Maintenance case: identifying the phone number behind an EAP-SIM authentication on WX-series ACs
1. EAP-SIM authentication topology and protocol:
In China Mobile's EAP-SIM scheme, the Wi-Fi handset and the AAA server authenticate each other over an EAP tunnel built through the AC. The handset's identity is the IMSI on its (U)SIM card, carried as a Network Access Identifier (NAI) derived from that IMSI: either a pseudonym (pseudo-random) NAI or the permanent NAI.
So what appears in the RADIUS User-Name attribute is a long, random-looking string, for example
[1 User-name ] [58] [3C0807458312ADFDE77D8@***.***] or
[1 User-name ] [17] [460005315000063],
These NAIs are not human-readable and cannot be mapped directly to a phone number, which makes maintenance considerably harder. This case describes how to obtain a user's phone number from the AC's debug output.
2. How to identify the phone number of a SIM-authenticated user:
The group AAA server was upgraded in February 2013; since then, the phone number of a seamlessly (non-interactively) authenticated user appears in the RADIUS packets, specifically in Code=[2] (Access-Accept) and Code=[4] (Accounting-Request).
How it works:
After the handset's NAI reaches the AAA server through the EAP tunnel, the AAA queries the mobile core's HLR over MAP to obtain the subscriber's authentication data and phone number. The AAA then returns the phone number to the AC in the Access-Accept, in RADIUS attribute 89 (Chargeable_user_identity). The AC thereby learns the user's phone number and sends it back to the AAA in its RADIUS accounting packets, so the session can be billed to that subscriber.
Debug output analysis:
*Feb 4 10:37:04:877 2013 SDJN-WLAN-AC02-HSWX6103 RDS/7/DEBUG:
[1 User-name ] [58] [3C0807458312ADFDE77D8@***.***] // User-name in the Access-Request: pseudonym NAI
[12 Framed-MTU ] [6 ] [1450]
[79 EAP-Message ] [63] [0201003D0133433038303734353833313241444644453737443840776C616E2E6D6E633030302E6D63633436302E336770706E6574776F726B2E6F7267]
[80 Message-Autheticator ] [18] [00000000000000000000000000000000]
[89 Chargeable_user_identity ] [3 ] []
[4 NAS-IP-Address ] [6 ] [120.192.23.62]
*Feb 4 10:37:04:877 2013 SDJN-WLAN-AC02-HSWX6103 RDS/7/DEBUG:
[32 NAS-Identifier ] [18] [0438053153100460]
[5 NAS-Port ] [6 ] [16903096]
[87 NAS_Port_Id ] [12] [0000003000]
[61 NAS-Port-Type ] [6 ] [19]
[6 Service-Type ] [6 ] [2]
[7 Framed-Protocol ] [6 ] [1]
*Feb 4 10:37:04:878 2013 SDJN-WLAN-AC02-HSWX6103 RDS/7/DEBUG:
[31 Caller-ID ] [19] [44432D32422D36312D37432D35442D3835]
[30 Called-station-Id ] [29] [80-F6-2E-17-91-F0:CMCC-AUTO]
[44 Acct-Session-Id ] [19] [113010410371b2f30]
*Feb 4 10:37:04:878 2013 SDJN-WLAN-AC02-HSWX6103 RDS/7/DEBUG:
Event: Begin to switch RADIUS server when sending 0 packet.
*Feb 4 10:37:04:879 2013 SDJN-WLAN-AC02-HSWX6103 RDS/7/DEBUG: The RD TWL timer has resumeed.
*Feb 4 10:37:04:879 2013 SDJN-WLAN-AC02-HSWX6103 RDS/7/DEBUG: Malloc seed:147 in 221.176.1.138 for User ID:4872
*Feb 4 10:37:04:879 2013 SDJN-WLAN-AC02-HSWX6103 RDS/7/DEBUG: Send: IP=[221.176.1.138], UserIndex=[4872], ID=[147], RetryTimes=[0], Code=[1], Length=[295] // Access-Request
-----------------------------------------------------------------------
*Feb 4 10:37:08:027 2013 SDJN-WLAN-AC02-HSWX6103 RDS/7/DEBUG: Receive:IP=[221.176.1.138],Code=[2],Length=[335] // Access-Accept (authentication succeeded)
*Feb 4 10:37:08:028 2013 SDJN-WLAN-AC02-HSWX6103 RDS/7/DEBUG:
[79 EAP-Message ] [6 ] [03030004]
[MS-16 MS-MPPE-Send-Key ] [52] [9135607910CB03E7C696062104EB8C876370511CBF07BAC91D398FB9306A5ECE9FA5828E92CAE6624E01C29623F1406EDA54]
[MS-17 MS-MPPE-Recv-Key ] [52] [91343D28A9DE678702AC963EBD23E4C0A2DCBF358A2777ADF1345F798E99DB1A7F2E21530E84034FD86FD7125929E097B058]
[6 Service-Type ] [6 ] [2]
[7 Framed-Protocol ] [6 ] [1]
[27 Session-TimeOut ] [6 ] [28800]
*Feb 4 10:37:08:028 2013 SDJN-WLAN-AC02-HSWX6103 RDS/7/DEBUG:
[1 User-name ] [17] [460005315000063] // User-name in the Access-Accept: permanent NAI
[89 Chargeable_user_identity ] [13] [13505310063] // the user's phone number
[18 Reply-Message ] [117] [0;User(3C0807458312ADFDE77D8@***.***) Authenticate OK, Request Accept by ***.***]
[80 Message-Autheticator ] [18] [10ACC8C6DD36A18FA9E78404B7803075]
-------------------------------------------------------------------------------------
*Feb 4 10:37:08:050 2013 SDJN-WLAN-AC02-HSWX6103 RDS/7/DEBUG: Send attribute list:
*Feb 4 10:37:08:051 2013 SDJN-WLAN-AC02-HSWX6103 RDS/7/DEBUG:
[1 User-name ] [17] [460005315000063] // User-name in the Accounting-Request: permanent NAI
[32 NAS-Identifier ] [18] [0438053153100460]
[5 NAS-Port ] [6 ] [16903096]
[87 NAS_Port_Id ] [12] [0000003000]
[61 NAS-Port-Type ] [6 ] [19]
[31 Caller-ID ] [19] [44432D32422D36312D37432D35442D3835]
*Feb 4 10:37:08:051 2013 SDJN-WLAN-AC02-HSWX6103 RDS/7/DEBUG:
[30 Called-station-Id ] [29] [80-F6-2E-17-91-F0:CMCC-AUTO]
[40 Acct-Status-Type ] [6 ] [1]
[45 Acct-Authentic ] [6 ] [1]
[44 Acct-Session-Id ] [19] [113010410371b2f30]
[89 Chargeable_user_identity ] [13] [13505310063] // the user's phone number
[4 NAS-IP-Address ] [6 ] [120.192.23.62]
*Feb 4 10:37:08:052 2013 SDJN-WLAN-AC02-HSWX6103 RDS/7/DEBUG:
[55 Event-Timestamp ] [6 ] [1359974228]
*Feb 4 10:37:08:052 2013 SDJN-WLAN-AC02-HSWX6103 RDS/7/DEBUG:
Event: Begin to switch RADIUS server when sending 1 packet.
*Feb 4 10:37:08:052 2013 SDJN-WLAN-AC02-HSWX6103 RDS/7/DEBUG: Malloc seed:150 in 221.176.1.138 for User ID:4872
*Feb 4 10:37:08:053 2013 SDJN-WLAN-AC02-HSWX6103 RDS/7/DEBUG: Send: IP=[221.176.1.138], UserIndex=[4872], ID=[150], RetryTimes=[0], Code=[4], Length=[183] // Accounting-Request
3. Summary:
After the China Mobile AAA server change, the phone number of a SIM-authenticated user is carried back to the AC in attribute 89 (Chargeable_user_identity) of the AAA's Access-Accept. It can therefore be read directly from the AC's debugging radius packet output.
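The correlation described above can be automated instead of read by eye. The following Python is an added example, not code from this case or from the AC vendor: it parses the attribute lines of the WX "debugging radius packet" output, groups them into packets by RADIUS code, pairs each Access-Request's pseudonym NAI with the permanent NAI and attribute 89 in the Access-Accept that follows, and decodes Caller-ID (hex-encoded ASCII) back to the client MAC. The sample log, server address, identities and phone number are constructed; an empty attribute 89 (the pre-upgrade behaviour) yields msisdn None rather than an error.

```python
import re

# Constructed sample in the WX AC "debugging radius packet" format shown on this page;
# the address, identities and phone number are made up, not the page's own values.
SAMPLE_LOG = """\
[1 User-name ] [33] [3C00112233445566778@example.org]
[89 Chargeable_user_identity ] [3 ] []
[31 Caller-ID ] [19] [44432D32422D36312D37432D35442D3835]
*Feb 4 10:37:04:879 2013 AC RDS/7/DEBUG: Send: IP=[203.0.113.10], UserIndex=[4872], ID=[147], RetryTimes=[0], Code=[1], Length=[295]
*Feb 4 10:37:08:027 2013 AC RDS/7/DEBUG: Receive:IP=[203.0.113.10],Code=[2],Length=[335]
[1 User-name ] [17] [460000000000001]
[89 Chargeable_user_identity ] [13] [13800000000]
*Feb 4 10:37:08:050 2013 AC RDS/7/DEBUG: Send attribute list:
[89 Chargeable_user_identity ] [13] [13800000000]
*Feb 4 10:37:08:053 2013 AC RDS/7/DEBUG: Send: IP=[203.0.113.10], UserIndex=[4872], ID=[150], RetryTimes=[0], Code=[4], Length=[183]
"""
ATTR = re.compile(r"^\[(\S+) (\S+) \] \[\s*\d+\s*\] \[(.*)\]$")   # [type name ] [len] [value]
CODE = re.compile(r"(Send|Receive):.*Code=\[(\d+)\]")

def parse_packets(text):
    """Group attribute lines into packets tagged with their RADIUS code. A request lists its
    attributes before its 'Send:' line; an Access-Accept lists them after the 'Receive:'
    line, up to the next 'Send attribute list:' marker."""
    packets, attrs, code = [], {}, None
    for line in text.splitlines():
        if m := ATTR.match(line):
            attrs[m.group(2)] = m.group(3)
        elif (m := CODE.search(line)) and m.group(1) == "Send":
            packets.append({"code": int(m.group(2)), **attrs}); attrs, code = {}, None
        elif m:                                   # Receive: its attributes follow
            code = int(m.group(2))
        elif "Send attribute list" in line and code is not None:
            packets.append({"code": code, **attrs}); attrs, code = {}, None
    return packets

def decode_caller_id(hex_text):
    """Caller-ID (31) carries the client MAC as hex-encoded ASCII text."""
    return bytes.fromhex(hex_text).decode("ascii")

def sim_identities(text):
    """Pair each Access-Request (code 1) with the Access-Accept (code 2) that follows it, so
    the pseudonym NAI, permanent NAI, client MAC and MSISDN (attribute 89) line up."""
    pairs, pending = [], None
    for p in parse_packets(text):
        if p["code"] == 1:
            pending = p
        elif p["code"] == 2 and pending is not None:
            pairs.append({"mac": decode_caller_id(pending["Caller-ID"]), "pseudonym_nai": pending["User-name"],
                          "permanent_nai": p["User-name"], "msisdn": p.get("Chargeable_user_identity") or None})
            pending = None
    return pairs
```

Because attribute 89 is the subscriber's phone number, treat saved debug output as personal data and redact it before sharing a ticket, as the page itself does with the realm.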