: Configure Intelligent Security Using RADIUS for User Equipment to IP Address Correlation
Focus
Focus

Configure Intelligent Security Using RADIUS for User Equipment to IP Address Correlation

Table of Contents

Configure Intelligent Security Using RADIUS for User Equipment to IP Address Correlation

Learn how to use Intelligent Security to correlate IP addresses with User Equipment using RADIUS for Security policy enforcement.
Information such as the Subscriber ID (IMSI or SUPI) and the Equipment ID (IMEI or PEI) for User Equipment (UE) mobile devices are key identifiers for Security policy enforcement in mobile networks such as 5G and 4G/LTE networks. Mapping the IMSI or IMEI to subscriber or user IP addresses requires access to the signaling protocol traffic exchanges over the 3GPP interfaces; however, in some deployments, the 3GPP interfaces between network functions are not exposed.
Intelligent Security with RADIUS in 5G allows deployment of the firewall on the N6/SGi interface, which contains the RADIUS traffic for the management plane, and Internet Protocol traffic without outer GTP-U headers for the dataplane. The firewall inspects the RADIUS traffic to extract information for correlation with the user plane. This provides subscriber and equipment-level visibility, as well as consistent policy enforcement for vulnerabilities, malware, viruses, URLs, C2, and applications.
If you enable UEIP Correlation, the following options are not available in the same Mobile Network Protection Profile:
  • GTP-C
  • 5G-C
  • Packet Forwarding Control Protocol (PFCP)
The following diagram represents a possible deployment for UE to IP address correlation for an N6 deployment with RADIUS.
When the UE attempts to connect with the network, the SMF exchanges authentication, authorization, and accounting messages with the DN-AAA server using RADIUS. The accounting message provides a record of the network services that the authenticated UE accesses. This message contains parameters, which include the user's ID and IPv4 or IPv6 address, that the application servers use to identify the user.
The firewall monitors the Accounting Start messages on UDP ports 1813 and 1646 and Interim Updates to map the UE to the IP address and adds the mapping to the correlation database on the firewall. The firewall also generates a log during IP address allocation.
When the firewall receives the RADIUS session end message, it removes the mapping from the correlation database on the firewall and creates a log.
Intelligent Security requires the following fields and Vendor-Specific Attributes (VSAs) in the RADIUS messages:
  • Framed-IP-Address(8):
    <IPv4-address>
  • Framed-IPv6-Prefix(97):
    <IPv6-prefix>
  • Called-Station-Id:
    <APN>
  • Vendor-Specific(26): VSA: t=3GPP-IMSI(1):
    <IMSI_value>
  • Vendor-Specific(26): VSA: t=3GPP-IMEISV(20):
    <IMEI_value>
  • Vendor-Specific(26): VSA: t=3GPP-RAT-Type(21):
    <RAT>
  1. Enable GTP Security.
    1. Log in to the firewall web interface.
    2. Select
      Device
      Setup
      Management
      General Settings
      then select
      GTP Security
      .
    3. Click
      OK
      .
    4. Commit
      the change.
    5. Select
      Device
      Setup
      Operations
      and
      Reboot Device
      .
  2. Create a Mobile Network Protection Profile.
    1. Select
      Objects
      Security Profiles
      Mobile Network Protection
      and
      Add
      a new profile.
    2. Give the profile a unique
      Name
      .
    3. Select
      Correlation
      and enable
      UEIP Correlation
      .
    4. Select the
      Mode
      you want to use.
      • Loose
        —(Default) When the firewall detects traffic, it queries the source or destination address to find the correlated IMEI or IMSI information. If there are no results, the firewall forwards the traffic.
      • Strict
        —Drops the traffic if the GTP-U query does not return any results.
    5. Uncheck the
      User Plane with GTP-U encapsulation
      option.
    6. Select
      RADIUS
      as the
      Source
      .
      Select the
      Source
      that you want the firewall to use to correlate the management plane and user plane information for subscriber-level and equipment-level Security policy enforcement. The firewall inspects traffic for the source type you select to process and extract 5G/4G identity information, such as subscriber ID (SUPI and IMSI), equipment ID (PEI and IMEI), and the IP address of the user equipment (UE), to correlate with 5G/4G subscriber Internet Protocol traffic.
    7. (Optional) Select whether you want to log UEIP correlation events when the firewall allocates an IP address to the UE (
      Log At Ueip Start
      ), when the firewall releases the allocated IP address (
      Log At Ueip End
      ), or both.
      The firewall logs the following GTP events during correlation that you can view by going to
      Monitor
      Logs
      GTP
      :
      • UEIP mapping start
      • UEIP mapping end
      The logs contain the following user information:
      • Subscriber Identity (including IMSI and SUPI)
      • Equipment Identity (including IMEI and PEI)
      • End User IP address allocated to UE
      • Access Point Name (APN)
      • Radio Access Technology (RAT)
  3. Create a Security policy to identify and allow RADIUS traffic between the SMF and the RADIUS server.
    There are two methods for policy creation based on the necessary level of security between the SMF and the RADIUS server. Select the appropriate method based on your security needs.
    • (
      Recommended
      ) To allow all traffic between the SMF and RADIUS server zone, as well as the UPF and Data Network zones:
      1. Select
        Policies
        Security
        and
        Add
        a unique
        Name
        for the rule in the
        General
        tab.
      2. In the
        Source
        tab,
        Add
        the
        Source Zone
        as
        Any
        and the
        Source Address
        as
        Any
        .
      3. In the
        Destination
        tab,
        Add
        the
        Destination Zone
        as
        Any
        and the
        Destination Address
        as
        Any
        .
      4. In the
        Application
        tab,
        Add
        radius
        as the
        Application
        you want to allow.
      5. In the
        Service/URL Category
        tab, select the
        Service
        as
        Any
        .
      6. In the
        Actions
        tab, select the
        Action
        as
        Allow
        .
      7. Attach the
        Mobile Network Protection profile
        to the Security policy rule by selecting
        Profiles
        and selecting the profile as the
        Profile Type
        .
      8. Select
        Log at Session End
        if it is not already selected.
    • To allow RADIUS application traffic only between the SMF and the RADIUS server:
      1. Select
        Policies
        Security
        and
        Add
        a unique
        Name
        for the rule in the
        General
        tab.
      2. In the
        Source
        tab,
        Add
        the
        Source Zone
        and
        Source Address
        of the interface that the SMF uses to communicate with the RADIUS server.
      3. In the
        Destination
        tab,
        Add
        the
        Destination Zone
        and
        Destination Address
        for the interface that contains the IP address of the RADIUS server.
      4. In the
        Application
        tab,
        Add
        radius
        as the
        Application
        you want to allow.
      5. In the
        Service/URL Category
        tab, select the
        Service
        as
        Any
        .
      6. In the
        Actions
        tab, select the
        Action
        as
        Allow
        .
      7. Attach the
        Mobile Network Protection profile
        to the Security policy rule by selecting
        Profiles
        and selecting the profile as the
        Profile Type
        .
      8. Select
        Log at Session End
        if it is not already selected.
  4. Create a custom application and a Security policy that uses the custom application. (
    Required if you allow traffic between the SMF and RADIUS server only
    )
    Because the firewall applies this policy rule first, it processes the first packet of all user traffic and enables UEIP database querying, move this policy rule above any other policy rules in your Security policy for user traffic on the N6 interface. Any application-specific or IMSI/IMEI-based policy rules must occur after this policy rule.
    1. Select
      Objects
      Applications
      and
      Add
      a unique
      Name
      for the application (for example,
      radius-ueip
      ).
    2. Select
      Policies
      Security
      and
      Add
      a unique
      Name
      for the policy rule.
    3. In the
      Source
      tab,
      Add
      the zone that contains traffic to the UPF as the
      Source Zone
      and select
      Any
      as the
      Source Address
      . If you use an IP pool for the UE IP address, add the IP pool as the
      Source Address
      .
      Don't select anything in the
      Source Subscriber
      or
      Source Equipment
      tabs.
    4. In the
      Destination
      tab,
      Add
      the zone that contains traffic to the Packet Data Network as the
      Destination Zone
      and select
      Any
      as the
      Destination Address
      .
    5. In the
      Application
      tab,
      Add
      the
      Application
      you created in step 4.1.
    6. In the
      Service/URL Category
      tab, select
      Any
      as the
      Service
      .
    7. In the
      Actions
      tab, select
      Allow
      as the
      Action
      .
    8. Attach the
      Mobile Network Protection profile
      to the Security policy rule by selecting
      Profiles
      and selecting the profile you created in step 3 as the
      Profile Type
      .
    9. Select
      Log at Session End
      if it is not already selected.
  5. Create Security policy rules for user equipment (UE) traffic based on the criteria you want to use, such as IP address, application, URL category, IMSE, or IMEI.
    1. Select
      Policies
      Security
      and
      Add
      a unique
      Name
      for the rule.
    2. In the
      Source
      tab,
      Add
      the
      Source Zone
      and
      Source Address
      .
      If you use an IP pool for the UE IP address, add the IP pool as the
      Source Address
      .
    3. In the
      Source
      tab,
      Add
      the
      Source Subscriber
      and if required, the
      Source Equipment
      .
    4. In the
      Destination
      tab,
      Add
      the
      Destination Zone
      and
      Destination Address
      the address of the servers in the corporate network or MEC site or use
      any
      for internet access.
    5. In the
      Application
      tab,
      Add
      the
      Application
      or applications you want to allow, such as
      dns
      ,
      web-browsing
      , or
      ssl
      .
    6. In the
      Service/URL Category
      tab, select the type or types of
      Service
      you want to allow.
    7. In the
      Actions
      tab, select the
      Action
      you want to take for the selected traffic (
      Allow
      the traffic or
      Deny
      it).
    8. Select
      Log at Session End
      if it is not already selected.
  6. Verify your configuration is correct.
    1. Verify the session traffic on the firewall using the following CLI commands.
      • show session all filter application radius
      • show session all filter source
        <IP_address_of_UE>
        (where
        <IP_address_of_UE>
        is the IP address of the user equipment).
    2. Verify the mappings on the firewall display
      radius
      as the source (
      src
      ).
    3. View the logs (
      Monitor
      Logs
      GTP
      ) and verify that the
      GTP Event Type
      displays
      UEIP mapping start
      and
      UEIP mapping end
      .
    4. Verify the Traffic logs (
      Monitor
      Logs
      Traffic
      ) display the IMSI or IMEI in the
      Subscriber Identity
      column for the UE traffic.
    5. Use the Global Counters to verify the configuration.

Recommended For You