Cisco ASR 5000 series Product Overview page 493


PDG/TTG Overview

9. The AAA server sends the DEA back to the TTG with the Result-Code AVP set to Success. The EAP-Payload AVP also carries an EAP result code of Success. The TTG also receives the MSK (keying material) from the AAA server, which is used for further key computation. When using Diameter, the MSK is encapsulated in the EAP-Master-Session-Key parameter. The AAA server also includes several authorization AVPs.

   When the checks for an IMS emergency call fail, the AAA server instead sends an Authentication Answer that includes an EAP Failure to the TTG.

   Note that steps 9a and 9b (described below) may not be required if authorization attributes or AVPs are present in the Access-Accept message containing the EAP-Success. As explained in step 5 above, if the W-APN is present in all the Access-Request messages from the TTG to the AAA server, the AAA server can use the W-APN to look up the authorization database and retrieve the parameters. If the TTG has done the W-APN-to-real-APN mapping and includes the mapped APN in the AAA messages, the TTG performs steps 9a and 9b, and includes the W-APN in a separate message after successful EAP authentication.

   9a. The TTG sends an Authorization Request message with an empty EAP AVP, but containing the W-APN, to the AAA server. The AAA server checks the user's subscription information to determine whether the user is authorized to establish a tunnel. The IKE SA counter for that W-APN is incremented. If the maximum number of IKE SAs for that W-APN is exceeded, the AAA server sends an indication to the TTG that established the oldest active IKE SA (it could be the same TTG or a different one) to delete that oldest established IKE SA. The AAA server then updates the counters tracking the active IKE SAs for the W-APN accordingly.

   9b. The AAA server sends the AA-Answer to the TTG. The AAA server includes the IMSI within the AA-Answer.

10. The TTG sends the IKE_AUTH Response back to the UE with the EAP payload.

11. The UE sends the final IKE_AUTH Request with the AUTH payload computed from the keys. The TTG uses the MSK to generate the AUTH parameters in order to authenticate the IKE_SA_INIT phase messages. These first two messages had not been authenticated before, as no key material was available yet. When EAP is used over IKEv2, the shared secret generated in the EAP exchange (the MSK) is used to generate the AUTH parameters. The TTG processes the IKE_AUTH Request, checks the validity of the AUTH payload, and initiates PDP context activation with the GGSN.

12. The TTG sends a Create PDP Context Request to the GGSN. The GGSN processes the request and assigns an IP address to the UE.

13. The GGSN sends a Create PDP Context Response to the TTG. The TTG sets up an IPSec SA.

14. The TTG sends an IKE_AUTH Response with the AUTH payload computed from the MSK. The TTG assigns the IP address received from the GGSN to the UE in the configuration payload, along with DNS addresses and other parameters.

15. The TTG session/IPSec SA is fully established and ready for data transfer.
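The per-W-APN IKE SA limit of step 9a, and the AA-Answer of step 9b, modelled as an added example. This is not Cisco's code or the AAA server's implementation; the class name, the subscription table and the "oldest SA first" eviction are assumptions drawn only from the description above, and the IMSI, W-APN and SPI values are constructed.

```python
"""Added example: a minimal model of the AAA-side per-W-APN IKE SA counter
described in step 9a/9b.  Not ASR 5000 code; all names and values are
constructed for illustration."""
from collections import OrderedDict


class WapnSaTracker:
    """Tracks active IKE SAs per W-APN and enforces a maximum (hypothetical class)."""

    def __init__(self, max_per_wapn: int, subscriptions: dict):
        self.max_per_wapn = max_per_wapn
        # imsi -> set of W-APNs the subscriber may tunnel to (constructed subscription data)
        self.subscriptions = subscriptions
        # wapn -> OrderedDict[(ttg_id, ike_spi)] in order of establishment (oldest first)
        self.active = {}

    def authorize(self, imsi: str, wapn: str, ttg_id: str, ike_spi: str) -> dict:
        """Handle one Authorization Request (step 9a) and build the AA-Answer (step 9b).

        Returns a dict with the result, the IMSI the AAA server echoes back, and,
        when the W-APN limit is exceeded, which TTG must delete which (oldest) SA.
        """
        # Subscription check first: an unauthorised user does not touch the counter.
        if wapn not in self.subscriptions.get(imsi, set()):
            return {"result": "FAILURE", "imsi": imsi, "delete_oldest": None}

        sas = self.active.setdefault(wapn, OrderedDict())
        sas[(ttg_id, ike_spi)] = imsi          # increment: record the new SA as newest
        delete = None
        if len(sas) > self.max_per_wapn:
            # Oldest established SA for this W-APN is evicted, whichever TTG owns it.
            oldest_key = next(iter(sas))
            del sas[oldest_key]
            delete = {"ttg_id": oldest_key[0], "ike_spi": oldest_key[1]}
        return {"result": "SUCCESS", "imsi": imsi, "delete_oldest": delete}

    def count(self, wapn: str) -> int:
        """Active IKE SAs currently tracked for a W-APN."""
        return len(self.active.get(wapn, ()))


def demo() -> dict:
    """Three tunnels to one W-APN with a limit of two, plus one unsubscribed attempt."""
    tracker = WapnSaTracker(
        max_per_wapn=2,
        subscriptions={"001010123456789": {"wapn.example"}},   # constructed IMSI/W-APN
    )
    first = tracker.authorize("001010123456789", "wapn.example", "ttg-1", "spi-a")
    second = tracker.authorize("001010123456789", "wapn.example", "ttg-2", "spi-b")
    third = tracker.authorize("001010123456789", "wapn.example", "ttg-1", "spi-c")
    denied = tracker.authorize("001010999999999", "wapn.example", "ttg-1", "spi-d")
    return {
        "first": first, "second": second, "third": third, "denied": denied,
        "active_after": tracker.count("wapn.example"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The third request succeeds but carries the instruction to delete the SA that `ttg-1` established first, which is the cross-TTG behaviour the step describes; a subscriber without that W-APN in its profile is refused before any counter changes.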
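Steps 11 and 14 say the AUTH payloads are computed from the MSK and retroactively authenticate the IKE_SA_INIT messages. The following added example shows that derivation as RFC 7296 (sections 2.15 and 2.16) specifies it for EAP methods that produce an MSK; it is not Cisco's code or the TTG's implementation. HMAC-SHA-256 as the negotiated PRF, and every byte string used (MSK, IKE_SA_INIT messages, nonces, SK_pi/SK_pr, ID payloads) are constructed assumptions.

```python
"""Added example: IKEv2 AUTH payload derivation from the EAP MSK (RFC 7296 2.15/2.16).
Not ASR 5000 code; all key material below is constructed for illustration."""
import hashlib
import hmac

KEY_PAD = b"Key Pad for IKEv2"   # fixed pad string from RFC 7296 section 2.15


def prf(key: bytes, data: bytes) -> bytes:
    """The PRF negotiated in IKE_SA_INIT; HMAC-SHA-256 is assumed for this example."""
    return hmac.new(key, data, hashlib.sha256).digest()


def signed_octets(real_message: bytes, peer_nonce: bytes,
                  sk_p: bytes, rest_of_id_payload: bytes) -> bytes:
    """SignedOctets = RealMessage | peer nonce data | prf(SK_p, ID payload without generic header).

    Binding the IKE_SA_INIT message in here is what lets IKE_AUTH authenticate the
    first two messages of the exchange after the fact (step 11)."""
    return real_message + peer_nonce + prf(sk_p, rest_of_id_payload)


def auth_from_msk(msk: bytes, octets: bytes) -> bytes:
    """RFC 7296 2.16: with an EAP-generated MSK, AUTH = prf(prf(MSK, pad), SignedOctets)."""
    return prf(prf(msk, KEY_PAD), octets)


def verify_auth(msk: bytes, octets: bytes, received_auth: bytes) -> bool:
    """Recompute AUTH locally and compare in constant time."""
    return hmac.compare_digest(auth_from_msk(msk, octets), received_auth)


def run_exchange(tamper_sa_init: bool = False, wrong_msk: bool = False) -> dict:
    """Simulate step 11 (UE's AUTH, checked by the TTG) and step 14 (TTG's AUTH, checked by the UE).

    tamper_sa_init: the TTG's copy of the IKE_SA_INIT request differs from what the UE sent.
    wrong_msk:      the MSK the TTG received from the AAA server does not match the UE's.
    """
    # Constructed sample material (not from a real capture).
    msk = bytes(range(64))                                   # 64-byte MSK, as delivered in EAP-Master-Session-Key
    sa_init_req = b"IKE_SA_INIT request: SAi1|KEi|Ni"        # RealMessage1 as sent by the UE
    sa_init_resp = b"IKE_SA_INIT response: SAr1|KEr|Nr"      # RealMessage2 as sent by the TTG
    nonce_i, nonce_r = b"\x11" * 16, b"\x22" * 16
    sk_pi, sk_pr = b"\x33" * 32, b"\x44" * 32                # would come from the SKEYSEED derivation
    id_i = b"\x03\x00\x00\x00" + b"0<IMSI>@nai.example"       # ID_RFC822_ADDR; placeholder NAI
    id_r = b"\x02\x00\x00\x00" + b"ttg.example"               # ID_FQDN; placeholder

    # Step 11: the UE signs its own view of the exchange with the MSK it derived during EAP.
    octets_i = signed_octets(sa_init_req, nonce_r, sk_pi, id_i)
    auth_i = auth_from_msk(msk, octets_i)

    # The TTG recomputes from its own view and from the MSK received in step 9.
    ttg_msk = bytes(reversed(msk)) if wrong_msk else msk
    ttg_view_req = sa_init_req + b"X" if tamper_sa_init else sa_init_req
    ue_auth_ok = verify_auth(ttg_msk, signed_octets(ttg_view_req, nonce_r, sk_pi, id_i), auth_i)

    # Step 14: the TTG signs its IKE_SA_INIT response; the UE verifies with its MSK.
    octets_r = signed_octets(sa_init_resp, nonce_i, sk_pr, id_r)
    auth_r = auth_from_msk(ttg_msk, octets_r)
    ttg_auth_ok = verify_auth(msk, octets_r, auth_r)

    return {"ue_auth_verified": ue_auth_ok, "ttg_auth_verified": ttg_auth_ok, "auth_len": len(auth_i)}


if __name__ == "__main__":
    print("normal:", run_exchange())
    print("tampered IKE_SA_INIT:", run_exchange(tamper_sa_init=True))
    print("MSK mismatch:", run_exchange(wrong_msk=True))
```

Two failure modes matter to a TTG operator: a modified IKE_SA_INIT request makes the UE's AUTH fail at the TTG even though every key is correct, and an MSK that does not match on both ends (for example, a wrong key delivered over Diameter) makes both AUTH payloads fail, so the session never reaches the PDP context activation of step 12.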
OL-22938-02
How the PDG/TTG Works
Cisco ASR 5000 Series Product Overview
