Cisco ASR 5000 series Product Overview page 440

▀ Sample Deployments
Step Description
2 The MS initiates IKE_AUTH exchange messages with the PDIF/FA. The MS omits the AUTH parameter to the PDIF/FA,
indicating that it wants to use EAP over IKEv2. The MS includes its identity in the IDi payload of the IKE_AUTH request.
The IDi is set to be the same as the NAI and the NAI realm is chosen appropriately for M-NAI devices.The MS embeds the
MAC address of the WiFi access point (AP) in the NAI and includes the IKEv2 configuration payload. Attributes included
in the CFG_REQUEST are at least the INTERNAL_IP4_ADDRESS (with the length set to zero), the
INTERNAL_IP4_DNS, and the 3GPP2_MIP_MODE.
3 When the PDIF/FA receives the IKE_AUTH request, it checks if MAC address authorization is enabled. If so, the
PDIF/FA uses the ims-sh-service interface to the HSS and requests the list of authorized APs for this user via a User Data
Request (UDR).
4 The HSS answers with the list of authorized WiFi APs for the user.
5 After checking that the AP MAC address in the realm portion of the NAI matches with one of the authorized MAC
addresses received from the HSS, the PDIF/FA strips the AP MAC address from the realm portion of the NAI and sends
the resulting NAI as an EAP response identity to the H-AAA using a RADIUS Access-Request message. This message
includes at least the user-name set as the NAI being sent in the EAP response identity, the 3GPP2 correlation ID, the EAP-
Message attribute, and the message-authenticator attribute.
6 The H-AAA verifies the identity and checks that WiFi service is allowed for the subscriber. The H-AAA generates a
random value RAND and AUTN based on the shared DMU CHAP-key and a sequence number.The H-AAA sends the
EAP-Request/AKA Challenge to the PDIF/FA via a RADIUS access-challenge. The EAP-Request/AKA Challenge
contains the AT_RAND, AT_AUTN, and the AT_MAC attribute to protect the integrity of the EAP message.
7 The PDIF/FA sends an IKE_AUTH response to the MS with the EAP-Request/AKA-Challenge message received from the
H-AAA.
8 The MS verifies the authentication parameters in the EAP-Request/AKA-Challenge message and if the verification is
successful, it responds to the challenge with an IKE_AUTH Request message to the PDIF/FA. The main payload of this
message is the EAP-Response/AKA-Challenge message.
9 The PDIF/FA forwards the EAP-Response/AKA-Challenge message to the H-AAA via a RADIUS access-request message
(RRQ).
10 If authentication succeeds, the H-AAA sends a RADIUS access-accept message with the EAP-message attribute containing
EAP Success. The H-AAA sends the EAP-Success and the MSK generated during the EAP-AKA authentication process to
the PDIF/FA. The 64-byte MSK is split into two 32-byte parts, with the first 32 bytes sent in the MS-MPPE-REC-KEY and
the second 32 bytes sent in the MS-MPEE-SEND-KEY.Both of these attributes (the values of which are encrypted) are
needed to construct the 64-byte MSK at the PDIF/FA. If either are missing, the PDIF/FA rejects the session. In addition,
the H-AAA sends other attributes equivalent to what it normally sends to the PDSN for a simple IP session. The attributes
include at least the following: The Framed-Pool (if required) so that the PDIF/FA can assign a TIA from the right IP
address pool, the Session-Timeout, and The Idle-Timeout.
11 The PDIF/FA forwards the EAP Success message to the MS in an IKE_AUTH Response message.
12 The MS calculates the MSK (RFC 4187) and uses it to generate the AUTH payload to authenticate the first IKE_SA_INIT
message. The MS sends the AUTH payload in an IKE_AUTH Request message to the PDIF/FA.
13 The PDIF/FA uses the MSK to check the correctness of the AUTH payload received from the MS and calculates its own
AUTH payload for the MS to verify [RFC 4306]. The PDIF/FA sends the AUTH payload to the MS together with the
Configuration Payload (CP) containing security associations and the rest of the IKEv2 parameters in the IKE_AUTH
Response message, and the IKEv2 negotiation terminates.The CP contains the TIA and IP address of the DNS servers that
the device had requested earlier. Although the MS requested a DNS address by including only a single payload option for
INTERNAL_IP4_DNS, the PDIF/FA may include both a primary DNS address and a secondary DNS address if one is
available.
▄ Cisco ASR 5000 Series Product Overview
Packet Data Interworking Function Overview
OL-22938-02