Cisco Cisco Packet Data Gateway (PDG) Documentation Roadmaps
Packet Data Interworking Function Overview
▀ Features and Functionality - Licensed Enhanced Feature Support
▄ Cisco ASR 5000 Series Product Overview
OL-22937-01
The two algorithms for second-phase authentication are EAP-MD5 (which is the same as CHAP authentication) and
EAP-GTC (which is the same as PAP authentication). When the MS sends the NAI to identify the subscriber, the PDIF
initiates the EAP-Request with a challenge. Once the MS returns the challenge response, the PDIF maps it to a RADIUS
ACCESS_REQUEST message to complete CHAP authentication. There is an internal mechanism to inform each peer if
one method is not supported and to renegotiate to use the other supported method.
EAP-GTC (which is the same as PAP authentication). When the MS sends the NAI to identify the subscriber, the PDIF
initiates the EAP-Request with a challenge. Once the MS returns the challenge response, the PDIF maps it to a RADIUS
ACCESS_REQUEST message to complete CHAP authentication. There is an internal mechanism to inform each peer if
one method is not supported and to renegotiate to use the other supported method.
In general, session attributes during first-phase authentication are overwritten by those from second-phase
authentication, unless specified separately. Exceptions to this include
authentication, unless specified separately. Exceptions to this include
and
,
when the lower values are taken.
Termination
During session setup, if there are any configuration mismatches or the PDIF cannot get the required information, the
session setup process is terminated and appropriate log messages are generated.
session setup process is terminated and appropriate log messages are generated.
If
is not enabled on the PDIF, and the MS still sends a
MULTIPLE_AUTH_SUPPORTED Notify payload marked with the critical bit set, the PDIF returns
UNSUPPORTED_PAYLOAD. Otherwise, the PDIF ignores it and processes the IKE packet as if the payload was
never received. This is non-standard MS behavior.
UNSUPPORTED_PAYLOAD. Otherwise, the PDIF ignores it and processes the IKE packet as if the payload was
never received. This is non-standard MS behavior.
Important:
The multiple authentication process in a proxy mobile IP network is described in Proxy-MIP in the
System Enhanced Features Guide.
Session Recovery
The session recovery feature provides reconstruction of subscriber session information in the event of a hardware or
software fault within the system, providing seamless failover andpreventing a fully connected user session from being
dropped.
software fault within the system, providing seamless failover andpreventing a fully connected user session from being
dropped.
In addition to maintaining call state information, information is retained in order to:
Recover IPSec manager policies, all template maps, and all subscriber maps.
Use the policies (including templates) to recover CHILD SA tunnels, flow IDs, andstatistics.
Recover or reconfigure NPU flow IDs and data path handles.
Recover and restore the IKEv2 stack state for all tunnels.
Supply the IKEv2 stack with needed data statistics to determine rekey and DPD states.
Recover Diameter session information.
Recovery requires a complex interaction between IPSec and session subsystems. The IPSec subsystem also interacts
with a Datapath that includes daughter cards, daughter card managers, and the NPU. The session recovery feature is
disabled by default on the system, even when the feature use key is present.
with a Datapath that includes daughter cards, daughter card managers, and the NPU. The session recovery feature is
disabled by default on the system, even when the feature use key is present.