Example 1: Mobile IP Support Using the System as a PDSN/FA
The system supports both Simple and Mobile IP. For Mobile IP applications, the system can be configured to perform the function of a Packet Data Serving Node/Foreign Agent (PDSN/FA) and/or a Home Agent (HA). This example describes what is needed for and how the system performs the role of the PDSN/FA. Examples 2 and 3 provide information on using the system to provide HA functionality.
The system's PDSN/FA configuration for Mobile IP applications is best addressed with three contexts (one source, one AAA, and one Mobile IP destination) configured as shown in the figure below.
Important: A fourth context that serves as a destination context must also be configured if Reverse Tunneling is disabled in the FA service configuration. Reverse Tunneling is enabled by default.
The source context will facilitate the PDSN service(s), and the R-P interfaces. The AAA context will be configured to provide foreign AAA functionality for subscriber sessions and facilitate the AAA interfaces. The MIP destination context will facilitate the FA service(s) and the Pi interface(s) from the PDSN/FA to the HA.
The optional destination context will allow the routing of data from the mobile node to the packet data network by facilitating a packet data network (PDN) interface. This context will be used only if reverse tunneling was disabled.
Information Required
Prior to configuring the system as shown in this example, there is a minimum amount of information required. The following sections describe the information required to configure the source and destination contexts.
Source Context Configuration
Required Information | Description
---|---
Source context name | This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the source context will be recognized by the system.
R-P Interface Configuration |
R-P interface name | This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system. Multiple names are needed if multiple interfaces will be configured. R-P interfaces are configured in the source context.
IP address and subnet | These will be assigned to the R-P interface. Multiple addresses and/or subnets are needed if multiple interfaces will be configured.
Physical port number | This specifies the physical port to which the interface will be bound. Ports are identified by the chassis slot number in which the line card resides, followed by the number of the physical connector on the line card. For example, port 17/1 identifies connector number 1 on the card in slot 17. A single physical port can facilitate multiple interfaces.
Physical port description | This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system. Multiple descriptions are needed if using multiple ports. Physical ports are configured within the source context and are used to bind logical R-P interfaces.
Gateway IP address | Used when configuring static routes from the R-P interface(s) to a specific network.
PDSN Service Configuration |
PDSN service name | This is an identification string between 1 and 63 characters (alpha and/or numeric) by which the PDSN service will be recognized by the system. Multiple names are needed if using multiple PDSN services. PDSN services are configured in the source context.
UDP port number for R-P traffic | Specifies the port used by the PDSN service and the PCF for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 699.
Authentication protocols used | Specifies how the system handles authentication: using a protocol (such as CHAP, PAP, or MSCHAP), or not requiring any authentication.
Domain alias for NAI-construction | Specifies a context name for the system to use to provide accounting functionality for a subscriber session. This parameter is needed only if the system is configured to support no authentication.
Security Parameter Index Information | PCF IP address: Specifies the IP address of the PCF that the PDSN service will be communicating with. The PDSN service allows the creation of a security profile that can be associated with a particular PCF. Multiple IP addresses are needed if the PDSN service is to communicate with multiple PCFs.
 | Index: Specifies the shared SPI between the PDSN service and a particular PCF. The SPI can be configured to any integer value between 256 and 4294967295. Configure multiple SPIs if the PDSN service is to communicate with multiple PCFs.
 | Secret: Specifies the shared SPI secret between the PDSN service and the PCF. The secret can be between 1 and 127 characters (alpha and/or numeric). An SPI secret is required for each SPI configured.
 | Hash-algorithm: Specifies the algorithm used to hash the SPI and SPI secret. The possible algorithms that can be configured are MD5 per RFC 1321 and keyed-MD5 per RFC 2002. The default is MD5. A hash-algorithm is required for each SPI configured.
 | Replay-protection process: Specifies how protection against replay attacks is implemented. The possible processes are nonce and timestamp. The default is timestamp with a tolerance of 60 seconds. A replay-protection process is required for each SPI configured.
Subscriber session lifetime | Specifies the time in seconds that an A10 connection can exist before its registration is considered expired. The time can be configured to any integer value between 1 and 65534, or the timer can be disabled to set an infinite lifetime. The default value is 1800 seconds.
Mobile IP FA context name | Specifies the name of the context in which the FA service is configured.
AAA Context Configuration
The following table lists the information that is required to configure the AAA context.
Required Information | Description
---|---
AAA context name | This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the AAA context will be recognized by the system.
AAA Interface Configuration |
AAA interface name | This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system. Multiple names are needed if multiple interfaces will be configured. AAA interfaces will be configured in the source context.
IP address and subnet | These will be assigned to the AAA interface. Multiple addresses and/or subnets are needed if multiple interfaces will be configured.
Physical port number | This specifies the physical port to which the interface will be bound. Ports are identified by the chassis slot number in which the line card resides, followed by the number of the physical connector on the line card. For example, port 17/1 identifies connector number 1 on the card in slot 17. A single physical port can facilitate multiple interfaces.
Physical port description | This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system. Multiple descriptions are needed if multiple ports will be used. Physical ports are configured within the destination context and are used to bind logical AAA interfaces.
Gateway IP address(es) | Used when configuring static routes from the AAA interface(s) to a specific network.
Foreign RADIUS Server Configuration |
Foreign RADIUS Authentication server | IP Address: Specifies the IP address of the foreign RADIUS authentication server that the source context will communicate with to provide subscriber authentication functions. Multiple addresses are needed if configuring multiple RADIUS servers. Foreign RADIUS authentication servers are configured within the source context. Multiple servers can be configured and each assigned a priority.
 | Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key exchanged between the RADIUS authentication server and the source context. A shared secret is needed for each configured RADIUS server.
 | UDP Port Number: Specifies the port used by the source context and the foreign RADIUS authentication server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1812.
Foreign RADIUS Accounting server | IP Address: Specifies the IP address of the foreign RADIUS accounting server that the source context will communicate with to provide subscriber accounting functions. Multiple addresses are needed if configuring multiple RADIUS servers. Foreign RADIUS accounting servers are configured within the source context. Multiple servers can be configured and each assigned a priority.
 | Shared Secret: The shared secret is a string between 1 and 15 characters (alpha and/or numeric) that specifies the key exchanged between the RADIUS accounting server and the source context. A shared secret is needed for each configured RADIUS server.
 | UDP Port Number: Specifies the port used by the source context and the foreign RADIUS accounting server for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 1813.
RADIUS attribute NAS Identifier | Specifies the name by which the source context will be identified in the Access-Request message(s) it sends to the foreign RADIUS server. The name must be between 1 and 32 alpha and/or numeric characters and is case sensitive.
RADIUS NAS IP address | Specifies the IP address of the source context's AAA interface. A secondary address can optionally be configured.
Mobile IP Destination Context Configuration
Required Information | Description
---|---
Mobile IP destination context name | This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the destination context will be recognized by the system.
Pi Interface Configuration |
Pi interface name | This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system. Multiple names are needed if multiple interfaces will be configured. Pi interfaces are configured in the destination context.
IP address and subnet | These will be assigned to the Pi interface. Multiple addresses and/or subnets are needed if multiple interfaces will be configured.
Physical port number | This specifies the physical port to which the interface will be bound. Ports are identified by the chassis slot number in which the line card resides, followed by the number of the physical connector on the line card. For example, port 17/1 identifies connector number 1 on the card in slot 17. A single physical port can facilitate multiple interfaces.
Physical port description | This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system. Multiple descriptions are needed if multiple ports will be used. Physical ports are configured within the destination context and are used to bind logical Pi interfaces.
Gateway IP address(es) | Used when configuring static routes from the Pi interface(s) to a specific network.
FA Service Configuration |
FA service name | This is an identification string between 1 and 63 characters (alpha and/or numeric) by which the FA service will be recognized by the system. Multiple names are needed if multiple FA services will be used. FA services are configured in the destination context.
UDP port number for Mobile IP traffic | Specifies the port used by the FA service and the HA for communications. The UDP port number can be any integer value between 1 and 65535. The default value is 434.
Security Parameter Index (indices) Information | HA IP address: Specifies the IP address of the HA(s) with which the FA service communicates. The FA service allows the creation of a security profile that can be associated with a particular HA.
 | Index: Specifies the shared SPI between the FA service and a particular HA. The SPI can be configured to any integer value between 256 and 4294967295. Multiple SPIs can be configured if the FA service is to communicate with multiple HAs.
 | Secrets: Specifies the shared SPI secret between the FA service and the HA. The secret can be between 1 and 127 characters (alpha and/or numeric). An SPI secret is required for each SPI configured.
 | Hash-algorithm: Specifies the algorithm used to hash the SPI and SPI secret. The possible algorithms that can be configured are MD5 per RFC 1321 and keyed-MD5 per RFC 2002. The default is hmac-md5. A hash-algorithm is required for each SPI configured.
FA agent advertisement lifetime | Specifies the time (in seconds) that an FA agent advertisement remains valid in the absence of further advertisements. The time can be configured to any integer value between 1 and 65535. The default is 9000.
Number of allowable unanswered FA advertisements | Specifies the number of unanswered agent advertisements that the FA service will allow during call setup before it will reject the session. The number can be any integer value between 1 and 65535. The default is 5.
Maximum mobile-requested registration lifetime allowed | Specifies the longest registration lifetime that the FA service will allow in any Registration Request message from the mobile node. The lifetime is expressed in seconds and can be configured between 1 and 65534. An infinite registration lifetime can be configured by disabling the timer. The default is 600 seconds.
Registration reply timeout | Specifies the amount of time that the FA service will wait for a Registration Reply from an HA. The time is measured in seconds and can be configured to any integer value between 1 and 65535. The default is 7.
Number of simultaneous registrations | Specifies the number of simultaneous Mobile IP sessions that will be supported for a single subscriber. The maximum number of sessions is 3. The default is 1.
Mobile node re-registration requirements | Specifies how the system should handle authentication for mobile node re-registrations. The FA service can be configured to always require authentication or not. If not, the initial registration and de-registration will still be handled normally.
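The SPI rows in the PDSN service and FA service tables above (index, shared secret, hash algorithm, replay protection) describe one security association per peer. The following added example, which is not code from the original page or from the system's vendor, shows what a receiver does with such an entry when an RFC 2002 Registration Request arrives: look up the SPI, recompute the authenticator with the configured hash (keyed-MD5 in the RFC 2002 prefix+suffix form, or HMAC-MD5), and enforce the timestamp replay window. The message layout, the Foreign-Home extension type 34, the addresses and the 60-second tolerance are assumptions for illustration; nonce-mode replay protection is not shown.

```python
import hashlib
import hmac
import socket

AUTH_LEN = 16                  # MD5-based authenticators are 16 bytes
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
EXT_LEN = 2 + 4 + AUTH_LEN     # type, length, SPI, authenticator


class SecurityAssociation:
    """One SPI profile of the kind the PDSN/FA keeps per PCF or per HA."""

    def __init__(self, spi, secret, hash_algorithm="keyed-md5", tolerance=60):
        if not 256 <= spi <= 4294967295:
            raise ValueError("SPI must be between 256 and 4294967295")
        if not 1 <= len(secret) <= 127:
            raise ValueError("secret must be 1 to 127 characters")
        self.spi, self.secret = spi, secret.encode()
        self.hash_algorithm, self.tolerance = hash_algorithm, tolerance

    def authenticator(self, protected):
        if self.hash_algorithm == "keyed-md5":
            # RFC 2002 "prefix+suffix" keyed MD5: MD5(secret || data || secret)
            return hashlib.md5(self.secret + protected + self.secret).digest()
        if self.hash_algorithm == "hmac-md5":
            return hmac.new(self.secret, protected, hashlib.md5).digest()
        raise ValueError("unsupported hash algorithm: " + self.hash_algorithm)


def registration_request(lifetime, home_addr, ha_addr, coa, now):
    """RFC 2002 Registration Request header (24 bytes) with a timestamp Identification."""
    # High 32 bits of Identification carry NTP seconds; the low 32 bits are constructed.
    ident = ((now + NTP_EPOCH_OFFSET) << 32) | 0x5A5A5A5A
    return (bytes([1, 0]) + lifetime.to_bytes(2, "big")
            + socket.inet_aton(home_addr) + socket.inet_aton(ha_addr)
            + socket.inet_aton(coa) + ident.to_bytes(8, "big"))


def add_auth_extension(sa, message, ext_type=34):
    """Append a Foreign-Home (type 34, assumed) authentication extension."""
    # The authenticator covers the message plus the extension's own type, length
    # and SPI fields, but not the authenticator itself.
    head = bytes([ext_type, 4 + AUTH_LEN]) + sa.spi.to_bytes(4, "big")
    return message + head + sa.authenticator(message + head)


def verify_registration(sa_table, packet, now):
    """Return (accepted, reason); sa_table maps SPI -> SecurityAssociation."""
    if len(packet) < 24 + EXT_LEN:
        return False, "truncated"
    body, ext = packet[:-EXT_LEN], packet[-EXT_LEN:]
    spi = int.from_bytes(ext[2:6], "big")
    sa = sa_table.get(spi)
    if sa is None:
        return False, "unknown SPI %d" % spi
    if not hmac.compare_digest(sa.authenticator(body + ext[:6]), ext[6:]):
        return False, "bad authenticator"
    # Timestamp replay protection: sender's clock must be within the tolerance.
    sent = int.from_bytes(body[16:20], "big") - NTP_EPOCH_OFFSET
    if abs(now - sent) > sa.tolerance:
        return False, "timestamp outside %ds window" % sa.tolerance
    return True, "ok"
```

A request replayed more than 60 seconds later carries a valid authenticator but fails the timestamp check, which is the failure the replay-protection row exists to catch.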
System-Level AAA Configuration
Required Information | Description
---|---
Subscriber default domain name | Specifies the name of a context that can provide AAA functions in the event that the domain-part of the username is missing or poorly formed. This parameter will be applied to all subscribers if their domain cannot be determined from their username, regardless of what domain they are trying to access.
Subscriber last-resort context | Specifies the name of a context that can provide AAA functions in the event that the domain-part of the username was present but does not match the name of a configured destination context. This parameter will be applied to all subscribers if their specified domain does not match a configured destination context, regardless of what domain they are trying to access.
Subscriber username format | Specifies the format of subscriber usernames as to whether the username or domain is specified first and the character that separates them. The possible separator characters are: Up to six username formats can be specified. The default is username @.
Optional Destination Context
The following table lists the information required to configure the optional destination context. As discussed previously, this context is required if: 1) reverse tunneling is disabled in the FA service, or 2) access control lists (ACLs) are used.
Important: If ACLs are used, the destination context would consist only of the ACL configuration. Interface configuration would not be required.
Required Information | Description
---|---
Destination context name | This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the destination context will be recognized by the system.
PDN Interface Configuration |
PDN interface name | This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the interface will be recognized by the system. Multiple names are needed if multiple interfaces will be configured. PDN interfaces are configured in the destination context.
IP address and subnet | These will be assigned to the PDN interface. Multiple addresses and/or subnets are needed if multiple interfaces will be configured.
Physical port number | This specifies the physical port to which the interface will be bound. Ports are identified by the chassis slot number in which the line card resides, followed by the number of the physical connector on the line card. For example, port 17/1 identifies connector number 1 on the card in slot 17. A single physical port can facilitate multiple interfaces.
Physical port description | This is an identification string between 1 and 79 characters (alpha and/or numeric) by which the physical port will be recognized by the system. Multiple descriptions are needed if multiple ports will be used. Physical ports are configured within the destination context and are used to bind logical PDN interfaces.
Gateway IP address(es) | Used when configuring static routes from the PDN interface(s) to a specific network.
IP Address Pool Configuration |
IP address pool name | Each IP address pool is identified by a name. The pool name can be between 1 and 31 alpha and/or numeric characters and is case sensitive. IP address pools are configured in the destination context(s). Multiple address pools can be configured within a single context.
IP pool addresses | An initial address and a subnet, or a starting address and an ending address, are required for each configured pool. The pool will then consist of every possible address within the subnet, or all addresses from the starting address to the ending address. The pool can be configured as public, private, or static. If this IP pool is being used for Interchassis Session Recovery, it must be static and srp-activated.
How This Configuration Works
- The system-level AAA settings were configured as follows:
  - Subscriber default domain name = AAA context
  - Subscriber username format = username @
  - Subscriber last-resort context name = AAA context
- A subscriber session from the PCF is received by the PDSN service over the R-P interface.
- The PDSN service determines which context to use to provide foreign AAA functionality for the session. This process is described in the How the System Selects Contexts section located in the Understanding the System Operation and Configuration chapter of the System Administration Guide. For this example, the result of this process is that the PDSN service determined that foreign AAA functionality should be provided by the AAA context.
- The system then communicates with the foreign AAA server specified in the AAA context's AAA configuration to authenticate the subscriber.
- Upon successful authentication, the PDSN service determines the IP address of the subscriber's HA using either an attribute returned in the Access-Accept message, or the address specified by the mobile. The PDSN service uses the Mobile IP FA context name to determine which destination context is facilitating the FA service. In this example, it determines that it must use the MIP Destination context.
- The PDSN service passes the HA IP address to the FA service.
- The FA service then establishes a connection to the specified HA over the Pi interface.
- Accounting messages for the session are sent to the foreign AAA server over the AAA interface.
- If reverse tunneling is disabled, subscriber data traffic would instead be routed over the PDN interface configured in the Optional Destination context.
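The context-selection step above depends on the three system-level AAA settings (default domain, last-resort context, username format). The following added example, not code from the original page or from the system's vendor, applies those three rules to a subscriber username and reports which context provides AAA and why. The context names, the regular expression used to decide that a domain is "poorly formed", the exact-match lookup of context names, and the second domain-first "/" format are assumptions for illustration.

```python
import re

# Assumed definition of a well-formed domain part: DNS-style labels only.
DOMAIN_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$")


def split_nai(username, formats):
    """Split a username into (user, domain) using the first format whose separator
    appears; formats are (first_part, separator) pairs, e.g. ("username", "@")."""
    for first, sep in formats:
        if sep not in username:
            continue
        if first == "username":
            user, _, domain = username.rpartition(sep)   # user@realm
        else:
            domain, _, user = username.partition(sep)    # realm/user
        return user, domain
    return username, None


def select_aaa_context(username, formats, contexts, default_domain, last_resort):
    """Return (context_name, reason) following the page's three system-level rules."""
    _, domain = split_nai(username, formats)
    if domain is None or not DOMAIN_RE.match(domain):
        # Domain part missing or poorly formed: the subscriber default domain applies.
        return default_domain, "default domain"
    if domain in contexts:   # exact-match lookup is an assumption
        return domain, "domain matches configured context"
    # Domain present and well-formed but not a configured context name.
    return last_resort, "last-resort context"


# Constructed configuration mirroring the walkthrough: default domain and
# last-resort both point at the AAA context, username format is "username @".
FORMATS = [("username", "@")]
CONTEXTS = {"source", "aaa", "mip-dest"}
DEFAULT_DOMAIN = LAST_RESORT = "aaa"


def classify(username):
    return select_aaa_context(username, FORMATS, CONTEXTS, DEFAULT_DOMAIN, LAST_RESORT)
```

Because both fallbacks point at the same context in this example, a subscriber with no domain and one with an unknown domain land in the AAA context for different reasons; the reason string is what distinguishes them in a log.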