Cisco ASR 5000 Series Administration Manual page 31

Femto Network Gateway Overview
Figure 4. X.509 Certificate-based Peer Authentication

(Message flow between the FAP, the FNG and the AAA server; the step labels below are the text recovered from the diagram.)

FAP: 1. Preconfigured FAP device cert and trusted server CA certs (for FNG auth)
FNG: 1. Preconfigured FNG server cert and trusted FAP device CA certs (for FAP auth)
2. FNG Discovery (per 3GPP2 X.P0059)
3. FAP -> FNG: IKE_SA_INIT Request (HDR, SA, KE, Ni)
4. FNG -> FAP: IKE_SA_INIT Response (HDR, SA, KE, Nr, CERTREQ)
5. FAP -> FNG: IKE_AUTH Request (HDR, SK {IDi(FEID), CERT(FEID), CERTREQ, AUTH})
6. FNG: Verify FAP cert and AUTH signature; verify IDi matches cert identity
7. FNG -> AAA: AAA Request (FEID)
8. AAA -> FNG: AAA Response (Authorization info)
9. FNG -> FAP: IKE_AUTH Response (HDR, SK {IDr(FQDN of FNG), CERT(FNG), AUTH})
10. FAP: Verify FNG cert and AUTH signature; verify discovered GW ID (FQDN) matches the identity in the server cert
11. IPsec SA established

Table 4. X.509 Certificate-based Peer Authentication

Step  Description
1.    The FAP is assigned a device certificate during its manufacturing. The FAP device certificate is signed by a Certificate Authority (device certificate CA) trusted by the operator. The private key for the certificate is stored securely at the FAP. Similarly, the FNG is assigned a server certificate. The private key of the FNG is stored securely at the FNG. In addition, the FNG is configured with a list of root CA certificates corresponding to the trusted device certificate CAs. The FAP is also configured with a list of root CA certificates corresponding to the server certificates that the FAP will accept from the FNG.

OL-24872-01
Cisco ASR 5000 Series Femto Network Gateway Administration Guide
How the FNG Works
31
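The following is an added example, not code from the Cisco guide or the FNG product: a runnable model of the Figure 4 flow that exercises the three checks each side performs in steps 6 and 10 (the peer's certificate chains to a preconfigured root CA, the AUTH payload verifies under the certificate's key, and the claimed identity equals the identity in the certificate, which on the FAP side must also equal the FQDN learned during FNG discovery). X.509 and RSA/ECDSA are replaced by a toy certificate record and a hash-based one-time signature so the script runs with the standard library only; the FEID, FQDN and CA names are constructed sample values, and the IKE SA/KE negotiation and the AAA exchange (steps 7 and 8) are left out.

```python
# Added example, not from the Cisco guide: model of the FAP/FNG certificate-based
# IKEv2 authentication in Figure 4, focused on the checks of steps 6 and 10.
# X.509 and RSA/ECDSA are replaced by a toy certificate record and a Lamport
# one-time signature so it runs with the standard library only.
import hashlib
import secrets
from dataclasses import dataclass

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# --- Toy public-key signature (Lamport one-time scheme; stand-in for RSA/ECDSA) ---
def keygen():
    """Secret key: 256 pairs of random 32-byte values; public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = b"".join(H(a) + H(b) for a, b in sk)
    return sk, pk

def _bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1

def sign(sk, msg: bytes) -> bytes:
    d = H(msg)
    return b"".join(sk[i][_bit(d, i)] for i in range(256))

def verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    d = H(msg)
    return len(sig) == 32 * 256 and all(
        H(sig[32 * i:32 * i + 32]) == pk[64 * i + 32 * _bit(d, i):64 * i + 32 * _bit(d, i) + 32]
        for i in range(256))

# --- Toy certificate: an identity bound to a public key, signed by a CA ---
@dataclass(frozen=True)
class Cert:
    subject: str      # FEID for the FAP device cert, FQDN for the FNG server cert
    issuer: str       # CA name, looked up in the verifier's preconfigured root CA list
    pubkey: bytes
    signature: bytes  # CA signature over subject|issuer|pubkey

def _tbs(subject: str, issuer: str, pubkey: bytes) -> bytes:
    return f"{subject}|{issuer}|".encode() + pubkey

def issue_cert(ca_name: str, ca_sk, subject: str, pubkey: bytes) -> Cert:
    return Cert(subject, ca_name, pubkey, sign(ca_sk, _tbs(subject, ca_name, pubkey)))

def cert_trusted(cert: Cert, trusted_cas: dict) -> bool:
    """Step 1 trust store: accept only certs signed by a preconfigured root CA."""
    ca_pk = trusted_cas.get(cert.issuer)
    return ca_pk is not None and verify(ca_pk, _tbs(cert.subject, cert.issuer, cert.pubkey), cert.signature)

# --- IKEv2 AUTH payload: signature over own IKE_SA_INIT message, peer nonce and own ID ---
def auth_payload(sk, own_init_msg: bytes, peer_nonce: bytes, own_id: str) -> bytes:
    return sign(sk, own_init_msg + peer_nonce + own_id.encode())

def verify_peer(cert: Cert, claimed_id: str, auth: bytes, peer_init_msg: bytes,
                own_nonce: bytes, trusted_cas: dict, expected_id=None) -> str:
    """Steps 6/10: chain to a trusted CA, AUTH verifies under the cert key, and the
    claimed ID (IDi, or the FNG FQDN) equals the cert identity and, if given, the discovered GW ID."""
    if not cert_trusted(cert, trusted_cas):
        return "untrusted certificate"
    if not verify(cert.pubkey, peer_init_msg + own_nonce + claimed_id.encode(), auth):
        return "bad AUTH signature"
    if claimed_id != cert.subject or (expected_id is not None and claimed_id != expected_id):
        return "identity mismatch"
    return "ok"

def run_exchange(discovered_fqdn="fng1.operator.example", rogue_server_ca=False):
    """Walk the Figure 4 flow; identities and CA names are constructed sample values."""
    fap_id, fng_fqdn = "FEID-constructed-0001", "fng1.operator.example"
    dev_ca_sk, dev_ca_pk = keygen()   # device certificate CA (signs FAP certs)
    srv_ca_sk, srv_ca_pk = keygen()   # server certificate CA (signs FNG certs)
    fap_sk, fap_pk = keygen()
    fng_sk, fng_pk = keygen()
    # Step 1: preconfigured certs and trusted root CA lists on each side
    fap_cert = issue_cert("DeviceCA", dev_ca_sk, fap_id, fap_pk)
    if rogue_server_ca:               # FNG cert from a CA the FAP was never configured to trust
        fng_cert = issue_cert("RogueCA", keygen()[0], fng_fqdn, fng_pk)
    else:
        fng_cert = issue_cert("ServerCA", srv_ca_sk, fng_fqdn, fng_pk)
    fng_trust = {"DeviceCA": dev_ca_pk}   # for FAP auth
    fap_trust = {"ServerCA": srv_ca_pk}   # for FNG auth
    # Steps 3-4: IKE_SA_INIT exchange (only the nonces are modelled)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    init_req, init_resp = b"IKE_SA_INIT_REQ|" + ni, b"IKE_SA_INIT_RESP|" + nr
    # Step 5: IKE_AUTH request carries IDi=FEID, CERT(FEID), AUTH
    fap_auth = auth_payload(fap_sk, init_req, nr, fap_id)
    # Step 6: FNG verifies the FAP
    result = verify_peer(fap_cert, fap_id, fap_auth, init_req, nr, fng_trust)
    if result != "ok":
        return ("FNG rejects FAP", result)
    # Steps 7-8 (AAA authorization) omitted
    # Step 9: IKE_AUTH response carries IDr=FQDN of FNG, CERT(FNG), AUTH
    fng_auth = auth_payload(fng_sk, init_resp, ni, fng_fqdn)
    # Step 10: FAP verifies the FNG, including that the discovered FQDN matches the cert
    result = verify_peer(fng_cert, fng_fqdn, fng_auth, init_resp, ni, fap_trust, expected_id=discovered_fqdn)
    if result != "ok":
        return ("FAP rejects FNG", result)
    return ("IPsec SA established", "ok")   # Step 11

if __name__ == "__main__":
    print(run_exchange())
    print(run_exchange(discovered_fqdn="other.operator.example"))
    print(run_exchange(rogue_server_ca=True))
```

The two failure runs show why step 10 checks more than a valid signature: a server certificate that is properly signed and whose AUTH verifies is still rejected when its identity differs from the gateway FQDN obtained in step 2, and any certificate from a CA outside the FAP's preconfigured list is rejected before the signature is even examined.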