Cisco Cisco Packet Data Gateway (PDG)
3
UE ePDG: IKEv2 AUTH_REQ UE sends IKE_AUTH_REQ (IDi, [CERTREQ], IDr, SA, CP
(CFQ_REQUEST (INTERNAL_IP6_ADDRESS, [INTERNAL_IP6_DNS], [INTERNAL_IP6_PCSCF]),
TSi, TSr)). The UE does not include AUTH payload to indicate that it will use the EAP-TTLS method for
authenticating itself to AAA. IDi contains the NAI in the form "A<IMSI>
nai.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org". Per standards the prefix can be 0/1 indicating
EAP-AKA/EAP-SIM now as we shall be indicating to AAA server that use different authentication method
here EAP-TTLS so can indicate using "A". ePDG shall be transparent to received prefix and shall send to
AAA server so that operator is free to use any prefix except the defined ones.
(CFQ_REQUEST (INTERNAL_IP6_ADDRESS, [INTERNAL_IP6_DNS], [INTERNAL_IP6_PCSCF]),
TSi, TSr)). The UE does not include AUTH payload to indicate that it will use the EAP-TTLS method for
authenticating itself to AAA. IDi contains the NAI in the form "A<IMSI>
nai.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org". Per standards the prefix can be 0/1 indicating
EAP-AKA/EAP-SIM now as we shall be indicating to AAA server that use different authentication method
here EAP-TTLS so can indicate using "A". ePDG shall be transparent to received prefix and shall send to
AAA server so that operator is free to use any prefix except the defined ones.
4
ePDG AAA server :DER The ePDG sends the DER (Session-Id, Auth-Application-Id, Origin-Host,
Origin-Realm, Destination-Host, Destination-Realm,
Auth-Request-Type(AUTHORIZE_AUTHENTICATE), EAP-Payload, User-Name (NAI),
RAT-Type(WLAN), MIP6-Feature-Vector, Visited-Network-Identifier) message to the 3GPP AAA Server.
The EAP-Payload shall contain the UE identity encoded by ePDG.
Origin-Realm, Destination-Host, Destination-Realm,
Auth-Request-Type(AUTHORIZE_AUTHENTICATE), EAP-Payload, User-Name (NAI),
RAT-Type(WLAN), MIP6-Feature-Vector, Visited-Network-Identifier) message to the 3GPP AAA Server.
The EAP-Payload shall contain the UE identity encoded by ePDG.
5
AAA server ePDG: DEA The 3GPP AAA Server initiates the authentication challenge and responds with
DEA (Session-Id, Base AVPs, Auth-Request-Type and EAP-Payload). The EAP-Payload shall contain
the EAP-TTLS/Start, the Start 'S' bit is set with no data.
DEA (Session-Id, Base AVPs, Auth-Request-Type and EAP-Payload). The EAP-Payload shall contain
the EAP-TTLS/Start, the Start 'S' bit is set with no data.
6
ePDG UE: IKEv2 AUTH_RESP ePDG sends IKE_AUTH_RESP (IDr, [CERT (X509 CERTIFICATE
SIGNATURE)], EAP Payload) The IDr is the identity of the ePDG and if the UE requests for certificates
then CERT is included. The EAP message received from the 3GPP AAA Server (EAP-Request/Start) is
included in order to start the EAP procedure over IKEv2.
SIGNATURE)], EAP Payload) The IDr is the identity of the ePDG and if the UE requests for certificates
then CERT is included. The EAP message received from the 3GPP AAA Server (EAP-Request/Start) is
included in order to start the EAP procedure over IKEv2.
7
UE ePDG: IKEv2 AUTH_REQ UE sends IKE_AUTH_REQ (EAP payload) containing the TLS client
hello handshake message.
hello handshake message.
8
ePDG AAA server :DER The ePDG sends the DER (Session-Id, Auth-Application-Id, Origin-Host,
Origin-Realm, Destination-Host, Destination-Realm,
Auth-Request-Type(AUTHORIZE_AUTHENTICATE), EAP-Payload, User-Name (NAI),
RAT-Type(WLAN), MIP6-Feature-Vector, Visited-Network-Identifier) message to the 3GPP AAA Server.
The EAP-Payload shall contain the TLS client hello handshake message.
Origin-Realm, Destination-Host, Destination-Realm,
Auth-Request-Type(AUTHORIZE_AUTHENTICATE), EAP-Payload, User-Name (NAI),
RAT-Type(WLAN), MIP6-Feature-Vector, Visited-Network-Identifier) message to the 3GPP AAA Server.
The EAP-Payload shall contain the TLS client hello handshake message.
9
AAA server ePDG: DEA The 3GPP AAA Server initiates the authentication challenge and responds with
DEA (Session-Id, Base AVPs, Auth-Request-Type and EAP-Payload). The AAA server will then respond
with an EAP-Request packet with EAP-Type=EAP-TTLS. The data field of this packet will encapsulate
one or more TLS records. These will contain a TLS server_hello handshake message, possibly followed
by TLS certificate, server_key_exchange, server_hello_done and/or finished handshake messages, and/or
a TLS change_cipher_spec message.
DEA (Session-Id, Base AVPs, Auth-Request-Type and EAP-Payload). The AAA server will then respond
with an EAP-Request packet with EAP-Type=EAP-TTLS. The data field of this packet will encapsulate
one or more TLS records. These will contain a TLS server_hello handshake message, possibly followed
by TLS certificate, server_key_exchange, server_hello_done and/or finished handshake messages, and/or
a TLS change_cipher_spec message.
10
ePDG UE: IKEv2 AUTH_RESP ePDG sends IKE_AUTH_RESP (EAP Payload) The EAP payload shall
contain the TLS message as received from the AAA server.
contain the TLS message as received from the AAA server.
11
UE ePDG: IKEv2 AUTH_REQ The UE sends EAP message in IKE_AUTH Request (EAP). The data
field of this packet MUST encapsulate one or more TLS records containing a TLS client_key_exchange,
change_cipher_spec, and finished messages.
field of this packet MUST encapsulate one or more TLS records containing a TLS client_key_exchange,
change_cipher_spec, and finished messages.
12
ePDG AAA server :DER The ePDG sends the DER (Session-Id, Auth-Application-Id,
Origin-Host,Origin-Realm, Destination-Host, Destination-Realm,
Auth-Request-Type(AUTHORIZE_AUTHENTICATE), EAP-Payload) message to the3GPP AAA Server.
The EAP-Payload shall contain the message as sent by UE.
Origin-Host,Origin-Realm, Destination-Host, Destination-Realm,
Auth-Request-Type(AUTHORIZE_AUTHENTICATE), EAP-Payload) message to the3GPP AAA Server.
The EAP-Payload shall contain the message as sent by UE.
13
AAA server ePDG: DEA The 3GPP AAA Server on successful authentication responds with DEA
(Session-Id, Base AVPs, Auth-Request-Type and EAP-Payload) where EAP-Payload does contain the
TLS finished message.
(Session-Id, Base AVPs, Auth-Request-Type and EAP-Payload) where EAP-Payload does contain the
TLS finished message.
14
ePDG UE: IKEv2 AUTH_RESP ePDG sends IKE_AUTH_RESP (EAP Payload) The EAP payload shall
contain the TLS message as received from the AAA server. This stage the first phase of TTLS is done
completing the TLS handshake and AAA server is authenticated by device and keys are generated to secure
subsequent message handling.
contain the TLS message as received from the AAA server. This stage the first phase of TTLS is done
completing the TLS handshake and AAA server is authenticated by device and keys are generated to secure
subsequent message handling.
ePDG Administration Guide, StarOS Release 19
51
Evolved Packet Data Gateway Overview
EAP-MSCHAPv2/EAP-TLS/EAP-TTLS Based Support For NON UICC Devices