Cisco Cisco Packet Data Gateway (PDG)
SaMOG Gateway Overview
▀ SaMOG Services
▄ SaMOG Administration Guide, StarOS Release 17
16
As per RFC 29.273, UEs without an IMSI are not authorized via the STa Interface. If the Emergency NAI includes an
IMEI or MAC username format, the authentication request will be rejected.
IMEI or MAC username format, the authentication request will be rejected.
EAP Identity of Fast Reauthentication NAI Formats—MRME
Where the AAA server supports fast reauthentication, the AAA server assigns an identity to the subscriber which is used
by the subscriber's UE to initiate a reattach or reauthentication. This authentication method is faster than the full
reauthentication method as the AAA server and UE use the authentication key from a previous full authentication. The
UE sends the assigned fast reauthentication NAI for subsequent authentication attempts, and the AAA server looks up
the mapping between the fast reauthentication NAI and the identity of the subscriber.
by the subscriber's UE to initiate a reattach or reauthentication. This authentication method is faster than the full
reauthentication method as the AAA server and UE use the authentication key from a previous full authentication. The
UE sends the assigned fast reauthentication NAI for subsequent authentication attempts, and the AAA server looks up
the mapping between the fast reauthentication NAI and the identity of the subscriber.
The SaMOG gateway supports the use of the EAP identity of the Fast Reauthentication NAI in the following normal
and decorated formats:
and decorated formats:
Normal: <prefix+fast-reauth-id>@nai.epc.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org
Decorated: nai.epc.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!<prefix+fast-reauth-
id>@nai.epc.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org
id>@nai.epc.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org
Important:
Currently, SaMOG does not support multi-PLMN. If the PLMN ID of a UE changes during a re-
attach procedure, the User-Name changes from root to decorated NAI format or vice versa. The SaMOG service simply
logs the event and continutes with the session setup. The IPSG manager is updated with the permanent NAI (root
format) and sent to the WLC to be included in the PBU for the PMIPv6 session. If the WLC does not use the NAI
format in the PBU, call setup fails as the PBU is rejected. To avoid the change from root to decorated NAI or vice versa,
specify a serving PLMN ID with an IMSI range. When a serving PLMN ID changes, the existing call is taken down and
a re-attach procedure occurs.
logs the event and continutes with the session setup. The IPSG manager is updated with the permanent NAI (root
format) and sent to the WLC to be included in the PBU for the PMIPv6 session. If the WLC does not use the NAI
format in the PBU, call setup fails as the PBU is rejected. To avoid the change from root to decorated NAI or vice versa,
specify a serving PLMN ID with an IMSI range. When a serving PLMN ID changes, the existing call is taken down and
a re-attach procedure occurs.
The fast-reauth-id part of the Fast Reauthentication NAI complies with 3GPP 23.003 standards.
The following are examples of a typical NAI:
For EAP AKA authentication: 4<fast-reauth-
id>@nai.epc.mnc<homeMNC>.mnc<homeMCC>.3gppnetwork.org
nai.epc.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!4<fast-reauth-
id>@nai.epc.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org
id>@nai.epc.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org
For SIM authentication: 5<fast-reauth-id>@nai.epc.mnc<homeMNC>.mnc<homeMCC>.3gppnetwork.org
nai.epc.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!5<fast-reauth-
id>@nai.epc.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org
id>@nai.epc.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org
For EAP AKA’ authentication: 8<fast-reauth-
id>@nai.epc.mnc<homeMNC>.mnc<homeMCC>.3gppnetwork.org
nai.epc.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!8<fast-reauth-
id>@nai.epc.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org
id>@nai.epc.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org
EAP Identity of Pseudonym NAI Formats—MRME
The pseudonym NAI is a temporary identity provided to a user by the AAA server that the subscriber uses while
connecting to the network. This enables the subscriber to connect and authenticate without revealing their IMSI
information on the network. The AAA server maintains a mapping between the real identity and the pseudonym NAI of
the subscriber, and uses the mapping to identify the subscriber.
connecting to the network. This enables the subscriber to connect and authenticate without revealing their IMSI
information on the network. The AAA server maintains a mapping between the real identity and the pseudonym NAI of
the subscriber, and uses the mapping to identify the subscriber.
The SaMOG gateway supports the use of the EAP identity of the Pseudonym NAI in the following normal and
decorated formats:
decorated formats: