Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Diameter Base Protocol

Diameter Base Protocol Overview

The Diameter protocol is defined in RFC 3588, Diameter Base Protocol, and provides an alternative to RADIUS that is more flexible and extensible. The Diameter base protocol provides basic services to one or more applications (also called functions) that runs in a different Diameter instance. The individual application provides the extended AAA functionality. Applications that use Diameter include Gx-Plus, JSRC, NASREQ, PTSP, and S6a. Starting in Junos OS Release 13.1R1, the packet-triggered subscribers and policy control (PTSP) feature is no longer supported.

Diameter peers communicate over a reliable TCP transport layer connection by exchanging Diameter messages that convey status, requests, and acknowledgments by means of standard Diameter AVPs and application-specific AVPs. The Diameter transport layer configuration is based on Diameter network elements (DNEs); multiple DNEs per Diameter instance are supported. Currently only the predefined master Diameter instance is supported, but you can configure alternative values for many of the master Diameter instance values.

Each DNE consists of a prioritized list of peers and a set of routes that define how traffic is forwarded. Each route associates a destination with a function (application), a function partition, and a metric. When an application sends a message to a routed destination, all routes within the Diameter protocol instance are examined for a match. When the best route to the destination has been selected, the message is forwarded by means of the DNE that includes that route.

Multiple routes to the same destination can exist within a given DNE and in different DNEs. In the case of multiple routes that match a request for forwarding, the best route is selected as follows:

  1. The route with the lowest metric is selected.

  2. In the event of a tie, the route with the highest specification score is selected.

  3. In the event of another tie, then the names of the DNEs are compared in lexicographical order. The route in the DNE with the lowest value is selected. For example, dne-austin has a lower value than dne-boston.

  4. If the routes are tied within the same DNE, then the route names are compared in lexicographical order. The route with the lowest value is selected.

The specification score of a route is 0 by default. Points are added to the score as follows:

  • If the destination realm matches the request, add 1.

  • If the destination host matches the request, add 2.

  • If the function matches the request, add 3.

  • If the function partition matches the request, add 4.

Multiple routes to the same destination can exist within a given DNE and in different DNEs. In the case of multiple routes that match a request for forwarding, Diameter selects the best route as follows:

  1. Diameter compares the metric of the routes and selects the route with the lowest metric.

  2. If multiple routes have the same lowest metric, then Diameter selects the most-qualified route. Diameter evaluates multiple attributes of the route to determine a score that reflects how specifically each route matches the request. By default, the score of a route is 0. Points are added to the score as follows:

    • If the destination realm matches the request, add 1.

    • If the destination host matches the request, add 2.

    • If the function matches the request, add 3.

    • If the function partition matches the request, add 4.

  3. If multiple routes are equally qualified, then Diameter compares the names of the DNEs in lexicographical order and selects the route in the DNE that has the lowest value. For example, dne-austin has a lower value than dne-boston.

  4. If the routes are tied within the same DNE, then Diameter compares the route names in lexicographical order and selects the route with the lowest value.

When the state of any DNE changes, the route lookup for all destinations is reevaluated. All outstanding messages to routed destinations are rerouted as needed, or discarded.

To configure a Diameter network element, include the network-element statement at the [edit diameter] hierarchy level, then include the route statement at the [edit diameter network-element element-name forwarding] hierarchy level.

To configure a route for the DNE, include the destination (optional), function (optional), and metric statements at the [edit diameter network-element element-name forwarding route dne-route-name] hierarchy level.

Specify the Diameter peers associated with the DNE by including one or more peer statements at the [edit diameter network-element element-name] hierarchy level.

Set the priority for each peer with the priority statement at the [edit diameter network-element element-name peer peer-name] hierarchy level.

Diameter requires you to configure information about the origin node; this is the endpoint node that originates Diameter for the Diameter instance. Include the host and realm statements at the [edit diameter] hierarchy level to configure the Diameter origin.

You can optionally configure one or more transports to specify the source (local) address of the transport layer connection. To configure a Diameter transport, include the transport statement at the [edit diameter] hierarchy level. Then include the address statement at the [edit diameter transport transport-name] hierarchy level.

You can optionally specify a logical system and routing instance for the connection by including the logical-system and routing-instance statements at the [edit diameter transport transport-name] hierarchy level. By default, Diameter uses the default logical system and default routing instance (using the main inet.0 routing table). The logical system and routing instance for the transport connection must match that for the peer, or a configuration error is reported.

Each Diameter peer is specified by a name. Peer attributes include address and the destination TCP port used by active connections to this peer. To configure a Diameter peer, include the peer statement at the [edit diameter] hierarchy level, and then include the address and connect-actively statements at the [edit diameter peer peer-name] hierarchy level.

To configure the active connection, include the port and transport statements at the [edit diameter peer peer-name connect-actively] hierarchy level. The assigned transport identifies the transport layer source address used to establish active connections to the peers. transport statements.

Benefits of Using Diameter

  • Diameter enables a lower load on the network and servers by reporting usage information at a much lower frequency compared to RADIUS. RADIUS involves periodic updates independent of usage changes. Diameter applications such as Gx enable you to set thresholds with correlating pushes of usage statistics from the router to the PCRF. The PCRF can then make appropriate adjustments to services and costs.

  • Wireless services and charging are typically performed with Diameter applications, but wireline services have generally used a RADIUS-based infrastructure. Customers with both wireline and wireless offerings can reduce the complexity and cost of maintaining separate infrastructures by migrating their wireline operations to their existing Diameter-based wireless infrastructure.

  • Applications that run over Diameter tend to be stateful (some may be either, such as NASREQ), whereas RADIUS is not stateful.

  • Multiple application protocols can run over Diameter, such as NASREQ, Gx, Gy, JSRC, and S6a.

  • Larger attribute space than RADIUS, which enables a greater number of standard and vendor-specific attributes (AVPs) than RADIUS. Diameter also supports the RADIUS standard attributes, reserving AVPs 1 through 255 for them.

Messages Used by Diameter Applications

Junos OS supports the following Diameter applications:

  • JSRC—A Juniper Networks Diameter application registered with the IANA (http://www.iana.org) as Juniper Policy-Control-JSRC, with an ID of 16777244. It communicates with the SAE (remote SRC peer).

  • PTSP—A Juniper Networks Diameter application registered with the IANA (http://www.iana.org) as Juniper JGx, with an ID of 16777273. It communicates with the SAE (remote SRC peer). Starting in Junos OS Release 13.1R1, the packet-triggered subscribers and policy control (PTSP) feature is no longer supported.

  • Gx-Plus—An application that extends the 3GPP Gx interface for wireline use cases. 3GPP Gx is registered with the IANA (http://www.iana.org). It communicates with a PCRF.

    If data for a particular AVP included in a message is not available to the router, Gx-Plus simply omits the AVP from the message it sends to the PCRF. If the PCRF determines it has insufficient information to make a determination, it may deny the request. The Diameter answer messages include the Result-Code AVP (AVP 268); the values of this AVP convey success, failure, or errors to the requestor.

  • NASREQ—A Diameter-based authentication, authorization, and accounting protocol defined in RFC 7155. Junos OS supports authentication and authorization only.

Juniper Networks has also registered the Juniper-Session-Recovery application (16777296) and two new command codes (8388628 for Juniper-Session-Events and 8388629 for Juniper-Session-Discovery) with the IANA (http://www.iana.org).

Table 1 describes Diameter messages the applications use.

Table 1: Diameter Messages and Diameter Applications

Diameter Message

Code

Application

Description

AA-Request (AAR)

265

JSRC, NASREQ, PTSP

Request from the application to the SAE at new subscriber login or during SAE-application synchronization. The request can be one of three types: address-authorization, provisioning-request, or synchronization.

AA-Answer (AAA)

265

JSRC, NASREQ, PTSP

Response from the SAE to the application’s AA-Request message.

Abort-Session-Request (ASR)

274

JSRC, NASREQ, PTSP

Request from the SAE to the application to log out a provisioned subscriber.

Abort-Session-Answer (ASA)

274

JSRC, NASREQ, PTSP

Response from the application to the SAE’s ASR message. If the application sends the logout request to AAA, the ASA message includes a success notification (ACK). If the logout failed, the ASA message includes a failure notification (NAK).

Accounting-Request (ACR)

271

JSRC, PTSP

Request from the SAE to the application or from the application to the SAE for statistics.

Accounting-Answer (ACA)

271

JSRC, PTSP

Response to the ACR message to provide statistics for each installed policy (service).

Capability Exchange Request (CER)

257

Gx-Plus

Request from one peer to another when the peers establish a transport connection; initiates the capability negotiation. The CER announces the peer’s identity and capabilities, such as applications and security mechanisms supported.

Capability Exchange Answer (CEA)

257

Gx-Plus

Response to the CER message to announce this peer’s capabilities. If this peer has no capabilities in common with the peer that sent the CER, then it must set the Result-Code AVP to DIAMETER_NO_COMMON_APPLICATION and should drop the connection. Otherwise, the CEA details establish common capabilities between the peers and enable them to further establish communication.

Credit-Control-Request (CCR)

272

Gx-Plus

Request from Gx-Plus to the PCRF at subscriber login, logout, or update.

An initial request (CCR-I) is sent when a subscriber logs in and AAA is requested to activate the subscriber’s session. Gx-Plus retries the CCR-I message if a CCA-I message is not received from the PCRF within 10 seconds. The CCR-I message is retried up to 3 times.

The CCR-I message includes the Diameter AVP Subscription-Id attribute (443) with the Subscription-Id-Type Diameter AVP sub-attribute (450) set to 4 (END_USER_PRIVATE) and the Subscription-Id-Data Diameter AVP sub-attribute (444) set to reserved.

If no CCA-I is received after the 4 CCR-I messages have been sent—the first message plus 3 retries—then Gx-Plus starts sending CCR-N messages. CCR-N messages are retried forever until a success or failure response is received from the PCRF. CCR-N messages include the Juniper-Provisioning-Source AVP (AVP code 2101) set to local to notify the PCRF that the router has the authority to make a local decision regarding subscriber service activation.

An update request (CCR-U) message is sent when a usage threshold is reached. The CCR-U reports the actual usage for all statistics. The PCRF may return a CCA-U message that includes new monitoring thresholds, service activations, service deactivations.

If the PCRF times out on the CCR-U report, the router sets the threshold default to 10 minutes. When the change in threshold values is less than the minimum, the values are adjusted to the minimums. For example, the minimum increase for duration is 10 minutes.

A CCR-U is also sent to report the status of service activation or deactivation. When a monitored service is deactivated separate from a subscriber logout, the CCR-U indicates that the service is no longer active and includes the service’s usage data.

A termination request (CCR-T) is sent at subscriber logout to inform the PCRF that a provisioned subscriber session is being terminated. CCR-T messages are retried forever until a success response is received from the PCRF.

When a monitored service is deactivated as part of the subscriber logout, the CCR-T message includes monitored usage data for the service, such as bytes used.

Credit-Control-Answer (CCA)

272

Gx-Plus

Reply from the PCRF to a CCR message.

In response to a CCR-I, the PCRF returns a CCA-I message that indicates success (DIAMETER_SUCCESS) or failure (DIAMETER AUTHORIZATION REJECTED) depending on whether the subscriber has sufficient credit for the requested services. All other responses are ignored and the CCR-I is retried.

In response to a CCR-T, the PCRF returns a CCA-T message that indicates a successful termination with a value of 2001 (DIAMETER SUCCESS) in the Result-Code AVP. All other responses are ignored and the CCR-T is retried.

A CCA-N is a response to a CCR-N.

Juniper-Session-Discovery-Request (JSDR)

8388629

Gx-Plus

Discovery request from the PCRF to Gx-Plus to discover subscriber sessions on the router.

Juniper-Session-Discovery-Answer (JSDA)

8388629

Gx-Plus

Reply from router to a JSDR message; describes session information. The Result-Code AVP includes one of the following values, or an error value:

  • 2001—DIAMETER_SUCCESS; the end of the database was reached, meaning all information has been sent.

  • 2002—DIAMETER_LIMITED_SUCCESS; some of the session information was sent, but more remains to be sent.

Juniper-Session-Event-Request (JSER)

8388628

Gx-Plus

Request from router to PCRF regarding events that take place on the router. Notifies the PCRF of certain events on the router by including the Juniper-Event-Type AVP (AVP code 2103). Events reported include cold or warm boots, explicit discovery requests, substantial configuration changes, non-response or error response from PCRF, and exhaustion of fault-tolerant resources.

Juniper-Session-Event-Answer (JSEA)

8388628

Gx-Plus

Reply from PCRF to a JSER message.

Push-Profile-Request (PPR)

288

JSRC, PTSP

Request from the SAE to the router to activate or deactivate services for a subscriber.

Push-Profile-Answer (PPA)

288

JSRC, PTSP

Response from the router to the SAE’s PPR message. Includes success or failure notification for each of the service activation or deactivation commands in the request.

Re-Auth-Request (RAR)

258

Gx-Plus

Audit request from the PCRF to router to determine whether a specific subscriber is still present.

The router updates the monitoring key and threshold values when they are received in the RAR.

Re-Auth-Answer (RAA)

258

Gx-Plus

Reply from router to a RAR message; indicates whether the subscriber is active. The Result-Code AVP includes one of the following values:

  • 2001—DIAMETER_SUCCESS; subscriber entry was found.

  • 5002—DIAMETER_UNKNOWN_SESSION_ID; subscriber entry was not found.

  • 3002—DIAMETER_UNABLE_TO_DELIVER; Gx-Plus is not configured.

Session-Resource-Query (SRQ)

277

JSRC, PTSP

Request from the router to the SAE or from the SAE to the router to initiate synchronization between router and the SAE.

Session-Resource-Reply (SRR)

277

JSRC, PTSP

Response to the SRQ message to begin synchronization.

Session-Termination-Request (STR)

275

JSRC, NASREQ, PTSP

Notification from the router to the SAE that a provisioned subscriber has logged out.

Session-Termination-Answer (STA)

275

JSRC, NASREQ, PTSP

Response from the SAE to the router’s STR message. Includes success or failure notification.

Diameter AVPs and Diameter Applications

Diameter conveys information by including various attribute-value pairs (AVPs) in Diameter messages, in the same way that RADIUS conveys information in both standard IETF RADIUS attributes and vendor-specific attributes (VSAs). Table 2 lists the standard Diameter AVPs used in interactions with the supported Diameter applications. Diameter reserves AVP attribute numbers 0 through 255 for RADIUS attributes that are implemented in Diameter; the Diameter attribute numbers are the same as for the corresponding standard RADIUS attributes. Attributes numbered higher than 255 have no corresponding standard RADIUS attribute. Starting in Junos OS Release 13.1R1, the packet-triggered subscribers and policy control (PTSP) feature is no longer supported.

Table 2: Standard Diameter AVPs

Attribute Number

Diameter AVP

Application

Description

Type

1

User-Name

Gx-Plus, JSRC, NASREQ

Specifies the username. For a subscriber managed by AAA, the value is the subscriber’s login name. For a static interface, the value is the interface name, which is used as the subscriber’s login name.

UTF8String

2

User-Password

NASREQ

Specifies the password of the user to be authenticated or the user's input in a multi-round authentication exchange.

OctetString

4

NAS-IP-Address

NASREQ

Specifies the IP address of the NAS that is authenticating the user.

IPAddress

6

Service-Type

NASREQ

Specifies the type of service the user has requested or the type of service to be provided. One such AVP may be present in an authentication or authorization request or response. A NAS is not required to implement all of these service types.

Enumerated

8

Framed-IP-Address

Gx-Plus, JSRC, NASREQ, PTSP

Identifies the IPv4 address configured for the subscriber. This is the same value as for RADIUS Framed-IP-Address attribute [8].

OctetString

9

Framed-IP-Netmask

NASREQ

Identifies the four octets of the IPv4 netmask.

OctetString

11

Filter-ID

NASREQ

Specifies the name of the filter list for a user. It is intended to be human readable. Zero or more Filter-Id AVPs may be sent in an authorization answer message.

UTF8String

12

Framed-MTU

NASREQ

Specifies the maximum transmission unit (MTU) to be configured for the user, when it is not negotiated by some other means (such as PPP).

Unsigned32

22

Framed-Route

NASREQ

Specifies the 7-bit US-ASCII routing information.

UTF8String

25

Class

NASREQ

Returns state information from a Diameter server to the access device.

OctetString

27

Session-Timeout

NASREQ

Specifies the maximum number of seconds of service provided to the user before termination of the session.

Unsigned32

28

Idle-Timeout

NASREQ

Specifies the maximum number of consecutive seconds of idle connection allowable to the user before termination of the session or before a prompt is issued.

Unsigned32

32

NAS-Identifier

NASREQ

Specifies the identity of the NAS that provides service to the user.

DiamIdent

44

Acct-Session-ID

NASREQ

Specifies the contents of the RADIUS Acct-Session-Id attribute.

OctetString

50

Acct-Multi-Session-ID

NASREQ

Links multiple related accounting sessions, where each session has a unique Session-Id but the same Acct-Multi-Session-Id AVP.

UTF8String

55

Event-Timestamp

Gx-Plus, JSRC, PTSP

Specifies the time of the event that triggered the message in which this AVP is included. Time is indicated in seconds since January 1, 1900, 00:00 UTC.

Time

60

CHAP-Challenge

NASREQ

Specifies the PPP Challenge-Handshake Authentication Protocol (CHAP) challenge sent by the NAS to the CHAP peer.

OctetString

61

NAS-Port-Type

NASREQ

Specifies the type of the port on which the NAS is authenticating the user.

Enumerated

62

Port-Limit

NASREQ

Specifies the maximum number of ports the NAS provides to the user.

Unsigned32

78

Configuration-Token

NASREQ

Indicates the type of user profile used.

OctetString

85

Acct-Interim-Interval

JSRC, PTSP

Specifies the number of seconds between each interim accounting update for this session.

The router uses the following guidelines for interim accounting:

  • Attribute value is within the acceptable range (600 through 86,400 seconds)—Accounting is updated at the specified interval.

  • Attribute value is less than the minimum acceptable value—Accounting is updated at the minimum interval (600 seconds).

  • Attribute value is greater than the maximum acceptable value—Accounting is updated at the maximum interval (86,400 seconds).

Unsigned32

87

NAS-Port-Id

Gx-Plus, JSRC, NASREQ, PTSP

Identifies the port of the NAS that authenticates the user. This is the same value as for RADIUS NAS-Port-Id attribute [87].

UTF8String

88

Framed-Pool

NASREQ

Specifies the name of an assigned address pool to use to assign an address for the user. If a NAS does not support multiple address pools, the NAS disregards this AVP. Address pools are usually used for IP addresses but can be used for other protocols if the NAS supports pools for those protocols.

OctetString

97

Framed-IPv6-Prefix

NASREQ

Specifies the IPv6 prefix configured for the user.

OctetString

99

Framed-IPv6-Route

NASREQ

Specifies the US-ASCII routing information configured for the user on the NAS.

UTF8String

100

Framed-IPv6-Pool

NASREQ

Specifies the name of an assigned pool to use to assign an IPv6 prefix for the user. If the access device does not support multiple prefix pools, it must disregard this AVP.

OctetString

258

Auth-Application-ID

NASREQ

Specifies support of the Authentication and Authorization portion of an application.

Unsigned32

263

Session-ID

Gx-Plus, JSRC, NASREQ, PTSP

Specifies the subscriber session identifier. The router assigns the value to uniquely identify a subscriber session.

UTF8String

264

Origin-Host

NASREQ

Specifies the host that originates a Diameter message.

DiamIdent

268

Result-Code

Gx-Plus, JSRC, NASREQ, PTSP

Indicates whether a request completed successfully. Provides an error code if the request failed.

The following classes are recognized by Diameter:

  • 1xxx—Informational

  • 2xxx—Success

  • 3xxx—Protocol errors

  • 4xxx—Transient errors

  • 5xxx—Permanent failures

Unrecognized classes, which begin with numerals 6–9 or 0, are handled as permanent failures.

JSRC and PTSP support the following values; all non-success values are treated as permanent failures:

  • 1001—DIAMETER MULTI ROUND AUTH

  • 2001—DIAMETER SUCCESS

  • 5002—DIAMETER UNKNOWN SESSION ID

  • 5012—DIAMETER UNABLE TO COMPLY

JSRC also supports the following value, which is treated as a permanent failure:

  • 3004—DIAMETER TOO BUSY; this is a transient condition, typically when the router already has a request in process for a specified subscriber.

Gx-Plus supports the following values for errors in a PCRF response; when these values are received or the response is malformed or unrecognizable, the request is retried.

  • 3001—DIAMETER COMMAND NOT SUPPORTED; the application is not running or the command is not recognized.

  • 3004—DIAMETER TOO BUSY; the received message is above either the quota of downstream transactions or the outstanding message memory limit for messages from the network.

  • 5012—DIAMETER UNABLE TO COMPLY; the received message is greater than the local limit.

Unsigned32

269

Product-Name

Gx-Plus

Specifies the value for the Product-Name field in Capability Exchange Request (CER) and Capability Exchange Answer (CEA) messages. The value is always JUNOS unless a different name is configured with the product-name option at the [edit diameter] hierarchy level.

If you change the product name, the router disconnects all existing connections to Diameter peers and reconnects using the new name.

UTF8String

277

Auth-Session-State

JSRC, NASREQ, PTSP

Indicates whether AAA session state is maintained.

  • 0—STATE MAINTAINED

  • 1—NO STATE MAINTAINED

Enumerated

279

Failed-AVP

NASREQ

Specifies debugging information in cases where a request is rejected or not fully processed due to erroneous information in a specific AVP. The value of the Result-Code AVP provides information on the reason for the Failed-AVP AVP.

Grouped

281

Error-Message

NASREQ

Specifies a human-readable error message that may accompany a Result-Code AVP. The Error-Message AVP is not intended to be useful in real-time; do not expect network entities to parse the message.

UTF8String

283

Destination-Realm

NASREQ

Specifies the Diameter realm to which the Diameter message is routed.

DiamIdent

293

Destination-Host

NASREQ

Specifies the host to which a Diamter message is routed.

DiamIdent

295

Termination-Cause

JSRC, NASREQ, PTSP

Indicates the reason why a session was terminated on the access device.

  • 1—DIAMETER LOGOUT

  • 2—DIAMETER SERVICE NOT PROVIDED

  • 3—DIAMETER BAD ANSWER

  • 4—DIAMETER ADMINISTRATIVE

  • 5—DIAMETER LINK BROKEN

  • 6—DIAMETER AUTH EXPIRED

  • 7— DIAMETER USER MOVED

  • 8—DIAMETER SESSION TIMEOUT

Enumerated

296

Origin-Realm

NASREQ

Identifies the Diameter realm of the originator of a Diameter message.

DiamIdent

402

CHAP-Auth

NASREQ

Specifies the information necessary to authenticate a user using CHAP.

Grouped

415

CC-Request-Number

Gx-Plus

Identifies a request within a session. The combination of Session-Id and CC-Request-Type is globally unique. The number is incremented for each request during the course of a session. The number is reset when a router high availability event takes place.

Unsigned32

416

CC-Request-Type

Gx-Plus

Specifies the type of credit control request:

  • INITIAL REQUEST (1)

  • UPDATE REQUEST (2)

  • TERMINATION_REQUEST (3)

  • EVENT REQUEST (4)

Enumerated

431

Granted-Service-Unit

Gx-Plus

Contains the amount that can be provided of one or more of the following requested units specified by the client: CC-Input-Octets, CC-Output-Octets, CC-Time, or CC-Total-Octets. Included in CCA-I messages, and may be included in CCA-U messages.

Grouped

443

Subscription-Id

Gx-Plus

Contains the following sub-attributes that do no appear alone:

  • Subscription-Id-Type—(450) This subattribute has one of the following integer values:

    • 0 = END_USER_E164

    • 1 = END_USER_IMSI

    • 2 = END_USER_SIP_URI

    • 3 = END_USER_NAI

    • 4 = END_USER_PRIVATE

  • Subscription-Id-Data—(444) This sub-attribute has a value of reserved.

Grouped

446

Used-Service-Unit

Gx-Plus

Contains the amount of the requested units that have been actually used; measured from 4 when the service is activated. The units are one or more of the following requested units specified by the client: CC-Input-Octets, CC-Output-Octets, CC-Time, or CC-Total-Octets. Included in CCR-U messages.

Grouped

480

Accounting-Record-Type

JSRC, PTSP

Specifies the type of account record for service accounting:

  • INTERIM_RECORD—Accounting record sent between the start and stop records, at intervals specified by the Acct-Interim-Interval AVP (AVP code 85). It contains cumulative accounting data for the existing accounting session.

  • START_RECORD—Accounting record sent when the service is activated to initiate the accounting session. It contains accounting data relevant to the initiation of that session.

  • STOP_RECORD—Accounting record sent when the service is deactivated to terminate the accounting session. It contains cumulative data relevant to that session.

Enumerated

1001

Charging-Rule-Install

Gx-Plus, NASREQ

Requests the installation of the rule (activation of the service) designated by the included Charging-Rule-Name AVP (1005). This AVP has a vendor ID of 10415 (3GPP).

Grouped

1002

Charging-Rule-Remove

Gx-Plus

Requests the removal of the rule (deactivation of the service) designated by the included Charging-Rule-Name AVP (1005). This AVP has a vendor ID of 10415 (3GPP).

Grouped

1005

Charging-Rule-Name

Gx-Plus, NASREQ

Specifies the name of a specific rule that has been installed, modified, or removed.

OctetString

1066

Monitoring-Key

Gx-Plus

Specifies which of the monitoring structures to use. Included in Charging-Rule-Install AVP (1001). The MX router does not support aggregation of statistics across services, so the value of this AVP must be different for each service. This AVP has a vendor ID of 10415 (3GPP).

OctetString

1067

Usage-Monitoring-Information

Gx-Plus

Sets monitoring thresholds. When service statistics match at least one of the granted service values, the router sends a CCR-U report with the current statistics to the PCRF. Includes the Monitoring-Key AVP (1066) and the Granted-Service-Unit AVP (431). This AVP has a vendor ID of 10415 (3GPP).

Grouped

Juniper Networks AVPs are used in addition to the standard Diameter AVPs. These AVPs have a vendor ID (enterprise number) of 2636 or 4874, and are similar in concept to RADIUS vendor-specific attributes (VSAs). Table 3 lists the Juniper Networks AVPs that the supported Diameter applications use.

Table 3: Juniper Networks Diameter AVPs

Attribute Number

Diameter AVP

Vendor ID

Application

Description

Type

213

Interface-Set-Targeting-Weight

4874

NASREQ

Specify a weight for an interface set to associate it and its member links with an aggregated Ethernet member link for targeted distribution.

Unsigned32

214

Interface-Targeting-Weight

4874

NASREQ

Specify a weight for an interface to associate it with an interface set and thus with the set’s aggregated Ethernet member link for targeted distribution. When an interface set does not have a weight, then the interface weight value for the first authorized subscriber interface is used for the set.

Unsigned32

2004

Juniper-Service-Bundle

2636

JSRC

Specifies the name of the service bundle.

OctetString

2010

Juniper-DHCP-Options

2636

JSRC

Specifies the client’s DHCP options.

OctetString

2011

Juniper-DHCP-GI-Address

2636

JSRC

Specifies the DHCP relay agent’s IP address.

OctetString

2020

Juniper-Policy-Install

2636

JSRC, PTSP

Specifies policies to be activated for the subscriber. Includes Juniper-Policy-Name and Juniper-Policy-Definition

Grouped

2021

Juniper-Policy-Name

2636

JSRC, PTSP

Defines the name of a policy decision.

OctetString

2022

Juniper-Policy-Definition

2636

JSRC, PTSP

Defines a policy decision. Includes Juniper-Policy-Name, Juniper-Template-Name, and Juniper-Substitution.

Grouped

2023

Juniper-Template-Name

2636

JSRC, PTSP

Specifies the profile name defined by the router. PTSP supports only the __svc_rule__ policy template.

UTF8String

2024

Juniper-Substitution

2636

JSRC, PTSP

Defines the substitution attributes. Includes Juniper-Substitution-Name and Juniper-Substitution-Value.

OctetString

2025

Juniper-Substitution-Name

2636

JSRC, PTSP

Defines the name of the variable to be replaced.

OctetString

2026

Juniper-Substitution-Value

2636

JSRC, PTSP

Defines the value of the variable to be replaced.

OctetString

2027

Juniper-Policy-Remove

2636

JSRC, PTSP

Specifies policies to be deactivated for the subscriber. Includes Juniper-Policy-Name.

Grouped

2035

Juniper-Policy-Failed

2636

JSRC, PTSP

Specifies the name of the policy activation or deactivation that failed.

OctetString

2038

Juniper-Policy-Success

2636

JSRC, PTSP

Specifies the name of the policy activation or deactivation that succeeded.

OctetString

2046

Juniper-Logical-System

2636

JSRC, PTSP

Specifies the logical system.

UTF8String

2047

Juniper-Routing-Instance

2636

JSRC, PTSP

Specifies the routing instance.

UTF8String

2048

Juniper-Jsrc-Partition

2636

JSRC, PTSP

Specifies the logical system and routing instance for the subscriber or request. Includes Juniper-Logical-System and Juniper-Routing-Instance

Grouped

2050

Juniper-Request-Type

2636

JSRC, PTSP

Describes the type of request:

  • 1—ADDRESS_AUTHORIZATION

  • 2—PROVISIONING_REQUEST

  • 3—SYNCHRONIZATION

  • 4—NETWORK_FAMILY_ACTIVATE

    JSRC only.

  • 5—NETWORK_FAMILY_DEACTIVATE

    JSRC only.

Enumerated

2051

Juniper-Synchronization-Type

2636

JSRC, PTSP

Describes the type of synchronization:

  • 1—FULL-SYNC

  • 2—FAST-SYNC

  • 3—NO-STATE-TO-SYNC

Enumerated

2052

Juniper-Synchronization

2636

JSRC, PTSP

Describes the state of synchronization:

  • 1—NO-SYNC; this is the default state

  • 2—SYNC-IN-PROGRESS

  • 3—SYNC-COMPLETE

Enumerated

2053

Juniper-Acct-Record

2636

JSRC, PTSP

Specifies the statistics data for each policy installed for this subscriber. Includes Juniper-Policy-Name.

Grouped

2054

Juniper-Acct-Collect

2636

JSRC, PTSP

Specifies whether to collect accounting data for the installed policy (service) when included in the Juniper-Policy-Install AVP:

  • 1—COLLECT_ACCT

  • 2—NOT_COLLECT_ACCT

Enumerated

2058

Juniper-State-ID

2636

JSRC, PTSP

Specifies the value assigned to each synchronization cycle for the purpose of identifying which messages to discard. All solicited requests containing the same Juniper-State-ID belong to the same Session-Resource-Query (SRQ) synchronization cycle. Messages from a previous synchronization cycle are discarded. When a new cycle begins, the value of the Juniper-State-ID AVP is increased by 1.

Note:

For solicited synchronization requests, the SRQ message contains the incremented Juniper-State-ID value. For unsolicited synchronization requests, the Session-Resource-Reply (SRR) message contains the incremented Juniper-State-ID value.

Unsigned32

2100

Juniper-Virtual-Router

2636

Gx-Plus, JSRC

Specifies the name of the virtual router associated with the session.

UTF8String

2101

Juniper-Provisioning-Source

2636

Gx-Plus

Specifies the provisioning source for the session in CCR-N and JSDA messages:

  • 1—Local

  • 2—Remote

Enumerated

2102

Juniper-Provisioning-Descriptor

2636

Gx-Plus

Defines the group used in JSDA messages that includes the session ID, and optionally Juniper-Provisioning-Source and subscriber data.

Grouped

2103

Juniper-Event-Type

2636

Gx-Plus

Communicates the event type in JSER messages:

  • 1–Cold boot; all sessions are lost

  • 2—Warm boot; sessions are preserved

  • 3—Discovery requested by the operator

  • 4—Are you there? (AYT); application level ping sent when the notification is due to no response or an erroneous response from the PCRF, or due to a configuration change.

  • 5—AWD; application-level watchdog sent by the router when there has been no other activity for 15 seconds. The watchdog is sent every 5 seconds unless preempted by higher-priority synchronization event.

Enumerated

2104

Juniper-Discovery-Descriptor

2636

Gx-Plus

Defines the group used in JSDR and JSDA messages that includes parameters of a discovery request: discovery type, request string, verbosity, max results.

Grouped

2105

Juniper-Discovery-Type

2636

Gx-Plus

Specifies the discovery subcommand for JSDR and JSDA messages:

  • 1—Exact: look up the data for the specified session.

  • 2—Bulk: Provide get-bulk kinds of information after the specified string.

  • 3—Done: Stop retries for all sessions up to the specified session.

Enumerated

2106

Juniper-Verbosity-Level

2636

Gx-Plus

Specifies the verbosity level for JSDR and JSDA messages:

  • 1—Summary; include only the Session-Id AVP.

  • 2—Brief; include the Session-Id, Juniper-Virtual-Router, and Framed-IP-Address AVPs.

  • 3—Detail; include the Session-Id, Juniper-Provisioning-Source, Juniper-Virtual-Router, Framed-IP-Address, and Event-Timestamp AVPs.

    4—Extensive; include all available session information.

Enumerated

2107

Juniper-String-A

2636

Gx-Plus

Specifies a generic string that is interpreted according to the context.

UTF8String

2108

Juniper-String-B

2636

Gx-Plus

Specifies a generic string that is interpreted according to the context.

UTF8String

2109

Juniper-String-C

2636

Gx-Plus

Specifies a generic string that is interpreted according to the context.

UTF8String

2110

Juniper-Unsigned32-A

2636

Gx-Plus

Specifies a generic, unsigned 32-bit integer that is interpreted according to the context.

Unsigned32

2111

Juniper-Unsigned32-B

2636

Gx-Plus

Specifies a generic, unsigned 32-bit integer that is interpreted according to the context.

Unsigned32

2112

Juniper-Unsigned32-C

2636

Gx-Plus

Specifies a generic, unsigned 32-bit integer that is interpreted according to the context.

Unsigned32

2200

Juniper-IPv6-Ndra-Prefix

2636

JSRC

If available in the subscriber’s session database IPv6Prefix entry, this AVP is included in AAR provisioning request messages sent to the SAE.

This AVP is used only when you enable JSRC dual-stack support.

IPv6Prefix

2201

Juniper-Framed-IPv6-Netmask

2636

JSRC

If available in the subscriber’s session database IPv6Address entry, this AVP is included in AAR provisioning request messages sent to the SAE.

This AVP is used only when you enable JSRC dual-stack support.

IPv6Address

2202

Juniper-Agent-Circuit-Id

2636

JSRC

Identifies the subscriber by access node and subscriber line. If available in the subscriber's session database entry, this AVP is included in AAR provisioning request messages sent to the SAE.

This AVP is used only when you enable JSRC dual-stack support.

OctetString

2203

Juniper-Agent-Remote-Id

2636

JSRC

Identifies the subscriber on the access node. If available in the subscriber's session database entry, this AVP is included in AAR provisioning request messages sent to the SAE.

This AVP is used only when you enable JSRC dual-stack support.

OctetString

2204

Juniper-Acct-IPv6-Input-Octets

2636

JSRC

Number of IPv6 octets received on the interface. This AVP is included in ACR accounting request messages sent to the SAE, even when the value is zero.

This AVP is used only when you enable JSRC dual-stack support.

Unsigned64

2205

Juniper-Acct-IPv6-Output-Octets

2636

JSRC

Number of IPv6 octets sent on the interface. This AVP is included in ACR accounting request messages sent to the SAE, even when the value is zero.

This AVP is used only when you enable JSRC dual-stack support.

Unsigned64

2206

Juniper-Acct-IPv6-Input-Pkts

2636

JSRC

Number of IPv6 packets received on the interface. This AVP is included in ACR accounting request messages sent to the SAE, even when the value is zero.

This AVP is used only when you enable JSRC dual-stack support.

Unsigned64

2207

Juniper-Acct-IPv6-Output-Pkts

2636

JSRC

Number of IPv6 packets sent on the interface. This AVP is included in ACR accounting request messages sent to the SAE, even when the value is zero.

This AVP is used only when you enable JSRC dual-stack support.

Unsigned64

Tekelec AVPs are used only for Gx-Plus. These AVPs have an enterprise number of 21274. Table 4 lists the Tekelec AVPs. These four variables are used to provide substitution values for user-defined CoS service variables.

Table 4: Tekelec Diameter AVPs

Attribute Number

Diameter AVP

Application

Description

Type

5555

Tekelec-Charging-Rule-Argument-Name

Gx-Plus

Defines the name of the service variable to be replaced.

OctetString

5556

Tekelec-Charging-Rule-Argument-Value

Gx-Plus

Defines the value of the service variable to be replaced.

OctetString

5557

Tekelec-Charging-Rule-Argument

Gx-Plus

Defines the substitution attributes used to replace service variables. Includes Tekelec-Charging-Rule-Argument-Name AVP (5555) and Tekelec-Charging-Rule-Argument-Value AVP (5556).

Grouped

5558

Tekelec-Charging-Rule-With-Arguments

Gx-Plus

Requests the installation of the rule (activation of the service) designated by the included Charging-Rule-Name AVP (1005). Requested service variable substitutions are provided by the optionally included Tekelec-Charging-Rule-Argument AVP (5557).

Grouped

Configuring Diameter

You configure Diameter by specifying the endpoint origin, the remote peers, the transport layer connection, and network elements that associate routes with peers. Only the master Diameter instance is currently supported. You can configure alternative values for this Diameter instance only in the context of the default routing instance.

To configure Diameter base protocol:

  1. Configure the origin realm and origin host of the Diameter instance.
  2. Configure the Diameter peers.
  3. (Optional) Configure the Diameter transport layer elements.
  4. (Optional) Configure the Diameter network elements.
  5. (Optional) Configure trace options for troubleshooting the configuration.

Configuring the Origin Attributes of the Diameter Instance

You can configure the identifying characteristics of the endpoint node that originates Diameter messages for the Diameter instance. The hostname is supplied as the value for the Origin-Host AVP by the Diameter instance. The realm is supplied as the value for the Origin-Realm AVP by the Diameter instance.

To configure the origin attributes for a Diameter instance:

  1. Specify the name of the host that originates the Diameter message.
  2. Specify the realm of the host that originates the Diameter message.

Configuring Diameter Peers

You can configure the peers to which Diameter sends messages. Diameter uses the default logical system and routing instance. Port 3868 is used for active connections to peers by default.

To configure a remote peer for a Diameter instance:

  1. Specify the name of the Diameter peer.
  2. Specify the IP address of the Diameter peer. Starting in Junos OS Release 17.3R1, both IPv4 and IPv6 addresses are supported.
    Note:

    You must configure the same address family type for the peer and the corresponding local Diameter transport connection.

  3. (Optional) Specify a routing instance, a logical system, or a logical system and routing instance for the Diameter peer.
  4. (Optional) Specify the port that Diameter uses for active connections to the peer.
  5. (Optional) Specify the transport that Diameter uses for active connections to the peer.
  6. (Optional) Specify the name of the peer host and the name of the peer realm.
    Note:

    You must specify both the host and realm for the peer origin.

  7. (Optional) Include the Origin-State attribute-value pair (AVP) for the Diameter peer in Diameter base protocol-level messages to enable monitoring of changes in the AVP value.

For example, the following configuration for peer p3 specifies an IPv4 address, the routing instance ri8, destination port 49152, transport t6, an origin of host 1 in example.com, and includes the Origin-State AVP in messages.

Configuring the Diameter Transport

You can configure one or more transports for a Diameter instance to set the IPv4 or IPv6 address for the local connection, and optionally configure a logical system or routing instance context. Diameter uses the default logical system and routing instance. The logical system and routing instance for the transport connection must match that for the peer, or a configuration error is reported. Multiple peers can share the same transport.

To configure a transport for a Diameter instance:

  1. Configure the transport name.
  2. Configure the local IP address for the Diameter local transport connection. Starting in Junos OS Release 17.3R1, both IPv4 and IPv6 addresses are supported.
    Note:

    The address family must match that for the remote Diameter peer.

  3. (Optional) Configure a logical system and optionally a routing instance for the transport.
  4. (Optional) Configure a routing instance for the transport.

For example, the following configuration for transport t1 specifies an IPv6 address, logical system ls5, and routing instance ri10.

Configuring Diameter Network Elements

A Diameter network element (DNE) consists of associated applications (called functions in the CLI), a list of prioritized peers, and a set of forwarding rules. The forwarding rules define individual routes through a set of associated destinations, applications, and metrics. At least one DNE must be configured per chassis to start the Diameter process (jdiameterd).

Before you configure Diameter network elements, perform the following task:

To configure a Diameter network element:

  1. Specify the name of the network element.
  2. (Optional) Associate one or more applications with the network element. All applications are associated by default.
  3. Associate a Diameter peer with the network element and set the priority for the peer.
  4. Specify a route that is reachable through the network element based on the forwarding rules that you define.
  5. Specify a metric for the route.
  6. (Optional) Associate the route with a destination host and realm.
  7. (Optional) Specify an application associated with the route.
  8. (Optional) Specify the realm of the network element origin and optionally also specify the name of the element host.
    Note:

    Only the realm name is required.

Example: Configure S6a Application

This example shows how to configure diameter-based authentication S6a application on your SRX Series Firewall to retrieve authentication information from the subscriber server.

Requirements

This example uses the following hardware:

  • Any SRX Series Firewall

Before you begin, read Diameter Base Protocol Overview.

Overview

In this example, You create S6a partition and specify the endpoint origin, the remote peers, and the network elements that associate routes with peers to control diameter forwarding of S6a messages. You also create S6a partition to Only the master Diameter instance is currently supported. You can configure alternative values for the master Diameter instance only in the context of the default routing instance.

Configuration

Configure Access Profile and Diameter Application Parameters

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure access profile and diameter application parameters:

  1. Specify the access profile to use for authentication order.

  2. Specify the order in which authentication methods are used.

  3. Create the partition or specify the name of an existing partition.

  4. Configure the destination realm for the s6a partition.

  5. Configure the destination host for the s6a partition.

  6. Specify the Diameter instance for the s6a partition.

    Note:

    Currently, only the default Diameter instance, master, is supported.

  7. Set a limit on the number of outstanding requests.

  8. Configure the amount of time in seconds before the s6a stops attempting to send a subscriber logout message.

  9. Include the name of the realm that originates the Diameter message.

  10. Include the name of the host that originates the Diameter message.

  11. Specify the name of the network element.

  12. Associate a Diameter peer with the network element.

  13. Set the priority for the peer.

  14. Specify a route that is reachable through the network element based on the forwarding rules that you define.

  15. Specify a metric for the route.

  16. Specify the IP address of the Diameter peer.

  17. Specify the port that Diameter uses for active connections to the peer.

Results

From configuration mode, confirm your configuration by entering the show access and show diameter commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configure Redundant Ethernet Interfaces

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure redundant Ethernet interfaces:

  1. Configure redundant Ethernet interfaces.

Results

From configuration mode, confirm your configuration by entering the show interfaces command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configure Security Zones and Security Policies to permit the S6a Diameter Application

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure security policies and zones:

  1. Set system services and protocols on reth1.0 interface.

  2. Set system services and protocols on reth0.0 interface.

  3. Configure the security policies.

Results

From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying the S6a Status

Purpose

To confirm that the configuration is working properly, perform these tasks:

Action

From operational mode, enter the show network-access s6a state, show network-access s6a statistics, and show network-access s6a statistics extensive commands to check the network access state and statistics of s6a application.

Meaning

The show network-access s6a state, show network-access s6a statistics, and show network-access s6a statistics extensive commands shows the S6a application state and the statistics of the retrieved authentication information from the subscribed server.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
17.3R1
Starting in Junos OS Release 17.3R1, both IPv4 and IPv6 addresses are supported.
17.3R1
Starting in Junos OS Release 17.3R1, both IPv4 and IPv6 addresses are supported.
13.1R1
Starting in Junos OS Release 13.1R1, the packet-triggered subscribers and policy control (PTSP) feature is no longer supported.
13.1R1
Starting in Junos OS Release 13.1R1, the packet-triggered subscribers and policy control (PTSP) feature is no longer supported.
13.1R1
Starting in Junos OS Release 13.1R1, the packet-triggered subscribers and policy control (PTSP) feature is no longer supported.