![background image](http://html.mh-extra.com/html/cisco/asr-5x00-home-enodeb/asr-5x00-home-enodeb_administration-manual_64831451.webp)
Proxy-Mobile IP
How Proxy Mobile IP Works in a WiFi Network with Multiple Authentication ▀
Cisco ASR 5x00 Packet Data Network Gateway Administration Guide ▄
451
Step
Description
4
PDIF processes the IKE_SA_INIT Request for the appropriate PDIF service (bound by the destination IP address in the
IKEv2 INIT request). PDIF responds with IKE_SA_INIT Response with SA, KE, Nr payloads and NAT-Detection Notify
payloads. If multiple-authentication support is configured to be enabled in the PDIF service, PDIF will include
MULTIPLE_AUTH_SUPPORTED Notify payload in the IKE_SA_INIT Response. PDIF will start the IKEv2 setup timer
after sending the IKE_SA_INIT Response.
5
On receiving successful IKE_SA_INIT Response from PDIF, MS sends IKE_ AUTH Request for the first EAP-AKA
authentication. If the MS is capable of doing multiple-authentication, it will include MULTI_AUTH_SUPPORTED
Notify payload in the IKE_AUTH Request. MS also includes IDi payload which contains the NAI, SA, TSi, TSr, CP
(requesting IP address and DNS address) payloads. MS will not include AUTH payload to indicate that it will use EAP
methods.
6
On receiving IKE_AUTH Request from MS, PDIF sends DER message to Diameter AAA server. AAA servers are
selected based on domain profile, default subscriber template or default domain configurations. PDIF includes Multiple-
Auth-Support AVP, EAP-Payload AVP with EAP-Response/Identity in the DER. Exact details are explained in the
Diameter message sections. PDIF starts the session setup timer on receiving IKE_AUTH Request from MS.
7
PDIF receives DEA with Result-Code AVP specifying to continue EAP authentication. PDIF takes EAP-Payload AVP
contents and sends IKE_ AUTH Response back to MS in the EAP payload. PDIF allows IDr and CERT configurations in
the PDIF service and optionally includes IDr and CERT payloads (depending upon the configuration). PDIF optionally
includes AUTH payload in IKE_AUTH Response if PDIF service is configured to do so.
8
MS receives the IKE_AUTH Response from PDIF. MS processes the exchange and sends a new IKE_AUTH Request
with EAP payload. PDIF receives the new IKE_AUTH Request from MS and sends DER to AAA server. This DER
message contains the EAP-Payload AVP with EAP-AKA challenge response and challenge received from MS.
9
The AAA server sends the DEA back to the PDIF with Result-Code AVP as “success.” The EAP-Payload AVP message
also contains the EAP result code with “success.” The DEA also contains the IMSI for the user, which is included in the
Callback-Id AVP. PDIF uses this IMSI for all subsequent session management functions such as duplicate session
detection etc. PDIF also receives the MSK from AAA, which is used for further key computation.
10
PDIF sends the IKE_AUTH Response back to MS with the EAP payload.
11
MS sends the final IKE_AUTH Request for the first authentication with the AUTH payload computed from the keys. If
the MS plans to do the second authentication, it will include ANOTHER_AUTH_FOLLOWS Notify payload also.
12
PDIF processes the AUTH request and responds with the IKE_AUTH Response with the AUTH payload computed from
the MSK. PDIF does not assign any IP address for the MS pending second authentication. Nor will the PDIF include any
configuration payloads.
a. If PDIF service does not support Multiple-Authentication and ANOTHER_AUTH_FOLLOWS Notify payload is
received, then PDIF sends IKE_AUTH Response with appropriate error and terminate the IKEv2 session by sending
INFORMATIONAL (Delete) Request.b. If ANOTHER_AUTH_FOLLOWS Notify payload is not present in the
IKE_AUTH Request, PDIF allocates the IP address from the locally configured pools. However, if
proxy-mip-
required
is enabled, then PDIF initiates Proxy-MIP setup to HA by sending P-MIP RRQ. When PDIF receives the
Proxy-MIP RRP, it takes the Home Address (and DNS addresses if any) and sends the IKE_AUTH Response back to MS
by including CP payload with Home Address and DNS addresses. In either case, IKEv2 setup will finish at this stage and
IPSec tunnel gets established with a Tunnel Inner Address (TIA).
13
MS does the second authentication by sending the IKE_AUTH Request with IDi payload to include the NAI. This NAI
may be completely different from the NAI used in the first authentication.