articles/private-5g-core/collect-required-information-for-a-site.md
19 additions & 2 deletions
@@ -52,6 +52,23 @@ Collect all the values in the following table for the packet core instance that
52
52
| The Azure Stack Edge resource representing the Azure Stack Edge Pro device in the site. You created this resource as part of the steps in [Order and set up your Azure Stack Edge Pro devices](complete-private-mobile-network-prerequisites.md#order-and-set-up-your-azure-stack-edge-pro-devices).</br></br> If you're going to create your site using the Azure portal, collect the name of the Azure Stack Edge resource.</br></br> If you're going to create your site using an ARM template, collect the full resource ID of the Azure Stack Edge resource. You can do this by navigating to the Azure Stack Edge resource, selecting **JSON View**, and copying the contents of the **Resource ID** field. |**Azure Stack Edge device**|
53
53
|The custom location that targets the Azure Kubernetes Service on Azure Stack HCI (AKS-HCI) cluster on the Azure Stack Edge Pro device in the site. You commissioned the AKS-HCI cluster as part of the steps in [Commission the AKS cluster](commission-cluster.md).</br></br> If you're going to create your site using the Azure portal, collect the name of the custom location.</br></br> If you're going to create your site using an ARM template, collect the full resource ID of the custom location. You can do this by navigating to the Custom location resource, selecting **JSON View**, and copying the contents of the **Resource ID** field.|**Custom location**|
54
54
55
+
## Collect RADIUS values
56
+
57
+
If you have a Remote Authentication Dial-In User Service (RADIUS) authentication, authorization and accounting (AAA) server in your network, you can optionally configure the packet core to use it to authenticate UEs on attachment to the network and session establishment. If you want to use RADIUS, collect all the values in the following table.
58
+
59
+
|Value |Field name in Azure portal |
60
+
|---------|---------|
61
+
|IP address for the RADIUS AAA server. |RADIUS server address |
62
+
|IP address for the network access servers (NAS). |RADIUS NAS address |
63
+
|Authentication port to use on the RADIUS AAA server. |RADIUS server port |
64
+
|The names of one or more data networks that require RADIUS authentication. |RADIUS Auth applies to DNs |
65
+
|Whether to use: </br></br>- the default username and password, defined in your Azure Key Vault </br></br>- the International Mobile Subscriber Identity (IMSI) as the username, with the password defined in your Azure Key Vault. |RADIUS authentication username. |
66
+
|URL of the secret used to secure communication between the packet core and AAA server, stored in your Azure Key Vault. |Shared secret |
67
+
|URL of the default username secret, stored in your Azure Key Vault. Not required if using IMSI. |Secret URI for the default username |
68
+
|URL of the default password secret, stored in your Azure Key Vault. |Secret URI for the default password |
69
+
70
+
To add the secrets to Azure Key Vault, see [Quickstart: Set and retrieve a secret from Azure Key Vault using the Azure portal](../key-vault/secrets/quick-create-portal.md).
71
+
55
72
## Collect access network values
56
73
57
74
Collect all the values in the following table to define the packet core instance's connection to the access network over the control plane and user plane interfaces. The field name displayed in the Azure portal depends on the value you have chosen for **Technology type**, as described in [Collect packet core configuration values](#collect-packet-core-configuration-values).
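Review bot: The three Key Vault rows in the new RADIUS table (Shared secret, Secret URI for the default username, Secret URI for the default password) ask for secret URLs, but the section never says which identity reads those secrets or what permissions it needs; the only guidance is the quickstart link for creating a secret. The HTTPS certificate section of this same file spells out the grant to the **Azure Private MEC** service principal, so add the equivalent statement here, otherwise readers will either hit the failure at deployment or assign an overly broad role. Also drop the trailing period from the field name "RADIUS authentication username." so it matches the other field names, and say whether **RADIUS NAS address** takes one address or several, since the description says "servers".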
@@ -141,7 +158,7 @@ You can use a self-signed or a custom certificate to secure access to the [distr
141
158
142
159
If you don't want to provide a custom HTTPS certificate at this stage, you don't need to collect anything. You'll be able to change this configuration later by following [Modify the local access configuration in a site](modify-local-access-configuration.md).
143
160
144
-
If you want to provide a custom HTTPS certificate at site creation, follow the steps below.
161
+
If you want to provide a custom HTTPS certificate at site creation:
145
162
146
163
1. Either [create an Azure Key Vault](../key-vault/general/quick-create-portal.md) or choose an existing one to host your certificate. Ensure the key vault is configured with **Azure Virtual Machines for deployment** resource access.
147
164
1. Ensure your certificate is stored in your key vault. You can either [generate a Key Vault certificate](../key-vault/certificates/create-certificate.md) or [import an existing certificate to your Key Vault](../key-vault/certificates/tutorial-import-certificate.md?tabs=azure-portal#import-a-certificate-to-your-key-vault). Your certificate must:
@@ -158,7 +175,7 @@ If you want to provide a custom HTTPS certificate at site creation, follow the s
158
175
> - Certificate validation is always performed against the latest version of the local access certificate in the Key Vault.
159
176
> - If you enable auto-rotation, it might take up to four hours for certificate updates in the Key Vault to synchronize with the edge location.
160
177
161
-
1. Decide how you want to provide access to your certificate. You can use a Key Vault access policy or Azure role-based access control (Azure RBAC).
178
+
1. Decide how you want to provide access to your certificate. You can use a Key Vault access policy or Azure role-based access control (RBAC).
162
179
163
180
-[Assign a Key Vault access policy](../key-vault/general/assign-access-policy.md?tabs=azure-portal). Provide **Get** and **List** permissions under **Secret permissions** and **Certificate permissions** to the **Azure Private MEC** service principal.
164
181
-[Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control (RBAC)](../key-vault/general/rbac-guide.md?tabs=azure-cli). Provide **Key Vault Reader** and **Key Vault Secrets User** permissions to the **Azure Private MEC** service principal.
articles/private-5g-core/complete-private-mobile-network-prerequisites.md
2 additions & 0 deletions
@@ -264,6 +264,7 @@ You must set these up in addition to the [ports required for Azure Stack Edge (A
264
264
| TCP 443 Inbound | Management (LAN) | Access to local monitoring tools (packet core dashboards and distributed tracing). |
265
265
| 5671 In/Outbound | Management (LAN) | Communication to Azure Event Hubs, AMQP Protocol |
266
266
| 5672 In/Outbound | Management (LAN) | Communication to Azure Event Hubs, AMQP Protocol |
267
+
| UDP 1812 In/Outbound | Management (LAN) | Authentication with a RADIUS AAA server. </br>Only required when RADIUS is in use. |
267
268
| SCTP 38412 Inbound | Port 3 (Access network) | Control plane access signaling (N2 interface). </br>Only required for 5G deployments. |
268
269
| SCTP 36412 Inbound | Port 3 (Access network) | Control plane access signaling (S1-MME interface). </br>Only required for 4G deployments. |
269
270
| UDP 2152 In/Outbound | Port 3 (Access network) | Access network user plane data (N3 interface for 5G, S1-U for 4G, or N3/S1-U for combined 4G and 5G). |
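Review bot: The new row hard-codes UDP 1812, but the RADIUS table added in collect-required-information-for-a-site.md has the operator collect an "Authentication port to use on the RADIUS AAA server" (**RADIUS server port**), so the port is configurable. Word the row as UDP 1812 or whichever port was configured for the site, so a firewall rule copied from this table doesn't block a non-default port.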
@@ -282,6 +283,7 @@ You must set these up in addition to the [ports required for Azure Stack Edge (A
282
283
| TCP 443 Inbound | Management (LAN) | Access to local monitoring tools (packet core dashboards and distributed tracing). |
283
284
| 5671 In/Outbound | Management (LAN) | Communication to Azure Event Hubs, AMQP Protocol |
284
285
| 5672 In/Outbound | Management (LAN) | Communication to Azure Event Hubs, AMQP Protocol |
286
+
| UDP 1812 In/Outbound | Management (LAN) | Authentication with a RADIUS AAA server. </br>Only required when RADIUS is in use. |
285
287
| SCTP 38412 Inbound | Port 5 (Access network) | Control plane access signaling (N2 interface). </br>Only required for 5G deployments. |
286
288
| SCTP 36412 Inbound | Port 5 (Access network) | Control plane access signaling (S1-MME interface). </br>Only required for 4G deployments. |
287
289
| UDP 2152 In/Outbound | Port 5 (Access network) | Access network user plane data (N3 interface for 5G, S1-U for 4G, or N3/S1-U for combined 4G and 5G). |
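Review bot: "In/Outbound" on the added UDP 1812 row isn't explained: the description covers only authentication with a RADIUS AAA server, whose address is collected in the site configuration. State which side initiates the exchange and whether inbound is needed for anything other than replies, so the rule can be scoped to the RADIUS server address instead of opening UDP 1812 in both directions on the management LAN.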
articles/private-5g-core/create-a-site.md
14 additions & 12 deletions
@@ -58,11 +58,11 @@ In this step, you'll create the mobile network site resource representing the ph
58
58
59
59
:::zone pivot="ase-pro-gpu"
60
60
61
-
7. Use the information you collected in [Collect access network values](collect-required-information-for-a-site.md#collect-access-network-values) to fill out the fields in the **Access network** section.
61
+
1. Use the information you collected in [Collect access network values](collect-required-information-for-a-site.md#collect-access-network-values) to fill out the fields in the **Access network** section.
62
62
> [!NOTE]
63
63
> **ASE N2 virtual subnet** and **ASE N3 virtual subnet** (if this site will support 5G UEs), **ASE S1-MME virtual subnet** and **ASE S1-U virtual subnet** (if this site will support 4G UEs), or **ASE N2/S1-MME virtual subnet** and **ASE N3/S1-U virtual subnet** (if this site will support both 4G and 5G UEs) must match the corresponding virtual network names on port 5 on your Azure Stack Edge Pro GPU device.
64
64
65
-
9. In the **Attached data networks** section, select **Attach data network**. Choose whether you want to use an existing data network or create a new one, then use the information you collected in [Collect data network values](collect-required-information-for-a-site.md?pivots=ase-pro-gpu#collect-data-network-values) to fill out the fields. Note the following:
65
+
1. In the **Attached data networks** section, select **Attach data network**. Choose whether you want to use an existing data network or create a new one, then use the information you collected in [Collect data network values](collect-required-information-for-a-site.md?pivots=ase-pro-gpu#collect-data-network-values) to fill out the fields. Note the following:
66
66
-**ASE N6 virtual subnet** (if this site will support 5G UEs), **ASE SGi virtual subnet** (if this site will support 4G UEs), or **ASE N6/SGi virtual subnet** (if this site will support combined 4G and 5G UEs) must match the corresponding virtual network name on port 5 or 6 on your Azure Stack Edge Pro device.
67
67
- If you decided not to configure a DNS server, clear the **Specify DNS addresses for UEs?** checkbox.
68
68
- If you decided to keep NAPT disabled, ensure you configure your data network router with static routes to the UE IP pools via the appropriate user plane data IP address for the corresponding attached data network.
@@ -73,11 +73,13 @@ In this step, you'll create the mobile network site resource representing the ph
73
73
:::zone-end
74
74
:::zone pivot="ase-pro-2"
75
75
76
-
7. Use the information you collected in [Collect access network values](collect-required-information-for-a-site.md#collect-access-network-values) to fill out the fields in the **Access network** section.
76
+
1. Use the information you collected in [Collect access network values](collect-required-information-for-a-site.md#collect-access-network-values) to fill out the fields in the **Access network** section.
77
77
> [!NOTE]
78
78
> **ASE N2 virtual subnet** and **ASE N3 virtual subnet** (if this site will support 5G UEs), **ASE S1-MME virtual subnet** and **ASE S1-U virtual subnet** (if this site will support 4G UEs), or **ASE N2/S1-MME virtual subnet** and **ASE N3/S1-U virtual subnet** (if this site will support both 4G and 5G UEs) must match the corresponding virtual network names on port 3 on your Azure Stack Edge Pro device.
79
79
80
-
9. In the **Attached data networks** section, select **Attach data network**. Choose whether you want to use an existing data network or create a new one, then use the information you collected in [Collect data network values](collect-required-information-for-a-site.md?pivots=ase-pro-2#collect-data-network-values) to fill out the fields. Note the following:
80
+
1. If you decided you want to use Remote Authentication Dial-In User Service (RADIUS) authentication, select **Enable** in the **RADIUS server configuration** section and use the information you collected in [Collect RADIUS values](collect-required-information-for-a-site.md#collect-radius-values) to fill out the fields.
81
+
82
+
1. In the **Attached data networks** section, select **Attach data network**. Choose whether you want to use an existing data network or create a new one, then use the information you collected in [Collect data network values](collect-required-information-for-a-site.md?pivots=ase-pro-2#collect-data-network-values) to fill out the fields. Note the following:
81
83
-**ASE N6 virtual subnet** (if this site will support 5G UEs), **ASE SGi virtual subnet** (if this site will support 4G UEs), or **ASE N6/SGi virtual subnet** (if this site will support combined 4G and 5G UEs) must match the corresponding virtual network name on port 3 or 4 on your Azure Stack Edge Pro device.
82
84
- If you decided not to configure a DNS server, clear the **Specify DNS addresses for UEs?** checkbox.
83
85
- If you decided to keep NAPT disabled, ensure you configure your data network router with static routes to the UE IP pools via the appropriate user plane data IP address for the corresponding attached data network.
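Review bot: The RADIUS step is added only inside `:::zone pivot="ase-pro-2"`; the `ase-pro-gpu` zone in the previous hunk is only renumbered. The prerequisites change adds the UDP 1812 row to both port tables, including the one that lists Port 5 for the access network (the port this file associates with the Pro GPU device), and the new **Collect RADIUS values** section isn't shown as pivot-specific. Either add the same step to the `ase-pro-gpu` zone, or state in the collection section and the Port 5 table that RADIUS applies to one device type only.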
@@ -87,9 +89,9 @@ In this step, you'll create the mobile network site resource representing the ph
87
89
Once you've finished filling out the fields, select **Attach**.
88
90
:::zone-end
89
91
90
-
10. Repeat the previous step for each additional data network you want to configure.
92
+
1. Repeat the previous step for each additional data network you want to configure.
91
93
92
-
8. Go to the **Diagnostics** tab. If you want to enable UE Metric monitoring, select **Enable** from the **UE Metric monitoring** dropdown. Use the information collected in [Collect UE Usage Tracking values](collect-required-information-for-a-site.md#collect-ue-usage-tracking-values) to fill out the **Azure Event Hub Namespace**, **Event Hub name** and **User Assigned Managed Identity** values.
94
+
1. Go to the **Diagnostics** tab. If you want to enable UE Metric monitoring, select **Enable** from the **UE Metric monitoring** dropdown. Use the information collected in [Collect UE Usage Tracking values](collect-required-information-for-a-site.md#collect-ue-usage-tracking-values) to fill out the **Azure Event Hub Namespace**, **Event Hub name** and **User Assigned Managed Identity** values.
93
95
94
96
1. If you decided you want to configure diagnostics packet collection or use a user assigned managed identity for HTTPS certificate for this site, select **Next : Identity >**.
95
97
If you decided not to configure diagnostics packet collection or use a user assigned managed identity for HTTPS certificates for this site, you can skip this step.
@@ -101,25 +103,25 @@ If you decided not to configure diagnostics packet collection or use a user assi
101
103
102
104
1. Under **Provide custom HTTPS certificate?**, select **Yes**.
103
105
1. Use the information you collected in [Collect local monitoring values](collect-required-information-for-a-site.md#collect-local-monitoring-values) to select a certificate.
104
-
13. In the **Local access** section, set the fields as follows:
106
+
1. In the **Local access** section, set the fields as follows:
105
107
106
108
:::image type="content" source="media/create-a-site/create-site-local-access-tab.png" alt-text="Screenshot of the Azure portal showing the Local access configuration tab for a site resource.":::
107
109
108
110
- Under **Authentication type**, select the authentication method you decided to use in [Choose the authentication method for local monitoring tools](collect-required-information-for-a-site.md#choose-the-authentication-method-for-local-monitoring-tools).
109
111
- Under **Provide custom HTTPS certificate?**, select **Yes** or **No** based on whether you decided to provide a custom HTTPS certificate in [Collect local monitoring values](collect-required-information-for-a-site.md#collect-local-monitoring-values). If you selected **Yes**, use the information you collected in [Collect local monitoring values](collect-required-information-for-a-site.md#collect-local-monitoring-values) to select a certificate.
110
112
111
-
14. Select **Review + create**.
112
-
15. Azure will now validate the configuration values you've entered. You should see a message indicating that your values have passed validation.
113
+
1. Select **Review + create**.
114
+
1. Azure will now validate the configuration values you've entered. You should see a message indicating that your values have passed validation.
113
115
114
116
:::image type="content" source="media/create-a-site/create-site-validation.png" alt-text="Screenshot of the Azure portal showing successful validation of configuration values for a site resource.":::
115
117
116
118
If the validation fails, you'll see an error message and the **Configuration** tab(s) containing the invalid configuration will be flagged with red X icons. Select the flagged tab(s) and use the error messages to correct invalid configuration before returning to the **Review + create** tab.
117
119
118
-
16. Once your configuration has been validated, you can select **Create** to create the site. The Azure portal will display the following confirmation screen when the site has been created.
120
+
1. Once your configuration has been validated, you can select **Create** to create the site. The Azure portal will display the following confirmation screen when the site has been created.
119
121
120
122
:::image type="content" source="media/site-deployment-complete.png" alt-text="Screenshot of the Azure portal showing the confirmation of a successful deployment of a site.":::
121
123
122
-
17. Select **Go to resource group**, and confirm that it contains the following new resources:
124
+
1. Select **Go to resource group**, and confirm that it contains the following new resources:
123
125
124
126
- A **Mobile Network Site** resource representing the site as a whole.
125
127
- A **Packet Core Control Plane** resource representing the control plane function of the packet core instance in the site.
@@ -129,7 +131,7 @@ If you decided not to configure diagnostics packet collection or use a user assi
129
131
130
132
:::image type="content" source="media/create-a-site/site-related-resources.png" alt-text="Screenshot of the Azure portal showing a resource group containing a site and its related resources." lightbox="media/create-a-site/site-related-resources.png":::
131
133
132
-
18. If you want to assign additional packet cores to the site, for each new packet core resource see [Create additional Packet Core instances for a site using the Azure portal](create-additional-packet-core.md).
134
+
1. If you want to assign additional packet cores to the site, for each new packet core resource see [Create additional Packet Core instances for a site using the Azure portal](create-additional-packet-core.md).