Cisco Cisco Packet Data Gateway (PDG)
Enables/ disables authentication for local messages (such as local RAUs, Service Requests, Detach Requests,
etc) . Consecutive security failures is fairly rare for local messages so the default count frequency is fairly
high, 5. Setting the count frequency enables the feature and sets the number of consecurity local message
security failures that must occur prior t o authentication being forced.
etc) . Consecutive security failures is fairly rare for local messages so the default count frequency is fairly
high, 5. Setting the count frequency enables the feature and sets the number of consecurity local message
security failures that must occur prior t o authentication being forced.
frequency: Enter an integer from 1 to 10.
non-local-messages count count
Default: 1
Enables/ disables authentication for non-local messages (such as inter-RAT RAUs and all types of attaches)
. Consecutive security failures for non-local messages is fairly common so the default count frequency is 1.
Setting the count frequency enables the feature and sets the number of consecurity non-local message security
failures that must occur prior t o authentication being forced.
. Consecutive security failures for non-local messages is fairly common so the default count frequency is 1.
Setting the count frequency enables the feature and sets the number of consecurity non-local message security
failures that must occur prior t o authentication being forced.
frequency: Enter an integer from 1 to 10.
Usage Guidelines
GMM authentication is optional for UMTS. When GMM authentication is skipped, the SGSN and the MS
continue to re-use the latest keys exchanged during the most recent GMM authentication procedure. This can
result in the SGSN and the MS going out of sync with the CK and IK currently in use. If a mismatch occurs
when the MS continues to use the correct parameters (e.g., cksn or P-TMSI signature) in the next Iu and if
the SGSN skips authentication on the Iu, then, usually, the security mode will timeout or be rejected because
the MS will not be able to decipher or perform an integrity check on the network messages. This scenario
results in a lot of useless signaling in the network. This command allows the operator to enable a forced GMM
authentication that will either resolve this type of problem or avoid it. As well, the operator can configure a
frequency of authentication that best meets their needs.
continue to re-use the latest keys exchanged during the most recent GMM authentication procedure. This can
result in the SGSN and the MS going out of sync with the CK and IK currently in use. If a mismatch occurs
when the MS continues to use the correct parameters (e.g., cksn or P-TMSI signature) in the next Iu and if
the SGSN skips authentication on the Iu, then, usually, the security mode will timeout or be rejected because
the MS will not be able to decipher or perform an integrity check on the network messages. This scenario
results in a lot of useless signaling in the network. This command allows the operator to enable a forced GMM
authentication that will either resolve this type of problem or avoid it. As well, the operator can configure a
frequency of authentication that best meets their needs.
Examples
The following command enables forced authentication after every 3rd local message security failure:
force-authenticate consecutive-security-failure local-messages count 3
force-authenticate consecutive-security-failure local-messages count 3
Command Line Interface Reference, Modes I - Q, StarOS Release 19
336
IuPS Service Configuration Mode Commands
force-authenticate consecutive-security-failure