Cisco Cisco Packet Data Gateway (PDG)
Non UICC Device Support Using Certificate Based Authentication
ePDG is enhanced to support the non UICC devices connectivity to EPC via ePDG using certificate based
UE authentication following authorization by AAA server.
UE authentication following authorization by AAA server.
ePDG already supports UICC devices connectivity using EAP-AKA based device authentication. However
as non UICC devices cannot do EAP-AKA based authentication, alternate method of using certificates is
used.
as non UICC devices cannot do EAP-AKA based authentication, alternate method of using certificates is
used.
ePDG supports the X.509 certificate based authentication and also communicates with OCSP (Online Certificate
Status Protocol) server for completing the authentication. Once the authentication is done ePDG communicates
with AAA server for ensuring the authorization of the device.
Status Protocol) server for completing the authentication. Once the authentication is done ePDG communicates
with AAA server for ensuring the authorization of the device.
As non UICC devices do not have IMSI, customized vIMSI in format similar to UICC IMSI uniquely identifying
the non UICC device needs to be shared by the device. The device IMSI is shared as part of peer (device)
certificate to ePDG. ePDG extracts serial number, issuing authority and OCSP responder address details from
the certificate and communicates with OCSP responder. In case the OCSP responder detail is absent in the
certificate the ePDG configuration is used for extracting the same. The OCSP client (ePDG) to the OCSP
responder interaction will be over HTTP. A TCP socket connection will be established to the OCSP responder.
OCSP responder communicates with the associated CA (certification authority) and gets the certificate
revocation status which can be "good" or "revoked" or "unknown". The ePDG behavior in case of "unknown"
is similar to "revoked". When the OCSP response reaches ePDG, it validates if the response is received from
genuine entity and post validation checks the certificate status. If the certificate status is good then proceeds
with device authorization.
the non UICC device needs to be shared by the device. The device IMSI is shared as part of peer (device)
certificate to ePDG. ePDG extracts serial number, issuing authority and OCSP responder address details from
the certificate and communicates with OCSP responder. In case the OCSP responder detail is absent in the
certificate the ePDG configuration is used for extracting the same. The OCSP client (ePDG) to the OCSP
responder interaction will be over HTTP. A TCP socket connection will be established to the OCSP responder.
OCSP responder communicates with the associated CA (certification authority) and gets the certificate
revocation status which can be "good" or "revoked" or "unknown". The ePDG behavior in case of "unknown"
is similar to "revoked". When the OCSP response reaches ePDG, it validates if the response is received from
genuine entity and post validation checks the certificate status. If the certificate status is good then proceeds
with device authorization.
ePDG expects the SUBJECT/CN field of UE certificate to contain the IMSI or NAI and detects that its NAI
with presence of '' else its IMSI. This extracted CN fields is accordingly verified with the IDi payload received
from UE in IKE_AUTH_REQ message. The certificate identity is more reliable and also the IKE_AUTH_REQ
identity does have significance is AUTH payload verification hence this functionality of comparison is in
place. ePDG sends the NAI identity as received in the IKE_AUTH_REQ message to the AAA server and
once AAA server sends back the authorization success then ePDG does PGW selection and communicates
with PGW over S2b interface to establish the call.
with presence of '' else its IMSI. This extracted CN fields is accordingly verified with the IDi payload received
from UE in IKE_AUTH_REQ message. The certificate identity is more reliable and also the IKE_AUTH_REQ
identity does have significance is AUTH payload verification hence this functionality of comparison is in
place. ePDG sends the NAI identity as received in the IKE_AUTH_REQ message to the AAA server and
once AAA server sends back the authorization success then ePDG does PGW selection and communicates
with PGW over S2b interface to establish the call.
IPsec subsystem does comply with RFC 2560 and uses open SSL 0.9.7 for certificate based authentication,
therefore ePDG inherently complies with same.
therefore ePDG inherently complies with same.
ePDG supports both UICC and non-UICC devices simultaneously for same ePDG service. ePDG service does
have single crypto template association with the service IP address and hence IPsec subsystem is enhanced
for supporting the multiple authentication methods per crypto template. ePDG identifies whether certificate
based authentication needs to be used or not by the presence of AUTH payload. If the AUTH parameter is
absent in initial IKE_AUTH_REQ message it indicates that EAP-AKA based authentication is to be used. If
the AUTH payload is present and the CERT payload is also present it indicates certificate based mechanism
is to be used.
have single crypto template association with the service IP address and hence IPsec subsystem is enhanced
for supporting the multiple authentication methods per crypto template. ePDG identifies whether certificate
based authentication needs to be used or not by the presence of AUTH payload. If the AUTH parameter is
absent in initial IKE_AUTH_REQ message it indicates that EAP-AKA based authentication is to be used. If
the AUTH payload is present and the CERT payload is also present it indicates certificate based mechanism
is to be used.
ePDG Administration Guide, StarOS Release 19
41
Evolved Packet Data Gateway Overview
Non UICC Device Support Using Certificate Based Authentication