для Cisco Cisco Tunnel Terminating Gateway (TTG)
Evolved Packet Data Gateway Overview
Features and Functionality ▀
ePDG Administration Guide, StarOS Release 17 ▄
45
3. UE → ePDG: IKEv2 AUTH_REQ UE sends IKE_AUTH_REQ (IDi, AUTH, CERT, [CERTREQ], IDr, SA, CP
(CFG_REQUEST (INTERNAL_IP6_ADDRESS, [INTERNAL_IP6_DNS], [INTERNAL_IP6_PCSCF]), TSi,
TSr)). The UE does include AUTH and CERT payload to indicate that it will use the certificates (X.509) for
authenticating itself. Presence of AUTH payload indicates EAP-AKA is not used. IDi contains the NAI and
IDr does contain the APN name. Root NAI is of format X<IMSI>@
nai.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org so IMSI (virtual IMSI used for non UICC device IMSI) is
required which should be of decimal digit UICC IMSI format. One proposed approach is to use <device
prefix><MSISDN> where MSISDN is common for the associated non UICC and UICC devices but its
operator decision and ePDG shall be able to handle it until its unique per non UICC device and is in UICC
IMSI format. The certificate SUBJECT/CN field shall be containing the IMSI or NAI as it's identifier. ePDG
uses received public key as part of certificates for authenticating the UE. OCSP shall be used for checking the
revocation status during the certificates based device authentication. OCSP communication is optional means if
the OCSP responder is absent in operator infrastructure then the ePDG shall be authenticating the device using
the configured Root CA certificate.Note :The device can share the certificates (X.509) or can communicate the
URL to ePDG for downloading the device certificates. Both the mechanism are supported on ePDG.
TSr)). The UE does include AUTH and CERT payload to indicate that it will use the certificates (X.509) for
authenticating itself. Presence of AUTH payload indicates EAP-AKA is not used. IDi contains the NAI and
IDr does contain the APN name. Root NAI is of format X<IMSI>@
nai.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org so IMSI (virtual IMSI used for non UICC device IMSI) is
required which should be of decimal digit UICC IMSI format. One proposed approach is to use <device
prefix><MSISDN> where MSISDN is common for the associated non UICC and UICC devices but its
operator decision and ePDG shall be able to handle it until its unique per non UICC device and is in UICC
IMSI format. The certificate SUBJECT/CN field shall be containing the IMSI or NAI as it's identifier. ePDG
uses received public key as part of certificates for authenticating the UE. OCSP shall be used for checking the
revocation status during the certificates based device authentication. OCSP communication is optional means if
the OCSP responder is absent in operator infrastructure then the ePDG shall be authenticating the device using
the configured Root CA certificate.Note :The device can share the certificates (X.509) or can communicate the
URL to ePDG for downloading the device certificates. Both the mechanism are supported on ePDG.
4. ePDG → OCSP responder : OCSP request ePDG sends the OCSP request containing the certificate identifier.
5. OCSP responder → ePDG :OCSP Response OCSP responder checks and returns back the revocation status of
5. OCSP responder → ePDG :OCSP Response OCSP responder checks and returns back the revocation status of
the certificate. At this stage ePDG completes the authentication of the device.
6. ePDG → AAA server :AAR The ePDG sends the AA-Request (Session-Id, Auth-Application-Id, Origin-Host,
Origin-Realm, Destination-Host, Destination-Realm, Auth-Request-Type (AUTHORIZE_AUTHENTICATE),
User-Name (NAI)) message to the 3GPP AAA server. ePDG communicates the NAI for AAA to check UE
identity and authorize the same.
User-Name (NAI)) message to the 3GPP AAA server. ePDG communicates the NAI for AAA to check UE
identity and authorize the same.
7. AAA server → HSS :SAR The 3GPP AAA updates the HSS with the 3GPP AAA Server Address information
for the user. The AAA sends Server-Assignment-Request (Session-Id, Auth-Session-State
(NO_STATE_MAINTAINED), Origin-Host, Origin-Realm, Destination-Host, Destination-Realm, User-Name
(IMSI-NAI), Server-Assignment-Type (REGISTRATION)). Note :As this call flow is not defined in 3GPP yet
so the proposed message between AAA to HSS is to be decided by AAA & HSS vendors however based on
existing SWx interface messages have proposed the usage of SAR.
(NO_STATE_MAINTAINED), Origin-Host, Origin-Realm, Destination-Host, Destination-Realm, User-Name
(IMSI-NAI), Server-Assignment-Type (REGISTRATION)). Note :As this call flow is not defined in 3GPP yet
so the proposed message between AAA to HSS is to be decided by AAA & HSS vendors however based on
existing SWx interface messages have proposed the usage of SAR.
8. HSS → AAA server :SAA The HSS sends Server-Assignment-Answer (Session-Id, Result-Code, Experimental-
Result (Vendor-Id, Experimental-Result-Code), Non-3GPP-User-Data {Subscription-ID (END_USER_E164,
MSISDN), Non-3GPP-IP-Access (NON_3GPP_SUBSCRIPTION_ALLOWED), Non-3GPP-IP-Access-APN
(Non_3GPP_APNS_ENABLE), APN-Configuration , ANID (WLAN)}, APN-OI-Replacement, APN-
Configuration})
MSISDN), Non-3GPP-IP-Access (NON_3GPP_SUBSCRIPTION_ALLOWED), Non-3GPP-IP-Access-APN
(Non_3GPP_APNS_ENABLE), APN-Configuration , ANID (WLAN)}, APN-OI-Replacement, APN-
Configuration})
9. AAA server → ePDG: AA-Answer The 3GPP AAA Server responds with AAA (Session-Id, Auth-Application-
Id, Auth-Request-Type, Origin-Host, Origin-Realm, Result-Code, User-Name, APN-Configuration, 3GPP-
Charging-Characteristics, Subscription-ID)
Charging-Characteristics, Subscription-ID)
10. ePDG → DNS server: DNS(NAPTR/AAAA) query ePDG sends DNS query to DNS server with APN/PGW
FQDN for PGW resolution.
11. DNS server → ePDG:DNS query response DNS server returns the PGW address to ePDG as part of DNS
AAAA/A response.
12. ePDG → PGW: S2b Create Session Req ePDG selects PGW based on DNS mechanism using APN/PGW
FQDN. The ePDG sends Create Session Request (IMSI, [MSISDN],Serving Network, RAT Type (WLAN),
Indication Flags, Sender F-TEID for C-plane, APN, Selection Mode, PAA, APN-AMBR, [APCO], Bearer
Contexts(), [Recovery], [Private IE (P-CSCF)]). Selection Mode shall be set to "MS or network provided APN
subscribed verified". Private IE is populated if the UE request P-CSCF addresses. The PGW performs the
necessary interactions with 3GPP-AAA, PCRF and OCS/OFCS.
Indication Flags, Sender F-TEID for C-plane, APN, Selection Mode, PAA, APN-AMBR, [APCO], Bearer
Contexts(), [Recovery], [Private IE (P-CSCF)]). Selection Mode shall be set to "MS or network provided APN
subscribed verified". Private IE is populated if the UE request P-CSCF addresses. The PGW performs the
necessary interactions with 3GPP-AAA, PCRF and OCS/OFCS.
13. PGW → ePDG: Create Session Resp The PGW allocates the requested IP address session and responds back to
the ePDG with a Create Session Response (Cause, PGW S2b F-TEID, PAA, [APN-AMBR],[APCO],Bearer
Contexts Created (EPS Bearer ID, Cause, [TFT], S2b-U PGW F-TEID, Bearer Level QoS), [Recovery],
[Private IE (P-CSCF)]) message.
Contexts Created (EPS Bearer ID, Cause, [TFT], S2b-U PGW F-TEID, Bearer Level QoS), [Recovery],
[Private IE (P-CSCF)]) message.
14. ePDG → UE: IKEv2 AUTH_RESP ePDG sends IKE_AUTH_RESP (AUTH, IDr, [CERT (X509
CERTIFICATE SIGNATURE)], CP, SA, CFG_REPLY ([INTERNAL_IP4_ADDRESS],
[INTERNAL_IP4_NETMASK], [INTERNAL_IP4_DNS], INTERNAL_IP6_ADDRESS,
INTERNAL_IP6_SUBNET, INTERNAL_IP6_DNS, [P-CSCF]) TSi, TSr)
[INTERNAL_IP4_NETMASK], [INTERNAL_IP4_DNS], INTERNAL_IP6_ADDRESS,
INTERNAL_IP6_SUBNET, INTERNAL_IP6_DNS, [P-CSCF]) TSi, TSr)