Cisco ASR 5000 Series Administration Manual page 126

▀ Example 2: Mobile IP Support Using the System as an HA
Required Information
Mobile node re-
registration requirements
FA-to-HA Security
Parameter Index
Information
Mobile Node Security
Parameter Index
Information
Maximum registration
lifetime
Maximum number of
simultaneous bindings
AAA Interface Configuration
▄ Cisco ASR 5000 Series Gateway GPRS Support Node Administration Guide
Description
Specifies how the system should handle authentication for mobile node re-registrations.The HA
service can be configured as follows:
Always require authentication
Never require authentication
NOTE: The initial registration and de-registration will still be handled normally)
Never look for mn-aaa extension
Not require authentication but will authenticate if mn-aaa extension present.
FA IP address: The HA service allows the creation of a security profile that can be associated with a
particular FA.
This specifies the IP address of the FA that the HA service will be communicating with.
Multiple FA addresses are needed if the HA will be communicating with multiple FAs.
Index: Specifies the shared SPI between the HA service and a particular FA. The SPI can be
configured to any integer value between 256 and 4294967295.
Multiple SPIs can be configured if the HA service is to communicate with multiple FAs.
Secret: Specifies the shared SPI secret between the HA service and the FA. The secret can be
between 1 and 127 characters (alpha and/or numeric).
An SPI secret is required for each SPI configured.
Hash-algorithm: Specifies the algorithm used to hash the SPI and SPI secret. The possible
algorithms that can be configured are MD5 per RFC 1321 and keyed-MD5 per RFC 2002. The
default algorithm is hmac-md5.
A hash-algorithm is required for each SPI configured.
Index: Specifies the shared SPI between the HA service and a particular FA. The SPI can be
configured to any integer value between 256 and 4294967295.
Multiple SPIs can be configured if the HA service is to communicate with multiple FAs.
Secret: Specifies the shared SPI secret between the HA service and the FA. The secret can be
between 1 and 127 characters (alpha and/or numeric).
An SPI secret is required for each SPI configured.
Hash-algorithm: Specifies the algorithm used to hash the SPI and SPI secret. The possible
algorithms that can be configured are MD5 per RFC 1321 and keyed-MD5 per RFC 2002. The
default algorithm is hmac-md5.
A hash-algorithm is required for each SPI configured.
Replay-protection process: Specifies how protection against replay-attacks is implemented. The
possible processes are nonce and timestamp. The default is timestamp with a tolerance of 60 seconds.
A replay-protection process is required for each mobile node-to-HA SPI configured.
Specifies the longest registration lifetime that the HA service will allow in any Registration Request
message from the mobile node.
The time is measured in seconds and can be configured to any integer value between 1 and 65535. An
infinite registration lifetime can also be configured by disabling the timer. The default is 600.
Specifies the maximum number of "care-of" addresses that can simultaneously be bound for the same
user as identified by NAI and Home address.
The number can be configured to any integer value between 1 and 5. The default is 3.
Mobile IP Configuration Examples
OL-22944-02