Proxy Mobile IP Security; Configuring Proxy Mobile IP; Configuration Guidelines - Cisco Aironet 1100 Series Installation and Configuration Manual

Configuring Proxy Mobile IP

Typically, the visiting client sends packets as it normally would. The access point intercepts these
packets and sends them to the foreign agent, which routes them to their final destination, the
correspondent node.

Proxy Mobile IP Security

Mobile IP uses a strong authentication scheme to protect communications to and from visiting clients.
All registration messages between a visiting client and the home agent must contain the Mobile-Home
Authentication Extension (MHAE). Proxy mobile IP also implements this requirement in the registration
messages sent by the access point on behalf of the visiting clients to the home agent.

The integrity of the registration messages is protected by a shared 128-bit key between the access point
(on behalf of the visiting client) and the home agent. You can enter the shared key on the access point or
on a RADIUS server.

The keyed message digest algorithm 5 (MD5) in prefix+suffix mode is used to compute the authenticator
value in the appended MHAE. Mobile IP and proxy mobile IP also support the hash-based message
authentication code (HMAC-MD5). The receiver compares the authenticator value it computes over the
message with the value in the extension to verify the authenticity.

Optionally, the Mobile-Foreign Authentication Extension and the Foreign-Home Authentication
Extension are appended to protect message exchanges between a visiting client and foreign agent and
between a foreign agent and home agent, respectively.

Replay protection uses the identification field in the registration messages as a timestamp and sequence
number. The home agent returns its time stamp to synchronize the visiting client for registration. In
proxy mobile IP, the visiting clients are not synchronized to their home agents because the access point
intercepts all home agent messages.

Configuring Proxy Mobile IP

These sections describe how to configure proxy mobile IP:

• Configuration Guidelines, page 14-6
• Configuring Proxy Mobile IP on Your Wired LAN, page 14-7
• Configuring Proxy Mobile IP on Your Access Point, page 14-7

Configuration Guidelines

Before configuring proxy mobile IP, you should consider these guidelines:

• You can enable proxy mobile IP only on root access points (units connected to the wired LAN). You
cannot enable proxy mobile IP on repeater access points.
• Access points participating in proxy mobile IP should be configured with gateway addresses. You
can configure the gateways manually, or the access points can receive gateways through DHCP.
• The foreign and home agents must reside on the network gateways where you want to support proxy
mobile IP.
• If your authoritative access points receive their IP addresses through DHCP, use the access point
host names to specify the AAPs in the proxy mobile IP configuration.
• Proxy mobile IP does not support broadcast and multicast traffic for visiting clients.

Cisco Aironet 1100 Series Access Point Installation and Configuration Guide, OL-2851-01, Chapter 14: Configuring Proxy Mobile IP, page 14-6
