IPSec Tunnel Establishment with EAP-AKA Authentication - Cisco ASR 5000 Series Administration Manual

How the FNG Works
Table 2. IPSec Tunnel Establishment

1. The FAP is assigned a device certificate during its manufacture. The private key for the certificate is stored securely on the FAP. Similarly, the FNG is assigned a server certificate. The FNG is also configured with a list of root CA certificates corresponding to the trusted device CA certificates.

2. The FAP initiates an IKEv2 exchange with the FNG, known as the IKE_SA_INIT exchange, by issuing an IKE_SA_INIT Request to negotiate cryptographic algorithms, exchange nonces, and perform a Diffie-Hellman exchange with the FNG.

3. The FNG responds with an IKE_SA_INIT Response, choosing a cryptographic suite from the initiator's offered choices and completing the Diffie-Hellman and nonce exchanges with the FAP. In addition, the FNG includes in its CERTREQ payload the list of FAP CA certificates that it will accept. For FAP authentication to succeed, the CERTREQ payload has to name at least one CA certificate that is in the trust chain of the FAP device certificate. At this point the IKE_SA_INIT exchange is complete, and all messages that follow are encrypted and integrity-protected except for their headers.

4. The FAP initiates an IKE_AUTH exchange with the FNG by setting the IDi payload to the FEID, setting the CERT payload to the FAP device certificate corresponding to the FEID, and including an AUTH payload containing a signature over the previous IKE_SA_INIT Request message (from step 2) generated with the private key of the FAP device certificate. (Per the IKEv2 specification the signed data also covers the responder's nonce and a MAC of the IDi payload, which binds the signature to this particular exchange.) The authentication method used to generate the AUTH payload is also indicated in the AUTH payload.

5. Using the CA certificate that issued the FAP device certificate, the FNG first verifies that the FAP device certificate in the CERT payload chains to a trusted CA and has not been modified, and that the identity in the IDi payload corresponds to the identity in the FAP device certificate. If this verification succeeds, the FNG uses the public key of the FAP device certificate to check the received AUTH payload against the expected value. If they match, the authentication of the FAP is successful. Otherwise, the FNG sends an IKEv2 Notification message indicating authentication failure.

6. If network policy requires femtocell subscription authorization, the FNG contacts the AAA server to verify that the FAP identified by the FEID is authorized to provide service.

7. The AAA server responds with the authorization result. If authorization fails, the FNG sends an IKEv2 Notification message indicating authorization failure. Otherwise, the FNG proceeds with server authentication.

8. The FNG responds with the IKE_AUTH Response, setting the IDr payload to the FQDN of the FNG, setting the CERT payload to the FNG server certificate corresponding to that FQDN, and including an AUTH payload containing a signature over the IKE_SA_INIT Response message (from step 3) generated with the private key of the FNG server certificate. The authentication method used to generate the AUTH payload is also indicated in the AUTH payload.

9. Using the CA certificate that issued the FNG server certificate, the FAP first verifies that the FNG server certificate in the CERT payload chains to a trusted CA and has not been modified, that the identity in the IDr payload corresponds to the identity in the server certificate, and that it matches the FNG identity learned during the FNG discovery procedures. If this verification succeeds, the FAP uses the public key of the FNG server certificate to check the received AUTH payload against the expected value. If they match, FNG server authentication is successful. This completes the IKE_AUTH exchange. An IPSec SA with the first CHILD_SA pair is established between the FAP and the FNG.
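The certificate-based checks of steps 4 through 9, as an added example in Go that is not part of this guide or of the ASR 5000 software: it issues a device CA, a FAP device certificate and an FNG server certificate, has each side sign its own IKE_SA_INIT message, and has the other side chain the CERT payload to a trusted CA, match the ID payload to the certificate (and, on the FAP, to the FQDN learned at discovery) and verify the AUTH signature. The CA name, FEID and FQDN are hypothetical, the signed data is a simplified hash over the init message, peer nonce and ID rather than the exact RFC 7296 layout, and the Diffie-Hellman exchange and the AAA authorization of steps 6 and 7 are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Peer is one IKEv2 endpoint: the FAP (initiator) or the FNG (responder).
type Peer struct {
	ID    string            // FEID for the FAP, FQDN for the FNG
	Key   *ecdsa.PrivateKey // private key of the device/server certificate
	Cert  *x509.Certificate // device/server certificate
	Roots *x509.CertPool    // trusted CA certificates
	Nonce []byte            // nonce this peer sent in IKE_SA_INIT
}

// IKEAuth carries the IKE_AUTH payloads discussed in the table: IDi/IDr, CERT (DER) and AUTH.
type IKEAuth struct{ ID string; Cert, Auth []byte }

// IssueCert makes a P-256 key and a certificate for cn; parent == nil yields a self-signed CA.
func IssueCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewPeer gives a peer a certificate issued by ca, its trust store and a fresh nonce.
func NewPeer(id string, ca *x509.Certificate, caKey *ecdsa.PrivateKey, roots *x509.CertPool) *Peer {
	cert, key := IssueCert(id, ca, caKey)
	nonce := make([]byte, 32)
	rand.Read(nonce)
	return &Peer{ID: id, Key: key, Cert: cert, Roots: roots, Nonce: nonce}
}

// signedOctets is what AUTH covers: the signer's own IKE_SA_INIT message, the peer's nonce
// and the signer's ID (simplified from RFC 7296 s.2.15, which MACs the ID under a DH-derived key).
func signedOctets(initMsg, peerNonce []byte, id string) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%x|%x|%s", initMsg, peerNonce, id)))
	return h[:]
}

// MakeAuth builds the IDi/IDr, CERT and AUTH payloads (steps 4 and 8).
func (p *Peer) MakeAuth(ownInitMsg, peerNonce []byte) IKEAuth {
	sig, err := ecdsa.SignASN1(rand.Reader, p.Key, signedOctets(ownInitMsg, peerNonce, p.ID))
	if err != nil {
		panic(err)
	}
	return IKEAuth{ID: p.ID, Cert: p.Cert.Raw, Auth: sig}
}

// VerifyAuth is steps 5 and 9: chain CERT to a trusted CA, match the ID payload against the
// certificate (and against expectedID, the FQDN learned at FNG discovery; "" skips that check),
// then verify AUTH with the certificate's public key.
func (p *Peer) VerifyAuth(m IKEAuth, peerInitMsg []byte, expectedID string) error {
	cert, err := x509.ParseCertificate(m.Cert)
	if err != nil {
		return fmt.Errorf("CERT: %w", err)
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: p.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("CERT not issued by a trusted CA: %w", err)
	}
	if cert.Subject.CommonName != m.ID || (expectedID != "" && m.ID != expectedID) {
		return fmt.Errorf("ID payload %q does not match certificate or expected identity", m.ID)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, signedOctets(peerInitMsg, p.Nonce, m.ID), m.Auth) {
		return fmt.Errorf("AUTH payload does not verify")
	}
	return nil
}

// Scenario builds a device CA, an FNG and a FAP, then runs the mutual authentication of IKE_AUTH.
// rogueFAP gives the FAP a certificate from a CA the FNG does not trust; expectedFQDN is the
// FNG identity the FAP learned during discovery.
func Scenario(rogueFAP bool, expectedFQDN string) error {
	ca, caKey := IssueCert("Femto Device CA", nil, nil) // hypothetical CA name
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	fng := NewPeer("fng1.operator.example", ca, caKey, roots) // hypothetical FQDN
	if rogueFAP {
		ca, caKey = IssueCert("Unknown CA", nil, nil)
	}
	fap := NewPeer("0123456789ABCDEF", ca, caKey, roots) // hypothetical FEID
	// IKE_SA_INIT messages are modelled as a tag plus the nonce, which is all AUTH needs here.
	initReq := append([]byte("IKE_SA_INIT_REQ:"), fap.Nonce...)
	initResp := append([]byte("IKE_SA_INIT_RESP:"), fng.Nonce...)
	if err := fng.VerifyAuth(fap.MakeAuth(initReq, fng.Nonce), initReq, ""); err != nil {
		return fmt.Errorf("FAP authentication failed: %w", err) // step 5 failure notification
	}
	if err := fap.VerifyAuth(fng.MakeAuth(initResp, fap.Nonce), initResp, expectedFQDN); err != nil {
		return fmt.Errorf("FNG authentication failed: %w", err) // step 9
	}
	return nil // the first CHILD_SA pair would now be established
}

func main() {
	fmt.Println("trusted FAP, correct FQDN:", Scenario(false, "fng1.operator.example"))
	fmt.Println("FAP from untrusted CA:    ", Scenario(true, "fng1.operator.example"))
	fmt.Println("FNG FQDN mismatch:        ", Scenario(false, "other.example"))
}
```

`Scenario(false, "fng1.operator.example")` returns nil. A FAP whose certificate was issued by a CA absent from the FNG's root list is rejected at the CERT check of step 5 before its AUTH payload is ever examined, and a FAP that learned a different FQDN during discovery rejects the FNG at step 9 even though the FNG's certificate chains correctly; the identity check is what stops a validly certified but wrong server from being accepted.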

IPSec Tunnel Establishment with EAP-AKA Authentication

The figure below shows the message flow during IPSec tunnel establishment with EAP-AKA authentication. The table
that follows the figure describes each step in the message flow.
Cisco ASR 5000 Series Femto Network Gateway Administration Guide, Femto Network Gateway Overview, page 28 (OL-24872-01)