RADIUS-Initiated Traffic Mirroring Process for Logged-In Subscribers
Figure 1 shows the process for a RADIUS-initiated subscriber mirroring operation that is initiated after the subscriber has logged in.
1 — The subscriber logs in, requesting authentication by the RADIUS server. The RADIUS server authenticates the subscriber (no mirroring activity occurs). | 6 — The IAP sends the original subscriber traffic to its intended destination. |
2 — The LEA sends provisioning information for a subscriber whose traffic is to be mirrored over the HI-1 interface to the mediation device. | 7 — As subscriber-related events occur, the IAP sends the events in SNMP traps over the INI-2 interface to the mediation device. |
3 — The mediation device sends the provisioning information over the INI-1 interface to the RADIUS server. | 8 — The mediation device provides events over the HI-2 interface to the LEA. |
4 — The RADIUS server sends a CoA message containing the mirroring-related RADIUS attributes and VSAs to the IAP (the router). | 9 — The IAP encapsulates the mirrored subscriber content in a packet header and sends it to the mediation device over the INI-3 interface. The IAP uses the destination IP address that it received in the Access-Accept messaged from the RADIUS server. |
5 — The RADIUS CoA message initiates the mirroring operation. The IAP creates the subscriber secure policy based on the mirroring VSAs and immediately begins mirroring subscriber traffic. | 10 — The mediation device sends mirrored content over the HI-3 interface to the LEA. |