Cisco Cisco ASR 5000
Description
Step
The HA sends a Proxy Mobile IP De-Registration Response message to the FA terminating the R3
interface
interface
18
The ASN GW/FA and the BS terminate the R6 session.
19
The HA and the AAA server stop accounting for the session.
20
The ASN GW and the AAA server stop accounting for the session.
21
How Proxy Mobile IP Works in a WiFi Network with Multiple
Authentication
Authentication
Proxy-Mobile IP was developed as a result of networks of Mobile Subscribers (MS) that are not capable of
Mobile IP operation. In this scenario a PDIF acts a mobile IP client and thus implements Proxy-MIP support.
Mobile IP operation. In this scenario a PDIF acts a mobile IP client and thus implements Proxy-MIP support.
Although not required or necessary in a Proxy-MIP network, this implementation uses a technique called
Multiple Authentication. In Multi-Auth arrangements, the device is authenticated first using HSS servers.
Once the device is authenticated, then the subscriber is authenticated over a RADIUS interface to AAA servers.
This supports existing EV-DO servers in the network.
Multiple Authentication. In Multi-Auth arrangements, the device is authenticated first using HSS servers.
Once the device is authenticated, then the subscriber is authenticated over a RADIUS interface to AAA servers.
This supports existing EV-DO servers in the network.
The MS first tries to establish an IKEv2 session with the PDIF. The MS uses the EAP-AKA authentication
method for the initial device authentication using Diameter over SCTP over IPv6 to communicate with HSS
servers. After the initial Diameter EAP authentication, the MS continues with EAP MD5/GTC authentication.
method for the initial device authentication using Diameter over SCTP over IPv6 to communicate with HSS
servers. After the initial Diameter EAP authentication, the MS continues with EAP MD5/GTC authentication.
After successful device authentication, PDIF then uses RADIUS to communicate with AAA servers for the
subscriber authentication. It is assumed that RADIUS AAA servers do not use EAP methods and hence
RADIUS messages do not contain any EAP attributes.
subscriber authentication. It is assumed that RADIUS AAA servers do not use EAP methods and hence
RADIUS messages do not contain any EAP attributes.
Assuming a successful RADIUS authentication, PDIF then sets up the IPSec Child SA tunnel using a Tunnel
Inner Address (TIA) for passing control traffic only. PDIF receives the MS address from the Home Agent,
and passes it on to the MS through the final AUTH response in the IKEv2 exchange.
Inner Address (TIA) for passing control traffic only. PDIF receives the MS address from the Home Agent,
and passes it on to the MS through the final AUTH response in the IKEv2 exchange.
When IPSec negotiation finishes, the PDIF assigns a home address to the MS and establishes a CHILD SA
to pass data. The initial TIA tunnel is torn down and the IP address returned to the address pool.The PDIF
then generates a RADIUS accounting START message.
to pass data. The initial TIA tunnel is torn down and the IP address returned to the address pool.The PDIF
then generates a RADIUS accounting START message.
When the session is disconnected, the PDIF generates a RADIUS accounting STOP message.
HSGW Administration Guide, StarOS Release 19
109
Proxy-Mobile IP
How Proxy Mobile IP Works in a WiFi Network with Multiple Authentication