Troubleshooting Guide for the Cisco Packet Data Gateway (PDG)
ASN Gateway Service Operation and Configuration
Terminology
Cisco ASR 5000 Series Access Service Network Gateway Administration Guide
OL-22953-01
AAA Realms
An AAA realm is the location within the AAA context where you define subscriber-specific templates that are applied
to subscribers who match that realm. An AAA realm is considered part of the AAA context, and the AAA context itself
is also considered a realm. You may define many different AAA realms within a single AAA context.
As an example of a realm, within a source context named ingress, there could be a domain alias of domain1.com,
another domain alias of domain2.com, and a single AAA configuration used by the entire system. In this example, the
source context is also serving as an AAA context. There are three specific AAA realms in this case: ingress,
domain1.com, and domain2.com, since all three could have their own defined subscriber templates.
The primary purpose of an AAA realm is to host a subscriber template for each realm that provides AAA attributes that
may be used if an authenticated subscriber's access-accept message from RADIUS fails to contain certain attributes. In
this case, the default attributes contained in the realm-based subscriber template are used. However, if the RADIUS
authentication message contains an attribute from that subscriber's RADIUS user profile, then that information
overwrites any default attribute parameters that are contained in the subscriber template.
More information about subscriber templates will be provided later in this chapter when subscribers are discussed.
Each realm must have a unique name since each realm name can only be used in one context in one system.
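The realm selection and attribute precedence described above, as an added example that is not part of the Cisco guide: the realm is chosen from the domain part of the subscriber's NAI (falling back to the AAA context, which is itself a realm), template defaults fill in only what the RADIUS Access-Accept omits, and every attribute returned by RADIUS overwrites the template default. The realm names, attribute names and values are constructed for illustration.

```python
# Added example (not from the Cisco guide): how a realm-based subscriber template
# supplies default AAA attributes that a RADIUS Access-Accept may override.
# Realm names, attribute names and values below are constructed for illustration.

# Subscriber templates keyed by realm name. "ingress" is the AAA context itself
# (which also counts as a realm); the domain aliases are additional realms.
REALM_TEMPLATES = {
    "ingress": {"Idle-Timeout": 600, "Session-Timeout": 86400, "Framed-MTU": 1400},
    "domain1.com": {"Idle-Timeout": 300, "Session-Timeout": 3600},
    "domain2.com": {"Idle-Timeout": 1200, "Filter-Id": "domain2-acl"},
}


def select_realm(nai: str, templates: dict, context_realm: str = "ingress") -> str:
    """Pick the realm for a subscriber from the domain part of the NAI.

    A domain alias with its own template is its own realm; otherwise the
    subscriber falls back to the AAA context, which is also a realm.
    """
    domain = nai.rpartition("@")[2].lower() if "@" in nai else ""
    return domain if domain in templates else context_realm


def resolve_attributes(nai: str, access_accept: dict, templates: dict = REALM_TEMPLATES) -> dict:
    """Merge realm template defaults with the RADIUS Access-Accept attributes.

    Template values apply only where the Access-Accept is silent; any attribute
    the RADIUS user profile does return overwrites the template default.
    Returns the realm used and each effective value tagged with its source,
    which is what you need when auditing why a subscriber got a given setting.
    """
    realm = select_realm(nai, templates)
    effective = {}
    for name, value in templates[realm].items():
        effective[name] = (value, f"template:{realm}")
    for name, value in access_accept.items():  # RADIUS wins on any overlap
        effective[name] = (value, "access-accept")
    return {"realm": realm, "attributes": effective}


if __name__ == "__main__":
    # Constructed Access-Accept: RADIUS returns Session-Timeout but not Idle-Timeout.
    result = resolve_attributes("alice@domain1.com", {"Session-Timeout": 7200})
    for attr, (value, source) in result["attributes"].items():
        print(f"{result['realm']}: {attr} = {value} ({source})")
```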
Authenticator
The authenticator function is part of the ASN gateway. This function performs the role of an anchored authenticator for
a specific subscriber for the duration of the session. For example, as a subscriber moves between base stations served by
the ASN gateway, the authenticator anchor remains stationary. If a subscriber moves to a base station served by a new
ASN Gateway, the anchor authenticator is hosted at the new ASN Gateway. A full re-authentication of the subscriber is
required.
The RADIUS client for authentication and accounting is collocated with the authenticator function. The ASN Gateway
acts as an EAP relay and is agnostic to the EAP method. EAP transport is performed between the ASN Gateway and the
base station as a control exchange. The base station functions as an EAP relay, converting from Pair-wise Master Key
version 2 (PKMv2) to EAP messages that it forwards to the ASN Gateway. The ASN Gateway is an EAP pass-through, and
any key-generating EAP method is supported in the system.
EAP Profile
EAP profiles are the group of EAP authentication methods, network and subscriber parameters, and other authentication
configurations for a subscriber. The Extensible Authentication Protocol (EAP) is an authentication framework used in
wireless networks and point-to-point connections. EAP provides multiple authentication methods that can be tailored to
an operator's preference for user-level, device-level, or combined user-and-device-level network authorization.
Device-level authentication is beneficial in a roaming application at the H-AAA server in the Home Network Service
Provider (H-NSP) to guard against unauthorized network access by users with stolen access devices.