Cisco Cisco ASR 5000
Description
Step
MS sets up IKEv2/IPSec tunnel by sending IKE_SA_INIT Request to PDIF. MS includes SA,
KE, Ni, NAT-DETECTION Notify payloads in the IKEv2 exchange.
KE, Ni, NAT-DETECTION Notify payloads in the IKEv2 exchange.
3
PDIF processes the IKE_SA_INIT Request for the appropriate PDIF service (bound by the
destination IP address in the IKEv2 INIT request). PDIF responds with IKE_SA_INIT Response
with SA, KE, Nr payloads and NAT-Detection Notify payloads. If multiple-authentication
support is configured to be enabled in the PDIF service, PDIF will include
MULTIPLE_AUTH_SUPPORTED Notify payload in the IKE_SA_INIT Response. PDIF will
start the IKEv2 setup timer after sending the IKE_SA_INIT Response.
destination IP address in the IKEv2 INIT request). PDIF responds with IKE_SA_INIT Response
with SA, KE, Nr payloads and NAT-Detection Notify payloads. If multiple-authentication
support is configured to be enabled in the PDIF service, PDIF will include
MULTIPLE_AUTH_SUPPORTED Notify payload in the IKE_SA_INIT Response. PDIF will
start the IKEv2 setup timer after sending the IKE_SA_INIT Response.
4
On receiving successful IKE_SA_INIT Response from PDIF, MS sends IKE_ AUTH Request
for the first EAP-AKA authentication. If the MS is capable of doing multiple-authentication, it
will include MULTI_AUTH_SUPPORTED Notify payload in the IKE_AUTH Request. MS
also includes IDi payload which contains the NAI, SA, TSi, TSr, CP (requesting IP address and
DNS address) payloads. MS will not include AUTH payload to indicate that it will use EAP
methods.
for the first EAP-AKA authentication. If the MS is capable of doing multiple-authentication, it
will include MULTI_AUTH_SUPPORTED Notify payload in the IKE_AUTH Request. MS
also includes IDi payload which contains the NAI, SA, TSi, TSr, CP (requesting IP address and
DNS address) payloads. MS will not include AUTH payload to indicate that it will use EAP
methods.
5
On receiving IKE_AUTH Request from MS, PDIF sends DER message to Diameter AAA
server. AAA servers are selected based on domain profile, default subscriber template or default
domain configurations. PDIF includes Multiple-Auth-Support AVP, EAP-Payload AVP with
EAP-Response/Identity in the DER. Exact details are explained in the Diameter message sections.
PDIF starts the session setup timer on receiving IKE_AUTH Request from MS.
server. AAA servers are selected based on domain profile, default subscriber template or default
domain configurations. PDIF includes Multiple-Auth-Support AVP, EAP-Payload AVP with
EAP-Response/Identity in the DER. Exact details are explained in the Diameter message sections.
PDIF starts the session setup timer on receiving IKE_AUTH Request from MS.
6
PDIF receives DEA with Result-Code AVP specifying to continue EAP authentication. PDIF
takes EAP-Payload AVP contents and sends IKE_ AUTH Response back to MS in the EAP
payload. PDIF allows IDr and CERT configurations in the PDIF service and optionally includes
IDr and CERT payloads (depending upon the configuration). PDIF optionally includes AUTH
payload in IKE_AUTH Response if PDIF service is configured to do so.
takes EAP-Payload AVP contents and sends IKE_ AUTH Response back to MS in the EAP
payload. PDIF allows IDr and CERT configurations in the PDIF service and optionally includes
IDr and CERT payloads (depending upon the configuration). PDIF optionally includes AUTH
payload in IKE_AUTH Response if PDIF service is configured to do so.
7
MS receives the IKE_AUTH Response from PDIF. MS processes the exchange and sends a
new IKE_AUTH Request with EAP payload. PDIF receives the new IKE_AUTH Request from
MS and sends DER to AAA server. This DER message contains the EAP-Payload AVP with
EAP-AKA challenge response and challenge received from MS.
new IKE_AUTH Request with EAP payload. PDIF receives the new IKE_AUTH Request from
MS and sends DER to AAA server. This DER message contains the EAP-Payload AVP with
EAP-AKA challenge response and challenge received from MS.
8
The AAA server sends the DEA back to the PDIF with Result-Code AVP as "success." The
EAP-Payload AVP message also contains the EAP result code with "success." The DEA also
contains the IMSI for the user, which is included in the Callback-Id AVP. PDIF uses this IMSI
for all subsequent session management functions such as duplicate session detection etc. PDIF
also receives the MSK from AAA, which is used for further key computation.
EAP-Payload AVP message also contains the EAP result code with "success." The DEA also
contains the IMSI for the user, which is included in the Callback-Id AVP. PDIF uses this IMSI
for all subsequent session management functions such as duplicate session detection etc. PDIF
also receives the MSK from AAA, which is used for further key computation.
9
PDIF sends the IKE_AUTH Response back to MS with the EAP payload.
10
MS sends the final IKE_AUTH Request for the first authentication with the AUTH payload
computed from the keys. If the MS plans to do the second authentication, it will include
ANOTHER_AUTH_FOLLOWS Notify payload also.
computed from the keys. If the MS plans to do the second authentication, it will include
ANOTHER_AUTH_FOLLOWS Notify payload also.
11
HSGW Administration Guide, StarOS Release 19
111
Proxy-Mobile IP
How Proxy Mobile IP Works in a WiFi Network with Multiple Authentication