For service-aware sessions, the session timeouts and idle timeouts calculated for
the primary service access point will be applied to the whole session, and the
timeouts from the other access points will be ignored.
3
Click Apply.
3.13

Purpose
You can either remark the DSCP of mobile-originated IP packets or leave it untouched.
The same marking system is used in the GPRS/3G backbone.
Before you start
interfaces.
Steps
1
Enable the DSCP marking. When enabled, the DSCP of IP packets is remarked.
OR
Disable the DSCP marking. When disabled, the DSCP of IP packets is not touched
Set the limit of total bit rate capacity for real time contexts.
In the Max Bitrate for Realtime Traffic text box, set the limit for the total bit rate
capacity that can be used for real-time (conversational and streaming) contexts. The
dimension is kilobits per second. It should be greater than or equal to the sum of Max
Bitrate for Conversational Traffic and Max Bitrate for Streaming Traffic.
DN04134496
Issue 6-3 en
Id:0900d80580710501
41
Set the limit of total bit rate capacity used for the conversational class.
In the Max Bitrate for Conversational Traffic, set the limit for the total bit rate
capacity used for the Conversational class. The dimension is kilobits per second.
When summed with Max Bitrate for Streaming Traffic it should be smaller than or
equal to Max Bitrate for Realtime Traffic.
Set the limit of total bit rate capacity used for the streaming class.
In the Max Bitrate for Streaming Traffic, set the limit for the total bit rate capacity
used for the Streaming class. The dimension is kilobits per second. When summed
with Max Bitrate for Conversational Traffic it should smaller than or equal to Max
Bitrate for Realtime Traffic.
Select the TREC ID.

This refers to an existing treatment class (TREC). If the value 'Not used' is selected,
the TREC is not used for the given access point.
Note that TREC is not used when the access point mode is Normal. In that case only
the 'Not used' option is available.
Select the TREC ID for roamers.

This refers to an existing treatment class (TREC) and defines the TREC used for
roamers. If the value 'Not used' is selected, TREC ID for roamers is not used for the
given access point.
TREC ID for roamers is not configurable when the access point mode is either
Normal or IPv6. In that case only the 'Not used' option is available.
Note that this option is available only when the Network Based QoS license is
installed.
Determine whether real-time primary PDP context activations are permitted to the
access point.
Select the policing method.

This parameter is a workaround solution for situations where some mobile stations
and some streaming servers do not co-operate very well when dealing with the
maximum bit rate. '3GPP Policing' means strict policing according to 3GPP standards. 'Modified Policing' should work in practice in most cases. The default value is
'3GPP Policing'.
Click Apply.
g Configuring the maximum bit rates has an effect only on non-service aware
access points (Normal mode).
3.14
Configuring AP IPv4 P-CSCF discovery

Purpose
This procedure provides instructions for configuring the Dynamic Host Configuration
Protocol for IPv4 (DHCPv4) server and the relay agent address for P-CSCF discovery.
In this case the user equipment sends the DHCP request and the Flexi ISN acts as a
DHCP relay agent. The Flexi ISN may also have a locally configured list of P-CSCF
42
Id:0900d80580710501
DN04134496
Issue 6-3 en
addresses if the GPRS procedure for P-CSCF discovery is required. Here you can configure how many of these addresses are returned to the user equipment.
Before you start
The creation of an access point with the identification information, the selection of the
connection type, and configuring the P-CSCF addresses are prerequisites. For more
information, see Section Creating IPv4 access points.
Steps
1
Enter the IPv4 address of the DHCP server in the corresponding text box.
This is the IPv4 address of a DHCPv4 server that the Flexi ISN contacts as a
DHCPv4 relay agent. If this address is not specified, the DHCP relay agent functionality for P-CSCF discovery is not supported under this access point.
Enter the IPv4 address of the DHCP relay agent in the corresponding text box.
For example, the IP address configured in the Virtual Mobile Address.
This is the IPv4 address of the Flexi ISN acting as a DHCPv4 relay agent announced
to the DHCPv4 server. If this address is not specified, the DHCPv4 relay agent functionality P-CSCF discovery under this access point is not supported.
Enter the number of the P-CSCF IP addresses.

This defines the number of P-CSCF IP addresses to be sent in the response
message to the activate PDP context message. These addresses are defined on the
P-CSCF Configuration page in Voyager. This parameter is valid for all types of IPv4
and IPv6 access points. The default value is 1.
This configuration applies to the GPRS procedure for P-CSCF discovery.
Click Apply.
3.15

Purpose
The charging profile defines how the mobile subscriber is charged. The source for the
charging profile is either one of the following:
If the user profile is fetched from the NPS or RADIUS authentication server, the user
profile defines the charging profile, otherwise
The user profile is defined by the local configuration and the charging profile is
selected based on the access point configuration.
If no charging profile is selected, the default will be used.
DN04134496
Issue 6-3 en
Id:0900d80580710501
43
Before you start

The creation of an AP with the identification information is a prerequisite. For more information, see Section Creating IPv4 access points.
Steps
1
In the Default Charging Profile, select Prepaid, Postpaid, Postpaid with Credit
Control, HLR, or Hot Billing.
The selection determines the default charging profile.
If the default charging profile is applied and set to Postpaid or Hot Billing, the online
charging system (OCS) is not used.
If the value 'HLR' has been selected, the charging characteristics field coming from
the HLR is used to determine the types of CDRs generated. (For more information
about which CDRs the PDP context will generate, see Section How to find out the
type of CDR created in Charging in Nokia Siemens Networks Flexi ISN.) If the HLR
does not send the field, the Flexi ISN sets the default value as Postpaid.
The value Hot Billing can only be used if the value for the Version Level for CDRs
parameter (on the Basic Charging Configuration page) is ISN3.1 or higher.
The value Postpaid with Credit Control can only be used if the OCS is in use.
Select the charging limit profile from the drop-down list.

This refers to a profile in the Charging Limit Profile table. There must be a reference
to a charging profile in every access point. The default value refers to the default
charging profile.
For instructions on configuring a charging limit profile, see Creating limit profile configuration in Charging in Nokia Siemens Networks Flexi ISN.
Determine how CDRs are generated.

Select one of the following values:
No CDRs: Neither G-CDRS nor SA-CDRs are generated.

Single CDR: Only one type of CDR is generated. If the access point mode is
Normal, this value enables G-CDR generation. If the access point mode is not
Normal, it means that the access point is a service aware access point and this
value enables SA-CDR generation.
Both CDRs: Both G-CDRs and SA-CDRs are generated. This value can be used
only if the access point mode is other than Normal.
Select Enabled or Disabled for CDR Generation For Flat-rate Users.

In order to disable CDRs for Flat-rate Users, it is required to have the following configuration:
1. Select HLR from the drop-down list for the Default Charging Profile.
2. On General Configuration, the PLMN ID should be defined under Home PLMN
ID Configuration.
44
Id:0900d80580710501
DN04134496
Issue 6-3 en
If Disabled is selected, CDRs are not generated if the respective AP is the primary
AP and flat rate charging has been enabled for the PDP context. The concept
'primary AP' is explained in Service Awareness in Nokia Siemens Networks Flexi
ISN.
5
Select Enabled or Disabled for overbilling protection.

Sometimes it is possible that PDP context termination information (for example, an
Accounting-Request Stop message from AAA or NAS) does not reach the Flexi ISN.
If overbilling protection is enabled, the Flexi ISN deletes an existing (hanging) PDP
context when conflicting identification is received in the creation of a new PDP
context. This ensures that the old PDP context is not charged erroneously for the
traffic of the new PDP context.
Click Apply.
3.16
Configuring AP IPv4 Roaming Profile charging options

Purpose
This section describes the necessary steps to configure the Roaming Profile feature
using Voyager. The Roaming Profile is configurable only when the Roaming Profile
license is purchased and activated. This feature applies for outbound roamers only.
The Roaming Profile feature is only applicable when the Credit Control Protocol is
DCCA. When either RCC or NONE Protocol is selected in OCS configuration, the
Roaming Profile Options are not visible.
1
In the Voyager homepage, click Routing Instance.
In Routing Instance, click Config. (Default)
In the Configuration page, click Flexi ISN Configuration.
In Flexi ISN Configuration, click Access Points
In Access Points Configuration, click the access point you want to configure.
Figure 1
6
Click Apply
Click Save
Roaming Profile Charging configuration
g In RADIUS and Nokia Profile Server (NPS) mode the context is created to service
access point, hence the roaming DCCA must be configured to service access point.
In case of NPS, when the NPS mode access point has the default services, it is recommended to add also the roaming DCCA in this Access point.
Primary Online Charging Server
This is the Primary Roaming Charging Server. The default value is None. While this
value is None, the Roaming Profile feature, is considered disabled.
DN04134496
Issue 6-3 en
Id:0900d80580710501
45
g If the primary online charging server - prepaid is the same with the one already used
for a prepaid subscriber, either from the Online Charging Configuration or the
NPS/RADIUS server, the Roaming Profile feature is considered disabled.
Secondary Online Charging Server
This is the Secondary Roaming Charging Server. The default value is None. It is up to
the operator to choose or not secondary Online Charging System (OCS) for roamers.
The values of the primary and secondary online charging servers correspond to the id
of the OCS Diameter Peer Configuration to be used for roamers. See Figure 2 for more
information.
Figure 2
OCS Diameter Peer Configuration
Restrictions
The operator needs to have the correct configuration. In this way the subscribers
coming from cooperating PLMNs (for example, sharing the same SGSN/GGSN) will
not be considered as outbound roamers and the feature will not apply to them even
if they are in the same country.
The failure handling mechanism of the OCS Configuration in Voyager provides the
option to turn a prepaid subscriber into a postpaid one, in case both primary and secondary OCSs fail. It is up to the operator to configure prepaid roamers not to use this
option, by setting the Roaming entry field to continue as postpaid. This mechanism
also applies to postpaid roamers that turn into prepaid due to the Roaming Profile
feature. For more information, see Section Configuring the interface to online
charging system (OCS) in General Configuration in Nokia Siemens Networks Flexi
ISN.
When the feature gets activated and enabled for an AP, then it is only on the next
PDP Create/Update that the Roaming Profile feature will take effect.
g The Roaming Profile feature is independent of the connection type, for example
IPv4 or IPv6.
3.17
Activating the access point configuration

Purpose
After all the relevant access point configuration phases have been carried out, the
access point must be activated for it to become effective.
46
Id:0900d80580710501
DN04134496
Issue 6-3 en
Steps
1
On the access point configuration page in Voyager, make sure that the Row Status
is set to Active.
Click Apply and Save.
Further Information
g The row status can also be changed on the main access point configuration page in
Voyager.
After changing the row status in the Access Point table, click Apply and Save.
3.18
Configuring default services for IPv4 access point

Purpose
If the AP mode is set to GGSN or PCRF, you must configure in the Flexi ISN which
services are activated. These services are called default services. They apply for each
user. The default services are also used when the Nokia Siemens Networks Profile
Server does not supply a profile.
Before you start
Before configuring default services for an AP, make sure that there is an IPv4 AP configured in the GGSN or PCRF mode. For more information, see Section Creating IPv4
access points.
Steps
1
In Routing Instances, click Config (Default).
Click Def.services in the Default Services column on the row of the access point
you want to set default services for.
This link is visible only if the AP mode is GGSN, NPS or PCRF.
DN04134496
Issue 6-3 en
Click Create a new row.
Select a service from the drop-down menu.
Click Apply.
To make the changes permanent, click Save.
Id:0900d80580710501
47
4 Configuring IPv6 access points

4.1

Purpose
This procedure provides instructions for creating and configuring the IPv6 Access Point
(AP).
Summary
Below are listed all the parameters that cannot be changed on the fly, that is, when the
access point is active:
Identification
Name
Mode
Connection Type
Type
Limitations
Mobile's IP Addresses
Steps
1

An AP belongs to one of the existing routing instances. There is always at least the
'default' instance. All of the Gi side traffic is controlled by the selected instance
routing tables.
In Routing Instance, click Config.
Click Create a new access point.
Choose the type for the IPv6 access point.

Select from either of the following:
48
Native IPv6 (IPv6)

IPv6 Tunnel over IPv4 (IPv6)
g When the AP is configured for the IPv6 type, only the AP types for normal
IPv6 routing are used, or the IPv6 traffic is tunnelled over IPv4 to the remote
IPv4 tunnel endpoint.
For more information about the types, see Section Access point types.
Click Apply.
Id:0900d8058069561f
DN04134496
Issue 6-3 en
On the new page, continue with the access point definition.
In the Name text box, enter the access point name (APN).
The APN Network Identifier is a label (for example, 'corporation') or a set of labels
separated by dots which is a fully qualified domain name according to the DNS
naming conventions (for example, 'company.com').
10 In the Description edit box, enter a description for the access point.
11 Verify that Row Status is Not in Service.
Some of the fields cannot be changed if the access point is active.
12 Select AP mode Normal.
Select Normal to create an AP. The normal mode AP means an AP without service
aware functionality.
g The normal mode is the only option when creating APs for IPv6.
It is not possible to configure DHCP and RADIUS for IPv6 APs.
13 Define the connection type.
Steps
1. If the AP type is native IPv6, do the following:
1.1 Enable or disable Redistribute to RIP.

access point will be marked for redistribution to the Routing Information Protocol.
1.2 Enable or disable Redistribute to OSPF External.
access point will be marked for redistribution to the open shortest path first
protocol.
2. If the AP type is IPv6 tunnel over IPv4, do the following:
2.1 Enter the Tunnel Remote IP Address.

This is the address to use as the destination address for the tunnelled
packets. If there are several access points using the tunnel to the same
remote IP address, make sure the Tunnel Remote IP Address is also the
same in all these APs.
DN04134496
Issue 6-3 en
Id:0900d8058069561f
49
2.2 Enter the Tunnel Local IP Address.

This is the address for the remote end-router to use as the destination
address for the tunnelled packets. Select the address from the list of
loopback interface addresses.
2.3 Enter the ping interval.
The delay, in seconds, between the Internet Control Message Protocol
(ICMP) Echo messages (ping) sent to the Tunnel Remote IP Addresses.
This parameter specifies the interval that a single service blade uses when
sending the ping messages. Because all the service blades send these messages, the observed interval is shorter than configured one. If this is set to
zero, no ICMP Echo messages are sent.
14 Click Apply.
4.2
Configuring AP IPv6 limitations

Purpose
This procedure provides instructions on restricting the number of PDP contexts and the
number of IP addresses that can be permitted.
Before you start
See also Section Creating IPv6 access points.
Note that these parameters cannot be changed when the Row Status is set to Active.
Steps
1
In the Max. Active PDP Contexts text box, enter the maximum number of active
PDP contexts allowed.
In the Max. Dynamic IP Addresses text box, enter the maximum number of
dynamic IP addresses allowed.
Define the quarantine period for the IP address.

This defines the time period (in seconds) when the same IP addresses from the local
IP pools are not reallocated. When an allocated IP address is released, it cannot be
re-allocated during the configured quarantine period. If all IP addresses are in use
or in quarantine, no new PDP contexts can be created.
Click Apply.
4.3
Configuring AP IPv6 user equipment IP addresses

Purpose
This procedure provides instructions for allocating an IPV6 address for user equipment.
Before you start
The creation of an AP with the identification information and the selection of connection
type are prerequisites. For more information, see Section Creating IPv6 access points.
50
Id:0900d8058069561f
DN04134496
Issue 6-3 en
Note that these parameters cannot be changed when the Row Status is set to Active.
Steps
1
Make sure that the IPv6 prefix entered in the corresponding text box conforms to the
connection type of the IPv6 access point.
Only dynamic IP addresses from the Flexi address pool can be used with the IPv6
connections. The IPv6 prefix of an access point (AP) is delivered to all user equipment that are connected to the AP. When IPv6 to IPv4 tunnelling is used for the AP,
use the IPv4 address in the prefix. In practice that means the address
2002:<IPv4_address> is to be used, where the <IPv4_address> is the same as the
Local IPv4 address on the Voyager IPv6 to IPv4 configuration page (Routing
Instance Config IPv6 Configuration IPv6 to IPv4).
Enter the mask length for the prefix in the corresponding text box.
The mask length and the prefix define the IPv6 prefix pool from which the prefixes
of the user equipment are defined.
Click Apply.
4.4
Configuring AP IPv6 security

Purpose
This procedure provides instructions for ensuring the security of IPv6 access points
(AP). Traffic between two user equipment (UE) is a potential security problem when the
UEs are connected to the same Flexi ISN, since the traffic does not go through any
external firewall.
Before you start
The creation of an AP with the identification information and the selection of connection
type are prerequisites. For more information, see Section Creating IPv6 access points.
Steps
1
If
the access point type is native IPv6,
Then
Do the following steps:
1. All the traffic from one UE to another UE will be prohibited unless the two UEs
belong to the same access point and you set Intermobile Traffic to Enabled.
2. Traffic from one UE to another UE inside different access points (in the same
GGSN) is allowed if you set the Inter-AP Traffic edit box to Enabled in these
access points.
DN04134496
Issue 6-3 en
Id:0900d8058069561f
51
When the Selection Mode value in the GTP message indicates that the UE is not
verified, the Flexi ISN rejects the PDP context activation request unless you set
Unverified Mobile Acceptance to Enabled.
This applies to both connection types, native IPv6 and IPv6 tunnel over IPv4.
Click Apply.
4.5

Purpose
This procedure provides instructions for limiting the amount of time before timeout. The
procedure also provides information about disabling or avoiding the use of timeouts.
A session consists of one or more PDP contexts (which are sometimes called secondary
PDP contexts, but there is no real difference between them once they are created), and
it is automatically created with each primary PDP context.
Before you start
The creation of an access point with the identification information and the selection of
connection type are prerequisites. For more information, see Section Creating IPv6
access points.
Steps
1
Use the Session Timeout text box to limit the overall lifetime.
Timeouts are expressed in seconds.
Note that because of the internal implementation the actual time is longer than the
configured value. This additional time varies from 0 seconds to 1 minute.
In the Idle Timeout text box, set the maximum time the session may stay idle
without any traffic.
If you choose not to use timeouts, leave the text box for Session Timeout or Idle
Timeout empty or set to the value, '0'.
Such settings as '0' or empty indicates that the timeout function is not used.
Click Apply.
Further Information
Timeouts are not dynamic. The session activation is done with the information available
in the APN settings during activation. If the settings are changed during the lifetime of a
session, the timeouts are not changed for that session.
The duration of the G-CDR differs from the Session Timeout value. When you set the
Session Timeout to a certain value, the G-duration within the G-CDR is not automatically the same value.
52
Id:0900d8058069561f
DN04134496
Issue 6-3 en
4.6

Purpose
You can either remark the DSCP of the mobile-originated IP packet or leave it
untouched. The same marking system is used as the one in the GPRS/UMTS backbone.
Before you start
access points.
Steps
1
To use the DSCP marking for uplink packets in IPv6 access points, select Enabled
from the DSCP Mark Uplink Packets drop-down list.
When enabled, the DSCP of the IP packet is remarked.
Set the limit of total bitrate capacity realtime contexts.

In the Max bitrate for Realtime Traffic, set the limit of the total bitrate capacity that
can be used for real-time (Conversational and Streaming) contexts. The dimension
is kilobits per second. It should be greater than the sum of Max bitrate for Conversational Traffic and Max bitrate for Streaming traffic.
Set the limit of total bitrate capacity used for conversational class.
In the Max bitrate for Conversational Traffic, set the limit of the total bitrate
capacity used for Conversational class. The dimension is kilobits per second. When
summed with Max bitrate for Streaming traffic, it should be less than or equal to
Max bitrate for Realtime Traffic.
Set the limit of total bitrate capacity used for streaming class.
In the Max bitrate for Streaming traffic, set the limit for the total bitrate capacity
used for the Streaming class. The dimension is kilobits per second. When summed
with Max bitrate for Conversational Traffic, it should be less than or equal to Max
bitrate for Realtime Traffic.
Define the policing method.

From the Policing drop-down list, choose the policing method. This parameter is a
workaround solution for situations where some mobile stations and some streaming
servers do not co-operate very well when dealing with the maximum bit rate. '3GPP
Policing' means strict policing according to 3GPP standards. 'Modified Policing'
should work in practice in most cases. The default value is '3GPP Policing'.
Click Apply.
DN04134496
Issue 6-3 en
Id:0900d8058069561f
53
4.7
Configuring AP IPv6 DNS discovery

Purpose
This procedure provides instructions for configuring the IPv6 address of the domain
name server (DNS) to be sent in the response message to the Activate PDP context
message.
Before you start
access points.
Steps
1
Enter the IPv6 address of the primary DNS.
Enter the IPv6 address of the secondary DNS.
Click Apply.
4.8
Configuring AP IPv6 P-CSCF discovery

Purpose
This procedure provides instructions for configuring the Dynamic Host Configuration
Protocol for IPv6 (DHCPv6) server and relay agent address for P-CSCF discovery. In
this case the user equipment sends the DHCP request and the Flexi ISN acts as a
DHCP relay agent. The Flexi ISN may also have a locally configured list of P-CSCF
addresses if the GPRS procedures for P-CSCF discovery are required. Here you can
configure how many of these addresses are returned to the user equipment.
Before you start
The creation of an access point with the identification information, the selection of the
connection type, and configuring the P-CSCF addresses are prerequisites. For more
information, see Section Creating IPv6 access points.
Steps
1
Enter the IPv6 address of the DHCPv6 server in the corresponding text box.
This is the IPv6 address of a DHCPv6 server that the Flexi ISN contacts as a
DHCPv6 relay agent. If the address is unspecified, the Flexi ISN uses the
All_DHCP_Server's multicast address (specified in IETF RFC 3315) as the default.
Enter the IPv6 address of the DHCPv6 relay agent in the corresponding text box.
This is the address of the Flexi ISN acting as a DHCPv6 relay agent announced to
the DHCPv6 server. If this address is specified, the Flexi ISN sets an O-flag in the
Router Advertisement messages (described in IETF RFC 2461) to indicate the user
54
Id:0900d8058069561f
DN04134496
Issue 6-3 en
equipment to start the DHCPv6 session to retrieve the other configuration information. If this address is unspecified, the DHCPv6 relay agent functionality under this
access point is not supported.
3
Enter the number of the P-CSCF IP addresses.

This defines the number of P-CSCF IP addresses to be sent in the response
message to the Activate PDP context message. These addresses are defined on the
P-CSCF Configuration page in Voyager. The default value is 1.
This configuration applies to the GPRS procedures for P-CSCF discovery.
Click Apply.
4.9

Purpose
You can define the charging method for the users with this configuration parameter.
Before you start
The creation of an AP with the identification information is a prerequisite. For more information, see Section Creating IPv6 access points.
Steps
1
In the Default Charging Profile, select Prepaid, Postpaid, Postpaid with Credit
Control, HLR, or Hot Billing.
The selection determines the default charging profile.
If the default charging profile is applied and set to Postpaid or Hot Billing, the online
charging system (OCS) is not used.
If the value 'HLR' has been selected, the charging characteristics field coming from
the HLR is used to determine the types of CDRs generated. For more information
about which CDRs the PDP context will generate, see Section How to find out the
type of CDR created in Charging in Nokia Siemens Networks Flexi ISN. If the HLR
does not send the field, the Flexi ISN sets the default value as Postpaid.
The value Hot Billing can only be used if the value for the Version Level for CDRs
parameter (on the Basic Charging Configuration page) is ISN3.1 or higher.
The value Postpaid with Credit Control can only be used if the OCS is in use.
Select the charging limit profile from the drop-down list.

This refers to a profile in the Charging Limit Profile table. There must be a reference
to a charging profile in every access point. The default value refers to the default
charging profile.
For instructions on configuring a charging limit profile, see Creating charging limit
profile configuration in General Configuration of Nokia Siemens Networks Flexi ISN.
DN04134496
Issue 6-3 en
Id:0900d8058069561f
55
Determine how CDRs are generated.

Select one of the following values:
No CDRs: Neither G-CDRS nor SA-CDRs are generated.

Single CDR: Only one type of CDR is generated. If the access point mode is
Normal, this value enables G-CDR generation. If the access point mode is not
Normal, it means that the access point is a service aware access point and this
value enables SA-CDR generation.
Both CDRs: Both G-CDRs and SA-CDRs are generated. This value can be used
only if the access point mode is other than Normal.
Select Enabled or Disabled for CDR Generation For Flat-rate Users.

In order to disable CDRs for Flat-rate Users, it is required to have the following configuration:
1. Select HLR from the drop-down list for the Default Charging Profile.
2. On General Configuration, the PLMN ID should be defined under Home PLMN
ID Configuration.
If Disabled is selected, CDRs are not generated in the respective AP and flat rate
charging has been enabled for the PDP context.
Select Enabled or Disabled for overbilling protection.

Sometimes it is possible that PDP context termination information (for example, an
Accounting-Request Stop message) does not reach the Flexi ISN. If overbilling protection is enabled, the Flexi ISN deletes an existing (hanging) PDP context when
conflicting identification is received in the creation of a new PDP context. This
ensures that the old PDP context is not charged erroneously for the traffic of the new
PDP context.
Click Apply.
To make your changes permanent, click Save.

The access point is now ready.
4.10
Activating the access point configuration

Purpose
After all the relevant access point configuration phases have been carried out, the
access point must be activated for it to become effective.
Steps
1
On the access point configuration page in Voyager, make sure that the Row Status
is set to Active.
Click Apply and Save.
Further Information
56
Id:0900d8058069561f
DN04134496
Issue 6-3 en
g The row status can also be changed on the main access point configuration page in
Voyager.
After changing the row status in the Access Point table, click Apply and Save.
DN04134496
Issue 6-3 en
Id:0900d8058069561f
57
Other access point operations
5 Other access point operations

5.1
Configuring aliases
Purpose
Aliases enable the smart use of access points (APs). APs that can be used in the Create
PDP Context request can have alternative short names called aliases. By binding an
alias name to a traditional access point name, you can use traditional APs without
further reconfiguration requirements. Aliases can apply to all AP types in the Normal,
GGSN, PCRF, NPS, or RADIUS mode.
g In order to make the alias available to the SGSN, the alias has to be configured also
in the packet core DNS as a CNAME-type resource record.
Before you start
Before configuring an alias for an AP, make sure that there is an AP configured in the
Flexi ISN.
g Aliases cannot point to context prohibited access points.

Steps
5.2
In Routing Instances, click Config (Default).
In the Access Point Configuration section, click Aliases.
Click Create a new row.
Enter the alias and choose an access point from those previously configured.
Click Apply.
Click Save to make the changes permanent.
Copying access points

Purpose
Use this procedure to create a new access point using the information from an already
created access point.
Steps
58
Id:0900d8058069563f
DN04134496
Issue 6-3 en
Select the access point you want to copy.
At the bottom of the page, click Create new Access Point using this as a template.
Change the name of the access point.

Make all other desired changes to the parameter values.
5.3
Click Apply.
Deactivating access points

Purpose
Use this procedure to deactivate access points (APs) and to make changes that can only
be done when the row status is not Active.
Before you start
Check the statistics of the AP to make sure that there are not too many active PDP contexts. When the PDP contexts are deleted, the Flexi ISN sends messages to other
network elements. If the number of messages becomes too high, other network
elements may not be able to handle them properly.
Steps
1
In the Access Point Configuration section, select Access Points.
From the Row Status drop-down list for the access point you want to deactivate,
select Not in Service.
Click Apply.

Expected outcome
All PDP contexts in the deactivated AP are deleted. If the AP uses RADIUS accounting, the Flexi ISN sends an Accounting OFF message and an Accounting Stop
message for each deleted PDP context to the RADIUS server (for more information,
see parameter Notify AP Status Change in Section Configuring AP IPv4 RADIUS
interfaces). If the connection type of the access point is L2TP, the Flexi ISN disconnects the L2TP tunnel.
5.4
Deleting access points

Purpose
Use this procedure to delete access points.
Note that you cannot delete an access point if there are aliases configured.
DN04134496
Issue 6-3 en
Id:0900d8058069563f
59
Before you start

Check the statistics of the AP to make sure that there are not too many active PDP contexts. When the PDP contexts are deleted, the Flexi ISN sends messages to other
network elements. If the number of messages becomes too high, other network
elements may not be able to handle them properly.
Steps
1
In the Access Point Configuration section, select Access Points.
In the row for the access point you want to delete, select the Delete check box.
Or
1. Select the access point you want to delete.
2. At the bottom of the page, select the Delete check box.
Click Apply.

Expected outcome
All PDP contexts in the deactivated access point are deleted. If the access point
uses RADIUS accounting, the Flexi ISN sends an Accounting OFF message and an
Accounting Stop message for each deleted PDP context to the RADIUS server (for
more information, see parameter Notify AP Status Change in Section Configuring
AP IPv4 RADIUS interfaces. If the connection type of the access point is L2TP, the
Flexi ISN disconnects the L2TP tunnel.
60
Id:0900d8058069563f
DN04134496
Issue 6-3 en
Abbreviations
6 Abbreviations
This section lists the abbreviations used in this document. See the general Nokia
Siemens Networks Glossary if you cannot find the term that you need.
DN04134496
Issue 6-3 en
AP
Access Point
APN
Access Point Name
CCR
Credit Control Request
CHAP
Challenge Handshake Authentication Protocol
DCCA
Diameter Credit Control Application
DHCP
Dynamic Host Configuration Protocol
DNS
Domain Name Server
GGSN
Gateway GPRS Support Node
GPRS
General Packet Radio Service
HLR
Home Location Register
IE
Information Element
IMSI
International Mobile Subscriber Identity
ISN
Intelligent Service Node
ISP
Internet Service Provider
L2TP
Layer 2 Tunnelling Protocol
LAN
Local Area Network
LDAP
Lightweight Directory Access Protocol
LNS
L2TP Network Server
MCC
Mobile Country Code
MMS
Multimedia Messaging Service
MNC
Mobile Network Code
NAT
Network Address Translation
NBNS
NetBIOS Name Service
NPS
Nokia Profile Server
OCS
Online Charging System
PAP
Password Authentication Protocol
PCO
Protocol Configuration Option
PCRF
Policy and Charging Rule Function
PDP context
Packet Data Protocol context
RADIUS
Remote Authentication Dial-in User Service
SGSN
Serving GPRS Support Node
TCP
Transmission Control Protocol
UDP
User Datagram Protocol
UE
User Equipment
URI
Uniform Resource Identifier
URL
Uniform Resource Locator
Id:0900d805806955d6
61
Abbreviations
62
WAP
Wireless Application Protocol
WINS
Windows Internet Name Service
Id:0900d805806955d6
DN04134496
Issue 6-3 en

Access Points in Nokia Siemens Networks Flexi ISN

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Access Points in Nokia Siemens Networks Flexi ISN

Uploaded by

Copyright:

Available Formats

FISNFI40EMED.