Cisco Packet Data Gateway (PDG)
Evolved Packet Data Gateway Overview
Features and Functionality
ePDG Administration Guide, StarOS Release 18
52
EAP-Payload, User-Name (0<IMSI>@mnc<mnc val>.mcc<mcc val>.pub.3gppnetwork.org), EAP-Master-Session-Key,
APN-Configuration (Context-Identifier, PDN-Type: IPv4v6, Service-Selection (apn name), MIP6-Agent-Info),
Auth-Session-State: STATE_MAINTAINED, Origin-State-Id). At this point the device is authenticated and
authorized by the AAA server.
18. ePDG → UE: IKEv2 AUTH_RESP The ePDG sends IKE_AUTH_RESP (EAP Payload). The EAP payload shall
contain the TLS message as received from the AAA server.
19. UE → ePDG: IKEv2 AUTH_REQ The UE sends an IKE_AUTH request (AUTH). The UE takes its own copy of the
MSK as input to generate the AUTH parameter, which authenticates its first IKE_SA_INIT message.
20. ePDG → PGW: S2b Create Session Req The ePDG sends Create Session Request (IMSI, [MSISDN], Serving
Network, RAT Type (WLAN), Indication Flags, Sender F-TEID for C-plane, APN, Selection Mode, PAA,
APN-AMBR, [APCO], Bearer Contexts(), [Recovery], [Private IE (P-CSCF)]). Selection Mode shall be set to
"MS or network provided APN subscribed verified". The PGW performs the necessary interactions with the 3GPP
AAA, PCRF and OCS/OFCS. The ePDG shall set the HO bit in the Indication Flags IE and also carry the preserved
IP address, as received from the UE, in the PAA IE.
21. PGW → ePDG: Create Session Resp The PGW allocates the requested IP address for the session and responds
to the ePDG with a Create Session Response (Cause, PGW S2b F-TEID, PAA, [APN-AMBR], APCO, Bearer
Contexts Created (EPS Bearer ID, Cause, [TFT], S2b-U PGW F-TEID, Bearer Level QoS), [Recovery],
[Private IE (P-CSCF)]) message.
22. ePDG → UE: IKEv2 AUTH_RESP The ePDG sends IKE_AUTH_RESP (AUTH, CP, SA,
CFG_REPLY([INTERNAL_IP4_ADDRESS], [INTERNAL_IP4_NETMASK], [INTERNAL_IP4_DNS],
INTERNAL_IP6_ADDRESS, INTERNAL_IP6_SUBNET, INTERNAL_IP6_DNS, [P-CSCF]), TSi, TSr). At
this stage the ePDG has completed the IPsec SA and tunnel setup as well as the GTP-U tunnel setup, thus completing
the data path. The IP address provided by the PGW is communicated to the UE.
23. ePDG → UE: IPv6 RA The assumption is that the UE IP stack needs the Router Advertisement to initialize its address.
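The AUTH computation behind steps 17 and 19, as an added Python example (not code from this guide or from StarOS): the UE derives AUTH from its copy of the EAP MSK as RFC 7296 sections 2.15 and 2.16 specify, and the ePDG recomputes it from the EAP-Master-Session-Key the AAA server returned, so only a peer that completed EAP against the AAA server can bind itself to the IKE SA. The PRF (HMAC-SHA-256), the IKE_SA_INIT bytes, nonce, SK_pi and the IMSI-based IDi are constructed sample values.

```python
import hashlib
import hmac

KEY_PAD = b"Key Pad for IKEv2"  # fixed string from RFC 7296 section 2.15

def prf(key: bytes, data: bytes) -> bytes:
    # PRF_HMAC_SHA2_256 is assumed as the PRF negotiated in IKE_SA_INIT.
    return hmac.new(key, data, hashlib.sha256).digest()

def ikev2_auth(msk: bytes, own_sa_init_msg: bytes, peer_nonce: bytes,
               sk_p: bytes, own_id_body: bytes) -> bytes:
    """AUTH for the EAP shared-key case (RFC 7296 sections 2.15 and 2.16).

    own_sa_init_msg: the complete IKE_SA_INIT message this party sent
    peer_nonce     : the other party's nonce data (without payload header)
    sk_p           : SK_pi for the initiator (UE), SK_pr for the responder
    own_id_body    : this party's ID payload without its 4-byte generic header
    """
    maced_id = prf(sk_p, own_id_body)
    signed_octets = own_sa_init_msg + peer_nonce + maced_id
    return prf(prf(msk, KEY_PAD), signed_octets)

def epdg_verifies_ue_auth(msk_from_aaa: bytes, ue_sa_init_msg: bytes,
                          nonce_r: bytes, sk_pi: bytes, idi_body: bytes,
                          received_auth: bytes) -> bool:
    """ePDG side of step 19: recompute AUTH from the EAP-Master-Session-Key
    delivered by the AAA server in step 17 and compare in constant time."""
    expected = ikev2_auth(msk_from_aaa, ue_sa_init_msg, nonce_r, sk_pi, idi_body)
    return hmac.compare_digest(expected, received_auth)

# Constructed sample values (not real keys or captured traffic).
MSK = bytes(range(64))                                  # 64-byte EAP MSK
SK_PI = hashlib.sha256(b"sample SK_pi").digest()        # from the IKE key schedule
NONCE_R = b"\x11" * 32                                  # ePDG nonce from IKE_SA_INIT
UE_SA_INIT = b"\x00" * 28 + b"sample IKE_SA_INIT body"  # bytes of the UE's first message
# IDi body: ID_RFC822_ADDR (type 3) + 3 reserved bytes + 0<IMSI>@realm NAI (sample IMSI)
IDI = bytes([3, 0, 0, 0]) + b"0001010123456789@mnc001.mcc001.pub.3gppnetwork.org"

def demo() -> tuple:
    # The UE signs with its own MSK copy; the ePDG checks with the AAA copy.
    ue_auth = ikev2_auth(MSK, UE_SA_INIT, NONCE_R, SK_PI, IDI)
    accepted = epdg_verifies_ue_auth(MSK, UE_SA_INIT, NONCE_R, SK_PI, IDI, ue_auth)
    # A peer that does not hold the AAA-issued MSK cannot produce a valid AUTH.
    rejected = epdg_verifies_ue_auth(bytes(64), UE_SA_INIT, NONCE_R, SK_PI, IDI, ue_auth)
    return accepted, rejected
```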
EAP-TTLS authentication mechanism Call Flow
The EAP-TTLS based approach is useful when the operator has no certificate-based infrastructure in place to
configure a certificate for each device. Unlike EAP-TLS, it enables device authentication without certificates, using
customized AVPs. Here an MSCHAPv2 based authentication mechanism has been defined. In this case the AAA server needs to
provide a key, similar to the MSK, to the ePDG for validating and generating the AUTH payload during the IKEv2 exchange. The following
diagram shows the call flow for EAP-TTLS based authentication: