Proxy-Mobile IP
How Proxy Mobile IP Works in a WiFi Network with Multiple Authentication ▀
Cisco ASR 5x00 Packet Data Network Gateway Administration Guide ▄
449
How Proxy Mobile IP Works in a WiFi Network with Multiple
Authentication
Proxy-Mobile IP was developed as a result of networks of Mobile Subscribers (MS) that are not capable of Mobile IP
operation. In this scenario a PDIF acts a mobile IP client and thus implements Proxy-MIP support.
Although not required or necessary in a Proxy-MIP network, this implementation uses a technique called Multiple
Authentication. In Multi-Auth arrangements, the device is authenticated first using HSS servers. Once the device is
authenticated, then the subscriber is authenticated over a RADIUS interface to AAA servers. This supports existing EV-
DO servers in the network.
The MS first tries to establish an IKEv2 session with the PDIF. The MS uses the EAP-AKA authentication method for
the initial device authentication using Diameter over SCTP over IPv6 to communicate with HSS servers. After the
initial Diameter EAP authentication, the MS continues with EAP MD5/GTC authentication.
After successful device authentication, PDIF then uses RADIUS to communicate with AAA servers for the subscriber
authentication. It is assumed that RADIUS AAA servers do not use EAP methods and hence RADIUS messages do not
contain any EAP attributes.
Assuming a successful RADIUS authentication, PDIF then sets up the IPSec Child SA tunnel using a Tunnel Inner
Address (TIA) for passing control traffic only. PDIF receives the MS address from the Home Agent, and passes it on to
the MS through the final AUTH response in the IKEv2 exchange.
When IPSec negotiation finishes, the PDIF assigns a home address to the MS and establishes a CHILD SA to pass data.
The initial TIA tunnel is torn down and the IP address returned to the address pool.The PDIF then generates a RADIUS
accounting START message.
When the session is disconnected, the PDIF generates a RADIUS accounting STOP message.
The following figures describe a Proxy-MIP session setup using CHAP authentication (EAP-MD5), but also addresses a
PAP authentication setup using EAP-GTC when EAP-MD5 is not supported by either PDIF or MS.