Cisco Packet Data Interworking Function (PDIF)
SaMOG Gateway Overview
How the SaMOG Gateway Works
SaMOG Administration Guide, StarOS Release 18
Table 5. SaMOG Gateway Session Establishment
Step  Description
1. An association between the UE and WLC is established.
2. The initial attach procedure starts with the authenticator sending an EAP Request/Identity message toward the supplicant.
3. The UE responds to the EAP Request/Identity message with an EAP Response/Identity message, which contains the permanent identity (IMSI) on the SIM.
4. The WLC requests authentication from the MRME using EAP over RADIUS by sending an "Access-Request" message. The WLC includes the User-Name, the EAP-Identity (as part of the EAP-Message), and the Acct-Session-Id in the "Access-Request" message.
5. The MRME initiates Authentication and Authorization procedures by sending a "Diameter EAP Request" message to the 3GPP AAA Server, containing the user identity and EAP-Payload.
6. The 3GPP AAA Server fetches the user profile and authentication vectors from the HSS/HLR (if these parameters are not available in the 3GPP AAA Server). The 3GPP AAA Server looks for the IMSI of the authenticated user based on the received user identity (root NAI or Decorated NAI), and includes EAP-AKA as the requested authentication method in the request sent to the HSS. The HSS then generates authentication vectors and sends them back to the 3GPP AAA Server. The 3GPP AAA Server checks if the user's subscription is authorized for a trusted non-3GPP access. The 3GPP AAA Server initiates the authentication challenge. The user identity is not requested again.
7. The MRME responds to the WLC with a "Radius Access-Challenge" message by including EAP-AKA AKA-Challenge in the EAP-Messages.
8. The WLC sends an authentication challenge towards the UE.
9. The UE responds with a challenge response.
10. The WLC forwards the "Radius Access-Request" to the MRME by including EAP-Response/AKA-Challenge in the EAP-Message.
11. The MRME forwards the EAP-Response/AKA-Challenge message to the 3GPP AAA Server by sending a "Diameter EAP Request" message. The AAA Server checks if the authentication response is correct.
12. The 3GPP AAA Server forwards the final Authentication and Authorization answer by initiating a "Diameter EAP Answer" (with a result code indicating success) including the relevant service authorization information, an EAP success and the key material to the MRME. The MRME performs P-GW Resolution (Steps 13-16) for dynamic P-GW selection by delaying the EAP-Response (Access-Accept) message to the WLC.
13. The MRME sends a "DNS Request" with S-NAPTR Query by constructing an APN FQDN to the DNS Server.
14. The MRME receives a "DNS Answer" with a list of A-Records from the DNS Server.
15. The MRME sends a "DNS Request" by including the selected A-Record to get the P-GW IPv4 address.
16. The MRME receives the resolved P-GW IPv4 address in the "DNS Response" from the DNS Server.
17. The MRME sends the "Radius Access-Accept" message to the WLC by including the Shared Secret generated in the EAP exchange, and the User-Name.
18. The WLC originates the "PMIPv6 Proxy-Binding-Update" message to the CGW. The information for the subscriber to form the PBU message is included. In addition, the WLC also allocates a GRE tunnel ID for downlink data transfer, and includes it in the PBU message.
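The user identity in steps 3 and 6 (root or decorated NAI carrying the IMSI) and the APN FQDN in step 13 have fixed layouts in 3GPP TS 23.003. The following is an added example, not code from this guide or from StarOS: it parses such an identity, checks that the IMSI belongs to the home PLMN named in the realm, and builds the APN FQDN. The function names, the sample identity and the use of the home PLMN for the APN FQDN are assumptions.

```python
import re

# Identity and FQDN layouts follow 3GPP TS 23.003 (assumed; the guide does not spell them out).
_REALM = r"nai\.epc\.mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org"
_ROOT = re.compile(rf"^0(\d{{6,15}})@{_REALM}$", re.I)
_DECORATED = re.compile(rf"^{_REALM}!0(\d{{6,15}})@{_REALM}$", re.I)
_DNS_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")


def _imsi_matches_plmn(imsi, mcc, mnc3):
    """IMSI starts with MCC+MNC; 'mnc015' may encode a 2-digit '15' or a 3-digit '015'."""
    candidates = {mnc3}
    if mnc3.startswith("0"):
        candidates.add(mnc3[1:])
    return any(imsi.startswith(mcc + mnc) for mnc in candidates)


def parse_identity(nai):
    """Return imsi, home (mcc, mnc) and visited (mcc, mnc) or None; ValueError if malformed."""
    m = _ROOT.match(nai)
    if m:
        imsi, mnc, mcc = m.groups()
        visited = None
    else:
        m = _DECORATED.match(nai)
        if not m:
            raise ValueError("not an EAP-AKA root or decorated NAI")
        # Decoration (before '!') names the home realm, the part after '@' the visited one.
        mnc, mcc, imsi, vmnc, vmcc = m.groups()
        visited = (vmcc, vmnc)
    if not _imsi_matches_plmn(imsi, mcc, mnc):
        raise ValueError("IMSI does not belong to the home PLMN named in the realm")
    return {"imsi": imsi, "home": (mcc, mnc), "visited": visited}


def apn_fqdn(apn_ni, mcc, mnc):
    """Build the APN FQDN used as the S-NAPTR query name (step 13)."""
    apn_ni = apn_ni.lower()
    if not all(_DNS_LABEL.fullmatch(label) for label in apn_ni.split(".")):
        raise ValueError("APN network identifier is not a valid DNS name")
    return f"{apn_ni}.apn.epc.mnc{mnc.zfill(3)}.mcc{mcc}.3gppnetwork.org"


if __name__ == "__main__":
    # Constructed sample identity on test PLMN 001/01, not taken from the guide.
    ident = parse_identity("0001010123456789@nai.epc.mnc001.mcc001.3gppnetwork.org")
    print(ident, apn_fqdn("internet", *ident["home"]))
```

Rejecting an identity whose IMSI prefix disagrees with its realm before it is proxied keeps a malformed or mislabelled User-Name from being routed to the wrong home network.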