Cisco Packet Data Gateway (PDG)
SaMOG Gateway Overview
SaMOG Services
SaMOG Administration Guide, StarOS Release 19
20
For EAP AKA authentication: 2<pseudonym-id>@nai.epc.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org
Decorated NAI: nai.epc.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!2<pseudonym-id>@nai.epc.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org
For EAP SIM authentication: 3<pseudonym-id>@nai.epc.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org
Decorated NAI: nai.epc.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!3<pseudonym-id>@nai.epc.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org
For EAP AKA’ authentication: 7<pseudonym-id>@nai.epc.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org
Decorated NAI: nai.epc.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!7<pseudonym-id>@nai.epc.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org
EAP Identity of Root NAI Formats—MRME
The SaMOG Gateway supports the use of the EAP identity of the Root NAI in the following format:
username@otherrealm
The username part of the Root NAI complies with RFCs 4187, 4186, and 5448 for EAP AKA, EAP SIM, and EAP AKA’, respectively.
The following are examples of a typical NAI:
For EAP AKA authentication: 0<IMSI>@wlan.mnc<MNC>.mcc<MCC>.3gppnetwork.org
For EAP SIM authentication: 1<IMSI>@wlan.mnc<MNC>.mcc<MCC>.3gppnetwork.org
For EAP AKA' authentication: 6<IMSI>@wlan.mnc<MNC>.mcc<MCC>.3gppnetwork.org
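The pseudonym, decorated and root NAI formats above share one structure: a method digit, an identity, and a 3gppnetwork.org realm carrying the MNC/MCC that later drives P-GW selection. The following parser is an added example (not Cisco code from this guide); it assumes the prefix digits and realm labels exactly as listed here and treats an IMSI as a numeric string of at most 15 digits.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Leading digit of the username selects the EAP method and identity type (guide's root-NAI formats).
METHOD_BY_PREFIX = {
    "0": ("EAP-AKA", "permanent"), "2": ("EAP-AKA", "pseudonym"),
    "1": ("EAP-SIM", "permanent"), "3": ("EAP-SIM", "pseudonym"),
    "6": ("EAP-AKA'", "permanent"), "7": ("EAP-AKA'", "pseudonym"),
}
# Realm shape from the guide: <wlan|nai.epc>.mnc<2-3 digits>.mcc<3 digits>.3gppnetwork.org
REALM_RE = re.compile(
    r"^(wlan|nai\.epc)\.mnc(?P<mnc>\d{2,3})\.mcc(?P<mcc>\d{3})\.3gppnetwork\.org$", re.I)

@dataclass
class Nai:
    method: str
    identity_type: str                 # "permanent" (IMSI) or "pseudonym"
    identity: str                      # IMSI or pseudonym-id, without the method digit
    home_mnc: str
    home_mcc: str
    visited_mnc: Optional[str] = None  # only set for a decorated NAI
    visited_mcc: Optional[str] = None

def parse_nai(nai: str) -> Nai:
    """Parse a root NAI (user@realm) or a decorated NAI (homerealm!user@visitedrealm)."""
    home_realm, _, nai = nai.rpartition("!")   # home_realm is "" when not decorated
    if nai.count("@") != 1:
        raise ValueError("NAI must contain exactly one '@'")
    username, realm = nai.split("@")
    if not username or username[0] not in METHOD_BY_PREFIX:
        raise ValueError(f"unknown method prefix in username {username!r}")
    method, identity_type = METHOD_BY_PREFIX[username[0]]
    identity = username[1:]
    if identity_type == "permanent" and not (identity.isdigit() and len(identity) <= 15):
        raise ValueError("permanent identity must be a numeric IMSI of at most 15 digits (E.212)")
    realm_m = REALM_RE.match(realm)
    if not realm_m:
        raise ValueError(f"realm {realm!r} is not in 3gppnetwork.org format")
    # Decorated NAI: realm after '@' is the visited PLMN, realm before '!' is the home PLMN
    home_m = REALM_RE.match(home_realm) if home_realm else realm_m
    if not home_m:
        raise ValueError(f"home realm {home_realm!r} is not in 3gppnetwork.org format")
    visited = (realm_m["mnc"], realm_m["mcc"]) if home_realm else (None, None)
    return Nai(method, identity_type, identity, home_m["mnc"], home_m["mcc"], *visited)

def is_valid_nai(nai: str) -> bool:
    try:
        parse_nai(nai)
        return True
    except ValueError:
        return False
```

Rejecting a malformed User-Name before realm-based P-GW selection keeps an unexpected realm or non-numeric "IMSI" from reaching the selection logic.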
EAP Agnostic Authentication—MRME
The SaMOG Gateway additionally supports EAP-based authentication in which it is agnostic to the inner EAP method. This enables SaMOG to support authentication mechanisms such as EAP-TLS and EAP-TTLS/MSCHAPv2 in order to connect non-UICC devices to the EPC core.
EAP-TLS
This authentication mechanism enables SaMOG to provide certificate-based mutual authentication between the UE and the EAP Server for non-UICC devices.
EAP-TTLS/MSCHAPv2
SaMOG performs this authentication mechanism in two phases. During the first phase, SaMOG authenticates the server using a certificate, which is then used to establish a secure tunnel. In the second phase, the subscriber is authenticated with the MSCHAPv2 authentication mechanism inside the secure tunnel.
Authentication
SaMOG considers the EAP-response/identity messages between the WLC and the AAA server as an uncategorized EAP authentication mechanism. SaMOG allows messages to be exchanged until a success/failure message is received from the AAA server, or the session setup timer expires.
NAI Usage
As with SIM-based authentications, and in compliance with the 3GPP 23.003 standard, SaMOG expects the NAI forwarded by the UE to be in the same format for P-GW selection, with the flexibility to support a non-IMSI-based user-name in the AVP.