Authorization Session

As discussed, a session can be initiated by any message that contains a Session-Id AVP and in which the Auth-Session-State AVP is either absent or set to STATE_MAINTAINED. The Auth-Request-Type AVP tells the peer whether the user is to be authenticated only, authorized only, or both. It likewise indicates whether the session is to be maintained for authentication only, authorization only, or both.

Some further information is exchanged, such as the lifetime of the session, the grace period, and the session timeout. The Authorization-Lifetime AVP contains the maximum time (in seconds) for which the service is given to the user before re-authorization/authentication is requested. Its value must be chosen very carefully, because a very small value could cause traffic congestion, while a large value provides the service for a long time before re-authorization/authentication.

An Authorization-Lifetime AVP set to zero tells the peer that multiple authentication is required, so it should immediately initiate the next message for authentication and authorization. The client MAY use the Authorization-Lifetime AVP to indicate the tentative maximum duration of the session, or the time for which it expects to use the service before re-authorization/authentication. The server MAY return a value equal to or less than the client's value.


The Auth-Grace-Period AVP contains the number of seconds the server will wait after the expiration of the Authorization-Lifetime before starting clean-up processes for the session.

A Diameter server can initiate a re-auth request for a particular session, using the same Session-Id as that session, after the expiration of the Authorization-Lifetime. The server shall send the Re-Auth-Request-Type AVP to inform the peer whether the session is to be re-authorized as AUTHORIZE_ONLY or AUTHORIZE_AUTHENTICATE (authorization and authentication).

The Session-Timeout AVP gives the number of seconds for which the service is provided to the user before the session is terminated. The value of Session-Timeout MUST be equal to or greater than that of the Authorization-Lifetime AVP, if present. When the time in the Session-Timeout AVP expires, the client triggers an STR.
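
The timer rules above as an added Python example, not code from the original post: it decodes the Unsigned32 timer AVPs from a constructed answer payload and checks them against each other. The AVP codes are from RFC 6733; the function names, the sample values, and treating a server lifetime larger than the client's request as an error are assumptions of this example.

```python
import struct

# AVP codes from RFC 6733 (Diameter base protocol).
SESSION_TIMEOUT, AUTH_GRACE_PERIOD = 27, 276
AUTH_SESSION_STATE, AUTH_LIFETIME = 277, 291
STATE_MAINTAINED = 0

def avp(code, value, flags=0x40):
    """Encode a 4-byte AVP: code, flags (M bit), 24-bit length, data."""
    return struct.pack("!IB3sI", code, flags, (12).to_bytes(3, "big"), value)

def parse_u32_avps(buf):
    """Walk a run of AVPs and return {code: value} for 4-byte payloads."""
    out, off = {}, 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8        # V bit adds a Vendor-Id field
        if length < hdr or off + length > len(buf):
            raise ValueError("bad AVP length")
        data = buf[off + hdr:off + length]
        if len(data) == 4:
            out[code] = int.from_bytes(data, "big")
        off += (length + 3) & ~3               # AVPs are padded to 32 bits
    return out

def session_plan(avps, requested_lifetime=None):
    """Check the timer rules and return deadlines as offsets in seconds."""
    # Auth-Session-State absent or STATE_MAINTAINED means a stateful session.
    if avps.get(AUTH_SESSION_STATE, STATE_MAINTAINED) != STATE_MAINTAINED:
        return {"stateful": False}
    life = avps.get(AUTH_LIFETIME)
    grace = avps.get(AUTH_GRACE_PERIOD, 0)
    timeout = avps.get(SESSION_TIMEOUT) or None  # RFC 6733: 0 or absent = no limit
    # Assumption of this example: a lifetime above the client's hint is rejected.
    if None not in (life, requested_lifetime) and life > requested_lifetime:
        raise ValueError("Authorization-Lifetime exceeds the client's value")
    if None not in (life, timeout) and timeout < life:
        raise ValueError("Session-Timeout is less than Authorization-Lifetime")
    return {"stateful": True, "reauth_due": life, "str_due": timeout,
            "cleanup_after": None if life is None else life + grace}

# Constructed sample answer payload (not captured traffic).
SAMPLE = b"".join([avp(AUTH_SESSION_STATE, STATE_MAINTAINED),
                   avp(AUTH_LIFETIME, 3600), avp(AUTH_GRACE_PERIOD, 300),
                   avp(SESSION_TIMEOUT, 86400)])
```

`session_plan(parse_u32_avps(SAMPLE), requested_lifetime=7200)` returns the re-auth, clean-up and STR deadlines for the sample.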

As we know, a session can be terminated for one of the following reasons:

1) The client terminates the session (graceful end) by sending an STR (Session-Termination-Request) because of Session-Timeout. After receiving this message, the server shall release all resources for the session identified by the Session-Id and reply with a Session-Termination-Answer.

2) The server can stop the session (graceful end) by sending an Abort-Session-Request to the client for the session identified by the Session-Id; the client shall reply with an Abort-Session-Answer.

3) Either the client or the server is rebooted (ungraceful end). This is identified by a change in the value of Origin-State-Id in the CER/CEA message.

5 comments:

  1. Hi All,

    Has anyone implemented a successful RAR/RAA? Can you share the mandatory AVPs that MUST be passed from the server to the client please?

    Thanks.

    Replies
    1. Hi,
      I will answer from the credit control server point of view of RAR messages.
      These are the mandatory AVPs, as listed below:
      destination-host
      destination-realm
      origin-host
      origin-realm
      auth-application-id
      credit-control
      re-auth-request-type
      rating-group
      service-identifier

      Thanks

  2. Can someone explain in a little more detail when to start the authentication, authorisation and accounting session, and how? An example, if possible, would be more helpful.

    Replies
    1. Hi Sanjay

      Starting an AAA session depends totally on your use case. For example, if some person is making a call and we need to keep track of his payment (recharge) balance, then there would be an authorization session (for instance, not allowed to make an international call for more than 10 minutes) and an accounting session to track the payment incurred, because the call can finish before 10 minutes or can last for more than 10 minutes.

      Thanks for your query.
      Happy to help you again.
      Team-Diameter

  3. Thanks. The RAR request can be initiated either from the client or from the server, right? I mean, any of the nodes can use it, i.e. whenever a node (either client/server) wants to inform the other node (either server/client) in the middle of an ongoing session, it can use RAR to inform the other node about a few specific pieces of information, right?
