(Public) Build An Inexpensive Carrier-WiFi Network On Your Laptop With Magma (54dc60e7a v1.1)
Campbell, CA
900 E Hamilton Avenue, Suite 650,
Campbell, CA 95008
+1-650-963-9828 Phone
+1-650-963-9723 Fax
Build an inexpensive
Carrier-WiFi network
on your laptop with
Magma
Wojciech Nawrot
Contributors:
Chandra Reddy Dodda
Denys Myrhorodskyi
Kishwar Hossain
2020-2022
1 Introduction 7
3 Carrier-WiFi architecture 9
3.1 What is Carrier-WiFi? 9
Figure 1. Carrier-WiFi architecture 10
3.2 Carrier-WiFi Lab components 10
Figure 2. Carrier-WiFi Lab components 11
3.3 Software inventory 12
3.3.1 Orchestrator (Orc8r) 12
Figure 3. Orc8r overview 12
3.3.2 NMS 13
3.3.3 Carrier-WiFi Access Gateway (CWAG) 13
Pipelined 13
Sessiond 13
DPId 13
PolicyDB 13
Radiusd 13
Radius 14
Aaa_server 14
Control proxy 14
Magmad 14
Directoryd 14
Eventd 14
Td-agent-bit 14
Health checker 14
Redirectd 15
3.3.4 Federation Gateway (FEG) 15
session_proxy 15
swx_proxy 15
3.3.5 Home Subscriber Server (HSS) 16
3.3.6 Policy and Charging Rules Function (PCRF) 16
3.3.7 Online Charging System (OCS) 16
6 To Dos 159
6.1 Enable FUA redirect 160
6.2 Application-based Internet access 160
6.3 AGW and eNodeB 160
8 Appendices 191
APPENDIX 1 - USIM Parameters 193
APPENDIX 2 - Suspend / resume Magma and FreePCRF 195
APPENDIX 3 - Access credentials 196
APPENDIX 4 - Collection of links 197
Magma 197
OvS, pipelined 198
QoS 198
VirtualBox 198
Cisco AP 198
802.1x, EAP-AKA, EAPoL, MILENAGE, USIMs, Diameter, SWx, Gx, Gy 201
Yota/Telexir FreePCRF 204
Phones switch from LTE to WiFi automatically if the carrier’s WiFi network is
detected. They authenticate with the carrier’s USIM card and access the Internet
according to data plan-specific Policy and Charging Control (PCC) rules. A phone is
disconnected from the WiFi network (or the Internet slows down) if the subscriber's
data pack for a specific validity period is exhausted. However, for some traffic
categories, data usage tracking can be disabled so that specific apps such as
Facebook or WhatsApp can be used totally free of charge.
Refer to the next chapter for description of respective software components and
subcomponents.
3.3.2 NMS
Magma’s NMS provides a single pane of glass for managing Magma based networks.
NMS provides the ability to configure gateways, visibility into status, events and
metrics observed in these networks; and the ability to configure and receive alerts.
The CWAG VM comprises Open vSwitch, which is used to implement basic PCEF
functionality for user plane traffic as well as the following services running inside
Docker containers:
Pipelined
Pipelined is the control application that programs the OvS OpenFlow rules. Pipelined
is a set of services that are chained together.
Sessiond
Sessiond implements the control plane for the PCEF functionality in Magma. It is
responsible for the lifecycle management of the session state (credit and rules)
associated with a user. It interacts with the PCEF datapath through pipelined for
L2-L4 and DPId for L4-L7 policies.
DPId
DPId is a deep packet inspection service to enforce policy rules.
PolicyDB
PolicyDB is the service that supports static PCRF rules. This service runs in both the
CWAG and the Orc8r. Rules managed through the REST API are streamed to the
PolicyDB instances on the CWAG. Sessiond ensures these policies are implemented
as specified.
Radius
Radius is a service which exchanges encapsulated EAP-RADIUS and accounting
messages with a WiFi Access Point (802.1x Authenticator).
Aaa_server
The 3GPP AAA server provides USIM-based EAP-AKA authentication, authorization
and policy control to the packet gateway for 3GPP WiFi access.
Control proxy
The control proxy manages the network transport between gateways and the Orc8r.
It also provides the following functionality:
● Abstract service addressing by providing a service registry, mapping a
user-addressable name to its remote IP and port.
● Push all traffic over HTTP/2, encrypted using TLS. The traffic is routed to
individual services by encoding the service name in the HTTP/2 authority
header.
● Individual gRPC calls between a gateway and the controller are multiplexed
over the same HTTP/2 connection, avoiding connection setup time per RPC
call.
Magmad
Parent service to start all Magma services, owns the collection and reporting of
metrics of services, and also acts as the bootstrapping client with Orc8r.
Directoryd
Lookup service that provides the ability to push different keys and attribute pairs for
each key. Commonly used keys include subscriber ID and session ID.
Eventd
Service that acts like an intermediary for different Magma services, using the
service303 interface. It receives and pushes the generated registered events to the
td-agent-bit service on the gateway, so these can be then later sent to the Orc8r.
These events will be sent to Elasticsearch, where they can be queried.
Td-agent-bit
Enables log aggregation and event logging, where it takes input from syslog and the
events service and forwards the output to the Orc8r. It is received on the Orc8r by
Fluentd then stored in Elasticsearch.
Redirectd
Redirectd is a service which supports FUA (Final Unit Action) redirection for users
whose service units have been exhausted.
session_proxy
The session_proxy service translates calls from gRPC to the Gx/Gy protocol between
CWAG and PCRF/OCS. It controls the session of each subscriber with the following
interfaces:
● Notifies the PCRF/OCS of a new session and returns rules associated with a
subscriber, along with credits for each rule.
● Updates the PCRF/OCS with each used credit and terminations from CWAG.
● Terminates the session in PCRF/OCS for a subscriber.
● Updates a monitor given its usage and session information.
● Processes QoS information.
● Creates a session request.
● Updates rules for each session.
Reference
Refer to Yota PCRF 3.6. Product Description.pdf for product architecture and
features.
Decision
The OCS component is not mandatory for the Magma Carrier-WiFi solution to
work and will not be deployed in the Lab.
6. Home router:
● Ubiquiti ER-10X router
Note
● Make sure that your Mac has at least 8 CPUs and 16 Gigs of RAM,
The illustration of the MILENAGE algorithm with Input and Output Parameters is
shown in the diagram below:
Reference: https://www.sharetechnote.com/html/Handbook_LTE_Authentication.html
The configurable Input Parameters for the MILENAGE algorithm in the Carrier-WiFi
Lab include K, OP (and AMF 1) values, which are stored in USIM cards and in the HSS
service/subscriber config. OPc is derived from OP, Ek is derived from K, while the
other parameters are either pre-configured/hardcoded (c1-c5, r1-r5, SQN) or
1 Note that AMF is configurable only on the HSS side.
The self-created message flow may be slightly inaccurate, but it is good enough for
the reader to get a general understanding of 802.1x/EAP-AKA authentication,
HSS/PCRF authorization, data usage reporting or user traffic encryption.
Step 1
a. At the beginning of the 802.11 authentication and association process, the UE
scans all of the available frequencies in search of SSIDs to join. The UE sends
probe request frames which contain supported data rates and 802.11
capabilities. APs in proximity reply with probe response frames that contain
the SSID and BSSID.
b. When the UE finds an SSID that matches its configuration, it sends a null
authentication request (algorithm: Open System), after which the AP sends
After this process is completed, 802.11 data frames can be sent between the
UE and AP. These data frames are limited to 802.1x frames until the 802.1x/EAP
authentication is completed and successful.
Step 2
Once association is successful, the AP starts the EAP frame exchange with an
EAP-Request/Identity frame. With this frame the AP asks the UE for its identity
information in order to start the authentication process with the core network elements.
Step 3
On receiving the EAP identity request, the UE responds with an EAP-Response/Identity
frame, which includes the IMSI to be used as the user identity against which the
user will be authenticated by the HSS. In the identity, the prefix “0” is used as the
WLAN Identity Prefix, meaning that the authentication algorithm type is EAP-AKA and
not EAP-SIM or EAP-AKA'.
The EAP-Response/Identity from UE is sent by AP to AAA Server (CWAG) in the
Radius Access-Request packet.
Step 4
AAA Server responds to AP with a Radius Access-Challenge packet containing
EAP-Request/AKA-Identity message with AT_PERMANENT_ID_REQ attribute to
indicate that the server wants the peer to include permanent identity in the
AT_IDENTITY attribute of the EAP-Response/AKA-Identity message.
AP forwards the obtained EAP-Request to UE.
Step 6
AAA Server contacts FEG through gRPC and provides it with user identity, which is
further contained in MAR and SAR Diameter messages sent to HSS through SWx.
{
"userName": "101012345678911",
"sipNumAuthVectors": 3,
"authenticationScheme": "EAP_AKA",
"resyncInfo": null,
"retrieveUserProfile": true
}
while SAR (Server Assignment Request) is a request for a non-3gpp user profile
(Server-Assignment-Type AVP set to AAA_USER_DATA_REQUEST).
"userName": "101012345678911",
"sipAuthVectors": [
{
"authenticationScheme": "EAP_AKA",
"randAutn": "GO/KoWplNNCY4EV3Z6FnI5usLKhs1oAA6ttgGj3HA6M=",
"xres": "UOrLcSPTl9Y=",
"confidentialityKey": "M+hN2I29cZwXkXvFAJoToA==",
"integrityKey": "scHXKlKAf1rKZFwiYSM0vg=="
},
Reference
Refer to ETSI TS 129 273 "3GPP EPS AAA interfaces" as of page 112 for full SWx
description including procedures and messages.
At this point, AAA Server generates MK (Master Key) using UE identity and the CK / IK
values obtained from HSS as a part of authentication vector:
MK = SHA1(Identity|IK|CK)
The MK is then fed into a Pseudo-Random number Function (PRF), which generates
separate Transient EAP Keys (TEKs) for protecting EAP-AKA packets, as well as a
Master Session Key (MSK) for link layer security.
Note that apart from RAND and AUTN there is additional MAC attribute included to
ensure authenticity of the message.
UE (USIM) leverages MILENAGE along with received RAND and locally stored Input
Parameters to compute XAUTN and RES values (in the same way the HSS computed
AUTN and XRES). Then it compares XAUTN and received AUTN to make sure they
match. If they do, the Network gets authenticated.
At this point UE generates keying material (MK, TEKs and MSK) in the same manner
as AAA Server did previously.
Step 9
UE sends back its RES to AP as an attribute of EAP-Response/AKA-Challenge
message which is forwarded to AAA Server in the Radius Access-Request packet.
Once AAA Server receives RES, it is compared with XRES previously obtained from
HSS. If both match, UE (USIM) gets authenticated.
Step 10
AAA Server contacts PCRF through gRPC/Gx in order to collect the Charging Rule
Definition comprising rule name/precedence, flow description, monitoring method,
Monitoring-Key, as well as Usage Monitoring Information including service units
granted for the UE, and the level of data usage monitoring. Requested information is
provided in the CCA-I (Credit Control Answer-Initial) message sent as a response to
CCR-I (Credit Control Request-Initial).
Reference
Refer to ETSI TS 129 212 "Policy and Charging Control (PCC)" for the Gx protocol
description, including procedures, messages and related details.
Step 11
a. Upon unsuccessful authorization from PCRF, AAA Server sends EAP-Failure
message in Radius Access-Reject packet to AP, and the entire authentication
process for UE is restarted. The process will fail as long as no credits are
available for the user.
At this point the EAP-AKA full authentication procedure is complete, but the UE still
cannot send/receive data over the wireless medium due to the lack of encryption keys,
which need to be generated and installed at both UE and AP.
To start with encryption keys generation both UE and AP must possess the MSK. UE
already derived its MSK in step 8 while AP needs to obtain the MSK from AAA Server.
AAA Server sends the 64-byte MSK to AP inside the Radius Access-Accept packet in
which the EAP-Success message is contained. The MSK is broken down into two
32-byte keys; i.e. MS-MPPE-Recv-Key and MS-MPPE-Send-Key:
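The key derivation described above (MK from Identity, IK and CK, the PRF expanding it into the TEKs and the MSK, and the split of the 64-byte MSK into the two MS-MPPE keys), as an added example that is not part of the original guide or of Magma's code. It follows RFC 4187 section 7: the PRF is the FIPS 186-2 generator built on a raw SHA-1 compression, so that compression is implemented here and checked against known SHA-1 vectors. The CK/IK are the base64 values from the SAA excerpt in Step 6; the NAI identity format and its realm are assumptions.

```python
import base64
import hashlib
import struct

MASK32 = 0xFFFFFFFF
# Standard SHA-1 initial chaining value; FIPS 186-2 calls it "t"
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_compress(state, block):
    """One SHA-1 compression over a 64-byte block; returns the new 5-word state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + (f & MASK32) + e + k + w[i]) & MASK32
        a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d, e)))


def sha1_digest(msg):
    """Full SHA-1 with standard padding, built on sha1_compress (lets us verify the core)."""
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", len(msg) * 8)
    state = SHA1_IV
    for off in range(0, len(padded), 64):
        state = sha1_compress(state, padded[off:off + 64])
    return struct.pack(">5I", *state)


def fips186_2_g(c):
    """G(t, c) from FIPS 186-2 Appendix 3.3: one SHA-1 compression of the 160-bit c
    zero-padded to 512 bits, with the standard IV and WITHOUT the length padding."""
    if len(c) != 20:
        raise ValueError("c must be 160 bits")
    return struct.pack(">5I", *sha1_compress(SHA1_IV, c + b"\x00" * 44))


def fips186_2_prf(xkey, nbytes):
    """FIPS 186-2 Change Notice 1 PRF as profiled for EAP-AKA (RFC 4187 s7, RFC 4186 App. B):
    each 320-bit block is w_0 || w_1 with w_i = G(t, XKEY), XKEY = (1 + XKEY + w_i) mod 2^160."""
    mod = 1 << 160
    xkey = int.from_bytes(xkey, "big")
    out = b""
    while len(out) < nbytes:
        for _ in range(2):  # XSEED_j = 0, so XVAL = XKEY
            w = fips186_2_g(xkey.to_bytes(20, "big"))
            out += w
            xkey = (1 + xkey + int.from_bytes(w, "big")) % mod
    return out[:nbytes]


def eap_aka_keys(identity, ik, ck):
    """EAP-AKA full-authentication keying (RFC 4187 s7): MK = SHA1(Identity|IK|CK); the PRF
    output is then cut into K_encr (16), K_aut (16), MSK (64) and EMSK (64) bytes."""
    mk = hashlib.sha1(identity + ik + ck).digest()
    stream = fips186_2_prf(mk, 160)
    return {"MK": mk, "K_encr": stream[:16], "K_aut": stream[16:32],
            "MSK": stream[32:96], "EMSK": stream[96:160]}


def split_msk_for_radius(msk):
    """The AAA server ships the MSK to the AP in Access-Accept as two 32-byte MPPE keys."""
    return {"MS-MPPE-Recv-Key": msk[:32], "MS-MPPE-Send-Key": msk[32:64]}


# Constructed sample: the "0" + IMSI identity of USIM1 with an assumed 3GPP WLAN realm;
# CK/IK are the base64 strings swx_proxy returned in the SAA excerpt above.
SAMPLE_IDENTITY = b"0101012345678911@wlan.mnc001.mcc001.3gppnetwork.org"
SAMPLE_CK = base64.b64decode("M+hN2I29cZwXkXvFAJoToA==")
SAMPLE_IK = base64.b64decode("scHXKlKAf1rKZFwiYSM0vg==")


def sample_keys():
    keys = eap_aka_keys(SAMPLE_IDENTITY, SAMPLE_IK, SAMPLE_CK)
    keys.update(split_msk_for_radius(keys["MSK"]))
    return keys


if __name__ == "__main__":
    for name, value in sample_keys().items():
        print("{:17s} {}".format(name, value.hex()))
```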
Step 12
Given that both UE and AP already have the same copy of the MSK, the 4-way
handshake process can be started between Supplicant and Authenticator.
The products of the 4-way handshake are the Pairwise Transient Key (PTK) and the Group
Temporal Key (GTK), used for encryption of unicast and multicast/broadcast traffic
respectively. The PTK/GTK keys are derived from source key material (MSK ⇨
PMK/GMK), nonces (random numbers) and the MAC addresses of UE and AP.
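The 4-way handshake key derivation sketched above, as an added example that is not part of the original guide: the IEEE 802.11 PRF expanding the PMK (the first 32 bytes of the EAP-AKA MSK, i.e. the MS-MPPE-Recv-Key) with both MAC addresses and both nonces into KCK/KEK/TK, the group key expansion on the AP side, and the authenticator's MIC check on handshake message 2, which rejects a station that holds a different PMK. MAC addresses, nonces, the PMK and the GMK are constructed sample values.

```python
import hashlib
import hmac


def ieee80211_prf(key, label, data, nbytes):
    """PRF-X of IEEE 802.11 (8.5.1.1 in 802.11-2007): concatenate
    HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... and truncate."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce, ptk_len=48):
    """Pairwise key expansion. MAC addresses and nonces are ordered numerically, so the
    supplicant and the authenticator reach the same PTK regardless of who computes it.
    48 bytes for CCMP (KCK | KEK | TK), 64 for TKIP (two extra 8-byte MIC keys)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = ieee80211_prf(pmk, b"Pairwise key expansion", data, ptk_len)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48], "PTK": ptk}


def derive_gtk(gmk, aa, gnonce, gtk_len=16):
    """Group key expansion, done by the authenticator only from its own GMK; the GTK is
    then sent to the supplicant wrapped under the KEK in handshake message 3."""
    return ieee80211_prf(gmk, b"Group key expansion", aa + gnonce, gtk_len)


def eapol_key_mic(kck, frame_with_zero_mic):
    """Key MIC for descriptor version 2 (HMAC-SHA1-128) over the whole EAPOL-Key frame."""
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]


def verify_mic(kck, frame, mic_offset):
    """Receiver-side check: zero the MIC field, recompute, compare in constant time."""
    received = frame[mic_offset:mic_offset + 16]
    zeroed = frame[:mic_offset] + b"\x00" * 16 + frame[mic_offset + 16:]
    return hmac.compare_digest(received, eapol_key_mic(kck, zeroed))


# 4-byte EAPOL header, then descriptor type(1) key info(2) key len(2) replay(8)
# nonce(32) IV(16) RSC(8) ID(8) -> the MIC field starts at byte 81
MIC_OFFSET = 81
NONCE_OFFSET = 17


def build_msg2(snonce, mic=b"\x00" * 16, key_data=b""):
    """Minimal EAPOL-Key message 2 (RSN descriptor, key info 0x010a: v2, pairwise, MIC set)."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + (1).to_bytes(8, "big") + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + mic
            + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


# Constructed sample values (not from the lab).  The PMK is the first 32 bytes of a
# stand-in MSK; a real AP takes it from MS-MPPE-Recv-Key in the Access-Accept.
SAMPLE_MSK = bytes(range(64))
SAMPLE_PMK = SAMPLE_MSK[:32]
SAMPLE_GMK = hashlib.sha256(b"gmk-sample").digest()
AP_MAC = bytes.fromhex("001122334455")   # authenticator address (AA)
UE_MAC = bytes.fromhex("66778899aabb")   # supplicant address (SPA)
ANONCE = hashlib.sha256(b"anonce-sample").digest()
SNONCE = hashlib.sha256(b"snonce-sample").digest()


def supplicant_msg2(pmk):
    """UE side: derive the PTK after message 1 (ANonce) and sign message 2 with the KCK."""
    kck = derive_ptk(pmk, AP_MAC, UE_MAC, ANONCE, SNONCE)["KCK"]
    return build_msg2(SNONCE, mic=eapol_key_mic(kck, build_msg2(SNONCE)))


def authenticator_accepts(frame, pmk=SAMPLE_PMK):
    """AP side: read the SNonce from message 2, derive the PTK with its own PMK, check MIC."""
    snonce = frame[NONCE_OFFSET:NONCE_OFFSET + 32]
    kck = derive_ptk(pmk, AP_MAC, UE_MAC, ANONCE, snonce)["KCK"]
    return verify_mic(kck, frame, MIC_OFFSET)


if __name__ == "__main__":
    print("valid station accepted:", authenticator_accepts(supplicant_msg2(SAMPLE_PMK)))
    print("wrong PMK accepted:", authenticator_accepts(supplicant_msg2(bytes(32))))
```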
Reference
Step 13
AP sends Radius Accounting-Request (Acct-Status-Type: Start) packet to AAA Server
which is responded to by Radius Accounting-Response.
At the same time UE begins the DHCP DORA process with the router, obtains IP
address / default GW / DNS server and accesses the Internet according to OvS flows
obtained previously from PCRF within Charging Rule Definition (see Step 10).
Note that L2 traffic between AP’s SSID and CWAG (OvS) is encapsulated in GRE so
the entire data path between UE and router is L2.
Step 14
AP may periodically send interim Radius accounting updates (Acct-Status-Type:
Interim-Update) with UE’s data usage to AAA Server, but provided metrics are not
used for user’s quota management between PCEF (CWAG) and PCRF. They are used
for creating traffic graphs in NMS/Grafana and optionally e.g. for alerting (see RFC
2866 for Radius accounting details).
Step 15
UE data usage monitoring is performed on CWAG per each individual PCC rule and
reported to PCRF in Diameter CCR-U (Credit Control Request-Update) messages
sent through the Gx interface. The CCR-U contains the used Input/Output/Total octets
and the Monitoring-Key associated with the rule.
PCRF responds to CCR-Us with CCA-Us (Credit Control Answer-Update) including the
Monitoring Key as well as a number of service units granted to the UE (typically small
value of e.g. 1MB).
PCEF (CWAG) removes respective PCC rules and responds to RAR with RAA (Re-Auth
Answer) and a result code of 2001 (Diameter Success).
Reference
Refer to ETSI TS 129 212 "Policy and Charging Control (PCC)" chapters 4.5.9 Request
of IP-CAN Session Termination and 5.3.44 Session-Release-Cause for details.
Step 17
PCEF (CWAG) sends the CCR-T (Credit Control Request-Termination) to PCRF to
indicate that the IP-CAN session is being terminated. The termination cause is
DIAMETER_LOGOUT(1).
PCRF responds to CCR-T with CCA-T (Credit Control Answer-Termination) and a
result code of 2001 (Diameter Success):
Step 19
AP generates a Radius Accounting Stop packet (Acct-Status-Type: Stop) and sends
that to AAA Server, which replies with an acknowledgement that the packet has
been received (see RFC 2866).
Step 20
AP responds to a Radius Disconnect-Request packet sent by AAA Server with a
Radius Disconnect-ACK if all associated session context is discarded and the user
session is no longer connected.
After UE is deauthenticated and disassociated from the AP it will retry the entire
attach procedure from scratch, but the authentication will fail until a new credit pool
is available for the user at PCRF (it takes place when new validity period begins).
(*) To make Wireshark decode the Diameter dialogue properly, add TCP ports 3868, 3870,
3901 and 2901 under Preferences ⇨ Protocols ⇨ DIAMETER.
4.2 UE setup
Reference
Refer to APPENDIX 1 and https://nickvsnetworking.com/usim-basics/ for the
description of USIM parameters.
Ki 4 11111111111111111111111111111111 11111111111111111111111111111111
OP 5 11111111111111111111111111111111 11111111111111111111111111111111
Ki 11111111111111111111111111111111 11111111111111111111111111111111
OP 11111111111111111111111111111111 11111111111111111111111111111111
2 Dummy value created using the ICCID generator http://www.heicard.com/en/check_iccid,
not referenced by Magma.
3 Dummy value - cannot start with “0” and must match the IMSI configured in FEG’s
“hss.yml” subscribers file.
4 Dummy value - must match the “auth_key” configured in FEG’s “hss.yml” subscribers file.
5 Dummy value - must match the “lte_auth_op” defined in FEG's HSS config provided by API
(BASE64 "EREREREREREREREREREREQ==").
ICCID 89600117113000044588
IMSI15 101012345678955
Ki 11111111111111111111111111111111
OP 11111111111111111111111111111111
4.2.2.1 Android
Setting up WiFi network on Android devices is easy and can be completed in less
than one minute:
1. Insert recently configured micro USIM1 card into the USIM card slot of Huawei
P smart 2019 phone (no PIN code is required).
2. Go to Settings ⇨ Wifi.
3. Tap on Add network in the bottom of the screen.
4. Complete network settings as follows:
Note
Android UEs won’t join the “magma” WiFi network until the Lab’s Access
Point and all Magma components are deployed and configured.
4.2.2.2 iOS
As opposed to Android, iOS devices do not allow selecting EAP authentication for
WiFi networks that are configured manually, and attempts to join the “magma”
network from the list of broadcast SSIDs end up with an unwanted username and
password prompt.
To make the iPhone authenticate with the USIM card, a configuration profile with the
respective network settings must be pushed to the device beforehand.
Follow the steps below for profile creation and distribution.
1. Create empty “magma iOS_Profile.mobileconfig” file and fill it out with the
following configuration items:
Note
● EAP type 23 is EAP-AKA,
● Encryption type is WPA as configured later on the Carrier-WiFi Access
Point,
● The SSID string is “magma”.
Reference
Refer to Apple’s documentation for more information on iOS configuration
profiles.
2. Once the profile file is saved, upload it to any cloud drive (e.g. Dropbox or
Google Drive) and get the shareable link:
https://drive.google.com/file/d/1kXoRiIZ9hWho4z8UoYO3My255p-weDhB/view?usp=sharing
3. Send the above link to iPhone through e.g. WhatsApp or email and tap it.
4. Tap the Or continue to website button:
7. Choose iPhone:
11. Get back to Settings ⇨ General ⇨ Profile ⇨ magma and tap Install:
Note
iPhone won’t join the “magma” WiFi network until the Lab’s Access Point
and all Magma components are deployed and configured.
$ ls -ltr /dev/*usb*
… Version 15.3(3)JD17 …
Reference
Refer to the links below for details on AP conversion:
● https://mrncciew.com/2012/10/20/lightweight-to-autonomous-conversion/
● https://community.cisco.com/t5/wireless/converting-a-lightweight-ap-to-an-autonomous-ap/td-p/2284278
magma-ap#sh run
!
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname magma-ap
!
!
Note
● The “magma” SSID placed on the 802.11n 2.4 GHz radio (Dot11Radio0) should show
up in the broadcast wireless network list. It’s accessible only from UEs with the
Lab’s USIM cards inserted and configured with the respective WiFi profiles
(see 4.2 UE setup).
● User’s data from the “magma” wireless network is sent to CWAG through
the wired link using L2 GRE tunnel terminated on CWAG’s eth1 interface
(172.16.0.3). Encapsulated Ethernet traffic has no vlan tag as opposed to
production Magma environments.
● The aaa server radius dynamic-author section defines the radius client
(CWAG) from which the AP accepts Change of Authorization (CoA) and
disconnect requests (e.g. if a subscriber burned through the entire WiFi
data package defined by the policy). The AP’s AAA server listens on port
3379 and is configured with an encrypted 055A545C751918 key
(unencrypted string: 123456).
Reference
Refer to the collection of links in the Cisco AP section for AP configuration
guidelines.
$ echo -e 'if command -v pyenv 1>/dev/null 2>&1; then\n eval "$(pyenv init -)"\nfi' >> ~/.bash_profile
$ source .bash_profile
$ pyenv versions
system
2.7.18
* 3.7.3 (set by /Users/wojciechnawrot/.pyenv/version)
$ python --version
Python 3.7.3
Note
Make sure you are using Python 3.7.3 globally!
$ docker --version
$ docker-compose --version
$ vagrant --version
Vagrant 2.2.13
54dc60e7a071461b584245e6b89349eaad0c194f (Jul21.2021)
$ cd ${MAGMA_CLONE_DIR}/magma
$ git checkout 54dc60e7a071461b584245e6b89349eaad0c194f
$ git describe --tags
v1.0.0-rc1-6799-g54dc60e7a
Note
At the time of this writing more recent Magma commits are available but to
make your deployment process smooth and compliant with the
documentation checkout to the above number.
$ cd ${MAGMA_CLONE_DIR}/magma/orc8r/cloud/docker/
$ ./build.py -a
$ docker images
Note
● Enter your Docker Registry username and password when prompted
● MAGMA_TAG is the first nine characters of the commit number
4. (Optional) Open Docker Desktop and make sure that Orc8r images are in
place:
$ cd ${MAGMA_CLONE_DIR}/magma/orc8r/cloud/docker/
$ ./run.py --metrics
$ docker-compose ps
Name Command State Ports
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
elasticsearch /usr/local/bin/docker-entr ... Up 0.0.0.0:9200->9200/tcp, 0.0.0.0:9300->9300/tcp
fluentd tini -- /bin/entrypoint.sh ... Up 0.0.0.0:24224->24224/tcp, 0.0.0.0:24224->24224/udp, 0.0.0.0:24225->24225/tcp, 0.0.0.0:24225->24225/udp, 5140/tcp
orc8r_alertmanager-configurer_1 alertmanager_configurer -p ... Up
orc8r_alertmanager_1 /bin/alertmanager --config ... Up 0.0.0.0:9093->9093/tcp
orc8r_controller_1 /bin/sh -c /usr/local/bin/ ... Up
orc8r_kibana_1 /usr/local/bin/dumb-init - ... Up 0.0.0.0:5601->5601/tcp
orc8r_maria_1 docker-entrypoint.sh mysql ... Up 3306/tcp
orc8r_nginx_1 /bin/sh -c /usr/local/bin/ ... Up 80/tcp, 0.0.0.0:7443->8443/tcp, 0.0.0.0:7444->8444/tcp, 0.0.0.0:9443->9443/tcp
orc8r_postgres_1 docker-entrypoint.sh postg ... Up 0.0.0.0:5432->5432/tcp
orc8r_postgres_test_1 docker-entrypoint.sh postg ... Up 0.0.0.0:5433->5432/tcp
orc8r_prometheus-cache_1 prometheus-edge-hub -limit ... Up 0.0.0.0:9091->9091/tcp, 0.0.0.0:9092->9092/tcp
orc8r_prometheus-configurer_1 prometheus_configurer -por ... Up
orc8r_prometheus_1 /bin/prometheus --config.f ... Up 0.0.0.0:9090->9090/tcp
orc8r_test_1 /bin/bash -lc echo Hello W ... Exit 0
orc8r_user-grafana_1 /run.sh Up 0.0.0.0:3000->3000/tcp
$ mkdir ${MAGMA_CLONE_DIR}/Backup/
$ cp ${MAGMA_CLONE_DIR}/magma/.cache/test_certs/admin_operator.pfx ${MAGMA_CLONE_DIR}/Backup/
Note
Click here in case of “400 Bad Request - No required SSL Certificate
was sent” error
127.0.0.1 magma-test.localhost
127.0.0.1 master.localhost
127.0.0.1 fb-test.localhost
$ cd ${MAGMA_CLONE_DIR}/magma/nms/app/packages/magmalte/
$ export COMPOSE_PROJECT_NAME=magmalte
$ docker-compose build magmalte
Note
In case of the following error: "info There appears to be trouble with your
network connection. Retrying..." and build interruption, relaunch
"docker-compose build magmalte"
$ cd ${MAGMA_CLONE_DIR}/magma/nms/app/packages/magmalte/
$ export PUBLISH=${MAGMA_CLONE_DIR}/magma/orc8r/tools/docker/publish.sh
$ export REGISTRY=docker.io/wnawrot
$ export MAGMA_TAG=54dc60e7a
$ ${PUBLISH} -r ${REGISTRY} -i magmalte -v ${MAGMA_TAG}
Note
● Enter your Docker Registry username and password when prompted
● MAGMA_TAG is the first nine characters of the commit number
$ docker-compose up -d
$ docker-compose ps
$ cd scripts
$ ./dev_setup.sh
...
$ node -r '@fbcnms/babel-register' scripts/setPassword.js magma-test admin@magma.test password1234
Creating a new user: email=admin@magma.test, password=password1234
...
$ node -r '@fbcnms/babel-register' scripts/setPassword.js master admin@magma.test password1234
Creating a new user: email=admin@magma.test, password=password1234
...
c. Click on Save.
d. Click Add Network again and complete CWAG parameters:
11. (Optional) Look into CWAG/FEG networks description through the swagger
API:
a. Make sure you are signed in to Docker Desktop with your Docker Hub
credentials:
$ cd ${MAGMA_CLONE_DIR}/magma/feg/gateway/docker
$ docker-compose build
Note
● Only the feg_gateway_go and feg_gateway_python images are
relevant.
● Tag respective images with the first nine characters of the
commit number
e. Open Docker Desktop and make sure that FEG (feg_)images are in
place:
$ docker images
Go to Preferences ⇨ Network, add a new NAT network, and fill out parameters
exactly as follows:
Note
This network will be used in FEG’s Vagrantfile for PCRF VM interconnect.
$ cd ${MAGMA_CLONE_DIR}/magma/feg/gateway/
$ mv Vagrantfile Vagrantfile.bak
$ touch Vagrantfile
$ vim Vagrantfile
VAGRANTFILE_API_VERSION = "2"
Vagrant.require_version ">=1.9.1"
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
config.vm.synced_folder "../..", "/home/vagrant/magma"
config.vm.define :feg, primary: true do |feg|
feg.vm.box = "generic/ubuntu1804"
feg.vm.box_version = "1.9.12"
feg.vbguest.auto_update = false
feg.vm.hostname = "magma-feg-dev"
feg.ssh.password = "vagrant"
Note
● FEG VM will be started with two network interfaces:
○ eth0 - not specified in the Vagrantfile and running in
NAT mode (default IP address=10.0.2.15). This interface
will be used for FEG ssh access (port forwarding) and
outgoing communication with the Orc8r listening on
the lo0 interface of the MacOS.
○ eth1 - specified in the Vagrantfile, connected to the
private “NatNetwork” and assigned 192.168.50.3/24 IP
address. This IP will be used for communication with the
external PCRF system.
$ cd ${MAGMA_CLONE_DIR}/magma/feg/gateway/
$ vagrant validate
$ vagrant up feg
$ vagrant status
…
feg running (virtualbox)
…
$ vagrant ssh feg
a. Add the following DNS static entries to enable FEG to access the Orc8r:
10.0.2.2 controller.magma.test
10.0.2.2 bootstrapper-controller.magma.test
10.0.2.2 fluentd.magma.test
Note
The above FQDNs are Orc8r services referenced in the
“/etc/magma/control-proxy.yaml” file and listening on ports: TCP/7443,
TCP/7444, and TCP/24224 respectively.
Trying 10.0.2.2...
Connected to controller.magma.test.
Escape character is '^]'.
Trying 10.0.2.2...
Connected to bootstrapper-controller.magma.test.
Escape character is '^]'.
Trying 10.0.2.2...
Connected to fluentd.magma.test.
Escape character is '^]'.
a. Copy relevant files from the mounted share into FEG’s local directory:
$ sudo -i
# mkdir /tmp/install_dir
# cd /tmp/install_dir
# cp /home/vagrant/magma/orc8r/tools/docker/install_gateway.sh .
# cp /home/vagrant/magma/feg/gateway/configs/control_proxy.yml .
# cp /home/vagrant/magma/feg/gateway/docker/.prod_env .
# cp /home/vagrant/magma/.cache/test_certs/rootCA.pem .
COMPOSE_PROJECT_NAME=feg
DOCKER_USERNAME=wnawrot
DOCKER_PASSWORD='<REPLACE_WITH_YOUR_DOCKER_REGISTRY_PASSWORD>'
DOCKER_REGISTRY=docker.io/wnawrot/feg_
IMAGE_VERSION=54dc60e7a
GIT_HASH=54dc60e7a
BUILD_CONTEXT=https://github.com/facebookincubator/magma.git#master
ROOTCA_PATH=/var/opt/magma/certs/rootCA.pem
CONTROL_PROXY_PATH=/etc/magma/control_proxy.yml
CONFIGS_DEFAULT_VOLUME=/etc/magma
CONFIGS_TEMPLATES_PATH=/etc/magma/templates
SNOWFLAKE_PATH=/etc/snowflake
CERTS_VOLUME=/var/opt/magma/certs
CONFIGS_VOLUME=/var/opt/magma/configs
CONFIGS_OVERRIDE_VOLUME=/var/opt/magma/configs
LOG_DRIVER=journald
Note
● Replace Docker registry name, username and password with
your Docker Hub credentials.
● Assign the “image version” / “git hash” variables with the string
you set while pushing FEG images into the registry.
# cd /tmp/install_dir
# ./install_gateway.sh feg
....
Creating td-agent-bit ... done
Creating swx_proxy ... done
Creating eventd ... done
Creating eap_aka ... done
Creating session_proxy ... done
Creating csfb ... done
Creating redis ... done
Creating feg_hello ... done
Creating s6a_proxy ... done
Creating control_proxy ... done
Creating radiusd ... done
Creating magmad ... done
Creating eap_sim ... done
Creating s8_proxy ... done
# cd /var/opt/magma/docker/
# docker-compose ps
# cp /tmp/magmagw_install/magma/orc8r/tools/ansible/roles/fluent_bit/files/60-fluent-bit.conf /etc/rsyslog.d/
Note
The mock HSS launched locally on the FEG VM emulates a real carrier’s HSS core
service accessible through the SWx Diameter interface. Refer to 3.3.5
Home Subscriber Server (HSS) for details.
# touch /var/opt/magma/docker/docker-compose.override.yml
# vim docker-compose.override.yml
# touch /var/opt/magma/configs/hss.yml
# vim /var/opt/magma/configs/hss.yml
# HSS Config
#
# ---
# subscribers:
#   <imsi>:
#     <auth_key>: - required (hex string)
#     <non_3gpp_enabled>: - optional (bool)
subscribers:
  # OYEI USIM1
  "101012345678911":
    auth_key: "11111111111111111111111111111111"
    non_3gpp_enabled: true
  # OYEI USIM2
  "101012345678922":
  # OYEI USIM3
  "101012345678933":
    auth_key: "11111111111111111111111111111111"
    non_3gpp_enabled: true
  # OYEI USIM4
  "101012345678944":
    auth_key: "11111111111111111111111111111111"
    non_3gpp_enabled: true
  # OYEI USIM5
  "101012345678955":
    auth_key: "11111111111111111111111111111111"
    non_3gpp_enabled: true
Note
● The above subscriber settings are the USIMs’ IMSI and Ki
parameters configured in 4.2.1 Programming USIM cards.
● non_3gpp_enabled: true means that the user has a non-3GPP
subscription and is allowed to use access technologies not
specified in 3GPP (e.g. WiFi or WiMAX). This setting makes the HSS
send the Non-3GPP-IP-Access:
NON_3GPP_SUBSCRIPTION_ALLOWED(0) AVP in the SAA
message to the AAA Server.
# cd /var/opt/magma/docker
# docker-compose -f docker-compose.override.yml up -d
# cd /var/opt/magma/docker
# docker-compose exec magmad /usr/local/bin/show_gateway_info.py
Hardware ID
-----------
951b76cb-2f90-4b05-ba1f-8581b7f9cf57
Challenge key
Note
Save the “Hardware ID” and the “Challenge Key” in a safe place. They both
will be required for FEG registration.
The configuration below will be provided through the NMS GUI. Some
verification steps will be performed directly on the FEG VM.
Note
Use “Hardware UUID” and the “Challenge Key” you noted down in the
previous step. They both will be different from values shown in the
screenshot above.
Note
● Keep the “CSFB” section empty as it’s not relevant for the
Carrier-WiFi Lab.
● CSFB (Circuit Switched Fallback) delivers voice and SMS
services to LTE devices.
$ sudo -i
# cd /var/opt/magma/docker
# docker-compose exec magmad /usr/local/bin/checkin_cli.py
Note
The “gateway.mconfig” file is updated every single minute.
The adjustments described below will be done using Orc8r’s API (NMS does
not support all configuration items).
a. Open
https://localhost:9443/apidocs/v1/#/Federation%20Gateways/get_feg__n
etwork_id__gateways__gateway_id__federation in Firefox, enter
Network/Gateway ID (“feg_net”/”feg_01”) and hit Execute:
b. Create a new temporary text file and copy the response body from point
a. onto it.
c. Add missing configuration statements to the text file (in red) as shown
below:
"swx": {
"hlr_plmn_ids": null,
"server": {
"address": "127.0.0.1:2901",
"dest_host": "hw-hss.epc.mnc001.mcc001.3gppnetwork.org",
"dest_realm": "epc.mnc001.mcc001.3gppnetwork.org",
"disable_dest_host": true,
"host": "swx-mgm1.epc.mnc001.mcc001.3gppnetwork.org",
"local_address": "127.0.0.1:3901",
"product_name": "magma",
"protocol": "tcp",
"realm": "epc.mnc001.mcc001.3gppnetwork.org"
},
"servers": null
}
}
○ "lte_auth_amf": "gAA="
○ "lte_auth_op": "EREREREREREREREREREREQ=="
e. Open
https://localhost:9443/apidocs/v1/#/Federation%20Gateways/put_feg__n
etwork_id__gateways__gateway_id__federation in Firefox , click Try it
out, enter Network/Gateway ID (“feg_net”/”feg_01”), replace the entire
example config with the content of the text file from point c. and hit
Execute:
f. Open
https://localhost:9443/apidocs/v1/#/Federation%20Gateways/get_feg__n
etwork_id__gateways__gateway_id__federation in Firefox again, enter
Network/Gateway ID (“feg_net”/”feg_01”) and hit Execute to make sure
that configuration changes to FEG have been saved.
Note
From now on do not modify FEG’s settings with NMS because the
config adjustments made through the API will be removed!
# cd /var/opt/magma/docker
# docker-compose down && docker-compose up -d
# cd /var/opt/magma/docker
# docker-compose exec hss bash
# ./var/opt/magma/bin/hss_cli get -subscriber_id 101012345678911
Perform the following test from any FEG container, e.g. csfb:
# cd /var/opt/magma/docker
# docker-compose exec csfb bash
# ./var/opt/magma/bin/swx_cli mar 101012345678933
Note
● MAR (Multimedia Authentication Request) is a command sent
by AAA Server to the HSS through the SWx interface for
accessing security information.
a. Make sure you are signed in to Docker Desktop with your Docker Hub
credentials:
$ cd ${MAGMA_CLONE_DIR}/magma/cwf/gateway/docker
c. Go for a walk.
Note
If the build fails with the error “c++: internal compiler error: Killed
(program cc1plus)”, increase the Docker Desktop memory limit to 10G and
re-launch docker-compose build (click here for details).
d. Tag created CWAG images and push them into Docker Registry:
Note
Tag the respective images with the first nine characters of the commit
hash.
e. Open Docker Desktop and make sure that all CWAG (cwf_) images are
in place:
$ docker images
$ vim Vagrantfile
VAGRANTFILE_API_VERSION = "2"
Vagrant.require_version ">=1.9.1"
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.vm.synced_folder "../..", "/home/vagrant/magma"
  config.vm.define :cwag, primary: true do |cwag|
    cwag.vm.box = "generic/ubuntu1804"
    cwag.disksize.size = '50GB'
    cwag.vm.box_version = "1.9.12"
    cwag.vbguest.auto_update = false
    cwag.vm.hostname = "cwag-dev"
    # eth1 - RADIUS and L2GRE iface
    cwag.vm.network "public_network", bridge: "en7: USB 10/100/1000 LAN", ip: "172.16.0.3", nic_type: "82540EM"
    # eth2 - Uplink iface
    cwag.vm.network "public_network", bridge: "en9: USB 10/100/1000 LAN 2", nic_type: "82540EM", auto_config: false
    config.vm.provision "shell",
      run: "always",
      inline: "ifconfig eth2 up"
    cwag.ssh.password = "vagrant"
    cwag.ssh.insert_key = true
    cwag.vm.provider "virtualbox" do |vb|
      vb.name = "cwag-dev"
      vb.linked_clone = true
      vb.customize ["modifyvm", :id, "--memory", "2048"]
      vb.customize ["modifyvm", :id, "--cpus", "2"]
      vb.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"]
      vb.customize ["modifyvm", :id, "--nicpromisc3", "allow-all"]
    end
  end
end
Note
● Do not use the Mac’s Wi-Fi (AirPort) as the uplink interface
interconnecting CWAG with the home router. Magma won’t work in such
a scenario.
Note
Make sure that both USB-C ⟺ Ethernet adapters are connected to your Mac
while spinning up the CWAG VM (see Figure 4. Physical network setup).
$ cd ${MAGMA_CLONE_DIR}/magma/cwf/gateway/
$ vagrant up cwag
$ vagrant status
…
cwag running (virtualbox)
…
d. After the CWAG VM is spun up make sure that its network adapters 2
and 3 operate in Promiscuous Mode: “Allow All”:
$ sudo -i
# vim /etc/hosts
10.0.2.2 controller.magma.test
10.0.2.2 bootstrapper-controller.magma.test
10.0.2.2 fluentd.magma.test
Note
The above FQDNs are Orc8r services referenced in the
“/etc/magma/control-proxy.yaml” file and listening on ports: TCP/7443,
TCP/7444, and TCP/24224 respectively.
# telnet controller.magma.test 7443
Trying 10.0.2.2...
Connected to controller.magma.test.
Escape character is '^]'.
# telnet bootstrapper-controller.magma.test 7444
Trying 10.0.2.2...
Connected to bootstrapper-controller.magma.test.
Escape character is '^]'.
# telnet fluentd.magma.test 24224
Trying 10.0.2.2...
Connected to fluentd.magma.test.
Escape character is '^]'.
c. Check AP connectivity:
Note
Make sure that the AP is configured (see 6.2.2. AP command set),
powered up and connected to your Mac with Ethernet cable.
$ ping 172.16.0.2
$ ssh magma@172.16.0.2
Password:
a. Copy relevant files from the mounted share into CWAG’s local directory:
$ sudo -i
# mkdir /tmp/install_dir
# cd /tmp/install_dir
# cp /home/vagrant/magma/orc8r/tools/docker/install_gateway.sh .
# cp /home/vagrant/magma/cwf/gateway/configs/control_proxy.yml .
# cp /home/vagrant/magma/cwf/gateway/docker/.prod_env .
# cp /home/vagrant/magma/.cache/test_certs/rootCA.pem .
# cd /tmp/install_dir
# mv .prod_env .env
# vim .env
COMPOSE_PROJECT_NAME=cwf
DOCKER_USERNAME=wnawrot
DOCKER_PASSWORD='**********'
DOCKER_REGISTRY=docker.io/wnawrot/cwf_
IMAGE_VERSION=54dc60e7a
GIT_HASH=54dc60e7a
BUILD_CONTEXT=https://github.com/magma/magma.git#master
ROOTCA_PATH=/var/opt/magma/certs/rootCA.pem
CONTROL_PROXY_PATH=/etc/magma/control_proxy.yml
CONFIGS_TEMPLATES_PATH=/etc/magma/templates
CERTS_VOLUME=/var/opt/magma/certs
CONFIGS_OVERRIDE_VOLUME=/var/opt/magma/configs
CONFIGS_DEFAULT_VOLUME=/etc/magma
SECRETS_VOLUME=/var/opt/magma/secrets
RADIUS_STORAGE_TYPE=memory
RADIUS_REDIS_ADDR=
LOG_DRIVER=journald
Note
● Replace Docker registry name, username and password with
your Docker Hub credentials.
● Assign the “image version” / “git hash” variables with the string
you set while pushing CWAG images into the registry.
● Specify Ingress and Uplink ports accordingly, i.e. eth1 for AP
connectivity and eth2 for Internet access.
● Set dummy eth5 interface as Lawful Interception port (not
relevant for the Lab).
# cd /tmp/install_dir
# ./install_gateway.sh cwag
....
Creating td-agent-bit ... done
Creating radiusd ... done
Creating redis ... done
Creating magmad ... done
Creating health ... done
Creating redirectd ... done
Creating radius ... done
Creating eap_aka ... done
Creating eap_sim ... done
Creating pipelined ... done
Creating control_proxy ... done
Creating aaa_server ... done
Creating eventd ... done
Creating directoryd ... done
Creating policydb ... done
Creating state ... done
Creating sessiond ... done
Installed successfully!!
# cd /var/opt/magma/docker/
# docker-compose ps
# cp /tmp/magmagw_install/magma/orc8r/tools/ansible/roles/fluent_bit/files/60-fluent-bit.conf /etc/rsyslog.d/
# service rsyslog restart
# cd /var/opt/magma/docker
# docker-compose exec magmad /usr/local/bin/show_gateway_info.py
Hardware ID
-----------
40d31441-38dd-44be-9bed-c58067c412c7
Challenge key
-------------
MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYqFfZwhGWoN3EotmE3HUC6UsHez69axCV++WGsMG1Mg2+V3nSluDRuRO
J5uGgJlDV+4PJwIE65yM+4jda0ybPu9JoIvQuxtfd6pIG98z1+IioBHXgShh0DsZk79o3CdI
Note
Save the “Hardware ID” and the “Challenge Key” in a safe place. They both
will be required for CWAG registration.
6. Register CWAG
Note
Use “Hardware UUID” and the “Challenge Key” you noted down in the
previous step. They both will be different from values shown in the
screenshot above.
d. Specify subnet for the GRE peers (in our case a GRE peer is Cisco Access
Point running GRE on 172.16.0.2), and click on Save when complete:
$ sudo -i
# cd /var/opt/magma/docker
# docker-compose exec magmad /usr/local/bin/checkin_cli.py
Note
The above means that CWAG properly interacts with the Orc8r.
$ sudo -i
# vim /etc/magma/pipelined.yml
…
static_services: [
  'ue_mac',
  'arpd',
  'check_quota',
  'access_control',
  'tunnel_learn',
  'vlan_learn',
  # 'ipfix',
  #'li_mirror',
  'ryu_rest_service',
  'startup_flows',
  #'packet_tracer',
…
qos:
  # enable: false
  enable: true
  # impl: ovs_meter
  impl: linux_tc
  max_rate: 1000000000
  linux_tc:
    min_idx: 2
    max_idx: 65534
  ovs_meter:
    min_idx: 2
    max_idx: 100000
Note
Disable (comment out) ipfix and enable linux_tc QoS.
pipelined:
<<: *ltepyservice
# cd /var/opt/magma/docker
# docker-compose down && docker-compose up -d
{
  "configsByKey": {
    "aaa_server": {
      "@type": "type.googleapis.com/magma.mconfig.AAAConfig",
      "logLevel": "INFO",
      "IdleSessionTimeoutMs": 500000,
      "AccountingEnabled": true,
      "CreateSessionOnAuth": true
    },
    "control_proxy": {
      "@type": "type.googleapis.com/magma.mconfig.ControlProxy",
      "logLevel": "INFO"
    },
    "directoryd": {
      "@type": "type.googleapis.com/magma.mconfig.DirectoryD",
      "logLevel": "INFO"
    },
# ovs-vsctl show
    Bridge "cwag_br0"
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port "gre0"
            Interface "gre0"
                type: gre
                options: {remote_ip=flow}
        Port li_port
            Interface li_port
                type: internal
        Port "mon1"
            Interface "mon1"
                type: internal
        Port cwag_patch
            Interface cwag_patch
                type: patch
                options: {peer=uplink_patch}
        Port "cwag_br0"
            Interface "cwag_br0"
                type: internal
    Bridge "uplink_br0"
        fail_mode: secure
        Port "gw0"
            Interface "gw0"
                type: internal
        Port "eth2"
            Interface "eth2"
        Port uplink_patch
            Interface uplink_patch
                type: patch
                options: {peer=cwag_patch}
        Port "uplink_br0"
            Interface "uplink_br0"
                type: internal
    ovs_version: "2.12.0"
# cd /var/opt/magma/docker
# docker-compose exec radiusd bash
# /var/opt/magma/bin/hello_cli message 0
Note
If CWAG⟺FEG connectivity is fine, FEG will echo “message” to CWAG
as shown above.
Reference
Before you proceed with configuration steps refer to YotaPCRF concepts available
here.
6. Launch the graphical console of the FreePCRF VM and log in to the VM with
the root / password credentials.
# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
PREFIX=24
IPADDR=192.168.50.4
DEFROUTE=YES
GATEWAY=192.168.50.1
DNS1=8.8.8.8
# vi /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=test.freepcrf.com
# vi /etc/hosts
192.168.50.4 test.freepcrf.com
192.168.50.3 gx-mgm.magmalab.com
# vi /etc/ntp.conf
Note
● From now on you can ssh into the FreePCRF VM directly from macOS
(ssh root@localhost).
● Refer to 7.5.2.1 No SSH or web access to FreePCRF VM on forwarded
ports in case you cannot access the FreePCRF VM through ssh/http
although networking has been configured as described.
http://localhost:9080/
http://localhost:8093/
http://localhost:8091/
9. Verify settings for existing (preconfigured) PCRF cluster and PCRF Peer
Reference
Refer to the YotaPCRF Administrators Guide (page 44) for O&M
Console description.
Cluster ID: 1
Cluster Role: 3 (Cluster Role PCRF with SPR)
Cluster SSR Subscription: 0 (Cluster SSR NONE)
Cluster Name: PCRF 1
Cluster Description:
Peer ID: 1
Cluster ID: 1 (PCRF 1)
Note
All the Diameter parameters including IPs, ports, hostnames, realms,
etc. must match at both sides, i.e. PCRF and PCEF (Magma).
b. Check Gx interface
Refer to the table below for the summary of subscribers’ data plans and relevant
configuration items:

Subscriber ID: 101012345678911
Service: 01_SRV_100MB_FULL_SPEED_1HOUR
Data plan description: The subscriber is assigned a WiFi plan with unlimited download/upload data
rate (Internet speed) and 100MB of cumulative download/upload data volume
granted every single hour. If the 100MB data pack is exhausted, the
subscriber's session is disconnected immediately and new sessions are not
allowed. The subscriber can join the Carrier-WiFi network again as soon as the
data accumulator value is reset automatically (every single hour) or manually
by the administrator.

Subscriber ID: 101012345678922
Service: 02_SRV_200MB_SLOW_2MBPS_1WEEK
Data plan description: The subscriber is assigned a WiFi plan with unlimited download/upload data
rate (Internet speed) and 200MB of cumulative download/upload data volume
granted every week. If the 200MB data pack is exhausted, a new policy with
QoS is installed and the Internet speed is reduced to 2Mbit/s. The low data
rate for existing and new sessions persists until the accumulator value is reset

Subscriber ID: 101012345678933
Service: 03_SRV_UNLIM_MB_FULL_SPEED
Data plan description: The subscriber is assigned a WiFi plan with unrestricted download/upload
Internet speed and unlimited data volume forever.

Subscriber ID: 101012345678944
Service: 04_SRV_UNLIM_MB_8MBPS
Data plan description: The subscriber is assigned a WiFi plan with download/upload Internet speed
limited to 8Mbit/s and unlimited data volume forever.
Reference
Refer to Yota PCRF Subscriber Management Interface Description for details
on Subscriber Management Interface.
Note
● The above Subscriber IDs are USIMs’ IMSIs configured in 4.2.1
Programming USIM cards
● Subscriber information can be obtained per individual IMSI by
entering e.g.:
http://localhost:9080/spr/sm/getSubscriber?id=101012345678911
1. Define PCRF Services according to the table below using FreePCRF’s SPR
Configuration Interface:
02_SRV_200MB_SLOW_2MBPS_1WEEK http://localhost:9080/spr/conf/addServiceInfo?id=02_SRV_200MB_SLOW_2MBPS_1WEEK&name=02_SRV_200MB_SLOW_2MBPS_1WEEK&description=02_SRV_200MB_SLOW_2MBPS_1WEEK
03_SRV_UNLIM_MB_FULL_SPEED http://localhost:9080/spr/conf/addServiceInfo?id=03_SRV_UNLIM_MB_FULL_SPEED&name=03_SRV_UNLIM_MB_FULL_SPEED&description=03_SRV_UNLIM_MB_FULL_SPEED
04_SRV_UNLIM_MB_8MBPS http://localhost:9080/spr/conf/addServiceInfo?id=04_SRV_UNLIM_MB_8MBPS&name=04_SRV_UNLIM_MB_8MBPS&description=04_SRV_UNLIM_MB_8MBPS
T.B.D. T.B.D.
Reference
Refer to the YotaPCRF Administrators Guide (page 41) for SPR Configuration
Interface basics.
Note
You can verify individual services by entering e.g.
http://localhost:9080/spr/conf/getServiceInfo?id=01_SRV_100MB_FULL_SPEED_1HOUR
Note
You can verify individual IMSI to Service associations by entering e.g.:
http://localhost:9080/spr/sm/getService?subscriber_id=101012345678944&service_id=04_SRV_UNLIM_MB_8MBPS
Note
● --scheme_reset_period 1 - resets the accumulator every HOUR
● --scheme_reset_period 3 - resets the accumulator every WEEK
Reference
Refer to the YotaPCRF Administrators Guide (page 50) for Command Line
Interface details.
Note
● The Accumulated Value (cumulative data usage) for a given
Accumulator and Subscriber can be modified/reset manually using the
Subscriber Management Interface:
○ http://localhost:9080/spr/sm/setAccumValue?subscriber_id=101012345678911&accum_id=01_ACCUM_100MB_FULL_SPEED&value=80000000&immidiate=1
○ http://localhost:9080/spr/sm/setAccumValue?subscriber_id=101012345678922&accum_id=02_ACCUM_200MB_FULL_SPEED&value=190000000&immidiate=1
● The above calls are useful while testing data plans, i.e. instead of
waiting until the UE consumes a few hundred Megabytes of data and a
certain Accumulator level is reached, one can set the Accumulator
Value close to the level_full specified in the Accumulator Scheme (e.g.
195MB).
The Accumulated Value can also be reset (set to 0), which is identical
to the beginning of a new validity period for a data plan.
http://localhost:8093/#101012345678911
http://localhost:8093/#101012345678933
http://localhost:8093/#101012345678944
# cp /etc/pcrf/config/rules/rules.xml /etc/pcrf/config/rules/rules.xml.bak
# vi /etc/pcrf/config/rules/rules.xml
  <Policy Name="01_POLICY_100MB_FULL_SPEED">
    <Default>
      <Rules>
        <Charging-Rule-Definition>
          <Charging-Rule-Name Value="01_RULE_100MB_FULL_SPEED"/>
          <Flow-Description Value="permit in ip from any to any"/>
          <Flow-Description Value="permit out ip from any to any"/>
          <Metering-Method Value="VOLUME"/>
          <Flow-Status Value="ENABLED"/>
          <Monitoring-Key Value="01_KEY_100MB_FULL_SPEED"/>
          <Precedence Value="10"/>
        </Charging-Rule-Definition>
      </Rules>
    </Default>
  </Policy>
  <Policy Name="02_POLICY_200MB_FULL_SPEED">
    <Default>
      <Rules>
        <Charging-Rule-Definition>
          <Charging-Rule-Name Value="02_RULE_200MB_FULL_SPEED"/>
          <Flow-Description Value="permit in ip from any to any"/>
          <Flow-Description Value="permit out ip from any to any"/>
          <Metering-Method Value="VOLUME"/>
          <Flow-Status Value="ENABLED"/>
          <Monitoring-Key Value="02_KEY_200MB_FULL_SPEED"/>
          <Precedence Value="10"/>
        </Charging-Rule-Definition>
      </Rules>
    </Default>
  </Policy>
  <Policy Name="02_POLICY_200MB_2MBPS">
    <Default>
      <Rules>
        <Charging-Rule-Definition>
          <Charging-Rule-Name Value="02_RULE_200MB_2MBPS"/>
          <Flow-Description Value="permit in ip from any to any"/>
  <Policy Name="03_POLICY_UNLIM_MB_FULL_SPEED">
    <Default>
      <Rules>
        <Charging-Rule-Name Value="03_RULE_UNLIM_MB_FULL_SPEED"/>
      </Rules>
    </Default>
  </Policy>
  <Policy Name="04_POLICY_UNLIM_MB_8MBPS">
    <Default>
      <Rules>
        <Charging-Rule-Name Value="04_RULE_UNLIM_MB_8MBPS"/>
      </Rules>
    </Default>
  </Policy>
  <DefaultAccums>
    <Accum Name="01_ACCUM_100MB_FULL_SPEED">
      <Monitoring-Key Name="01_KEY_100MB_FULL_SPEED" Direction="Both" Delta="1000000" Monitor-Level="1" />
    </Accum>
    <Accum Name="02_ACCUM_200MB_FULL_SPEED">
      <Monitoring-Key Name="02_KEY_200MB_FULL_SPEED" Direction="Both" Delta="1000000" Monitor-Level="1" />
    </Accum>
  </DefaultAccums>
</PolicyDef>
Note
● Every Policy Name prefix (01_, 02_, etc.) corresponds to an individual
Service assigned to a respective subscriber here.
● Policies 03_, and 04_ contain only PCC rule names meaning that
PCRF only activates/deactivates these specific rules but their
definition must be statically provided in PCEF (CWAG).
<Accum Name="02_ACCUM_200MB_FULL_SPEED">
  <Monitoring-Key Name="02_KEY_200MB_FULL_SPEED" Direction="Both" Delta="1000000" Monitor-Level="1" />
</Accum>
Note
If no errors are found, the validation will end up with no message.
# cp /etc/pcrf/config/lua/engine.lua /etc/pcrf/config/lua/engine.lua.bak
# vi /etc/pcrf/config/lua/engine.lua
package.path="/etc/pcrf/config/lua/?.lua"
default_region="MagmaLAB"

function GxSelectPolicy()
  region = get_region()
  country = get_country()
  location = get_session_location()
  if (region == "UNKNOWN") then
    region=default_region
    log_write(string.format("[ERR_REGCODE] region [%s,%s,%s,%s] not found, using default '%s'", location,
      tostring(get_session_ecgi()), tostring(get_session_lac()), tostring(get_session_rac()), region))
  end
  log_write(string.format("GxSelectPolicy called for %s", get_subscriber_id()))
  log_write(string.format(" Region for '%s' is '%s'", get_subscriber_id(), region))
  if is_unknown_subscriber() then
    -- Plan 01: hard cap, the session is refused once the 100MB pack is used up
    if (is_service_active("01_SRV_100MB_FULL_SPEED_1HOUR")) then
      if check_accum_level_full("01_ACCUM_100MB_FULL_SPEED") then
        reject()
        log_write(string.format("Rejected Subscriber '%s' because the entire data pack is exhausted", get_subscriber_id()))
      else
        add_policy("01_POLICY_100MB_FULL_SPEED")
        log_write(string.format("Policy: '%s' selected for %s", get_policy(0), get_subscriber_id()))
      end
      return 0
    end
    -- Plan 02: soft cap, the subscriber is throttled to 2Mbit/s after 200MB
    if (is_service_active("02_SRV_200MB_SLOW_2MBPS_1WEEK")) then
      if check_accum_level_full("02_ACCUM_200MB_FULL_SPEED") then
        set_policy("02_POLICY_200MB_2MBPS")
        log_write(string.format("Policy: '%s' selected for %s", get_policy(0), get_subscriber_id()))
      else
        set_policy("02_POLICY_200MB_FULL_SPEED")
        log_write(string.format("Policy: '%s' selected for %s", get_policy(0), get_subscriber_id()))
      end
      return 0
    end
    -- Plans 03 and 04: no volume metering, only the static rule name is activated
    if (is_service_active("03_SRV_UNLIM_MB_FULL_SPEED")) then
      add_policy("03_POLICY_UNLIM_MB_FULL_SPEED")
      log_write(string.format("Policy: '%s' selected for %s", get_policy(0), get_subscriber_id()))
      return 0
    end
    if (is_service_active("04_SRV_UNLIM_MB_8MBPS")) then
      add_policy("04_POLICY_UNLIM_MB_8MBPS")
      log_write(string.format("Policy: '%s' selected for %s", get_policy(0), get_subscriber_id()))
      return 0
    end
  end
end
Reference
● A detailed policy engine description is provided here.
● Engine.lua functions are described here:
http://localhost:8091/doc/lua_info.html
# /opt/pcrf_core/utils/engine_script_run -n /etc/pcrf/config/lua/engine.lua -u GxSelectPolicy -s 101012345678911
Policies:
01_POLICY_100MB_FULL_SPEED
No static rules set for subscriber 101012345678911
No static group rules set for subscriber 101012345678911
For subscriber 101012345678911 congestion usage monitoring is switched off
# /opt/pcrf_core/utils/engine_script_run -n /etc/pcrf/config/lua/engine.lua -u GxSelectPolicy -s 101012345678922
Policies:
02_POLICY_200MB_2MBPS
No static rules set for subscriber 101012345678922
No static group rules set for subscriber 101012345678922
For subscriber 101012345678922 congestion usage monitoring is switched off
Policies:
02_POLICY_200MB_FULL_SPEED
No static rules set for subscriber 101012345678922
No static group rules set for subscriber 101012345678922
For subscriber 101012345678922 congestion usage monitoring is switched off
# /opt/pcrf_core/utils/engine_script_run -n /etc/pcrf/config/lua/engine.lua
Policies:
03_POLICY_UNLIM_MB_FULL_SPEED
No static rules set for subscriber 101012345678933
No static group rules set for subscriber 101012345678933
For subscriber 101012345678933 congestion usage monitoring is switched off
# /opt/pcrf_core/utils/engine_script_run -n /etc/pcrf/config/lua/engine.lua -u GxSelectPolicy -s 101012345678944
Policies:
04_POLICY_UNLIM_MB_8MBPS
No static rules set for subscriber 101012345678944
No static group rules set for subscriber 101012345678944
For subscriber 101012345678944 congestion usage monitoring is switched off
Note
Verification of the file content is required in order to prevent incorrect
behavior of the system.
The verification is performed by the engine_script_run utility, which checks
whether “engine.lua” contains any syntax errors.
The utility simulates the policy selection workflow and shows the chosen
policy for the specified subscriber, or an error message.
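The selection order of GxSelectPolicy and the two accumulators from rules.xml, modelled in Python as an added example (this is not FreePCRF code and not part of the original lab document) so that the four data plans can be exercised without a running PCRF. The level_full values (100MB, 200MB) and the subscriber table are constructed from the data plan descriptions above; the unknown-subscriber handling (an IMSI with no service is refused, all others go through the service checks) is an assumption.

```python
"""Python model of the lab's GxSelectPolicy logic (added example, not FreePCRF code).

Service, policy and accumulator names are the ones used in the lab; level_full,
the subscriber table and the byte counts are constructed test data.
"""

# Accumulator schemes; level_full is an assumption taken from the data-plan
# descriptions (100 MB every hour, 200 MB every week).
ACCUM_SCHEMES = {
    "01_ACCUM_100MB_FULL_SPEED": {"level_full": 100_000_000, "reset_period": "HOUR"},
    "02_ACCUM_200MB_FULL_SPEED": {"level_full": 200_000_000, "reset_period": "WEEK"},
}

REJECT = "REJECT"


class Spr:
    """Minimal subscriber profile repository: one service per IMSI plus accumulators."""

    def __init__(self):
        self.services = {}      # imsi -> service id
        self.accum_values = {}  # (imsi, accum id) -> bytes used in the current period

    def add_subscriber(self, imsi, service_id):
        self.services[imsi] = service_id

    def is_unknown_subscriber(self, imsi):
        return imsi not in self.services

    def is_service_active(self, imsi, service_id):
        return self.services.get(imsi) == service_id

    def add_usage(self, imsi, accum_id, delta_bytes):
        """Counterpart of a Gx usage report being booked onto the accumulator."""
        key = (imsi, accum_id)
        self.accum_values[key] = self.accum_values.get(key, 0) + delta_bytes
        return self.accum_values[key]

    def set_accum_value(self, imsi, accum_id, value):
        """Same effect as the spr/sm/setAccumValue call used while testing."""
        self.accum_values[(imsi, accum_id)] = value

    def check_accum_level_full(self, imsi, accum_id):
        used = self.accum_values.get((imsi, accum_id), 0)
        return used >= ACCUM_SCHEMES[accum_id]["level_full"]


def gx_select_policy(spr, imsi):
    """Mirrors the decision order of engine.lua; returns a policy name or REJECT."""
    if spr.is_unknown_subscriber(imsi):
        return REJECT  # assumption: no service provisioned, nothing to grant
    if spr.is_service_active(imsi, "01_SRV_100MB_FULL_SPEED_1HOUR"):
        # Hard cap: once the 100 MB pack is gone the session is refused.
        if spr.check_accum_level_full(imsi, "01_ACCUM_100MB_FULL_SPEED"):
            return REJECT
        return "01_POLICY_100MB_FULL_SPEED"
    if spr.is_service_active(imsi, "02_SRV_200MB_SLOW_2MBPS_1WEEK"):
        # Soft cap: after 200 MB the subscriber stays online but is throttled.
        if spr.check_accum_level_full(imsi, "02_ACCUM_200MB_FULL_SPEED"):
            return "02_POLICY_200MB_2MBPS"
        return "02_POLICY_200MB_FULL_SPEED"
    if spr.is_service_active(imsi, "03_SRV_UNLIM_MB_FULL_SPEED"):
        return "03_POLICY_UNLIM_MB_FULL_SPEED"  # static rule name only, no metering
    if spr.is_service_active(imsi, "04_SRV_UNLIM_MB_8MBPS"):
        return "04_POLICY_UNLIM_MB_8MBPS"       # static rule name only, QoS on PCEF
    return REJECT


def lab_spr():
    """Constructed SPR content matching the four lab subscribers."""
    spr = Spr()
    spr.add_subscriber("101012345678911", "01_SRV_100MB_FULL_SPEED_1HOUR")
    spr.add_subscriber("101012345678922", "02_SRV_200MB_SLOW_2MBPS_1WEEK")
    spr.add_subscriber("101012345678933", "03_SRV_UNLIM_MB_FULL_SPEED")
    spr.add_subscriber("101012345678944", "04_SRV_UNLIM_MB_8MBPS")
    return spr


if __name__ == "__main__":
    spr = lab_spr()
    # 200 MB plan: park the accumulator at 190 MB (as in the setAccumValue
    # example above), then book ten 1 MB usage reports until it tips over.
    spr.set_accum_value("101012345678922", "02_ACCUM_200MB_FULL_SPEED", 190_000_000)
    print(gx_select_policy(spr, "101012345678922"))  # 02_POLICY_200MB_FULL_SPEED
    for _ in range(10):
        spr.add_usage("101012345678922", "02_ACCUM_200MB_FULL_SPEED", 1_000_000)
    print(gx_select_policy(spr, "101012345678922"))  # 02_POLICY_200MB_2MBPS
    spr.set_accum_value("101012345678922", "02_ACCUM_200MB_FULL_SPEED", 0)
    print(gx_select_policy(spr, "101012345678922"))  # 02_POLICY_200MB_FULL_SPEED
```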
a. Open
https://localhost:9443/swagger/v1/ui/policydb#/Policies/post_lte__network_id__policy_qos_profiles
in Firefox to create a new policy QoS profile in the “cwag_net”:
b. Make sure that the QoS profile has been created by opening
https://localhost:9443/swagger/v1/ui/policydb#/Policies/get_lte__network_id__policy_qos_profiles__profile_id_
and providing Network ID / Profile ID as follows:
Note
The following policies 03_POLICY_UNLIM_MB_FULL_SPEED and
b. Go to https://magma-test.localhost/nms/cwag_net/configure/policies
and add a new static PCC rule by clicking Add Rule.
d. Go to https://magma-test.localhost/nms/cwag_net/configure/policies
and add a new static PCC rule by clicking Add Rule.
1. Make sure that all physical Lab components are interconnected properly as
shown in Figure 4. Physical network setup.
3. Make sure that all containers of all software components have started properly
(+ optionally restart CWAG & FEG containers).
Note
If there is a peer issue, apply the fix procedure described here.
http://localhost:9080/spr/sm/setAccumValue?subscriber_id=101012345678922&accum_id=02_ACCUM_200MB_FULL_SPEED&value=0&immidiate=1
2. Make sure the Accumulator has been reset by refreshing MiniCRM page
http://localhost:8093/#101012345678922 :
3. Insert USIM1 into Huawei P smart 2019 (mac address: 9c4e.2073.9780), turn on
the UE, go to WiFi Settings, enable WiFi, and tap on magma in the network
list.
root@cwag-dev:~# tcpdump -i eth1 -nn port 1812 or port 1813 or port 3799
Note
The successful authentication and authorization should end up with an
Access-Accept message sent to AP by AAA Server (172.16.0.3 ⇨ 172.16.0.2).
Access-Reject is usually sent if there is something wrong with HSS (e.g. HSS
service is down, IMSI does not exist in HSS config, the auth key (Ki) for the
subscriber and/or OP code don’t match with Ki/OP values stored in the
USIM, etc.).
Access-Reject occurs also if the user has insufficient credits for the service at
PCRF.
7. Go to Tab_3 and Tab_4 to observe DHCP DORA process between the UE and
the home router on CWAG’s uplink (eth2) as well as encapsulated user traffic
on CWAG’s downlink (eth1):
8. Go to Tab_6 and find the policy name selected for the subscriber by PCRF
policy engine:
10. Go to Tab_5 and locate sessiond log section where the dynamic, gx-tracked
charging rule 02_RULE_200MB_FULL_SPEED is activated for IMSI
101012345678922:
sessiond | I0520 11:47:14.701200 1 LocalEnforcer.cpp:699] Activating Gx tracked rule 02_RULE_200MB_FULL_SPEED with monitoring key
02_KEY_200MB_FULL_SPEED
sessiond | I0520 11:47:14.701261 1 PipelinedClient.cpp:378] Activating 1 rules for IMSI101012345678922 msisdn 12345 and ip
sessiond | I0520 11:47:14.701278 1 GrpcMagmaUtils.cpp:58]
sessiond | magma.lte.ActivateFlowsRequest {
11. Launch Speedtest on the UE to confirm that the speed limit (QoS) is not
applied:
13. Get back to Tab_5 and locate recurrent credit-related logs for the charging
rule 02_RULE_200MB_FULL_SPEED and IMSI 101012345678922:
sessiond |
sessiond | I0520 12:51:48.051728 23 GrpcMagmaUtils.cpp:58]
sessiond | magma.lte.RuleRecordTable {
sessiond | records {
sessiond | sid: "IMSI101012345678922"
sessiond | rule_id: "02_RULE_200MB_FULL_SPEED"
sessiond | bytes_tx: 1541582
sessiond | bytes_rx: 11400512
sessiond | rule_version: 1
sessiond | }
sessiond | records {
sessiond | sid: "IMSI101012345678922"
sessiond | rule_id: "internal_default_drop_flow_rule"
sessiond | }
sessiond | epoch: 1652883896
sessiond | }
sessiond | I0520 12:51:48.053248 1 LocalSessionManagerHandler.cpp:70] Aggregating 2 records
sessiond | I0520 12:51:48.053505 1 LocalEnforcer.cpp:378] IMSI101012345678922-556469 used 1541582 tx bytes and
11400512 rx bytes for rule 02_RULE_200MB_FULL_SPEED
sessiond | I0520 12:51:48.053550 1 SessionState.cpp:646] Updating used monitoring credit for
Rule=02_RULE_200MB_FULL_SPEED Monitoring Key=02_KEY_200MB_FULL_SPEED
sessiond | I0520 12:51:48.053694 1 SessionCredit.cpp:572] ===> Used Tx: 1541582 Rx: 11400512 Total: 12942094
sessiond | I0520 12:51:48.054250 1 SessionCredit.cpp:575] ===> Reported Tx: 1234055 Rx: 10835738 Total: 12069793
sessiond | I0520 12:51:48.054417 1 SessionCredit.cpp:578] ===> Allowed Tx: 1234055 Rx: 10835738 Total: 13069793
sessiond | I0520 12:51:48.054457 1 SessionCredit.cpp:581] ===> A_Floor Tx: 1234055 Rx: 10835738 Total: 12069793
sessiond | I0520 12:51:48.054473 1 SessionCredit.cpp:584] ===> (%used) Tx: _% Rx: _% Total: 87%
sessiond | I0520 12:51:48.054493 1 SessionCredit.cpp:597] ===> Grant tracking type TOTAL_ONLY, Reporting: 0
sessiond | I0520 12:51:48.054610 1 LocalEnforcer.cpp:389] Received stats for 1 active sessions and 0 stale sessions
sessiond | I0520 12:51:48.054649 1 SessionCredit.cpp:317] TOTAL_ONLY grant is partially exhausted (threshold 0.8)
sessiond | I0520 12:51:48.055053 1 SessionState.cpp:805] Session IMSI101012345678922-556469 monitoring key
02_KEY_200MB_FULL_SPEED updating due to quota exhaustion with request number 4
sessiond | I0520 12:51:48.055080 1 SessionCredit.cpp:428] ===> Data usage since last report is tx=307527 rx=564774
sessiond | I0520 12:51:48.055094 1 SessionCredit.cpp:625] ===> Amount reporting for this report: tx=307527 rx=564774
sessiond | I0520 12:51:48.057272 1 SessionCredit.cpp:627] ===> The total amount currently being reported: tx=307527
rx=564774
sessiond | I0520 12:51:48.057436 1 LocalSessionManagerHandler.cpp:103] Sending 0 charging updates and 1 monitor updates
to OCS and PCRF
sessiond | I0520 12:51:48.057674 1 SessionStore.cpp:55] saving flag is_reporting = 1 on session store
sessiond | I0520 12:51:48.058398 1 SessionStore.cpp:120] Syncing request numbers into existing sessions
sessiond | I0520 12:51:48.058642 1 SessionStore.cpp:134] sync_request_numbers: Writing into session store
sessiond | I0520 12:51:48.058782 1 GrpcMagmaUtils.cpp:58]
sessiond | magma.lte.UpdateSessionRequest {
sessiond | usage_monitors {
Note
PCEF (CWAG) sends a data usage report to PCRF in CCR-U messages when
80% of the last TOTAL_ONLY grant (1MB) is reached. PCRF responds with a
new TOTAL_ONLY grant in CCA-U.
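The counters behind the log lines above (Used, Reported, Allowed and the 87%), reduced to a small Python model as an added example; this is not sessiond's code, only a reconstruction of the bookkeeping the log shows. The 0.8 threshold, the 1,000,000-byte TOTAL_ONLY grant (the Delta of the accumulator in rules.xml) and the byte counts are taken from the log; the assumption that the previous grants were fully consumed before the last CCA-U is constructed.

```python
"""Model of a Gx usage monitor with a TOTAL_ONLY grant (added example, not Magma code)."""

REPORT_THRESHOLD = 0.8  # sessiond: "TOTAL_ONLY grant is partially exhausted (threshold 0.8)"


class UsageMonitor:
    """Tracks Used / Reported / Allowed counters for one Monitoring-Key."""

    def __init__(self, monitoring_key):
        self.monitoring_key = monitoring_key
        self.used_tx = self.used_rx = 0          # absolute counters from pipelined
        self.reported_tx = self.reported_rx = 0  # bytes already reported to PCRF
        self.allowed_total = 0                   # cumulative TOTAL_ONLY grants

    def grant(self, total_octets):
        """CCA: Granted-Service-Unit (CC-Total-Octets) extends the allowance."""
        self.allowed_total += total_octets

    def record_usage(self, bytes_tx, bytes_rx):
        """A RuleRecordTable entry carries absolute counters, not deltas."""
        self.used_tx, self.used_rx = bytes_tx, bytes_rx

    def used_total(self):
        return self.used_tx + self.used_rx

    def reported_total(self):
        return self.reported_tx + self.reported_rx

    def since_last_report(self):
        """'Data usage since last report' as (tx, rx)."""
        return self.used_tx - self.reported_tx, self.used_rx - self.reported_rx

    def grant_percent_used(self):
        """Share of the outstanding grant consumed since the last report."""
        outstanding = self.allowed_total - self.reported_total()
        if outstanding <= 0:
            return 100  # PCRF granted nothing new: report immediately
        return int(100 * sum(self.since_last_report()) / outstanding)

    def should_report(self):
        """True when a CCR-U with USAGE_REPORT has to be sent."""
        return self.grant_percent_used() >= int(REPORT_THRESHOLD * 100)

    def build_usage_report(self):
        """Content of the Used-Service-Unit in the CCR-U; marks usage as reported."""
        tx, rx = self.since_last_report()
        report = {"monitoring_key": self.monitoring_key,
                  "used_tx": tx, "used_rx": rx, "used_total": tx + rx}
        self.reported_tx, self.reported_rx = self.used_tx, self.used_rx
        return report


def replay_lab_log():
    """Rebuilds the 02_KEY_200MB_FULL_SPEED state visible in the sessiond log above."""
    mon = UsageMonitor("02_KEY_200MB_FULL_SPEED")
    # Previous round: Reported Tx 1234055 Rx 10835738 (Total 12069793), then a
    # fresh 1 MB grant, giving Allowed Total 13069793.
    mon.record_usage(1234055, 10835738)
    mon.allowed_total = 12069793  # assumption: earlier grants fully consumed
    mon.build_usage_report()
    mon.grant(1_000_000)
    # New RuleRecordTable record: bytes_tx 1541582, bytes_rx 11400512.
    mon.record_usage(1541582, 11400512)
    return mon


if __name__ == "__main__":
    mon = replay_lab_log()
    print(mon.used_total(), mon.grant_percent_used(), mon.should_report())
    print(mon.build_usage_report())
```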
Note
The event trigger for CCR-U is “event_trigger: USAGE_REPORT”.
EVENT_USAGE_REPORT
This value shall be used in a CCA and RAR commands by the PCRF when
requesting usage monitoring at the PCEF. The PCRF shall also provide in
the CCA or RAR command the Usage-Monitoring-Information AVP(s)
including the Monitoring-Key AVP and the Granted-Service-Unit AVP. When
used in a CCR command, this value indicates that the PCEF generated the
request to report the accumulated usage for one or more monitoring keys.
The PCEF shall also provide the accumulated usage volume using the
Usage-Monitoring-Information AVP(s) including the Monitoring-Key AVP
and the Used-Service-Unit AVP.
17. Get back to Tab_6 and find the new policy selected for the subscriber by PCRF
policy engine:
[root@test /]# lv
Note
The new charging rule is configured with a DUMMY Monitoring-Key. If no
Monitoring-Key is defined for a dynamic rule in rules.xml, the rule shows up
in the sessiond log as tracking_type: NO_TRACKING and the session is
terminated.
19. Verify existing rule deactivation / new rule activation on PCEF by jumping to
Tab_5:
…...
sessiond | I0520 12:54:34.202384 1 PipelinedClient.cpp:350] Deactivating 1 rules and for subscriber IMSI101012345678922 IP
sessiond | I0520 12:54:34.202401 1 GrpcMagmaUtils.cpp:58]
sessiond | magma.lte.DeactivateFlowsRequest {
sessiond | sid {
sessiond | id: "IMSI101012345678922"
sessiond | }
sessiond | request_origin {
sessiond | }
Note
The new charging rule contains QoS information which activates rate
limiting of UE traffic on CWAG physical interfaces.
20. Launch Speedtest on the UE to confirm that the speed limit of 2Mbps is active
for the new charging rule:
http://localhost:9080/spr/sm/setAccumValue?subscriber_id=101012345678922&accum_id=02_ACCUM_200MB_FULL_SPEED&value=0&immidiate=1
22. Make sure the Accumulator has been reset by refreshing MiniCRM page
http://localhost:8093/#101012345678922 :
23. Go to Tab_6 and notice that after Accumulator reset, the original
02_POLICY_200MB_FULL_SPEED has been restored for the subscriber:
[root@test /]# lv
25. Launch Speedtest on the UE again to make sure that the speed limit of 2Mbps
has been removed:
5. Go to Tab_6 and find the policy name selected for the subscriber by PCRF
policy engine:
[root@test /]# lv
Note
The RAT-Type: WLAN attribute specifies the Radio Access Technology and
can be found in CCR-I messages along with the IP-CAN-Type:
CAN_Non_3GPP_EPS attribute, which defines the type of Connectivity
Access Network (CAN) to which the user is connected.
sessiond | I0525 07:38:34.904469 1 LocalEnforcer.cpp:389] Received stats for 1 active sessions and 0 stale sessions
sessiond | I0525 07:38:34.904507 1 LocalSessionManagerHandler.cpp:96] Succeeded in updating session after no reporting
sessiond | I0525 07:38:39.903858 23 GrpcMagmaUtils.cpp:58]
sessiond | magma.lte.RuleRecordTable {
sessiond | records {
sessiond | sid: "IMSI101012345678944"
sessiond | rule_id: "04_RULE_UNLIM_MB_8MBPS"
sessiond | bytes_tx: 70485
sessiond | bytes_rx: 106653
sessiond | rule_version: 1
sessiond | }
sessiond | records {
sessiond | sid: "IMSI101012345678944"
sessiond | rule_id: "internal_default_drop_flow_rule"
sessiond | }
sessiond | epoch: 1653417238
sessiond | }
sessiond | I0525 07:38:39.905593 1 LocalSessionManagerHandler.cpp:70] Aggregating 2 records
sessiond | I0525 07:38:39.905848 1 LocalEnforcer.cpp:378] IMSI101012345678944-365436 used 70485 tx bytes and 106653 rx bytes for rule
04_RULE_UNLIM_MB_8MBPS
sessiond | I0525 07:38:39.906109 1 SessionState.cpp:646] Updating used monitoring credit for Rule=04_RULE_UNLIM_MB_8MBPS
Monitoring Key=
sessiond | I0525 07:38:39.906116 1 SessionState.cpp:2248] Monitoring Key not found, not adding the usage
sessiond | I0525 07:38:39.906188 1 LocalEnforcer.cpp:389] Received stats for 1 active sessions and 0 stale sessions
sessiond | I0525 07:38:39.906507 1 LocalSessionManagerHandler.cpp:96] Succeeded in updating session after no reporting
Note
04_RULE_UNLIM_MB_8MBPS (see here) is configured on CWAG with no
Monitoring-Key because the amount of data consumed by the subscriber is
not relevant for the data plan.
Neither PCRF grants service units for the rule 04_RULE_UNLIM_MB_8MBPS
nor PCEF reports the amount of service units consumed by the subscriber
for this rule.
9. Launch Speedtest on the UE to make sure that the speed limit of 8Mbps
specified in the QoS profile referenced by the charging rule
04_RULE_UNLIM_MB_8MBPS has been applied:
imsi : 101012345678944
ip_addr :
rule_num : 4
direction : 0
qos_handle: 2
qos_handle_ambr: 0
qos_handle_ambr_leaf: 0
Dev: eth2
class htb 1:2 parent 1:fffe prio quantum rate 8192Kbit ceil 8192Kbit linklayer ethernet burst 1598b/1 mpu 0b cburst 1598b/1 mpu 0b level 0
Sent 5482976 bytes 8993 pkt (dropped 0, overlimits 3272 requeues 0)
backlog 0b 0p requeues 0
lended: 8923 borrowed: 0 giants: 0
tokens: 23215 ctokens: 23215
imsi : 101012345678944
ip_addr :
rule_num : 4
direction : 1
qos_handle: 3
qos_handle_ambr: 0
qos_handle_ambr_leaf: 0
Dev: eth1
class htb 1:3 parent 1:fffe prio quantum rate 8192Kbit ceil 8192Kbit linklayer ethernet burst 1598b/1 mpu 0b cburst 1598b/1 mpu 0b level 0
Sent 7741553 bytes 8860 pkt (dropped 0, overlimits 3074 requeues 0)
backlog 0b 0p requeues 0
lended: 6732 borrowed: 0 giants: 0
tokens: 22819 ctokens: 22819
Create your own data plan for subscriber 101012345678955 with some sophisticated
policy selection criteria, combination of static and dynamic charging rules, service
units usage reporting and QoS profiles.
https://www.etsi.org/deliver/etsi_ts/129200_129299/129212/12.10.00_60/ts_129212v121000p.pdf
“The PCRF may provide the redirect instruction for a dynamic PCC rule to the PCEF
enhanced with ADC. The Provisioning shall be performed using the PCC rule
provisioning procedure. The redirect instruction shall be encoded using a
Redirect-Information AVP within the Charging-Rule-Definition AVP of the dynamic
PCC rule”
7.1.1.1 “400 Bad Request - No required SSL Certificate was sent” error when entering
https://localhost:9443/apidocs/v1/#/ in Firefox
The API endpoint on port 9443 requires mutual TLS: this is the error nginx returns
when the browser does not present a client certificate. Make sure the admin operator
client certificate (admin_operator.pfx) is imported into Firefox; clearing the site data
resets Firefox’s remembered certificate decision for the site so that it offers the
certificate again.
Solution:
1. Clear Firefox History and Data:
2. Reload https://localhost:9443/apidocs/v1/#/
3. Click OK:
7.3 FEG
7.3.1 Extended logging
● Enable “Print GRPC Payload” for services which support it (e.g. HSS,
SWX_PROXY, SESSION_PROXY).
● Optionally, increase the services’ logging verbosity by changing the value of
the “-v” parameter.
# cd /var/opt/magma/docker
# vim docker-compose.yml
session_proxy:
<<: *goservice
environment:
USE_GY_FOR_AUTH_ONLY: ${USE_GY_FOR_AUTH_ONLY}
GY_SUPPORTED_VENDOR_IDS: ${GY_SUPPORTED_VENDOR_IDS}
GY_SERVICE_CONTEXT_ID: ${GY_SERVICE_CONTEXT_ID}
container_name: session_proxy
command: envdir /var/opt/magma/envdir /var/opt/magma/bin/session_proxy -logtostderr=true -print-grpc-payload -v=4
swx_proxy:
<<: *goservice
container_name: swx_proxy
command: envdir /var/opt/magma/envdir /var/opt/magma/bin/swx_proxy -logtostderr=true -print-grpc-payload -v=0
# vim docker-compose.override.yml
services:
hss:
<<: *feggoservice
container_name: hss
command: envdir /var/opt/magma/envdir /var/opt/magma/bin/hss -logtostderr=true -print-grpc-payload -v=0
# log_level: INFO
log_level: DEBUG
# print_grpc_payload: false
print_grpc_payload: true
# cd /var/opt/magma/docker
# docker-compose down && docker-compose up -d
# docker-compose logs -f magmad
Testing the CCR-I/CCA-I dialogue between FEG and PCRF for a specific IMSI
# cd /var/opt/magma/docker
# docker-compose stop session_proxy
# docker-compose exec csfb bash
# /var/opt/magma/bin/gx_client_cli --commands=I --imsi=101012345678911
# exit
# docker-compose start session_proxy
Significant logs
# cd /var/opt/magma/docker
# docker-compose logs -f hss
# docker-compose logs -f swx_proxy
# docker-compose logs -f session_proxy
7.4 CWAG
7.4.1 Extended logging
1. Modify “docker-compose.yml”:
# cd /var/opt/magma/docker
# vim docker-compose.yml
aaa_server:
<<: *feggoservice
container_name: aaa_server
environment:
USE_REMOTE_SWX_PROXY: 1 # Relay to FeG
MAGMA_PRINT_GRPC_PAYLOAD: 1
healthcheck:
test: ["CMD", "nc", "-zv", "localhost","9109"]
timeout: "4s"
retries: 3
command: envdir /var/opt/magma/envdir /var/opt/magma/bin/aaa_server -logtostderr=true -v=4
eap_aka:
<<: *feggoservice
container_name: eap_aka
environment:
USE_REMOTE_SWX_PROXY: 1 # Relay to FeG
MAGMA_PRINT_GRPC_PAYLOAD: 1
healthcheck:
test: ["CMD", "nc", "-zv", "localhost","9123"]
timeout: "4s"
retries: 3
command: envdir /var/opt/magma/envdir /var/opt/magma/bin/eap_aka -logtostderr=true -v=0
2. Modify “pipelined.yml”:
# vim /etc/magma/pipelined.yml
# log_level: INFO
log_level: DEBUG
#magma_print_grpc_payload: false
magma_print_grpc_payload: true
# cd /var/opt/magma/docker
# docker-compose down && docker-compose up -d
# docker-compose logs -f pipelined
3. Modify “sessiond.yml”:
# vim /etc/magma/sessiond.yml
# log_level: INFO
log_level: DEBUG
print_grpc_payload: true
# cd /var/opt/magma/docker
# docker-compose down && docker-compose up -d
# docker-compose logs -f sessiond
4. Modify “policydb.yml”:
# vim /etc/magma/policydb.yml
# log_level: INFO
log_level: DEBUG
# cd /var/opt/magma/docker
# docker-compose down && docker-compose up -d
# docker-compose logs -f policydb
5. Modify “magmad.yml”:
# vim /etc/magma/magmad.yml
# log_level: INFO
log_level: DEBUG
# cd /var/opt/magma/docker
# docker-compose down && docker-compose up -d
# docker-compose logs -f magmad
Capture RADIUS traffic (authentication 1812, accounting 1813, CoA/Disconnect 3799) on eth1 to a pcap file:
# tcpdump -i eth1 -nn port 1812 or port 1813 or port 3799 -w /tmp/radius.pcap
Significant logs
# cd /var/opt/magma/docker
# docker-compose logs -f aaa_server
# docker-compose logs -f sessiond
# docker-compose logs -f pipelined
# docker-compose logs -f policydb
imsi : 101012345678944
ip_addr :
rule_num : 1
direction : 0
qos_handle: 2
qos_handle_ambr: 0
qos_handle_ambr_leaf: 0
Dev: eth2
class htb 1:2 parent 1:fffe prio quantum rate 8192Kbit ceil 8192Kbit linklayer ethernet burst 1598b/1 mpu 0b cburst 1598b/1 mpu 0b level 0
Sent 14489879 bytes 20282 pkt (dropped 0, overlimits 8896 requeues 0)
backlog 0b 0p requeues 0
lended: 19480 borrowed: 0 giants: 0
tokens: 23398 ctokens: 23398
imsi : 101012345678944
ip_addr :
rule_num : 1
direction : 1
qos_handle: 3
qos_handle_ambr: 0
qos_handle_ambr_leaf: 0
Dev: eth1
class htb 1:3 parent 1:fffe prio quantum rate 8192Kbit ceil 8192Kbit linklayer ethernet burst 1598b/1 mpu 0b cburst 1598b/1 mpu 0b level 0
Sent 19653360 bytes 20188 pkt (dropped 0, overlimits 6870 requeues 0)
backlog 0b 0p requeues 0
lended: 14156 borrowed: 0 giants: 0
tokens: 22819 ctokens: 22819
Pipelined CLI(enforcement)
records {
sid: "IMSI101012345678944"
rule_id: "04_RULE_UNLIM_MB_8MBPS"
bytes_tx: 1717893
bytes_rx: 26193239
rule_version: 1
}
records {
sid: "IMSI101012345678944"
rule_id: "internal_default_drop_flow_rule"
}
epoch: 1652457844
- - - - - - - - - - - - - - - - - - - - - - -
# ovs-vsctl show
Bridge "cwag_br0"
Controller "tcp:127.0.0.1:6633"
is_connected: true
fail_mode: secure
Port "gre0"
Interface "gre0"
type: gre
options: {remote_ip=flow}
Port li_port
Interface li_port
type: internal
Port cwag_patch
Interface cwag_patch
type: patch
options: {peer=uplink_patch}
Bridge "uplink_br0"
fail_mode: secure
Port "eth2"
Interface "eth2"
Port uplink_patch
Interface uplink_patch
type: patch
options: {peer=cwag_patch}
Port "uplink_br0"
Interface "uplink_br0"
type: internal
Port "gw0"
Interface "gw0"
type: internal
ovs_version: "2.12.0"
# ovs-vsctl list-br
cwag_br0
uplink_br0
# ovs-vsctl list-ports cwag_br0
cwag_patch
gre0
li_port
mon1
# ovs-vsctl list-ports uplink_br0
eth2
gw0
uplink_patch
# ovs-vsctl list Open_vSwitch
_uuid : d6b53b6c-c9b7-4dfa-803c-6961017e6e63
bridges : [151abd6c-8d6e-4dcc-8608-ac7b74a02cf6, dc6a5304-4b58-454b-ab95-7b3b4c1ee04d]
cur_cfg : 506
datapath_types : [netdev, system]
db_version : "8.0.0"
dpdk_initialized : false
dpdk_version : none
external_ids : {hostname=cwag-dev, rundir="/var/run/openvswitch", system-id="6baf88b1-eba2-4404-91b3-fbc8f250b1fe"}
iface_types : [erspan, geneve, gre, internal, "ip6erspan", "ip6gre", lisp, patch, stt, system, tap, vxlan]
manager_options : []
next_cfg : 506
other_config : {}
ovs_version : "2.12.0"
# ovs-vsctl list Controller
_uuid : a293adde-377d-4053-898e-525308eca596
connection_mode : []
controller_burst_limit: []
controller_rate_limit: []
enable_async_messages: []
external_ids : {}
inactivity_probe : []
is_connected : true
local_gateway : []
local_ip : []
local_netmask : []
max_backoff : []
other_config : {}
role : other
status : {last_error="Connection refused", sec_since_connect="42627", state=ACTIVE}
target : "tcp:127.0.0.1:6633"
type : []
OvS datapath
# ovs-dpctl show
system@ovs-system:
lookups: hit:12533823 missed:66049 lost:0
flows: 21
masks: hit:17532880 total:11 hit/pkt:1.39
port 0: ovs-system (internal)
port 1: gre_sys (gre: packet_type=ptap)
port 2: cwag_br0 (internal)
port 3: mon1 (internal)
port 4: li_port (internal)
port 5: gw0 (internal)
port 6: eth2
port 7: uplink_br0 (internal)
# ovs-dpctl dump-flows
Logging:
# ovs-appctl vlog/list
# ovs-appctl vlog/set ofproto:file:dbg
Tracing:
# ovs-appctl ofproto/trace cwag_br0 in_port=gre0
This error may occur while building CWAG images (docker-compose build --parallel)
Solution:
Increase Docker Desktop memory to 10G and re-launch docker-compose build.
# /opt/pcrf_utils/bin/pcrf_full_restart.sh
Deletion of coredumps
# cd /cores
# rm *
Logging
# lv
# lvt
Reference
Refer to YotaPCRF Administrators Guide:
● page 63 - for the full list of utilities
● page 31 - for logging
Solution:
1. Remove FreePCRF guest from the NAT network, disconnect the Virtualbox
"cable", switch to NAT, leave the "cable" disconnected.
2. Remove the DHCP server for the NAT network. Use this command in a
command prompt:
3. Reset the guest to the NAT network and connect the "cable".
If successful, check the routes on the FreePCRF VM: the default route should now be
installed and the default gateway IP should be pingable:
root@cwag-dev:/# tcpdump -i eth1 -nn port 1812 or port 1813 or port 3799
04:29:08.658984 IP 172.16.0.2.1645 > 172.16.0.3.1812: RADIUS, Access-Request (1), id: 0x13 length: 306
04:29:08.661849 IP 172.16.0.3.1812 > 172.16.0.2.1645: RADIUS, Access-Challenge (11), id: 0x13 length: 52
04:29:08.669307 IP 172.16.0.2.1645 > 172.16.0.3.1812: RADIUS, Access-Request (1), id: 0x14 length: 314
04:29:09.183748 IP 172.16.0.3.1812 > 172.16.0.2.1645: RADIUS, Access-Challenge (11), id: 0x14 length: 108
04:29:09.356946 IP 172.16.0.2.1645 > 172.16.0.3.1812: RADIUS, Access-Request (1), id: 0x15 length: 314
04:29:15.389906 IP 172.16.0.3.1812 > 172.16.0.2.1645: RADIUS, Access-Reject (3), id: 0x15 length: 44
Solution:
Authentication debugs
EAP debugs
WPA debugs
(Step18)Radius Disconnect-Request to AP
*Nov 4 01:25:59.501: RADIUS: POD received from id 0 172.16.0.3:46289, POD Request, len 49
*Nov 4 01:25:59.501: POD: 172.16.0.3 request queued
*Nov 4 01:25:59.501: ++++++ POD Attribute List ++++++
*Nov 4 01:25:59.501: 051749F8 0 00000001 session-id(408) 4 20(14)
*Nov 4 01:25:59.501: 05174F48 0 00000081 formatted-clid(37) 17 E4-19-C1-42-01-3E
*Nov 4 01:25:59.501: DOT11 POD Received PoD request
*Nov 4 01:25:59.501: DOT11 POD Invalid MAC address (E4-19-C1-42-01-3E) len=17
*Nov 4 01:25:59.502: DOT11 POD Could not terminate session, wds=0 err_code=404
*Nov 4 01:25:59.502: POD: Added NACK Error Cause: Invalid Request
*Nov 4 01:25:59.502: POD: Sending NAK from port 3799 to 172.16.0.3/46289
*Nov 4 01:25:59.502: RADIUS: 101 6 00000194
The root cause of err_code=404 is “Invalid MAC address”, which can be found in the
AP’s debug output below:
*Nov 2 04:36:20.324: RADIUS: POD received from id 0 172.16.0.3:50250, POD Request, len 49
*Nov 2 04:36:20.325: POD: 172.16.0.3 request queued
*Nov 2 04:36:20.325: ++++++ POD Attribute List ++++++
*Nov 2 04:36:20.325: 022BF6D0 0 00000001 session-id(408) 4 1146(47A)
*Nov 2 04:36:20.325: 022BFB10 0 00000081 formatted-clid(37) 17 E4-19-C1-42-01-3E
*Nov 2 04:36:20.325:
*Nov 2 04:36:20.325: DOT11 POD Received PoD request
*Nov 2 04:36:20.325: DOT11 POD Invalid MAC address (E4-19-C1-42-01-3E) len=17
*Nov 2 04:36:20.325: DOT11 POD Could not terminate session, wds=0 err_code=404
*Nov 2 04:36:20.325: POD: Added NACK Error Cause: Invalid Request
*Nov 2 04:36:20.325: POD: Sending NAK from port 3799 to 172.16.0.3/50250
*Nov 2 04:36:20.326: RADIUS: 101 6 00000194
The UE MAC string stored by the AP in Cisco default format does not match the
received IETF-formatted string, and no format conversion is performed before the
string comparison. As a result, the UE stays connected to the “magma” wireless network
instead of being deauthenticated/disassociated.
As described here, the issue does not occur when the Authenticator uses the Cisco
native format for the csid (dot11 aaa csid default), but as mentioned before such a
configuration makes the UE attach procedure fail.
Solution:
There is currently neither a solution nor a workaround for the existing Lab setup. The Cisco
AIR-AP1142N-E-K9 platform is EOL and is running the latest available firmware
version, 15.3(3)JD17. One could try to run a Cisco WLC on a VM and convert the
AP to lightweight mode, but that needs additional hardware resources, increases
Lab complexity, and still does not guarantee a successful Disconnect operation.
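The exchange in the AP debug output above, as an added example that is not part of the original document and not Magma or Cisco code: a minimal RFC 5176 Disconnect-Request (Packet of Disconnect) builder, the Disconnect-NAK the AP answers with, verification of the Response Authenticator (so a reply made with the wrong secret or a spoofed reply is not trusted), decoding of the Error-Cause attribute (type 101, whose 4-byte value 0x194 is the 404 in the AP’s “RADIUS: 101 6 00000194” line), and the MAC-format normalisation between IETF and Cisco notation that the AP does not perform before comparing strings. The shared secret, identifier and session values are constructed for illustration, and the IETF and Cisco MAC formats are assumed to be XX-XX-XX-XX-XX-XX and xxxx.xxxx.xxxx.

```python
"""RFC 5176 Disconnect-Request/NAK builder and checker, plus MAC-format
normalisation.  Added example, not Magma or Cisco code; the secret and the
session values are constructed for illustration."""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
CALLING_STATION_ID, ACCT_SESSION_ID, ERROR_CAUSE = 31, 44, 101   # IETF attribute types
ERROR_CAUSE_NAMES = {401: "Unsupported Attribute", 402: "Missing Attribute",
                     403: "NAS Identification Mismatch", 404: "Invalid Request",
                     503: "Session Context Not Found"}          # subset of RFC 5176 values

SECRET = b"lab-radius-secret"   # constructed; must equal the AP's radius-server key


def _encode_attrs(attrs):
    out = b""
    for typ, val in attrs:
        val = struct.pack("!I", val) if isinstance(val, int) else val.encode()
        out += bytes([typ, 2 + len(val)]) + val
    return out


def _header(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_disconnect_request(ident, acct_session_id, calling_station_id, secret=SECRET):
    attrs = _encode_attrs([(ACCT_SESSION_ID, acct_session_id),
                           (CALLING_STATION_ID, calling_station_id)])
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    auth = hashlib.md5(_header(DISCONNECT_REQUEST, ident, b"\x00" * 16, attrs) + secret).digest()
    return _header(DISCONNECT_REQUEST, ident, auth, attrs)


def parse_packet(pkt):
    """Return (code, ident, authenticator, [(type, value), ...]); rejects bad lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        typ, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((typ, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, pkt[4:20], attrs


def build_disconnect_nak(request, error_cause, secret=SECRET):
    """What the NAS sends when it cannot terminate the session (what the AP did above)."""
    _, ident, req_auth, _ = parse_packet(request)
    attrs = _encode_attrs([(ERROR_CAUSE, error_cause)])
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    auth = hashlib.md5(_header(DISCONNECT_NAK, ident, req_auth, attrs) + secret).digest()
    return _header(DISCONNECT_NAK, ident, auth, attrs)


def response_is_authentic(request, response, secret=SECRET):
    """True only if the reply carries our identifier and a valid Response Authenticator."""
    _, req_id, req_auth, _ = parse_packet(request)
    code, ident, auth, _ = parse_packet(response)
    if ident != req_id:
        return False
    expected = hashlib.md5(_header(code, ident, req_auth, response[20:]) + secret).digest()
    return hmac.compare_digest(expected, auth)


def disconnect_result(request, response, secret=SECRET):
    """(code, error_cause) of an authenticated reply; ValueError if it does not verify."""
    if not response_is_authentic(request, response, secret):
        raise ValueError("Response Authenticator check failed (wrong secret or spoofed reply)")
    code, _, _, attrs = parse_packet(response)
    cause = next((struct.unpack("!I", v)[0] for t, v in attrs
                  if t == ERROR_CAUSE and len(v) == 4), None)
    return code, cause


def mac_hex(mac):
    """Reduce IETF (E4-19-C1-42-01-3E), Cisco (e419.c142.013e) or colon form to 12 hex digits."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def to_cisco(mac):
    d = mac_hex(mac)
    return ".".join(d[i:i + 4] for i in range(0, 12, 4))


def to_ietf(mac):
    return "-".join(mac_hex(mac)[i:i + 2] for i in range(0, 12, 2)).upper()


def same_station(a, b):
    """The comparison the AP should make before answering err_code=404."""
    return mac_hex(a) == mac_hex(b)


# Constructed replay of the dialogue in the AP log: request for the UE, NAK with cause 404.
SAMPLE_REQUEST = build_disconnect_request(0, "20", "E4-19-C1-42-01-3E")
SAMPLE_NAK = build_disconnect_nak(SAMPLE_REQUEST, 404)

if __name__ == "__main__":
    code, cause = disconnect_result(SAMPLE_REQUEST, SAMPLE_NAK)
    print(code, cause, ERROR_CAUSE_NAMES.get(cause))   # 42 404 Invalid Request
    print(SAMPLE_NAK[20:].hex())                        # 650600000194 (type 101, len 6, 0x194)
    print(same_station("E4-19-C1-42-01-3E", to_cisco("E4-19-C1-42-01-3E")))   # True
```

Sending the request to a real AP would mean putting it on UDP port 3799 with the AP’s actual secret; the point here is that the NAK verifies cryptographically, so the 404 is a genuine answer from the AP’s session lookup (the string comparison of the MAC) and not a RADIUS-layer problem.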
7.7 UEs
7.7.1 Collecting UE logs with Android Debug Bridge (ADB)
UE logs may be extremely useful when troubleshooting EAP-AKA authentication.
Follow the steps below to collect log messages from the Android devices used in the
Lab (Samsung Galaxy SM-G350 running Android 4 and Huawei P smart 2019 running
Android 10). Note that the iPhone does not allow access to its logs without jailbreaking.
2. On your Mac:
a. Download ADB file for Mac:
https://dl.google.com/android/repository/platform-tools-latest-darwin.zip
b. Unpack the zip file and enter the extracted directory:
$ cd ~/Downloads/platform-tools
$ ./adb devices
and Allow USB debugging on the phone when the prompt pops up.
Note
The log format and contents may differ depending on Android version.
Command Description
Reference
https://www.xda-developers.com/install-adb-windows-macos-linux/
https://www.xda-developers.com/how-to-take-logs-in-android/
http://adbcommand.com/awesome-adb
AMF: Authentication Management Field. The AMF is a 16-bit value which is used to set the acceptable synchronization window in both the UE (User Equipment) and the network.
ICCID: The USIM's unique 19- or 20-character serial number, printed on the card. Used mainly for logistics.
PIN/PUK: PINs and PUKs are codes to unlock the card. If you get the PIN wrong too many times you need the longer PUK to unlock it.
IMSI: International Mobile Subscriber Identity. IMSIs are hierarchical, starting with the 3-digit Mobile Country Code (MCC), then the Mobile Network Code (MNC) (2 or 3 digits) and finally a Mobile Subscription Identification Number (MSIN), a unique number allocated by the operator to each subscriber in its network.
ACC: Access Control Class. The ACC allows values from 0-15 and determines the access control class of the subscriber.
AD: Administrative Data. Like the ACC field, the AD field allows operators to drive test networks without valid paying subscribers attaching to the network.
Ki: Subscriber's Key. The subscriber’s secret key, known only to the subscriber (USIM) and the HSS.
OP: Operator Code. The same for all USIMs from a single operator. Used in combination with Ki as input to the MILENAGE authentication functions.
OPc: Instead of giving each USIM the Operator Code (OP), a derived operator code can be precomputed when the USIM is written with the Ki key. This means the OP is not stored on the USIM. MILENAGE defines it as OPc = OP XOR E_Ki(OP), i.e. OP encrypted with AES-128 under Ki and XORed with OP.
GID 1/2: Two group identifier fields that allow the operator to identify a group of USIMs for a particular application.
MSISDN: Mobile Station International Subscriber Directory Number. The E.164-formatted phone number of the subscriber (not mandatory in the Magma setup).
ECC: Codes up to 6 digits long the subscriber is allowed to dial from the home screen / in an emergency / while not authenticated (999, 112, etc.).
XOR: XOR is available as an alternative to MILENAGE on some SIM cards, for testing only,
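As an added worked example (not code from the original document, from Magma, or from the USIM tooling it references), the OPc derivation that the table above abbreviates as Encrypt-Algo(OP, Key): MILENAGE (3GPP TS 35.206) defines OPc = OP XOR E_Ki(OP), with E being AES-128 keyed with Ki. A small pure-Python AES-128 is included so the script runs without third-party packages; it is written for readability, is not constant-time, and must not be used to handle production keys. The Ki/OP/OPc values are the public 3GPP TS 35.208 Test Set 1 vectors and the AES check value is the FIPS-197 Appendix C example, not Lab credentials.

```python
"""OPc derivation for a USIM as MILENAGE defines it (3GPP TS 35.206 4.1):
OPc = OP XOR AES128_Ki(OP).  Self-contained AES-128 for illustration only
(table-driven, not constant-time; never use it on real keys in production)."""


def _gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r


def _gf_inv(a):
    """Multiplicative inverse as a^254 (0 maps to 0)."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = _gf_mul(r, base)
        base = _gf_mul(base, base)
        e >>= 1
    return r


def _build_sbox():
    sbox = []
    for a in range(256):
        inv = _gf_inv(a)
        s, x = inv, inv
        for _ in range(4):                       # affine map: b ^ rotl(b,1..4) ^ 0x63
            x = ((x << 1) | (x >> 7)) & 0xFF
            s ^= x
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def _expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes (column-major)."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def _mix_column(a):
    return [_gf_mul(a[0], 2) ^ _gf_mul(a[1], 3) ^ a[2] ^ a[3],
            a[0] ^ _gf_mul(a[1], 2) ^ _gf_mul(a[2], 3) ^ a[3],
            a[0] ^ a[1] ^ _gf_mul(a[2], 2) ^ _gf_mul(a[3], 3),
            _gf_mul(a[0], 3) ^ a[1] ^ a[2] ^ _gf_mul(a[3], 2)]


def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block; the state is kept column-major like the input."""
    if len(key) != 16 or len(block) != 16:
        raise ValueError("AES-128 needs a 16-byte key and a 16-byte block")
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                   # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]         # ShiftRows
        if rnd < 10:                                               # MixColumns (not in last round)
            s = sum((_mix_column(s[c:c + 4]) for c in range(0, 16, 4)), [])
        s = [b ^ k for b, k in zip(s, rk[rnd])]                    # AddRoundKey
    return bytes(s)


def derive_opc(ki_hex, op_hex):
    """OPc = OP XOR AES_Ki(OP); hex in, lowercase hex out (what gets provisioned in the HSS)."""
    ki, op = bytes.fromhex(ki_hex), bytes.fromhex(op_hex)
    enc = aes128_encrypt_block(ki, op)
    return bytes(x ^ y for x, y in zip(enc, op)).hex()


# Public 3GPP TS 35.208 Test Set 1 values (not Lab credentials).
TEST_KI = "465b5ce8b199b49faa5f0a2ee238a6bc"
TEST_OP = "cdc202d5123e20f62b6d676ac72cb318"

if __name__ == "__main__":
    print(derive_opc(TEST_KI, TEST_OP))   # cd63cb71954a9f4e48a5994e37a02baf
```

Because only OPc is written to the card and stored in the HSS, a leaked batch of USIM files does not reveal the operator-wide OP; a leaked OP together with a subscriber's Ki, on the other hand, gives the attacker everything needed to compute that subscriber's OPc and clone the authentication.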
Launch the following commands to resume the Magma services and the FreePCRF VM:
Cisco AP
Orc8r
NMS
FreePCRF
URL Description
2. https://github.com/magma/magma/blob/master/docs/pdfs/Magma%20FWA%20Product%20Specifications%20v1.0.pdf
https://docs.magmacore.org/docs/howtos/ue_metering UE metering
OvS, pipelined
URL Description
QoS
URL Description
VirtualBox
URL Description
Cisco AP
URL Description
2. https://community.cisco.com/t5/wireless/converting-a-lightweight-ap-to-an-autonomous-ap/td-p/2284278
802.1x, EAP-AKA, EAPoL, MILENAGE, USIMs, Diameter, SWx, Gx, Gy
URL Description
https://www.cspsprotocol.com/swx-interface/ SWx
https://www.cspsprotocol.com/gy-interface/ Gy
http://www.lteandbeyond.com/2012/01/gx-interface-sitting-between-pcrf-and.html Gx
Yota/Telexir FreePCRF
URL Description
Telexir PCRF 3.7.1. Quick Start Guide.pdf Telexir PCRF 3.7.1. Quick Start Guide
Yota PCRF 3.6. Subscriber Management Interface Descripti… Yota PCRF 3.6. Subscriber Management Interface Description
Yota PCRF 3.6. Policy Engine Description.pdf Yota PCRF 3.6. Policy Engine Description
Yota PCRF 3.6. Product Description.pdf Yota PCRF 3.6. Product Description
Yota PCRF 3.6. Release Notes.pdf Yota PCRF 3.6. Release Notes
Yota PCRF 3.6. Installation Guide.pdf Yota PCRF 3.6. Installation Guide
Yota PCRF 3.6. Administrators Guide.pdf Yota PCRF 3.6. Administrators Guide
Yota PCRF 3.6. Backup and Recovery.pdf Yota PCRF 3.6. Backup and Recovery
Yota PCRF 3.6. DDF Information Interface Description.pdf Yota PCRF 3.6. DDF Information Interface Description
Yota PCRF Policy Control Presentation (Berlin 2014).pdf Yota PCRF Policy Control Presentation (Berlin 2014)