Configure Intelligent Security using RADIUS for User Equipment to IP Address Correlation
PAN-OS 11.1 & Later
Learn how to use Intelligent Security to correlate IP addresses with User Equipment
using RADIUS for Security policy enforcement.
Identifiers such as the Subscriber ID (IMSI or SUPI) and the Equipment ID (IMEI or
PEI) of User Equipment (UE) mobile devices are key inputs for Security policy
enforcement in mobile networks such as 5G and 4G/LTE networks. Mapping the IMSI or
IMEI to subscriber or user IP addresses requires access to the signaling traffic
exchanged over the 3GPP interfaces; however, in some deployments, the 3GPP
interfaces between network functions are not exposed.
Intelligent Security with RADIUS in 5G allows deployment of the firewall on the
N6/SGi interface, which carries the RADIUS traffic of the management plane and the
plain IP traffic of the data plane (no outer GTP-U headers). The firewall inspects
the RADIUS traffic to extract identity information and correlates it with the user
plane. This provides subscriber-level and equipment-level visibility, as well as
consistent policy enforcement for vulnerabilities, malware, viruses, URLs, C2, and
applications.
If you enable UEIP Correlation, the following options are
not available in the same Mobile Network Protection Profile:
- GTP-C
- 5G-C
- Packet Forwarding Control Protocol (PFCP)
The following diagram represents a possible deployment for UE to IP address
correlation for an N6 deployment with RADIUS.
When the UE attempts to connect to the network, the SMF exchanges authentication,
authorization, and accounting messages with the DN-AAA server using RADIUS. The
accounting messages record the network services that the authenticated UE accesses
and carry the parameters, including the user's ID and IPv4 or IPv6 address, that
application servers use to identify the user.
The firewall monitors the Accounting Start messages and Interim Updates on UDP ports
1813 and 1646 to map the UE to its IP address, and adds the mapping to the UEIP
correlation database on the firewall. The firewall also generates a log when the IP
address is allocated.
When the firewall receives the RADIUS session end (Accounting Stop) message, it
removes the mapping from the correlation database on the firewall and creates a log.
Intelligent Security requires the following attributes and 3GPP Vendor-Specific
Attributes (VSAs) in the RADIUS accounting messages:
- Framed-IP-Address(8): <IPv4-address>
- Framed-IPv6-Prefix(97): <IPv6-prefix>
- Called-Station-Id(30): <APN>
- Vendor-Specific(26): VSA: t=3GPP-IMSI(1): <IMSI_value>
- Vendor-Specific(26): VSA: t=3GPP-IMEISV(20): <IMEI_value>
- Vendor-Specific(26): VSA: t=3GPP-RAT-Type(21): <RAT>
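As an added example (not code from this page or from Palo Alto Networks), the following Python models what the firewall does with those attributes: it parses RADIUS Accounting-Request datagrams, pulls Framed-IP-Address or Framed-IPv6-Prefix, Called-Station-Id and the 3GPP-IMSI, 3GPP-IMEISV and 3GPP-RAT-Type VSAs, maintains the UE-to-IP table that plays the role of the UEIP correlation database across Accounting Start, Interim Update and Stop, records the UEIP mapping start and end events, and applies the Loose and Strict lookup behaviour of the Mobile Network Protection profile's Mode setting covered in the configuration steps. The attribute numbers are from RFC 2865, RFC 2866, RFC 3162 and 3GPP TS 29.061; the packet builder, the function and class names, and the IMSI, IMEISV, APN and address values are assumptions constructed for this example, and the Request Authenticator in the sample packets is left zero.

```python
"""Added example (not Palo Alto Networks code): parse RADIUS Accounting-Requests, keep a
UE-to-IP mapping table like the UEIP correlation database, and apply the Loose/Strict lookup.
Attribute numbers follow RFC 2865/2866/3162 and 3GPP TS 29.061; identities, APNs and addresses are constructed."""
import ipaddress
import struct
from collections import namedtuple

CODE_ACCOUNTING_REQUEST = 4
ATTR_FRAMED_IP_ADDRESS, ATTR_VENDOR_SPECIFIC, ATTR_CALLED_STATION_ID = 8, 26, 30
ATTR_ACCT_STATUS_TYPE, ATTR_FRAMED_IPV6_PREFIX = 40, 97
ACCT_START, ACCT_STOP, ACCT_INTERIM = 1, 2, 3
VENDOR_3GPP, VSA_IMSI, VSA_IMEISV, VSA_RAT_TYPE = 10415, 1, 20, 21   # 3GPP enterprise number, VSA sub-types
TEXT_FIELDS = {ATTR_CALLED_STATION_ID: "apn", ("3gpp", VSA_IMSI): "imsi", ("3gpp", VSA_IMEISV): "imei"}
UeipEntry = namedtuple("UeipEntry", "imsi imei apn rat src", defaults=["radius"])  # src: mapping source

def parse_attrs(payload: bytes):
    """Yield (type, value) pairs; 3GPP VSAs are flattened to (("3gpp", sub), value)."""
    i = 0
    while i + 2 <= len(payload):
        t, ln = payload[i], payload[i + 1]
        if ln < 2 or i + ln > len(payload):
            raise ValueError("malformed RADIUS attribute")
        v = payload[i + 2:i + ln]
        if t == ATTR_VENDOR_SPECIFIC and len(v) >= 6 and struct.unpack("!I", v[:4])[0] == VENDOR_3GPP:
            for sub, sv in parse_attrs(v[4:]):
                yield ("3gpp", sub), sv
        else:
            yield t, v
        i += ln

def parse_accounting_request(pkt: bytes) -> dict:
    """Extract the fields Intelligent Security needs. The Request Authenticator (bytes 4..19)
    is not verified: a passive observer has no shared secret to verify it with."""
    if len(pkt) < 20 or pkt[0] != CODE_ACCOUNTING_REQUEST or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    f = {"status": None, "net": None, "imsi": None, "imei": None, "apn": None, "rat": None}
    for t, v in parse_attrs(pkt[20:]):
        if t == ATTR_ACCT_STATUS_TYPE:
            f["status"] = struct.unpack("!I", v)[0]
        elif t == ATTR_FRAMED_IP_ADDRESS:                      # one UE host address -> /32
            f["net"] = ipaddress.ip_network(str(ipaddress.IPv4Address(v)))
        elif t == ATTR_FRAMED_IPV6_PREFIX:                     # reserved, prefix length, prefix
            addr = ipaddress.IPv6Address(v[2:].ljust(16, b"\0"))
            f["net"] = ipaddress.IPv6Network(f"{addr}/{v[1]}", strict=False)
        elif t in TEXT_FIELDS:
            f[TEXT_FIELDS[t]] = v.decode()
        elif t == ("3gpp", VSA_RAT_TYPE):
            f["rat"] = v[0]
    return f

class UeipDatabase:
    """Mapping table plus the mapping start/end events the firewall logs."""
    def __init__(self):
        self.table, self.log = {}, []          # log entries: (event, network, imsi)

    def process(self, pkt: bytes) -> None:
        f = parse_accounting_request(pkt)
        if f["net"] is None or f["status"] is None:
            return                             # nothing to correlate
        if f["status"] in (ACCT_START, ACCT_INTERIM):
            if f["net"] not in self.table:     # an Interim Update re-learns a session whose Start was missed
                self.log.append(("UEIP mapping start", str(f["net"]), f["imsi"]))
            self.table[f["net"]] = UeipEntry(f["imsi"], f["imei"], f["apn"], f["rat"])
        elif f["status"] == ACCT_STOP and f["net"] in self.table:
            del self.table[f["net"]]
            self.log.append(("UEIP mapping end", str(f["net"]), f["imsi"]))

    def lookup(self, ip: str, mode: str = "loose"):
        """Return (entry, forward): Loose forwards unmapped traffic, Strict drops it."""
        addr = ipaddress.ip_address(ip)
        for net, entry in self.table.items():
            if addr in net:
                return entry, True
        return None, mode == "loose"

def _attr(t: int, v: bytes) -> bytes:
    return bytes([t, len(v) + 2]) + v

def _vsa(sub: int, v: bytes) -> bytes:
    return _attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_3GPP) + _attr(sub, v))

def build_acct_request(status, imsi, imeisv, apn, rat, ipv4=None, ipv6_prefix=None):
    """Constructed Accounting-Request shaped like what an SMF sends to the DN-AAA server (authenticator zero)."""
    body = _attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status))
    if ipv4:
        body += _attr(ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ipv4).packed)
    if ipv6_prefix:
        net = ipaddress.IPv6Network(ipv6_prefix)
        body += _attr(ATTR_FRAMED_IPV6_PREFIX, bytes([0, net.prefixlen])
                      + net.network_address.packed[:(net.prefixlen + 7) // 8])
    body += _attr(ATTR_CALLED_STATION_ID, apn.encode())
    body += _vsa(VSA_IMSI, imsi.encode()) + _vsa(VSA_IMEISV, imeisv.encode()) + _vsa(VSA_RAT_TYPE, bytes([rat]))
    return struct.pack("!BBH", CODE_ACCOUNTING_REQUEST, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    db = UeipDatabase()
    db.process(build_acct_request(ACCT_START, "001010123456789", "3569870012345601", "internet", 6, ipv4="10.45.0.7"))
    print(db.lookup("10.45.0.7", "strict"), db.lookup("10.45.0.9", "strict"))  # mapped entry; then (None, False)
```

The Authenticator point matters in practice: a firewall correlating passively cannot validate Accounting-Requests without the RADIUS shared secret, so the mapping is only as trustworthy as the SMF-to-DN-AAA path it observes. In the example, an Interim Update for an address not yet in the table creates the mapping, so a session whose Accounting Start was never seen (one that began before the firewall was inserted on N6, for instance) is still learned; in Strict mode that is the difference between the UE's traffic being dropped and being matched against the subscriber-level rules.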
- Enable GTP Security.
  - Log in to the firewall web interface.
  - Select Device > Setup > Management, edit General Settings, and select GTP Security.
  - Click OK.
  - Commit the change.
  - Select Device > Setup > Operations and Reboot Device.
- Create a Mobile Network Protection Profile.
  - Select Objects > Security Profiles > Mobile Network Protection and Add a new profile.
  - Give the profile a unique Name.
  - Select Correlation and enable UEIP Correlation.
  - Select the Mode you want to use.
    - Loose—(Default) When the firewall detects traffic, it queries the UEIP correlation database for the source or destination address to find the correlated IMEI or IMSI information. If there are no results, the firewall forwards the traffic.
    - Strict—Drops the traffic if the UEIP correlation database query does not return any results.
  - Uncheck the User Plane with GTP-U encapsulation option.
  - Select RADIUS as the Source. The Source is the traffic the firewall inspects to correlate management plane and user plane information for subscriber-level and equipment-level Security policy enforcement: the firewall processes traffic of the selected source type and extracts 5G/4G identity information, such as the subscriber ID (SUPI and IMSI), the equipment ID (PEI and IMEI), and the IP address of the user equipment (UE), to correlate with 5G/4G subscriber Internet Protocol traffic.
  - (Optional) Select whether you want to log UEIP correlation events when the firewall allocates an IP address to the UE (Log At Ueip Start), when the firewall releases the allocated IP address (Log At Ueip End), or both. The firewall logs the following GTP events during correlation, which you can view under Monitor > Logs > GTP:
    - UEIP mapping start
    - UEIP mapping end
  The logs contain the following user information:
    - Subscriber Identity (including IMSI and SUPI)
    - Equipment Identity (including IMEI and PEI)
    - End User IP address allocated to the UE
    - Access Point Name (APN)
    - Radio Access Technology (RAT)
- Create a Security policy rule to identify and allow RADIUS traffic between the SMF and the RADIUS server. There are two methods, depending on how tightly you need to scope the rule to the SMF and the RADIUS server; select the one that matches your security needs.
  - (Recommended) To allow the radius application between any zones, which covers the SMF and RADIUS server zones as well as the UPF and Data Network zones:
    - Select Policies > Security, Add a rule, and enter a unique Name in the General tab.
    - In the Source tab, Add the Source Zone as Any and the Source Address as Any.
    - In the Destination tab, Add the Destination Zone as Any and the Destination Address as Any.
    - In the Application tab, Add radius as the Application you want to allow.
    - In the Service/URL Category tab, select the Service as Any.
    - In the Actions tab, select the Action as Allow.
    - Attach the Mobile Network Protection profile to the Security policy rule by selecting Profiles as the Profile Type and then selecting the profile.
    - Select Log at Session End if it is not already selected.
  - To allow RADIUS application traffic only between the SMF and the RADIUS server:
    - Select Policies > Security, Add a rule, and enter a unique Name in the General tab.
    - In the Source tab, Add the Source Zone and Source Address of the interface that the SMF uses to communicate with the RADIUS server.
    - In the Destination tab, Add the Destination Zone and Destination Address of the interface that holds the IP address of the RADIUS server.
    - In the Application tab, Add radius as the Application you want to allow.
    - In the Service/URL Category tab, select the Service as Any.
    - In the Actions tab, select the Action as Allow.
    - Attach the Mobile Network Protection profile to the Security policy rule by selecting Profiles as the Profile Type and then selecting the profile.
    - Select Log at Session End if it is not already selected.
- Create a custom application and a Security policy rule that uses it. (Required if you allowed RADIUS traffic only between the SMF and the RADIUS server.) Place this rule above any other rule for user traffic on the N6 interface so that the firewall evaluates it first; it then processes the first packet of all user traffic and enables UEIP database querying. Any application-specific or IMSI/IMEI-based rules must come after it.
  - Select Objects > Applications and Add a unique Name for the application (for example, radius-ueip).
  - Select Policies > Security and Add a unique Name for the policy rule.
  - In the Source tab, Add the zone that contains traffic to the UPF as the Source Zone and select Any as the Source Address. If you use an IP pool for the UE IP addresses, add the IP pool as the Source Address. Don't select anything in the Source Subscriber or Source Equipment tabs.
  - In the Destination tab, Add the zone that contains traffic to the Packet Data Network as the Destination Zone and select Any as the Destination Address.
  - In the Application tab, Add the custom application you created.
  - In the Service/URL Category tab, select Any as the Service.
  - In the Actions tab, select Allow as the Action.
  - Attach the Mobile Network Protection profile to the Security policy rule by selecting Profiles as the Profile Type and then selecting the profile you created.
  - Select Log at Session End if it is not already selected.
- Create Security policy rules for user equipment (UE) traffic based on the criteria you want to use, such as IP address, application, URL category, IMSI, or IMEI.
  - Select Policies > Security and Add a unique Name for the rule.
  - In the Source tab, Add the Source Zone and Source Address. If you use an IP pool for the UE IP addresses, add the IP pool as the Source Address.
  - In the Source tab, Add the Source Subscriber and, if required, the Source Equipment.
  - In the Destination tab, Add the Destination Zone and Destination Address: the addresses of the servers in the corporate network or MEC site, or any for internet access.
  - In the Application tab, Add the Application or applications you want to allow, such as dns, web-browsing, or ssl.
  - In the Service/URL Category tab, select the type or types of Service you want to allow.
  - In the Actions tab, select the Action you want to take for the selected traffic (Allow the traffic or Deny it).
  - Select Log at Session End if it is not already selected.
- Confirm that the profile is Enabled under Policies > Security > Security Policy Rule > Actions > Profile Setting > Mobile Network Protection, then Commit the changes.
- Verify that your configuration is correct.
  - Verify the session traffic on the firewall using the following CLI commands:
    - show session all filter application radius
    - show session all filter source <IP_address_of_UE> (where <IP_address_of_UE> is the IP address of the user equipment).
  - Verify that the mappings on the firewall display radius as the source (src).
  - View the GTP logs (Monitor > Logs > GTP) and verify that the GTP Event Type displays UEIP mapping start and UEIP mapping end.
  - Verify that the Traffic logs (Monitor > Logs > Traffic) display the IMSI or IMEI in the Subscriber Identity column for the UE traffic.
  - Use the Global Counters to verify the configuration.