Cisco Cisco Packet Data Gateway (PDG)
SaMOG Gateway Overview
▀ SaMOG Services
▄ SaMOG Administration Guide, StarOS Release 16
14
MRME Features and Functions
The MRME service includes the following features and functions.
EAP Authentication over RADIUS—MRME
The SaMOG Gateway's MRME service supports Extensible Authentication Protocol (EAP) over RADIUS to interact
with the WLCs for authenticating the WLAN UEs based on RFC 3579. Two attributes, EAP-Message and Message-
Authenticator, are used to transport EAP messages as defined in RFC 3579. The MRME service validates and processes
these messages as follows:
with the WLCs for authenticating the WLAN UEs based on RFC 3579. Two attributes, EAP-Message and Message-
Authenticator, are used to transport EAP messages as defined in RFC 3579. The MRME service validates and processes
these messages as follows:
Validates the EAP header fields (Code, Identifier, and Length attributes) prior to forwarding an EAP packet.
Discards Access-Request packets that include an EAP-Message attribute without a Message-Authenticator
attribute.
If multiple EAP-Message attributes are contained within an Access-Request or Access-Challenge packet,
concatenates them to form a single EAP packet.
For Access-Challenge, Access-Accept, and Access-Reject packets, calculates the Message-Authenticator
attribute as follows: Message-Authenticator = HMAC-MD5 (Type, Identifier, Length, and Request
Authenticator attributes).
Authenticator attributes).
EAP Identity of Decorated NAI Formats—MRME
The SaMOG Gateway supports the use of the EAP identity of the Decorated NAI in the following format:
homerealm!username@otherrealm
The username part of the Decorated NAI complies with RFCs 4187, 4816, and 5448 for EAP AKA, EAP SIM, and EAP
AKA’, respectively.
AKA’, respectively.
The following are examples of a typical NAI:
For EAP AKA authentication:
wlan.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!0<IMSI>@wlan.mnc<visitedMNC>.mcc<visited
MCC>.3gppnetwork.org
MCC>.3gppnetwork.org
For EAP SIM authentication:
wlan.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!1<IMSI>@wlan.mnc<visitedMNC>.mcc<visited
MCC>.3gppnetwork.org
MCC>.3gppnetwork.org
For EAP AKA' authentication:
wlan.mnc<homeMNC>.mcc<homeMCC>.3gppnetwork.org!6<IMSI>@wlan.mnc<visitedMNC>.mcc<visited
MCC>.3gppnetwork.org
MCC>.3gppnetwork.org
EAP Identity of Emergency NAI Formats—MRME
The SaMOG Gateway's MRME service supports the use of the EAP identity of the Emergency NAI in the following
format:
format:
0<IMSI>@sos.wlan.mnc015.mcc234.3gppnetwork.org/1<IMSI>@sos.wlan.mnc015.mcc234.3gppnetwork.org
If the IMSI is not available, the Emergency NAI can include the IMEI/MAC address, as follows:
imei<IMEI>@sos.wlan.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org
mac<MAC>@sos.wlan.mnc<visitedMNC>.mcc<visitedMCC>.3gppnetwork.org
As per RFC 29.273, UEs without an IMSI are not authorized via the STa Interface. If the Emergency NAI includes an
IMEI or MAC username format, the authentication request will be rejected.
IMEI or MAC username format, the authentication request will be rejected.