Cisco Cisco Packet Data Gateway (PDG)
Evolved Packet Data Gateway Overview
Features and Functionality ▀
ePDG Administration Guide, StarOS Release 18 ▄
55
19. UE → ePDG: IKEv2 AUTH_REQ The UE sends IKE_AUTH Request (EAP) with no data. Upon receipt of the
MS-CHAP2-Success AVP, the UE is able to authenticate the AAA. If the authentication succeeds, the UE
sends an EAP-TTLS packet to the TTLS server containing no data (that is, with a zero-length Data field). Upon
receipt of the empty EAP-TTLS packet from the client, the TTLS server considers the MS-CHAP-V2
authentication to have succeeded.
sends an EAP-TTLS packet to the TTLS server containing no data (that is, with a zero-length Data field). Upon
receipt of the empty EAP-TTLS packet from the client, the TTLS server considers the MS-CHAP-V2
authentication to have succeeded.
20. ePDG → AAA server :DER The ePDG sends the DER (Session-Id, Auth-Application-Id, Origin-Host,Origin-
Realm, Destination-Host, Destination-Realm, Auth-Request-Type(AUTHORIZE_AUTHENTICATE), EAP-
Payload) message to the 3GPP AAA Server. The EAP-Payload shall contain the message as sent by UE.
Payload) message to the 3GPP AAA Server. The EAP-Payload shall contain the message as sent by UE.
21. AAA server → ePDG: DEA The 3GPP AAA Server sends an EAP success (Session-Id, Auth-Application-Id:
16777264, Result-Code, Origin-Host, Origin-Realm, Auth-Request-Type(AUTHORIZE_AUTHENTICATE),
EAP-Payload User-Name(0<IMSI>@mnc<mnc val>.mcc<mcc val>.pub.3gppnetwork.org), EAP-Master-
Session-Key, APN-Configuration (Context-Identifier, PDN-Type: IPv4v6, Service-Selection (apn name),
MIP6-Agent-Info), Auth-Session-State:STATE_MAINTAINED, Origin-State-Id). At this point mutual
authentication is done and device is authorized by AAA server.
EAP-Payload User-Name(0<IMSI>@mnc<mnc val>.mcc<mcc val>.pub.3gppnetwork.org), EAP-Master-
Session-Key, APN-Configuration (Context-Identifier, PDN-Type: IPv4v6, Service-Selection (apn name),
MIP6-Agent-Info), Auth-Session-State:STATE_MAINTAINED, Origin-State-Id). At this point mutual
authentication is done and device is authorized by AAA server.
22. ePDG → UE: IKEv2 AUTH_RESP ePDG sends IKE_AUTH_RESP (EAP Payload) The EAP payload shall
contain the TLS message as received from the AAA server.
23. UE → ePDG: IKEv2 AUTH_REQ UE sends IKE_AUTH request (AUTH) The UE takes its own copy of the
MSK asinput to generate the AUTH parameter to authenticate the first IKE_SA_INITmessage.
24. ePDG → PGW: S2b Create Session Req ePDG sends Create Session Request (IMSI, [MSISDN],Serving
Network, RAT Type (WLAN), Indication Flags, Sender F-TEID for C-plane, APN, Selection Mode, PAA,
APN-AMBR, [APCO], Bearer Contexts(), [Recovery], [Private IE (P-CSCF)]). Selection Mode shall be set to
"MS or network provided APN subscribed verified". The PGW performs the necessary interactions with 3GPP-
AAA, PCRF and OCS/OFCS. ePDG shall set the HO in Indication flags IE and also the preserved IP address
as received from UE in PAA IE.
APN-AMBR, [APCO], Bearer Contexts(), [Recovery], [Private IE (P-CSCF)]). Selection Mode shall be set to
"MS or network provided APN subscribed verified". The PGW performs the necessary interactions with 3GPP-
AAA, PCRF and OCS/OFCS. ePDG shall set the HO in Indication flags IE and also the preserved IP address
as received from UE in PAA IE.
25. PGW → ePDG: Create Session Resp The PGW allocates the requested IP address session and responds back to
the ePDG with a Create Session Response (Cause, PGW S2b F-TEID, PAA, [APN-AMBR],APCO, Bearer
Contexts Created (EPS Bearer ID, Cause, [TFT], S2b-U PGW F-TEID, Bearer Level QoS), [Recovery],
[Private IE (P-CSCF)]) message.
Contexts Created (EPS Bearer ID, Cause, [TFT], S2b-U PGW F-TEID, Bearer Level QoS), [Recovery],
[Private IE (P-CSCF)]) message.
26. ePDG → UE: IKEv2 AUTH_RESP ePDG sends IKE_AUTH_RESP (AUTH, CP, SA,
CFG_REPLY([INTERNAL_IP4_ADDRESS], [INTERNAL_IP4_NETMASK],[INTERNAL_IP4_DNS],
INTERNAL_IP6_ADDRESS,INTERNAL_IP6_SUBNET, INTERNAL_IP6_DNS, [P-CSCF]) TSi, TSr) At
this stage the ePDG has completed the ipsec SA and tunnel setup and also GTP-U tunnel setup thus completing
the data path. The IP address provided by PGW is communicated to UE.
INTERNAL_IP6_ADDRESS,INTERNAL_IP6_SUBNET, INTERNAL_IP6_DNS, [P-CSCF]) TSi, TSr) At
this stage the ePDG has completed the ipsec SA and tunnel setup and also GTP-U tunnel setup thus completing
the data path. The IP address provided by PGW is communicated to UE.
27. ePDG → UE: IPv6 RA The assumption is that the IP stack needs the RA to initialize the address.
Emergency APN Support on ePDG
To support VoWiFi calls on ePDG should support emergency APN session. For areas where the LTE coverage is less or
absent then the user shall utilize the WiFi to be able to perform the emergency session via ePDG.
absent then the user shall utilize the WiFi to be able to perform the emergency session via ePDG.
In release 17.1 ePDG shall be handling the emergency sessions for authenticated UICC UEs. The un-authenticated and
non UICC UEs is out of scope of this release 17.1. A new ePDG-APN bulkstats schema is added for capturing the APN
level ePDG service statistics which shall be useful for emergency APN related statistics capture..
non UICC UEs is out of scope of this release 17.1. A new ePDG-APN bulkstats schema is added for capturing the APN
level ePDG service statistics which shall be useful for emergency APN related statistics capture..
Emergency APN Support Use Cases
S.No Use Case
Expected Behavior
1.
ePDG receives the emergency session with UE indicating the
emergency APN connectivity request for UE whose profile is present
at AAA/HSS.
emergency APN connectivity request for UE whose profile is present
at AAA/HSS.
Call should be successfully established.