(Public) Build An Inexpensive Carrier-WiFi Network On Your Laptop With Magma (54dc60e7a v1.1)

US HEADQUARTERS
Campbell, CA
900 E Hamilton Avenue, Suite 650,
Campbell, CA 95008
+1-650-963-9828 Phone
+1-650-963-9723 Fax
Build an inexpensive
Carrier-WiFi network
on your laptop with
Magma
Wojciech Nawrot
Contributors:
Chandra Reddy Dodda
Denys Myrhorodskyi
Kishwar Hossain
2020-2022
© 2005–2022 All Rights Reserved www.mirantis.com Page 1

Table of contents
Table of contents 2
1 Introduction 7
2 Purpose of this document 8
3 Carrier-WiFi architecture 9
3.1 What is Carrier-WiFi? 9
Figure 1. Carrier-WiFi architecture 10
3.2 Carrier-WiFi Lab components 10
Figure 2. Carrier-WiFi Lab components 11
3.3 Software inventory 12
3.3.1 Orchestrator (Orc8r) 12
Figure 3. Orc8r overview 12
3.3.2 NMS 13
3.3.3 Carrier-WiFi Access Gateway (CWAG) 13
Pipelined 13
Sessiond 13
DPId 13
PolicyDB 13
Radiusd 13
Radius 14
Aaa_server 14
Control proxy 14
Magmad 14
Directoryd 14
Eventd 14
Td-agent-bit 14
Health checker 14
Redirectd 15
3.3.4 Federation Gateway (FEG) 15
session_proxy 15
swx_proxy 15
3.3.5 Home Subscriber Server (HSS) 16
3.3.6 Policy and Charging Rules Function (PCRF) 16
3.3.7 Online Charging System (OCS) 16

3.4 Hardware specifications 16
Figure 4. Physical network setup 18
3.5 High-level user flows 19
3.5.1 User Authentication/Attach flow 19
Figure 5. User Authentication / Attach flow 20
3.5.2 User Data flow 21
Figure 6. User Data flow 21
3.6 USIM-based authentication and authorization - deep dive 22
3.6.1 EAP-AKA and MILENAGE 22
Figure 7. MILENAGE overview 23
3.6.2 Message flow 24
Figure 8. USIM-based authentication and authorization 25
Step 1 25
Step 2 26
Step 3 26
Step 4 26
Step 5 26
Step 6 27
Step 7 27
Step 8 28
Step 9 29
Step 10 30
Step 11 31
Step 12 32
Step 13 33
Step 14 33
Step 15 33
Step 16 33
Step 17 34
Step 18 34
Step 19 35
Step 20 35
4 Carrier-WiFi Lab deployment 37

4.1 Reference Lab diagram 37
Figure 9. Reference Lab diagram 37
4.2 UE setup 37
4.2.1 Programming USIM cards 38

Figure 10. USIM parameters 38
USIM parameters summary 39
4.2.2 Configuring WiFi profiles 40
4.2.2.1 Android 40
4.2.2.2 IOS 41
4.3 Configuring Cisco Access Point 49
4.3.1 AP lightweight to autonomous conversion (optional) 49
4.3.2 AP command set 51
4.4 Collecting Mac OS tooling for Magma 56
4.4.1 Pyenv, python, pip and python packages 56
4.4.2 Docker Desktop for Mac 57
4.4.3 Virtualbox for Mac 58
4.4.4 Vagrant 59
4.5 Cloning and checking out Magma repository 59
4.6 Deploying Orc8r 60
4.7 Deploying NMS and creating networks for FEG/CWAG 63
4.8 Deploying FEG 68
4.9 Deploying CWAG 93
4.10 Deploying FreePCRF 109
4.11 Creating data plans 115
4.11.1 Data plans summary and relevant configuration items 116
4.11.2 Define Subscribers (FreePCRF HTTP - Subscriber Management Interface)
118
4.11.3 Define Services (FreePCRF HTTP - SPR Configuration Interface) 119
4.11.4 Assign Services to Subscribers (FreePCRF HTTP - Subscriber
Management Interface) 120
4.11.5 Create Accumulator Schemes (FreePCRF CLI) 121
4.11.6 Add Accumulator information (FreePCRF CLI) 123
4.11.7 Assign Accumulators to Subscribers (FreePCRF HTTP - Subscriber
Management Interface) 123
4.11.8 Verify subscriber settings (FreePCRF MiniCRM) 124
4.11.9 Configure Policies (rules.xml) 126
4.11.10 Configure Policy selection in Policy Engine (engine.lua) 129
4.11.11 Add missing configuration items in PCEF (CWAG) 132
5 Carrier-WiFi in action 137

5.1 Preliminary steps 137
5.2 Testing “200MB per Week” data plan 139

5.3 Testing “Full Freedom Silver” data plan 152
5.4 Testing remaining data plans 157
5.5 CWAG metrics 157
5.6 FreePCRF metrics 159
6 To Dos 159
6.1 Enable FUA redirect 160
6.2 Application-based Internet access 160
6.3 AGW and eNodeB 160
7 Logging, debugging and troubleshooting 161

7.1 Orc8r 161
7.1.1 Errors and bugs 161
7.1.1.1 “400 Bad Request - No required SSL Certificate was sent” error when
entering https://localhost:9443/apidocs/v1/#/ in Firefox 161
7.2 NMS 161
7.3 FEG 161
7.3.1 Extended logging 162
7.3.2 Useful diagnostics commands 163
7.4 CWAG 163
7.4.1 Extended logging 163
7.4.3 Pipelined/OvS debugging 166
7.4.4.1 “c++: internal compiler error: Killed (program cc1plus)” 171
7.5 FreePCRF 171
7.5.2.1 No SSH or web access to FreePCRF VM on forwarded ports 172
7.5.2.2 No connection to mandatory Diameter peer
gx-mgm.magmalab.com:3870 173
7.6 Cisco Access Point 174
7.6.2 AP (Authenticator) log 175
7.6.3.1 AP sends Disconnect-NAK to CWAG instead of Disconnect-ACK 185
7.7 UEs 186
7.7.1 Collecting UE logs with Android Debug Bridge (ADB) 186
7.7.2 UE (Supplicant) log 187

7.7.3 ADB cheat sheet 191
8 Appendices 191
APPENDIX 1 - USIM Parameters 193
APPENDIX 2 - Suspend / resume Magma and FreePCRF 195
APPENDIX 3 - Access credentials 196
APPENDIX 4 - Collection of links 197
Magma 197
OvS, pipelined 198
QoS 198
VirtualBox 198
Cisco AP 198
802.1x, EAP-AKA, EAPoL, MILENAGE, USIMs, Diameter, SWx, Gx, Gy 201
Yota/Telexir FreePCRF 204

1 Introduction
Magma is an open-source software platform that gives Mobile Network Operators
(MNOs) an open, flexible and extendable mobile core network solution. It allows
MNOs to offer cellular service without vendor lock-in with a modern, open source
core network and enables operators who are constrained with licensed spectrum to
add capacity and reach by using WiFi.

2 Purpose of this document
The main purpose of this document is to provide detailed guidelines on how to
construct an affordable, fully functional Magma Lab enabling mobile users to access
the Internet with the use of Carrier-WiFi. Apart from providing the deployment
instructions, the document is also intended to fill an educational role in multiple
technical areas including USIM-based authentication/authorization procedures and
protocols (e.g. 802.1x/EAP-AKA, RADIUS, gRPC, Diameter), flow-based OvS datapath
and enforcement of policy decisions specified in Policy and Charging Control (PCC)
rules, creation of subscriber data plans, troubleshooting, and many, many more.

3 Carrier-WiFi architecture
3.1 What is Carrier-WiFi?
Carrier-WiFi is the deployment of a large number of WiFi Access Points in dense
geographic areas by a cellular carrier in order to augment its cell phone network. All
mobile devices have WiFi, and the capability of offloading cellular traffic to WiFi
eliminates cellular congestion. The cellular carrier may also be able to generate
additional revenue with a WiFi hotspot plan added on top of the regular LTE data
plan.
Phones switch from LTE to WiFi automatically if the carrier’s WiFi network is
detected. They authenticate with the carrier’s USIM card and access the Internet
according to data plan-specific Policy and Charging Control (PCC) rules. A phone is
disconnected from the WiFi network (or the Internet slows down) if the subscriber's
data pack for a specific validity period is exhausted. However, for some traffic
categories, data usage tracking can be disabled so that specific apps such as
Facebook or WhatsApp can be used totally free of charge.
A high-level architecture of the Magma Carrier-WiFi solution integrated with WLAN

access network and an MNO’s core elements is shown in the diagram below:

Figure 1. Carrier-WiFi architecture
3.2 Carrier-WiFi Lab components

Hardware and software components used in the Lab are shown in the diagram
below:

Figure 2. Carrier-WiFi Lab components
As opposed to typical Magma deployments with eNodeBs and Access Gateways

(AGW) implementing Evolved Packet Core (EPC), a Carrier-WiFi Lab doesn’t require
expensive LTE RAN equipment operating in licensed spectrum to connect an
end-user. Instead, a pre-owned, affordable, enterprise-class WiFi Access Point with
802.1x/EAP-AKA, CoA and L2GRE support can be used. Other hardware peripherals
required for the Lab include blank USIM cards, Android/IOS phones (UEs) and a
regular home wired NAT router (see 3.4 Hardware specifications for details).
Remaining, crucial Lab components listed below will be implemented as Docker

Desktop containers or VirtualBox VMs running on the top Mac Operating System:
● Magma - Orchestrator (Orc8r) [Docker Desktop@MacOS],

● Magma - Network Management System (NMS) [Docker Desktop@MacOS],
● Magma - Carrier-WiFi Access Gateway (CWAG) [VirtualBox@MacOS],
● Magma - Federation Gateway (FEG) [VirtualBox@MacOS],
● Carrier’s core - Home Subscriber Server (HSS) [Docker@VirtualBox@MacOS],
● Carrier’s core - Policy and Charging Rules Function (PCRF)
[VirtualBox@MacOS].
Refer to the next chapter for description of respective software components and
subcomponents.
3.3 Software inventory

3.3.1 Orchestrator (Orc8r)
Orc8r is a centralized controller for a set of networks. It handles the control plane for
various types of gateways in Magma. Its functionality is composed of two primary
subcomponents:
● A standardized, vendor-agnostic northbound REST API which exposes
configuration and metrics for network devices,
● A southbound interface which applies device configuration and reports device
status.
Figure 3. Orc8r overview

Orc8r supports:
● Network entity configuration (networks, gateway, policies, etc.)
● Metrics querying via Prometheus and Grafana
● Event and log aggregation via Fluentd and Elasticsearch Kibana
● Config streaming for gateways, policies, etc.
● Device state reporting (metrics and status)
● Request relaying between Access Gateways and Federated Gateways
3.3.2 NMS
Magma’s NMS provides a single pane of glass for managing Magma based networks.
NMS provides the ability to configure gateways, visibility into status, events and
metrics observed in these networks; and the ability to configure and receive alerts.
3.3.3 Carrier-WiFi Access Gateway (CWAG)

CWAG terminates L2GRE tunnels from WiFi Access Points, participates in user
authentication, and provides Internet access to UEs through the OvS datapath
according to static and/or dynamic PCC rules.
The CWAG VM comprises Open vSwitch, which is used to implement basic PCEF
functionality for user plane traffic as well as the following services running inside
Docker containers:
Pipelined
Pipelined is the control application that programs the OvS OpenFlow rules. Pipelined
is a set of services that are chained together.
Sessiond
Sessiond implements the control plane for the PCEF functionality in Magma. It is
responsible for the lifecycle management of the session state (credit and rules)
associated with a user. It interacts with the PCEF datapath through pipelined for
L2-L4 and DPId for L4-L7 policies.
DPId
DPId is a deep packet inspection service to enforce policy rules.
PolicyDB
PolicyDB is the service that supports static PCRF rules. This service runs in both the
CWAG and the Orc8r. Rules managed through the REST API are streamed to the
PolicyDB instances on the CWAG. Sessiond ensures these policies are implemented
as specified.

Radiusd
Radiusd is the service which fetches metrics from the running radius server and
exports them.
Radius
Radius is a service which exchanges encapsulated EAP-RADIUS and accounting
messages with a WiFi Access Point (802.1x Authenticator).
Aaa_server
The 3GPP AAA server provides USIM-based EAP-AKA authentication, authorization
and policy control to the packet gateway for 3GPP WiFi access.
Control proxy
The control proxy manages the network transport between gateways and the Orc8r.
It also provides the following functionality:
● Abstract service addressing by providing a service registry, mapping a
user-addressable name to its remote IP and port.
● Push all traffic over HTTP/2, encrypted using TLS. The traffic is routed to
individual services by encoding the service name in the HTTP/2 authority
header.
● Individual gRPC calls between a gateway and the controller are multiplexed
over the same HTTP/2 connection, avoiding connection setup time per RPC
call.
Magmad
Parent service to start all Magma services, owns the collection and reporting of
metrics of services, and also acts as the bootstrapping client with Orc8r.
Directoryd
Lookup service that provides the ability to push different keys and attribute pairs for
each key. Commonly used keys include subscriber ID and session ID.
Eventd
Service that acts like an intermediary for different Magma services, using the
service303 interface. It receives and pushes the generated registered events to the
td-agent-bit service on the gateway, so these can be then later sent to the Orc8r.
These events will be sent to Elasticsearch, where they can be queried.
Td-agent-bit
Enables log aggregation and event logging, where it takes input from syslog and the
events service and forwards the output to the Orc8r. It is received on the Orc8r by
Fluentd then stored in Elasticsearch.

Health checker
The health checker service verifies the state on sessiond and pipelined and cleans
the corrupt state if necessary.
Redirectd
Redirectd is a service which supports FUA (Final Unit Action) redirection for users
whose service units have been exhausted.
3.3.4 Federation Gateway (FEG)

The Federated Gateway (FEG) provides remote procedure call (gRPC) based
interfaces to standard 3GPP components, such as HSS (SWx), OCS (Gy), and PCRF
(Gx).
FEG supports the following features and functionalities:

● Hosting the centralized control plane interface towards HSS, PCRF, and OCS
on behalf of CWAG.
● Establishing Diameter connections with HSS, PCRF and OCS.
● Interfacing with CWAG over gRPC interface by responding to remote calls
from the AAA Server and Sessiond components, converting these remote calls
to 3GPP compliant messages, and then sending these messages to the
appropriate core network components, such as HSS, PCRF, and OCS. Similarly,
the FEG receives 3GPP compliant messages from HSS, PCRF, and OCS and
converts these to the appropriate gRPC messages before sending them to the
CWAG.
The key containerized services running on the Federated Gateway include:
session_proxy
The session_proxy service translates calls from gRPC to the Gx/Gy protocol between
CWAG and PCRF/OCS. It controls the session of each subscriber with the following
interfaces:
● Notifies the PCRF/OCS of a new session and returns rules associated with a
subscriber, along with credits for each rule.
● Updates the PCRF/OCS with each used credit and terminations from CWAG.
● Terminates the session in PCRF/OCS for a subscriber.
● Updates a monitor given its usage and session information.
● Processes QoS information.
● Creates a session request.
● Updates rules for each session.

swx_proxy
The swx_proxy service translates gRPC interface to SWx protocol between CWAG
(AAA Server) and HSS. The SWx interface is used when UE does non-3GPP access.
3.3.5 Home Subscriber Server (HSS)

The Home Subscriber Server (HSS) is a master user database that contains the
subscription-related information (subscriber profiles) and performs authentication
and authorization of the user. In the Lab environment basic (mock) HSS will be
implemented as a docker container running inside FEG VM.
3.3.6 Policy and Charging Rules Function (PCRF)

PCRF is a centralized policy decision point that deploys business policy and charging
rules to allocate broadband network resources and manages flow-based charges for
subscribers and services. PCRF pushes the rules down to the Policy and Charging
Enforcement Function (PCEF) using the 3GPP Gx protocol and online policy
interface. In the Lab environment, PCRF functionality will be provided using Yota
FreePCRF software launched on a dedicated VirtualBox VM.
Reference
Refer to Yota PCRF 3.6. Product Description.pdf for product architecture and
features.
3.3.7 Online Charging System (OCS)

OCS is a specialized communications function that allows a service provider to
charge a user for services in real-time. The OCS handles the subscriber’s account
balance, rating, charging transaction control, and correlation. With the OCS, a
telecom operator ensures that credit limits are enforced and resources are
authorized on a per transaction basis.
Decision
The OCS component is not mandatory for the Magma Carrier-WiFi solution to
work and will not be deployed in the Lab.
3.4 Hardware specifications

The list of hardware components required for the Lab and the physical network
setup are presented below.

1. MacBook Pro 15”
● 2,9 Ghz Quad Core Intel Core i7
● 16 Gigs of RAM
● 512 GB SSD
● MacOS 10.15.6
2. 2 x USB-C⟺ Ethernet adapter (Green Cell AK61).
3. WiFi Access Point

● Cisco AiroNet AIR-AP1142N-E-K9
● 48V PSU
● Image c1140-k9w7-mx.153-3.JD17 (autonomous mode)
Pre-owned bundle, price 65 PLN / ~17 USD
4. SIM card reader / writer:

● OYEITIMES MCR3516
● 5 x blank 4G LTE USIM card
● SIM Personalize Tools 3.1.18 software (Windows)
Price 73 PLN /~46 USD (Oct. 2020)

https://www.aliexpress.com/item/33042823324.html

5. UEs (mobile phones):
● Apple iPhone 7+ (IOS 14.2)
● Samsung Galaxy SM-G350 (Android 4)
● Huawei P smart 2019 (Android 10)
6. Home router:
● Ubiquiti ER-10X router
Figure 4. Physical network setup
Note
● Make sure that your Mac has at least 8 CPUs and 16 Gigs of RAM,

● For Internet access, any wired home/office router can be used (don’t use
Mac’s wireless interface to connect with the router),
● Magma Carrier-WiFi requires an enterprise-class Access Point supporting
802.1x/EAP-AKA authentication, CoA, and L2GRE features, which are
typically not offered by basic APs (check used Cisco AiroNet 1100, 2600 or
3500 series on eBay),
● Don’t try this with pre-programmed USIM cards from mobile operators.
They won’t work !
3.5 High-level user flows

There are primarily two user flows as part of the Carrier-WiFi solution, i.e.,
Authentication / Attach and User Data.
3.5.1 User Authentication/Attach flow

The User Authentication / Attach flow is shown in the diagram below:

Figure 5. User Authentication / Attach flow
● The EAP-AKA WiFi profile is configured manually or pushed to User

Equipment (UE) - see 4.2.2 Configuring WiFi profiles for details.
● The UE performs 802.1x EAP-AKA authentication via the WiFi Access Point to
which it is associated.
○ The UE is 802.1x Supplicant exchanges EAP-AKA messages with Radius
components in Carrier-WiFi Access Gateway (CWAG).
○ The Access Point acts as a Radius client (802.1x Authenticator) that
forwards the user’s EAP-RADIUS messages to CWAG (802.1x
Authentication Server).
● The CWAG eap_aka process (3GPP AAA) interacts with an emulated HSS
component (mock HSS) placed on FEG via the SWx diameter interface to fetch

user authentication parameters and thereby authenticate / authorize the user
for Carrier-WiFi offload service.
● As part of the attach procedure, the PCRF component is also contacted to
fetch subscriber policy/charging rules.
● Based on the outcome, a subscriber is either authorized on PCRF (as well as
HSS previously) and is allowed to latch on to the Carrier-WiFi SSID, or rejected
from connecting on the Carrier-WiFi SSID.
3.5.2 User Data flow

The User Data flow is shown in the diagram below:
Figure 6. User Data flow

● Should the HSS and PCRF authentication/authorisation be successful, the
subscriber goes through the DHCP DORA process and gets an IP address
from the DHCP server (home router) included in the Carrier-WiFi setup.
● As the Access Point can be connected to Carrier-WiFi setup over a routed
network (which is typical to production deployments), the L2GRE tunnel is
established between the AP and CWAG (OvS/pipelined). The AP is also
configured in bridge mode to create an L2 path between the user and CWAG.
This solution serves the following main purposes:
○ DHCP process - L2 broadcast,
○ Preserve user MAC addresses all the way to the CWAG - for user
authorization and analytics purposes.
● As depicted in the diagram above (see green lines), user traffic is encapsulated
inside an L2GRE tunnel all the way from the AP to the CWAG, and then exits to
the Internet via the home/office router. The subscriber previously performs
DHCP and ARP procedures through the same L2GRE tunnel.
● The CWAG decides to allow or block the user traffic based on the PCC rules
pushed by PCRF.
3.6 USIM-based authentication and authorization -

deep dive
3.6.1 EAP-AKA and MILENAGE
Extensible Authentication Protocol Method for UMTS Authentication and Key
Agreement (EAP-AKA) defined in RFC 4187, is an EAP mechanism for authentication
and session key distribution using the UMTS Subscriber Identity Module (USIM).
EAP-AKA is used by the Magma Carrier-WiFi solution for bi-directional

authentication, i.e., the Network authenticates UEs and UEs also authenticate that
Network. Authentication on both sides should be passed for the communication to
proceed.
There are three main components of the authentication process :

● Input Parameters
● Authentication Algorithm
● Output Values (computed by Authentication Algorithm using the Input
Parameters)

Both the UE and the Network use the same Input Parameters and the same
Authentication Algorithm (MILENAGE), so they both should produce the same
Output Values, otherwise authentication fails.
The illustration of the MILENAGE algorithm with Input and Output Parameters is
shown in the diagram below:
Reference: https://www.sharetechnote.com/html/Handbook_LTE_Authentication.html
Figure 7. MILENAGE overview
The configurable Input Parameters for the MILENAGE algorithm in the Carrier-WiFi
Lab include K, OP (and AMF 1) values, which are stored in USIM cards and in the HSS
service/subscriber config. OPc is derived from OP, Ek is derived from K, while the
other parameters are either pre-configured/hardcoded (c1-c5, r1-r5, SQN) or
1
Note that AMF is configurable only on the HSS side.

randomly generated (RAND).
The Output Parameters include:

1) AUTN (XAUTN) - Authentication Key (Expected Authentication Key)
2) RES (XRES) - Result (Expected Result)
3) IK - Session key for integrity check
4) CK - Session key for encryption
3.6.2 Message flow

Interaction between Magma Lab components shown in the message sequence
chart below is broken down into 20 steps detailed under the chart.
The provided description is based on Magma documentation, ETSI 3GPP
specifications, RFCs, technical articles, and most of all, the author’s own analysis of
logs and PCAPs captured from the CWAG, FEG, UE, Wi-FI Access Point, PCRF and
HSS.
The self-created message flow may be slightly inaccurate, but it is good enough for
the reader to get a general understanding of 802.1x/EAP-AKA authentication,
HSS/PCRF authorization, data usage reporting or user traffic encryption.

Figure 8. USIM-based authentication and authorization
Step 1
a. At the beginning of the 802.11 authentication and association process, the UE
scans all of the available frequencies in search of SSIDs to join. The UE sends
probe request frames which contain supported data rates and 802.11
capabilities. APs in proximity reply with probe response frames that contain
the SSID and BSSID.
b. When the UE finds an SSID that matches its configuration, it sends a null
authentication request (algorithm: Open System), after which the AP sends

an authentication response (the real authentication occurs after association
through 802.1x and EAP authentication mechanisms).
c. Once the null authentication frame exchange is successful, the association
request is initiated by the UE with capability information (data rates and
security settings). If both the UE and AP agree on the minimal capabilities to
join the BSS, the AP responds with an association response with status code
successful and provides the association ID to the UE.
After this process is completed, 802.11 data frames can be sent between the
UE and AP. These data frames are limited to 802.1x frames until the 802.1x/EAP
authentication is completed and successful.
Step 2
Once association is successful, EAP frame exchange is started by AP with the first
frame as EAP-Request/Identity frame. In this frame exchange AP is asking for identity
information from UE to start the authentication process with core network elements.
Step 3
On receiving the EAP identity request, UE responds with an EAP-Response/ Identity
frame, which includes the IMSI information to be used as user identity against which
the user will be authenticated by HSS. In identity “0” is used as a WLAN Identity
Prefix meaning that the authentication algorithm type is EAP-AKA and not EAP-SIM
or EAP-AKA'.
The EAP-Response/Identity from UE is sent by AP to AAA Server (CWAG) in the
Radius Access-Request packet.
Step 4
AAA Server responds to AP with a Radius Access-Challenge packet containing
EAP-Request/AKA-Identity message with AT_PERMANENT_ID_REQ attribute to
indicate that the server wants the peer to include permanent identity in the
AT_IDENTITY attribute of the EAP-Response/AKA-Identity message.
AP forwards the obtained EAP-Request to UE.

Step 5
UE responds to AP with an EAP-Response/AKA-Identity message containing the
requested AT_IDENTITY attribute. The message is then sent by AP to AAA Server in a
Radius Access-Request packet.
Step 6
AAA Server contacts FEG through gRPC and provides it with user identity, which is
further contained in MAR and SAR Diameter messages sent to HSS through SWx.
MAR (Multimedia Authentication Request) is a request for security information
{
"userName": "101012345678911",
"sipNumAuthVectors": 3,
"authenticationScheme": "EAP_AKA",
"resyncInfo": null,
"retrieveUserProfile": true
}
while SAR (Server Assignment Request) is a request for a non-3gpp user profile
(Server-Assignment-Type AVP set to AAA_USER_DATA_REQUEST).

Step 7
FEG responds to AAA Server through gRPC on receiving MAA (response to MAR) and
SAA (response to SAR) messages from HSS.
MAA (Multimedia Authentication Answer) contains authentication vector being a

combination of RAND and the Output Parameters computed by MILENAGE:
● RAND/AUTN - concatenated Random Number/Auth. key (256bit),

● XRES - Expected Result key (64bit),
● CK - Confidentiality key (128bit),
● IK - Integrity key (128bit).
"userName": "101012345678911",
"sipAuthVectors": [
{
"randAutn": "GO/KoWplNNCY4EV3Z6FnI5usLKhs1oAA6ttgGj3HA6M=",
"xres": "UOrLcSPTl9Y=",
"confidentialityKey": "M+hN2I29cZwXkXvFAJoToA==",
"integrityKey": "scHXKlKAf1rKZFwiYSM0vg=="
},
SAA (Server Assignment Answer) includes 3GPP-AAA-Server-Name AVP as well as

Non-3GPP-User-Data AVP containing among other things the information if a user
has non-3GPP subscription and is authorized to use non-3GPP access network or not
(Non-3GPP-IP-Access: NON_3GPP_SUBSCRIPTION_ALLOWED(0) /
NON_3GPP_SUBSCRIPTION_BARRED(1))
Reference
Refer to ETSI TS 129 273 "3GPP EPS AAA interfaces" as of page 112 for full SWx
description including procedures and messages.
At this point, AAA Server generates MK (Master Key) using UE identity and the CK / IK
values obtained from HSS as a part of authentication vector:
MK = SHA1(Identity|IK|CK)
The MK is then fed into a Pseudo-Random number Function (PRF), which generates
separate Transient EAP Keys (TEKs) for protecting EAP-AKA packets, as well as a
Master Session Key (MSK) for link layer security.

Step 8
AAA Server sends obtained RAND and AUTN values to AP as attributes of
EAP-Request/AKA-Challenge message inside the Radius Access-Challenge packet.
AP then forwards received EAP-Request message to UE.
Note that apart from RAND and AUTN there is additional MAC attribute included to
ensure authenticity of the message.
UE (USIM) leverages MILENAGE along with received RAND and locally stored Input
Parameters to compute XAUTN and RES values (in the same way the HSS computed
AUTN and XRES). Then it compares XAUTN and received AUTN to make sure they
match. If they do, the Network gets authenticated.
At this point UE generates keying material (MK, TEKs and MSK) in the same manner
as AAA Server did previously.
Step 9
UE sends back its RES to AP as an attribute of EAP-Response/AKA-Challenge
message which is forwarded to AAA Server in the Radius Access-Request packet.

Note that apart from RES and aforementioned MAC attribute, CHECKCODE is also
included as an additional protection.
Once AAA Server receives RES, it is compared with XRES previously obtained from
HSS. If both match, UE (USIM) gets authenticated.
Step 10
AAA Server contacts PCRF through gRPC/Gx in order to collect the Charging Rule
Definition comprising rule name/precedence, flow description, monitoring method,
Monitoring-Key, as well as Usage Monitoring Information including service units
granted for the UE, and the level of data usage monitoring. Requested information is
provided in the CCA-I (Credit Control Answer-Initial) message sent as a response to
CCR-I (Credit Control Request-Initial).

If the user has sufficient credits for the service, CCA-I’s result code is set to 2001
(Success), otherwise the authorization is rejected with result code 5003.
Reference
Refer to ETSI TS 129 212 "Policy and Charging Control (PCC)" for Gx protocol
description, including procedures, messages and related stuff.
Step 11
a. Upon unsuccessful authorization from PCRF, AAA Server sends EAP-Failure
message in Radius Access-Reject packet to AP, and the entire authentication
process for UE is restarted. The process will fail as long as no credits are
available for the user.

b. Upon successful authorization from PCRF, AAA Server responds to AP with a
Radius Access-Accept packet containing EAP-Success message. The
EAP-Success message is then forwarded to UE.
At this point the EAP-AKA full authentication procedure is complete but UE still can
not send/receive data over the wireless medium due to the lack of encryption keys
which need to be generated and installed at both UE and AP.
To start with encryption keys generation both UE and AP must possess the MSK. UE
already derived its MSK in step 8 while AP needs to obtain the MSK from AAA Server.
AAA Server sends the 64-byte MSK to AP inside the Radius Access-Accept packet in
which the EAP-Success message is contained. The MSK is broken down into two
32-byte keys; i.e. MS-MPPE-Recv-Key and MS-MPPE-Send-Key:
Step 12
Given that both UE and AP already have the same copy of MSK , the 4-way
handshake process can be started between Supplicant and Authenticator.
The products of 4-way handshake are Pairwise Transient Key (PTK) and Group
Temporal Key (GTK) used for encryption of unicast and multicast/broadcast traffic
respectively. The PTK/GTK keys are generated by some source key material (MSK ⇨
PMK/GMK), nonces (random numbers) and MAC addresses of UE and AP.
Once the 4-way handshake is completed successfully, UE gets associated, a virtual

control port which blocks all user traffic is open and traffic encrypted with AES-CCMP
starts to flow between UE and AP.
Reference

Refer to this article for a detailed description of the 4-way handshake process.
Step 13
AP sends Radius Accounting-Request (Acct-Status-Type: Start) packet to AAA Server
which is responded to by Radius Accounting-Response.
At the same time UE begins the DHCP DORA process with the router, obtains IP
address / default GW / DNS server and accesses the Internet according to OvS flows
obtained previously from PCRF within Charging Rule Definition (see Step 10).
Note that L2 traffic between AP’s SSID and CWAG (OvS) is encapsulated in GRE so
the entire data path between UE and router is L2.
Step 14
AP may periodically send interim Radius accounting updates (Acct-Status-Type:
Interim-Update) with UE’s data usage to AAA Server, but provided metrics are not
used for user’s quota management between PCEF (CWAG) and PCRF. They are used
for creating traffic graphs in NMS/Grafana and optionally e.g. for alerting (see RFC
2866 for Radius accounting details).
Step 15
UE data usage monitoring is performed on CWAG per each individual PCC rule and
reported to PCRF in Diameter CCR-U (Credit Control Request-Update) messages
sent through Gx interface. CCA-U contains used Input/Output/Total octets and a
Monitoring-Key associated with the rule.
PCRF responds to CCR-Us with CCA-Us (Credit Control Answer-Update) including the
Monitoring Key as well as a number of service units granted to the UE (typically small
value of e.g. 1MB).

Step 16
Every time PCRF receives a usage report it adds consumed service units to the
Accumulator associated with the Monitoring Key and checks if Accumulator value
has reached its maximum level (e.g. 100MB) defined in the Accumulator Scheme.
If the entire data pack for the UE/subscriber has been exhausted, PCRF sends
server-initiated Diameter RAR (Re-Auth Request) message to PCEF (CWAG) as per
RFC 6733 (page 109) and RFC 4006 (page 29) with Re-Auth-Request-Type:
RE_AUTH_AUTHORIZE_ONLY (0) and Session-Release-Cause:
UE_SUBSCRIPTION_REASON (1) AVPs:
The UE_SUBSCRIPTION_REASON (1) value is used to indicate that the subscription of

UE has changed (e.g. removed) and the IP-CAN session (an association between a UE
and an IP network) needs to be terminated.
PCEF (CWAG) removes respective PCC rules and responds to RAR with RAA (Re-Auth
Answer) and a result code of 2001 (Diameter Success).
Reference
Refer to ETSI TS 129 212 "Policy and Charging Control (PCC)" chapters 4.5.9 Request
of IP-CAN Session Termination and 5.3.44 Session-Release-Cause for details.
Step 17
PCEF (CWAG) sends the CCR-T (Credit Control Request-Termination) to PCRF to
indicate that the IP-CAN session is being terminated. The termination cause is
DIAMETER_LOGOUT(1).
PCRF responds to CCR-T with CCA-T (Credit Control Answer-Termination) and a
result code of 2001 (Diameter Success):

Step 18
AAA Server sends a Radius Disconnect-Request packet to AP in order to terminate a
user session on a NAS and discard all associated session context. The
Disconnect-Request packet sent to UDP port 3799 identifies the user session to be
terminated by inclusion of Calling-Station-Id (UE MAC address) and Acct-Session-Id
identification attributes (see RFC 3576).
Step 19
AP generates a Radius Accounting Stop packet (Acct-Status-Type: Stop) and sends
that to AAA Server, which replies with an acknowledgement that the packet has
been received (see RFC 2866).
Step 20
AP responds to a Radius Disconnect-Request packet sent by AAA Server with a
Radius Disconnect-ACK if all associated session context is discarded and the user
session is no longer connected.
After UE is deauthenticated and disassociated from the AP it will retry the entire
attach procedure from scratch, but the authentication will fail until a new credit pool
is available for the user at PCRF (it takes place when new validity period begins).

Reference
Refer to the PCAPs and logs below for better understanding of USIM-based
authentication and authorization
1) CWAG RADIUS pcap

2) FEG DIAMETER HSS/PCRF pcap*
3) FEG DIAMETER HSS/PCRF pcap (no credits available)*
4) PCRF DIAMETER pcap*
5) AP (Authenticator) log
6) UE (Supplicant) log
(*) To make Wireshark decode Diameter dialogue properly add 3868, 3870, 3901,
2901 TCP ports under Preferences ⇨Protocols ⇨ DIAMETER.
Use the Wireshark filter below to display relevant Diameter messages:

diameter.cmd.code==303 or diameter.cmd.code==301 or diameter.cmd.code==272 or diameter.cmd.code==258

4 Carrier-WiFi Lab deployment
4.1 Reference Lab diagram
The diagram below shows the IP addressing scheme for physical and virtual Lab
components to be deployed and illustrates how these components are accessed.
Figure 9. Reference Lab diagram
4.2 UE setup

4.2.1 Programming USIM cards
The reason for using blank USIM cards is the necessity of encoding some confidential
information which is inaccessible from preprogrammed real carrier USIMs.
This information comprises Ki and OP keys used by MILENAGE to compute Output
Parameters required in EAP-AKA authentication process, and leveraged to derive
TEKs and MSK.
Perform the following steps on a Windows PC:
1. Plug the Smart Card Reader to any USB port.

2. Launch the SIM Personalize tools app supplied with the Smart Card Reader.
3. Insert a blank USIM card into the reader and click on Read Card.
4. Fill out USIM parameters as shown in the screenshot below:
Figure 10. USIM parameters
5. Click on Write Card when complete.

6. Insert another blank USIM, set new ICCID and IMSI15 values
(all other parameters don't change).
7. Click on Write Card when complete.
8. Repeat the last two steps for remaining USIMs.

Note
● Only IMSI15, Ki and OP codes are significant for EAP-AKA authentication.
● Most of the other parameters (including the entire GSM Parameters section)
are irrelevant for the Carrier-WiFi setup.
● Individual USIMs differ only by ICCID and IMSI (all Ki/OP HEX32 keys are set
to 11111111111111111111111111111111 for simplicity's sake).
● IMSI18 is populated automatically when IMSI15 is entered.
● PIN code is not required when the USIM is inserted into the UE.
Reference
Refer to APPENDIX 1 and https://nickvsnetworking.com/usim-basics/ for the
description of USIM parameters.
USIM parameters summary
Parameter USIM1 USIM2
ICCID 2 89600117113000044547 89600117113000044554
IMSI15 3 101012345678911 101012345678922
Ki 4 11111111111111111111111111111111 11111111111111111111111111111111
OP 5 11111111111111111111111111111111 11111111111111111111111111111111
Parameter USIM3 USIM4
ICCID 89600117113000044562 89600117113000044570
IMSI15 101012345678933 101012345678944
Ki 11111111111111111111111111111111 11111111111111111111111111111111
OP 11111111111111111111111111111111 11111111111111111111111111111111
2
Dummy value created using ICCID generator http://www.heicard.com/en/check_iccid , not referenced
by Magma.
3
Dummy value - can not start from “0” and must match with IMSI configured in FEG’s “hss.yml”
subscribers file.
4
Dummy value - must match with “auth_key” configured in FEG’s “hss.yml” subscribers file.
5
Dummy value - must match with “lte_auth_op” defined in FEG's HSS config provided by API
(BASE64 "EREREREREREREREREREREQ==").

Parameter USIM5
ICCID 89600117113000044588
IMSI15 101012345678955
Ki 11111111111111111111111111111111
OP 11111111111111111111111111111111
4.2.2 Configuring WiFi profiles

To make mobile phones connect to the “magma” wireless network and authenticate
with USIM, respective WiFi network settings must be configured on UEs. Follow the
instructions below to set up the Lab Android and IOS devices.
4.2.2.1 Android
Setting up WiFi network on Android devices is easy and can be completed in less
than one minute:
1. Insert recently configured micro USIM1 card into the USIM card slot of Huawei
P smart 2019 phone (no PIN code is required).
2. Go to Settings ⇨ Wifi.
3. Tap on Add network in the bottom of the screen.
4. Complete network settings as follows:

5. Tap Connect.
6. Repeat steps 2-5 for the USIM2 and Samsung Galaxy SM-G350 phone.
Note
Android UEs won’t join the “magma” WiFi network until the Lab’s Access
Point and all Magma components are deployed and configured.
4.2.2.2 IOS
As opposed to Android, IOS devices do not allow for selecting EAP authentication for
WiFi networks being configured manually and also attempts of joining “magma”
network from the list of broadcasted SSIDs end up with an undesired username and
password prompt.
To make the iPhone authenticate with the USIM card, the configuration profile with
respective network settings must be pushed to the device beforehand.
Follow the steps below for profile creation and distribution.
1. Create empty “magma iOS_Profile.mobileconfig” file and fill it out with the
following configuration items:
<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">
<dict>
<key>ConsentText</key>
<dict>
<key>default</key>
<string>Connect to magma Wifi network automatically</string>
</dict>
<key>PayloadContent</key>
<array>
<dict>
<key>AutoJoin</key>
<true/>
<key>CaptiveBypass</key>
<false/>
<key>EAPClientConfiguration</key>
<dict>
<key>AcceptEAPTypes</key>
<array>
<integer>23</integer>
</array>
</dict>
<key>EncryptionType</key>
<string>WPA</string>
<key>HIDDEN_NETWORK</key>
<false/>
<key>IsHotspot</key>
<false/>
<key>PayloadDescription</key>
<string>Configures Wi-Fi settings</string>
<key>PayloadDisplayName</key>
<string>Wi-Fi</string>
<key>PayloadIdentifier</key>
<string>com.apple.wifi.managed.0BBCE1ED-882D-4D23-8D53-E20C2D219148</string>
<key>PayloadType</key>
<string>com.apple.wifi.managed</string>
<key>PayloadUUID</key>
<string>0BBCE1ED-882D-4D23-8D53-E20C2D219148</string>
<key>PayloadVersion</key>
<key>ProxyType</key>
<string>None</string>
<key>SSID_STR</key>
<string>magma</string>
</dict>
</array>
<key>PayloadDescription</key>
<string>WiFi Profile to automatically connect to magma network</string>
<key>PayloadDisplayName</key>
<key>PayloadIdentifier</key>
<key>PayloadOrganization</key>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>

<string>8B6D1F76-0C50-4CC6-98AB-591C2E1287F4</string>
<key>PayloadVersion</key>
</dict>
</plist>
Note
● EAP type 23 is EAP-AKA,
● Encryption type is WPA as configured later on the Carrier-WiFi Access
Point,
● The SSID string is “magma”.
Reference
Refer to Apple’s documentation for more information on IOS configuration
profiles.
2. Once the profile file is saved, upload it to any cloud drive (e.g. Dropbox or
Google Drive) and get the shareable link:
https://drive.google.com/file/d/1kXoRiIZ9hWho4z8UoYO3My255p-weDhB/view
?usp=sharing
3. Send the above link to iPhone through e.g. WhatsApp or email and tap it.
4. Tap the Or continue to website button:
5. Tap Download ⇨ Direct download:

6. Tap Allow:
7. Choose iPhone:

8. Tap Close:
9. Go to Settings ⇨ General ⇨ Profile ⇨ magma:

10. Tap More Details ⇨ WiFi to check profile properties:
11. Get back to Settings ⇨ General ⇨ Profile ⇨ magma and tap Install:

12. Enter iPhone’s passcode:
13. Tap Next:
14. Tap Install:

15. Tap Install again:
16. Tap Done:

17. Insert micro USIM3 card into the USIM card slot (no PIN code required).
18. Go to Settings ⇨ Wi-Fi and tap magma in MY NETWORKS to connect.
Note
iPhone won’t join the “magma” WiFi network until the Lab’s Access Point
and all Magma components are deployed and configured.
4.3 Configuring Cisco Access Point
4.3.1 AP lightweight to autonomous conversion (optional)

The pre-owned Cisco access point AIR-AP1142N-E-K9 has been supplied with the
lightweight IOS destined for setups with Cisco WLC. To make it work in the Magma
Lab it needs to be converted to autonomous AP.
Follow the instructions below to convert the AP:
1. Configure Mac’s Ethernet port with a static IP:

Note
Set the IP address of 172.16.0.1/24
(subnet 172.16.0.0/24 the above IP belongs to will be used later on in this Lab)
2. Download autonomous IOS file: “c1140-k9w7-tar.153-3.JD17.tar”.

3. Configure TFTP server on Mac:
$ sudo launchctl load -F /System/Library/LaunchDaemons/tftp.plist

$ sudo launchctl start com.apple.tftpd
$ sudo chmod 777 /private/tftpboot
$ cp c1140-k9w7-tar.152-3.JD17.tar /private/tftpboot
$ sudo chmod 777 /private/tftpboot/*
4. Connect the AP to Mac’s Ethernet port.

5. Connect AP’s console interface to Mac’s USB port with an appropriate cable
and execute:
$ ls -ltr /dev/*usb*
crw-rw-rw- 1 root wheel 18, 10 Jul 9 16:34 /dev/tty.usbserial-AL02V1O4

crw-rw-rw- 1 root wheel 18, 11 Jul 9 16:34 /dev/cu.usbserial-AL02V1O4
$ screen /dev/tty.usbserial-AL02V1O4 9600

6. Log in the AP when the prompt shows up and enter the following
commands:
debug capwap console cli

conf t
ip default-gateway 172.16.0.1
int g0
ip address 172.16.0.2 255.255.255.0
no sh
ping 172.16.0.1
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2

seconds: !!!!!
archive download-sw /force-reload /overwrite

tftp://172.16.0.1/c1140-k9w7-tar.152-3.JD17.tar
examining image... Loading c1140-k9w7-tar.152-3.JD17.tar from

172.16.10.1 (via GigabitEthernet0): ……
en (default password: Cisco)

sh ver
… Version 15.3(3)JD17 …
Reference
Refer to the links below for details on AP conversion:
● https://mrncciew.com/2012/10/20/lightweight-to-autonomous-conversi
on/
● https://community.cisco.com/t5/wireless/converting-a-lightweight-ap-
to-an-autonomous-ap/td-p/2284278
4.3.2 AP command set

Connect to the AP with console cable and provide the configuration statements
available here. Once complete, execute “wr mem” and make sure that the AP
running config looks as follows:
magma-ap#sh run
!
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname magma-ap
!
!

logging rate-limit console 9
!
aaa new-model
!
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_eap
server name 172.16.0.3
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
server name 172.16.0.3
!
aaa group server radius rad_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
!
aaa group server radius rad_acct1
!
aaa authentication attempts login 10
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login SSH-ACCESS local
aaa authentication login CONSOLE-ACCESS local
aaa authentication enable default line enable
aaa authorization exec default local
aaa authorization commands 1 default local if-authenticated
aaa authorization commands 15 default local if-authenticated
aaa accounting update periodic 1
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
aaa server radius dynamic-author
client 172.16.0.3
server-key 7 055A545C751918
port 3799
!
aaa session-id common
clock timezone GMT 1 0
no ip source-route
ip routing
ip cef
no ip domain lookup
ip domain name test
ip name-server 8.8.8.8
!
!
!
!

dot11 pause-time 100
no dot11 igmp snooping-helper
dot11 syslog
!
dot11 ssid magma
tunnel CWAG
authentication open eap eap_methods
authentication key-management wpa
accounting acct_methods
guest-mode
!
!
dot11 holdoff-time 60
dot11 aaa csid ietf
dot11 wpa handshake timeout 500
!
dot11 tunnel CWAG
type gre
source 172.16.0.2
destination 172.16.0.3
mss 1410
mtu 1500
!
no ipv6 cef
!
crypto pki trustpoint TP-self-signed-3496216344
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3496216344
revocation-check none
rsakeypair TP-self-signed-3496216344
!
!
crypto pki certificate chain TP-self-signed-3496216344
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343936 32313633 3434301E 170D3032 30333031 30313137
33365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34393632
31363334 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
810098AD 5068349B 37029147 AB288B38 CB3FF405 D7223B35 A7A2B255 D8F8AE1D
D970536C 06F5EC17 69365D2F BDC8F4BC E6DB299B F9728CC6 64EB6FBF 77D32FAC
28BFF2A7 65AD25BF 6A3FE07E D9285A61 E9F1FE35 DF84D742 A92C09B5 A26DB87C
EBC07CD1 987F38FA 7EAEBE2E B80CB49D 53768997 22132066 74EFEAE2 3C15C414
605D0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14580FE9 B9941291 6266CCDE 159EB3B6 4D325B2D F0301D06
03551D0E 04160414 580FE9B9 94129162 66CCDE15 9EB3B64D 325B2DF0 300D0609
2A864886 F70D0101 05050003 81810044 8245DC74 9910229A 25A15036 0882D94C
9708DA33 83FAFF61 1A046561 8442315E 362107C8 6AFD56B5 52B53DC7 95777156
BA63A65C 282AE609 2987E076 6A378898 84F6B6FA 606334B9 381B9168 F4837BAA
F31F2926 E8B824D4 936C6131 8E4146D5 9E912EE1 6CC4FA08 7CBAF64E 0D3B51AC
514C8CE9 F8EA7212 71DE5AAF 36879A
quit
username magma privilege 15 secret 5 $1$uAdY$2Krg35gMI0o5fE7nhJ9sC/
!
!
bridge irb
!

!
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers aes-ccm
!
ssid magma
!
antenna gain 128
channel 2447
station-role root
world-mode dot11d country-code EE both
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
shutdown
!
encryption mode ciphers aes-ccm
antenna gain 0
peakdetect
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
no keepalive
bridge-group 1
!
interface BVI1
description LAN interface
mac-address 5475.d064.0718
ip address 172.16.0.2 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http authentication aaa
ip http secure-server
ip http timeout-policy idle 600 life 120 requests 60
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1

!
logging facility local0
no cdp run
!
snmp-server location Poznan
radius-server attribute 44 include-in-access-req all
radius-server timeout 30
!
radius server 172.16.0.3
address ipv4 172.16.0.3 auth-port 1812 acct-port 1813
key 7 101F5B4A514244
!
bridge 1 route ip
!
!
wlccp wds aaa csid ietf
!
line con 0
session-timeout 15
privilege level 15
logging synchronous
line vty 0 4
session-timeout 15
logging synchronous
login authentication SSH-ACCESS
transport input ssh
!
end
Verify AP ssh access: ssh magma@172.16.0.2 (password: magma)

Verify AP http access: http://172.16.0.2 (username: magma password: magma)
Note
● “magma” SSID placed on 802.11N 2,4GHz radio (Dot11Radio0) should show
up in the broadcasted wireless network list. It’s accessible only from UEs
with inserted Lab’s USIM cards and configured with respective WiFi profiles
(see 4.2 UE setup).
● “magma” SSID is configured with an open eap authentication method. The

key management for authenticated clients is handled by WPA. WPA uses
AES-CCMP cipher to encrypt 2,4GHz radio transmission.
● User’s data from the “magma” wireless network is sent to CWAG through
the wired link using L2 GRE tunnel terminated on CWAG’s eth1 interface
(172.16.0.3). Encapsulated Ethernet traffic has no vlan tag as opposed to
production Magma environments.

● 172.16.0.3 is also an IP address of the CWAG radius server participating in
EAP-AKA authentication and collecting accounting information for wireless
clients (UEs). An unencrypted radius key for the encrypted 101F5B4A514244
string is 123456. This key must match with the RADIUS_SECRET value in the
docker-compose.yaml file on CWAG.
● The aaa server radius dynamic-author section defines the radius client
(CWAG) from which the AP accepts Change of Authorization (CoA) and
disconnect requests (e.g. if a subscriber burned through the entire WiFi
data package defined by the policy). The AP’s AAA server listens on port
3379 and is configured with an encrypted 055A545C751918 key
(unencrypted string: 123456).
Reference
Refer to the collection of links in the Cisco AP section for AP configuration
guidelines.
4.4 Collecting Mac OS tooling for Magma
4.4.1 Pyenv, python, pip and python packages
Execute the following commands in Mac’s terminal:
$ brew install pyenv
$ echo -e 'if command -v pyenv 1>/dev/null 2>&1; then\n eval "$(pyenv init -)"\nfi'
>> ~/.bash_profile
$ source .bash_profile
$ pyenv install 3.7.3
Installed Python-3.7.3 to /Users/wojciechnawrot/.pyenv/versions/3.7.3
$ pyenv global 3.7.3
$ pyenv versions
system
2.7.18
* 3.7.3 (set by /Users/wojciechnawrot/.pyenv/version)
$ python --version
Python 3.7.3

$ cd /Users/wojciechnawrot/.pyenv/versions/3.7.3/bin
$ python3.7 -m pip install --upgrade pip
Successfully installed pip-20.2.4
$ pip3 install ansible fabric3 jsonpickle requests PyYAML
Note
Make sure you are using python 3.7.3 globally !
4.4.2 Docker Desktop for Mac
1. Download and install Docker Desktop for Mac community version

(https://www.docker.com/products/docker-desktop):
2. Verify docker and docker-compose versions in Mac’s terminal:
$ docker --version
Docker version 19.03.13, build 4484c46d9d
$ docker-compose --version
docker-compose version 1.27.4, build 40524192
3. Allocate Mac’s resources for docker:

Note
● According to the Magma guide the minimum amount of memory for
Docker Engine is 4GB. Set 6GB or more to avoid build errors.
● Allocate 50+ GB for images.
4. Sign-in Docker Hub with your Docker account:
4.4.3 Virtualbox for Mac
Install VirtualBox for Mac (https://www.virtualbox.org/wiki/Downloads):

4.4.4 Vagrant
1. Install Vagrant for Mac (https://www.vagrantup.com/downloads)

2. Check version and add extra plugins:
$ vagrant --version
Vagrant 2.2.13
$ vagrant plugin install vagrant-disksize

$ vagrant plugin install vagrant-scp
$ vagrant plugin install vagrant-vbguest
$ vagrant plugin list
vagrant-disksize (0.1.3, global)

vagrant-scp (0.5.7, global)
vagrant-vbguest (0.26.0, global)
4.5 Cloning and checking out Magma repository

Perform the following steps on your Mac:
1. Clone Magma repo:
$ mkdir <YOUR MAGMA_CLONE_DIR>

$ export MAGMA_CLONE_DIR=<YOUR MAGMA_CLONE_DIR>
$ cd ${MAGMA_CLONE_DIR}
$ git clone https://github.com/facebookincubator/magma

2. Go to https://github.com/magma/magma/commits/master and select the 10
days old commit number:
54dc60e7a071461b584245e6b89349eaad0c194f (Jul21.2021)
3. Perform git checkout:
$ cd ${MAGMA_CLONE_DIR}/magma
$ git checkout 54dc60e7a071461b584245e6b89349eaad0c194f
$ git describe --tags
v1.0.0-rc1-6799-g54dc60e7a
Note
At the time of this writing more recent Magma commits are available but to
make your deployment process smooth and compliant with the
documentation checkout to the above number.
4.6 Deploying Orc8r

1. Initiate creation of Orc8r’s build context and images:
$ cd ${MAGMA_CLONE_DIR}/magma/orc8r/cloud/docker/
$ ./build.py -a
2. Grab a cup of coffee and relax.

3. (Optional) Push Orc8r images into Docker Registry:
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE

orc8r_controller latest 251e7fd98ac3 5 hours ago 1.6GB
<none> <none> 1166250d42fc 5 hours ago 3.96GB
orc8r_test latest eeff099742d1 5 hours ago 2.34GB
orc8r_nginx latest 8df2090eae70 5 hours ago 517MB
orc8r_fluentd latest 7c979a65bb37 5 hours ago 52.4MB
ubuntu xenial 065cf14a189c 5 weeks ago 135MB
nginx 1.17 9beeba249f3e 14 months ago 127MB
fluent/fluentd v1.7-1 f7b0c84773fe 20 months ago 49.5MB

$ export PUBLISH=${MAGMA_CLONE_DIR}/magma/orc8r/tools/docker/publish.sh
$ export REGISTRY=docker.io/wnawrot
$ export MAGMA_TAG=54dc60e7a
$ for image in controller nginx ; do ${PUBLISH} -r ${REGISTRY} -i ${image} -v ${MAGMA_TAG} ; done
Note
● Enter your Docker Registry username and password when prompted
● MAGMA_TAG is the first nine characters of the commit number
4. (Optional) Open Docker Desktop and make sure that Orc8r images are in
place:
5. Start up the Orc8r containers:
$ ./run.py --metrics
$ docker-compose ps
Name Command State Ports
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
elasticsearch /usr/local/bin/docker-entr ... Up 0.0.0.0:9200->9200/tcp, 0.0.0.0:9300->9300/tcp
fluentd tini -- /bin/entrypoint.sh ... Up 0.0.0.0:24224->24224/tcp, 0.0.0.0:24224->24224/udp, 0.0.0.0:24225->24225/tcp, 0.0.0.0:24225->24225/udp, 5140/tcp
orc8r_alertmanager-configurer_1 alertmanager_configurer -p ... Up
orc8r_alertmanager_1 /bin/alertmanager --config ... Up 0.0.0.0:9093->9093/tcp
orc8r_controller_1 /bin/sh -c /usr/local/bin/ ... Up
orc8r_kibana_1 /usr/local/bin/dumb-init - ... Up 0.0.0.0:5601->5601/tcp
orc8r_maria_1 docker-entrypoint.sh mysql ... Up 3306/tcp
orc8r_nginx_1 /bin/sh -c /usr/local/bin/ ... Up 80/tcp, 0.0.0.0:7443->8443/tcp, 0.0.0.0:7444->8444/tcp, 0.0.0.0:9443->9443/tcp
orc8r_postgres_1 docker-entrypoint.sh postg ... Up 0.0.0.0:5432->5432/tcp
orc8r_postgres_test_1 docker-entrypoint.sh postg ... Up 0.0.0.0:5433->5432/tcp
orc8r_prometheus-cache_1 prometheus-edge-hub -limit ... Up 0.0.0.0:9091->9091/tcp, 0.0.0.0:9092->9092/tcp
orc8r_prometheus-configurer_1 prometheus_configurer -por ... Up
orc8r_prometheus_1 /bin/prometheus --config.f ... Up 0.0.0.0:9090->9090/tcp
orc8r_test_1 /bin/bash -lc echo Hello W ... Exit 0
orc8r_user-grafana_1 /run.sh Up 0.0.0.0:3000->3000/tcp

6. Install client certificate to enable Orc8r swagger API access (Firefox):
a. Make a copy of admin_operator.pfx:
$ mkdir ${MAGMA_CLONE_DIR}/Backup/
$ cp ${MAGMA_CLONE_DIR}/magma/.cache/test_certs/admin_operator.pfx
${MAGMA_CLONE_DIR}/Backup/
b. Open Firefox and paste “about:preferences#privacy” in the address field.

c. Go to View Certificates... ⇨ Your Certificates ⇨ Import.
d. Select “admin_operator.pfx” from “${MAGMA_CLONE_DIR}/Backup/”,
enter password "magma" and click OK.
e. Click OK to close the Certificate Manager window.
f. Enter https://localhost:9443/apidocs/v1/#/
Note
Click here in case of “400 Bad Request - No required SSL Certificate
was sent” error
7. Check remaining URLs:

● Kibana: http://localhost:5601/app/kibana
● Alert Manager: http://localhost:9093/#/alerts
● Prometheus: http://localhost:9090/graph
● Grafana: http://localhost:3000/grafana/login

4.7 Deploying NMS and creating networks for
FEG/CWAG
1. Add DNS static entries for respective organisations:
$ sudo vim /etc/hosts
127.0.0.1 magma-test.localhost
127.0.0.1 master.localhost
127.0.0.1 fb-test.localhost
2. Perform NMS build:
$ cd ${MAGMA_CLONE_DIR}/magma/nms/app/packages/magmalte/
$ export COMPOSE_PROJECT_NAME=magmalte
$ docker-compose build magmalte
3. Take another cup of coffee
Note
In case of the following error: "info There appears to be trouble with your
network connection. Retrying..." and build interruption, relaunch
"docker-compose build magmalte"
4. (Optional) Push NMS image into Docker Registry
$ cd ${MAGMA_CLONE_DIR}/magma/nms/app/packages/magmalte/
$ export PUBLISH=${MAGMA_CLONE_DIR}/magma/orc8r/tools/docker/publish.sh
$ export REGISTRY=docker.io/wnawrot
$ export MAGMA_TAG=54dc60e7a
$ ${PUBLISH} -r ${REGISTRY} -i magmalte -v ${MAGMA_TAG}
Note
● Enter your Docker Registry username and password when prompted
● MAGMA_TAG is the first nine characters of the commit number

5. (Optional) Open Docker Desktop and make sure that NMS image (magmalte)
is in place:
6. Start up the NMS containers:
$ docker-compose up -d
Creating magmalte_postgres_1 ... done

Creating magmalte_magmalte_1 ... done
Creating magmalte_nginx-proxy_1 ... done
$ docker-compose ps

-------------------------------------------------------------------------------------------------------------------------------
magmalte_magmalte_1 docker-entrypoint.sh /usr/ ... Up (healthy) 0.0.0.0:8081->8081/tcp
magmalte_nginx-proxy_1 /docker-entrypoint.sh ngin ... Up 0.0.0.0:443->443/tcp, 80/tcp
magmalte_postgres_1 docker-entrypoint.sh postgres Up 5432/tcp
7. Create NMS user for master and magma-test organisations :
$ cd scripts
$ ./dev_setup.sh
...
$ node -r '@fbcnms/babel-register' scripts/setPassword.js magma-test admin@magma.test password1234
Creating a new user: email=admin@magma.test, password=password1234
...
$ node -r '@fbcnms/babel-register' scripts/setPassword.js master admin@magma.test password1234
Creating a new user: email=admin@magma.test, password=password1234
...

8. Log-in the NMS master organisation:
a. Open https://master.localhost/ in Firefox or Chrome.

b. Enter user name and password: “admin@magma.test” /
“password1234”:
c. Click on magma-test and make sure that Enable All Networks is

checked:

9. Log-in the magma-test organisation:
a. Open https://magma-test.localhost/ in Firefox or Chrome.

b. Enter user name and password: “admin@magma.test” /
“password1234”.
10. Create FEG/CWAG networks:
a. Go to: Administrative Tools ⇨ Networks and lick on Add Network.

b. Provide FEG parameters exactly as follows:
c. Click on Save.
d. Click Add Network again and complete CWAG parameters:

e. Click on Save.
11. (Optional) Look into CWAG/FEG networks description through the swagger
API:
a. Go to: https://localhost:9443/apidocs/v1/#/ (Firefox)

b. Click on cwf in the left panel, scroll down to the Carrier WiFi Networks
section and click on:
c. Click on Try it out and enter Network ID as follows:
d. Click on Execute and check the response body.

e. Click on feg in the left panel, scroll down to the Federation Networks
section and click on:
f. Click on Try it out and enter Network ID as follows:
g. Click on Execute and check the response body.
4.8 Deploying FEG
1. Build and push FEG images
Perform the steps below on your Mac.
a. Make sure you are signed in Docker Desktop with your Docker Hub
credentials:

b. Build FEG images:
$ cd ${MAGMA_CLONE_DIR}/magma/feg/gateway/docker
$ docker-compose build
c. Watch an episode of your favorite TV show.

d. Tag created FEG images and push them into Docker Registry:
$ docker images | grep feg_gateway_
feg_gateway_go latest 1e6b3140d347 8 minutes ago 859MB

feg_gateway_python latest 7182260e4959 14 minutes ago 1.24GB
feg_gateway_go_base latest 38c5da1c3436 33 minutes ago 2.45GB
$ docker tag 1e6b3140d347 wnawrot/feg_gateway_go:54dc60e7a

$ docker tag 7182260e4959 wnawrot/feg_gateway_python:54dc60e7a
$ docker push wnawrot/feg_gateway_go:54dc60e7a

$ docker push wnawrot/feg_gateway_python:54dc60e7a
Note
● Only feg_gateway_go and feg_gateeway_python images are
relevant.
● Tag respective images with the first nine characters of the
commit number
e. Open Docker Desktop and make sure that FEG (feg_)images are in
place:

f. Delete needles local images created by FEG build:
$ docker images

feg_gateway_go latest 1e6b3140d347 44 minutes ago 859MB
wnawrot/feg_gateway_go 54dc60e7a 1e6b3140d347 44 minutes ago 859MB
<none> <none> 2c4743867ff5 45 minutes ago 287MB
<none> <none> 027133eff470 45 minutes ago 3.31GB
feg_gateway_python latest 7182260e4959 49 minutes ago 1.24GB
wnawrot/feg_gateway_python 54dc60e7a 7182260e4959 49 minutes ago 1.24GB
<none> <none> 1dd966a7bf10 About an hour ago 1.44GB
feg_gateway_go_base latest 38c5da1c3436 About an hour ago 2.45GB
….
$ docker image rm -f 1e6b3140d347 2c4743867ff5 027133eff470

7182260e4959 1dd966a7bf10 38c5da1c3436
2. Create the NAT network in VirtualBox
Go to Preferences ⇨ Network, add a new NAT network, and fill out parameters
exactly as follows:

Click OK when complete.
Note
This network will be used in FEG’s Vagrantfile for PCRF VM interconnect.
3. Define FEG VM and spin it up
a. Replace original FEG “Vagrantfile” with the new one:
$ cd ${MAGMA_CLONE_DIR}/magma/feg/gateway/
$ mv Vagrantfile Vagrantfile.bak
$ touch Vagrantfile
b. Populate new “Vagrantfile” exactly as follows:
$ vim Vagrantfile
VAGRANTFILE_API_VERSION = "2"
Vagrant.require_version ">=1.9.1"
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
config.vm.synced_folder "../..", "/home/vagrant/magma"
config.vm.define :feg, primary: true do |feg|
feg.vm.box = "generic/ubuntu1804"
feg.vm.box_version = "1.9.12"
feg.vbguest.auto_update = false
feg.vm.hostname = "magma-feg-dev"
feg.ssh.password = "vagrant"

feg.ssh.insert_key = true
feg.vm.network "private_network", ip: "192.168.50.3", virtualbox__intnet: "NatNetwork"
feg.vm.provider "virtualbox" do |vb|
vb.name = "feg-dev"
vb.linked_clone = true
vb.customize ["modifyvm", :id, "--memory", "1024"]
vb.customize ["modifyvm", :id, "--cpus", "1"]
vb.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"]
end
end
end
or download complete “Vagrantfile” here.
Note
● FEG VM will be started with two network interfaces:
○ eth0 - not specified in the Vagrantfile and running in
NAT mode (default IP address=10.0.2.15). This interface
will be used for FEG ssh access (port forwarding) and
outgoing communication with the Orc8r listening on
the lo0 interface of the MacOS.
○ eth1 - specified in the Vagrantfile, connected to the
private “NatNetwork” and assigned 192.168.50.3/24 IP
address. This IP will be used for communication with the
external PCRF system.
c. Spin up FEG VM:
$ cd ${MAGMA_CLONE_DIR}/magma/feg/gateway/
$ vagrant validate
Vagrantfile validated successfully.
$ vagrant up feg
$ vagrant status
…
feg running (virtualbox)
…
$ vagrant ssh feg
4. Check FEG VM’s connectivity with the Orc8r
Perform the steps below on the FEG VM (vagrant ssh feg).
a. Add the following DNS static entries to enable FEG to access the Orc8r:

$ sudo -i
# vim /etc/hosts
10.0.2.2 controller.magma.test
10.0.2.2 bootstrapper-controller.magma.test
10.0.2.2 fluentd.magma.test
Note
The above FQDNs are Orc8r services referenced in the
“/etc/magma/control-proxy.yaml” file and listening on ports: TCP/7443,
TCP/7444, and TCP/24224 respectively.
b. Verify FEG’s TCP connectivity with the Orc8r:
$ telnet controller.magma.test 7443
Trying 10.0.2.2...
Connected to controller.magma.test.
Escape character is '^]'.
$ telnet bootstrapper-controller.magma.test 7444
Trying 10.0.2.2...
Connected to bootstrapper-controller.magma.test.
$ telnet fluentd.magma.test 24224
Trying 10.0.2.2...
Connected to fluentd.magma.test.
5. Set up FEG main services
a. Copy relevant files from the mounted share into FEG’s local directory:
$ sudo -i
# mkdir /tmp/install_dir
# cd /tmp/install_dir
# cp /home/vagrant/magma/orc8r/tools/docker/install_gateway.sh .
# cp /home/vagrant/magma/feg/gateway/configs/control_proxy.yml .
# cp /home/vagrant/magma/feg/gateway/docker/.prod_env .
# cp /home/vagrant/magma/.cache/test_certs/rootCA.pem .
b. Adjust the “.env” file as follows:

# mv .prod_env .env
# vim .env
COMPOSE_PROJECT_NAME=feg
DOCKER_USERNAME=wnawrot
DOCKER_PASSWORD='<REPLACE_WITH_YOUR_DOCKER_REGISTRY_PASSWORD>'
DOCKER_REGISTRY=docker.io/wnawrot/feg_
IMAGE_VERSION=54dc60e7a
GIT_HASH=54dc60e7a
BUILD_CONTEXT=https://github.com/facebookincubator/magma.git#master
ROOTCA_PATH=/var/opt/magma/certs/rootCA.pem
CONTROL_PROXY_PATH=/etc/magma/control_proxy.yml
CONFIGS_DEFAULT_VOLUME=/etc/magma
CONFIGS_TEMPLATES_PATH=/etc/magma/templates
SNOWFLAKE_PATH=/etc/snowflake
CERTS_VOLUME=/var/opt/magma/certs
CONFIGS_VOLUME=/var/opt/magma/configs
CONFIGS_OVERRIDE_VOLUME=/var/opt/magma/configs
LOG_DRIVER=journald
or download complete “.env” file here.
Note
● Replace Docker registry name, username and password with
your Docker Hub credentials.
● Assign the “image version” / “git hash” variables with the string
you set while pushing FEG images into the registry.
c. Launch FEG main services:
# ./install_gateway.sh feg
....
Creating td-agent-bit ... done
Creating swx_proxy ... done
Creating eventd ... done
Creating eap_aka ... done
Creating session_proxy ... done
Creating csfb ... done
Creating redis ... done
Creating feg_hello ... done
Creating s6a_proxy ... done
Creating control_proxy ... done
Creating radiusd ... done
Creating magmad ... done
Creating eap_sim ... done
Creating s8_proxy ... done

Creating health ... done
Creating aaa_server ... done
Installed successfully!!
# cd /var/opt/magma/docker/
# docker-compose ps

---------------------------------------------------------------------------------------------
aaa_server envdir /var/opt/magma/envd ... Up
control_proxy /bin/bash -c /usr/local/bi ... Up
csfb envdir /var/opt/magma/envd ... Up
eap_aka envdir /var/opt/magma/envd ... Up
eap_sim envdir /var/opt/magma/envd ... Up
eventd python3.8 -m magma.eventd.main Up
feg_hello envdir /var/opt/magma/envd ... Up
health envdir /var/opt/magma/envd ... Up
magmad python3.8 -m magma.magmad.main Up
radiusd envdir /var/opt/magma/envd ... Up
redis /bin/bash -c /usr/local/bi ... Up
s6a_proxy envdir /var/opt/magma/envd ... Up
s8_proxy envdir /var/opt/magma/envd ... Up
session_proxy envdir /var/opt/magma/envd ... Up
swx_proxy envdir /var/opt/magma/envd ... Up
td-agent-bit /bin/bash -c /usr/local/bi ... Up (healthy)
d. Forward FEG’s syslog to the cloud:
# cp
/tmp/magmagw_install/magma/orc8r/tools/ansible/roles/fluent_bit/files/6
0-fluent-bit.conf /etc/rsyslog.d/
# service rsyslog restart
6. Configure and launch mock HSS
Note
Mock HSS to be launched locally on FEG VM is emulating real carrier’s HSS
core service accessible through the SWx DIAMETER interface. Refer to 3.3.5
Home Subscriber Server (HSS) for details.
a. Create empty “docker-compose.override.yml” file and paste the

following content into it (be careful on spacing):
# touch /var/opt/magma/docker/docker-compose.override.yml
# vim docker-compose.override.yml

version: "3.7"
# Standard logging for each service
x-logging: &logging_anchor
driver: "json-file"
options:
max-size: "10mb"
max-file: "10"
# Standard volumes mounted
x-standard-volumes: &volumes_anchor
- ${ROOTCA_PATH}:/var/opt/magma/certs/rootCA.pem
- ${CERTS_VOLUME}:/var/opt/magma/certs
- ${CONFIGS_OVERRIDE_VOLUME}:/var/opt/magma/configs
- ${CONFIGS_DEFAULT_VOLUME}:/etc/magma
- ${CONFIGS_TEMPLATES_PATH}:/etc/magma/templates
- ${CONTROL_PROXY_PATH}:/etc/magma/control_proxy.yml
- /etc/snowflake:/etc/snowflake
x-generic-service: &service
volumes: *volumes_anchor
logging: *logging_anchor
restart: always
network_mode: host
x-feg-goservice: &feggoservice
<<: *service
image: ${DOCKER_REGISTRY}gateway_go:${IMAGE_VERSION}
services:
hss:
<<: *feggoservice
container_name: hss
command: envdir /var/opt/magma/envdir /var/opt/magma/bin/hss -logtostderr=true -v=0
volumes:
gwcerts:
gwconfigs:
or download the completed file here.
b. Populate mock HSS with subscribers (be careful on spacing):
# touch /var/opt/magma/configs/hss.yml
# vim /var/opt/magma/configs/hss.yml
# HSS Config
#
# ---
#subscribers:
# <imsi>:
# <auth_key>: - required (hex string)
# <non_3gpp_enabled>: - optional (bool)
subscribers:
# OYEI USIM1
"101012345678911":
auth_key: "11111111111111111111111111111111"
non_3gpp_enabled: true
# OYEI USIM2
"101012345678922":

auth_key: "11111111111111111111111111111111"
# OYEI USIM3
"101012345678933":
auth_key: "11111111111111111111111111111111"
# OYEI USIM4
"101012345678944":
auth_key: "11111111111111111111111111111111"
# OYEI USIM5
"101012345678955":
auth_key: "11111111111111111111111111111111"
or download the completed “hss.yml” file here.
Note
● The above subscriber settings are USIMs’ IMSI and Ki
parameters configured in 4.2.1 Programming USIM cards.
● non_3gpp_enabled: true means that the user has non-3GPP
subscription and is allowed to use access technologies not
specified in 3GPP (e.g. WiFi or Wimax). This setting makes HSS
send Non-3GPP-IP-Access:
NON_3GPP_SUBSCRIPTION_ALLOWED(0) AVP in SAA
message to the AAA Server.
c. Start up mock HSS container:
# cd /var/opt/magma/docker
# docker-compose -f docker-compose.override.yml up -d
Creating hss ... done
7. Display FEG’s ID and key
# docker-compose exec magmad /usr/local/bin/show_gateway_info.py
Hardware ID
-----------
951b76cb-2f90-4b05-ba1f-8581b7f9cf57
Challenge key

-------------
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEdYuK33vf22odUFypdqw3VEv9H5eLQ+IpbUd/3jpN08UCNEiNZfOkiioe3F45Bn
I9qckH4hNLkIbX8wUIhBW/Hr3bEmIwGe0lFcnZ2VPjYQ1xemJEZRpndpGtjparEJnG
Note
Save the “Hardware ID” and the “Challenge Key” in a safe place. They both
will be required for FEG registration.
8. Register FEG and configure relevant Diameter interfaces
The configuration below will be provided through the NMS GUI. Some
verification steps will be performed directly on the FEG VM.
a. Go to the NMS: https://magma-test.localhost/user/login?to=%2F and

sign-in with “admin@magma.test” / “password1234” credentials.
b. Add a new gateway in the previously configured feg_net by clicking

https://magma-test.localhost/nms/feg_net/gateways/new and populate
its configuration fields as shown below. To avoid typos, copy and paste
values stored in this file.
Note
Use “Hardware UUID” and the “Challenge Key” you noted down in the
previous step. They both will be different from values shown in the
screenshot above.

Note
The above parameters must match the PCRF Peer config (see here).
Don’t use long names e.g. xxx.epc.mnc001.mcc001.3gppnetwork.org
due to communication issues with FreePCRF.

Note
“Gy” section is relevant only in deployments with OCS. The Gy
interface will be disabled but its parameters must be provided.

Note
SWx is a DIAMETER-based interface between the AAA Server (running
on CWAG) and the HSS. It is used for UE authentication when the UE
does non-3GPP access.

Note
● Keep the “S6A” interface section empty as it’s not relevant for
the carrier WiFi Lab.
● S6A is relevant only for 3GPP setups with Magma Access
Gateway (AGW) and eNodeB. The MME node communicates
with HSS through S6A to register UEs for mobile internet
Note
● Keep the “CSFB” section empty as it’s not relevant for the
Carrier-WiFi Lab.
● CSFB (Circuit Switched Fallback) delivers voice and SMS
services to LTE devices.
Click on Save once all the above settings are entered.
c. Go to the FEG VM (vagrant ssh feg) and verify gateway’s registration:
$ sudo -i
# docker-compose exec magmad /usr/local/bin/checkin_cli.py
1. -- Testing TCP connection to controller.magma.test:7443 --

2. -- Testing Certificate --
3. -- Testing SSL --
4. -- Creating direct cloud checkin --
5. -- Creating proxy cloud checkin --
Success!
# docker-compose logs magmad | grep Success
magmad | INFO:root:Bootstrapped Successfully!
Note

The above means that FEG properly interacts with the Orc8r.
d. Check if the gateway config provided by the Orc8r is streamed to FEG

(vagrant ssh feg):
# ls -al --time-style=full-iso /var/opt/magma/configs/gateway.mconfig
-rw-r--r-- 1 root root 3518 2021-07-23 07:45:08.884215955 -0700 /var/opt/magma/configs/gateway.mconfig
Note
The “gateway.mconfig” file is updated every single minute.
9. Adjust FEG config
The adjustments described below will be done using Orc8r’s API (NMS does
not support all configuration items).
a. Open
https://localhost:9443/apidocs/v1/#/Federation%20Gateways/get_feg__n
etwork_id__gateways__gateway_id__federation in Firefox, enter
Network/Gateway ID (“feg_net”/”feg_01”) and hit Execute:
b. Create a new temporary text file and copy the response body from point
a. onto it.
c. Add missing configuration statements to the text file (in red) as shown
below:

{
"aaa_server": {},
"csfb": {
"client": {}
},
"eap_aka": {
"plmn_ids": null
},
"gx": {
"disableGx": false,
"server": {
"address": "192.168.50.4:3868",
"dest_host": "test.freepcrf.com",
"dest_realm": "freepcrf.com",
"disable_dest_host": true,
"host": "gx-mgm.magmalab.com",
"local_address": "192.168.50.3:3870",
"product_name": "magma",
"protocol": "tcp",
"realm": "magmalab.com"
},
"servers": null,
"virtual_apn_rules": []
},
"gy": {
"disableGy": true,
"init_method": 2,
"server": {
"address": "127.0.0.1:3869",
"dest_host": "hw-ocs.epc.mnc001.mcc001.3gppnetwork.org",
"dest_realm": "epc.mnc001.mcc001.3gppnetwork.org",
"host": "gy-mgm1.epc.mnc001.mcc001.3gppnetwork.org",
"local_address": "127.0.0.1:4869",
"protocol": "tcp",
"realm": "epc.mnc001.mcc001.3gppnetwork.org"
},
"servers": null,
"virtual_apn_rules": []
},
"health": {
"health_services": null
},
"hss": {
"default_sub_profile": {
"max_dl_bit_rate": 200000000,
"max_ul_bit_rate": 100000000
},

"lte_auth_amf": "gAA=",
"lte_auth_op": "EREREREREREREREREREREQ==",
"server": {
"address": "127.0.0.1:2901",
"dest_host": "hw-hss.epc.mnc001.mcc01.3gppnetwork.org",
"local_address": "127.0.0.1:3901",
"protocol": "tcp"
},
"sub_profiles": {
"additionalProp1": {
},
},
}
}
},
"s6a": {
"plmn_ids": [],
"server": {
"protocol": "tcp"
}
},
"served_network_ids": [
"cwag_net"
],
"swx": {
"hlr_plmn_ids": null,
"server": {
"address": "127.0.0.1:2901",
"dest_host": "hw-hss.epc.mnc001.mcc001.3gppnetwork.org",
"host": "swx-mgm1.epc.mnc001.mcc001.3gppnetwork.org",
"local_address": "127.0.0.1:3901",
"protocol": "tcp",
"realm": "epc.mnc001.mcc001.3gppnetwork.org"
},
"servers": null
}
}

Note
● Gy is disabled making OCS core service not being contacted at
all. See description of disableGx/disableGy parameters here.
● Make sure that AMF and OP parameters in the HSS section
have the following base64 values:
○ "lte_auth_amf": "gAA="
○ "lte_auth_op": "EREREREREREREREREREREQ=="
These base64 values correspond to “8000” and

“11111111111111111111111111111111” hex values stored in USIMs.
Notice that during USIM programming only OP code has been
configured because there was no AMF field in the card writer
software. Nevertheless, the value of “gAA=” in HSS matches the
USIMs’ AMF default value because the authentication works
properly.
d. (Optional) Compare your completed FEG config with the reference

configuration stored in this file.
e. Open
https://localhost:9443/apidocs/v1/#/Federation%20Gateways/put_feg__n
etwork_id__gateways__gateway_id__federation in Firefox , click Try it
out, enter Network/Gateway ID (“feg_net”/”feg_01”), replace the entire
example config with the content of the text file from point c. and hit
Execute:

If no syntax errors have been made the HTTP response should be:
f. Open
https://localhost:9443/apidocs/v1/#/Federation%20Gateways/get_feg__n
etwork_id__gateways__gateway_id__federation in Firefox again, enter
Network/Gateway ID (“feg_net”/”feg_01”) and hit Execute to make sure
that configuration changes to FEG have been saved.
Note
From now on do not modify FEG’s settings with NMS because the
config adjustments made through the API will be removed !
g. Restart FEG services to apply new settings (vagrant ssh feg):
# docker-compose down && docker-compose up -d

Note
Perform services restart at least one minute after new settings have
been applied to FEG.
10. FEG post-deployment checks
a. Check “gateway.mconfig” contents:
# cat /var/opt/magma/configs/gateway.mconfig | python3 -mjson.tool

{
"configsByKey": {
"aaa_server": {
"@type": "type.googleapis.com/magma.mconfig.AAAConfig",
"logLevel": "INFO"
},
"control_proxy": {
"@type": "type.googleapis.com/magma.mconfig.ControlProxy",
"logLevel": "INFO"
},
"csfb": {
"@type": "type.googleapis.com/magma.mconfig.CsfbConfig",
"logLevel": "INFO",
"client": {}
},
"eap_aka": {
"@type": "type.googleapis.com/magma.mconfig.EapAkaConfig",
"logLevel": "INFO"
},
"eventd": {
"@type": "type.googleapis.com/magma.mconfig.EventD",
"logLevel": "INFO",
"eventVerbosity": -1
},
"health": {
"@type": "type.googleapis.com/magma.mconfig.GatewayHealthConfig"
},
"hss": {
"@type": "type.googleapis.com/magma.mconfig.HSSConfig",
"server": {
"protocol": "tcp",
"address": "127.0.0.1:2901",
"localAddress": "127.0.0.1:3901",
"destHost": "hw-hss.epc.mnc001.mcc01.3gppnetwork.org",
"destRealm": "epc.mnc001.mcc01.3gppnetwork.org"
},
"lteAuthOp": "EREREREREREREREREREREQ==",
"lteAuthAmf": "gAA=",
"subProfiles": {
"maxUlBitRate": "100000000",
"maxDlBitRate": "200000000"
},
},
}
},

"defaultSubProfile": {
}
},
"magmad": {
"@type": "type.googleapis.com/magma.mconfig.MagmaD",
"logLevel": "INFO",
"checkinInterval": 60,
"checkinTimeout": 10,
"autoupgradeEnabled": true,
"autoupgradePollInterval": 300,
"packageVersion": "0.0.0-0"
},
"metricsd": {
"@type": "type.googleapis.com/magma.mconfig.MetricsD",
"logLevel": "INFO"
},
"ovpn": {
"@type": "type.googleapis.com/magma.mconfig.OpenVPN"
},
"s6a_proxy": {
"@type": "type.googleapis.com/magma.mconfig.S6aConfig",
"logLevel": "INFO",
"server": {
"protocol": "tcp"
}
},
"session_proxy": {
"@type": "type.googleapis.com/magma.mconfig.SessionProxyConfig",
"logLevel": "INFO",
"gx": {
"server": {
"protocol": "tcp",
"address": "192.168.50.4:3868",
"localAddress": "192.168.50.3:3870",
"productName": "magma",
"realm": "magmalab.com",
"destRealm": "freepcrf.com",
"destHost": "test.freepcrf.com",
"disableDestHost": true
},
"servers": [
{
"protocol": "tcp",
"address": "192.168.50.4:3868",
"localAddress": "192.168.50.3:3870",
"realm": "magmalab.com",
"destRealm": "freepcrf.com",
"destHost": "test.freepcrf.com",
}
]
},
"gy": {
"server": {
"protocol": "tcp",
"address": "127.0.0.1:3869",
"localAddress": "127.0.0.1:4869",
"realm": "epc.mnc001.mcc001.3gppnetwork.org",
"destRealm": "epc.mnc001.mcc001.3gppnetwork.org",
"destHost": "hw-ocs.epc.mnc001.mcc001.3gppnetwork.org",
},
"initMethod": "PER_KEY",
"servers": [
{
"protocol": "tcp",
"address": "127.0.0.1:3869",

"localAddress": "127.0.0.1:4869",
"destHost": "hw-ocs.epc.mnc001.mcc001.3gppnetwork.org",
}
],
"DisableGy": true
}
},
"swx_proxy": {
"@type": "type.googleapis.com/magma.mconfig.SwxConfig",
"logLevel": "INFO",
"server": {
"protocol": "tcp",
"address": "127.0.0.1:2901",
"localAddress": "127.0.0.1:3901",
},
"servers": [
{
"protocol": "tcp",
"address": "127.0.0.1:2901",
"localAddress": "127.0.0.1:3901",
}
]
},
"td-agent-bit": {
"@type": "type.googleapis.com/magma.mconfig.FluentBit",
"extraTags": {
"gateway_id": "feg_01",
"network_id": "feg_net"
},
"throttleRate": 1000,
"throttleWindow": 5,
"throttleInterval": "1m"
}
},
"metadata": {
"created_at": 1652433289
}
}
b. Make sure that HSS is listening on port TCP/2901:
# netstat -tulpn --sctp | grep hss
tcp 0 0 127.0.0.1:2901 0.0.0.0:* LISTEN 2757/hss
c. Verify that Gy interface is disabled:

# docker-compose logs -f session_proxy | grep OCS
session_proxy | I0513 09:14:42.325429 1 main.go:168] Gy Disabled by configuration, not connecting to OCS
d. Validate HSS subscribers
Verify subscriber data by entering consecutive USIM IMSI numbers

configured here:
# docker-compose exec hss bash
# ./var/opt/magma/bin/hss_cli get -subscriber_id 101012345678911
Retreived subscriber data: sid:<id:"101012345678911" > gsm:<state:ACTIVE > lte:<state:ACTIVE

auth_key:"\021\021\021\021\021\021\021\021\021\021\021\021\021\021\021\021" > state:<>
non_3gpp:<msisdn:"12345" apn_config:<> >

auth_key:"\021\021\021\021\021\021\021\021\021\021\021\021\021\021\021\021" > state:<>

auth_key:"\021\021\021\021\021\021\021\021\021\021\021\021\021\021\021\021" > state:<>

auth_key:"\021\021\021\021\021\021\021\021\021\021\021\021\021\021\021\021" > state:<>

auth_key:"\021\021\021\021\021\021\021\021\021\021\021\021\021\021\021\021" > state:<>
e. Validate SWx interface
Perform the following test from any FEG container, e.g. csfb:
# docker-compose exec csfb bash
# ./var/opt/magma/bin/swx_cli mar 101012345678933
Sending MAR to 127.0.0.1:9110:

{
"userName": "101012345678933",

"sipNumAuthVectors": 3,
"resyncInfo": null,
"retrieveUserProfile": true
}
protos.AuthenticationRequest{UserName:"101012345678933", SipNumAuthVectors:0x3, AuthenticationScheme:0,
ResyncInfo:[]uint8(nil), RetrieveUserProfile:true, XXX_NoUnkeyedLiteral:struct {}{}, XXX_unrecognized:[]uint8(nil),
XXX_sizecache:0}
Received successful MAA:

{
"userName": "101012345678933",
"sipAuthVectors": [
{
"randAutn": "Dp1J8ZwCcezMhdHOzqJwfMfcwt26/oAAtCeVRr8FuFQ=",
"xres": "SBdW/f05j60=",
"confidentialityKey": "k8uBxJa086RTkmxtxtnEZQ==",
"integrityKey": "ZYA0y+Nx4F+ErTH72OmMLQ=="
},
{
"randAutn": "hCVLGk7lLDHpKg8HkzxCB941FaFK9YAAr3rQbHWl2/0=",
"xres": "fkRt1suiS/0=",
"confidentialityKey": "zlv9g1gNCKSjNlnsRNgYnQ==",
"integrityKey": "HkiEOKDfb6zsJagEx7CjXw=="
},
{
"randAutn": "e4DsNw5EjyIGKtNfdI0j/U7cOI2Fz4AA5MvABhlHnW8=",
"xres": "xvip2wQwn0s=",
"confidentialityKey": "y3uiBEiu2hwECs2JzoKoYA==",
"integrityKey": "2GdKlDDKbdD2VxHNFZMsmg=="
}
],
"userProfile": {
"msisdn": "12345"
},
"sessionId": "magma-swx;7436822641859105973;973511096;IMSI101012345678933"
}
{UserName:101012345678933
SipAuthVectors:[rand_autn:"\016\235I\361\234\002q\354\314\205\321\316\316\242p|\307\334\302\335\272\376
\200\000\264'\225F\277\005\270T" xres:"H\027V\375\3759\217\255"
confidentiality_key:"\223\313\201\304\226\264\363\244S\222lm\306\331\304e"
integrity_key:"e\2004\313\343q\340_\204\2551\373\330\351\214-"
rand_autn:"\204%K\032N\345,1\351*\017\007\223<B\007\3365\025\241J\365\200\000\257z\320lu\245\333\375"
xres:"~Dm\326\313\242K\375" confidentiality_key:"\316[\375\203X\r\010\244\2436Y\354D\330\030\235"
integrity_key:"\036H\2048\240\337o\254\354%\250\004\307\260\243_"
rand_autn:"{\200\3547\016D\217\"\006*\323_t\215#\375N\3348\215\205\317\200\000\344\313\300\006\031G\2
35o" xres:"\306\370\251\333\0040\237K"
confidentiality_key:"\313{\242\004H\256\332\034\004\n\315\211\316\202\250`"
integrity_key:"\330gJ\2240\312m\320\366W\021\315\025\223,\232" ] UserProfile:msisdn:"12345"
SessionId:magma-swx;7436822641859105973;973511096;IMSI101012345678933 XXX_NoUnkeyedLiteral:{}
XXX_unrecognized:[] XXX_sizecache:0}
Note
● MAR (Multimedia Authentication Request) is a command sent
by AAA Server to the HSS through the SWx interface for
accessing security information.

● MAA (Multimedia Authentication Answer) command is
returned by HSS if a subscriber (IMSI) is found and allowed to
use non-3GPP access methods. The command contains
security information including auth vector.
● Click here for more information on MAR/MAA SWx Diameter
messages
11. (Optional) Enable extended logging
See here for details.
4.9 Deploying CWAG
1. Build and push CWAG images
a. Make sure you are signed in Docker Desktop with your Docker Hub
credentials:
b. Build CWAG images:
$ cd ${MAGMA_CLONE_DIR}/magma/cwf/gateway/docker

$ docker-compose build --parallel
c. Go for a walk.
Note
If the build fails due to the following error "c++: internal compiler
error: Killed (program cc1plus)", increase Docker Desktop memory to
10G and re-launch docker-compose build (click here for details).
d. Tag created CWAG images and push them into Docker Registry:
$ docker images | grep cwf_ | grep latest
cwf_gateway_python latest b92103ceeb33 3 minutes ago 1.24GB

cwf_gateway_sessiond latest 8e9498acb390 48 minutes ago 945MB
cwf_gateway_pipelined latest 32d2bd311288 51 minutes ago 1.51GB
cwf_gateway_go latest f40ceeb38cda 54 minutes ago 859MB
cwf_cwag_go latest 1404fa3aadbe About an hour ago 202MB
$ docker tag 8e9498acb390 wnawrot/cwf_gateway_sessiond:54dc60e7a

$ docker tag 32d2bd311288 wnawrot/cwf_gateway_pipelined:54dc60e7a
$ docker tag b92103ceeb33 wnawrot/cwf_gateway_python:54dc60e7a
$ docker tag f40ceeb38cda wnawrot/cwf_gateway_go:54dc60e7a
$ docker tag 1404fa3aadbe wnawrot/cwf_cwag_go:54dc60e7a
$ docker push wnawrot/cwf_gateway_sessiond:54dc60e7a

$ docker push wnawrot/cwf_gateway_pipelined:54dc60e7a
$ docker push wnawrot/cwf_gateway_python:54dc60e7a
$ docker push wnawrot/cwf_gateway_go:54dc60e7a
$ docker push wnawrot/cwf_cwag_go:54dc60e7a
Note
Tag respective images with the first nine characters of the commit
number
e. Open Docker Desktop and make sure that all CWAG (cwf_) images are
in place:

f. Delete needles local images created by CWAG build:
$ docker images

cwf_gateway_python latest b92103ceeb33 49 minutes ago 1.24GB
wnawrot/cwf_gateway_python 54dc60e7a b92103ceeb33 49 minutes ago 1.24GB
<none> <none> 6bcd485fc198 54 minutes ago 287MB
<none> <none> eeed8bb95b2e 54 minutes ago 3.32GB
<none> <none> 3f2d5b04695a About an hour ago 1.44GB
cwf_gateway_sessiond latest 8e9498acb390 2 hours ago 945MB
wnawrot/cwf_gateway_sessiond 54dc60e7a 8e9498acb390 2 hours ago 945MB
cwf_gateway_pipelined latest 32d2bd311288 2 hours ago 1.51GB
wnawrot/cwf_gateway_pipelined 54dc60e7a 32d2bd311288 2 hours ago 1.51GB
<none> <none> 1442d027812c 2 hours ago 1.9GB
cwf_gateway_go latest f40ceeb38cda 2 hours ago 859MB
wnawrot/cwf_gateway_go 54dc60e7a f40ceeb38cda 2 hours ago 859MB
<none> <none> f6bda13f8ace 2 hours ago 287MB
<none> <none> 470277f1f30a 2 hours ago 3.31GB
cwf_cwag_go latest 1404fa3aadbe 2 hours ago 202MB
wnawrot/cwf_cwag_go 54dc60e7a 1404fa3aadbe 2 hours ago 202MB
<none> <none> 90e76e3b9c46 2 hours ago 2.44GB
<none> <none> 06492e6efff3 3 hours ago 1.09GB
<none> <none> b9ed46c596e6 3 hours ago 306MB
….
$ docker image rm -f b92103ceeb33 6bcd485fc198 eeed8bb95b2e

3f2d5b04695a 8e9498acb390 32d2bd311288 1442d027812c f40ceeb38cda
f6bda13f8ace 470277f1f30a 1404fa3aadbe 90e76e3b9c46 06492e6efff3
b9ed46c596e6
2. Define CWAG VM and spin it up
a. Replace original CWAG “Vagrantfile” with the new one:

$ cd ${MAGMA_CLONE_DIR}/magma/cwf/gateway/
$ mv Vagrantfile Vagrantfile.bak
$ touch Vagrantfile
b. Populate new “Vagrantfile” exactly as follows:
$ vim Vagrantfile
VAGRANTFILE_API_VERSION = "2"
Vagrant.require_version ">=1.9.1"
# Install vagrant-disksize to allow resizing the vagrant box disk.

unless Vagrant.has_plugin?("vagrant-disksize")
raise Vagrant::Errors::VagrantError.new, "vagrant-disksize plugin is missing. Please install it using
'vagrant plugin install vagrant-disksize' and rerun 'vagrant up'"
end
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
config.vm.synced_folder "../..", "/home/vagrant/magma"
config.vm.define :cwag, primary: true do |cwag|
cwag.vm.box = "generic/ubuntu1804"
cwag.disksize.size = '50GB'
cwag.vm.box_version = "1.9.12"
cwag.vbguest.auto_update = false
cwag.vm.hostname = "cwag-dev"
#eth1 - RADIUS and L2GRE iface
cwag.vm.network "public_network", bridge: "en7: USB 10/100/1000 LAN", ip: "172.16.0.3", nic_type: "82540EM"
#eth2 - Uplink iface
cwag.vm.network "public_network", bridge: "en9: USB 10/100/1000 LAN 2", nic_type: "82540EM", auto_config: false
config.vm.provision "shell",
run: "always",
inline: "ifconfig eth2 up"
cwag.ssh.password = "vagrant"
cwag.ssh.insert_key = true
cwag.vm.provider "virtualbox" do |vb|
vb.name = "cwag-dev"
vb.linked_clone = true
vb.customize ["modifyvm", :id, "--memory", "2048"]
vb.customize ["modifyvm", :id, "--cpus", "2"]
end
end
end
or download complete “Vagrantfile” here.
Note
● Do not use Mac’s Wi-Fi (Airport) as an uplink interface
interconnecting CWAG with the home router. Magma won’t
work in such a scenario.

● CWAG VM will be spawned with three network interfaces:
○ eth0 - not specified in the Vagrantfile and running in
NAT mode (default IP address=10.0.2.15). This interface
will be used for CWAG ssh access (port forwarding) and
outgoing communication with the Orc8r listening on
the lo0 interface of the MacOS.
○ eth1 - specified in the Vagrantfile, bridged with the Mac’s
Ethernet interface (en7) and assigned 172.16.0.3/24 IP
address. This IP will be used to terminate the L2GRE
tunnel from the Magma AP and to handle CWAG’s
radius server traffic.
○ eth2 - specified in the Vagrantfile, bridged with the
Mac’s Ethernet 2 interface (en9) and not assigned an IP
address. This interface will be used as an Internet uplink
for UEs which have been authenticated/authorized
successfully. It will also provide router’s DHCP/DNS
services to UEs (see Figure 9. Reference Lab diagram)
● Before you proceed with spinning up the CWAG VM make sure
that interface numbers (enX) and their names referenced in
the Vagrantfile are identical as in your MacOS:
c. Spin up CWAG VM:
Note
Make sure that both USB-C ⟺ Ethernet adapters are connected to
your Mac while spinning up the CWAG VM (see Figure 4. Physical
network setup )
$ cd ${MAGMA_CLONE_DIR}/magma/cwf/gateway/
$ vagrant up cwag
$ vagrant status
…
cwag running (virtualbox)
…

$ vagrant ssh cwag
d. After the CWAG VM is spun up make sure that its network adapters 2
and 3 operate in Promiscuous Mode: “Allow All”:
3. Check CWAG VM’s connectivity with the Orc8r and the AP
Perform the steps below on the CWAG VM (vagrant ssh cwag).

a. Add the following DNS static entries to enable CWAG to access the
Orc8r:
$ sudo -i
# vim /etc/hosts
10.0.2.2 controller.magma.test
10.0.2.2 bootstrapper-controller.magma.test
10.0.2.2 fluentd.magma.test
Note
The above FQDNs are Orc8r services referenced in the
“/etc/magma/control-proxy.yaml” file and listening on ports: TCP/7443,
TCP/7444, and TCP/24224 respectively.
b. Check Orc8r TCP connectivity:
$ telnet controller.magma.test 7443
Trying 10.0.2.2...
Connected to controller.magma.test.
$ telnet bootstrapper-controller.magma.test 7444
Trying 10.0.2.2...
Connected to bootstrapper-controller.magma.test.
$ telnet fluentd.magma.test 24224
Trying 10.0.2.2...
Connected to fluentd.magma.test.
c. Check AP connectivity:
Note
Make sure that the AP is configured (see 6.2.2. AP command set),
powered up and connected to your Mac with Ethernet cable.
$ ping 172.16.0.2
PING 172.16.0.2 (172.16.0.2) 56(84) bytes of data.

64 bytes from 172.16.0.2: icmp_seq=1 ttl=255 time=0.995 ms

$ ssh magma@172.16.0.2
Password:
4. Set up CWAG services
a. Copy relevant files from the mounted share into CWAG’s local directory:
$ sudo -i
# mkdir /tmp/install_dir
# cp /home/vagrant/magma/orc8r/tools/docker/install_gateway.sh .
# cp /home/vagrant/magma/cwf/gateway/configs/control_proxy.yml .
# cp /home/vagrant/magma/cwf/gateway/docker/.prod_env .
# cp /home/vagrant/magma/.cache/test_certs/rootCA.pem .
c. Adjust the “.env” file as follows:
# mv .prod_env .env
# vim .env
COMPOSE_PROJECT_NAME=cwf
DOCKER_USERNAME=wnawrot
DOCKER_PASSWORD='**********'
DOCKER_REGISTRY=docker.io/wnawrot/cwf_
IMAGE_VERSION=54dc60e7a
GIT_HASH=54dc60e7a
BUILD_CONTEXT=https://github.com/magma/magma.git#master
ROOTCA_PATH=/var/opt/magma/certs/rootCA.pem
CONTROL_PROXY_PATH=/etc/magma/control_proxy.yml
CONFIGS_TEMPLATES_PATH=/etc/magma/templates
CERTS_VOLUME=/var/opt/magma/certs
CONFIGS_OVERRIDE_VOLUME=/var/opt/magma/configs
CONFIGS_DEFAULT_VOLUME=/etc/magma
SECRETS_VOLUME=/var/opt/magma/secrets
RADIUS_STORAGE_TYPE=memory
RADIUS_REDIS_ADDR=
## cwf Interface override

INGRESS_PORT=eth1
UPLINK_PORTS=eth2

LI_PORT=eth5
LOG_DRIVER=journald
or download complete “.env” file here.
Note
● Replace Docker registry name, username and password with
your Docker Hub credentials.
● Assign the “image version” / “git hash” variables with the string
you set while pushing CWAG images into the registry.
● Specify Ingress and Uplink ports accordingly, i.e. eth1 for AP
connectivity and eth2 for Internet access.
● Set dummy eth5 interface as Lawful Interception port (not
relevant for the Lab).
e. Launch CWAG services:
# ./install_gateway.sh cwag
....
Creating td-agent-bit ... done
Creating radiusd ... done
Creating redis ... done
Creating magmad ... done
Creating health ... done
Creating redirectd ... done
Creating radius ... done
Creating eap_aka ... done
Creating eap_sim ... done
Creating pipelined ... done
Creating control_proxy ... done
Creating aaa_server ... done
Creating eventd ... done
Creating directoryd ... done
Creating policydb ... done
Creating state ... done
Creating sessiond ... done
Installed successfully!!
# cd /var/opt/magma/docker/
# docker-compose ps

-----------------------------------------------------------------------------------------------
aaa_server envdir /var/opt/magma/envd ... Up (healthy)
control_proxy sh -c /usr/local/bin/gener ... Up
directoryd python3.5 -m magma.directo ... Up (healthy)
eap_aka envdir /var/opt/magma/envd ... Up (healthy)
eap_sim envdir /var/opt/magma/envd ... Up (healthy)

eventd python3.5 -m magma.eventd.main Up
health envdir /var/opt/magma/envd ... Up
magmad python3.5 -m magma.magmad.main Up
pipelined sh -c set bridge cwag_br0 ... Up (healthy)
policydb python3.5 -m magma.policyd ... Up (healthy)
radius /bin/bash -c envsubst < /e ... Up (healthy)
radiusd envdir /var/opt/magma/envd ... Up
redirectd python3.5 -m magma.redirec ... Up
redis /bin/bash -c /usr/local/bi ... Up
sessiond /usr/local/bin/sessiond Up (healthy)
state python3.5 -m magma.state.main Up
Td-agent-bit /bin/bash -c /usr/local/bi ... Up
f. Forward CWAG’s syslog to the cloud:
# cp
/tmp/magmagw_install/magma/orc8r/tools/ansible/roles/fluent_bit/files/6
0-fluent-bit.conf /etc/rsyslog.d/
# service rsyslog restart
5. Display CWAG’s ID and key
Perform the steps below on the CWAG VM (vagrant ssh feg).
# docker-compose exec magmad /usr/local/bin/show_gateway_info.py
Hardware ID
-----------
40d31441-38dd-44be-9bed-c58067c412c7
Challenge key
-------------
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYqFfZwhGWoN3EotmE3HUC6UsHez69axCV++WGsMG1Mg2+V3nSluDRuRO
J5uGgJlDV+4PJwIE65yM+4jda0ybPu9JoIvQuxtfd6pIG98z1+IioBHXgShh0DsZk79o3CdI
Note
Save the “Hardware ID” and the “Challenge Key” in a safe place. They both
will be required for CWAG registration.
6. Register CWAG


b. Add a new gateway in the previously configured cwag_net by clicking
https://magma-test.localhost/nms/cwag_net/gateways/new and
populate its configuration fields as shown below:
Click on Save when complete.
Note
Use “Hardware UUID” and the “Challenge Key” you noted down in the
previous step. They both will be different from values shown in the
screenshot above.
c. Edit cwag_01 by clicking

https://magma-test.localhost/nms/cwag_net/gateways/edit/cwag_01.
d. Specify subnet for the GRE peers (in our case a GRE peer is Cisco Access
Point running GRE on 172.16.0.2), and click on Save when complete:

e. Go to the CWAG VM (vagrant ssh cwag) and verify gateway’s
registration:
$ sudo -i
# docker-compose exec magmad /usr/local/bin/checkin_cli.py
1. -- Testing TCP connection to controller.magma.test:7443 --

2. -- Testing Certificate --
3. -- Testing SSL --
4. -- Creating direct cloud checkin --
5. -- Creating proxy cloud checkin --
Success!
# docker-compose logs magmad | grep Success
magmad | INFO:root:Checkin Successful! Successfully sent states to the cloud!
Note
The above means that CWAG properly interacts with the Orc8r.
f. Check if the gateway config provided by the Orc8r is streamed to CWAG

(vagrant ssh cwag):
Note

The “gateway.mconfig” file is updated every single minute.
7. Adjust CWAG config
Perform the steps below on the CWAG VM (vagrant ssh cwag)

.
a. Modify pipelined settings as follows:
$ sudo -i
# vim /etc/magma/pipelined.yml
…
static_services: [
'ue_mac',
'arpd',
'check_quota',
'access_control',
'tunnel_learn',
'vlan_learn',
# 'ipfix',
#'li_mirror',
'ryu_rest_service',
'startup_flows',
#'packet_tracer',
…
qos:
# enable: false
enable: true
# impl: ovs_meter
impl: linux_tc
max_rate: 1000000000
linux_tc:
min_idx: 2
max_idx: 65534
ovs_meter:
min_idx: 2
max_idx: 100000
Use Lab’s “pipelined.yml” as a reference.
Note
Disable (comment out) ipfix and enable linux_tc QoS.
b. Fix “tc” issues by adding the following red lines in docker-compose.yml:

# vim docker-compose.yml
pipelined:
<<: *ltepyservice

container_name: pipelined
volumes:
- ${ROOTCA_PATH}:/var/opt/magma/certs/rootCA.pem
- ${CERTS_VOLUME}:/var/opt/magma/certs
- ${CONFIGS_OVERRIDE_VOLUME}:/var/opt/magma/configs
- ${CONFIGS_DEFAULT_VOLUME}:/etc/magma
- ${CONFIGS_TEMPLATES_PATH}:/etc/magma/templates
- ${CONTROL_PROXY_PATH}:/etc/magma/control_proxy.yml
- /etc/snowflake:/etc/snowflake
- /var/run/openvswitch:/var/run/openvswitch
- /sbin/tc:/sbin/tc
cap_add:
- NET_ADMIN
healthcheck:
…..
c. Modify sessiond settings as follows:
Changes not needed. Use defaults !
d. Restart CWAG services to apply new settings:
8. CWAG post-deployment checks
a. Check “gateway.mconfig” contents:
# cat /var/opt/magma/configs/gateway.mconfig | python3 -mjson.tool
{
"configsByKey": {
"aaa_server": {
"@type": "type.googleapis.com/magma.mconfig.AAAConfig",
"logLevel": "INFO",
"IdleSessionTimeoutMs": 500000,
"AccountingEnabled": true,
"CreateSessionOnAuth": true
},
"control_proxy": {
"@type": "type.googleapis.com/magma.mconfig.ControlProxy",
"logLevel": "INFO"
},
"directoryd": {
"@type": "type.googleapis.com/magma.mconfig.DirectoryD",
"logLevel": "INFO"
},

"eap_aka": {
"@type": "type.googleapis.com/magma.mconfig.EapAkaConfig",
"logLevel": "INFO"
},
"eventd": {
"@type": "type.googleapis.com/magma.mconfig.EventD",
"logLevel": "INFO",
"eventVerbosity": -1
},
"health": {
"@type": "type.googleapis.com/magma.mconfig.CwfGatewayHealthConfig",
"grePeers": [
{
"ip": "172.16.0.0/24"
}
]
},
"magmad": {
"@type": "type.googleapis.com/magma.mconfig.MagmaD",
"logLevel": "INFO",
"checkinInterval": 60,
"checkinTimeout": 10,
"autoupgradeEnabled": true,
"autoupgradePollInterval": 300,
"packageVersion": "0.0.0-0"
},
"metricsd": {
"@type": "type.googleapis.com/magma.mconfig.MetricsD",
"logLevel": "INFO"
},
"ovpn": {
"@type": "type.googleapis.com/magma.mconfig.OpenVPN"
},
"pipelined": {
"@type": "type.googleapis.com/magma.mconfig.PipelineD",
"logLevel": "INFO",
"ueIpBlock": "192.168.128.0/24",
"services": [
"ENFORCEMENT",
"DPI"
],
"allowedGrePeers": [
{
"ip": "172.16.0.0/24"
}
]
},
"redirectd": {
"@type": "type.googleapis.com/magma.mconfig.RedirectD",
"logLevel": "INFO"
},
"sessiond": {
"@type": "type.googleapis.com/magma.mconfig.SessionD",
"logLevel": "INFO",
"walletExhaustDetection": {
"terminateOnExhaust": true
},
"gxGyRelayEnabled": true
},
"td-agent-bit": {
"@type": "type.googleapis.com/magma.mconfig.FluentBit",
"extraTags": {

"gateway_id": "cwag_01",
"network_id": "cwag_net"
},
"throttleRate": 1000,
"throttleWindow": 5,
"throttleInterval": "1m"
}
},
"metadata": {
"created_at": 1652454925
}
}
b. Check OvS bridges and their interfaces:
# ovs-vsctl show
Bridge "cwag_br0"
Controller "tcp:127.0.0.1:6633"
is_connected: true
fail_mode: secure
Port "gre0"
Interface "gre0"
type: gre
options: {remote_ip=flow}
Port li_port
Interface li_port
type: internal
Port "mon1"
Interface "mon1"
type: internal
Port cwag_patch
Interface cwag_patch
type: patch
options: {peer=uplink_patch}
Port "cwag_br0"
Interface "cwag_br0"
type: internal
Bridge "uplink_br0"
fail_mode: secure
Port "gw0"
Interface "gw0"
type: internal
Port "eth2"
Interface "eth2"
Port uplink_patch
Interface uplink_patch
type: patch
options: {peer=cwag_patch}
Port "uplink_br0"
Interface "uplink_br0"
type: internal
ovs_version: "2.12.0"

c. Send “hello” to FEG
# docker-compose exec radiusd bash
# /var/opt/magma/bin/hello_cli message 0
Sending Greeting: 'message', Code: 0

Received Greeting: 'message'
Note
If CWAG⟺FEG connectivity is fine, FEG will echo “message” to CWAG
as shown above.
9. (Optional) Enable extended logging
See here for details.
4.10 Deploying FreePCRF

The Policy and Charging Rules Function (PCRF) component will be deployed as a
separate VM with pre-configured Yota FreePCRF software. To work with Magma
(PCEF) a few basic configuration steps must be performed on the PCRF VM
including network setup and DIAMETER integration. When complete, subscription
specific settings will be made including creation and association of subscribers,
services, schemes, accumulators and policies. Also a customized engine.lua file
containing policy selection conditions will be provided as a part of the deployment.
Reference
Before you proceed with configuration steps refer to YotaPCRF concepts available
here.
1. Download Yota FreePCRF VM from here.

2. Import appliance “freePCRF.ova” in VirtualBox.
3. Go to VM settings, click the Network tab and make sure that Adapter 1 is
configured exactly as follows:

Note
The “NatNetwork” has been already added in this step.
4. Go to VirtualBox Preferences ⇨ Network, edit the “NatNetwork”, click on Port

Forwarding and add the following forwarding rules:
Click OK when complete.

Note
The above rules will enable PCRF WebUI/SPR/ssh access from your Mac’s
browser/terminal.
5. Start the FreePCRF VM.
6. Launch the graphical console of FreePCRF VM and log in the VM with root /
password credentials.
7. Adjust FreePCRF VM network/time settings and make sure that FEG VM is

reachable:
# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
PREFIX=24
IPADDR=192.168.50.4
DEFROUTE=YES
GATEWAY=192.168.50.1
DNS1=8.8.8.8
# vi /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=test.freepcrf.com
# service network restart

# ping 192.168.50.3
PING 192.168.50.3 (192.168.50.3) 56(84) bytes of data.

64 bytes from 192.1
"68.50.3: icmp_seq=1 ttl=64 time=10.5 ms
# vi /etc/hosts
192.168.50.4 test.freepcrf.com
192.168.50.3 gx-mgm.magmalab.com
# vi /etc/ntp.conf
restrict default kod nomodify notrap nopeer noquery

restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server 0.rhel.pool.ntp.org iburst


# service ntpd restart
# chkconfig ntpd on
# ntpq -p
# date
Note
● From now on you can ssh the FreePCRF VM directly from MacOS
(ssh root@localhost).
● Refer to 7.5.2.1 No SSH or web access to FreePCRF VM on forwarded
ports in case you can not access the FreePCRF VM through ssh/http
although networking has been configured as described.
8. Verify FreePCRF web access on forwarded ports:
http://localhost:9080/
9. Verify settings for existing (preconfigured) PCRF cluster and PCRF Peer
a. Access FreePCRF O&M Console http://localhost:9080/.
Reference
Refer to the YotaPCRF Administrators Guide (page 44) for O&M
Console description.
b. Navigate to Configuration ⇨ Network Topology ⇨ Clusters and make

sure that that the following preconfigured PCRF Cluster exists:
Cluster ID: 1
Cluster Role: 3 (Cluster Role PCRF with SPR )
Cluster SSR Subscription: 0 (Cluster SSR NONE)
Cluster Name: PCRF 1
Cluster Description:
c. Navigate to Configuration ⇨ Network Topology ⇨ Peers and make sure

that the following preconfigured PCRF Peer exists:
Peer ID: 1
Cluster ID: 1 (PCRF 1)

Dialect: 0(Default)
Host: test.freepcrf.com
Realm: freepcrf.com
Address: test.freepcrf.com
Port: 3868
Protocol: 6(TCP)
Auto Connect: 1(Enabled)
Enabled: 1(Enabled)
Priority: 0
Mandatory: 1(Enabled)
10. Create PCEF Cluster and add PCEF Peer
a. Navigate to Configuration ⇨ Network Topology ⇨ Clusters, click on Add

and fill out cluster settings as follows:
Cluster ID: 999

Cluster Role: 8 (Cluster Role PCEF)
Cluster SSR Subscription: 0 (Cluster SSR NONE)
Cluster Name: Magma
Cluster Description: Magma
b. Navigate to Configuration ⇨ Network Topology ⇨ Peers, click on Add

and fill out peer settings as follows:
Peer ID: 999

Cluster ID: 999(Magma)
Dialect: 0(Default)
Host: gx-mgm.magmalab.com
Realm: magmalab.com
Address: gx-mgm.magmalab.com
Port: 3870
Protocol: 6(TCP)
Auto Connect: 0(Disabled)
Enabled: 1(Enabled)
Priority: 0
Mandatory: 1(Enabled)
c. Make sure PCRF / PCEF Cluster / Peer settings look as follows:

11. Set the default region
Navigate to Configuration ⇨ Server Settings and set

default_region=MagmaLAB
12. Verify PCRF integration with Magma (PCEF)
a. Make sure that all FreePCRF sensors are green:
Note
All the Diameter parameters including IPs, ports, hostnames, realms,
etc. must match at both sides, i.e. PCRF and PCEF (Magma).
b. Check Gx interface
● Go to http://localhost:9080/trace/ and make sure that DWR/DWA

messages are exchanged between PCEF and PCRF every 3
seconds:

Note
The DWR (Device-Watchdog-Request) / DWA
Device-Watchdog-Answer) message sequence is standard
Diameter messaging used on idle connections to check peer
availability and detect transport failures.
● From your Mac, log in the FreePCRF VM (ssh root@localhost)

and type “lv”:
The DWR/DWA sequences should be visible as in graphical trace.
4.11 Creating data plans

Every subscriber (IMSI) in the Carrier-WiFi Lab will be served in a different way in
terms of assigned data volumes/rates, validity periods and access conditions (e.g. if a
data pack is exhausted a subscriber can be either disconnected or his Internet access
may slow down).
Furthermore, for educational purposes, FreePCRF configuration items will be

provided using both CLI and HTTP and the PCC rules will be implemented in a static
and dynamic fashion.

Note
Static PCC rules are configured in PCEF (Magma) and activated/deactivated by
PCRF whereas dynamic PCC rules are dynamically provisioned by PCRF to the
PCEF via the Gx interface).
4.11.1 Data plans summary and relevant configuration items
Refer to the table below for the summary of subscribers’ data plans and relevant
configuration items:
Subscriber ID (IMSI): 101012345678911
Data plan name: “100MB per Hour”
Data plan description: The subscriber is assigned a WiFi plan with unlimited download/upload data
rate (Internet speed) and 100MB of cumulative download/upload data volume
granted every single hour. If the 100MB data pack is exhausted, the
subscriber's session is disconnected immediately and new sessions are not
allowed. The subscriber can join the Carrier-WiFi network again as soon as the
data accumulator value is reset automatically (every single hour) or manually
by the administrator.
PCRF Service: 01_SRV_100MB_FULL_SPEED_1HOUR
PCRF Policy: 01_POLICY_100MB_FULL_SPEED
PCRF Policy 01_RULE_100MB_FULL_SPEED /

PCC Rule / Monitoring-Key: 01_KEY_100MB_FULL_SPEED
PCRF Accumulator / 01_ACCUM_100MB_FULL_SPEED /

Associated Monitoring-Key: 01_KEY_100MB_FULL_SPEED
PCRF Scheme: 01_SCHEME_100MB_FULL_SPEED_1HOUR
Data plan name: “200MB per Week”
Data plan description: The subscriber is assigned a WiFi plan with unlimited download/upload data
rate (internet speed) and 200MB of cumulative download/upload data volume
granted every week. If the 200MB data pack is exhausted, a new policy with
QoS is installed and the Internet speed is reduced to 2Mbit/s. The low data
rate for existing and new sessions persists until the accumulator value is reset

automatically (every week) or manually by the administrator.
PCRF Service: 02_SRV_200MB_SLOW_2MBPS_1WEEK
PCRF Policy 1: 02_POLICY_200MB_FULL_SPEED
PCRF Policy 1 02_RULE_200MB_FULL_SPEED /

PCC Rule / Monitoring-Key: 02_KEY_200MB_FULL_SPEED
PCRF Policy 2: 02_POLICY_200MB_2MBP
PCRF Policy 2 02_RULE_200MB_2MBPS /

PCC Rule / Monitoring-Key: 02_KEY_200MB_2MBPS_DUMMY
PCRF Accumulator / 02_ACCUM_200MB_FULL_SPEED /

Associated Monitoring-Key: 02_KEY_200MB_FULL_SPEED
PCRF Scheme: 02_SCHEME_200MB_FULL_SPEED_1WEEK
Data plan name: “Full Freedom Gold”
Data plan description: The subscriber is assigned a WiFi plan with unrestricted download/upload
Internet speed and unlimited data volume forever.
PCRF Service: 03_SRV_UNLIM_MB_FULL_SPEED
PCRF Policy: 03_POLICY_UNLIM_MB_FULL_SPEED
PCRF Policy 03_RULE_UNLIM_MB_FULL_SPEED /

PCC Rule / Monitoring-Key: not applicable
PCRF Accumulator / not applicable /

Associated Monitoring-Key: not applicable
PCRF Scheme: not applicable
Data plan name: “Full Freedom Silver”
Data plan description: The subscriber is assigned a WiFi plan with download/upload Internet speed
limited to 8Mbit/s and unlimited data volume forever.

PCRF Service: 04_SRV_UNLIM_MB_8MBPS
PCRF Policy 04_POLICY_UNLIM_MB_8MBPS
PCC Rule / Monitoring-Key: 04_RULE_UNLIM_MB_8MBPS /

not applicable
QoS Profile: 04_QOS_PROF_8MBPS
PCRF Accumulator / not applicable /

Associated Monitoring-Key: not applicable
PCRF Scheme: not applicable
Data plan name: T.B.D.
Data plan description: T.B.D.
PCRF Service: T.B.D.
PCRF Policy 1: T.B.D.
PCRF Policy 1 PCC rule / T.B.D.

monitoring key:
PCRF Accumulator / T.B.D.

associated monitoring key:
PCRF Scheme: T.B.D.
4.11.2 Define Subscribers (FreePCRF HTTP - Subscriber Management Interface)
1. Add PCRF Subscribers according to the table below using FreePCRF’s

Subscriber Management Interface:
Subscriber ID Subscriber URL

(IMSI) Description
101012345678911 OYEI_USIM1 http://localhost:9080/spr/sm/addSubscriber?id=101012345678911&d

escription=OYEI_USIM1




Reference
Refer to Yota PCRF Subscriber Management Interface Description for details
on Subscriber Management Interface.
2. Open http://localhost:9080/#db_tt_pcrf_table_SUBSCRIBER (O&M Console)

and make sure the subscribers have been added:
Note
● The above Subscriber IDs are USIMs’ IMSIs configured in 4.2.1
Programming USIM cards
● Subscriber information can be obtained per individual IMSI by
entering e.g.:
http://localhost:9080/spr/sm/getSubscriber?id=101012345678911
4.11.3 Define Services (FreePCRF HTTP - SPR Configuration Interface)
1. Define PCRF Services according to the table below using FreePCRF’s SPR
Configuration Interface:
Service ID / Name / Description URL

01_SRV_100MB_FULL_SPEED_1HOUR http://localhost:9080/spr/conf/addServiceInfo?id=01_SRV_100MB_
FULL_SPEED_1HOUR&name=01_SRV_100MB_FULL_SPEED_1HOUR
&description=01_SRV_100MB_FULL_SPEED_1HOUR
02_SRV_200MB_SLOW_2MBPS_1WEEK http://localhost:9080/spr/conf/addServiceInfo?id=02_SRV_200MB_
SLOW_2MBPS_1WEEK&name=02_SRV_200MB_SLOW_2MBPS_1WE
EK&description=02_SRV_200MB_SLOW_2MBPS_1WEEK
03_SRV_UNLIM_MB_FULL_SPEED http://localhost:9080/spr/conf/addServiceInfo?id=03_SRV_UNLIM_
MB_FULL_SPEED&name=03_SRV_UNLIM_MB_FULL_SPEED&descri
ption=03_SRV_UNLIM_MB_FULL_SPEED
04_SRV_UNLIM_MB_8MBPS http://localhost:9080/spr/conf/addServiceInfo?id=04_SRV_UNLIM_
MB_8MBPS&name=04_SRV_UNLIM_MB_8MBPS&description=04_S
RV_UNLIM_MB_8MBPS
T.B.D. T.B.D.
Reference
Refer to the YotaPCRF Administrators Guide (page 41) for SPR Configuration
Interface basics.
2. Open http://localhost:9080/#db_tt_pcrf_table_SERVICE (O&M Console) and

make sure the services have been added:
Note
You can verify individual services by entering e.g.
http://localhost:9080/spr/conf/getServiceInfo?id=01_SRV_100MB_FULL_SPEE
D_1HOUR
4.11.4 Assign Services to Subscribers (FreePCRF HTTP - Subscriber Management

Interface)
1. Assign the Services to Subscribers as shown in the table below using

FreePCRF’s Subscriber Management Interface:
Subscriber ID Service ID URL

(IMSI)

101012345678911 01_SRV_100MB_FULL_SPEED_1HOUR http://localhost:9080/spr/sm/addService?subscribe
r_id=101012345678911&service_id=01_SRV_100MB
_FULL_SPEED_1HOUR
101012345678922 02_SRV_200MB_SLOW_2MBPS_1WEEK http://localhost:9080/spr/sm/addService?subscribe

r_id=101012345678922&service_id=02_SRV_200MB
_SLOW_2MBPS_1WEEK
101012345678933 03_SRV_UNLIM_MB_FULL_SPEED http://localhost:9080/spr/sm/addService?subscribe

r_id=101012345678933&service_id=03_SRV_UNLIM
_MB_FULL_SPEED
101012345678944 04_SRV_UNLIM_MB_8MBPS http://localhost:9080/spr/sm/addService?subscribe

r_id=101012345678944&service_id=04_SRV_UNLIM
_MB_8MBPS
101012345678955 T.B.D. T.B.D.
2. Open http://localhost:9080/#db_tt_pcrf_table_SUBSCRIBER_SERVICE (O&M

Console) and verify Service-Subscriber assignment:
Note
You can verify individual IMSI to Service associations by entering e.g.:
http://localhost:9080/spr/sm/getService?subscriber_id=101012345678944&ser
vice_id=04_SRV_UNLIM_MB_8MBPS
4.11.5 Create Accumulator Schemes (FreePCRF CLI)
1. Create Accumulator Schemes by pasting commands from the table into

FreePCRF CLI:
Scheme ID/name/description Reset period CLI command

Level_1
Level_2
Level_3

Level_warn
Level_full
01_SCHEME_100MB_FULL_SPEED_1HOUR 1h /opt/cli/cli_execute SCHEME_ADD

25000000 bytes
50000000 bytes
--scheme_id
75000000 bytes "01_SCHEME_100MB_FULL_SPEED_1HOUR"
90000000 bytes --scheme_name
100000000 bytes "01_SCHEME_100MB_FULL_SPEED_1HOUR"
--scheme_description
"01_SCHEME_100MB_FULL_SPEED_1HOUR"
--scheme_reset_period 1
--scheme_level_1 25000000
--scheme_level_warn 90000000
--scheme_level_full 100000000
02_SCHEME_200MB_FULL_SPEED 1week /opt/cli/cli_execute SCHEME_ADD

50000000 bytes
_1WEEK 100000000 bytes
--scheme_id
150000000 bytes "02_SCHEME_200MB_FULL_SPEED_1WEEK"
180000000 bytes --scheme_name
200000000 bytes "02_SCHEME_200MB_FULL_SPEED_1WEEK"
--scheme_description
"02_SCHEME_200MB_FULL_SPEED_1WEEK"
--scheme_reset_period 3
--scheme_level_warn 180000000
--scheme_level_full 200000000
Note
● --scheme_reset_period 1 - resets the accumulator every HOUR
● --scheme_reset_period 3 - resets the accumulator every WEEK
Reference
Refer to the YotaPCRF Administrators Guide (page 50) for Command Line
Interface details.
3. Open http://localhost:9080/#db_tt_pcrf_table_SCHEME (O&M Console) and

make sure that Schemes have been created:

4.11.6 Add Accumulator information (FreePCRF CLI)
1. Create Accumulator information by pasting commands from the table into

FreePCRF CLI:
Accum_info Default Scheme ID CLI command

ID/name/description
01_ACCUM_100MB_FULL_SPEED 01_SCHEME_100MB_FULL_ /opt/cli/cli_execute ACCUM_INFO_ADD

SPEED_1HOUR
--accum_info_id
"01_ACCUM_100MB_FULL_SPEED"
--accum_info_name
--accum_info_description
--accum_info_default_scheme_id
"01_SCHEME_100MB_FULL_SPEED_1HOUR"
02_ACCUM_200MB_FULL_SPEED 02_SCHEME_200MB_FULL_ /opt/cli/cli_execute ACCUM_INFO_ADD

SPEED_1WEEK
--accum_info_id
--accum_info_name
--accum_info_description
--accum_info_default_scheme_id
"02_SCHEME_200MB_FULL_SPEED_1WEEK"
4. Open http://localhost:9080/#db_tt_pcrf_table_ACCUM_INFO (O&M Console)

and make sure that Accumulator info have been created:
4.11.7 Assign Accumulators to Subscribers (FreePCRF HTTP - Subscriber

Management Interface)
1. Assign Accumulators to Subscribers as shown in the table below using

FreePCRF’s Subscriber Management Interface:
Subscriber ID Accumulator ID URL

(IMSI)
101012345678911 01_ACCUM_100MB_FULL_SPEED http://localhost:9080/spr/sm/addAccum?subscriber_id

=101012345678911&accum_id=01_ACCUM_100MB_FU
LL_SPEED&immediate=1&enable=1
101012345678922 02_ACCUM_200MB_FULL_SPEED http://localhost:9080/spr/sm/addAccum?subscriber_id

=101012345678922&accum_id=02_ACCUM_200MB_FU
LL_SPEED&immediate=1&enable=1
2. Open http://localhost:9080/#db_tt_pcrf_table_ACCUM (O&M Console) and

verify Accumulator-Subscriber assignment:
Note
● The Accumulated Value (cumulative data usage) for a given
Accumulator and Subscriber can be modified/reset manually using
Subscriber Management Interface:
○ http://localhost:9080/spr/sm/setAccumValue?subscriber_id=101012345678911&ac
cum_id=01_ACCUM_100MB_FULL_SPEED&value=80000000&immidiate=1
○ http://localhost:9080/spr/sm/setAccumValue?subscriber_id=101012345678922&ac
cum_id=02_ACCUM_200MB_FULL_SPEED&value=190000000&immidiate=1
● The above calls are useful while testing data plans, i.e. instead of
waiting until the UE consumes few hundred Megabytes of data and a
certain Accumulator level is reached, one can set the Accumulator
Value close to the level_full specified in the Accumulator Scheme (e.g.
195MB).
The Accumulated Value can be also reset (set to 0) which is identical
to the beginning of a new validity period for a data plan.
4.11.8 Verify subscriber settings (FreePCRF MiniCRM)

Use MiniCRM to verify subscribers’ properties configured in the previous steps:
http://localhost:8093/#101012345678911

http://localhost:8093/#101012345678922
http://localhost:8093/#101012345678933
http://localhost:8093/#101012345678944

Note
Accumulators and Accumulator Schemes are configured only for subscribers
101012345678911 and 101012345678922 for whom the policy selection is based on
data usage (see subsequent chapters).
4.11.9 Configure Policies (rules.xml)
1. Make a copy of original “rules.xml” and modify the file as follows:
# cp /etc/pcrf/config/rules/rules.xml /etc/pcrf/config/rules/rules.xml.bak
# vi /etc/pcrf/config/rules/rules.xml
<?xml version='1.0' encoding='UTF-8' ?>
<PolicyDef xmlns='http://www.yota.ru/shemes/rules' version='1'>
<Policy Name="01_POLICY_100MB_FULL_SPEED">
<Default>
<Rules>
<Charging-Rule-Definition>
<Charging-Rule-Name Value="01_RULE_100MB_FULL_SPEED"/>
<Flow-Description Value="permit in ip from any to any"/>
<Flow-Description Value="permit out ip from any to any"/>
<Metering-Method Value="VOLUME"/>
<Flow-Status Value="ENABLED"/>
<Monitoring-Key Value="01_KEY_100MB_FULL_SPEED"/>
<Precedence Value="10"/>
</Charging-Rule-Definition>
</Rules>
</Default>
</Policy>
<Policy Name="02_POLICY_200MB_FULL_SPEED">
<Default>
<Rules>
<Charging-Rule-Name Value="02_RULE_200MB_FULL_SPEED"/>
<Monitoring-Key Value="02_KEY_200MB_FULL_SPEED"/>
</Rules>
</Default>
</Policy>
<Policy Name="02_POLICY_200MB_2MBPS">
<Default>
<Rules>
<Charging-Rule-Name Value="02_RULE_200MB_2MBPS"/>

<Monitoring-Key Value="02_KEY_200MB_2MBPS_DUMMY"/>
<QoS-Information>
<QoS-Class-Identifier Value="QCI_6"/>
<Max-Requested-Bandwidth-UL Value="2048000"/>
<Max-Requested-Bandwidth-DL Value="2048000"/>
<Guaranteed-Bitrate-UL Value="2048000"/>
<Guaranteed-Bitrate-DL Value="2048000"/>
<Allocation-Retention-Priority>
<Priority-Level Value="6"/>
<Pre-emption-Capability Value="PRE_EMPTION_CAPABILITY_DISABLED"/>
<Pre-emption-Vulnerability Value="PRE_EMPTION_VULNERABILITY_DISABLED"/>
</Allocation-Retention-Priority>
</QoS-Information>
</Rules>
</Default>
</Policy>
<Policy Name="03_POLICY_UNLIM_MB_FULL_SPEED">
<Default>
<Rules>
<Charging-Rule-Name Value="03_RULE_UNLIM_MB_FULL_SPEED"/>
</Rules>
</Default>
</Policy>
<Policy Name="04_POLICY_UNLIM_MB_8MBPS">
<Default>
<Rules>
<Charging-Rule-Name Value="04_RULE_UNLIM_MB_8MBPS"/>
</Rules>
</Default>
</Policy>
<DefaultAccums>
<Accum Name="01_ACCUM_100MB_FULL_SPEED">
<Monitoring-Key Name="01_KEY_100MB_FULL_SPEED" Direction="Both" Delta="1000000" Monitor-Level="1" />
</Accum>
<Monitoring-Key Name="02_KEY_200MB_FULL_SPEED" Direction="Both" Delta="1000000" Monitor-Level="1" />
</Accum>
</DefaultAccums>
</PolicyDef>
or download complete “rules.xml” file here.
Note
● Every Policy Name prefix (01_, 02_, etc.) corresponds to an individual
Service assigned to a respective subscriber here.

● Policies 01_, and 02_ contain dynamic PCC rule definitions including
rule name, flow description, methering method, monitoring key, QoS
information and precedence. Dynamic rules are provisioned by PCRF
to PCEF (Magma) and don’t have to be configured on CWAG.
● Policies 03_, and 04_ contain only PCC rule names meaning that
PCRF only activates/deactivates these specific rules but their
definition must be statically provided in PCEF (CWAG).
● Rules.xml associates Accumulators and Monitoring-Keys.

The following Monitoring-Key attributes:
<
Monitoring-Key Name="02_KEY_200MB_FULL_SPEED"
Direction="Both"
Delta="1000000"
Monitor-Level="1"
/>
</Accum>
show up in the Usage-Monitoring-Information AVP in CCA-I/U

messages sent to PCEF:
○ Name="02_KEY_200MB_FULL_SPEED" - is a monitoring key

for which the service units are granted
○ Delta="1000000” (1 MB) - is a number of service units granted
○ Direction="Both" - the service units granted is a cumulative
value for uplink and downlink (possible values: “Both”, “Uplink”,
“Downlink”)
○ Monitor-Level="1" - usage monitoring is performed on the
PCC rule level ( “0” for session level monitoring)
● Monitoring-Key Name must much the Monitoring-key set in PCC rule

definition (Monitoring-key specified in the PCC rule is used for data
usage reporting sent in CCR-U messages):

2. Validate the “rules.xml” file:
# /opt/pcrf_core/utils/rules_validator --rules /etc/pcrf/config/rules/rules.xml
Note
If no errors are found, the validation will end up with no message.
4.11.10 Configure Policy selection in Policy Engine (engine.lua)
1. Make a copy of original “engine.lua” and modify the file as follows:
# cp /etc/pcrf/config/lua/engine.lua /etc/pcrf/config/lua/engine.lua.bak
# vi /etc/pcrf/config/lua/engine.lua
package.path="/etc/pcrf/config/lua/?.lua"
default_region="MagmaLAB"
function GxSelectPolicy()
region = get_region()
country = get_country()
location = get_session_location()
if (region == "UNKNOWN") then
region=default_region
log_write(string.format("[ERR_REGCODE] region [%s,%s,%s,%s] not found, using default '%s'", location,
tostring(get_session_ecgi()), tostring(get_session_lac()), tostring(get_session_rac()), region))
end
log_write(string.format("GxSelectPolicy called for %s", get_subscriber_id()))
log_write(string.format(" Region for '%s' is '%s'", get_subscriber_id(), region))
--- Add default events

enable_event_trigger('EVENT_USER_LOCATION_CHANGE')
enable_event_trigger('EVENT_SGSN_CHANGE')
enable_event_trigger('EVENT_QOS_CHANGE')
enable_event_trigger('EVENT_LOSS_OF_BEARER')
enable_event_trigger('EVENT_RECOVERY_OF_BEARER')
enable_event_trigger('EVENT_RAT_CHANGE')
if is_unknown_subscriber() then

log_write(" Reject unknown subscriber")
reject()
return 0
end
--- Service "01_SRV_100MB_FULL_SPEED_1HOUR"
if (is_service_active("01_SRV_100MB_FULL_SPEED_1HOUR")) then
if check_accum_level_full("01_ACCUM_100MB_FULL_SPEED") then
reject()
log_write(string.format("Rejected Subscriber '%s' because the entire data pack is exhausted", get_subscriber_id()))
else
add_policy("01_POLICY_100MB_FULL_SPEED")
log_write(string.format("Policy: '%s' selected for %s", get_policy(0), get_subscriber_id()))
end
return 0
end
--- Service "02_SRV_200MB_SLOW_2MBPS_1WEEK"
if (is_service_active("02_SRV_200MB_SLOW_2MBPS_1WEEK")) then
if check_accum_level_full("02_ACCUM_200MB_FULL_SPEED") then
set_policy("02_POLICY_200MB_2MBPS")
else
set_policy("02_POLICY_200MB_FULL_SPEED")
end
return 0
end
--- Service "03_SRV_UNLIM_MB_FULL_SPEED"
if (is_service_active("03_SRV_UNLIM_MB_FULL_SPEED")) then
add_policy("03_POLICY_UNLIM_MB_FULL_SPEED")
return 0
end
--- Service "04_SRV_UNLIM_MB_8MBPS"
if (is_service_active("04_SRV_UNLIM_MB_8MBPS")) then
add_policy("04_POLICY_UNLIM_MB_8MBPS")
return 0
end
end
or download complete “engine.lua” file here.
Referenece
● Detailed policy engine description is provided here
● Engine.lua functions are described here:
http://localhost:8091/doc/lua_info.html

Note
● The policy selection algorithm is enclosed within the main function
GxSelectPolicy().
● The script checks if consecutive services are active for the subscriber
(IMSI) - see here.
● If a given service is active, the respective policy from “rules.xml” is
selected. The selection can be unconditional or based on the
Accumulator level defined in a Scheme (e.g. if a data usage for a
validity period exceeds the limit, reject the session or select the policy
which reduces the Internet access speed to 2 Mbps).
2. Verify “engine.lua” content:
# /opt/pcrf_core/utils/engine_script_run -n /etc/pcrf/config/lua/engine.lua
-u GxSelectPolicy -s 101012345678911
Policies:
01_POLICY_100MB_FULL_SPEED
No static rules set for subscriber 101012345678911
No static group rules set for subscriber 101012345678911
For subscriber 101012345678911 congestion usage monitoring is switched off
Policies:
02_POLICY_200MB_2MBPS
Reset the Accumulator:

http://localhost:9080/spr/sm/setAccumValue?subscriber_id=101012345678922&accu
m_id=02_ACCUM_200MB_FULL_SPEED&value=0&immidiate=1
and relaunch the above command again:
Policies:
02_POLICY_200MB_FULL_SPEED

Policies:
03_POLICY_UNLIM_MB_FULL_SPEED
Policies:
04_POLICY_UNLIM_MB_8MBPS
Note
Verification of the file content is required in order to prevent incorrect
behavior of the system.
The verification is performed by engine_script_run utility, which verifies if
“engine.lua” contains any syntax errors.
The utility simulates policy selection workflow and shows as the result the
chosen policy for a specified subscriber or an error message.
4.11.11 Add missing configuration items in PCEF (CWAG)
1. Configure QoS profile
a. Open :
https://localhost:9443/swagger/v1/ui/policydb#/Policies/post_lte__networ
k_id__policy_qos_profiles in Firefox to create a new policy QoS profile in
the “cwag_net”:

(profile parameters can be copied from here).
Click on Execute when complete.
b. Make sure that the QoS profile has been created by opening
https://localhost:9443/swagger/v1/ui/policydb#/Policies/get_lte__network
_id__policy_qos_profiles__profile_id_ and providing Network ID / Profile
ID as follows:
Click on Execute when complete.
2. Create static PCC rules
Note
The following policies 03_POLICY_UNLIM_MB_FULL_SPEED and

04_POLICY_UNLIM_MB_8MBPS configured in PCRF’s “rules.xml” file do not
contain charging rule definitions. They only include charging rule names to
be activated at PCEF. These rules must be created in CWAG.

b. Go to https://magma-test.localhost/nms/cwag_net/configure/policies
and add a new static PCC rule by clicking Add Rule.
c. Complete respective 03_RULE_UNLIM_MB_FULL_SPEED rule fields

exactly as follows:

and click on Save when complete.
d. Go to https://magma-test.localhost/nms/cwag_net/configure/policies
and add a new static PCC rule by clicking Add Rule.
e. Complete respective 04_RULE_UNLIM_MB_8MBPS rule fields exactly as

shown below. Use the 04_QOS_PROF_8MBPS QoS profile configured in
this step.

Note
Both static rules have no Monitoring-Key, and there is no usage reporting
(no CCR-U messages) for these rules.

5 Carrier-WiFi in action
This chapter provides step-by-step instructions on testing deployed the Carrier-WiFi
solution and configured data plans.
5.1 Preliminary steps

Before you start testing individual data plans do the following:
1. Make sure that all physical Lab components are interconnected properly as
shown in Figure 4. Physical network setup.
2. Go to VirtualBox and make sure that all VMs (FEG/CWAG/FreePCRF) are

running:
3. Make sure that all containers of all software components have started properly
(+ optionally restart CWAG & FEG containers).

$ cd ${MAGMA_CLONE_DIR}/magma/orc8r/cloud/docker/; docker-compose ps
$ cd ${MAGMA_CLONE_DIR}/magma/nms/app/packages/magmalte/; docker-compose ps
$ cd ${MAGMA_CLONE_DIR}/magma/feg/gateway; vagrant ssh feg

vagrant@magma-feg-dev:~$ sudo -i
root@magma-feg-dev:~# cd /var/opt/magma/docker/
root@magma-feg-dev:/var/opt/magma/docker# docker-compose down && docker-compose up
-d
root@magma-feg-dev:/var/opt/magma/docker# docker-compose ps
root@magma-feg-dev:/var/opt/magma/docker# exit
vagrant@magma-feg-dev:~$ exit
$ cd ${MAGMA_CLONE_DIR}/magma/cwf/gateway; vagrant ssh cwag

vagrant@cwag-dev:~$ sudo -i
root@cwag-dev:~# cd /var/opt/magma/docker/
root@cwag-dev:/var/opt/magma/docker# docker-compose down && docker-compose up -d
root@cwag-dev:/var/opt/magma/docker# docker-compose ps

root@cwag-dev:/var/opt/magma/docker# exit
vagrant@cwag-dev:~$ exit
4. Check Diameter peer status in FreePCRF’s O&M Console

(http://localhost:9080/#SensorsTree)
Note
If there is a peer issue, apply the fix procedure described here.
5. Open the following FreePCRF apps in separate browser tabs (Chrome or

Firefox) :
a. MiniCRM: http://localhost:8093/#101012345678922
b. Packet Tracer: http://localhost:9080/trace/
6. Launch the following commands in separate Mac’s terminal tabs:
a. Tab_1 (CISCO AP)

Wojciechs-MacBook-Pro-15:/ wojciechnawrot$ ssh magma@172.16.0.2
magma-ap# show dot11 associations e419.c142.013e

b. Tab_2 (CWAG RADIUS)
root@cwag-dev:~# tcpdump -i eth1 -nn port 1812 or port 1813 or
port 3799
c. Tab_3 (CWAG DHCP)

root@cwag-dev:~# tcpdump -i eth2 port 67 or port 68 -e -n
d. Tab_4 (CWAG UE TRAFFIC)

root@cwag-dev:~# tcpdump -ni eth1 proto gre
e. Tab_5 (CWAG SESSIOND/PIPELINED LOGS)

root@cwag-dev:/var/opt/magma/docker# docker-compose logs -f
--tail=5000 sessiond pipelined policydb
f. Tab_6 (PCRF LOG)

[root@test /]# lv
5.2 Testing “200MB per Week” data plan

1. Reset/zeroize the Accumulator 02_ACCUM_200MB_FULL_SPEED for user
101012345678922 to simulate the beginning of data plan’s validity period:
http://localhost:9080/spr/sm/setAccumValue?subscriber_id=101012345678922&
accum_id=02_ACCUM_200MB_FULL_SPEED&value=0&immidiate=1
2. Make sure the Accumulator has been reset by refreshing MiniCRM page
http://localhost:8093/#101012345678922 :
3. Insert USIM1 into Huawei P smart 2019 (mac address: 9c4e.2073.9780), turn on
the UE, go to WiFi Settings, enable WiFi, and tap on magma in the network
list.

4. Upon successful authentication and authorization the EU gets connected to
the magma network as shown below:
5. The UE state (EAP-Assoc) can be confirmed on the Cisco Access Point.

Execute the following command in Tab_1 of Mac terminal:

6. Go to Tab_2 and verify the captured RADIUS packets:
root@cwag-dev:~# tcpdump -i eth1 -nn port 1812 or port 1813 or port 3799
Note
The successful authentication and authorization should end up with an
Access-Accept message sent to AP by AAA Server (172.16.0.3 ⇨ 172.16.0.2).
Access-Reject is usually sent if there is something wrong with HSS (e.g. HSS
service is down, IMSI does not exist in HSS config, the auth key (Ki) for the
subscriber and/or OP code don’t match with Ki/OP values stored in the
USIM, etc.).
Access-Reject occurs also if the user has insufficient credits for the service at
PCRF.
7. Go to Tab_3 and Tab_4 to observe DHCP DORA process between the UE and
the home router on CWAG’s uplink (eth2) as well as encapsulated user traffic
on CWAG’s downlink (eth1):
root@cwag-dev:~# tcpdump -i eth2 port 67 or port 68 -e -n

root@cwag-dev:~# tcpdump -ni eth1 proto gre
8. Go to Tab_6 and find the policy name selected for the subscriber by PCRF
policy engine:

[root@test /]# lv
22-05-20 12:27:31.556 pcrf_core_W0[31127] INFO Lua: GxSelectPolicy called for 101012345678922

22-05-20 12:27:31.556 pcrf_core_W0[31127] INFO Lua: Region for '101012345678922' is 'MagmaLAB'
22-05-20 12:27:31.558 pcrf_core_W0[31127] INFO Lua: Policy: '02_POLICY_200MB_FULL_SPEED' selected for
101012345678922
9. Go to FreePCRF Packet Tracer (ttp://localhost:9080/trace/) and locate the

CCR-I/CCA-I messages. Note the Charging-Rule-Definition, Monitoring-Key,
and Granted-Service-Unit (1MB):
10. Go to Tab_5 and locate sessiond log section where the dynamic, gx-tracked
charging rule 02_RULE_200MB_FULL_SPEED is activated for IMSI
101012345678922:
root@cwag-dev:/var/opt/magma/docker# docker-compose logs -f --tail=5000

sessiond pipelined policydb
sessiond | I0520 11:47:14.701200 1 LocalEnforcer.cpp:699] Activating Gx tracked rule 02_RULE_200MB_FULL_SPEED with monitoring key
02_KEY_200MB_FULL_SPEED
sessiond | I0520 11:47:14.701261 1 PipelinedClient.cpp:378] Activating 1 rules for IMSI101012345678922 msisdn 12345 and ip
sessiond | I0520 11:47:14.701278 1 GrpcMagmaUtils.cpp:58]
sessiond | magma.lte.ActivateFlowsRequest {

sessiond | sid {
sessiond | id: "IMSI101012345678922"
sessiond | }
sessiond | request_origin {
sessiond | }
sessiond | msisdn: "12345"
sessiond | policies {
sessiond | rule {
sessiond | id: "02_RULE_200MB_FULL_SPEED"
sessiond | priority: 10
sessiond | monitoring_key: "02_KEY_200MB_FULL_SPEED"
sessiond | flow_list {
sessiond | match {
sessiond | }
sessiond | }
sessiond | match {
sessiond | direction: DOWNLINK
sessiond | }
sessiond | }
sessiond | redirect {
sessiond | }
sessiond | tracking_type: ONLY_PCRF
sessiond | }
sessiond | version: 1
sessiond | }
sessiond | }
sessiond | I0520 11:47:14.702358 1 LocalEnforcer.cpp:1973] Updating IPFIX flow for subscriber IMSI101012345678922
sessiond | magma.lte.UEMacFlowRequest {
sessiond | sid {
sessiond | id: "IMSI101012345678922"
sessiond | }
sessiond | mac_addr: "E4-19-C1-42-01-3E"

sessiond | ap_mac_addr: "9C-4E-20-73-97-80"
sessiond | ap_name: "magma"
sessiond | pdp_start_time: 1653047234
sessiond | }
sessiond | I0520 11:47:14.702689 1 LocalEnforcer.cpp:616] IMSI101012345678922-842968 now has subscriber wallet status: VALID_QUOTA
11. Launch Speedtest on the UE to confirm that the speed limit (QoS) is not
applied:

12. Open Youtube app on the UE and play any video to enforce intensive data
usage.
13. Get back to Tab_5 and locate recurrent credit-related logs for the charging
rule 02_RULE_200MB_FULL_SPEED and IMSI 101012345678922:

sessiond |
sessiond | magma.lte.RuleRecordTable {
sessiond | records {
sessiond | sid: "IMSI101012345678922"
sessiond | rule_id: "02_RULE_200MB_FULL_SPEED"
sessiond | bytes_tx: 1541582
sessiond | bytes_rx: 11400512
sessiond | rule_version: 1
sessiond | }
sessiond | rule_id: "internal_default_drop_flow_rule"
sessiond | }
sessiond | epoch: 1652883896
sessiond | }
sessiond | I0520 12:51:48.053248 1 LocalSessionManagerHandler.cpp:70] Aggregating 2 records
sessiond | I0520 12:51:48.053505 1 LocalEnforcer.cpp:378] IMSI101012345678922-556469 used 1541582 tx bytes and
11400512 rx bytes for rule 02_RULE_200MB_FULL_SPEED
sessiond | I0520 12:51:48.053550 1 SessionState.cpp:646] Updating used monitoring credit for
Rule=02_RULE_200MB_FULL_SPEED Monitoring Key=02_KEY_200MB_FULL_SPEED
sessiond | I0520 12:51:48.053694 1 SessionCredit.cpp:572] ===> Used Tx: 1541582 Rx: 11400512 Total: 12942094
sessiond | I0520 12:51:48.054250 1 SessionCredit.cpp:575] ===> Reported Tx: 1234055 Rx: 10835738 Total: 12069793
sessiond | I0520 12:51:48.054417 1 SessionCredit.cpp:578] ===> Allowed Tx: 1234055 Rx: 10835738 Total: 13069793
sessiond | I0520 12:51:48.054457 1 SessionCredit.cpp:581] ===> A_Floor Tx: 1234055 Rx: 10835738 Total: 12069793
sessiond | I0520 12:51:48.054473 1 SessionCredit.cpp:584] ===> (%used) Tx: _% Rx: _% Total: 87%
sessiond | I0520 12:51:48.054493 1 SessionCredit.cpp:597] ===> Grant tracking type TOTAL_ONLY, Reporting: 0
sessiond | I0520 12:51:48.054610 1 LocalEnforcer.cpp:389] Received stats for 1 active sessions and 0 stale sessions
sessiond | I0520 12:51:48.054649 1 SessionCredit.cpp:317] TOTAL_ONLY grant is partially exhausted (threshold 0.8)
sessiond | I0520 12:51:48.055053 1 SessionState.cpp:805] Session IMSI101012345678922-556469 monitoring key
02_KEY_200MB_FULL_SPEED updating due to quota exhaustion with request number 4
sessiond | I0520 12:51:48.055080 1 SessionCredit.cpp:428] ===> Data usage since last report is tx=307527 rx=564774
sessiond | I0520 12:51:48.055094 1 SessionCredit.cpp:625] ===> Amount reporting for this report: tx=307527 rx=564774
sessiond | I0520 12:51:48.057272 1 SessionCredit.cpp:627] ===> The total amount currently being reported: tx=307527
rx=564774
sessiond | I0520 12:51:48.057436 1 LocalSessionManagerHandler.cpp:103] Sending 0 charging updates and 1 monitor updates
to OCS and PCRF
sessiond | I0520 12:51:48.057674 1 SessionStore.cpp:55] saving flag is_reporting = 1 on session store
sessiond | I0520 12:51:48.058398 1 SessionStore.cpp:120] Syncing request numbers into existing sessions
sessiond | I0520 12:51:48.058642 1 SessionStore.cpp:134] sync_request_numbers: Writing into session store
sessiond | magma.lte.UpdateSessionRequest {
sessiond | usage_monitors {

sessiond | update {
sessiond | level: PCC_RULE_LEVEL
sessiond | }
sessiond | session_id: "IMSI101012345678922-556469"
sessiond | request_number: 4
sessiond | hardware_addr: "\344\031\301B\001>"
sessiond | rat_type: TGPP_WLAN
sessiond | tgpp_ctx {
sessiond | gx_dest_host: "test.freepcrf.com"
sessiond | }
sessiond | event_trigger: USAGE_REPORT
sessiond | }
sessiond | }
sessiond | magma.lte.UpdateSessionResponse {
sessiond | usage_monitor_responses {
sessiond | credit {
sessiond | granted_units {
sessiond | total {
sessiond | is_valid: true
sessiond | volume: 1000000
sessiond | }
sessiond | tx {
sessiond | }
sessiond | rx {
sessiond | }
sessiond | }
sessiond | }
sessiond | success: true
sessiond | result_code: 2001
sessiond | }
sessiond | }
sessiond | }
sessiond | I0520 12:51:48.468514 1 SessionStore.cpp:55] saving flag is_reporting = 0 on session store
sessiond | I0520 12:51:48.477607 1 SessionState.cpp:2182] IMSI101012345678922-556469 Received monitor credit for
02_KEY_200MB_FULL_SPEED
sessiond | I0520 12:51:48.477638 1 SessionCredit.cpp:200] Received the following credit total_volume=1000000 tx_volume=0
rx_volume=0 grant_tracking_type=TOTAL_ONLY
sessiond | I0520 12:51:48.477645 1 SessionCredit.cpp:572] ===> Used Tx: 1541582 Rx: 11400512 Total: 12942094
sessiond | I0520 12:51:48.477649 1 SessionCredit.cpp:575] ===> Reported Tx: 1541582 Rx: 11400512 Total: 12942094
sessiond | I0520 12:51:48.477653 1 SessionCredit.cpp:578] ===> Allowed Tx: 1541582 Rx: 11400512 Total: 14069793
sessiond | I0520 12:51:48.477655 1 SessionCredit.cpp:581] ===> A_Floor Tx: 1541582 Rx: 11400512 Total: 13069793
sessiond | I0520 12:51:48.477659 1 SessionCredit.cpp:584] ===> (%used) Tx: _% Rx: _% Total: -12%
sessiond | I0520 12:51:48.477667 1 SessionCredit.cpp:597] ===> Grant tracking type TOTAL_ONLY, Reporting: 0

sessiond | I0520 12:51:48.477671 1 SessionCredit.cpp:600] ===> Last Granted Units Received (tx/rx/total) 0/0/1000000
Note
PCEF (CWAG) sends a data usage report to PCRF in CCR-U messages when
80% of the last TOTAL_ONLY grant (1MB) is reached. PCRF responds with a
new TOTAL_ONLY grant in CCA-U.
Note
The event trigger for CCR-U is “event_trigger: USAGE_REPORT “
EVENT_USAGE_REPORT
This value shall be used in a CCA and RAR commands by the PCRF when
requesting usage monitoring at the PCEF. The PCRF shall also provide in
the CCA or RAR command the Usage-Monitoring-Information AVP(s)
including the Monitoring-Key AVP and the Granted-Service-Unit AVP. When
used in a CCR command, this value indicates that the PCEF generated the
request to report the accumulated usage for one or more monitoring keys.
The PCEF shall also provide the accumulated usage volume using the
Usage-Monitoring-Information AVP(s) including the Monitoring-Key AVP
and the Used-Service-Unit AVP.
14. Switch to the Packet Tracer (http://localhost:9080/trace/) and locate any

CCR-U/CCA-U message pair with usage report and a new data grant:
15. Navigate to MiniCRM (http://localhost:8093/#101012345678922 ) and observe

increasing Accumulator Value by refreshing the web page (the Value increases
along with consecutive usage reports received):

16. When the Accumulator Value of 200000000 (200MB) is reached (which
corresponds to the “Level Full” threshold n Accumulator Scheme), a new
charging rule 02_RULE_200MB_2MBPS is pushed to PCEF:
17. Get back to Tab_6 and find the new policy selected for the subscriber by PCRF
policy engine:
[root@test /]# lv

22-05-20 12:52:28.804 pcrf_core_W0[31127] INFO Lua: Policy: '02_POLICY_200MB_2MBPS' selected for
101012345678922

18. Go to the Packet Tracer (http://localhost:9080/trace/) and locate the
CCR-U/CCA-U message exchange where the existing charging rule
02_RULE_200MB_FULL_SPEED is removed and the new charging rule
02_RULE_200MB_2MBPS is installed:
Note
The new charging rule is configured with a DUMMY Monitoring-ey. If no
Monitoring-Key is defined for a dynamic rule in rules.xml, the rule shows up
in sessiond log as tracking_type: NO_TRACKING and the session
termination occurs.
19. Verify existing rule deactivation / new rule activation on PCEF by jumping to
Tab_5:


sessiond | magma.lte.UpdateSessionResponse {

sessiond | usage_monitor_responses {
sessiond | credit {
sessiond | granted_units {
sessiond | total {
sessiond | is_valid: true
sessiond | volume: 1000000
sessiond | }
sessiond | tx {
sessiond | }
sessiond | rx {
sessiond | }
sessiond | }
sessiond | }
sessiond | success: true
sessiond | result_code: 2001
sessiond | rules_to_remove: "02_RULE_200MB_FULL_SPEED"
sessiond | dynamic_rules_to_install {
sessiond | policy_rule {
sessiond | id: "02_RULE_200MB_2MBPS"
sessiond | monitoring_key: "02_KEY_200MB_2MBPS_DUMMY"
sessiond | match {
sessiond | }
sessiond | }
sessiond | match {
sessiond | }
sessiond | }
sessiond | qos {
sessiond | max_req_bw_ul: 2048000
sessiond | max_req_bw_dl: 2048000
sessiond | gbr_ul: 2048000
sessiond | gbr_dl: 2048000
sessiond | qci: QCI_6
sessiond | }
sessiond | }
sessiond | }
sessiond | }
sessiond | }
sessiond | }
sessiond | }
…...
sessiond | I0520 12:54:34.202384 1 PipelinedClient.cpp:350] Deactivating 1 rules and for subscriber IMSI101012345678922 IP
sessiond | magma.lte.DeactivateFlowsRequest {
sessiond | sid {
sessiond | id: "IMSI101012345678922"
sessiond | }
sessiond | }

sessiond | rule_id: "02_RULE_200MB_FULL_SPEED"
sessiond | }
sessiond | }
sessiond | I0520 12:54:34.202780 1 PipelinedClient.cpp:378] Activating 1 rules for IMSI101012345678922 msisdn 12345 and ip
sessiond | magma.lte.ActivateFlowsRequest {
sessiond | sid {
sessiond | id: "IMSI101012345678922"
sessiond | }
sessiond | }
sessiond | rule {
sessiond | id: "02_RULE_200MB_2MBPS"
sessiond | monitoring_key: "02_KEY_200MB_2MBPS_DUMMY"
sessiond | match {
sessiond | }
sessiond | }
sessiond | match {
sessiond | }
sessiond | }
sessiond | qos {
sessiond | max_req_bw_ul: 2048000
sessiond | max_req_bw_dl: 2048000
sessiond | gbr_ul: 2048000
sessiond | gbr_dl: 2048000
sessiond | qci: QCI_6
sessiond | }
sessiond | }
sessiond | }
sessiond | }
sessiond | }
sessiond | I0520 12:54:34.330880 13 LocalEnforcer.cpp:1864] Pipelined add ue enf flow succeeded for IMSI101012345678922
Note
The new charging rule contains QoS information which activates rate
limiting of UE traffic on CWAG physical interfaces.
20. Launch Speedtest on the UE to confirm that the speed limit of 2Mbps is active
for the new charging rule:

21. Reset/zeroize the Accumulator 02_ACCUM_200MB_FULL_SPEED for user
101012345678922 to simulate the beginning of a new validity period for the
data plan:
http://localhost:9080/spr/sm/setAccumValue?subscriber_id=101012345678922&
accum_id=02_ACCUM_200MB_FULL_SPEED&value=0&immidiate=1
22. Make sure the Accumulator has been reset by refreshing MiniCRM page
http://localhost:8093/#101012345678922 :
23. Go to Tab_6 and notice that after Accumulator reset, the original
02_POLICY_200MB_FULL_SPEED has been restored for the subscriber:
[root@test /]# lv
22-05-20 12:56:02.327 pcrf_core_E0[31132] INFO Lua: GxSelectPolicy called for 101012345678922

22-05-20 12:56:02.327 pcrf_core_E0[31132] INFO Lua: Region for '101012345678922' is 'MagmaLAB'
22-05-20 12:56:02.332 pcrf_core_E0[31132] INFO Lua: Policy: '02_POLICY_200MB_FULL_SPEED' selected for
101012345678922
24. Switch to the Packet Tracer (http://localhost:9080/trace/) and locate the

RAR/RAA message exchange where the existing charging rule
02_RULE_200MB_2MBPS is replaced by the original rule
02_RULE_200MB_FULL_SPEED:

Note
This time Changing-Rule-Remove and Charging-Rule-Install AVPs are sent
inside PCRF-initiated RAR message rather than CCA-U.
25. Launch Speedtest on the UE again to make sure that the speed limit of 2Mbps
has been removed:
5.3 Testing “Full Freedom Silver” data plan
1. Follow the 5.1 Preliminary steps
2. Go to MiniCRM page http://localhost:8093/#101012345678944 and notice that

there is neither Accumulator nor Accumulator scheme assigned to the
subscriber:

3. Insert USIM4 into Huawei P smart 2019 (mac address: 9c4e.2073.9780), turn
on the UE, go to WiFi Settings, enable WiFi, and tap on magma in the network
list.
4. Make sure the UE has been successfully authenticated and authorized by

repeating steps 4-7 from 5.2 Testing “200MB per Week” data plan.
5. Go to Tab_6 and find the policy name selected for the subscriber by PCRF
policy engine:
[root@test /]# lv

22-05-25 07:18:38.422 pcrf_core_W0[31127] INFO Lua: Policy: '04_POLICY_UNLIM_MB_8MBPS' selected for
101012345678944
6. Go to FreePCRF Packet Tracer (http://localhost:9080/trace/) and locate the

CCR-I/CCA-I messages:

Note
There is no Charging-Rule-Definition. Instead the Charging-Rule-Name AVP
is sent to PCEF to indicate the name of the static PCC rule configured on
PCEF.
7. Get back to MiniCRM page http://localhost:8093/#101012345678944 and check

the IP-CAN session ID, the name of installed charging rule as well as some
common session information:
Note
The RAT-Type: WLAN attribute specifies the Radio Access Technology and
can be found in CCR-I messages along with IP-CAN-Type:
CAN_Non_3GPP_EPS attribute which defines the type of Connectivity
Access Network (CAN) to which the user is connected .
Non-3GPP-EPS indicates Evolved Packet System (EPS) based on non-3GPP

access technology and is fdetailed by the RAT-Type AVP.
8. Navigate to Tab_5 and eye the sessiond log:

sessiond | I0525 07:38:34.904507 1 LocalSessionManagerHandler.cpp:96] Succeeded in updating session after no reporting
sessiond | magma.lte.RuleRecordTable {
sessiond | rule_id: "04_RULE_UNLIM_MB_8MBPS"
sessiond | rule_version: 1
sessiond | }
sessiond | rule_id: "internal_default_drop_flow_rule"
sessiond | }
sessiond | epoch: 1653417238
sessiond | }
sessiond | I0525 07:38:39.905593 1 LocalSessionManagerHandler.cpp:70] Aggregating 2 records
sessiond | I0525 07:38:39.905848 1 LocalEnforcer.cpp:378] IMSI101012345678944-365436 used 70485 tx bytes and 106653 rx bytes for rule
04_RULE_UNLIM_MB_8MBPS
sessiond | I0525 07:38:39.906109 1 SessionState.cpp:646] Updating used monitoring credit for Rule=04_RULE_UNLIM_MB_8MBPS
Monitoring Key=
sessiond | I0525 07:38:39.906116 1 SessionState.cpp:2248] Monitoring Key not found, not adding the usage
sessiond | I0525 07:38:39.906507 1 LocalSessionManagerHandler.cpp:96] Succeeded in updating session after no reporting
Note
04_RULE_UNLIM_MB_8MBPS (see here) is configured on CWAG with no
Monitoring-Key because the amount of data consumed by the subscriber is
not relevant for the data plan.
Neither PCRF grants service units for the rule 04_RULE_UNLIM_MB_8MBPS
nor PCEF reports the amount of service units consumed by the subscriber
for this rule.
9. Launch Speedtest on the UE to make sure that the speed limit of 8Mbps
specified in the QoS profile referenced by the charging rule
04_RULE_UNLIM_MB_8MBPS has been applied:

10. Debug QoS for the subscriber 101012345678944:
root@cwag-dev:/var/opt/magma/docker# docker-compose exec pipelined bash

root@cwag-dev:/# cd /usr/local/bin/
root@cwag-dev:/usr/local/bin# ./pipelined_cli.py debug qos
imsi : 101012345678944
ip_addr :
rule_num : 4
direction : 0
qos_handle: 2
qos_handle_ambr: 0
qos_handle_ambr_leaf: 0
Dev: eth2
class htb 1:2 parent 1:fffe prio quantum rate 8192Kbit ceil 8192Kbit linklayer ethernet burst 1598b/1 mpu 0b cburst 1598b/1 mpu 0b level 0
Sent 5482976 bytes 8993 pkt (dropped 0, overlimits 3272 requeues 0)
backlog 0b 0p requeues 0
lended: 8923 borrowed: 0 giants: 0
tokens: 23215 ctokens: 23215
imsi : 101012345678944
ip_addr :
rule_num : 4
direction : 1
qos_handle: 3
qos_handle_ambr: 0
Dev: eth1
Root stats for: eth2

qdisc htb 1: root refcnt 2 r2q 10 default 0 direct_packets_stat 113488 ver 3.17 direct_qlen 1000

root@cwag-dev:/usr/local/bin# ./pipelined_cli.py debug display_flows | grep

'PKT_MARK'
cookie=0x4, duration=2267.103s, table=enforcement(main_table), n_packets=9135, n_bytes=5517125, idle_age=40,

priority=65534,ip,reg1=0x1,metadata=0x2def627db6301
actions=note:b'04_RULE_UNLIM_MB_8MBPS',load:0x2->NXM_NX_PKT_MARK[],set_field:0x4->reg2,set_field:0x1->reg4,resubmit
(,enforcement_stats(main_table)),resubmit(,egress(main_table))

5.4 Testing remaining data plans
Test “100MB per Hour” and “Full Freedom Gold” plans yourself using the techniques
described in the previous chapters.
Create your own data plan for subscriber 101012345678955 with some sophisticated
policy selection criteria, combination of static and dynamic charging rules, service
units usage reporting and QoS profiles.
5.5 CWAG metrics

1. Open https://magma-test.localhost/nms/cwag_net/metrics/ , enter user name
and password: “admin@magma.test” / “password1234”, and click through
available tabs to display charts for the Access Point, Network and specific
subscriber:

2. Click on Grafana tab and select “CWF Gateways” to display the Diameter stats
for CWAG:

5.6 FreePCRF metrics
Open http://localhost:8091/rrd/, and select the time range and charts you want to
display. Click Load when complete:

6 To Dos
6.1 Enable FUA redirect
Redirect user to specific URL on a final unit (i.e. when all servicer units are consumed)
https://www.etsi.org/deliver/etsi_ts/129200_129299/129212/12.10.00_60/ts_129212v121000
p.pdf
“The PCRF may provide the redirect instruction for a dynamic PCC rule to the PCEF
enhanced with ADC. The Provisioning shall be performed using the PCC rule
provisioning procedure. The redirect instruction shall be encoded using a
Redirect-Information AVP within the Charging-Rule-Definition AVP of the dynamic
PCC rule”
6.2 Application-based Internet access

Static PCC rules with application filters.
6.3 AGW and eNodeB

Lab extension by adding Magma Access Gateway and LTE radio equipment.

7 Logging, debugging and
troubleshooting
7.1 Orc8r
7.1.1 Errors and bugs
7.1.1.1 “400 Bad Request - No required SSL Certificate was sent” error when entering
https://localhost:9443/apidocs/v1/#/ in Firefox
Solution:
1. Clear Firefox History and Data:
2. Reload https://localhost:9443/apidocs/v1/#/
3. Click OK:
4. Reload https://localhost:9443/apidocs/v1/#/ again and click on Accept the risk

and continue. Swagger API should now load successfully.

7.2 NMS
7.3 FEG
7.3.1 Extended logging
Perform the steps below on the FEG VM (vagrant ssh feg)
1. Modify “docker-compose.yml” and “docker-compose.override.yml”:
● Enable “Print GRPC Payload” for services which support it (e.g. HSS,
SWX_PROXY, SESSION_PROXY).
● Optionally, increase services’ logging verbosity by manipulating “-v”
parameter’s value.
session_proxy:
<<: *goservice
environment:
USE_GY_FOR_AUTH_ONLY: ${USE_GY_FOR_AUTH_ONLY}
GY_SUPPORTED_VENDOR_IDS: ${GY_SUPPORTED_VENDOR_IDS}
GY_SERVICE_CONTEXT_ID: ${GY_SERVICE_CONTEXT_ID}
container_name: session_proxy
command: envdir /var/opt/magma/envdir /var/opt/magma/bin/session_proxy -logtostderr=true -print-grpc-payload -v=4
swx_proxy:
<<: *goservice
container_name: swx_proxy
command: envdir /var/opt/magma/envdir /var/opt/magma/bin/swx_proxy -logtostderr=true -print-grpc-payload -v=0
# vim docker-compose.override.yml
services:
hss:
<<: *feggoservice
container_name: hss
command: envdir /var/opt/magma/envdir /var/opt/magma/bin/hss -logtostderr=true -print-grpc-payload -v=0

# docker-compose logs -f hss
# docker-compose logs -f swx_proxy
# docker-compose logs -f session_proxy
2. Modify “magmad.yml” to increase magmad’s log level :

# vim /etc/magma/magmad.yml
# log_level: INFO
log_level: DEBUG
# print_grpc_payload: false
print_grpc_payload: true
# docker-compose logs -f magmad
7.3.2 Useful diagnostics commands
Capturing Diameter dialogue between FEG and HSS/PCRF
# tcpdump -i any -nn port 2901 or port 3868 -w /tmp/diameter.pcap
Wireshark MAR/MAA, SAR/SAA, CCR/CCA, RAR/RAA filter to apply:
diameter.cmd.code==303 or diameter.cmd.code==301 or diameter.cmd.code==272 or

diameter.cmd.code==258 or diameter.cmd.code==272
https://www.wireshark.org/docs/dfref/d/diameter.html
Testing CCR-I/CCA-I dialogue between FEG and PCRF for specific IMSI
# docker-compose stop session_proxy
# docker-compose exec csfb bash
# /var/opt/magma/bin/gx_client_cli --commands=I --imsi=101012345678911
# exit
# docker-compose start session_proxy
Significant logs
# docker-compose logs -f hss
# docker-compose logs -f swx_proxy
# docker-compose logs -f session_proxy
7.4 CWAG
7.4.1 Extended logging
Perform the steps below on the CWAG VM (vagrant ssh cwag)

1. Modify “docker-compose.yml”:
● Enable “Print GRPC Payload” for services which support it (aaa_server,

eap_aka).
● Optionally, increase services’ logging verbosity by manipulating “-v”
parameter’s value.
aaa_server:
<<: *feggoservice
container_name: aaa_server
environment:
USE_REMOTE_SWX_PROXY: 1 # Relay to FeG
MAGMA_PRINT_GRPC_PAYLOAD: 1
healthcheck:
test: ["CMD", "nc", "-zv", "localhost","9109"]
timeout: "4s"
retries: 3
command: envdir /var/opt/magma/envdir /var/opt/magma/bin/aaa_server -logtostderr=true -v=4
eap_aka:
<<: *feggoservice
container_name: eap_aka
environment:
USE_REMOTE_SWX_PROXY: 1 # Relay to FeG
MAGMA_PRINT_GRPC_PAYLOAD: 1
healthcheck:
test: ["CMD", "nc", "-zv", "localhost","9123"]
timeout: "4s"
retries: 3
command: envdir /var/opt/magma/envdir /var/opt/magma/bin/eap_aka -logtostderr=true -v=0

# docker-compose logs -f aaa_server
# docker-compose logs -f eap_aka
2. Modify “pipelined.yml”:
# vim /etc/magma/pipelined.yml
# log_level: INFO
log_level: DEBUG
#magma_print_grpc_payload: false
magma_print_grpc_payload: true
# docker-compose logs -f pipelined

3. Modify “sessiond.yml”:
# vim /etc/magma/sessiond.yml
# log_level: INFO
log_level: DEBUG
print_grpc_payload: true
# docker-compose logs -f sessiond
4. Modify “policydb.yml”:
# vim /etc/magma/policydb.yml
# log_level: INFO
log_level: DEBUG
# docker-compose logs -f policydb
5. Modify “magmad.yml”:
# vim /etc/magma/magmad.yml
# log_level: INFO
log_level: DEBUG
# docker-compose logs -f magmad
Capturing RADIUS dialogue between AAA Server and AP
# tcpdump -i eth1 -nn port 1812 or port 1813 or port 3799 -w /tmp/radius.pcap
Capturing GRE traffic
# tcpdump -ni eth1 proto gre
Capturing DHCP traffic

#tcpdump -i eth2 port 67 or port 68 -e -n -vv
Significant logs
# docker-compose logs -f aaa_server
# docker-compose logs -f sessiond
# docker-compose logs -f pipelined
# docker-compose logs -f policydb
7.4.3 Pipelined/OvS debugging
Pipelined metrics (applies to other services as well)
# docker-compose exec pipelined bash

# cd /usr/local/bin/
# ./service303_cli.py metrics pipelined
Pipelined packet tracer

(https://github.com/magma/magma/blob/master/docs/readmes/cwf/troubleshooting.md)

# ./packet_tracer_cli.py uplink 172.16.0.2 e4:19:c1:42:01:3e tcp
Expected result (packet hits table 20) here
Pipelined CLI(debug table assignment)

# ./pipelined_cli.py debug -h
# ./pipelined_cli.py debug table_assignment
App Main Table Scratch Tables

----------------------------------------------------------------------
ue_mac 0 [21, 22]
ingress 1 []
arpd 2 []
tunnel_learn 3 [25]
access_control 4 [26]
vlan_learn 5 [30, 31]
middle 10 []
check_quota 11 [23, 24]
dpi 12 [27]
gy 13 [28, 29]
enforcement 14 [32]
enforcement_stats 15 []
egress 20 []
Pipelined CLI(debug display_flows/QoS) + tc

# ./pipelined_cli.py debug display_flows | grep 'PKT_MARK'

# tc -s -d class show dev eth1
# tc -s -d filter show dev eth1
# tc -s -d class show dev eth2
# tc -s -d filter show dev eth2
# ./pipelined_cli.py debug qos
imsi : 101012345678944
ip_addr :
rule_num : 1
direction : 0
qos_handle: 2
qos_handle_ambr: 0
Dev: eth2
imsi : 101012345678944
ip_addr :
rule_num : 1
direction : 1
qos_handle: 3
qos_handle_ambr: 0
Dev: eth1


The above applies for the following active QoS rule:
Pipelined CLI(enforcement)

# ./pipelined_cli.py enforcement -h
# ./pipelined_cli.py enforcement display_flows
actions=note:b'04_RULE_UNLIM_MB_8MBPS',set_field:0x1->reg2,set_field:0x1->reg4,resubmit(,enforcement_stats(main_table)),resubmit(,
egress(main_table))
actions=note:b'04_RULE_UNLIM_MB_8MBPS',set_field:0x1->reg2,set_field:0x1->reg4,resubmit(,enforcement_stats(main_table)),resubmit(,
egress(main_table))
cookie=0xfffffffffffffffe, duration=3496.497s, table=enforcement(main_table), n_packets=14, n_bytes=1116, idle_age=966, priority=0
actions=resubmit(,enforcement_stats(main_table)),set_field:0->reg0,set_field:0->reg3
cookie=0x1, duration=2014.839s, table=enforcement_stats(main_table), n_packets=17352, n_bytes=26479163, idle_age=92,
priority=10,ip,reg1=0x10,reg2=0x1,reg3=0,reg4=0x1,metadata=0x2def627db6301 actions=drop
priority=10,ip,reg1=0x1,reg2=0x1,reg3=0,reg4=0x1,metadata=0x2def627db6301 actions=drop
priority=1,ip,reg1=0x10,reg2=0,reg4=0,metadata=0x2def627db6301 actions=drop
priority=1,ip,reg1=0x1,reg2=0,reg4=0,metadata=0x2def627db6301 actions=drop
# ./pipelined_cli.py enforcement get_policy_usage
records {
sid: "IMSI101012345678944"
rule_id: "04_RULE_UNLIM_MB_8MBPS"
bytes_tx: 1717893
bytes_rx: 26193239
rule_version: 1
}
records {
sid: "IMSI101012345678944"
rule_id: "internal_default_drop_flow_rule"
}
epoch: 1652457844
- - - - - - - - - - - - - - - - - - - - - - -
Managing database file

# ovsdb-tool show-log -m /etc/openvswitch/conf.db
Querying OvS database with ovs-vsctl
# ovs-vsctl show
Bridge "cwag_br0"
Controller "tcp:127.0.0.1:6633"
is_connected: true
fail_mode: secure
Port "gre0"
Interface "gre0"
type: gre
options: {remote_ip=flow}
Port li_port
Interface li_port
type: internal
Port cwag_patch
Interface cwag_patch
type: patch
options: {peer=uplink_patch}

Port "mon1"
Interface "mon1"
type: internal
Port "cwag_br0"
Interface "cwag_br0"
type: internal
Bridge "uplink_br0"
fail_mode: secure
Port "eth2"
Interface "eth2"
Port uplink_patch
Interface uplink_patch
type: patch
options: {peer=cwag_patch}
Port "uplink_br0"
Interface "uplink_br0"
type: internal
Port "gw0"
Interface "gw0"
type: internal
ovs_version: "2.12.0"
# ovs-vsctl list-br
cwag_br0
uplink_br0
# ovs-vsctl list-ports cwag_br0
cwag_patch
gre0
li_port
mon1
# ovs-vsctl list-ports uplink_br0
eth2
gw0
uplink_patch
# ovs-vsctl list Port
# ovs-vsctl list Bridge
# ovs-vsctl list Open_vSwitch
_uuid : d6b53b6c-c9b7-4dfa-803c-6961017e6e63
bridges : [151abd6c-8d6e-4dcc-8608-ac7b74a02cf6, dc6a5304-4b58-454b-ab95-7b3b4c1ee04d]
cur_cfg : 506
datapath_types : [netdev, system]
db_version : "8.0.0"
dpdk_initialized : false
dpdk_version : none
external_ids : {hostname=cwag-dev, rundir="/var/run/openvswitch", system-id="6baf88b1-eba2-4404-91b3-fbc8f250b1fe"}
iface_types : [erspan, geneve, gre, internal, "ip6erspan", "ip6gre", lisp, patch, stt, system, tap, vxlan]
manager_options : []
next_cfg : 506
other_config : {}
ovs_version : "2.12.0"

ssl : []
statistics : {}
system_type : ubuntu
system_version : "18.04"
# ovs-vsctl list Controller
_uuid : a293adde-377d-4053-898e-525308eca596
connection_mode : []
controller_burst_limit: []
controller_rate_limit: []
enable_async_messages: []
external_ids : {}
inactivity_probe : []
is_connected : true
local_gateway : []
local_ip : []
local_netmask : []
max_backoff : []
other_config : {}
role : other
status : {last_error="Connection refused", sec_since_connect="42627", state=ACTIVE}
target : "tcp:127.0.0.1:6633"
type : []
OvS datapath
# ovs-dpctl show
system@ovs-system:
lookups: hit:12533823 missed:66049 lost:0
flows: 21
masks: hit:17532880 total:11 hit/pkt:1.39
port 0: ovs-system (internal)
port 1: gre_sys (gre: packet_type=ptap)
port 2: cwag_br0 (internal)
port 3: mon1 (internal)
port 4: li_port (internal)
port 5: gw0 (internal)
port 6: eth2
port 7: uplink_br0 (internal)
# ovs-dpctl dump-flows
recirc_id(0),in_port(6),eth(src=d0:21:f9:55:81:61,dst=33:33:00:00:00:01),eth_type(0x86dd),ipv6(frag=no), packets:1, bytes:256, used:5.152s,

actions:drop
recirc_id(0),in_port(6),eth(src=cc:98:8b:1c:ac:3b,dst=01:00:5e:7f:ff:fb),eth_type(0x0800),ipv4(src=128.0.0.0/128.0.0.0,dst=128.0.0.0/128.0.0
.0,frag=no), packets:0, bytes:0, used:never, actions:drop
recirc_id(0),in_port(6),eth(src=70:ee:50:68:8b:f6,dst=ff:ff:ff:ff:ff:ff),eth_type(0x0806),arp(sip=192.168.1.121,tip=192.168.1.1,op=1/0xff),
packets:504, bytes:30240, used:3.176s, actions:drop
recirc_id(0),in_port(6),eth(src=d0:21:f9:55:81:61,dst=ff:ff:ff:ff:ff:ff),eth_type(0x0806),arp(sip=192.168.1.3,tip=192.168.1.99,op=1/0xff),
recirc_id(0),in_port(6),eth(src=b8:27:eb:79:68:b7,dst=ff:ff:ff:ff:ff:ff),eth_type(0x0806),arp(sip=192.168.1.120,tip=192.168.1.9,op=1/0xff),
# ovs-dpctl dump-flows uplink_br0
# ovs-dpctl dump-flows cwag_br0

OpenFlow
# ovs-ofctl dump-flows cwag_br0

cookie=0x0, duration=14128.692s, table=0, n_packets=171700, n_bytes=107026673, priority=12,dl_src=e4:19:c1:42:01:3e
actions=set_field:0x2def627db6301->metadata,resubmit(,21),set_field:0->reg0,set_field:0->reg3
cookie=0x0, duration=14128.691s, table=0, n_packets=287103, n_bytes=391330869, priority=12,dl_dst=e4:19:c1:42:01:3e
actions=set_field:0x2def627db6301->metadata,resubmit(,21),set_field:0->reg0,set_field:0->reg3
cookie=0x0, duration=44209.889s, table=0, n_packets=247532, n_bytes=14851920, priority=10,arp
actions=resubmit(,1),set_field:0->reg0,set_field:0->reg3
cookie=0x0, duration=44208.370s, table=1, n_packets=0, n_bytes=0, priority=10,in_port=LOCAL
actions=set_field:0x10->reg1,resubmit(,2),set_field:0->reg0,set_field:0->reg3
# ovs-ofctl dump-ports cwag_br0
OFPST_PORT reply (xid=0x2): 5 ports

port "cwag_patch": rx pkts=13065479, bytes=50773817939, drop=?, errs=?, frame=?, over=?, crc=?
tx pkts=170904, bytes=106920662, drop=?, errs=?, coll=?
port LOCAL: rx pkts=0, bytes=0, drop=0, errs=0, frame=0, over=0, crc=0
tx pkts=28, bytes=2056, drop=0, errs=0, coll=0
port "li_port": rx pkts=0, bytes=0, drop=0, errs=0, frame=0, over=0, crc=0
port mon1: rx pkts=0, bytes=0, drop=456100, errs=0, frame=0, over=0, crc=0
port gre0: rx pkts=171700, bytes=107026673, drop=?, errs=?, frame=?, over=?, crc=?
tx pkts=286450, bytes=391259243, drop=?, errs=?, coll=?
# ovs-ofctl dump-flows uplink_br0

# ovs-ofctl dump-ports uplink_br0
# ovs-ofctl snoop cwag_br0
Logging:
# ovs-appctl vlog/list
# ovs-appctl vlog/set ofproto:file:dbg
Tracing:
# ovs-appctl ofproto/trace cwag_br0 in_port=gre0
7.4.4.1 “c++: internal compiler error: Killed (program cc1plus)”
This error may occur while building CWAG images (docker-compose build --parallel)
Solution:
Increase Docker Desktop memory to 10G and re-launch docker-compose build.

7.5 FreePCRF
Full PCRF restart
# /opt/pcrf_utils/bin/pcrf_full_restart.sh
Deletion of coredumps
# cd /cores
# rm *
Logging
# lv
# lvt
Reference
Refer to YotaPCRF Administrators Guide:
● page 63 - for the full list of utilities
● page 31 - for logging
7.5.2.1 No SSH or web access to FreePCRF VM on forwarded ports

This error is specific to NAT Networks in VirtualBox. VMs in a NAT network can talk to
each other but they can not ping the Default GW for this network. Also they can not
be accessed from the host on forwarded ports.
Solution:
1. Remove FreePCRF guest from the NAT network, disconnect the Virtualbox
"cable", switch to NAT, leave the "cable" disconnected.
2. Remove the DHCP server for the NAT network. Use this command in a
command prompt:
VBoxManage dhcpserver remove --network=NatNetwork
3. Reset the guest to the NAT network and connect the "cable".

4. Try http://localhost:9080/ or ssh root@localhost from MacOS
If successful, check routes on the FreePCRF VM, Default route should now be
installed and the Default GW IP should be pingable:
default 192.168.50.1 0.0.0.0 UG 0 0 0 eth0
7.5.2.2 No connection to mandatory Diameter peer gx-mgm.magmalab.com:3870

This error can be sometimes observed in FreePCRF O&M console
http://localhost:9080/:
Related error messages show up also in FEG’s session_proxy / CWAG’s aaa_server

logs. Session_proxy keeps sending unresponded CCRs to PCRF during the user
attach procedure resulting in RADIUS Access-Reject message and disconnecting the
UE from Carrier-WiFi SSID:
root@cwag-dev:/# tcpdump -i eth1 -nn port 1812 or port 1813 or port 3799
04:29:08.658984 IP 172.16.0.2.1645 > 172.16.0.3.1812: RADIUS, Access-Request (1), id: 0x13 length: 306
04:29:08.661849 IP 172.16.0.3.1812 > 172.16.0.2.1645: RADIUS, Access-Challenge (11), id: 0x13 length: 52
04:29:09.183748 IP 172.16.0.3.1812 > 172.16.0.2.1645: RADIUS, Access-Challenge (11), id: 0x14 length: 108
04:29:15.389906 IP 172.16.0.3.1812 > 172.16.0.2.1645: RADIUS, Access-Reject (3), id: 0x15 length: 44
Solution:
Restart session_proxy service on FEG:

root@magma-feg-dev:/# cd /var/opt/magma/docker/
root@magma-feg-dev:/var/opt/magma/docker# docker-compose restart session_proxy

7.6 Cisco Access Point
Showing stats on tunnel interface
magma-ap# show interfaces tunnel 0 accounting
Protocol Pkts In Chars In Pkts Out Chars Out

Other 249 14940 902 55572
IP 134351 178864351 72528 8747520
Showing dot11 associations and deauthenticating UEs
magma-ap# show dot11 associations

magma-ap# clear dot11 client e419.c142.013e
Showing BSSIDs (radio MACs) the clients are connected to
magma-ap# show dot11 bssid
Interface BSSID Guest SSID

Dot11Radio0 9c4e.2073.9780 Yes magma
Enabling/disabling debug output display
magma-ap# terminal monitor

magma-ap# terminal no monitor
CoA/POD related debugs
magma-ap# debug aaa coa

magma-ap# debug aaa pod
magma-ap# debug radius
Authentication debugs
magma-ap# debug condition mac-address e419.c142.013e

magma-ap# debug dot11 client
magma-ap# debug radius authentication
magma-ap# debug dot11 mgmt ssid
magma-ap# debug dot11 mgmt interface
EAP debugs
magma-ap# debug radius authentication

magma-ap# debug dot11 aaa authenticator process
magma-ap# debug dot11 aaa authenticator state-machine
WPA debugs


7.6.2 AP (Authenticator) log

magma-ap# debug dot11 client
magma-ap# debug dot11 mgmt ssid
magma-ap# debug dot11 mgmt interface
magma-ap# debug aaa authentication

magma-ap# debug aaa authorization
magma-ap# debug aaa accounting
magma-ap# debug dot11 wpa-cckm-km-dot1x
magma-ap# term mon
(Step1) UE Open Authentication and Association

*Nov 4 01:23:49.581: (e419.c142.013e): SM: ---Open Authentication 0x47FEE38: AuthReq (0)SM: Init (0) --> Auth_not_Assoc (1)
*Nov 4 01:23:49.581: (0000.0000.0000): dot11_mgmt: [515B1D3B] sending auth resp, auth_algo=0, status[0] to dst=e419.c142.013e,
src=9c4e.2073.9780, bssid=9c4e.2073.9780, seq=2, interface=Dot11Radio0
*Nov 4 01:23:49.582: (0000.0000.0000): dot11_mgmt: decrementing reference count(previous ref=3, sta_ptr=0x47FEE38)
*Nov 4 01:23:49.590: (0000.0000.0000): dot11_mgmt:[0x515B3E55]received Assoc req
*Nov 4 01:23:49.590: (0000.0000.0000): dot11_mgmt: incrementing reference count (previous ref=2, sta_ptr=0x47FEE38)
*Nov 4 01:23:49.590: (e419.c142.013e): SM: Open Authent 0x47FEE38: AssocReq (1)SM: Auth_not_Assoc (1) --> DONT CHG STATE (255)
*Nov 4 01:23:49.590: (e419.c142.013e):dot11_mgmt: dot11_mgmt_sta_tree_del_internal() sta_ptr:0x47FEE38
*Nov 4 01:23:49.590: (0000.0000.0000): dot11_mgmt: deleting all children under this client, sta_ptr 0x47FEE38
*Nov 4 01:23:49.590: (0000.0000.0000): dot11_mgmt: dot11_mgmt_sta_tree_cont_cleanup, 0x47FEE38
*Nov 4 01:23:49.591: (0000.0000.0000): dot11_mgmt: finish removing client and its children
*Nov 4 01:23:49.591: dot11_mgmt: ssnie_accept: uc_suite_count 1
*Nov 4 01:23:49.591: dot11_mgmt: unicast suite: 0xFAC04
*Nov 4 01:23:49.591: dot11_mgmt: rsnie_accept: seen aes-ccm
*Nov 4 01:23:49.591: dot11_mgmt: rsnie_accept: set enccrypt_type: aes-ccm
*Nov 4 01:23:49.591: dot11_mgmt: akm suite: 0xFAC01
*Nov 4 01:23:49.591: dot11_mgmt: km: wpav2
*Nov 4 01:23:49.591: dot11_mgmt: RSNIE check success
*Nov 4 01:23:49.591: (0000.0000.0000): dot11_mgmt: found a valid rsnie with key_mgmt FAC01 and encrypt_type 512
*Nov 4 01:23:49.591: (0000.0000.0000): dot11_mgmt: client ccx_version 0
*Nov 4 01:23:49.591: (0000.0000.0000): dot11_mgmt: WLAN MFP=1 WPA2=yes
*Nov 4 01:23:49.591: (0000.0000.0000): dot11_mgmt: verifying station is infra client, null sta_ptr->assoc_ext_tlv.elem_id
*Nov 4 01:23:49.592: (0000.0000.0000): dot11_mgmt: insert mac e419.c142.013e into ssid[magma] tree, sta_ptr:0x47FEE38
*Nov 4 01:23:49.592: (0000.0000.0000): dot11_mgmt: received iapp context response
*Nov 4 01:23:49.592: (e419.c142.013e): SM: Open Authent. 0x47FEE38: IAPP-Resp (3)SM: IAPP_get (5) --> DONT CHG STATE (255)
*Nov 4 01:23:49.592: (0000.0000.0000): dot11_mgmt:station encrypt_type 0x200
*Nov 4 01:23:49.592: (0000.0000.0000): dot11_mgmt: No ClientFlexAcl found in cache
*Nov 4 01:23:49.592: (0000.0000.0000): dot11_mgmt: iapp respose: bss clnt
*Nov 4 01:23:49.592: (0000.0000.0000): dot11_mgmt: [515B482F] request driver to add client
*Nov 4 01:23:49.593: (0000.0000.0000): dot11_driver: Adding client with reap_flags_1 0
*Nov 4 01:23:49.593: (0000.0000.0000): dot11_driver: Dot11Radio0: Adding client with aid 1
*Nov 4 01:23:49.593: (0000.0000.0000): dot11_mgmt: driver add resp for client e419.c142.013e with aid 1
*Nov 4 01:23:49.594: (e419.c142.013e): SM: Open Authent. 0x47FEE38: Drv Add Resp (8)SM: Drv_Add_InProg (8) --> DONT CHG STATE (255)

*Nov 4 01:23:49.594: (0000.0000.0000): dot11_mgmt: [515B4D4E] response from driver for client
*Nov 4 01:23:49.594: (0000.0000.0000): dot11_mgmt: [515B4DAC] send Assoc resp, status[0] to dst=e419.c142.013e, aid[1] on
Dot11Radio0
*Nov 4 01:23:49.594: (0000.0000.0000): dot11_driver: Dot11Radio0: Tx AssocResp to client e419.c142.013e
*Nov 4 01:23:49.594: (0000.0000.0000): dot11_aaa: Received dot11_aaa_auth_request for clientSSID: magma, auth_algorithm 0,
key_mgmt 1027073
*Nov 4 01:23:49.594: AAA/BIND(0000001E): Bind i/f
*Nov 4 01:23:49.595: AAA/ACCT/HC(0000001E): Register DOT11/022F4568 64 bit counter support not configured
*Nov 4 01:23:49.595: AAA/ACCT/HC(0000001E): Update DOT11/022F4568
*Nov 4 01:23:49.595: AAA/ACCT/HC(0000001E): no HC DOT11/022F4568
*Nov 4 01:23:49.595: AAA/ACCT/EVENT/(0000001E): CALL START
*Nov 4 01:23:49.595: Getting session id for NET(0000001E) : db=51DA570
*Nov 4 01:23:49.595: AAA/ACCT(00000000): add node, session 20
*Nov 4 01:23:49.595: AAA/ACCT/NET(0000001E): add, count 1
*Nov 4 01:23:49.595: (0000.0000.0000): dot11_aaa: eap list name: eap_methods
*Nov 4 01:23:49.595: (0000.0000.0000): dot11_aaa: Accounting list name: acct_methods
*Nov 4 01:23:49.595: (0000.0000.0000): dot11_aaa: AAA Client entry added to the client list (22F4568)
*Nov 4 01:23:49.595: (0000.0000.0000): dot11_aaa: starting auth sequence for client, [key_mgmt] = 0xFAC01
*Nov 4 01:23:49.596: (0000.0000.0000): dot11_aaa: no pmkid found in RSN IE
*Nov 4 01:23:49.596: (0000.0000.0000): dot11_aaa: Start local Authenticator request
*Nov 4 01:23:49.596: (0000.0000.0000): dot11_aaa: Send auth request for this client to local Authenticator
*Nov 4 01:23:49.596: (0000.0000.0000): dot11_auth: client is added to the client list for application 0x1
*Nov 4 01:23:49.596: (0000.0000.0000): dot11_auth: Created new client for application 0x1
*Nov 4 01:23:49.596: (0000.0000.0000): dot11_auth: req->auth_type 0
*Nov 4 01:23:49.596: (0000.0000.0000): dot11_auth: auth_methods_inprocess: 2
*Nov 4 01:23:49.596: (0000.0000.0000): dot11_auth: eap list name: eap_methods
*Nov 4 01:23:49.596: (0000.0000.0000): dot11_auth: Start auth method EAP or LEAP
*Nov 4 01:23:49.596: (0000.0000.0000): dot11_auth_dot1x: in the dot11_auth_dot1x_start
(Step2) EAPoL to UE (EAP-Request/Identity)

*Nov 4 01:23:49.596: (0000.0000.0000): dot11_dot1x: Sending identity request to client
*Nov 4 01:23:49.596: EAPOL pak dump tx
*Nov 4 01:23:49.596: EAPOL Version: 0x1 type: 0x0 length: 0x002D
*Nov 4 01:23:49.596: EAP code: 0x1 id: 0x1 length: 0x002D type: 0x1
0601CF70: 0100002D 0101002D 01006E65 74776F72 ...-...-..networ
0601CF80: 6B69643D 6D61676D 612C6E61 7369643D kid=magma,nasid=
0601CF90: 6D61676D 612D6170 2C706F72 7469643D magma-ap,portid=
0601CFA0: 30 0
*Nov 4 01:23:49.597: (0000.0000.0000): dot11_auth: sending data to requestor status 1
*Nov 4 01:23:49.597: (0000.0000.0000): dot11_auth: Sending EAPOL to requestor
*Nov 4 01:23:49.597: (0000.0000.0000): dot11_aaa: Received DOT11_AAA_EAP from Local Authenticator
*Nov 4 01:23:49.597: (0000.0000.0000): DOT1X_SM: Executing Action [state: BRIDGE, event: AUTHENTICATOR_REPLY] for client
*Nov 4 01:23:49.597: (0000.0000.0000): dot11_aaa: sending eapol to client on BSSID 9c4e.2073.9780
*Nov 4 01:23:49.597: (0000.0000.0000): dot11_dot1x: Client timer started for 30 seconds
*Nov 4 01:23:49.643: (0000.0000.0000): dot11_aaa: Received EAPOL packet from client
*Nov 4 01:23:49.643: (0000.0000.0000): dot11_aaa: eapol ver 1 type 0 posting event 0x4
*Nov 4 01:23:49.643: (0000.0000.0000): DOT1X_SM: Executing Action [state: BRIDGE, event: CLIENT_REPLY] for client
*Nov 4 01:23:49.643: (0000.0000.0000): dot11_aaa: Sending DOT11_AAA_EAP pak from client to local Authenticator
*Nov 4 01:23:49.643: (0000.0000.0000): dot11_auth_dot1x: Received EAPOL packet from client
*Nov 4 01:23:49.643: EAPOL pak dump rx
*Nov 4 01:23:49.643: EAPOL Version: 0x1 type: 0x0 length: 0x0038
*Nov 4 01:23:49.643: EAP code: 0x2 id: 0x1 length: 0x0038 type: 0x1
07983B90: 01000038 02010038 01303130 ...8...8.010
07983BA0: 31303132 33343536 37383931 3140776C 1012345678911@wl
07983BB0: 616E2E6D 6E633030 312E6D63 63313031 an.mnc001.mcc101
07983BC0: 2E336770 706E6574 776F726B 2E6F7267 .3gppnetwork.org
07983BD0:
*Nov 4 01:23:49.644: (0000.0000.0000): dot11_dot1x: Executing Action [state: CLIENT_WAIT, event: CLIENT_REPLY] for client
*Nov 4 01:23:49.644: (0000.0000.0000): dot11_dot1x: Sending client data to server
*Nov 4 01:23:49.644: AAA/AUTHEN/PPP (0000001E): Pick method list 'eap_methods'
*Nov 4 01:23:49.644: (0000.0000.0000): dot11_dot1x: Started timer server_timeout 60 seconds

*Nov 4 01:23:49.644: (0000.0000.0000): dot11_aaa: Started dot11 authenticator timeout 60 seconds
*Nov 4 01:23:49.644: RADIUS/ENCODE(0000001E):Orig. component type = DOT11
*Nov 4 01:23:49.645: RADIUS(0000001E): Config NAS IP: 172.16.0.2
*Nov 4 01:23:49.645: RADIUS(0000001E): Config NAS IPv6: ::
*Nov 4 01:23:49.645: RADIUS/ENCODE(0000001E): acct_session_id: 20
*Nov 4 01:23:49.645: RADIUS(0000001E): sending
(Step3) Radius Access-Request to AAA Server (EAP-Response/Identity)

*Nov 4 01:23:49.645: RADIUS(0000001E): Send Access-Request to 172.16.0.3:1812 id 1645/26, len 296
*Nov 4 01:23:49.645: RADIUS: authenticator 20 35 10 4A 3C E6 F2 A5 - 72 90 86 E0 7D 92 7C 0E
*Nov 4 01:23:49.646: RADIUS: User-Name [1] 53 "0101012345678911@wlan.mnc001.mcc101.3gppnetwork.org"
*Nov 4 01:23:49.646: RADIUS: Framed-MTU [12] 6 1400
*Nov 4 01:23:49.646: RADIUS: Called-Station-Id [30] 25 "9C-4E-20-73-97-80:magma"
*Nov 4 01:23:49.646: RADIUS: Calling-Station-Id [31] 19 "E4-19-C1-42-01-3E"
*Nov 4 01:23:49.646: RADIUS: Vendor, Cisco [26] 18
*Nov 4 01:23:49.646: RADIUS: Cisco AVpair [1] 12 "ssid=magma"
*Nov 4 01:23:49.646: RADIUS: Vendor, WISPr [26] 14
*Nov 4 01:23:49.646: RADIUS: WISPr VSA [2] 8 "Poznan"
*Nov 4 01:23:49.646: RADIUS: Service-Type [6] 6 Login [1]
*Nov 4 01:23:49.646: RADIUS: Cisco AVpair [1] 20 "service-type=Login"
*Nov 4 01:23:49.646: RADIUS: Message-Authenticato[80] 18
*Nov 4 01:23:49.646: RADIUS: 24 EE 5B 5A D0 0C DE DD 79 88 A6 D8 56 0B 01 71 [ $[ZyVq]
*Nov 4 01:23:49.646: RADIUS: EAP-Message [79] 58
*Nov 4 01:23:49.647: RADIUS: 02 01 00 38 01 30 31 30 31 30 31 32 33 34 35 36 37 38 39 31 [8010101234567891]
*Nov 4 01:23:49.647: RADIUS: 31 40 77 6C 61 6E 2E 6D 6E 63 30 30 31 2E 6D 63 [1@wlan.mnc001.mc]
*Nov 4 01:23:49.647: RADIUS: 63 31 30 31 2E 33 67 70 70 6E 65 74 77 6F 72 6B [c101.3gppnetwork]
*Nov 4 01:23:49.647: RADIUS: 2E 6F 72 67 [ .org]
*Nov 4 01:23:49.647: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Nov 4 01:23:49.647: RADIUS: NAS-Port [5] 6 273
*Nov 4 01:23:49.647: RADIUS: NAS-Port-Id [87] 5 "273"
*Nov 4 01:23:49.647: RADIUS: NAS-IP-Address [4] 6 172.16.0.2
*Nov 4 01:23:49.647: RADIUS: Acct-Session-Id [44] 10 "00000014"
*Nov 4 01:23:49.647: RADIUS(0000001E): Sending a IPv4 Radius Packet
*Nov 4 01:23:49.648: RADIUS(0000001E): Started 30 sec timeout
(Step4) Radius Access-Challenge from AAA Server (EAP-Request/AKA-Identity)

*Nov 4 01:23:49.659: RADIUS: Received from id 1645/26 172.16.0.3:1812, Access-Challenge, len 52
*Nov 4 01:23:49.659: RADIUS: authenticator CD 5E 1F 28 87 7A DD 08 - 43 28 55 C8 F9 AF 8F C6
*Nov 4 01:23:49.659: RADIUS: 01 02 00 0C 17 05 00 00 0A 01 00 00
*Nov 4 01:23:49.660: RADIUS: DA 27 EE F3 52 08 79 FE 1D 28 09 63 DF D9 21 55 [ 'Ry(c!U]
*Nov 4 01:23:49.660: RADIUS(0000001E): Received from id 1645/26
*Nov 4 01:23:49.660: RADIUS/DECODE: EAP-Message fragments, 12, total 12 bytes
*Nov 4 01:23:49.660: (0000.0000.0000): aaa_resp: Received server response: GET_CHALLENGE_RESPONSE
*Nov 4 01:23:49.660: (0000.0000.0000): aaa_resp: found eap pak in server response
*Nov 4 01:23:49.660: (0000.0000.0000): dot11_dot1x: Executing Action [state: SERVER_WAIT, event: SERVER_REPLY] for client
*Nov 4 01:23:49.660: (0000.0000.0000): dot11_dot1x: Forwarding server message to client
*Nov 4 01:23:49.661: EAPOL Version: 0x1 type: 0x0 length: 0x000C
*Nov 4 01:23:49.661: EAP code: 0x1 id: 0x2 length: 0x000C type: 0x17
0601D6C0: 0100000C 0102000C 17050000 0A010000 ................
0601D6D0:
*Nov 4 01:23:49.661: (0000.0000.0000): dot11_dot1x: Started timer client_timeout 30 seconds

078C1590: 01000040 ...@
078C15A0: 02020040 17050000 0E0E0033 30313031 ...@.......30101
078C15B0: 30313233 34353637 38393131 40776C61 012345678911@wla
078C15C0: 6E2E6D6E 63303031 2E6D6363 3130312E n.mnc001.mcc101.
078C15D0: 33677070 6E657477 6F726B2E 6F726700 3gppnetwork.org.
078C15E0:
(Step5) Radius Access-Request to AAA Server(EAP-Response/AKA-Identity: AT_IDENTITY)

*Nov 4 01:23:49.670: RADIUS: authenticator 1D 7E 70 8F EE 7F F5 14 - F4 A8 89 3E 0F 3A 20 D0
*Nov 4 01:23:49.671: RADIUS: 51 AA 70 54 D3 39 E0 66 90 28 B9 E3 2A 6F 94 DB [ QpT9f(*o]
*Nov 4 01:23:49.671: RADIUS: 02 02 00 40 17 05 00 00 0E 0E 00 33 30 31 30 31 30 31 32 33 34 35 36 37 38 39 [@301010123456789]
*Nov 4 01:23:49.671: RADIUS: 31 31 40 77 6C 61 6E 2E 6D 6E 63 30 30 31 2E 6D [11@wlan.mnc001.m]
*Nov 4 01:23:49.671: RADIUS: 63 63 31 30 31 2E 33 67 70 70 6E 65 74 77 6F 72 [cc101.3gppnetwor]
*Nov 4 01:23:49.671: RADIUS: 6B 2E 6F 72 67 00 [ k.org]
magma-ap#
(Step8) Radius Access-Challenge from AAA Server (EAP-Req./AKA-Chall.: RAND/AUTN/MAC)

*Nov 4 01:23:49.778: RADIUS: Received from id 1645/27 172.16.0.3:1812, Access-Challenge, len 108
*Nov 4 01:23:49.778: RADIUS: authenticator 25 53 C1 79 99 32 D2 9F - CB 70 07 3F 47 B3 D4 FF
*Nov 4 01:23:49.778: RADIUS: 01 03 00 44 17 01 00 00 01 05 00 00 56 7E D4 B7 47 C4 3C 09 24 A7 FF B9 31 D2 9B 4B 02 05 00 00 7D 8F D2
57 F7 EE 80 00 0C C5 03 2D 92 5A E4 9F 0B 05 00 00 02 3E 2E 1F 34 DF CA 6D [DV~G<$1K}W-Z>.4m]
*Nov 4 01:23:49.779: RADIUS: 22 60 E5 1C 69 A6 93 08 [ "`i]

*Nov 4 01:23:49.779: RADIUS: BE 21 8D 46 F1 47 73 50 EC 2B 7A 02 65 84 21 2C [ !FGsP+ze!,]
*Nov 4 01:23:49.779: (0000.0000.0000): aaa_resp: Received server response: GET_CHALLENGE_RESPONSE
*Nov 4 01:23:49.780: (0000.0000.0000): dot11_dot1x: Executing Action [state: SERVER_WAIT, event: SERVER_REPLY] for client
0601D930: 01000044 01030044 17010000 01050000 ...D...D........
0601D940: 567ED4B7 47C43C09 24A7FFB9 31D29B4B V~T7GD<.$'.91R.K
0601D950: 02050000 7D8FD257 F7EE8000 0CC5032D ....}.RWwn...E.-
0601D960: 925AE49F 0B050000 023E2E1F 34DFCA6D .Zd......>..4_Jm
0601D970: 2260E51C 69A69308 "`e.i&..
07964A60: 01000040 02030040 ...@...@
07964A70: 17010000 03030040 0FAF49F9 1FA21B8A .......@./Iy."..
07964A80: 86060000 0F596380 AC8EB63B 83A6B938 .....Yc.,.6;.&98
07964A90: 8B9E9738 6876C186 0B050000 55113AE4 ...8hvA.....U.:d
07964AA0: B863DFBA 05012032 5F58DC45 8c_:.. 2_X\E
(Step9) Radius Access-Request to AAA Server(EAP-Resp./AKA-Chall.: RES/MAC/CHECKCODE)

*Nov 4 01:23:49.946: RADIUS: authenticator 7E AB 2F 65 25 63 34 EC - 15 BA 17 B8 1E C3 4B F5

*Nov 4 01:23:49.947: RADIUS: 44 98 FC 52 AD 17 FB A3 8D 7D CB EC C3 55 16 3F [ DR}U?]
*Nov 4 01:23:49.947: RADIUS: 02 03 00 40 17 01 00 00 03 03 00 40 0F AF 49 F9 1F A2 1B 8A 86 06 00 00 0F 59 63 80 AC 8E B6 3B 83 A6 B9
38 8B 9E 97 38 68 76 C1 86 0B 05 00 00 55 11 3A E4 B8 63 DF BA 05 01 20 32 5F [@@IYc;88hvU:c 2_]
*Nov 4 01:23:49.947: RADIUS: 58 DC 45 [ XE]
(Step11) Radius Access-Accept from AAA Server (EAP-Success, MSK)

*Nov 4 01:23:50.246: RADIUS: Received from id 1645/28 172.16.0.3:1812, Access-Accept, len 213
*Nov 4 01:23:50.246: RADIUS: authenticator 0B D9 80 52 97 81 51 A8 - 5C AF D1 36 C1 D5 75 2B
*Nov 4 01:23:50.246: RADIUS: 03 03 00 04
*Nov 4 01:23:50.246: RADIUS: Vendor, Microsoft [26] 58
*Nov 4 01:23:50.246: RADIUS: MS-MPPE-Recv-Key [17] 52 *
*Nov 4 01:23:50.246: RADIUS: Vendor, Microsoft [26] 58
*Nov 4 01:23:50.246: RADIUS: MS-MPPE-Send-Key [16] 52 *
*Nov 4 01:23:50.246: RADIUS: 71 83 29 BB 54 22 8F A6 BF 1F CC A0 5C A3 F3 15 [ q)T"\]
*Nov 4 01:23:50.247: (0000.0000.0000): aaa_resp: Received server response: PASS
*Nov 4 01:23:50.247: (0000.0000.0000): aaa_resp: Found AAA_AT_MS_MPPE_RECV_KEY in server response
*Nov 4 01:23:50.247: (0000.0000.0000): aaa_resp: AAA_AT_MS_MPPE_RECV_KEY session key length 32
*Nov 4 01:23:50.248: (0000.0000.0000): PMK: Sucessfully created pmk record for this station, username '', life time '86400', flags 0x1
*Nov 4 01:23:50.248: (0000.0000.0000): PMK: updated username 0101012345678911@wlan.mnc001.mcc101.3gppnetwork.org in the pmk
record
*Nov 4 01:23:50.248: (0000.0000.0000): aaa_resp: Found AAA_AT_MS_MPPE_SEND_KEY in server response
*Nov 4 01:23:50.248: (0000.0000.0000): aaa_resp: AAA_AT_MS_MPPE_SEND_KEY session key length 32
*Nov 4 01:23:50.248: (0000.0000.0000): aaa_resp: client username 0101012345678911@wlan.mnc001.mcc101.3gppnetwork.org
*Nov 4 01:23:50.248: (0000.0000.0000): dot11_auth: Checking for SSID in server attributes
*Nov 4 01:23:50.248: (0000.0000.0000): aaa_resp: Checking for Airespace-Vlan-Name in server attributes
*Nov 4 01:23:50.248: (0000.0000.0000): aaa_resp: Checking for VLAN ID in server attributes
*Nov 4 01:23:50.248: (0000.0000.0000): aaa_resp: Checking for Airespace-Acl-Name in server attributes
*Nov 4 01:23:50.248: (0000.0000.0000): aaa_resp: Updating radius assigned Airespace Client acl '' into cache
*Nov 4 01:23:50.248: (0000.0000.0000): PMK: updated pmk record with Client Flex Acl
*Nov 4 01:23:50.248: (0000.0000.0000): dot11_dot1x: Executing Action [state: SERVER_WAIT, event: SERVER_PASS] for client
*Nov 4 01:23:50.249: EAP code: 0x3 id: 0x3 length: 0x0004
0601DA60: 01000004 03030004 ........
0601DA70:
*Nov 4 01:23:50.250: (0000.0000.0000): dot11_auth: DOT11_AUTH_SUCCESS with resp->nsk_len 32 resp->auth_key_len 32
*Nov 4 01:23:50.250: (0000.0000.0000): dot11_auth: client authenticated, node_type 64 for application 0x1
*Nov 4 01:23:50.250: (0000.0000.0000): dot11_auth: Client is deleted for application 0x1
*Nov 4 01:23:50.250: (0000.0000.0000): dot11_aaa: Received DOT11_AAA_SUCCESS from Local Authenticator
*Nov 4 01:23:50.250: (0000.0000.0000): dot11_aaa: Network-id =0

*Nov 4 01:23:50.250: (0000.0000.0000): dot11_aaa: Found keys - nsk (btk), len 32
*Nov 4 01:23:50.250: (0000.0000.0000): dot11_aaa: found auth key, len 32
*Nov 4 01:23:50.250: (0000.0000.0000): DOT1X_SM: Executing Action [state: BRIDGE, event: AUTHENTICATOR_PASS] for client
*Nov 4 01:23:50.251: (0000.0000.0000): dot11_aaa: Authentication passed for client, start wpa-v2 key exchange
(Step12) 4-way handshake

*Nov 4 01:23:50.251: (0000.0000.0000): dot11_dot1x: Starting wpav2 ptk msg 1 to supplicant
*Nov 4 01:23:50.251: (0000.0000.0000): dot11_dot1x: ptk msg 1 pak_size 121
*Nov 4 01:23:50.251: (0000.0000.0000): dot11_dot1x: eapol version 2, eapol type 3 eapol length 117
*Nov 4 01:23:50.251: (0000.0000.0000): dot11_dot1x: building PTK msg (handshake type = 1) for client
*Nov 4 01:23:50.251: (0000.0000.0000): dot11_dot1x: ptk key len 16, eapol key descriptor type 0x2
*Nov 4 01:23:50.251: (0000.0000.0000): dot11_dot1x: ptk key data len 22
*Nov 4 01:23:50.251: (0000.0000.0000): dot11_dot1x: wpav2 pmkid[DOT1X]: 8FE89AE2A32C6CFEEFF1A64E0FBC391F
*Nov 4 01:23:50.251: (0000.0000.0000): dot11_dot1x: [handshake retry count = 1] Sent WPAv2 PTK msg 1 to client, no timer set
*Nov 4 01:23:50.252: (0000.0000.0000): dot11_dot1x: [handshake retry count = 1] Handshake msg to client, timer set: timeout 500 ms
*Nov 4 01:23:50.265: (0000.0000.0000): DOT1X_SM: Exec. Action [state: WPAV2_PTK_MSG2_WAIT, event: RECV_EAPOL_KEY_RSP] for client
*Nov 4 01:23:50.265: (0000.0000.0000): dot11_dot1x: Received wpav2 ptk msg2
*Nov 4 01:23:50.265: (0000.0000.0000): dot11_dot1x: verifying PTK msg 2 from client
*Nov 4 01:23:50.265: (0000.0000.0000): dot11_dot1x: Warning: Verifying EAPOL header Invalid key len (exp=0x10, act=0x0)
*Nov 4 01:23:50.265: (0000.0000.0000): dot11_dot1x: wpa-v2 clnt does not have cached pmk rec:
aaa_client->ms_mppe_receive_key:0x47FF000
*Nov 4 01:23:50.265: (0000.0000.0000): dot11_dot1x: Handshake 2 verified successfully
*Nov 4 01:23:50.265: (0000.0000.0000): dot11_dot1x: Starting wpav2 ptk msg 3 to supplicant
*Nov 4 01:23:50.265: (0000.0000.0000): dot11_dot1x: wpav2 msg3 data_len before padding 46
*Nov 4 01:23:50.265: (0000.0000.0000): dot11_dot1x: wpav2 msg3 padding 2 data_len after padding 56, eapol pak_size 155
*Nov 4 01:23:50.265: (0000.0000.0000): dot11_dot1x: eapol version 2, eapol type 3 eapol length 151
*Nov 4 01:23:50.266: (0000.0000.0000): dot11_dot1x: building PTK msg (handshake type = 3) for client
*Nov 4 01:23:50.266: (0000.0000.0000): dot11_dot1x: ptk key len 16, eapol key descriptor type 0x2
*Nov 4 01:23:50.266: (0000.0000.0000): dot11_dot1x: wpav2_ptk msg 3 rsnie len 22 and 20
*Nov 4 01:23:50.266: (0000.0000.0000): dot11_dot1x: mcst_key_len 16 index 1 vlan 0
*Nov 4 01:23:50.266: (0000.0000.0000): dot11_dot1x: gnonce: 82 BE F6 A4 DE F8 55 0A 58 89 79 52 01 6C B5 F8 01 F9 AB 9C 00 00 00 64
01 F9 AB 9C 00 00 00 64
*Nov 4 01:23:50.266: (0000.0000.0000): dot11_dot1x: multicast key : 63 CF AB DF 2C 30 54 7E 4D F2 EA FD BF 49 B6 E9
*Nov 4 01:23:50.266: (0000.0000.0000): dot11_dot1x: gtk(pt) key (len = 16) : 63 CF AB DF 2C 30 54 7E 4D F2 EA FD BF 49 B6 E9
*Nov 4 01:23:50.266: (0000.0000.0000): dot11_dot1x: Is Client 11w Enbaled? NO
*Nov 4 01:23:50.266: (0000.0000.0000): dot11_dot1x: build wpav2 ptk msg 3, pad data from 46 by 2
*Nov 4 01:23:50.267: (0000.0000.0000): dot11_dot1x: dump temp_key_data(pt) (len 48) : 30 14 01 00 00 0F AC 04 01 00 00 0F AC 04 01 00
00 0F AC 01 3C 00 DD 16 00 0F AC 01 01 00 63 CF AB DF 2C 30 54 7E 4D F2 EA FD BF 49 B6 E9 DD 00
*Nov 4 01:23:50.267: (0000.0000.0000): dot11_dot1x: dump eapol encrypt key: E7 10 1A DC 68 CC C9 66 71 FB FB 7E 33 9E E7 BE
*Nov 4 01:23:50.267: (0000.0000.0000): dot11_dot1x: eapol key_data from len 48 to 56 (ct): 00 31 E2 39 7E E5 F6 A4 48 67 90 C5 A2 4E C5
03 83 3D E9 9A EC 15 13 11 C0 5E D2 12 FB 3A 11 E4 E8 F0 DB 69 C7 73 7D F8 10 50 59 6A 9C 95 78 D0 B0 9E 53 18 BB 05 44 A1
*Nov 4 01:23:50.267: (0000.0000.0000): dot11_dot1x: aes key wrap key_data from len 48 to 56 gtk(ct):
*Nov 4 01:23:50.268: (0000.0000.0000): dot11_dot1x: dump decrypted aes key data: 30 14 01 00 00 0F AC 04 01 00 00 0F AC 04 01 00 00
0F AC 01 3C 00 DD 16 00 0F AC 01 01 00 63 CF AB DF 2C 30 54 7E 4D F2 EA FD BF 49 B6 E9 DD 00
*Nov 4 01:23:50.268: (0000.0000.0000): dot11_dot1x: wpav2 msg 3 key data len 56
*Nov 4 01:23:50.273: (0000.0000.0000): dot11_dot1x: MIC key: 2F 2D AF 6B 8C 03 C0 BF AD F3 03 84 D3 4F 68 2C
*Nov 4 01:23:50.273: (0000.0000.0000): dot11_dot1x: hmac_sha1 mic for eapol pak (len 155) : 5C 35 BD 00 87 06 68 D2 6F A6 AF 38 FD B0
C5 1D
*Nov 4 01:23:50.273: (0000.0000.0000): dot11_dot1x: msg 3 hmac_sha1 mic for eapol_key len 155
*Nov 4 01:23:50.273: (0000.0000.0000): dot11_dot1x: [handshake retry count = 1] Sent WPAv2 PTK msg 3 to client, no timer set
*Nov 4 01:23:50.273: (0000.0000.0000): dot11_dot1x: [handshake retry count = 1] Handshake msg to client, timer set: timeout 500 ms
*Nov 4 01:23:50.289: (0000.0000.0000): DOT1X_SM: Executing Action [state: WPAV2_PTK_MSG4_WAIT, event: RECV_EAPOL_KEY_RSP] for
client
*Nov 4 01:23:50.289: (0000.0000.0000): dot11_dot1x: Received WPAv2 PTK msg4
*Nov 4 01:23:50.289: (0000.0000.0000): dot11_dot1x: verifying PTK msg 4 from client
*Nov 4 01:23:50.289: (0000.0000.0000): dot11_dot1x: Warning: Verifying EAPOL header Invalid key len (exp=0x10, act=0x0)

*Nov 4 01:23:50.289: (0000.0000.0000): dot11_dot1x: Handshake 4 verified successfully
*Nov 4 01:23:50.289: (0000.0000.0000): dot11_dot1x: plumbing keys, entrypt_type: 0x200
*Nov 4 01:23:50.289: (0000.0000.0000): Dot11_Driver: setting client key with encrypt type 0x200
*Nov 4 01:23:50.289: (0000.0000.0000): dot11_dot1x: plumb ssn PTK (len = 16) hex: B4 45 65 8D 09 A7 C7 DD 5B 23 30 96 73 DD 0C 3A
*Nov 4 01:23:50.289: (0000.0000.0000): dot11_dot1x: 4-way Handshake pass for client
*Nov 4 01:23:50.289: (0000.0000.0000): dot11_aaa: Sending auth response: 2 for client
*Nov 4 01:23:50.290: (0000.0000.0000): dot11_mgmt: received AAA Auth resp, returned vlan name , vlan id 0 and wnid 0
*Nov 4 01:23:50.290: (e419.c142.013e): SM: ---Open Authentication 0x47FEE38: AAA Auth OK (5)SM: AAA_Auth (6) --> Assoc (2)
*Nov 4 01:23:50.290: %DOT11-6-ASSOC: Interface Dot11Radio0, Station e419.c142.013e Associated KEY_MGMT[WPAv2]
*Nov 4 01:23:50.290: (0000.0000.0000): dot11_aaa: client Associated
*Nov 4 01:23:50.290: (0000.0000.0000): PMK: updated username 0101012345678911@wlan.mnc001.mcc101.3gppnetwork.org in the pmk
record
*Nov 4 01:23:50.290: AAA/ACCT/NET(0000001E): Pick method list 'acct_methods'
*Nov 4 01:23:50.290: AAA/ACCT/SETMLIST(0000001E): Handle D4000005, mlist 05038634, Name acct_methods
*Nov 4 01:23:50.291: (0000.0000.0000): dot11_aaa: Starting accounting for user
*Nov 4 01:23:50.291: AAA/ACCT/EVENT/(0000001E): NET UP
*Nov 4 01:23:50.291: (0000.0000.0000): dot11_aaa: Updating aaa attributes for user
*Nov 4 01:23:50.291: AAA/ACCT/NET(0000001E): Queueing record is START
*Nov 4 01:23:50.291: (0000.0000.0000): dot11_mgmt: bss client assoc/reassoc updated stats curr_assoc 1 cur_bss_assoc 1 cur_rptrs 0
cur_bss_rptrs 0
*Nov 4 01:23:50.292: (0000.0000.0000): Tbridge_Create: updating bridge-group for station on Dot11Radio0, with bridge-group index 1
*Nov 4 01:23:50.292: (0000.0000.0000): Tbridge_Create: add client on Dot11Radio0's Transparent Bridge Table
*Nov 4 01:23:50.292: (0000.0000.0000): dot11_mgmt: lwapp_session_timeout not starting for this client
*Nov 4 01:23:50.292: AAA/ACCT(0000001E): Accounting method=rad_acct (RADIUS)
(Step13)Radius Accounting-Request to AAA Server (Acct-Status-Type: Start)

*Nov 4 01:23:50.293: RADIUS(0000001E): Send Accounting-Request to 172.16.0.3:1813 id 1646/15, len 286
*Nov 4 01:23:50.293: RADIUS: authenticator 71 AA 85 01 17 E5 43 CA - 39 E8 8F 99 59 50 48 59
*Nov 4 01:23:50.293: RADIUS: Called-Station-Id [30] 19 "9C-4E-20-73-97-80"
*Nov 4 01:23:50.294: RADIUS: Cisco AVpair [1] 11 "vlan-id=0"
*Nov 4 01:23:50.294: RADIUS: Cisco AVpair [1] 21 "nas-location=Poznan"
*Nov 4 01:23:50.294: RADIUS: Cisco AVpair [1] 26 "connect-progress=Call Up"
*Nov 4 01:23:50.295: RADIUS: Acct-Authentic [45] 6 RADIUS [1]
*Nov 4 01:23:50.295: RADIUS: Acct-Status-Type [40] 6 Start [1]
*Nov 4 01:23:50.295: RADIUS: Service-Type [6] 6 Framed [2]
*Nov 4 01:23:50.295: RADIUS: home-hl-prefix [151] 10 "9EDB4DB9"
*Nov 4 01:23:50.295: RADIUS: Acct-Delay-Time [41] 6 0
*Nov 4 01:23:50.309: RADIUS: Received from id 1646/15 172.16.0.3:1813, Accounting-response, len 30

*Nov 4 01:23:50.309: RADIUS: authenticator 05 D5 08 DE 26 28 37 34 - DA 8F 81 A4 63 15 48 44
*Nov 4 01:23:50.310: AAA/ACCT/NET(0000001E): START protocol reply PASS
*Nov 4 01:23:50.310: AAA/ACCT(0000001E): Accounting response status = SUCCESS
*Nov 4 01:23:50.310: AAA/ACCT(0000001E): Send START accounting notification to EM successfully
*Nov 4 01:23:50.310: AAA/ACCT(0000001E): mlist_periodic is not set, interval 0
*Nov 4 01:23:50.310: AAA/ACCT(0000001E): Resetting Periodic timer 60
*Nov 4 01:23:50.833: (0000.0000.0000): dot11_mgmt: Updating the client IP (192.168.1.236) to the controller
*Nov 4 01:24:55.768: AAA/ACCT/NET(0000001E): Queueing record is UPDATE
*Nov 4 01:24:55.768: AAA/ACCT(0000001E): Sending per. rec. type=NET user=0101012345678911@wlan.mnc001.mcc101.3gppnetwork.org
(Step14)Radius Accounting-Request to AAA Server (Acct-Status-Type: Start)

*Nov 4 01:24:55.769: RADIUS: authenticator AE 5C 22 7E 6C CF F9 65 - 28 A7 4E EF 48 D7 8D EF
*Nov 4 01:24:55.771: RADIUS: Acct-Session-Time [46] 6 65
*Nov 4 01:24:55.771: RADIUS: Acct-Input-Octets [42] 6 192419
*Nov 4 01:24:55.771: RADIUS: Acct-Output-Octets [43] 6 238858
*Nov 4 01:24:55.771: RADIUS: Acct-Input-Packets [47] 6 602
*Nov 4 01:24:55.771: RADIUS: Acct-Output-Packets [48] 6 512
*Nov 4 01:24:55.771: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
*Nov 4 01:24:55.779: RADIUS: authenticator 7C B4 F3 EB 30 DD A3 8C - 0B 55 5C 80 05 86 A5 03
*Nov 4 01:24:55.780: AAA/ACCT/NET(0000001E): UPDATE protocol reply PASS
*Nov 4 01:24:55.780: AAA/ACCT(0000001E): Send UPDATE accounting notification to EM successfully

*Nov 4 01:25:56.522: AAA/ACCT/NET(0000001E): Queueing record is UPDATE
*Nov 4 01:25:56.522: AAA/ACCT(0000001E): Sending periodic record type=NET
user=0101012345678911@wlan.mnc001.mcc101.3gppnetwork.org
*Nov 4 01:25:56.523: RADIUS: authenticator AE 0E 7B 8E 0A 73 DF 87 - 2C 10 89 7E ED 00 AC 42
*Nov 4 01:25:56.524: RADIUS: Acct-Session-Time [46] 6 126
*Nov 4 01:25:56.525: RADIUS: Acct-Input-Octets [42] 6 474582
*Nov 4 01:25:56.525: RADIUS: Acct-Output-Octets [43] 6 2243743
*Nov 4 01:25:56.525: RADIUS: Acct-Input-Packets [47] 6 1509
*Nov 4 01:25:56.525: RADIUS: Acct-Output-Packets [48] 6 2503
*Nov 4 01:25:56.525: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
*Nov 4 01:25:56.534: RADIUS: authenticator 88 E7 76 E1 EA DD 65 14 - 3F 75 74 7E D3 84 2F 9F
*Nov 4 01:25:56.534: AAA/ACCT/NET(0000001E): UPDATE protocol reply PASS
*Nov 4 01:25:56.535: AAA/ACCT(0000001E): Send UPDATE accounting notification to EM successfully
(Step18)Radius Disconnect-Request to AP
*Nov 4 01:25:59.501: RADIUS: POD received from id 0 172.16.0.3:46289, POD Request, len 49
*Nov 4 01:25:59.501: POD: 172.16.0.3 request queued
*Nov 4 01:25:59.501: ++++++ POD Attribute List ++++++
*Nov 4 01:25:59.501: 051749F8 0 00000001 session-id(408) 4 20(14)
*Nov 4 01:25:59.501: 05174F48 0 00000081 formatted-clid(37) 17 E4-19-C1-42-01-3E
*Nov 4 01:25:59.501: DOT11 POD Received PoD request
*Nov 4 01:25:59.501: DOT11 POD Invalid MAC address (E4-19-C1-42-01-3E) len=17
*Nov 4 01:25:59.502: DOT11 POD Could not terminate session, wds=0 err_code=404
*Nov 4 01:25:59.502: POD: Added NACK Error Cause: Invalid Request
*Nov 4 01:25:59.502: POD: Sending NAK from port 3799 to 172.16.0.3/46289
*Nov 4 01:25:59.502: RADIUS: 101 6 00000194

7.6.3.1 AP sends Disconnect-NAK to CWAG instead of Disconnect-ACK

Interoperability between Cisco AP and CWAG requires IETF format to be configured
on the AP for Calling-Station-Id (31) and Called-Station-Id (30) RADIUS attributes
(dot11 aaa csid ietf and wlccp wds aaa csid ietf statements). This is because CWAG
does not accept UE MACs in Cisco-default format (e.g. 0000.4096.3e4a) or
unformatted (e.g. 000040963e4a).
With IETF format, the user attach procedure is successful but the Change of
Authorization (CoA)/Session Termination fails on the AP because of the bug in Cisco
IOS. In the Disconnect-Request (POD), CWAG uses Calling-Station-ID value (e.g.
E4-19-C1-42-01-3E) obtained previously from the AP, but instead of terminating a
session and responding with Disconnect-ACK, the AP responds with
Disconnect-NAK and an error cause 404 (Invalid-Request):
The root cause for an error 404 is “Invalid MAC address” which can be found in the
AP’s debug output below:
magma-ap# show dot11 associations
802.11 Client Stations on Dot11Radio0:

SSID [magma] :
MAC Address IP address IPV6 address Device Name Parent State
e419.c142.013e 192.168.1.236 :: unknown - self EAP-Assoc


magma-ap# terminal monitor
*Nov 2 04:36:20.324: RADIUS: POD received from id 0 172.16.0.3:50250, POD Request, len 49
*Nov 2 04:36:20.325: POD: 172.16.0.3 request queued
*Nov 2 04:36:20.325: ++++++ POD Attribute List ++++++
*Nov 2 04:36:20.325: 022BF6D0 0 00000001 session-id(408) 4 1146(47A)
*Nov 2 04:36:20.325: 022BFB10 0 00000081 formatted-clid(37) 17 E4-19-C1-42-01-3E
*Nov 2 04:36:20.325:
*Nov 2 04:36:20.325: DOT11 POD Received PoD request
*Nov 2 04:36:20.325: DOT11 POD Invalid MAC address (E4-19-C1-42-01-3E) len=17
*Nov 2 04:36:20.325: DOT11 POD Could not terminate session, wds=0 err_code=404
*Nov 2 04:36:20.325: POD: Added NACK Error Cause: Invalid Request
*Nov 2 04:36:20.325: POD: Sending NAK from port 3799 to 172.16.0.3/50250
*Nov 2 04:36:20.326: RADIUS: 101 6 00000194
The UE MAC string stored by the AP in Cisco default format doesn’t match the
obtained IETF string and the format conversion is not performed before string
comparison. As a result, the UE stays connected with the “magma” wireless network
instead of being disauthenticated/disasociated.
As described here, the issue does not occur when the Authenticator uses Cisco
native format for csid (dot11 aaa csid default), but as mentioned before such a
configuration makes the UE attach procedure fail.
Solution:
There is currently neither a solution nor workaround for existing Lab setup. The Cisco
AIR-AP1142N-E-K9 platform is EOL and is running with the latest available version of
firmware 15.3(3)JD17. It could be tried to launch CIsco WLC on a VM and convert the
AP to the lightweight mode but it needs additional hardware resources, increases
Lab complexity, and may still not guarantee successful Disconnect operation.
7.7 UEs
7.7.1 Collecting UE logs with Android Debug Bridge (ADB)
UE logs may be extremely useful when troubleshooting EAP-AKA authentication.
Follow the steps below to collect log messages from the Android devices used in the
Lab (Samsung Galaxy SM-G350 running Android 4 and Huawei P smart 2019 running
Android 10). Note that the iPhone does not allow for logs access without rooting.
1. On your Android device:

a. Go to the Settings app.
b. Tap the About Phone option.
c. Tap the Build Number option 7 times (this enables developer mode).
d. Go back to the main settings (or to Settings ⇨ System&updates) where
Developer options should show up.

e. Enter Developer options and enable USB debugging.
2. On your Mac:
a. Download ADB file for Mac:
https://dl.google.com/android/repository/platform-tools-latest-darwin.zip
b. Unpack the zip file and enter the extracted directory:
$ cd ~/Downloads/platform-tools
c. Connect the mobile phone with a USB cable.

d. Change the USB connection mode to file transfer (MTP).
e. From the extracted folder run:
$ ./adb devices
List of devices attached

39V4C19916015719 unauthorized
and Allow USB debugging on the phone when the prompt pops up.
f. Launch logging to file:

$ ./adb logcat >> android10.log
g. Go to Settings ⇨ Wifi and tap magma in the Available networks list.

h. Interrupt log collection (CTRL+C) and parse the log file by e.g.
“wpa_supplicant:” , “TelephonyUtil:”, and “WifiClientModeImpl:”:
7.7.2 UE (Supplicant) log

$ cat android10.log | grep wpa_supplicant
….
08-03 23:57:42.020 16193 16193 I wpa_supplicant: wlan0: Trying to associate with SSID 'magma'
08-03 23:57:42.020 16193 16193 D wpa_supplicant: wlan0: Cancelling scan request
08-03 23:57:42.020 16193 16193 E wpa_supplicant: wlan0: ssid->assoc_retry=0
08-03 23:57:42.020 16193 16193 D wpa_supplicant: RSN: PMKSA cache search - network_ctx=0x7bffe9d400 try_opportunistic=1 akmp=0x0
08-03 23:57:42.020 16193 16193 D wpa_supplicant: RSN: Search for BSSID 9c:**:**:**:97:80
08-03 23:57:42.020 16193 16193 D wpa_supplicant: RSN: Consider 9c:**:**:**:97:80 for OKC
08-03 23:57:42.020 16193 16193 D wpa_supplicant: RSN: No PMKSA cache entry found
08-03 23:57:42.020 16193 16193 D wpa_supplicant: wlan0: RSN: using IEEE 802.11i/D9.0
08-03 23:57:42.020 16193 16193 D wpa_supplicant: wlan0: WPA: Selected cipher suites: group 16 pairwise 16 key_mgmt 1 proto 2
08-03 23:57:42.020 16193 16193 D wpa_supplicant: wlan0: WPA: Selected mgmt group cipher 32
08-03 23:57:42.020 16193 16193 D wpa_supplicant: wlan0: WPA: clearing AP WPA IE
08-03 23:57:42.020 16193 16193 D wpa_supplicant: wlan0: WPA: AP group 0x10 network profile group 0x1e; available group 0x10
08-03 23:57:42.020 16193 16193 D wpa_supplicant: wlan0: WPA: using GTK CCMP
08-03 23:57:42.020 16193 16193 D wpa_supplicant: wlan0: WPA: AP pairwise 0x10 network profile pairwise 0x18; available pairwise 0x10
08-03 23:57:42.020 16193 16193 D wpa_supplicant: wlan0: WPA: using PTK CCMP
08-03 23:57:42.020 16193 16193 D wpa_supplicant: wlan0: WPA: AP key_mgmt 0x1 network profile key_mgmt 0x89; available key_mgmt
0x1

08-03 23:57:42.020 16193 16193 D wpa_supplicant: wlan0: WPA: using KEY_MGMT 802.1X
08-03 23:57:42.020 16193 16193 D wpa_supplicant: wlan0: WPA: AP mgmt_group_cipher 0x20 network profile mgmt_group_cipher 0x0;
available mgmt_group_cipher 0x0
08-03 23:57:42.020 16193 16193 D wpa_supplicant: wlan0: WPA: not using MGMT group cipher
08-03 23:57:42.020 16193 16193 D wpa_supplicant: WPA: No current PMKSA - clear PMK
08-03 23:57:42.020 16193 16193 D wpa_supplicant: wlan0: Automatic auth_alg selection: 0x1
08-03 23:57:42.020 16193 16193 D wpa_supplicant: wlan0: Overriding auth_alg selection: 0x1
08-03 23:57:42.020 16193 16193 D wpa_supplicant: wlan0: State: DISCONNECTED -> ASSOCIATING
08-03 23:57:42.020 16193 16193 D wpa_supplicant: mdpp-wpa: MDPP switch is off
08-03 23:57:42.021 16193 16193 D wpa_supplicant: WPS: AP vendor specific ies from wpa_bss
08-03 23:57:42.021 16193 16193 D wpa_supplicant: Notifying state change event to hidl control: 5
08-03 23:57:42.021 16193 16193 D wpa_supplicant: P2P: channels: 81:1,2,3,4,5,6,7,8,9,10,11,12,13 115:36,40,44,48 116:36,44 117:40,48
124:149,153,157,161 125:149,153,157,161,165 126:149,157 127:153,161 128:36,40,44,48 130:36,40,44,48
08-03 23:57:42.021 16193 16193 D wpa_supplicant: bss->freq (2447)
08-03 23:57:42.021 16193 16193 D wpa_supplicant: nl80211: Set mode ifindex 34 iftype 2 (STATION)
08-03 23:57:42.021 16193 16193 D wpa_supplicant: nl80211: Unsubscribe mgmt frames handle 0x888888f3776bc689 (mode change)
08-03 23:57:42.021 16193 16193 D wpa_supplicant: nl80211: Subscribe to mgmt frames with non-AP handle 0x7bffe34e00
08-03 23:57:42.023 16193 16193 D wpa_supplicant: nl80211: Connect (ifindex=34)
08-03 23:57:42.023 16193 16193 D wpa_supplicant: * freq=2447
08-03 23:57:42.023 16193 16193 D wpa_supplicant: * SSID=magma
08-03 23:57:42.023 16193 16193 D wpa_supplicant: * pairwise=0xfac04
08-03 23:57:42.023 16193 16193 D wpa_supplicant: * group=0xfac04
08-03 23:57:42.023 16193 16193 D wpa_supplicant: * akm=0xfac01
08-03 23:57:42.023 16193 16193 D wpa_supplicant: * Auth Type 0
08-03 23:57:42.023 16193 16193 D wpa_supplicant: * WPS:0, privacy:1
08-03 23:57:42.024 16193 16193 D wpa_supplicant: nl80211: Connect request send successfully
08-03 23:57:42.024 16193 16193 D wpa_supplicant: wlan0: Setting authentication timeout: 10 sec 0 usec
08-03 23:57:42.061 16193 16193 D wpa_supplicant: nl80211: Drv Event 46 (NL80211_CMD_CONNECT) received for wlan0
08-03 23:57:42.061 16193 16193 D wpa_supplicant: nl80211: Connect event (status=0 ignore_next_local_disconnect=0)
08-03 23:57:42.061 16193 16193 D wpa_supplicant: nl80211: current bssid 00:**:**:**:00:00
08-03 23:57:42.065 16193 16193 D wpa_supplicant: nl80211: Associated on 2447 MHz
08-03 23:57:42.065 16193 16193 D wpa_supplicant: nl80211: Associated with 9c:**:**:**:97:80
08-03 23:57:42.065 16193 16193 D wpa_supplicant: nl80211: Operating frequency for the associated BSS from scan results: 2447 MHz
08-03 23:57:42.065 16193 16193 D wpa_supplicant: nl80211: Associated on 2447 MHz
08-03 23:57:42.065 16193 16193 D wpa_supplicant: nl80211: Associated with 9c:**:**:**:97:80
08-03 23:57:42.066 16193 16193 D wpa_supplicant: nl80211: Set drv->ssid based on scan res info to 'magma'
08-03 23:57:42.066 16193 16193 D wpa_supplicant: wlan0: Event ASSOC (0) received
08-03 23:57:42.066 16193 16193 D wpa_supplicant: wlan0: Association info event
08-03 23:57:42.066 16193 16193 D wpa_supplicant: wlan0: freq=2447 MHz
08-03 23:57:42.066 16193 16193 D wpa_supplicant: wlan0: State: ASSOCIATING -> ASSOCIATED
08-03 23:57:42.066 16193 16193 D wpa_supplicant: wlan0: freq[0]: 2447, flags=0x1
124:149,153,157,161 125:149,153,157,161,165 126:149,157 127:153,161 128:36,40,44,48 130:36,40,44,48
08-03 23:57:42.066 16193 16193 D wpa_supplicant: wlan0: Associated to a new BSS: BSSID=9c:**:**:**:97:80
08-03 23:57:42.066 16193 16193 D wpa_supplicant: Notifying bssid changed to hidl control
08-03 23:57:42.066 16193 16193 D wpa_supplicant: wlan0: WPA: clearing AP WPA IE
08-03 23:57:42.066 16193 16193 I wpa_supplicant: wlan0: Associated with 9c:**:**:**:97:80
08-03 23:57:42.066 16193 16193 D wpa_supplicant: wlan0: WPA: Association event - clear replay counter
08-03 23:57:42.066 16193 16193 D wpa_supplicant: wlan0: WPA: Clear old PTK
08-03 23:57:42.066 16193 16193 D wpa_supplicant: TDLS: Remove peers on association
08-03 23:57:42.066 16193 16193 D wpa_supplicant: wlan0: Cancelling scan request
08-03 23:57:42.066 16193 16193 I wpa_supplicant: wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
08-03 23:57:42.068 16193 16193 D wpa_supplicant: l2_packet_receive: src=9c:**:**:**:97:80 len=49
08-03 23:57:42.068 16193 16193 D wpa_supplicant: wlan0: RX EAPOL from 9c:**:**:**:97:80
08-03 23:57:42.068 16193 16193 D wpa_supplicant: EAPOL: Received EAP-Packet frame
08-03 23:57:42.068 16193 16193 D wpa_supplicant: EAP: Received EAP-Request id=1 method=1 vendor=0 vendorMethod=0
08-03 23:57:42.068 16193 16193 I wpa_supplicant: eap auth started,set wifi mtu=1500
08-03 23:57:42.069 16193 16193 D wpa_supplicant: set wlan mtu to 1500

08-03 23:57:42.069 16193 16193 I wpa_supplicant: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
08-03 23:57:42.069 16193 16193 W wpa_supplicant: EAP: buildIdentity: identity configuration was not available
08-03 23:57:42.069 16193 16193 D wpa_supplicant: EAPOL: EAP parameter needed
08-03 23:57:42.069 16193 16193 D wpa_supplicant: Notifying network request to hidl control: 0
08-03 23:57:42.070 16193 16193 I wpa_supplicant: wlan0: CTRL-REQ-IDENTITY-0:Identity needed for SSID magma
08-03 23:57:42.070 16193 16193 D wpa_supplicant: EAP: No eapRespData available
08-03 23:57:42.108 16193 16193 D wpa_supplicant: EAPOL: received control response (user input) notification - retrying pending EAP
Request
08-03 23:57:42.108 16193 16193 I wpa_supplicant: eap auth started,set wifi mtu=1500
08-03 23:57:42.108 16193 16193 D wpa_supplicant: set wlan mtu to 1500
08-03 23:57:42.108 16193 16193 I wpa_supplicant: wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
08-03 23:57:42.109 16193 16193 D wpa_supplicant: TX EAPOL: dst=9c:**:**:**:97:80
08-03 23:57:42.383 16193 16193 I wpa_supplicant: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=23
08-03 23:57:42.383 16193 16193 D wpa_supplicant: EAP: Initialize selected EAP method: vendor 0 method 23 (AKA)
08-03 23:57:42.383 16193 16193 D wpa_supplicant: EAP-AKA: CONTINUE -> CONTINUE
08-03 23:57:42.383 16193 16193 I wpa_supplicant: wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 23 (AKA) selected
08-03 23:57:42.383 16193 16193 D wpa_supplicant: EAP-AKA: Subtype=5
08-03 23:57:42.383 16193 16193 D wpa_supplicant: EAP-SIM: AT_PERMANENT_ID_REQ
08-03 23:57:42.383 16193 16193 D wpa_supplicant: EAP-SIM: Attributes parsed successfully (aka=1 encr=0)
08-03 23:57:42.383 16193 16193 D wpa_supplicant: EAP-AKA: subtype Identity
08-03 23:57:42.383 16193 16193 D wpa_supplicant: Generating EAP-AKA Identity (id=2)
08-03 23:57:42.383 16193 16193 D wpa_supplicant: EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
eapRespData=0x7bffe427c0
08-03 23:57:42.597 16193 16193 D wpa_supplicant: EAP-SIM: AT_RAND
08-03 23:57:42.597 16193 16193 D wpa_supplicant: EAP-AKA: AT_AUTN
08-03 23:57:42.597 16193 16193 D wpa_supplicant: EAP-SIM: AT_MAC
08-03 23:57:42.597 16193 16193 D wpa_supplicant: EAP-AKA: subtype Challenge
08-03 23:57:42.597 16193 16193 D wpa_supplicant: EAP-AKA: UMTS authentication algorithm
08-03 23:57:42.598 16193 16193 D wpa_supplicant: EAP-AKA: Use external USIM processing
08-03 23:57:42.598 16193 16193 D wpa_supplicant: EAPOL: EAP parameter needed
08-03 23:57:42.598 16193 16193 D wpa_supplicant: Notifying network request to hidl control: 0
08-03 23:57:42.599 16193 16193 I wpa_supplicant: wlan0:
CTRL-REQ-SIM-0:UMTS-AUTH:230fe5c133719f27c56112f852876982:26099080b1f1800049b01227d7aea8db needed for SSID magma
08-03 23:57:42.599 16193 16193 D wpa_supplicant: EAP-AKA: Wait for external USIM processing
08-03 23:57:42.599 16193 16193 D wpa_supplicant: EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
eapRespData=(nil)
08-03 23:57:42.599 16193 16193 D wpa_supplicant: EAP: No eapRespData available
08-03 23:57:42.788 16193 16193 D wpa_supplicant: EAPOL: received control response (user input) notification - retrying pending EAP
Request
08-03 23:57:42.788 16193 16193 D wpa_supplicant: EAP-SIM: AT_RAND
08-03 23:57:42.788 16193 16193 D wpa_supplicant: EAP-AKA: AT_AUTN
08-03 23:57:42.788 16193 16193 D wpa_supplicant: EAP-SIM: AT_MAC
08-03 23:57:42.789 16193 16193 D wpa_supplicant: EAP-AKA: subtype Challenge
08-03 23:57:42.789 16193 16193 D wpa_supplicant: EAP-AKA: UMTS authentication algorithm
08-03 23:57:42.789 16193 16193 D wpa_supplicant: EAP-AKA: Use result from external USIM processing
08-03 23:57:42.789 16193 16193 D wpa_supplicant: EAP-AKA: CONTINUE -> SUCCESS
08-03 23:57:42.789 16193 16193 D wpa_supplicant: Generating EAP-AKA Challenge (id=3)

08-03 23:57:42.789 16193 16193 D wpa_supplicant: AT_RES
08-03 23:57:42.789 16193 16193 D wpa_supplicant: AT_CHECKCODE
08-03 23:57:42.789 16193 16193 D wpa_supplicant: AT_MAC
08-03 23:57:42.789 16193 16193 D wpa_supplicant: EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=COND_SUCC
eapRespData=0x7bffe427c0
08-03 23:57:42.954 16193 16193 D wpa_supplicant: EAP: Received EAP-Success
08-03 23:57:42.954 16193 16193 I wpa_supplicant: wlan0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
08-03 23:57:42.955 16193 16193 D wpa_supplicant: EAPOL: Ignoring WPA EAPOL-Key frame in EAPOL state machines
08-03 23:57:42.955 16193 16193 D wpa_supplicant: wlan0: IEEE 802.1X RX: version=2 type=3 length=117
08-03 23:57:42.955 16193 16193 D wpa_supplicant: wlan0: EAPOL-Key type=2
08-03 23:57:42.955 16193 16193 D wpa_supplicant: wlan0: key_info 0x8a (ver=2 keyidx=0 rsvd=0 Pairwise Ack)
08-03 23:57:42.955 16193 16193 D wpa_supplicant: wlan0: key_length=16 key_data_length=22
08-03 23:57:42.955 16193 16193 D wpa_supplicant: wlan0: State: ASSOCIATED -> 4WAY_HANDSHAKE
124:149,153,157,161 125:149,153,157,161,165 126:149,157 127:153,161 128:36,40,44,48 130:36,40,44,48
08-03 23:57:42.956 16193 16193 I wpa_supplicant: wlan0: WPA: RX message 1 of 4-Way Handshake from 9c:**:**:**:97:80 (ver=2)
08-03 23:57:42.956 16193 16193 D wpa_supplicant: wlan0: RSN: no matching PMKID found
08-03 23:57:42.956 16193 16193 D wpa_supplicant: EAPOL: Successfully fetched key (len=32)
08-03 23:57:42.956 16193 16193 D wpa_supplicant: EAPOL: Successfully fetched key (len=64)
08-03 23:57:42.956 16193 16193 D wpa_supplicant: RSN: Derive PMKID using HMAC-SHA-1
08-03 23:57:42.956 16193 16193 D wpa_supplicant: RSN: Added PMKSA cache entry for 9c:**:**:**:97:80 network_ctx=0x7bffe9d400
akmp=0x1
08-03 23:57:42.956 16193 16193 I wpa_supplicant: wlan0: PMKSA-CACHE-ADDED 9c:**:**:**:97:80 0
08-03 23:57:42.956 16193 16193 D wpa_supplicant: nl80211: Add PMKID for 9c:**:**:**:97:80
08-03 23:57:42.960 16193 16193 D wpa_supplicant: wlan0: RSN: the new PMK matches with the PMKID
08-03 23:57:42.961 16193 16193 D wpa_supplicant: WPA: PTK derivation using PRF(SHA1)
08-03 23:57:42.961 16193 16193 D wpa_supplicant: WPA: PTK derivation - A1=e4:**:**:**:01:3e A2=9c:**:**:**:97:80
08-03 23:57:42.961 16193 16193 I wpa_supplicant: wlan0: WPA: Sending EAPOL-Key 2/4
08-03 23:57:42.961 16193 16193 D wpa_supplicant: WPA: Send EAPOL-Key frame to 9c:**:**:**:97:80 ver=2 mic_len=16 key_mgmt=0x1
08-03 23:57:42.961 16193 16193 D wpa_supplicant: WPA: EAPOL-Key MIC using HMAC-SHA1
08-03 23:57:42.973 16193 16193 D wpa_supplicant: EAPOL: Ignoring WPA EAPOL-Key frame in EAPOL state machines
08-03 23:57:42.973 16193 16193 D wpa_supplicant: wlan0: IEEE 802.1X RX: version=2 type=3 length=151
08-03 23:57:42.973 16193 16193 D wpa_supplicant: wlan0: EAPOL-Key type=2
08-03 23:57:42.973 16193 16193 D wpa_supplicant: wlan0: key_info 0x13ca (ver=2 keyidx=0 rsvd=0 Pairwise Install Ack MIC Secure Encr)
08-03 23:57:42.973 16193 16193 D wpa_supplicant: wlan0: key_length=16 key_data_length=56
08-03 23:57:42.973 16193 16193 D wpa_supplicant: WPA: Decrypt Key Data using AES-UNWRAP (KEK length 16)
08-03 23:57:42.973 16193 16193 D wpa_supplicant: wlan0: State: 4WAY_HANDSHAKE -> 4WAY_HANDSHAKE
08-03 23:57:42.973 16193 16193 I wpa_supplicant: wlan0: WPA: RX message 3 of 4-Way Handshake from 9c:**:**:**:97:80 (ver=2)
08-03 23:57:42.974 16193 16193 D wpa_supplicant: wlan0: WPA: Installing PTK to the driver
08-03 23:57:42.975 16193 16193 D wpa_supplicant: wpa_driver_nl80211_set_key: ifindex=34 (wlan0) alg=3 addr=0x7bffe8c448 key_idx=0
set_tx=1 seq_len=6 key_len=16
08-03 23:57:42.975 16193 16193 D wpa_supplicant: addr=9c:**:**:**:97:80
08-03 23:57:42.976 16193 16193 I wpa_supplicant: wlan0: WPA: Sending EAPOL-Key 4/4
08-03 23:57:42.976 16193 16193 D wpa_supplicant: WPA: Send EAPOL-Key frame to 9c:**:**:**:97:80 ver=2 mic_len=16 key_mgmt=0x1
08-03 23:57:42.977 16193 16193 D wpa_supplicant: EAPOL authentication completed - result=SUCCESS
08-03 23:57:42.977 16193 16193 D wpa_supplicant: wlan0: State: 4WAY_HANDSHAKE -> GROUP_HANDSHAKE

124:149,153,157,161 125:149,153,157,161,165 126:149,157 127:153,161 128:36,40,44,48 130:36,40,44,48
08-03 23:57:42.978 16193 16193 D wpa_supplicant: wlan0: WPA: Installing GTK to the driver (keyidx=1 tx=0 len=16)
08-03 23:57:42.983 16193 16193 D wpa_supplicant: wpa_driver_nl80211_set_key: ifindex=34 (wlan0) alg=3 addr=0x58e11d5e5c key_idx=1
set_tx=0 seq_len=6 key_len=16
08-03 23:57:42.983 16193 16193 D wpa_supplicant: broadcast key
08-03 23:57:42.983 16193 16193 I wpa_supplicant: wlan0: WPA: Key negotiation completed with 9c:**:**:**:97:80 [PTK=CCMP GTK=CCMP]
08-03 23:57:42.983 16193 16193 D wpa_supplicant: wlan0: Cancelling authentication timeout
08-03 23:57:42.983 16193 16193 D wpa_supplicant: wlan0: State: GROUP_HANDSHAKE -> COMPLETED
08-03 23:57:42.983 16193 16193 D wpa_supplicant: wlan0: Radio work 'connect'@0x7bffe2d240 done in 0.963924 seconds
08-03 23:57:42.984 16193 16193 D wpa_supplicant: wlan0: radio_work_free('connect'@0x7bffe2d240): num_active_works --> 0
08-03 23:57:42.984 16193 16193 I wpa_supplicant: wlan0: CTRL-EVENT-CONNECTED - Connection to 9c:**:**:**:97:80 completed [id=0
id_str=%7B%22configKey%22%3A%22%5C%22magma%5C%22WPA_EAP%22%2C%22creatorUid%22%3A%221000%22%7D]
Note
The log format and contents may differ depending on Android version.
7.7.3 ADB cheat sheet
Command Description
./adb shell Enters the Android shell. Works for Android 4.

“Permission denied” for Android 10.
./adb shell Shows WPA Supplicant configuration.

shell@android:/ $ cat /etc/wifi/wpa_supplicant.conf
./adb devices Use “-s” parameter if more than one Android

phones are being debugged:
./adb -s 39V4C19916015719 logcat | grep
wpa_supplicant 39V4C19916015719 - Android 10 (Huawei)
4203931c45243100 - Android 4 (Samsung)
./adb -s 4203931c45243100 logcat | grep
wpa_supplicant
./adb -s 4203931c45243100 logcat -b radio Shows radio logs
./adb -s 4203931c45243100 shell dumpsys Shows IMEI

iphonesubinfo
Reference
https://www.xda-developers.com/install-adb-windows-macos-linux/
https://www.xda-developers.com/how-to-take-logs-in-android/
http://adbcommand.com/awesome-adb

8 Appendices
APPENDIX 1 - USIM Parameters
Parameter Description
AMF Authentication Management Field. The AMF is a 16 bit value which is used to set the
acceptable synchronization window in both the UE (User Equipment) and the network.
ICCID 19 or 20 characters USIM's unique serial number printed on the card. Used mainly for
logistics.
PIN/PUK PINs and PUKs are codes to unlock the card. If you get the PIN wrong too many times you
need the longer PUK to unlock it.
ADM Administrative Key.

The administrative key controls the access to, and modification of, the configuration
parameters of the USIM
IMSI International Mobile Subscriber Identity. IMSIs are hierarchical, starting with 3 digit Mobile
Country Code MCC, then the Mobile Network Code (MNC) (2/3 digits) and finally a Mobile
Subscription Identification Number (MSIN), a unique number allocated by the operator to the
subscribers in their network.
ACC Access Control Class. The ACC allows values from 0-15, and determines the access control
class of the subscriber.
AD Administrative Data. Like the ACC field the AD field allows operators to drive test networks
without valid paying subscribers attaching to the network.
Ki Subscriber's Key. Subscriber’s secret key known only to the Subscriber (USIM) and the HSS.
OP Operator Code. Same for all USIMs from a single operator. Used in combination with Ki as an
input for some authentication / authorisation crypto generation.
OPc Instead of giving each USIM the Operator Code (OP), a derived operator code can be
precomputed when the USIM is written with the Ki key.This means the OP is not stored on
the USIM.
OPc=Encypt-Algo(OP,Key)
PLMN Public Land Mobile Network.

The PLMN is the combination of MCC & MNC that identifies the operator’s radio access
network (RAN) from other operators.
While there isn’t a specific PLMN field in most USIMs it’s worth understanding as several
fields require a PLMN.

HPLMNwACT HPLMN selector with Access Technology.
Contains in order of priority, the Home-PLMN codes with the access technology specified.
This allows the USIM to work out which PLMN to attach to and which access technology
(RAN), for example if the operator’s PLMN was 50599 we could have:
50599 E-UTRAN
50599 UTRAN
To try 4G and if that fails use 3G.

In situations where operators might partner to share networks in different areas, this could
be set to the PLMN of the operator first, then its partnered operator second.
OPLMNwACT Operator controlled PLMN selector with Access Technology.

This is a list of PLMNs the operator has a roaming agreement with in order of priority and
with the access technology.
An operator may roam to Carrier X but only permit UTRAN access, not E-TRAN.
EHPLMN Equivalent HPLMN

Used to define equivalent HPMNs, for example if two carriers merge and still have two
PLMNs.
FPLMN Forbidden PLMN list.

A list of PLMNs the subscriber is not permitted to roam to.
HPPLMN Higher Priority PLMN search period.

How long in seconds to spend between each PLMN/Access Technology in HPLMNwACT list.
GID 1/2 Two group identifier fields that allow the operator to identify a group of USIMs for a
particular application.
SMSP Short message service parameters

This EF contains values for Short Message Service header Parameters (SMSP), which can be
used by the ME for user assistance in preparation of mobile originated short messages. For
example, a service centre address will often be common to many short messages sent by the
subscriber.
MSISDN Mobile Station International Subscriber Directory Number. The E.164 formatted phone
number of the subscriber (not mandatory in Magma setup).
SPN SPN (Service Provider Name)

The SPN is an optional field containing the human-readable name of the network.
The SPN allows MVNOs to provide their own USIMs with their name as the operator on the
handset.
ECC Codes up to 6 digits long the subscriber is allowed to dial from the home screen / in
emergency / while not authenticated (999,112, etc.)
Milenage AES-based confidentiality algorithm used in 3GPP networks
XOR XOR is available as an alternative to Milenage available on some SIM cards for testing only,

and the mechanism for XOR Confidentiality Algorithm is only employed in testing scenarios,
not designed for production. Instead of using AES under the hood like Milenage, it’s just plain
old XOR of the keys.
APPENDIX 2 - Suspend / resume Magma and FreePCRF

Execute the command below to suspend all Magma services and FreePCRF VM to
release resources of your Mac:

$ cd ${MAGMA_CLONE_DIR}/magma/feg/gateway; vagrant suspend feg
$ cd ${MAGMA_CLONE_DIR}/magma/cwf/gateway; vagrant suspend cwag
$ cd ${MAGMA_CLONE_DIR}/magma/orc8r/cloud/docker/; ./run.py --down
$ cd ${MAGMA_CLONE_DIR}/magma/nms/app/packages/magmalte/; docker-compose down
$ vboxmanage controlvm freePCRF savestate
Launch the following commands to resume Magma services and FreePCRF VM:

$ cp -r ${MAGMA_CLONE_DIR}/Backup/magma_orc8r_build /tmp/
$ cd ${MAGMA_CLONE_DIR}/magma/orc8r/cloud/docker/; ./run.py --metrics; sleep 30;docker-compose
ps
$ cd ${MAGMA_CLONE_DIR}/magma/nms/app/packages/magmalte/; docker-compose up -d; sleep 60;
docker-compose ps
$ cd ${MAGMA_CLONE_DIR}/magma/feg/gateway; vagrant up feg
$ cd ${MAGMA_CLONE_DIR}/magma/cwf/gateway; vagrant up cwag
$ vboxmanage startvm freePCRF

APPENDIX 3 - Access credentials
Access method Login / password
Cisco AP
ssh magma@172.16.0.2 magma / magma
http://172.16.0.2 magma / magma
Orc8r
admin_operator.pfx (certificate password) - / magma
https://localhost:9443/apidocs/v1/#/ (Orc8r API) -/-
http://localhost:5601/app/kibana (Orc8r Kibana) -/-
http://localhost:9093/#/alerts (Orc8r Alert Manager) -/-
http://localhost:9090/graph (Orc8r Prometheus) -/-
http://localhost:3000/grafana/login (Orc8r Grafana) -/-
NMS
https://master.localhost/ (NMS Master Organisation) admin@magma.test / password1234
https://magma-test.localhost/ (NMS Test Organisation) admin@magma.test / password1234
FreePCRF
ssh root@localhost root / password
http://localhost:9080/ (FreePCRF Console) -/-
http://localhost:8093/ (FreePCRF MiniCRM) -/-
http://localhost:9080/trace/ (FreePCRF Tracer) -/-
http://localhost:8091/ (FreePCRF Server Monitoring and -/-

Documentation)

APPENDIX 4 - Collection of links
Magma
URL Description
https://github.com/magma/magma/blob/master/docs/pdfs/Mag Magma Product Overview

ma_Product_Overview.pdf
1. https://github.com/magma/magma/blob/master/docs/p Magma Product Specification

dfs/Magma_Specs_FFWA_V1.1.pdf
2. https://github.com/magma/magma/blob/master/docs/p
dfs/Magma%20FWA%20Product%20Specifications%20v1
.0.pdf
https://github.com/magma/magma/blob/master/docs/readmes/c CWAG t-shooting

wf/troubleshooting.md
1. https://github.com/magma/magma/blob/master/docs/re Configuring Federation Gateway

admes/feg/deploy_configure.md (omnipresent rules, disabling Gx/Gy,
redirect support, etc)
2. https://docs.magmacore.org/docs/feg/federated_fwa_set
up_guide
https://github.com/magma/magma/blob/master/docs/readmes/f Session proxy (+ PCRF-less setups)

eg/session_proxy.md
https://github.com/magma/magma/blob/master/docs/readmes/c Pipelined Packet Tracker debugging

wf/troubleshooting.md
https://docs.magmacore.org/docs/resources/ref_pcap PCAP collection (!!!)
https://docs.magmacore.org/docs/lte/architecture_overview# AGW services
https://docs.magmacore.org/docs/resources/ref_magma_metrics Magma metrics
https://docs.magmacore.org/docs/howtos/ue_metering n UE metering
https://github.com/magma/magma/blob/master/docs/readmes/lt Magma Datapath - AGW (!!!)

e/datapath.md

OvS, pipelined
URL Description
https://superuser.openstack.org/articles/openvswitch-openstack- Understanding Open vSwitch (!!!)

sdn/
https://docs.openvswitch.org/en/latest/faq/configuration/ OvS basic configuration
https://docs.openvswitch.org/en/latest/faq/ OvS FAQ
https://supportportal.juniper.net/s/article/NFX-Open-vSwitch-OV Open vSwitch (OvS) commands for

S-commands-for-troubleshooting?language=en_US#pktdrops troubleshooting (!!!)
https://gist.github.com/djoreilly/c5ea44663c133b246dd9d42b921 OvS cheat sheet (!!!)

f7646
https://ovs-reviews.readthedocs.io/en/latest/tutorials/ovs-advanc OvS advanced features

ed.html
http://www.openvswitch.org//support/slides/OVS-Debugging-110 OvS debugging (!!!)

414.pdf
QoS
URL Description
https://tldp.org/HOWTO/Traffic-Control-HOWTO/intro.html Linux Traffic Control - HOWTO (!!!)
https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch21s02.html Linux QoS using TC (!!!)
https://netbeez.net/blog/how-to-use-the-linux-traffic-control/ How to use Linux Traffic Control
VirtualBox
URL Description
https://www.nakivo.com/blog/virtualbox-network-setting-guide/ VirtualBox Network Settings: Complete

Guide
https://www.virtualbox.org/manual/ch06.html Virtual Networking
https://forums.virtualbox.org/viewtopic.php?f=2&t=96296 Non-working NAT network

Cisco AP
URL Description
1. https://mrncciew.com/2012/10/20/lightweight-to-auton Lightweight AP to autonomous

omous-conversion/ conversion
2. https://community.cisco.com/t5/wireless/converting-a-li
ghtweight-ap-to-an-autonomous-ap/td-p/2284278
https://assets-cf.criticalpowersupplies.co.uk/assets/files/44/14/cr Cisco IOS Command Reference for

-TOC.pdf Autonomous Cisco Aironet Access Points
and Bridges
https://www.cisco.com/web/techdoc/wireless/access_points/onli Online help for AP1140 GUI

ne_help/eag/123-04.JA/1100/h_ap_sec_ap-client-security.html
https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/comm IOS Radius commands

and/reference/srfrad.html#wp1033324
https://www.cisco.com/c/en/us/td/docs/wireless/access_point/m Cisco security commands for APs

ob_exp/83/cmd-ref/me_cr_book/me_security_cli.html
https://www.cisco.com/c/en/us/td/docs/wireless/access_point/1 Cisco IOS Configuration Guide for

5-3-3-JB/configuration/guide/cg_book/cg-chap5-admin.html Autonomous Cisco Aironet Access
Points - Release 15.3(3)JBB (!!!)
Subchapters:
Config examples:
https://www.cisco.com/c/en/us/td/docs/wireless/access_point/15-3-3-JB/configurati
on/guide/cg_book/cg-chap4-first.html
Auth types:
on/guide/cg_book/cg-chap11-authtypes.html
EoGRE:
on/guide/cg_book/cg-chap-EoGRE.html
Radius config (incl. CoA):
on/guide/cg_book/cg-chap13-radius-tacacs.html
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/s Configure SSIDs and VLANs on

ervice-set-identifier-ssid/210516-SSIDs-and-VLANs-configuration- Autonomous APs (diagnostics
on-Autonom.html commands/debugs) (!!!!!)
https://www.cisco.com/c/en/us/support/docs/wireless/aironet-1 WPA configuration overview and

100-series/44721-WPAOverview.html troubleshooting (!!!)
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/ How to Configure RADIUS Change of

configuration/xe-16-10/sec-usr-aaa-xe-16-10-book/sec-rad-coa.h Authorization (!!!):
tml COA request/responses, configuration

examples, error codes, monitoring &
t-shooting
https://www.portnox.com/blog/radius-change-of-authorization/ RADIUS Change of Authorization – What

is It?
https://www.cisco.com/c/en/us/support/docs/wireless/aironet-1 Debug authentications (!!!)

200-series/50843-debug-authen.html#EAP
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/ IOS AAA Configuration guide (!!!)

configuration/15-mt/sec-usr-aaa-15-mt-book.pdf
1. https://www.ciscozine.com/802-1x-introduction-general 802.1x: Introduction and general

-principles/ principles + configuration guide (cisco
2. https://www.ciscozine.com/dot1x-global-configuration-d switch)
eployment-guide/
https://community.cisco.com/t5/wireless/air-sap1602i-fails-with- Aironet config example

wpa2-eap/td-p/2517463
https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/B Advanced Wireless Troubleshooting

RKEWN-3011.pdf
https://www.cisco.com/c/nl_nl/support/docs/wireless-mobility/se Useful Aironet debug outputs (!!!)

rvice-set-identifier-ssid/210516-SSIDs-and-VLANs-configuration-o
n-Autonom.pdf

802.1x, EAP-AKA, EAPoL, MILENAGE, USIMs, Diameter, SWx, Gx, Gy
URL Description
https://www.cisco.com/en/US/docs/wireless/wlan_adapter/secur 802.11 Network Security

e_client/5.1.0/administration/guide/C1_Network_Security.html Fundamentals (!!!)
1. https://en.wikipedia.org/wiki/IEEE_802.1X IEEE 802.1x

2. https://www.ciscozine.com/802-1x-introduction-general-
principles/
https://datatracker.ietf.org/doc/html/rfc4187 RFC4187 (EAP-AKA)(!!!)
1. https://wifiwiki.wordpress.com/2018/03/08/eap-aka-sim EAP-AKA simplified description +

plified/ wireless captures (!!!)
2. https://wifiwiki.wordpress.com/2019/11/10/understandi
ng-eap-aka-through-wireless-captures/
https://wiki.freeradius.org/guide/eap-sim EAP-AKA, EAP-SIM, EAP-SIM’, auth

vectors overview (!!!)
https://www.iana.org/assignments/eapsimaka-numbers/eapsima EAP-AKA and EAP-SIM Parameters

ka-numbers.xhtml#eapsimaka-numbers-6
https://freeradius.org/rfc/rfc2869.html#EAP-Message Radius EAP message (!!!)
https://www.vocal.com/secure-communication/eapol-extensible- EAPoL Protocol – Extensible

authentication-protocol-over-lan/ Authentication Protocol over LAN
1. https://www.wifi-professionals.com/2019/01/4-way-hand 4-way handshake (!!!)

shake
2. https://crypto.stackexchange.com/questions/73196/wha
t-is-the-relation-between-aes-and-ptk-in-wpa2-wifi
1. https://documentation.meraki.com/MR/WiFi_Basics_and 802.11 Authentication & Association

_Best_Practices/802.11_Association_Process_Explained
2. https://wifibond.com/2017/04/08/802-11-association-pr
ocess/
3. https://www.intel.com/content/www/us/en/support/artic
les/000006508/wireless/legacy-intel-wireless-products.ht
ml
4. https://networklessons.com/cisco/ccna-200-301/wireless
-authentication-methods
5. https://netbeez.net/blog/station-authentication-associati
on/
https://nickvsnetworking.com/hss-usim-authentication-in-lte-nr-4 HSS & USIM Authentication in LTE/NR

g-5g/ (4G & 5G) - Option 4 – Mutual
Authentication (Real World*) (!!!)

https://nickvsnetworking.com/querying-auth-credentials-from-us Querying Auth Credentials from
im-sim-cards/ USIM/SIM cards (!!!)
https://www.sharetechnote.com/html/Handbook_LTE_Authentica Handbook LTE authentication (!!!)

tion.html
https://nickvsnetworking.com/confidentiality-algorithms-in-3gpp- Confidentiality Algorithms in 3GPP

milenage-xor-comp128/ Networks: MILENAGE, XOR & Comp128
https://www.3glteinfo.com/lte-security-architecture/ LTE security architecture (key types,

auth vectors, etc.) (!!!)
https://medium.com/uw-ictd/lte-authentication-2d0810a061ec LTE authentication (message

exchange, keys, Milenage) (!!!)
http://howltestuffworks.blogspot.com/2011/11/authentication-re LTE authentication request

quest.html
https://www.3gpp.org/specifications/60-confidentiality-algorithm Specification of the MILENAGE algorithm

s set
https://nickvsnetworking.com/usim-basics/ LTE (4G) – USIM Basics
http://www.sharetechnote.com/html/Handbook_LTE_USIM_Para USIM parameters

meters.html
https://cyberloginit.com/2018/05/03/build-a-lte-network-with-srsl USIM programming (with SIM

te-and-program-your-own-usim-card.html Personalize tools)
1. https://pl.aliexpress.com/item/33042823324.html?spm= Oyeitimes SIM card reader/writer + SIM

a2g0s.9042311.0.0.32c84c4dMehAbh Personalize tools
2. http://oyeitimes.com/about.php?id=535&ids=566
https://www.etsi.org/deliver/etsi_ts/131100_131199/131102/11.0 ETSI TS 131 102

6.00_60/ts_131102v110600p.pdf Universal Mobile Telecommunications
System (UMTS); LTE; Characteristics of
the Universal Subscriber Identity Module
(USIM) application
https://www.rfwireless-world.com/Tutorials/LTE-Bearer-types.ht LTE bearer types

ml#:~:text=An%20LTE%20EPS%20bearer%20provides,network%2
0using%20'attach%20procedure'.
https://www.f5.com/services/resources/glossary/diameter-interfa Diameter interfaces

ces
https://datatracker.ietf.org/doc/html/rfc6733 RFC 6733 (Base Diameter Protocol)

https://www.juniper.net/documentation/us/en/software/junos/s Diameter Base Protocol - introduction
ubscriber-mgmt-sessions/topics/topic-map/diameter-base-proto from Juniper
col.html
https://www.cspsprotocol.com/swx-interface/ SWx
https://www.etsi.org/deliver/etsi_ts/129200_129299/129273/15.0 SWx description (as of page 112) (!!!)

2.00_60/ts_129273v150200p.pdf
https://www.cspsprotocol.com/gy-interface/ Gy
http://www.lteandbeyond.com/2012/01/gx-interface-sitting-betw Gx
een-pcrf-and.html
https://www.etsi.org/deliver/etsi_ts/129200_129299/129212/07.1 Gx description, PCC rules provisioning,

5.00_60/ts_129212v071500p.pdf messages, etc (!!!)
https://infocenter.nokia.com/public/7750SR140R4/index.jsp?topi Diameter and Diameter applications:

c=%2Fcom.sr.triple.play%2Fhtml%2Fgx_policy.html Gx protocol, policy assignment
(pull/push) models, IP CAN, Policy
management via Gx, etc (!!!)
https://www.developingsolutions.com/solutions/use-cases/policy Policy Use Case – Resource Allocation

-use-case-resource-allocation/ (CCR/CCA, RAR/RAA message
exchange) (!!!)
https://www.developingsolutions.com/solutions/use-cases/policy Policy Use Case – Usage Monitoring

-use-case-usage-monitoring-and-reporting/ and Reporting (CCR/CCA, RAR/RAA
message exchange) (!!!)
https://en.wikipedia.org/wiki/Diameter_Credit-Control_Applicatio Diameter Credit Control Application

n (!!!)
https://en.wikipedia.org/wiki/Policy_and_charging_rules_function Policy and charging rules function
https://forum.huawei.com/carrier/en/thread-73483.html Static/Dynamic PCC rules (!!!)
https://www.juniper.net/documentation/us/en/software/junos/s Understanding How Subscriber-Aware

ubscriber-aware-policy/topics/concept/tdf-dynamic-rules-provisi Policy and Charging Control Rules Are
on-understanding.html Provisioned Dynamically by a PCRF
https://www.juniper.net/documentation/us/en/software/junos/s Understanding How Subscriber-Aware

ubscriber-aware-policy/topics/concept/tdf-static-rules-provision- Policy and Charging Control Rules Are
understanding.html Provisioned Statically
https://www.juniper.net/documentation/en_US/junos-space-apps Understanding Policy and Charging

/edge-services-director1.0/topics/concept/tdf-pcef-overview-esd. Enforcement Function (PCEF)

html
Yota/Telexir FreePCRF
URL Description
Telexir PCRF 3.7.1. Quick Start Guide.pdf Telexir PCRF 3.7.1. Quick Start Guide
Yota PCRF 3.6. Subscriber Management Interface Descripti… Yota PCRF 3.6. Subscriber
Management Interface Description
Yota PCRF 3.6. Policy Engine Description.pdf Yota PCRF 3.6. Policy Engine
Description
Yota PCRF 3.6. Product Description.pdf Yota PCRF 3.6. Product Description
Yota PCRF 3.6. Release Notes.pdf Yota PCRF 3.6. Release Notes
Yota PCRF 3.6. Installation Guide.pdf Yota PCRF 3.6. Installation Guide
Yota PCRF 3.6. Administrators Guide.pdf Yota PCRF 3.6. Administrators Guide
Yota PCRF 3.6. Backup and Recovery.pdf Yota PCRF 3.6. Backup and Recovery
Yota PCRF 3.6. DDF Information Interface Description.pdf Yota PCRF 3.6. DDF Information Interface
Description
Yota PCRF Policy Control Presentation (Berlin 2014).pdf Yota PCRF Policy Control Presentation
(Berlin 2014)
https://github.com/marcosbontempo/freePCRF FreePCRF github source

(Public) Build An Inexpensive Carrier-WiFi Network On Your Laptop With Magma (54dc60e7a v1.1)

Uploaded by

Copyright:

Available Formats

You might also like

(Public) Build An Inexpensive Carrier-WiFi Network On Your Laptop With Magma (54dc60e7a v1.1)

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

(Public) Build An Inexpensive Carrier-WiFi Network On Your Laptop With Magma (54dc60e7a v1.1)

Uploaded by

Copyright:

Available Formats

US HEADQUARTERS

© 2005–2022 All Rights Reserved www.mirantis.com Page 1

2 Purpose of this document 8

© 2005–2022 All Rights Reserved www.mirantis.com Page 2

4 Carrier-WiFi Lab deployment 37

© 2005–2022 All Rights Reserved www.mirantis.com Page 3

5 Carrier-WiFi in action 137

© 2005–2022 All Rights Reserved www.mirantis.com Page 4

7 Logging, debugging and troubleshooting 161

© 2005–2022 All Rights Reserved www.mirantis.com Page 5

© 2005–2022 All Rights Reserved www.mirantis.com Page 6

© 2005–2022 All Rights Reserved www.mirantis.com Page 7

© 2005–2022 All Rights Reserved www.mirantis.com Page 8

A high-level architecture of the Magma Carrier-WiFi solution integrated with WLAN

© 2005–2022 All Rights Reserved www.mirantis.com Page 9

3.2 Carrier-WiFi Lab components

© 2005–2022 All Rights Reserved www.mirantis.com Page 10

As opposed to typical Magma deployments with eNodeBs and Access Gateways

Remaining, crucial Lab components listed below will be implemented as Docker

● Magma - Orchestrator (Orc8r) [Docker Desktop@MacOS],

© 2005–2022 All Rights Reserved www.mirantis.com Page 11

3.3 Software inventory

Figure 3. Orc8r overview

© 2005–2022 All Rights Reserved www.mirantis.com Page 12

3.3.3 Carrier-WiFi Access Gateway (CWAG)

© 2005–2022 All Rights Reserved www.mirantis.com Page 13

© 2005–2022 All Rights Reserved www.mirantis.com Page 14

3.3.4 Federation Gateway (FEG)

FEG supports the following features and functionalities:

The key containerized services running on the Federated Gateway include:

© 2005–2022 All Rights Reserved www.mirantis.com Page 15

3.3.5 Home Subscriber Server (HSS)

3.3.6 Policy and Charging Rules Function (PCRF)

3.3.7 Online Charging System (OCS)

3.4 Hardware specifications

© 2005–2022 All Rights Reserved www.mirantis.com Page 16

2. 2 x USB-C⟺ Ethernet adapter (Green Cell AK61).

3. WiFi Access Point

Pre-owned bundle, price 65 PLN / ~17 USD

4. SIM card reader / writer:

Price 73 PLN /~46 USD (Oct. 2020)

© 2005–2022 All Rights Reserved www.mirantis.com Page 17

Figure 4. Physical network setup

© 2005–2022 All Rights Reserved www.mirantis.com Page 18

3.5 High-level user flows

3.5.1 User Authentication/Attach flow

© 2005–2022 All Rights Reserved www.mirantis.com Page 19

● The EAP-AKA WiFi profile is configured manually or pushed to User

© 2005–2022 All Rights Reserved www.mirantis.com Page 20

3.5.2 User Data flow

Figure 6. User Data flow

© 2005–2022 All Rights Reserved www.mirantis.com Page 21

3.6 USIM-based authentication and authorization -

EAP-AKA is used by the Magma Carrier-WiFi solution for bi-directional

There are three main components of the authentication process :

© 2005–2022 All Rights Reserved www.mirantis.com Page 22

Figure 7. MILENAGE overview

© 2005–2022 All Rights Reserved www.mirantis.com Page 23