Subscriber Creation

A subscriber is an entity, whether a person or a device, that maintains an agreement with a service provider to access mobile telecommunication services. The subscriber is represented by a collection of subscription profiles, which include bearer services, supplementary services, and other attributes stored in network databases such as the Home Location Register (HLR) or Home Subscriber Server (HSS). These profiles define the subscriber’s authorized services, access permissions, and allocated Quality of Service (QoS). The network registers and manages the subscription profile rather than the physical user, enabling effective troubleshooting, QoS monitoring, and feature activation. The subscriber’s profile is typically associated with the User Equipment (UE) to facilitate service delivery and network interactions.

In Cloud-Native Network Functions (CNFs), a subscriber refers to an entity (typically an end-user or device) that is consuming mobile network services provided by a telecommunications operator. Subscribers play a central role in F5 CNF operations, as these cloud-native functions enable the management of their traffic, services, security, and overall network experience. CNFs are commonly used in 4G LTE, 5G networks, and beyond, contributing to functionalities such as traffic routing, load balancing, and security enforcement.

A Subscriber ID is a unique identity assigned to a subscriber or device to identify it within the mobile core network. It is key to all interactions because it defines who the subscriber is and links their identity to other mechanisms such plans, privileges, policies, and so on. There are three Subscriber ID types, and based on the selected Subscriber ID type, service provider can configure the corresponding attribute to be used as the Subscriber ID.

Subscriber ID Type	Description
E164	A number that defines the format of an MSISDN international phone number (up to 15 digits).
NAI	A fully qualified network name that identifies a subscriber and the home network to which the subscriber belongs.
IMSI	A globally unique code number, that identifies a GSM, UMTS, or LTE mobile phone user.

Note: The system constructs a Subscriber ID by concatenating the values of attached RADIUS attributes (IMSI, NAI, E.164) along with user-specified prefixes and suffixes. However, the maximum allowable length for the Subscriber ID is 64 characters. If this limit is exceeded, the system will fail to create the subscriber session. To avoid this issue, ensure that the total length of the concatenated Subscriber ID remains within 64 characters.

A Subscriber Session refers to the active connection created between the subscriber’s device (User Equipment) and the mobile network during network attachment. It contains information related to the subscriber’s usage such as session start time, subscriber ID, IP address and applied policies. Each session is unique to the subscriber and tied to their subscriber ID. Session is triggered when the subscriber’s device authenticates with the network.

Subscriber Awareness is the ability of network functions—such as Cloud-Native Network Functions (CNFs)—to identify subscriber traffic, correlate it with a specific subscriber profile (using their ID and session), and apply customized rules or policies accordingly.

The subscriber ID, subscriber session, and subscriber awareness work together to ensure seamless service delivery and personalized experiences for users. The subscriber ID allows the network to recognize and authenticate the user. Once identified, the network establishes a subscriber session, which is the active connection between the user’s device and the network, enabling services such as voice calls, data usage, and messaging. Each session includes details such as IP address, bearer paths, and quality-of-service parameters that are tailored to the subscriber’s needs. The Subscriber awareness enables the network to manage and treat sessions dynamically, processing traffic based on the subscriber ID and session context. This ensures that services, security policies, and traffic optimizations can be personalized for each subscriber in real-time.

Role of Subscriber in different CNF modules:

• Carrier-Grade NAT (CGNAT)

  • In mobile and service provider networks, subscribers are often assigned private IP addresses due to limited IPv4 availability.

  • CGNAT translates subscriber IP addresses to public IP addresses, enabling internet access for millions of subscribers in large-scale deployments.

  • Subscribers are defined by their IP address, IMSI, MSISDN or RADIUS attributes for traffic tracking and logging.

• Policy Enforcement Manager (PEM)

  • The PEM module for subscriber-aware traffic management enables service providers to apply granular policies for different subscribers based on their subscription types or usage patterns.

  • Subscribers are identified by unique attributes such as IP address, IMSI, MSISDN or RADIUS attributes.

  • PEM can enforce data usage limits, throttle connections, or steer traffic based on subscriber profiles, helping service providers customize user experiences and apply differentiated billing.

A subscriber can be created in several ways depending on the source and trigger for the session creation. Below are the primary mechanisms for subscriber creation:

• RADIUS Message-Triggered Subscriber

RADIUS Message-Triggered Subscriber

Subscribers are dynamically created using RADIUS messages sent from the NAS to the network (via the RADIUS server). When a subscriber connects to the network:

• Access Request

  • A subscriber device sends an authentication request (for example, through a mobile network, Wi-Fi, or corporate VPN).

  • The Network Access Server (NAS) generates a RADIUS Access-Request message with subscriber details (for example, username, IMSI, or MSISDN).

• Session Authentication

  • NAS sends the Access-Request to the RADIUS server for validation.

  • The RADIUS server authenticates the subscriber and responds with an Access-Accept message if authentication is successful.

• Session Creation

  • After authentication, NAS sends a RADIUS Accounting-Request (Start) message to the gateway.

  • The CNF creates a subscriber session using the information in the RADIUS Accounting-Request.

• Optional Session Updates

  • Periodically, NAS sends RADIUS Interim messages or Accounting-Request (Interim) to update session details.

• Session Termination

  • When the subscriber disconnects, a RADIUS Accounting-Request (Stop) is sent, and the session is terminated.

Procedures

Apply Subscriber Attributes for IP Address

Subscriber attributes for IP address requires F5BigSubscriberAttribute to enable the IP address.

1. Copy the following example into the subscriber_attribute_framed_ip.yaml file.

   apiVersion: "k8s.f5net.com/v1"
   kind: F5BigSubscriberAttribute
   metadata:
    name: "subscriber-attribute-framed-ip"
   spec:
    import: true
    export: true
    wellKnownAttributeId: "ipv4-address"
   

   If you are using an IPv6 address, use the IPv6 address in the ‘wellKnownAttributeId’ field.

2. Run the following command to apply the subscriber attributes.

   kubectl apply -f subscriber_attribute_framed_ip.yaml -n <name_space>
   

3. Verify that the subscriber attributes for IP address is applied by checking the f5ingress logs.

   For more information on subscriber attributes for IP address, see F5BigSubscriberAttribute CRD page.

Apply Subscriber Attributes for Subscriber ID

Subscriber attributes for subscriber ID requires F5BigSubscriberAttribute to enable the subscriber ID. There are three Subscriber ID types, and based on the selected Subscriber ID type, service provider can configure the corresponding attribute to be used as the Subscriber ID.

Subscriber ID Type	Description
E164	A number that defines the format of an MSISDN international phone number (up to 15 digits).
NAI	A fully qualified network name that identifies a subscriber and the home network to which the subscriber belongs.
IMSI	A globally unique code number, that identifies a GSM, UMTS, or LTE mobile phone user.

1. Copy the following example into the subscriber_attribute_imsi.yaml file.

   apiVersion: "k8s.f5net.com/v1"
   kind: F5BigSubscriberAttribute
   metadata:
    name: "subscriber-attribute-imsi"
   spec:
    import: true
    export: true
    wellKnownAttributeId: "imsi"
   

If you are using NAI or E164 subscriber ID, use ‘NAI’ or ‘E164’ in the ‘wellKnownAttributeId’ field.

2. Run the following command to apply the subscriber attributes.

   kubectl apply -f subscriber_attribute_imsi.yaml -n <name_space>
   

3. Verify that the subscriber attributes for subscriber ID is applied by checking the f5ingress logs.

   For more information on subscriber attributes for subscriber ID, see F5BigSubscriberAttribute CRD page.

Apply RADIUS Attribute Definitions for IP Address

RADIUS attribute definitions requires F5BigRadiusAttribute to enable the RADIUS attributes.

1. Copy the following example into the radius_attribute_framed_ip.yaml file.

   • For IPv4 address:

     apiVersion: "k8s.f5net.com/v1"
     kind: F5BigRadiusAttribute
     metadata:
      name: "radius-attribute-framed-ip"
     spec:
      datatype: "ip4addr"
      minLength: 4
      maxLength: 4
      type: "framed-ip-address"
     

   • For IPv6 address:

     apiVersion: "k8s.f5net.com/v1"
     kind: F5BigRadiusAttribute
     metadata:
      name: "radius-attribute-framed-ip"
     spec:
      datatype: "ip6addr"
      minLength: 16
      maxLength: 16
      type: "framed-ipv6-address"
     

2. Run the following command to apply the RADIUS attribute definitions.

   kubectl apply -f radius_attribute_framed_ip.yaml -n <name_space>
   

3. Verify that the RADIUS attribute definitions are applied by checking the f5ingress logs.

   For more information on RADIUS attribute definitions for IP address, see F5BigRadiusAttribute CRD page.

Apply RADIUS Attribute Definitions for Subscriber ID

RADIUS attribute definitions requires F5BigRadiusAttribute to enable the subscriber ID.

1. Copy the following example into the radius_attribute_imsi.yaml file.

   apiVersion: "k8s.f5net.com/v1"
   kind: F5BigRadiusAttribute
   metadata:
    name: "radius-attribute-imsi"
   spec:
    datatype: "string"
    minLength: 3
    maxLength: 19
    vendorId: 10415
    vendorType: 1
    type: "vendor-specific"
   

   If you are using NAI or E164 subscriber ID, modify the name field accordingly.

2. Run the following command to apply the RADIUS attribute definitions.

   kubectl apply -f radius_attribute_imsi.yaml -n <name_space>
   

3. Verify that the RADIUS attribute definitions are applied by checking the f5ingress logs.

   For more information on RADIUS attribute definitions for subscriber ID, see F5BigRadiusAttribute CRD page.

Apply RADIUS Protocol Profile

RADIUS Protocol Profile requires F5BigRadiusProtocolProfile to enable the RADIUS protocol profile.

1. Copy the following example into the radius-profile.yaml file.

   apiVersion: "k8s.f5net.com/v1"
   kind: radiusProfile
   metadata:
    name: "radius-profile-nai"
   spec:
    description: "RADIUS protocol profile for NAI Subscriber ID"
    subscriberIdType: "nai" # nai | imsi | e164
    subscriberIdList:
     - name: "username"
       order: 1
       prefix: "nai"
       suffix: "_sub"
       radiusAttribute: "radius-attribute-imsi"
    radiusMessages:
     - name: "radius-start-message"
       messageType: "acc-start"
       attributeList:
         - name: "my_framed_ip_avp"
           default: "19.19.19.19"
           ingress: "import"
           radiusAttribute: "radius-attribute-framed-ip"
           subscriberAttribute: "subscriber-attribute-framed-ip"
         - name: "my_imsi_avp"
           default: "123456789"
           ingress: "import"
           radiusAttribute: "radius-attribute-nai"
           subscriberAttribute: "subscriber-attribute-nai"
   
     - name: "radius-stop-message"
       messageType: "acc-stop"
       attributeList:
         - name: "my_framed_ip_avp"
           default: "19.19.19.19"
           ingress: "import"
           radiusAttribute: "radius-attribute-framed-ip"
           subscriberAttribute: "subscriber-attribute-framed-ip"
         - name: "my_imsi_avp"
           default: "123456789"
           ingress: "import"
           radiusAttribute: "radius-attribute-nai"
           subscriberAttribute: "subscriber-attribute-nai"
   
     - name: "radius-update-message"
       messageType: "acc-interim"
       attributeList:
         - name: "my_framed_ip_avp"
           default: "19.19.19.19"
           ingress: "import"
           radiusAttribute: "radius-attribute-framed-ip"
           subscriberAttribute: "subscriber-attribute-framed-ip"
         - name: "my_imsi_avp"
           default: "123456789"
           ingress: "import"
           radiusAttribute: "radius-attribute-nai"
           subscriberAttribute: "subscriber-attribute-nai"
   

2. Run the following command to apply the RADIUS protocol profile.

   kubectl apply -f radius-profile.yaml -n <name_space>
   

3. Verify that the RADIUS protocol profile is applied by checking the f5ingress logs.

   For more information on RADIUS Protocol Profile, see F5BigRadiusProtocolProfile CRD page.

Apply Subscriber-Aware Profile

Subscriber Aware Profile requires F5BigRadiusSubscriberAwareProfile to enable the subscriber aware profile.

1. Copy the following example into the subscriber-aware.yaml file.

   apiVersion: "k8s.f5net.com/v1"
   kind: radiusSubscriberAware
   metadata:
    name: "subscriber-aware-nas"
   spec:
    subscriberDiscovery: true
    clientSpec: "specify"
    addressList:
     - "10.10.10.10"
    radiusProtocolProfile: "radius-profile-nai"
   

2. Run the following command to apply the subscriber aware profile.

   kubectl apply -f radius-subscriber-aware.yaml -n <name_space>
   

3. Verify that the subscriber aware profile is applied by checking the f5ingress logs.

   For more information on Subscriber Aware Profile, see F5BigRadiusSubscriberAwareProfile CRD page.

Apply RADIUS Accounting Secure Context

1. Add the following example in secure-context.yaml file.

   apiVersion: "k8s.f5net.com/v1"
   kind: F5BigContextSecure
   metadata:
    name: "radius-virtual"
   spec:
    destinationAddress: 0.0.0.0/0
    ipProtocol: "udp"
    profile: "udp"
    destinationPort: 1813
    radiusSubscriberAwareProfile: "subscriber-aware-profile-radius" 
   

2. Apply the Secure Context CR.

   kubectl apply -f secure-context.yaml -n <name_space>
   

3. Verify that the RADIUS secure context is applied by checking the f5ingress logs.

   For more information on RADIUS Secure Context, see F5BigContextSecure CRD page.

Default CRs for RADIUS Message-Triggered Subscriber

Radius Attribute for Username

apiVersion: "k8s.f5net.com/v1"
kind: F5BigRadiusAttribute
metadata:
  name: "radius-attribute-user-name"
spec:
  datatype:   "string"
  minLength:  1
  maxLength:  253
  vendorType: 0
  vendorId:   0
  type:       "user-name"

Radius Attribute for IMSI

apiVersion: "k8s.f5net.com/v1"
kind: F5BigRadiusAttribute
metadata:
  name: "radius-attribute-imsi"
spec:
  datatype:   "string"
  minLength:  1
  maxLength:  15
  vendorType: 1
  vendorId:   10415
  type:       "vendor-specific"

Radius Attribute for Calling Station ID

apiVersion: "k8s.f5net.com/v1"
kind: F5BigRadiusAttribute
metadata:
  name: "radius-attribute-calling-station-id"
spec:
  datatype:   "string"
  minLength:  1
  maxLength:  253
  vendorType: 0
  vendorId:   0
  type:       "calling-station-id"

Radius Attribute for Framed IP Address

apiVersion: "k8s.f5net.com/v1"
kind: F5BigRadiusAttribute
metadata:
  name: "radius-attribute-framed-ip-address"
spec:
  datatype:   "ip4addr"
  minLength:  4
  maxLength:  4
  vendorType: 0
  vendorId:   0
  type:       "framed-ip-address"

Radius Attribute for Framed IPv6 Prefix

apiVersion: "k8s.f5net.com/v1"
kind: F5BigRadiusAttribute
metadata:
  name: "radius-attribute-framed-ipv6-prefix"
spec:
  datatype:   "ip6prefix"
  minLength:  2
  maxLength:  18
  vendorType: 0
  vendorId:   0
  type:       "framed-ipv6-prefix"

Radius Attribute for Framed IPv6 Address

apiVersion: "k8s.f5net.com/v1"
kind: F5BigRadiusAttribute
metadata:
  name: "radius-attribute-framed-ipv6-address"
spec:
  datatype:   "ip6addr"
  minLength:  16
  maxLength:  16
  vendorType: 0
  vendorId:   0
  type:       "framed-ipv6-address"

Subscriber Attribute for Username

apiVersion: "k8s.f5net.com/v1"
kind: F5BigSubscriberAttribute
metadata:
  name: "default-subscriber-attribute-username"
spec:
  import: true
  export: true
  wellKnownAttributeId: "user-name"

Subscriber Attribute for IMSI

apiVersion: "k8s.f5net.com/v1"
kind: F5BigSubscriberAttribute
metadata:
  name: "default-subscriber-attribute-imsi"
spec:
  import: true
  export: true
  wellKnownAttributeId: "imsi"

Subscriber Attribute for Calling Station ID

apiVersion: "k8s.f5net.com/v1"
kind: F5BigSubscriberAttribute
metadata:
  name: "default-subscriber-attribute-calling-station-id"
spec:
  import: true
  export: true
  wellKnownAttributeId: "calling-station-id"

Subscriber Attribute for Framed IP Address

apiVersion: "k8s.f5net.com/v1"
kind: F5BigSubscriberAttribute
metadata:
  name: "default-subscriber-attribute-framed-ip-address"
spec:
  import: true
  export: true
  wellKnownAttributeId: "ip-address"

Subscriber Attribute for Framed IPv6 Address

apiVersion: "k8s.f5net.com/v1"
kind: F5BigSubscriberAttribute
metadata:
  name: "default-subscriber-attribute-framed-ipv6-address"
spec:
  import: true
  export: true
  wellKnownAttributeId: "not-defined"

Subscriber Attribute for Framed IPv6 Prefix

apiVersion: "k8s.f5net.com/v1"
kind: F5BigSubscriberAttribute
metadata:
  name: "default-subscriber-attribute-framed-ipv6-prefix"
spec:
  import: true
  export: true
  wellKnownAttributeId: "not-defined"