Skip to main content

Setup Enterprise Connector

info

You will be using the Alef Mobile Network API to carry out the tasks in this section. This is a basic config, Refer to the API reference documentation to learn more about the API and explore the full schema.

Enterprise Mobile Gateway Concept

Fig 1: Alef Mobile Radius Integration

Fig 1: Alef Mobile Radius Integration

The Enterprise Mobile Gateway allows you to use an enterpise IAM to store and manage all your SIM data. The Authentication and Authorization is transfered from the Mobile Core to your IAM system. This allows for setting IP addresses, policies and activily manage connections with Change of Authorization or disconnect request.

Radius Client

The Enterprise Mobile Gateway is a radius client. the radius client communicates with your radius server (IAM systems like: LDAP, MSAD, ICE) via the network connection between your network and Alef. For this it uses the radius client's ip address (nas-ip-address), which is typically the same as the MME IP address. The client will be configured like any other raduis client with a shared key and nas-identifier (default to Mobius) to handle its authentication against you IAM.

Radius Server

Per Enterprise Mobile Gateway one or more Radius servers, can be configured. This configuration is for the Radius Client to know which servers it can connect to and what the priority of the server is. Each server will require the IP address to be configured. This IP address needs to be addressable from the Alef network via the network connection to your network. The other configuration details are standard for a radius server connections and explained below

Dynamic Authorization

In order to enable dynamic authorization on your Enterprise Mobile Gateway, the ability to support Change of Authorization (CoA) or Disconnect requests, you need to specify the server that can instruct the Enterprise Mobile Gateway to manage connections. This function requires the Enterprise Mobile Gateway to be configured with the server information from which it can accept incoming CoA/Disconnect requests. The configuration details are explained below

note

You will need ensure that your IAM can operate with the Enterprise Mobile Gateway radius client. We can provide guidance on this. The solution has been tested on OpenLDAP, MS Active Directory and Cisco ICE.

SIM Provisioning

If you are using the Enterprise Mobile Gateway you will need to provision your SIMs and keys into your IAM. Alef can provide you with the VSA (Vendor-Specific attributes) and an LDAP schema for this.

Configure your Enterprise Mobile Gateway

Required information

  • name: Name for the Enterprise Mobile Gateway, needs to be unique in your account. At least one of these two needs to be set:
  • nas-ip-address: NAS IP address, can be the MME IP.
  • nas-identifier: NAS Identifier name for Radius Client (Default Mobius).

Optional:

  • framed-mtu: MTU Frame size (Default 1432).
  • auth-server: See below for details.
  • dynamic-authorization: See below for details.
tip

Please contact Alef Support if you have any questions relations to these items.

You will use the following POST request body with the /connectivity/v2/networks/radius endpoint to create and configure your Enterprise Mobile Gateway.

You can use the following GET request body with the /connectivity/v2/networks/radius/:id endpoint to retrieve your Enterprise Mobile Gateway information.

Expand here to see the mobile core POST request body. 
{
  "name": "string",
  "nas-ip-address": "IP address",
  "nas-identifier": "Mobius",
  "framed-mtu": 1432,
  "auth-server": [
    {
      "name": "Name",
      "host": "IP address",
      "port": 1812,
      "shared-key": "string",
      "priority": 0,
      "transport-config": "UDP",
      "reconnect-time": 0,
      "dead-interval": 0,
      "send-status-server": false
    }
  ],
  "dynamic-authorization": {
    "allowed-client": [
      {
        "address": "IP address",
        "shared-key": "string",
        "allow-coa-requests": true,
        "allow-disconnect-requests": true
      }
    ]
  }
}

The following section is a breakdown of the request:

Enterprise Mobile Gateway POST request guide

Authentication and Authorization servers

This is the required information to configure your IAM server(s) as an endpoint for the Enterprise Mobile Gateway:

  • name: Name of the Radius server.
  • host: IP address of the Radius server.
  • port: Port of the Radius server (default 1812)
  • shared-key: Shared key for the Radius server.
  • priority: Priority of the server. 0 disables the server. Higher number is a higher priority (max 255).
  • transport-config: The Radius transport protocol between server and client. Options are UDP/TCP, default to UDP.

Optional values:

  • reconnect-time: Time after which we attempt to reconnect to a server in case of errors (default 15s).
  • dead-interval: Interval in seconds after which a server is declared unreachable (default 30s).
  • send-status-server: Whether to send status server messages (default false).
  "auth-server": [
    {
      "name": "string",
      "host": "IP address",
      "port": 1812,
      "shared-key": "string",
      "priority": 1,
      "transport-config": "UDP",
      "reconnect-time": 15,
      "dead-interval": 30,
      "send-status-server": false
    }
  ],

Dynamic Authorization

This is the required information to configure your IAM server(s) as allowed servers to make an inbound request to the Enterprise Mobile Gateway:

  • address: IP address of the Radius server.
  • shared-key: Shared key for the Radius server.
  • allow-coa-requests: Enable Change of Authorization request (default true).
  • allow-disconnect-requests: Enable disconnect request (default true).
  "dynamic-authorization": {
    "allowed-client": [
      {
        "address": "IP address",
        "shared-key": "string",
        "allow-coa-requests": true,
        "allow-disconnect-requests": true
      }
    ]
  },