X.509 Certificate-Based Peer Authentication - Cisco ASR 5000 Series Administration Manual

Femto network gateway

▀ How the FNG Works

3. The FAP initiates an IKE_AUTH exchange with the FNG. The FAP omits the AUTH payload, indicating that it wants to use an EAP exchange over IKEv2. The FAP includes its identity in the IDi payload of the IKE_AUTH Request. The IDi is set to the FAP ID, a string in the format id@domain. The FAP also includes the IKEv2 CFG_REQUEST payload in the IKE_AUTH Request, with the INTERNAL_IP4_ADDRESS attribute present and its length set to 0.

4. The FNG receives the IKE_AUTH Request and sends the FAP ID as the EAP Response identity to the AAA server in a RADIUS Access-Request message with an EAP-Message attribute.

5. The AAA server verifies the FAP's identity and generates a random value RAND and AUTN based on the shared CHAP key and a sequence number. The AAA server sends the EAP-Request/AKA-Challenge to the FNG in a RADIUS Access-Challenge message. The EAP-Request/AKA-Challenge contains the RAND and AUTN to protect the integrity of the EAP message.

6. The FNG sends an IKE_AUTH Response to the FAP that contains the EAP-Request/AKA-Challenge message received from the AAA server.

7. The FAP verifies the authentication parameters in the EAP-Request/AKA-Challenge message. If the verification is successful, it responds to the challenge with an EAP-Response/AKA-Challenge carried in an IKE_AUTH Request message to the FNG.

8. The FNG forwards the EAP-Response/AKA-Challenge message to the AAA server in a RADIUS Access-Request message.

9. If the authentication is successful, the AAA server sends a RADIUS Access-Accept message with an EAP-Message attribute containing EAP Success. Along with the EAP Success, the AAA server sends the FNG the MSK generated during the EAP-AKA authentication process. The AAA server also sends the other attributes that it normally sends to the PDSN for a simple IP session: at a minimum the Framed-Pool (if required, so that the FNG can assign a TIA from the correct IP address pool), the Session-Timeout, and the Idle-Timeout.

10. The FNG forwards the EAP Success message to the FAP in an IKE_AUTH Response message.

11. The FAP calculates the MSK according to RFC 4187 and uses it as an input to generate the AUTH payload that authenticates the first IKE_SA_INIT message. The FAP sends the AUTH payload to the FNG in an IKE_AUTH Request message.

12. The FNG uses the MSK to check the validity of the AUTH payload received from the FAP and calculates its own AUTH payload for the FAP to verify, per RFC 4306. The FNG sends its AUTH payload to the FAP, together with the configuration payload containing the SAs and the rest of the IKEv2 parameters, in an IKE_AUTH Response message. This completes the IKEv2 negotiation. The configuration payload contains the TIA.

It is up to the FAP implementation to establish separate Child SAs for configuration management and VoIP traffic, or to use the same Child SA for all traffic types. The FNG supports both options. Once the IPSec tunnel is established, the FAP uses the TIA assigned by the FNG for each 1x UE (in the SIP headers or as the RTP IP address).
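Steps 11 and 12 in working form, as an added example that is not from the Cisco guide: the AUTH payload computation of RFC 4306 sections 2.15 and 2.16 with the EAP-AKA MSK as the shared secret, which the FNG checks against the IKE_SA_INIT request it actually received. The PRF (HMAC-SHA1), the FAP and FNG identities, and every byte value are assumptions constructed for the example.

```python
import hmac
import hashlib
# Constructed sample values (not from the guide). In a real session the MSK comes from
# the AAA server (step 9) and from the FAP's own EAP-AKA run (step 11); the nonces,
# SK_pi/SK_pr and the two messages are the actual IKE_SA_INIT material.
KEY_PAD = b"Key Pad for IKEv2"                 # RFC 4306 section 2.15
ID_RFC822_ADDR = 3                             # IDi type for an id@domain FAP ID
MSK = hashlib.sha512(b"EAP-AKA MSK (constructed)").digest()    # 64 octets, as RFC 4187 yields
INIT_REQ = b"IKE_SA_INIT request: SA proposals, KEi, Ni"      # stand-in for real message 1
INIT_RESP = b"IKE_SA_INIT response: SA choice, KEr, Nr"       # stand-in for real message 2

def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA1 is assumed; the real PRF is whatever the IKE SA negotiated."""
    return hmac.new(key, data, hashlib.sha1).digest()

def id_payload_body(identity: str) -> bytes:
    """RestOfIDPayload: ID Type, three reserved octets, identification data (no generic header)."""
    return bytes([ID_RFC822_ADDR, 0, 0, 0]) + identity.encode()

def signed_octets(real_message: bytes, peer_nonce: bytes, sk_p: bytes, id_body: bytes) -> bytes:
    """RealMessage | peer's NonceData | prf(SK_p, RestOfIDPayload), RFC 4306 section 2.15."""
    return real_message + peer_nonce + prf(sk_p, id_body)

def auth_payload(msk: bytes, octets: bytes) -> bytes:
    """AUTH = prf(prf(SharedSecret, "Key Pad for IKEv2"), SignedOctets); SharedSecret = EAP MSK."""
    return prf(prf(msk, KEY_PAD), octets)

def verify_auth(msk: bytes, octets: bytes, received: bytes) -> bool:
    return hmac.compare_digest(auth_payload(msk, octets), received)

def run_exchange(fap_msk: bytes, fng_msk: bytes, init_req_sent: bytes, init_req_received: bytes):
    """Steps 11-12. Returns (FNG accepted the FAP's AUTH, FAP accepted the FNG's AUTH)."""
    nonce_i, nonce_r = hashlib.sha1(b"Ni").digest(), hashlib.sha1(b"Nr").digest()
    sk_pi, sk_pr = hashlib.sha1(b"SK_pi").digest(), hashlib.sha1(b"SK_pr").digest()
    idi, idr = id_payload_body("fap01@example.com"), id_payload_body("fng@example.com")
    # Step 11: the FAP signs the IKE_SA_INIT request it sent, keyed by its own MSK.
    auth_i = auth_payload(fap_msk, signed_octets(init_req_sent, nonce_r, sk_pi, idi))
    # Step 12: the FNG recomputes over the request it actually received, with the AAA-supplied MSK.
    if not verify_auth(fng_msk, signed_octets(init_req_received, nonce_r, sk_pi, idi), auth_i):
        return False, False                    # FNG aborts the exchange; no AUTH_r is sent
    auth_r = auth_payload(fng_msk, signed_octets(INIT_RESP, nonce_i, sk_pr, idr))
    return True, verify_auth(fap_msk, signed_octets(INIT_RESP, nonce_i, sk_pr, idr), auth_r)

def honest_case():
    return run_exchange(MSK, MSK, INIT_REQ, INIT_REQ)
def altered_init_case():                       # message 1 changed in transit: FNG rejects AUTH
    return run_exchange(MSK, MSK, INIT_REQ, INIT_REQ.replace(b"proposals", b"proposal"))
def msk_mismatch_case():                       # FAP and AAA server derived different MSKs
    return run_exchange(MSK, hashlib.sha512(b"some other key").digest(), INIT_REQ, INIT_REQ)
```

The two failing cases show why the AUTH payload is bound to the first IKE_SA_INIT message and to the MSK: any change to the negotiated proposals in transit, or an MSK that the FAP and AAA server do not share, is caught at step 12 before any Child SA is set up.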

X.509 Certificate-based Peer Authentication

The figure below shows the message flow during X.509 certificate-based peer authentication. The table that follows the
figure describes each step in the message flow.
▄ Cisco ASR 5000 Series Femto Network Gateway Administration Guide
30
Femto Network Gateway Overview
OL-24872-01
