Cisco Cisco ASR 5000
Description
Step
PDIF processes the AUTH request and responds with the IKE_AUTH Response with the AUTH
payload computed from the MSK. PDIF does not assign any IP address for the MS pending
second authentication. Nor will the PDIF include any configuration payloads.
payload computed from the MSK. PDIF does not assign any IP address for the MS pending
second authentication. Nor will the PDIF include any configuration payloads.
a. If PDIF service does not support Multiple-Authentication and ANOTHER_AUTH_FOLLOWS
Notify payload is received, then PDIF sends IKE_AUTH Response with appropriate error and
terminate the IKEv2 session by sending INFORMATIONAL (Delete) Request.b. If
ANOTHER_AUTH_FOLLOWS Notify payload is not present in the IKE_AUTH Request,
PDIF allocates the IP address from the locally configured pools. However, if proxy-mip-required
is enabled, then PDIF initiates Proxy-MIP setup to HA by sending P-MIP RRQ. When PDIF
receives the Proxy-MIP RRP, it takes the Home Address (and DNS addresses if any) and sends
the IKE_AUTH Response back to MS by including CP payload with Home Address and DNS
addresses. In either case, IKEv2 setup will finish at this stage and IPSec tunnel gets established
with a Tunnel Inner Address (TIA).
Notify payload is received, then PDIF sends IKE_AUTH Response with appropriate error and
terminate the IKEv2 session by sending INFORMATIONAL (Delete) Request.b. If
ANOTHER_AUTH_FOLLOWS Notify payload is not present in the IKE_AUTH Request,
PDIF allocates the IP address from the locally configured pools. However, if proxy-mip-required
is enabled, then PDIF initiates Proxy-MIP setup to HA by sending P-MIP RRQ. When PDIF
receives the Proxy-MIP RRP, it takes the Home Address (and DNS addresses if any) and sends
the IKE_AUTH Response back to MS by including CP payload with Home Address and DNS
addresses. In either case, IKEv2 setup will finish at this stage and IPSec tunnel gets established
with a Tunnel Inner Address (TIA).
12
MS does the second authentication by sending the IKE_AUTH Request with IDi payload to
include the NAI. This NAI may be completely different from the NAI used in the first
authentication.
include the NAI. This NAI may be completely different from the NAI used in the first
authentication.
13
On receiving the second authentication IKE_AUTH Request, PDIF checks the configured second
authentication methods. The second authentication may be either EAP-MD5 (default) or
EAP-GTC. The EAP methods may be either EAP-Passthru or EAP-Terminated.
authentication methods. The second authentication may be either EAP-MD5 (default) or
EAP-GTC. The EAP methods may be either EAP-Passthru or EAP-Terminated.
a. If the configured method is EAP-MD5, PDIF sends the IKE_AUTH Response with EAP
payload including challenge.b. If the configured method is EAP-GTC, PDIF sends the
IKE_AUTH Response with EAP-GTC.c. MS processes the IKE_AUTH Response:
payload including challenge.b. If the configured method is EAP-GTC, PDIF sends the
IKE_AUTH Response with EAP-GTC.c. MS processes the IKE_AUTH Response:
• If the MS supports EAP-MD5, and the received method is EAP-MD5, then the MS will
take the challenge, compute the response and send IKE_AUTH Request with EAP payload
including Challenge and Response.
including Challenge and Response.
• If the MS does not support EAP-MD5, but EAP-GTC, and the received method is
EAP-MD5, the MS sends legacy-Nak with EAP-GTC.
14
PDIF receives the new IKE_AUTH Request from MS.
If the original method was EAP-MD5 and MD5 challenge and response is received, PDIF sends
RADIUS Access Request with corresponding attributes (Challenge, Challenge Response, NAI,
IMSI etc.).
RADIUS Access Request with corresponding attributes (Challenge, Challenge Response, NAI,
IMSI etc.).
15(a)
If the original method was EAP-MD5 and legacy-Nak was received with GTC, the PDIF sends
IKE_AUTH Response with EAP-GTC.
IKE_AUTH Response with EAP-GTC.
15(b)
PDIF receives Access Accept from RADIUS and sends IKE_AUTH Response with EAP success.
16
PDIF receives the final IKE_AUTH Request with AUTH payload.
17
PDIF checks the validity of the AUTH payload and initiates Proxy-MIP setup request to the
Home Agent if proxy-mip-required is enabled. The HA address may be received from the
RADIUS server in the Access Accept (Step 16) or may be locally configured. PDIF may also
remember the HA address from the first authentication received in the final DEA message.
Home Agent if proxy-mip-required is enabled. The HA address may be received from the
RADIUS server in the Access Accept (Step 16) or may be locally configured. PDIF may also
remember the HA address from the first authentication received in the final DEA message.
18
HSGW Administration Guide, StarOS Release 19
112
Proxy-Mobile IP
How Proxy Mobile IP Works in a WiFi Network with Multiple Authentication