Packet Data Interworking Function Overview
Sample Deployments
Cisco ASR 5000 Series Product Overview
OL-22938-02
Step 2: The MS initiates IKE_AUTH exchange messages with the PDIF/FA. The MS omits the AUTH parameter to the PDIF/FA, indicating that it wants to use EAP over IKEv2. The MS includes its identity in the IDi payload of the IKE_AUTH request. The IDi is set to be the same as the NAI, and the NAI realm is chosen appropriately for M-NAI devices. The MS embeds the MAC address of the WiFi access point (AP) in the NAI and includes the IKEv2 configuration payload. Attributes included in the CFG_REQUEST are at least the INTERNAL_IP4_ADDRESS (with the length set to zero), the INTERNAL_IP4_DNS, and the 3GPP2_MIP_MODE.

Step 3: When the PDIF/FA receives the IKE_AUTH request, it checks whether MAC address authorization is enabled. If so, the PDIF/FA uses the ims-sh-service interface to the HSS and requests the list of authorized APs for this user via a User Data Request (UDR).

Step 4: The HSS answers with the list of authorized WiFi APs for the user.

Step 5: After checking that the AP MAC address in the realm portion of the NAI matches one of the authorized MAC addresses received from the HSS, the PDIF/FA strips the AP MAC address from the realm portion of the NAI and sends the resulting NAI as an EAP response identity to the H-AAA using a RADIUS Access-Request message. This message includes at least the User-Name set to the NAI sent in the EAP response identity, the 3GPP2 correlation ID, the EAP-Message attribute, and the Message-Authenticator attribute.

Step 6: The H-AAA verifies the identity and checks that WiFi service is allowed for the subscriber. The H-AAA generates a random value RAND and an AUTN based on the shared DMU CHAP-key and a sequence number. The H-AAA sends the EAP-Request/AKA-Challenge to the PDIF/FA via a RADIUS Access-Challenge. The EAP-Request/AKA-Challenge contains the AT_RAND, AT_AUTN, and AT_MAC attributes; AT_MAC protects the integrity of the EAP message.

Step 7: The PDIF/FA sends an IKE_AUTH response to the MS carrying the EAP-Request/AKA-Challenge message received from the H-AAA.

Step 8: The MS verifies the authentication parameters in the EAP-Request/AKA-Challenge message and, if the verification is successful, responds to the challenge with an IKE_AUTH Request message to the PDIF/FA. The main payload of this message is the EAP-Response/AKA-Challenge message.

Step 9: The PDIF/FA forwards the EAP-Response/AKA-Challenge message to the H-AAA via a RADIUS Access-Request message (RRQ).

Step 10: If authentication succeeds, the H-AAA sends a RADIUS Access-Accept message with the EAP-Message attribute containing EAP-Success. The H-AAA sends the EAP-Success and the MSK generated during the EAP-AKA authentication process to the PDIF/FA. The 64-byte MSK is split into two 32-byte parts: the first 32 bytes are sent in MS-MPPE-Recv-Key and the second 32 bytes in MS-MPPE-Send-Key. Both of these attributes (whose values are encrypted) are needed to construct the 64-byte MSK at the PDIF/FA; if either is missing, the PDIF/FA rejects the session. In addition, the H-AAA sends other attributes equivalent to what it normally sends to the PDSN for a simple IP session. The attributes include at least the following: the Framed-Pool (if required), so that the PDIF/FA can assign a TIA from the right IP address pool, the Session-Timeout, and the Idle-Timeout.

Step 11: The PDIF/FA forwards the EAP-Success message to the MS in an IKE_AUTH Response message.

Step 12: The MS calculates the MSK (RFC 4187) and uses it to generate the AUTH payload that authenticates the first IKE_SA_INIT message. The MS sends the AUTH payload in an IKE_AUTH Request message to the PDIF/FA.

Step 13: The PDIF/FA uses the MSK to check the correctness of the AUTH payload received from the MS and calculates its own AUTH payload for the MS to verify [RFC 4306]. The PDIF/FA sends the AUTH payload to the MS together with the Configuration Payload (CP) containing the security associations and the rest of the IKEv2 parameters in the IKE_AUTH Response message, and the IKEv2 negotiation terminates. The CP contains the TIA and the IP addresses of the DNS servers that the device requested earlier. Although the MS requested a DNS address by including only a single payload option for INTERNAL_IP4_DNS, the PDIF/FA may include both a primary and a secondary DNS address if one is available.
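The two PDIF/FA-side checks in the call flow above, the AP MAC authorization in step 5 and the MSK reassembly from the two MS-MPPE key attributes in step 10, are shown below as an added Python example. This is illustrative code written for this page, not Cisco's PDIF implementation. The NAI layout (user@<12 hex digit AP MAC>.<home realm>) is an assumption, since the manual does not specify how the AP MAC is embedded in the realm; the key wrapping follows the RFC 2548 MS-MPPE scheme (MD5 keystream over the RADIUS shared secret, Request Authenticator and a 2-byte salt), and all sample values are constructed.

```python
import hashlib
import re
import secrets

# Step 5: AP MAC authorization and NAI stripping at the PDIF/FA.
# Assumed NAI layout (not given on the page): user@<12 hex AP MAC>.<home realm>
_AP_MAC_REALM = re.compile(r"^([0-9a-f]{12})\.(.+)$")


def _normalize_mac(mac):
    """'00:11:22:AA:BB:CC' or '0011.22aa.bbcc' -> '001122aabbcc'."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def authorize_and_strip_nai(nai, authorized_aps):
    """Return the NAI to forward to the H-AAA (AP MAC removed from the realm),
    or None when the AP MAC is absent or not in the HSS-supplied list."""
    user, sep, realm = nai.partition("@")
    if not sep or not user:
        return None
    match = _AP_MAC_REALM.match(realm.lower())
    if match is None:
        return None
    ap_mac, home_realm = match.groups()
    if ap_mac not in {_normalize_mac(m) for m in authorized_aps}:
        return None
    return f"{user}@{home_realm}"


# Step 10: the 64-byte MSK travels as two 32-byte halves in MS-MPPE-Recv-Key
# and MS-MPPE-Send-Key, each wrapped with the RFC 2548 key-encryption scheme.
def mppe_wrap(key, secret, request_authenticator, salt):
    """RFC 2548 2.4.2: P = len(key) || key || zero padding to a 16-byte
    multiple; block i is XORed with MD5(secret || previous ciphertext block),
    the first block with MD5(secret || authenticator || salt). Returns salt||C."""
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    prev, out = request_authenticator + salt, b""
    for i in range(0, len(plain), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(plain[i:i + 16], keystream))
        out += block
        prev = block
    return salt + out


def mppe_unwrap(blob, secret, request_authenticator):
    """Inverse of mppe_wrap; raises ValueError on a malformed attribute."""
    salt, cipher = blob[:2], blob[2:]
    if len(salt) != 2 or not salt[0] & 0x80 or not cipher or len(cipher) % 16:
        raise ValueError("malformed MS-MPPE key attribute")
    prev, plain = request_authenticator + salt, b""
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    key_len = plain[0]
    if key_len > len(plain) - 1:
        raise ValueError("key length byte exceeds attribute length")
    return plain[1:1 + key_len]


def aaa_build_key_attributes(msk, secret, request_authenticator):
    """H-AAA side: first 32 bytes -> Recv-Key, last 32 -> Send-Key, distinct salts."""
    if len(msk) != 64:
        raise ValueError("EAP-AKA MSK must be 64 bytes")
    salt1 = bytes([0x80 | secrets.randbits(7), secrets.randbits(8)])
    salt2 = bytes([salt1[0], (salt1[1] + 1) & 0xFF])  # unique per attribute
    return {
        "MS-MPPE-Recv-Key": mppe_wrap(msk[:32], secret, request_authenticator, salt1),
        "MS-MPPE-Send-Key": mppe_wrap(msk[32:], secret, request_authenticator, salt2),
    }


def pdif_reassemble_msk(attributes, secret, request_authenticator):
    """PDIF/FA side: rebuild the 64-byte MSK, or return None (reject the
    session) when either attribute is missing or the halves do not add up."""
    recv = attributes.get("MS-MPPE-Recv-Key")
    send = attributes.get("MS-MPPE-Send-Key")
    if recv is None or send is None:
        return None
    try:
        msk = (mppe_unwrap(recv, secret, request_authenticator)
               + mppe_unwrap(send, secret, request_authenticator))
    except ValueError:
        return None
    return msk if len(msk) == 64 else None


if __name__ == "__main__":
    # Constructed sample values; not taken from any real deployment.
    secret, req_auth, msk = b"radius-shared-secret", bytes(range(16)), bytes(range(64))
    attrs = aaa_build_key_attributes(msk, secret, req_auth)
    print(pdif_reassemble_msk(attrs, secret, req_auth) == msk)
    print(authorize_and_strip_nai("alice@001122aabbcc.wifi.example.net",
                                  ["00:11:22:AA:BB:CC"]))
```

The reject-on-missing-attribute rule matters because a single MS-MPPE attribute yields only half the MSK, and a PDIF/FA that padded or guessed the rest would later accept or produce AUTH payloads under a key the MS does not share; returning None forces the session down rather than continuing with a mismatched key.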
