Prisma Access
RADIUS Attributes for Prisma SASE 5G Integration
RADIUS attributes that are used by Prisma SASE to monitor 5G communication and
enforce security policies.
Prisma SASE 5G relies on specific RADIUS attributes provided by the 5G network to
uniquely identify user equipment (UE) and enforce fine-grained, per-device security
policies.
These attributes, often included in multiple RADIUS messages, are essential for
authentication, authorization, accounting, and policy mapping.
Attribute | Value | Mandatory/Optional |
---|---|---|
Subscriber-ID | IMSI, SUPI | Mandatory |
Device-ID | IMEI | Mandatory |
Subscriber-ID | MSISDN | Mandatory |
IP Address | IPv4 or IPv6 address of the 5G subscriber/device | Mandatory |
Timestamp | Message Timestamp | Mandatory |
APN | APN assigned for this UE/Device | Conditional (Optional if 5G Slice-ID) |
5G Slice-ID | SST or SD assigned for this UE/device | Conditional (Optional if APN) |
RAT | Radio Access Type | Optional |
Cell_id | RAN Cell ID of the UE/Device | Optional |
Timeout | Timeout associated with the UE/device | Optional |
Operator-ID | Unique ID of the Cellular Operator | Conditional (Mandatory for Multi-operator support) |
RADIUS Message-Specific Attribute Requirements
Prisma SASE 5G processes different types of RADIUS
messages to manage the lifecycle of a UE session—registration, deregistration,
and keep-alive monitoring. Each message type must contain specific
Attribute-Value Pairs (AVPs) to convey context and ensure accurate session
tracking and policy enforcement.
Accounting-Request
Prisma SASE 5G uses the following messages to identify UE registration and
deregistration.
- Accounting-Request Start: used to uniquely identify the 5G UEs when they have been successfully authenticated and authorized by the 5G Mobile Network.
- Accounting-Request Stop: used to disconnect or deregister a UE from the 5G network.
These messages must contain detailed session metadata to support policy
correlation and logging in the SASE platform.
Field Name | Type | Mandatory / Optional | Value |
---|---|---|---|
Acct-Status-Type | UTF8String | Mandatory | Indicates the type of accounting message (Start or Stop) |
3GPP-IMSI | UTF8String | Mandatory | IMSI |
3GPP-IMEISV | UTF8String | Mandatory | IMEI |
Called-Station-Id | UTF8String | Mandatory | MSISDN |
NAS-Identifier | UTF8String | Mandatory | APN |
Slice-Id | UTF8String | Optional | 5G Slice Id |
3GPP-PDP-Type | UTF8String | Mandatory | Flag that indicates if IPv4, IPv6 or IPv4 + IPv6 addresses are included |
Framed-IP-Address | OctetString | Mandatory | IPv4 UE address |
Framed-IPv6-Prefix | OctetString | Mandatory | IPv6 UE address prefix |
User-Name | UTF8String | Optional | IdP username of the UE. Required to be able to map the IdP user with the IMSI & IMEI values |
Event-Timestamp | UnsignedInt32 | Mandatory | Number of seconds since epoch |
3GPP-MS-TimeZone | OctetString | Mandatory | Indicates the offset between universal time and local time, in steps of 15 minutes, of where the MS/UE currently resides |
3GPP-RAT-Type | OctetString | Mandatory | 6 = E-UTRAN (LTE); 9 = E-UTRAN with Carrier Aggregation (LTE-CA); 12 = 5G NR; 13 = E-UTRAN with 5G NR (Dual Connectivity) |
Cell-Global-Identity | OctetString | Mandatory | Cell Global Identification of the user, which identifies the cell where the user equipment is registered |
NAS-Identifier | UTF8String | Mandatory | PGW or UPF identifier of the data gateway that the UE is connected to. This information can be used to determine which region the UE is in, and hence which region the UE data packets will be sent to |
3GPP-User-Location-Info | UTF8String | Optional | GCP region where the UE data packets will be sent to. This overloads the existing field with the UE data packet GCP region info |
Idle-Timeout | UnsignedInt32 | Optional | The maximum number of consecutive seconds of idle connection allowable to the user before termination of the session or before a prompt is issued |
Operator-Id | UnsignedInt32 | Optional | Network Operator Id |
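The following is an added example, not Prisma SASE code or anything from the Prisma Access documentation, showing how a receiver could check an Accounting-Request against the Mandatory column of the table above before trusting it for policy mapping. It parses the RADIUS attribute list, unwraps the 3GPP Vendor-Specific attributes, and lists which mandatory fields are absent. The standard attribute numbers (RFC 2865/2866) and the 3GPP sub-types (vendor ID 10415, TS 29.061) are real; the sub-types used for Slice-Id, Cell-Global-Identity and Operator-Id are placeholders, because the page does not give their numbering, and every subscriber value in the sample packet is constructed.

```python
"""Check that an Accounting-Request carries the AVPs the table above marks Mandatory.

Added example, not Prisma SASE code. Standard attribute numbers (RFC 2865/2866) and
the 3GPP VSA sub-types (vendor 10415, TS 29.061) are real; the sub-types used for
Slice-Id, Cell-Global-Identity and Operator-Id are PLACEHOLDERS, because the page
does not give their numbering. All subscriber values below are constructed.
"""
import struct

ACCOUNTING_REQUEST = 4      # RADIUS Code (RFC 2866)
VENDOR_SPECIFIC = 26
VENDOR_3GPP = 10415         # 3GPP vendor ID carried in Vendor-Specific AVPs

# (RADIUS attribute type, vendor sub-type or None) -> Field Name from the table above
ATTRIBUTE_NAMES = {
    (1, None): "User-Name",
    (8, None): "Framed-IP-Address",
    (28, None): "Idle-Timeout",
    (30, None): "Called-Station-Id",
    (32, None): "NAS-Identifier",
    (40, None): "Acct-Status-Type",
    (55, None): "Event-Timestamp",
    (97, None): "Framed-IPv6-Prefix",
    (26, 1): "3GPP-IMSI",
    (26, 3): "3GPP-PDP-Type",
    (26, 20): "3GPP-IMEISV",
    (26, 21): "3GPP-RAT-Type",
    (26, 22): "3GPP-User-Location-Info",
    (26, 23): "3GPP-MS-TimeZone",
    (26, 200): "Slice-Id",              # PLACEHOLDER sub-type
    (26, 201): "Cell-Global-Identity",  # PLACEHOLDER sub-type
    (26, 202): "Operator-Id",           # PLACEHOLDER sub-type
}
NAME_TO_KEY = {name: key for key, name in ATTRIBUTE_NAMES.items()}
MANDATORY = {"Acct-Status-Type", "3GPP-IMSI", "3GPP-IMEISV", "Called-Station-Id",
             "NAS-Identifier", "3GPP-PDP-Type", "Framed-IP-Address", "Framed-IPv6-Prefix",
             "Event-Timestamp", "3GPP-MS-TimeZone", "3GPP-RAT-Type", "Cell-Global-Identity"}


def encode_avp(name: str, value: bytes) -> bytes:
    """Encode one AVP; 3GPP attributes are nested inside a Vendor-Specific AVP."""
    attr_type, sub_type = NAME_TO_KEY[name]
    if sub_type is None:
        return struct.pack("!BB", attr_type, 2 + len(value)) + value
    inner = struct.pack("!BB", sub_type, 2 + len(value)) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(inner), VENDOR_3GPP) + inner


def parse_avps(packet: bytes) -> dict:
    """Walk the attribute list after the 20-byte header; return {Field Name: [values]}."""
    found: dict = {}
    offset = 20
    while offset < len(packet):
        attr_type, length = struct.unpack_from("!BB", packet, offset)
        if length < 2 or offset + length > len(packet):
            raise ValueError("malformed AVP length at offset %d" % offset)
        value = packet[offset + 2:offset + length]
        key = (attr_type, None)
        if attr_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack_from("!I", value)[0]
            sub_type, sub_len = struct.unpack_from("!BB", value, 4)
            key = (VENDOR_SPECIFIC, sub_type) if vendor == VENDOR_3GPP else None
            value = value[6:4 + sub_len]
        name = ATTRIBUTE_NAMES.get(key)
        if name is not None:
            found.setdefault(name, []).append(value)
        offset += length
    return found


def missing_mandatory(packet: bytes) -> list:
    """Names of Mandatory AVPs absent from an Accounting-Request, sorted. A non-empty
    result means the UE session cannot be mapped to a per-device policy; log it."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    return sorted(MANDATORY - set(parse_avps(packet)))


def sample_accounting_start(omit=frozenset()) -> bytes:
    """Constructed Accounting-Request Start; integer AVPs use the RFC 2866 wire encoding."""
    values = {
        "Acct-Status-Type": struct.pack("!I", 1),                   # 1 = Start
        "3GPP-IMSI": b"001010123456789",                            # constructed
        "3GPP-IMEISV": b"3512345678901201",                         # constructed
        "Called-Station-Id": b"15551234567",                        # MSISDN, constructed
        "NAS-Identifier": b"internet.apn.example",                  # APN, constructed
        "3GPP-PDP-Type": struct.pack("!I", 3),                      # constructed flag value
        "Framed-IP-Address": bytes([10, 20, 30, 40]),
        "Framed-IPv6-Prefix": bytes([0, 64]) + bytes.fromhex("20010db8000000010000000000000000"),
        "Event-Timestamp": struct.pack("!I", 1700000000),
        "3GPP-MS-TimeZone": bytes([0x08, 0x00]),
        "3GPP-RAT-Type": bytes([12]),                               # 12 = 5G NR
        "Cell-Global-Identity": bytes.fromhex("00f110000100000001"),  # constructed
    }
    avps = b"".join(encode_avp(n, v) for n, v in values.items() if n not in omit)
    # The accounting Request Authenticator (RFC 2866) is out of scope here: left as zeros.
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(avps)) + bytes(16) + avps
```

`missing_mandatory(sample_accounting_start(omit={"3GPP-IMSI"}))` returns `["3GPP-IMSI"]`; the parser deliberately skips AVPs it does not know rather than failing, so an operator-specific attribute does not prevent the mandatory check from running, while a bad length field is rejected outright.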
Status-Server Request
This message is used to confirm and verify that the Prisma SASE server is
responsive and operational. It includes specific attribute value pairs to
authenticate the request and identify the device.
Field Name | Type | Mandatory / Optional | Value |
---|---|---|---|
User-Name | UTF8String | Optional | Set to "status-server"; used to verify that this is a health check request |
NAS-IP-Address | IPv4 Address | Mandatory | RADIUS client IPv4 address |
NAS-Identifier | UTF8String | Optional | RADIUS client user name |
Message-Authenticator | 16-byte HMAC-MD5 | Mandatory | Used to verify the authenticity of the request |
Status-Server Response
This message from the Prisma SASE server indicates if the server is healthy or
unhealthy. Absence of the Status-Server response indicates that the RADIUS server
is either dead or unreachable. The response includes the standard fields required
for verification, and it does not require any additional attribute value pairs.
Field Name | Type | Mandatory / Optional | Value |
---|---|---|---|
Code | UnsignedInt32 | Mandatory | 2 = Access-Accept or 3 = Access-Reject |
Identifier | UTF8String | Mandatory | Value copied from request |
Authenticator | 16-byte HMAC-MD5 | Mandatory | Used to verify the authenticity of the response: MD5 of response attributes + shared secret + original request authenticator |
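The following added example (not Prisma SASE code, and not from the Prisma Access documentation) walks through the Status-Server request and response tables above as one exchange: the client builds the request and stamps the Message-Authenticator, the server verifies that HMAC-MD5 before answering, and the client checks the Identifier and Response Authenticator on the reply. The shared secret, client address and NAS-Identifier are constructed; the RADIUS codes and attribute numbers are the standard ones (RFC 2865, RFC 2869, RFC 5997).

```python
"""Status-Server exchange: Message-Authenticator on the request, Response
Authenticator on the reply. Added example, not Prisma SASE code; secret,
addresses and NAS-Identifier are constructed.
"""
import hashlib
import hmac
import os
import struct

STATUS_SERVER = 12                   # RADIUS Code for Status-Server (RFC 5997)
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3  # response codes from the table above
USER_NAME, NAS_IP_ADDRESS, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 4, 32, 80
HEADER = struct.Struct("!BBH")       # Code, Identifier, Length; 16-byte Authenticator follows


def avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def find_avp(packet: bytes, attr_type: int):
    """Return (offset, value) of the first AVP of the given type, or None."""
    offset = 20
    while offset < len(packet):
        t, length = struct.unpack_from("!BB", packet, offset)
        if length < 2 or offset + length > len(packet):
            raise ValueError("malformed AVP")
        if t == attr_type:
            return offset, packet[offset + 2:offset + length]
        offset += length
    return None


def build_status_server(identifier: int, secret: bytes, client_ip: str, nas_id: bytes) -> bytes:
    """Client side. Message-Authenticator = HMAC-MD5(secret, whole packet with the
    attribute's own 16 bytes zeroed), per RFC 2869 section 5.14."""
    request_auth = os.urandom(16)
    avps = (avp(USER_NAME, b"status-server")
            + avp(NAS_IP_ADDRESS, bytes(int(o) for o in client_ip.split(".")))
            + avp(NAS_IDENTIFIER, nas_id)
            + avp(MESSAGE_AUTHENTICATOR, bytes(16)))   # zero placeholder, kept as last AVP
    packet = HEADER.pack(STATUS_SERVER, identifier, 20 + len(avps)) + request_auth + avps
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def verify_status_server(packet: bytes, secret: bytes) -> bool:
    """Server side: a request without a valid Message-Authenticator is not a health
    check worth answering (spoofed source or misconfigured client)."""
    if len(packet) < 20 or packet[0] != STATUS_SERVER:
        return False
    hit = find_avp(packet, MESSAGE_AUTHENTICATOR)
    if hit is None or len(hit[1]) != 16:
        return False
    offset, received = hit
    zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def build_response(request: bytes, secret: bytes, healthy: bool) -> bytes:
    """Server side. Response Authenticator = MD5(Code + ID + Length + RequestAuth +
    Attributes + Secret): the RFC 2865 section 3 ordering of what the table lists."""
    code = ACCESS_ACCEPT if healthy else ACCESS_REJECT
    avps = b""                                     # no additional AVPs are needed
    header = HEADER.pack(code, request[1], 20 + len(avps))
    response_auth = hashlib.md5(header + request[4:20] + avps + secret).digest()
    return header + response_auth + avps


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client side: Identifier must echo the request and the Response Authenticator must
    recompute; anything else is treated like no response (server dead or unreachable)."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def health_check(secret: bytes, healthy: bool = True) -> int:
    """Full exchange; returns the Code the client accepted, or 0 if verification failed."""
    request = build_status_server(identifier=7, secret=secret,
                                  client_ip="192.0.2.10", nas_id=b"nas-constructed")
    if not verify_status_server(request, secret):
        return 0
    response = build_response(request, secret, healthy)
    return response[0] if verify_response(request, response, secret) else 0
```

Both verifiers use `hmac.compare_digest` so that a wrong authenticator is rejected in constant time, and a reply whose Code has been altered in transit fails `verify_response` because the Code is covered by the Response Authenticator.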