Cisco Cisco Packet Data Gateway (PDG)
Evolved Packet Data Gateway Overview
▀ Features and Functionality
▄ ePDG Administration Guide, StarOS Release 18
8. HSS → AAA server: SAA. The HSS sends Server-Assignment-Answer (Session-Id, Result-Code, Experimental-Result (Vendor-Id, Experimental-Result-Code), Non-3GPP-User-Data {Subscription-ID (END_USER_E164, MSISDN), Non-3GPP-IP-Access (NON_3GPP_SUBSCRIPTION_ALLOWED), Non-3GPP-IP-Access-APN (Non_3GPP_APNS_ENABLE), APN-Configuration, ANID (WLAN)}, APN-OI-Replacement, APN-Configuration})
9. AAA server → ePDG: AA-Answer. The 3GPP AAA Server responds with AAA (Session-Id, Auth-Application-Id, Auth-Request-Type, Origin-Host, Origin-Realm, Result-Code, User-Name, APN-Configuration, 3GPP-Charging-Characteristics, Subscription-ID)
10. ePDG → DNS server: DNS (NAPTR/AAAA) query. The ePDG sends a DNS query to the DNS server with the APN/PGW FQDN for PGW resolution.
11. DNS server → ePDG: DNS query response. The DNS server returns the PGW address to the ePDG as part of the DNS AAAA/A response.
12. ePDG → PGW: S2b Create Session Req. The ePDG selects the PGW based on the DNS mechanism using the APN/PGW FQDN. The ePDG sends Create Session Request (IMSI, [MSISDN], Serving Network, RAT Type (WLAN), Indication Flags, Sender F-TEID for C-plane, APN, Selection Mode, PAA, APN-AMBR, [APCO], Bearer Contexts(), [Recovery], [Private IE (P-CSCF)]). Selection Mode shall be set to "MS or network provided APN subscribed verified". Private IE is populated if the UE requests P-CSCF addresses. The PGW performs the necessary interactions with 3GPP-AAA, PCRF and OCS/OFCS.
13. PGW → ePDG: Create Session Resp. The PGW allocates the requested IP address session and responds back to the ePDG with a Create Session Response (Cause, PGW S2b F-TEID, PAA, [APN-AMBR], [APCO], Bearer Contexts Created (EPS Bearer ID, Cause, [TFT], S2b-U PGW F-TEID, Bearer Level QoS), [Recovery], [Private IE (P-CSCF)]) message.
14. ePDG → UE: IKEv2 AUTH_RESP. The ePDG sends IKE_AUTH_RESP (AUTH, IDr, [CERT (X509 CERTIFICATE SIGNATURE)], CP, SA, CFG_REPLY ([INTERNAL_IP4_ADDRESS], [INTERNAL_IP4_NETMASK], [INTERNAL_IP4_DNS], INTERNAL_IP6_ADDRESS, INTERNAL_IP6_SUBNET, INTERNAL_IP6_DNS, [P-CSCF]), TSi, TSr)
15. ePDG → UE: IPv6 RA. The assumption is that the IP stack needs the RA to initialize the address.
EAP-MSCHAPv2/EAP-TLS/EAP-TTLS Based Support For NON UICC Devices
Currently the 3GPP standard provides a mechanism for UICC (SIM-based) devices to connect to the EPC via non-3GPP access, enabling them for voice and video services over WiFi. However, many non-UICC devices such as iPads, tablets and laptops do not have a defined 3GPP standard mechanism for connecting over WLAN to the EPC via the ePDG. These devices can use the same LTE subscription as the UICC device, but do not have the potential to utilize CSPs and monetize voice and video offerings by extending the same to non-UICC devices.
EAP-AKA is the mechanism defined in the 3GPP standards for authenticating and authorizing mobile devices using the AAA server. Non-UICC devices cannot support EAP-AKA.
For non-UICC devices no IMSI is present, so the IMSI mentioned in the flows below is a vIMSI, which can be either an alphanumeric type (limited to 24 characters) or a decimal-digit IMSI. When an alphanumeric vIMSI is used, the AAA server is expected to provide a decimal-digit IMSI to the ePDG for the S2b interface as part of the mobile-node-identifier AVP.
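One way to enforce the vIMSI rule above at the point where the AA-Answer is consumed, as an added example (not code from the Cisco guide or from StarOS). The dict-shaped AA-Answer, the function names and the assumption that the Mobile-Node-Identifier value is either bare digits or `<digits>@<realm>` are illustrative.

```python
import re

MAX_VIMSI_LEN = 24                     # alphanumeric vIMSI limit stated in the text
IMSI_RE = re.compile(r"[0-9]{6,15}")   # E.212 caps an IMSI at 15 digits; the lower bound is an assumption
ALNUM_RE = re.compile(r"[A-Za-z0-9]+")


def classify_vimsi(vimsi: str) -> str:
    """Return 'decimal' or 'alphanumeric'; raise ValueError for anything else."""
    if IMSI_RE.fullmatch(vimsi):
        return "decimal"
    if len(vimsi) <= MAX_VIMSI_LEN and ALNUM_RE.fullmatch(vimsi):
        return "alphanumeric"
    raise ValueError("vIMSI must be a decimal IMSI or alphanumeric, at most 24 characters")


def imsi_from_mn_id(mn_id: str) -> str:
    """Extract the decimal IMSI carried in a Mobile-Node-Identifier value.

    Assumption: the value is either bare digits or '<digits>@<realm>'.
    """
    user = mn_id.split("@", 1)[0]
    if not IMSI_RE.fullmatch(user):
        raise ValueError("Mobile-Node-Identifier does not carry a decimal-digit IMSI")
    return user


def imsi_for_s2b(vimsi: str, aa_answer: dict) -> str:
    """Pick the IMSI to place in the S2b Create Session Request."""
    kind = classify_vimsi(vimsi)
    mn_id = aa_answer.get("Mobile-Node-Identifier")
    if mn_id is not None:
        # The AAA-provided value is validated, never trusted blindly.
        return imsi_from_mn_id(mn_id)
    if kind == "decimal":
        return vimsi  # assumption: a decimal vIMSI is usable as-is when the AAA sends none
    raise ValueError("alphanumeric vIMSI but the AAA server supplied no decimal IMSI")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    answer = {"Mobile-Node-Identifier": "310150123456789@realm.example"}
    print(imsi_for_s2b("tablet01user", answer))
```

Rejecting the session when an alphanumeric vIMSI arrives without a decimal IMSI from the AAA server keeps a non-numeric identity from reaching the S2b Create Session Request.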
The following authentication mechanisms can be used with the ePDG acting in EAP pass-through mode to support non-UICC devices:
EAP-MSCHAPv2
Single phase
Use MSCHAPv2 inside EAP
Challenge/Response based mechanism
Reference - http://tools.ietf.org/id/draft-kamath-pppext-eap-mschapv2-01.txt and RFC 3079