Cisco Cisco Packet Data Gateway (PDG)
exit
aaa group default
exit
aaa group
<
group_name
>
diameter authentication dictionary
<
aaa_custom_dictionary
>
diameter authentication endpoint
<
endpoint_name
>
diameter authentication max-retries
<
max_retries
>
diameter authentication max-transmissions
<
max_transmissions
>
diameter authentication request-timeout
<
request_timeout_duration
>
diameter authentication failure-handling eap-request request-timeout action terminate
diameter authentication failure-handling eap-request result-code
<
start_result_code_1
>
to
<
end_result_code_1
>
action retry-and-terminate
diameter authentication failure-handling eap-request result-code
<
start_result_code_2
>
to
<
end_result_code_2
>
action terminate
diameter authentication server
<
host_name
>
priority
<
priority
>
exit
gttp group default
exit
exit
end
In this example, the EAP method is used for UE authentication. The eap-profile command creates the EAP
profile to be used in the crypto template for the ePDG service. The mode authenticator-pass-through
command specifies that the ePDG functions as an authenticator passthrough device, enabling an external EAP
server to perform UE authentication.
profile to be used in the crypto template for the ePDG service. The mode authenticator-pass-through
command specifies that the ePDG functions as an authenticator passthrough device, enabling an external EAP
server to perform UE authentication.
The crypto template command and associated commands are used to define the cryptographic policy for the
ePDG. You must create one crypto template per ePDG service. The ikev2-dynamic keyword in the crypto
template command specifies that IKEv2 protocol is used. The authentication remote command specifies
the EAP profile to use for authenticating the remote peer.
ePDG. You must create one crypto template per ePDG service. The ikev2-dynamic keyword in the crypto
template command specifies that IKEv2 protocol is used. The authentication remote command specifies
the EAP profile to use for authenticating the remote peer.
The rekey keepalive command enables Child SA (Security Association) rekeying so that a session will be
rekeyed even when there has been no data exchanged since the last rekeying operation. The ikev2-ikesa
keepalive-user-activity command resets the user inactivity timer when keepalive messages are received from
the peer. The ikev2-ikesa policy error-notification command enables the ePDG to generate Error Notify
messages for Invalid IKEv2 Exchange Message ID and Invalid IKEv2 Exchange Syntax for the IKE_SA_INIT
exchange.
rekeyed even when there has been no data exchanged since the last rekeying operation. The ikev2-ikesa
keepalive-user-activity command resets the user inactivity timer when keepalive messages are received from
the peer. The ikev2-ikesa policy error-notification command enables the ePDG to generate Error Notify
messages for Invalid IKEv2 Exchange Message ID and Invalid IKEv2 Exchange Syntax for the IKE_SA_INIT
exchange.
The ip routing maximum-paths command enables ECMP (Equal Cost Multiple Path) routing support and
specifies the maximum number of ECMP paths that can be submitted by a routing protocol in the current
context. The interface command creates each of the logical interfaces, and the associated ip address command
specifies the IP address and subnet mask of each interface.
specifies the maximum number of ECMP paths that can be submitted by a routing protocol in the current
context. The interface command creates each of the logical interfaces, and the associated ip address command
specifies the IP address and subnet mask of each interface.
The aaa group command configures the AAA server group in the ePDG context and the diameter
authentication commands specify the associated Diameter authentication settings.
authentication commands specify the associated Diameter authentication settings.
The ikev2-ikesa policy use-rfc5996-notification command enables processing for new notification payloads
added in RFC 5996, and is disabled by default.
added in RFC 5996, and is disabled by default.
Creating the ePDG Service
Use the following configuration example to do the following:
• Create the ePDG service.
• Specify the context in which the MAG/EGTP service will reside.
ePDG Administration Guide, StarOS Release 19
100
Configuring the Evolved Packet Data Gateway
ePDG Context and Service Configuration