Authentication is a major function of the HSS/AuC. AIR/AIA is the first message pair exchanged on the s6a/s6d interface between the MME/SGSN and the HSS during the very first attach procedure. Here the MME/SGSN asks the HSS for authentication credentials, usually called Authentication Vectors, to authenticate and authorize the subscriber.
As we know, the MME uses EPS authentication vectors and the SGSN can ask for UMTS or GERAN authentication vectors, while a combined MME/SGSN can ask for all kinds of authentication vectors in a single request. The MME/SGSN shall tell the HSS the number of authentication vectors it needs, generally between 1 and 5; if this information is missing, the HSS shall send one authentication vector to the MME.
AVP structure used by MME to ask for EPS vectors
Requested-EUTRAN-Authentication-Info ::= <AVP header: 10415>
[ Number-Of-Requested-Vectors ]
[ Immediate-Response-Preferred ]
[ Re-synchronization-Info ]
AVP structure used by SGSN to ask for UTRAN/GERAN vectors
Requested-UTRAN-GERAN-Authentication-Info ::= <AVP header: 10415>
[ Number-Of-Requested-Vectors ]
[ Immediate-Response-Preferred ]
[ Re-synchronization-Info ]
A combined MME/SGSN can use the "Immediate-Response-Preferred" AVP to tell the HSS which authentication vectors it needs urgently; the other type of vectors can be sent in the same response, but they are optional. For example, if the combined node sends "Immediate-Response-Preferred" in the Requested-EUTRAN-Authentication-Info AVP, then the HSS must send EUTRAN authentication vectors. The HSS may also send GERAN/UTRAN vectors, but they are optional; it is entirely up to the HSS whether to send them, because they will not be consumed immediately by the combined node.
Generally there is a time period on the MME/SGSN side during which vectors, if more than one has been downloaded, are treated as fresh. After that time has elapsed, the vectors are treated as stale and shall be deleted by the MME.
The MME/SGSN can send "Re-synchronization-Info" if there is a sequence number mismatch at the UE end; the whole scenario is discussed in the following article.
Re-synchronization Failure
The HSS generates the response after processing the request and sends the AIA.
GERAN vectors are generated by the HSS as discussed in Article
The HSS sends the GERAN vector in the following AVP
GERAN-Vector ::= <AVP header: 1416 10415>
[ Item-Number ]
{ RAND }
{ SRES }
{ Kc }
UTRAN vectors are generated by the HSS as discussed in Article
[UMTS - 3G] UTRAN Authentication Procedure
The HSS sends the UTRAN vector in the following AVP
UTRAN-Vector ::= <AVP header: 1415 10415>
[ Item-Number ]
{ RAND }
{ XRES }
{ AUTN }
{ Confidentiality-Key }
{ Integrity-Key }
EUTRAN vectors are generated by the HSS as discussed in Article
The HSS sends the EUTRAN vector in the following AVP
E-UTRAN-Vector ::= <AVP header: 1414 10415>
[ Item-Number ]
{ RAND }
{ XRES }
{ AUTN }
{ KASME }
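The E-UTRAN-Vector layout above, as an added example (not code from this blog or from any HSS/MME product): Python that encodes and decodes the grouped AVP in Diameter wire format, rejects truncated or incomplete vectors, and compares the UE's RES with XRES in constant time. The member AVP codes and value lengths are taken from the 3GPP specifications rather than from this page, the function names are hypothetical, and the sample bytes are constructed.

```python
import hmac
import struct

VENDOR_3GPP = 10415
# 1414 is given on the page; member codes and value lengths (bytes) are from the 3GPP specs.
E_UTRAN_VECTOR, ITEM_NUMBER = 1414, 1419
RAND, XRES, AUTN, KASME = 1447, 1448, 1449, 1450
LENGTHS = {RAND: (16, 16), XRES: (4, 16), AUTN: (16, 16), KASME: (32, 32)}

def encode_avp(code, data, flags=0xC0):
    """Vendor-specific AVP: code, flags (V+M), 24-bit length, Vendor-ID, data, padding."""
    length = 12 + len(data)
    head = struct.pack("!IB3sI", code, flags, length.to_bytes(3, "big"), VENDOR_3GPP)
    return head + data + b"\x00" * (-length % 4)

def decode_avps(buf):
    """Yield (code, vendor_id, data) for each AVP in buf, rejecting malformed lengths."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, pos)
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        hdr = 12 if flags & 0x80 else 8  # V flag adds a 4-byte Vendor-ID
        if length < hdr or pos + length > len(buf):
            raise ValueError("AVP length out of bounds")
        vendor = struct.unpack_from("!I", buf, pos + 8)[0] if flags & 0x80 else 0
        yield code, vendor, buf[pos + hdr:pos + length]
        pos += (length + 3) & ~3  # skip padding to the next 4-byte boundary

def parse_eutran_vector(avp):
    """Decode one E-UTRAN-Vector and check that every mandatory member is well formed."""
    (code, vendor, body), = decode_avps(avp)
    if (code, vendor) != (E_UTRAN_VECTOR, VENDOR_3GPP):
        raise ValueError("not an E-UTRAN-Vector")
    members = {c: d for c, v, d in decode_avps(body) if v == VENDOR_3GPP}
    for c, (lo, hi) in LENGTHS.items():
        if c not in members or not lo <= len(members[c]) <= hi:
            raise ValueError(f"missing or bad-length member AVP {c}")
    return members

def res_matches(res, vector):
    """MME-side check of the UE's RES against XRES, in constant time."""
    return hmac.compare_digest(res, vector[XRES])

# Constructed sample values, not real key material.
SAMPLE = encode_avp(E_UTRAN_VECTOR, b"".join(encode_avp(c, d) for c, d in [
    (ITEM_NUMBER, struct.pack("!I", 1)), (RAND, bytes(range(16))),
    (XRES, b"\xaa" * 8), (AUTN, b"\xbb" * 16), (KASME, b"\xcc" * 32)]))
```
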
Usage of OP/OPc and Transport Key in the authentication procedure is explained in the following article
Your comments, suggestions and questions are always welcome; we shall clarify to the best of our knowledge. So feel free to ask questions.
Thanks for your valuable help
We appreciate your support.
Thanks for your valuable time.
Team-Diameter
Hi,
When SGSN asks for UTRAN/GERAN vectors from HSS, how does HSS know whether to respond with UTRAN or GERAN vectors? Why would a 2G/3G SIM be hosted on a HSS? Shouldn't the SGSN use SS7 MAP Gr interface for the 2G/3G SIMs and only S6d for the 4G?
Thanks
What about those cases in which eNodeB is receiving data from BTS i.e. 4G->3g or 2G failover over radio services but at backend only LTE is supported for all the subscriber. It can be the cases where LTE coverage is not supported but subscriber has taken LTE connection.
Each AVP should have the "AVP code" that has to recognise the type of info that it has to contain... you just check the S6 spec for that info.
I have a similar question. I've got an AIR with Requested-UTRAN-GERAN-Authentication-Info because the Attach came from IuPS.
But the HSS is rejecting with a Failed AVP.
What would be the reason?
Note that if the Attach is coming from S1, then I've got an AIR with Requested-EUTRAN-Auth-Info, then no problem
Can anybody please share the LTE attach (s6a/s6d) process in detail. Mail Id : parthapratim.hazra@gmail.com
Hi
Following link might help you.
http://diameter-protocol.blogspot.in/2012/07/s6as6d.html
Thanks for your query.
Happy to help you again.
Team-Diameter
Hi,
Can anybody help me by explaining: when the MME sends an AIR request to the HSS and the HSS responds back to the MME in the AIA, the MME then sends the UE an Authentication Challenge Request, and the UE responds back with an Authentication Challenge Answer. In the UE's case, the UE sends its answer in "RES" and the MME has XRES, OK. I have seen in traces that the values are different. I am just confused about it; please help me to solve my query.
Hi Sanjeev,
UE sends (RES) to MME and then MME compares (RES) with (XRES) [i.e. XRES received from HSS in AIA].
If both RES and XRES are equal then authentication is successful.
In a Diameter error answer message, what are all the AVPs that will be present?
Hi Stanley Paul,
AIA in error case will contain experimental result code AVP
Following links will help you
http://diameter-protocol.blogspot.in/2012/10/result-code-and-experimental-result-code.html
http://diameter-protocol.blogspot.in/2012/10/list-of-experimental-result-codes.html
hello
I'm curious about LTE roaming restriction: why doesn't HSS consider VPLMN-ID in AIR instead of ULR?
Because in AIR also have this VPLMN-ID as mandatory?
Hi songkram tientong
HSS considers VPLMN-ID for authentication; VPLMN-ID is used for PLMN-based authentication, to generate KASME for the considered PLMN.
For roaming restriction ULR is used because there may be the case of Limited-Restriction, i.e. only a few services (limited services) are allowed to be used by the user in that PLMN (you can check HPLMN_ODB and ODB); then only that data is downloaded to MME. Therefore authentication is a must for that PLMN to initiate ULR and receive ULA with only limited data.
Hope it suffices your query.
Happy to help you again.
Team-Diameter
Can someone explain to me, how authorization is performed in s6a?
What should the MME behavior be when no response is received from HSS for AIR during the initial attach procedure?
Should MME retry the S6a procedure OR start a timeout & reject the attach request (no retry on S6a)?
Hi Amit,
MME should retry to send AIR depending upon operator's policy on retry. It is usually the operator's call on network policies in failure case.
Thanks for your query.
Happy to help you again.
Team-Diameter
Requested-EUTRAN-Authentication-Info is rejected by HSS with DIAMETER_AUTHORIZATION_REJECTED (5003). There is no specific information in the message. What could be the reason HSS is rejecting the request.
Hi Baskaran,
Ref: 3GPP 29.272
If the AuC is unable to calculate any corresponding AVs due to unallowed attachment for the UE, e.g. the UE is attaching via E-UTRAN with a SIM card equipped, the HSS shall return an error DIAMETER_AUTHORIZATION_REJECTED,
Means you are trying to do something that is not ideal in that tracking area. "No suitable cells in tracking area"
Thanks for your query.
Happy to help you again.
Team-Diameter