First-Phase Authentication - Cisco ASR 5000 series Product Overview

Packet Data Interworking Function Overview
PDIF translates this Access-Accept message into an EAP Success message, and returns this in an IKE_AUTH Response
message.
It is possible that some MSs may not support CHAP authentication. In this case, the MS is expected to return the EAP
payload with a legacy-Nak message when the PDIF sends an MD5-Challenge message. Upon receipt of the legacy-Nak
message, the PDIF initiates an EAP-GTC procedure. When the MS returns EAP-GTC including its own password, the
PDIF sends a RADIUS Access Request message which includes an NAI, a password, and an IMSI number. Once the
AAA server returns an Access-Accept message, attributes such as Framed-IP-Address and HA address are expected for
the subsequent session setup processing. The PDIF translates the Access-Accept message as EAP success, and returns
this in an IKE_AUTH Response message.
If EAP-GTC is configured, then the EAP-GTC method is used instead of the EAP-MD5 method.
The PDIF does the following for IKEv2 and RADIUS authentication:
The PDIF terminates EAP-MD5/GTC authentication. The PDIF understands the values in the EAP payload, and maps
them as RADIUS attributes for CHAP/PAP authentication.
Upon request from the MS, the PDIF performs EAP-GTC authentication instead of EAP-MD5.
Each domain profile may be configured with two AAA groups, one for Diameter and the other for RADIUS.
In deployments where both NAI happen to be the same for both authentications, it will point to the same AAA group
and thereafter only one protocol (either RADIUS or Diameter) is used.
There are cases where the domain template may not be associated with a given NAI. In such cases, the default AAA
groups are used for authentication. Since authentication happens in two phases, and each using Diameter and RADIUS
AAA groups respectively, there needs to be two default AAA groups (one for Diameter authentication and one for
RADIUS authentication) for multiple authentication. The default AAA groups are configured in the PDIF service.

First-Phase Authentication

During first-phase authentication, the HSS authenticates the device. The MS first sends an NAI for device
authentication. After the successful EAP-AKA transaction between the MS and the HSS, the HSS is expected to return
an IMSI number for this subscriber. The PDIF takes this authorized IMSI number for session management.
This authentication method uses EAP between the MS and the AAA server, and the PDIF acts as a pass-through agent.
Important:
Depending on the number of HSSs in the network, it is possible that a Subscription Locator Function (SLF) would be
introduced into the network as a Diameter proxy or relay agent. If deployed, the SLF would be the first point of contact
for the PDIF.
The protocol stack between the PDIF and the HSS/SLF is Diameter over SCTP over IPv6.
Second-Phase Authentication
Second-phase authentication uses EAP-MD5 or EAP-GTC authentication with IKEv2 using a legacy RADIUS server,
which does not understand or implement EAP. This could be the same AAA server as those deployed in any existing
EV-DO network. In this case, EAP authentication happens between the MS and the PDIF.
The protocol stack between the PDIF and the AAA server is RADIUS over UDP over IPv4.
OL-22938-02
First-phase authentication must use the EAP-AKA method.
Features and Functionality - Licensed Enhanced Feature Support ▀
Cisco ASR 5000 Series Product Overview ▄