для Cisco Cisco Packet Data Gateway (PDG)
Evolved Packet Data Gateway Overview
▀ Features and Functionality
▄ ePDG Administration Guide, StarOS Release 18
54
EAP-TTLS so can indicate using "A". ePDG shall be transparent to received prefix and shall send to AAA
server so that operator is free to use any prefix except the defined ones.
server so that operator is free to use any prefix except the defined ones.
4. ePDG → AAA server :DER The ePDG sends the DER (Session-Id, Auth-Application-Id, Origin-Host, Origin-
Realm, Destination-Host, Destination-Realm, Auth-Request-Type(AUTHORIZE_AUTHENTICATE), EAP-
Payload, User-Name (NAI), RAT-Type(WLAN), MIP6-Feature-Vector, Visited-Network-Identifier) message
to the 3GPP AAA Server. The EAP-Payload shall contain the UE identity encoded by ePDG.
Payload, User-Name (NAI), RAT-Type(WLAN), MIP6-Feature-Vector, Visited-Network-Identifier) message
to the 3GPP AAA Server. The EAP-Payload shall contain the UE identity encoded by ePDG.
5. AAA server → ePDG: DEA The 3GPP AAA Server initiates the authentication challenge and responds with
DEA (Session-Id, Base AVPs, Auth-Request-Type and EAP-Payload). The EAP-Payload shall contain the
EAP-TTLS/Start, the Start 'S' bit is set with no data.
EAP-TTLS/Start, the Start 'S' bit is set with no data.
6. ePDG → UE: IKEv2 AUTH_RESP ePDG sends IKE_AUTH_RESP (IDr, [CERT (X509 CERTIFICATE
SIGNATURE)], EAP Payload) The IDr is the identity of the ePDG and if the UE requests for certificates then
CERT is included. The EAP message received from the 3GPP AAA Server (EAP-Request/Start) is included in
order to start the EAP procedure over IKEv2.
CERT is included. The EAP message received from the 3GPP AAA Server (EAP-Request/Start) is included in
order to start the EAP procedure over IKEv2.
7. UE → ePDG: IKEv2 AUTH_REQ UE sends IKE_AUTH_REQ (EAP payload) containing the TLS client hello
handshake message.
8. ePDG → AAA server :DER The ePDG sends the DER (Session-Id, Auth-Application-Id, Origin-Host, Origin-
Realm, Destination-Host, Destination-Realm, Auth-Request-Type(AUTHORIZE_AUTHENTICATE), EAP-
Payload, User-Name (NAI), RAT-Type(WLAN), MIP6-Feature-Vector, Visited-Network-Identifier) message
to the 3GPP AAA Server. The EAP-Payload shall contain the TLS client hello handshake message.
Payload, User-Name (NAI), RAT-Type(WLAN), MIP6-Feature-Vector, Visited-Network-Identifier) message
to the 3GPP AAA Server. The EAP-Payload shall contain the TLS client hello handshake message.
9. AAA server → ePDG: DEA The 3GPP AAA Server initiates the authentication challenge and responds with
DEA (Session-Id, Base AVPs, Auth-Request-Type and EAP-Payload). The AAA server will then respond with
an EAP-Request packet with EAP-Type=EAP-TTLS. The data field of this packet will encapsulate one or
more TLS records. These will contain a TLS server_hello handshake message, possibly followed by TLS
certificate, server_key_exchange, server_hello_done and/or finished handshake messages, and/or a TLS
change_cipher_spec message.
an EAP-Request packet with EAP-Type=EAP-TTLS. The data field of this packet will encapsulate one or
more TLS records. These will contain a TLS server_hello handshake message, possibly followed by TLS
certificate, server_key_exchange, server_hello_done and/or finished handshake messages, and/or a TLS
change_cipher_spec message.
10. ePDG → UE: IKEv2 AUTH_RESP ePDG sends IKE_AUTH_RESP (EAP Payload) The EAP payload shall
contain the TLS message as received from the AAA server.
11. UE → ePDG: IKEv2 AUTH_REQ The UE sends EAP message in IKE_AUTH Request (EAP). The data field of
this packet MUST encapsulate one or more TLS records containing a TLS client_key_exchange,
change_cipher_spec, and finished messages.
change_cipher_spec, and finished messages.
12. ePDG → AAA server :DER The ePDG sends the DER (Session-Id, Auth-Application-Id, Origin-Host,Origin-
Realm, Destination-Host, Destination-Realm, Auth-Request-Type(AUTHORIZE_AUTHENTICATE), EAP-
Payload) message to the3GPP AAA Server. The EAP-Payload shall contain the message as sent by UE.
Payload) message to the3GPP AAA Server. The EAP-Payload shall contain the message as sent by UE.
13. AAA server → ePDG: DEA The 3GPP AAA Server on successful authentication responds with DEA (Session-
Id, Base AVPs, Auth-Request-Type and EAP-Payload) where EAP-Payload does contain the TLS finished
message.
message.
14. ePDG → UE: IKEv2 AUTH_RESP ePDG sends IKE_AUTH_RESP (EAP Payload) The EAP payload shall
contain the TLS message as received from the AAA server. This stage the first phase of TTLS is done
completing the TLS handshake and AAA server is authenticated by device and keys are generated to secure
subsequent message handling.
completing the TLS handshake and AAA server is authenticated by device and keys are generated to secure
subsequent message handling.
15. UE → ePDG: IKEv2 AUTH_REQ The UE sends EAP message in IKE_AUTH Request (EAP) with user-name,
MS-CHAP2- Response, MS-CHAP Challenge AVPs.
16. ePDG → AAA server :DER The ePDG sends the DER (Session-Id, Auth-Application-Id, Origin-Host, Origin-
Realm, Destination-Host, Destination-Realm, Auth-Request-Type(AUTHORIZE_AUTHENTICATE), EAP-
Payload) message to the3GPP AAA Server. The EAP-Payload shall contain the message as sent by UE.
Payload) message to the3GPP AAA Server. The EAP-Payload shall contain the message as sent by UE.
17. AAA server → ePDG: DEA The 3GPP AAA Server on successful authentication responds with DEA (Session-
Id, Base AVPs, Auth-Request-Type and EAP-Payload), Upon receipt of these AVPs from the UE, the AAA
server MUST verify that the value of the MS-CHAP-Challenge AVP and the value of the Ident in the client's
MS-CHAP2-Response AVP are equal to the values generated as challenge material. If either item does not
match exactly, the AAA server MUST reject the UE. In success case, AAA shall encode the MS-CHAP2-
Success attribute.
server MUST verify that the value of the MS-CHAP-Challenge AVP and the value of the Ident in the client's
MS-CHAP2-Response AVP are equal to the values generated as challenge material. If either item does not
match exactly, the AAA server MUST reject the UE. In success case, AAA shall encode the MS-CHAP2-
Success attribute.
18. ePDG → UE: IKEv2 AUTH_RESP ePDG sends IKE_AUTH_RESP (EAP Payload) The EAP payload shall
contain the EAP-TTLS message as received from the AAA server.