RADIUS

Remote Authentication Dial In User Service

Protocol
Introduced in Rel-4
A widely deployed networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users connecting to a network. In 3GPP, it is used for interworking with non-3GPP access networks (like WLAN) and for certain policy control functions.

Description

The Remote Authentication Dial In User Service (RADIUS) is a client-server protocol defined originally by the IETF (RFC 2865, 2866) for carrying Authentication, Authorization, and Accounting (AAA) information. Within the 3GPP architecture, RADIUS is not a native 3GPP protocol but is specified for interoperability, primarily to interface with trusted or untrusted non-3GPP IP access networks, such as Wireless Local Area Networks (WLAN), fixed broadband, or WiMAX, when they integrate with the 3GPP core network.

In 3GPP systems, a RADIUS client typically resides in the network access gateway (e.g., a WLAN Access Gateway, evolved Packet Data Gateway (ePDG) for untrusted access, or a Trusted WLAN Access Gateway (TWAG)). The RADIUS server is part of the 3GPP AAA infrastructure, which includes the AAA Server and often interacts with the Home Subscriber Server (HSS) for credential verification. The protocol operates over UDP, using a shared secret between client and server for message security. The process begins when a user device attempts to attach via non-3GPP access. The access gateway collects user credentials (such as a Network Access Identifier, NAI) and sends a RADIUS Access-Request message to the 3GPP AAA Server.

The 3GPP AAA Server authenticates the user by querying the HSS using Diameter-based interfaces (like SWx), but the result is conveyed back to the access network using RADIUS. Upon successful authentication, the AAA server responds with a RADIUS Access-Accept message, which includes authorization parameters. These parameters are critical and can include the user's subscribed QoS profile, permitted access point names (APNs), and, importantly, tunneling information. For example, in the case of trusted WLAN access to the EPC, the Access-Accept may authorize the establishment of a GTP tunnel between the TWAG and the PGW and provide the PGW's IP address. RADIUS Accounting messages (Accounting-Request/Response) are used to report session start, interim updates, and stop events for billing and monitoring purposes.

RADIUS's role in 3GPP is thus one of a bridging protocol, enabling legacy or non-3GPP access networks that widely support RADIUS to integrate with the 3GPP AAA framework. It allows operators to leverage existing WLAN infrastructure for cellular data offload or convergence. The protocol carries 3GPP-specific attributes in Vendor-Specific Attributes (VSAs) to convey the necessary cellular-centric information (e.g., 3GPP-Charging-Characteristics, 3GPP-APN) between the non-3GPP gateway and the 3GPP core.
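Added example (not from the original page or from any 3GPP specification): a gateway-side check, per RFC 2865, that an Access-Accept was computed with the shared secret before the 3GPP VSAs it carries are trusted. The secret, request authenticator and attribute values are constructed for illustration; vendor ID 10415 and sub-attribute numbers 1 and 13 follow TS 29.061.

```python
import hashlib, hmac, struct

VENDOR_3GPP = 10415   # IANA enterprise number assigned to 3GPP
VSA = 26              # RFC 2865 Vendor-Specific attribute type
NAMES = {1: "3GPP-IMSI", 13: "3GPP-Charging-Characteristics"}

def attr(t, value):
    return bytes([t, len(value) + 2]) + value

def vsa_3gpp(vtype, value):
    return attr(VSA, struct.pack("!I", VENDOR_3GPP) + attr(vtype, value))

def build_response(code, ident, req_auth, attrs, secret):
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def verify_and_parse(packet, req_auth, secret):
    """Client side: return (code, {name: value}); raise ValueError if untrusted."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    packet = packet[:length]          # octets beyond Length are padding
    attrs = packet[20:]
    expect = hashlib.md5(packet[:4] + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expect, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    out, i = {}, 0
    while i < len(attrs):
        if len(attrs) - i < 2 or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        t, l = attrs[i], attrs[i + 1]
        val = attrs[i + 2:i + l]
        if t == VSA and len(val) >= 6 and struct.unpack("!I", val[:4])[0] == VENDOR_3GPP:
            vt, vl = val[4], val[5]   # first sub-attribute only
            if vl < 2 or 4 + vl > len(val):
                raise ValueError("malformed 3GPP VSA")
            out[NAMES.get(vt, f"3GPP-{vt}")] = val[6:4 + vl]
        i += l
    return code, out

# Constructed sample values (not real credentials or subscriber data).
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))           # authenticator from the Access-Request
SAMPLE = build_response(2, 7, REQ_AUTH,
    vsa_3gpp(13, b"0800") + vsa_3gpp(1, b"001010123456789"), SECRET)
print(verify_and_parse(SAMPLE, REQ_AUTH, SECRET))
```

The authenticator covers the attributes, so a changed VSA or a response built with a different secret is rejected before any authorization parameter is read.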

Purpose & Motivation

RADIUS was adopted into 3GPP standards to solve the problem of integrating heterogeneous access technologies, specifically non-3GPP IP access networks like WLAN, into the unified 3GPP service framework. As cellular operators began offering WLAN hotspots, they needed a way to extend their subscriber authentication, policy enforcement, and charging systems to these new access points. RADIUS was the de facto standard AAA protocol in the IP networking world, making it the natural choice for this interworking.

Its inclusion addressed the limitation of having separate, siloed authentication systems for cellular and WLAN. Without a protocol like RADIUS, operators would have to manage completely separate user databases and billing systems for WLAN access, preventing a seamless user experience. By specifying how RADIUS interacts with the 3GPP HSS/AAA infrastructure, 3GPP enabled 'SIM-based' authentication for WLAN, allowing users to connect using their cellular subscription credentials, a key step towards fixed-mobile convergence.

The motivation was driven by commercial needs for data offloading and service continuity. RADIUS provided a proven, scalable, and widely implemented protocol to bridge the gap between the packet-switched IP world of WLAN and the telephony-inspired Diameter-based core of 3GPP networks. It allowed operators to reuse existing WLAN infrastructure investments while maintaining centralized control over subscriber management and policy, which was essential for creating integrated billing and service plans.

Key Features

  • Client-server protocol for Authentication, Authorization, and Accounting (AAA)
  • Uses UDP transport with request/response transaction model
  • Supports extensible Attribute-Value Pairs (AVPs) for information exchange
  • Utilizes Vendor-Specific Attributes (VSAs) for 3GPP-specific parameters
  • Provides message integrity and security via shared secrets
  • Enables integration of non-3GPP access networks with 3GPP core

Evolution Across Releases

Rel-4 Initial

Initially introduced for WLAN interworking in the 3GPP system. Defined the use of RADIUS between a WLAN Access Gateway and the 3GPP AAA Server to authenticate users based on SIM/USIM credentials (EAP-SIM/AKA), enabling cellular subscribers to access WLAN hotspots.

Enhanced for tighter integration with the IMS (IP Multimedia Subsystem). Defined RADIUS-based interfaces for service authorization and policy control in the context of WLAN access to IMS services, expanding its role beyond basic network access.

Integrated into the Evolved Packet System (EPS) architecture for trusted and untrusted non-3GPP access. Defined its use with the evolved Packet Data Gateway (ePDG) for secure untrusted access and with the Trusted WLAN Access Gateway for trusted access, carrying parameters for EPS bearer context establishment.

Further refined for LTE-WLAN Aggregation (LWA) and integration. Specified RADIUS procedures for setting up the necessary tunnels and exchanging parameters between the WLAN termination point and the eNB, facilitating tighter radio-level integration between LTE and WLAN.

Defining Specifications

Specification    Title
TS 21.905        3GPP TS 21.905
TS 23.140        3GPP TS 23.140
TS 23.923        3GPP TS 23.923
TS 29.061        3GPP TS 29.061
TS 29.161        3GPP TS 29.161
TS 29.234        3GPP TS 29.234
TS 32.808        3GPP TR 32.808