Cisco Cisco Packet Data Gateway (PDG) Documentation Roadmaps
ASN Gateway Overview
▀ Supported Features
▄ Cisco ASR 5000 Series Product Overview
OL-22938-01
CoA). One case is for the initial connection establishment in which the home agent or H-AAA server assigns an IP
address and generates the mobility binding. Another is when the mobile subscriber roams across cell sites or ASNs and
attaches to a target ASN Gateway.
address and generates the mobility binding. Another is when the mobile subscriber roams across cell sites or ASNs and
attaches to a target ASN Gateway.
Client Mobile IPv4 (CMIPv4)
CMIPv4 provides mobility procedures for mobile IP-capable access devices. In contrast to PMIPv4, where stateful
DHCP proxy signaling triggers R3 signaling between the ASN Gateway and the home agent, CMIPv4 uses agent
advertisement between the foreign agent component in the ASN Gateway and mobile IP client on subscriber access
device. Mobile IP signaling occurs directly between the access device and the anchor foreign agent component in the
ASN Gateway.
DHCP proxy signaling triggers R3 signaling between the ASN Gateway and the home agent, CMIPv4 uses agent
advertisement between the foreign agent component in the ASN Gateway and mobile IP client on subscriber access
device. Mobile IP signaling occurs directly between the access device and the anchor foreign agent component in the
ASN Gateway.
Authenticator
The authenticator function in the ASN Gateway acts as an anchored authenticator for a subscriber for the duration of the
session. For example, as a subscriber moves between base stations served by the ASN Gateway, the authenticator
anchor remains stationary. If a subscriber moves to a base station served by a different ASN Gateway, the anchor
authenticator is hosted at that ASN Gateway. If the R4 interface is not supported between both gateways, only the
subscriber needs to be re-authenticated.
session. For example, as a subscriber moves between base stations served by the ASN Gateway, the authenticator
anchor remains stationary. If a subscriber moves to a base station served by a different ASN Gateway, the anchor
authenticator is hosted at that ASN Gateway. If the R4 interface is not supported between both gateways, only the
subscriber needs to be re-authenticated.
The RADIUS client for authentication and accounting is collocated with the authenticator function. The ASN Gateway
acts as an EAP relay and is agnostic to the EAP method. EAP transport between the ASN Gateway and the base station
is performed as a control exchange. The base station functions as an EAP relay, converting Pair-wise Master Key
version 2 (PKMv2) to the EAP messages for the ASN Gateway. The ASN Gateway works in pass-through mode and
any EAP method that generates keys, such as MSK or EMSK, is supported in the system.
acts as an EAP relay and is agnostic to the EAP method. EAP transport between the ASN Gateway and the base station
is performed as a control exchange. The base station functions as an EAP relay, converting Pair-wise Master Key
version 2 (PKMv2) to the EAP messages for the ASN Gateway. The ASN Gateway works in pass-through mode and
any EAP method that generates keys, such as MSK or EMSK, is supported in the system.
PKMv2 performs over-the-air user authentication. PKMv2 transfers EAP over the IEEE 802.16 air interface between
the MS and the base station. The base station relays the EAP messages to the authenticator in the ASN Gateway. The
AAA client on the authenticator encapsulates the EAP message in AAA protocol packets, and forwards them through
one or more AAA proxies to the AAA server in the CSN of the home NSP. In roaming scenarios, one or more AAA
brokers with AAA proxies may exist between the authenticator and the AAA server. AAA sessions always exist
between the Authenticator and AAA server, with optional AAA brokers providing a conduit for NAI realm-based
routing.
the MS and the base station. The base station relays the EAP messages to the authenticator in the ASN Gateway. The
AAA client on the authenticator encapsulates the EAP message in AAA protocol packets, and forwards them through
one or more AAA proxies to the AAA server in the CSN of the home NSP. In roaming scenarios, one or more AAA
brokers with AAA proxies may exist between the authenticator and the AAA server. AAA sessions always exist
between the Authenticator and AAA server, with optional AAA brokers providing a conduit for NAI realm-based
routing.
EAP Authentication Methods
WiMAX networks use Ethernet as the L2 protocol for network access authentication. The Extensible Authentication
Protocol (EAP) provides the network authorization function. The ASN Gateway represents the EAP authenticator and
supports a transparent relay point between the EAP client on the subscriber access device and EAP server on the AAA.
The ASN Gateway triggers an EAP-identity request to the subscriber device. The subscriber device responds with an
EAP-identity response. It subsequently unpacks EAP messages over the R6 interface and transfers them via RADIUS or
Diameter signaling to the AAA server.
Protocol (EAP) provides the network authorization function. The ASN Gateway represents the EAP authenticator and
supports a transparent relay point between the EAP client on the subscriber access device and EAP server on the AAA.
The ASN Gateway triggers an EAP-identity request to the subscriber device. The subscriber device responds with an
EAP-identity response. It subsequently unpacks EAP messages over the R6 interface and transfers them via RADIUS or
Diameter signaling to the AAA server.
EAP authentication provide multiple authentication methods that can be tailored to the operator‘s preference toward
user-level, device-level, or user- and device-level network authorization. At the H-AAA server in Home Network
user-level, device-level, or user- and device-level network authorization. At the H-AAA server in Home Network