Cisco Cisco Packet Data Gateway (PDG)
interface. In case the protocol used on S2b is GTPv2 then this information is communicated using the Private
Extension IE in Create Session Request message.
Extension IE in Create Session Request message.
The WLAN UEs send the MAC address of each WiFi access point to the ePDG embedded in the NAI (Network
Access Identifier). When the ePDG receives an NAI that includes a MAC address, the ePDG checks the MAC
address and if the validation is successful, the ePDG removes the MAC address from the NAI before sending
it to the AAA server in the User-Name AVP of DER (Diameter EAP Request) messages.
Access Identifier). When the ePDG receives an NAI that includes a MAC address, the ePDG checks the MAC
address and if the validation is successful, the ePDG removes the MAC address from the NAI before sending
it to the AAA server in the User-Name AVP of DER (Diameter EAP Request) messages.
Note that the ePDG can be configured to allow IPSec connection establishment without the MAC address
present. If the MAC address is not present and the ePDG is configured to check for the MAC address, the
ePDG fails the IKE negotiation and returns Notify payload 24 (AUTHENTICATION_FAILED).
present. If the MAC address is not present and the ePDG is configured to check for the MAC address, the
ePDG fails the IKE negotiation and returns Notify payload 24 (AUTHENTICATION_FAILED).
AAA Server Groups
A value-added feature to enable VPN service provisioning for enterprise or MVNO customers. Enables each
corporate customer to maintain its own AAA servers with its own unique configurable parameters and custom
dictionaries. This feature provides support for up to 800 AAA server groups and 800 NAS IP addresses that
can be provisioned within a single context or across the entire chassis. A total of 128 servers can be assigned
to an individual server group. Up to 1,600 accounting, authentication, and/or mediation servers are supported
per chassis.
corporate customer to maintain its own AAA servers with its own unique configurable parameters and custom
dictionaries. This feature provides support for up to 800 AAA server groups and 800 NAS IP addresses that
can be provisioned within a single context or across the entire chassis. A total of 128 servers can be assigned
to an individual server group. Up to 1,600 accounting, authentication, and/or mediation servers are supported
per chassis.
EAP Authentication
Enables secure user and device level authentication with a 3GPP AAA server or via 3GPP2 AAA proxy and
the authenticator in the ePDG.
the authenticator in the ePDG.
The ePDG uses the Diameter-based SWm interface to authenticate subscriber traffic with the 3GPP AAA
server. Following completion of the security procedures (IKEv2) between the UE and ePDG, the ePDG selects
EAP-AKA as the method for authenticating the subscriber session. EAP-AKA uses symmetric cryptography
and pre-shared keys to derive the security keys between the UE and EAP server. The ePDG represents the
EAP authenticator and triggers the identity challenge-response signaling between the UE and back-end 3GPP
AAA server. On successful verification of user credentials, the 3GPP AAA server obtains the Cipher Key
and Integrity Key from the HSS. It uses these keys to derive the MSK (Master Session Key) that are returned
on EAP-Success to the ePDG. The ePDG uses the MSK to derive the authentication parameters.
server. Following completion of the security procedures (IKEv2) between the UE and ePDG, the ePDG selects
EAP-AKA as the method for authenticating the subscriber session. EAP-AKA uses symmetric cryptography
and pre-shared keys to derive the security keys between the UE and EAP server. The ePDG represents the
EAP authenticator and triggers the identity challenge-response signaling between the UE and back-end 3GPP
AAA server. On successful verification of user credentials, the 3GPP AAA server obtains the Cipher Key
and Integrity Key from the HSS. It uses these keys to derive the MSK (Master Session Key) that are returned
on EAP-Success to the ePDG. The ePDG uses the MSK to derive the authentication parameters.
After the user credentials are verified by the 3GPP AAA and HSS, the ePDG returns the PDN address obtained
from the P-GW (using PMIPv6/GTPv2) to the UE. In the connection establishment procedures, the PDN
address is triggered based on subscription information conveyed over the SWm reference interface. Based on
the subscription information and requested PDN-Type signaled by the UE, the ePDG informs the P-GW of
the type of required address (IPv6 and/or IPv4 Home Address Option for dual IPv4/v6 PDNs).
from the P-GW (using PMIPv6/GTPv2) to the UE. In the connection establishment procedures, the PDN
address is triggered based on subscription information conveyed over the SWm reference interface. Based on
the subscription information and requested PDN-Type signaled by the UE, the ePDG informs the P-GW of
the type of required address (IPv6 and/or IPv4 Home Address Option for dual IPv4/v6 PDNs).
IPv6 Capabilities
IPv6 addressing enables increased address efficiency and relieves pressures caused by the rapidly approaching
IPv4 address exhaustion problem.
IPv4 address exhaustion problem.
The ePDG offers the following IPv6 capabilities:
• Support for any combination of IPv4, IPv6, or dual stack IPv4/v6 address assignment from address pools
on the P-GW.
ePDG Administration Guide, StarOS Release 19
11
Evolved Packet Data Gateway Overview
AAA Server Groups