Cisco Cisco Packet Data Gateway (PDG)
Evolved Packet Data Gateway Overview
▀ Features and Functionality
▄ ePDG Administration Guide, StarOS Release 17
46
15. ePDG → UE: IPv6 RA The assumption is that the IP stack needs the RA to initialize the address.
EAP-MSCHAPv2/EAP-TLS/EAP-TTLS based support for NON UICC devices
Currently 3GPP standard provides a mechanism for the UICC (SIM based) devices connectivity to the EPC via non-
3GPP access enabling them for voice and video services over WiFi. However lot of non UICC devices such as iPads,
Tablets, Laptops do not have defined 3GPP standard mechanism for connecting over WLAN to EPC via ePDG. These
devices can use the same LTE subscription as for the UICC device do not have potential to utlize CSPs and monetize
voice & video offering by extending the same to non UICC devices.
3GPP access enabling them for voice and video services over WiFi. However lot of non UICC devices such as iPads,
Tablets, Laptops do not have defined 3GPP standard mechanism for connecting over WLAN to EPC via ePDG. These
devices can use the same LTE subscription as for the UICC device do not have potential to utlize CSPs and monetize
voice & video offering by extending the same to non UICC devices.
EAP-AKA is the mechanism defined in 3GPP standards for authenticating and authorizing the mobile devices using
AAA server. The non UICC devices cannot support EAP-AKA.
AAA server. The non UICC devices cannot support EAP-AKA.
For non UICC devices as IMSI is not present the IMSI mentioned in below flows is vIMSI which can be alphanumeric
type (limit to 24 chars) or decimal digit IMSI and in such case when alphanumeric vIMSI is used its expected that AAA
server shall be providing decimal digit IMSI to ePDG for S2b interface as part of mobile-node-identifier AVP.
type (limit to 24 chars) or decimal digit IMSI and in such case when alphanumeric vIMSI is used its expected that AAA
server shall be providing decimal digit IMSI to ePDG for S2b interface as part of mobile-node-identifier AVP.
Below is the list of different authentication mechanisms which can be used with ePDG acting as EAP pass-through
mode for the non UICC device support:
mode for the non UICC device support:
EAP-MSCHAPv2
Single phase
Use MSCHAPv2 inside EAP
Challenge/Response based mechanism
Reference - http://tools.ietf.org/id/draft-kamath-pppext-eap-mschapv2-01.txt and RFC 3079
EAP-TTLS (using MS-CHAPv2)
EAP method encapsulating TLS session
Two phases
Handshake phase (server authentication & key generation)
Data Phase (client authentication)
Handshake phase provides secure channel for data phase
Use MSCHAPv2 for authenticating client/device
Reference - RFC 5281
EAP-TLS
Single phase
EAP method encapsulating TLS session
Use certificates between UE & AAA server for mutual authentication
Reference - RFC 5216
EAP-MSCHAPv2 authentication mechanism call flow
In this authentication mechanism the ePDG shall be acting in EAP pass-through mode and the AAA server shall be
authenticating the device using EAP-MSCHAPv2. The authentication mechanism does have advantage of less lengthy
call flow and is standard way. Additionally the operator does not require having certificate based infrastructure. The
disadvantage is that MSK is 64 bytes but with 32 byte key & remaining 32 bytes as zeros as opposed to EAP-AKA
authenticating the device using EAP-MSCHAPv2. The authentication mechanism does have advantage of less lengthy
call flow and is standard way. Additionally the operator does not require having certificate based infrastructure. The
disadvantage is that MSK is 64 bytes but with 32 byte key & remaining 32 bytes as zeros as opposed to EAP-AKA