EasyManua.ls Logo

Cisco ASR 5000 Series - Page 493

Cisco ASR 5000 Series
992 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Loading...
How the PDG/TTG Works
Cisco ASR 5000 Series Product Overview
OL-22938-02
Step
Description
9.
The AAA server sends the DEA back to the TTG with Result-Code AVP as Success. The EAP-Payload AVP message also
contains an EAP result code as Success. The TTG also receives the MSK (keying materials) from the AAA server, which is
used for further key computation. When using Diameter, the MSK is encapsulated in the EAP-Master-Session-Key
parameter. The AAA server also includes several authorization AVPs.
When the checks for an IMS emergency call fail, the AAA Server also sends an Authentication Answer that includes an
EAP Failure to the TTG.
Note that steps 9a. and 9b. (described below) may not be required if authorization attributes or AVPs are present in the
Access-Accept message containing the EAP-Success. As explained in step 5 above, if the W-APN is present in all the
Access-Request messages from the TTG to the AAA server, the AAA server can use the W-APN to look up the
authorization database to retrieve the parameters. If the TTG has done the W-APN-to-real-APN mapping and includes the
mapped APN in the AAA messages, the TTG performs steps 9a. and 9b., and includes the W-APN in a separate message
after successful EAP-authentication.
9a. The TTG sends an Authorization Request message with an empty EAP AVP, but containing the W-APN, to the AAA
server. The AAA server checks the user's subscription information whether the user is authorized to establish a tunnel. The
IKE SA counter for that W-APN is incremented. If the maximum number of IKE SAs for that W-APN is exceeded, the
AAA server sends an indication to the TTG that established the oldest active IKE SA (it could be the same TTG or a
different one) to delete the oldest established IKE SA. The AAA server then updates the counters tracking the active IKE
SAs for the W-APN accordingly.
9b. The AAA server sends the AA-Answer to the TTG. The AAA server sends the IMSI within the AA-Answer.
10.
The TTG sends the IKE_AUTH Response back to UE with the EAP payload.
11.
The UE sends the final IKE_AUTH Request with the AUTH payload computed from the keys. The TTG uses the MSK to
generate the AUTH parameters in order to authenticate the IKE_SA_INIT phase messages. These first two messages had
not been authenticated before as there was no key material available yet. When used over IKEv2, the shared secret
generated in the EAP exchange (the MSK) is used to generate the AUTH parameters. The TTG processes the IKE_AUTH
Request, checks the validity of AUTH payload, and initiates PDP context activation with the GGSN.
12.
The TTG sends a Create PDP Context Request to the GGSN. The GGSN processes the request and assigns an IP address to
the UE.
13.
The GGSN sends a Create PDP Context Response to the TTG. The TTG sets up an IPSec SA.
14.
The TTG sends an IKE_AUTH Response with the AUTH payload computed from the MSK. The TTG assigns the IP
address received from the GGSN to the UE in the configuration payload along with DNS addresses and other parameters.
15.
The TTG session/IPSec SA is fully established and ready for data transfer.

Table of Contents

Other manuals for Cisco ASR 5000 Series

Preview: Administration Guide
Administration Guide508 pages
Preview: Installation Guide
Installation Guide317 pages
Preview: Thresholding Configuration Guide
Thresholding Configuration Guide163 pages
Preview: Installation And Administration Guide
Installation And Administration Guide95 pages

Related product manuals